WEBVTT 1 00:00:00.240 --> 00:00:03.640 Have you ever felt like you're just drowning in information, 2 00:00:04.040 --> 00:00:06.559 you know, trying to get a grip on some complex topic, 3 00:00:06.879 --> 00:00:10.119 especially with everything being so digital these days. Maybe you're 4 00:00:10.160 --> 00:00:12.480 prepping for a big meeting, or just trying to understand 5 00:00:12.480 --> 00:00:15.240 something new that well everyone else seems to get. It 6 00:00:15.240 --> 00:00:18.679 could feel pretty overwhelming. Well, you're definitely in the right place, 7 00:00:19.280 --> 00:00:22.440 because today's deep dive we're cutting through all that noise. 8 00:00:22.480 --> 00:00:26.160 We're going to explore the really fascinating, always changing world 9 00:00:26.359 --> 00:00:30.320 of information security. Our mission basically to give you a 10 00:00:30.359 --> 00:00:35.000 straightforward but still really thorough understanding core principles, how it 11 00:00:35.039 --> 00:00:36.920 works in the real world, and why it's just so 12 00:00:37.000 --> 00:00:39.359 critical in our lives. We're going to strip away the jargon, 13 00:00:39.560 --> 00:00:41.560 get to the you know, the crucial stuff, maybe throwing 14 00:00:41.560 --> 00:00:45.159 a few surprising facts too, and guiding us our main sources. 15 00:00:45.439 --> 00:00:51.240 Foundations of Information Security A straightforward introduction by doctor Jason Andres. 16 00:00:51.479 --> 00:00:53.520 This guy is not just an author, he's a real 17 00:00:53.719 --> 00:00:56.759 seasoned security pro researcher, been writing about this stuff for 18 00:00:56.840 --> 00:00:59.600 like over a decade, and his book is known for 19 00:00:59.679 --> 00:01:03.240 being so super clear, not overly technical, perfect for really 20 00:01:03.280 --> 00:01:06.000 getting a handle on this. So okay, let's dive in. 21 00:01:06.359 --> 00:01:09.959 If someone's trying to wrap their head around information security, 22 00:01:10.319 --> 00:01:12.200 like where do we even begin? What are we actually 23 00:01:12.239 --> 00:01:12.959 trying to protect? 24 00:01:13.079 --> 00:01:17.040 That's the fundamental question right at its heart, information security 25 00:01:17.120 --> 00:01:21.959 is about protecting information and the systems that handle that information. 26 00:01:22.519 --> 00:01:24.799 If you look at US law, the formal definition is 27 00:01:24.799 --> 00:01:33.719 something like protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, 28 00:01:33.920 --> 00:01:37.560 or destruction. But really it boils down to preventing misuse, 29 00:01:37.879 --> 00:01:40.719 any kind of misuse, whether someone means to or not, 30 00:01:41.280 --> 00:01:44.640 making sure only the right people or systems can touch 31 00:01:44.680 --> 00:01:45.920 the data in the right ways. 32 00:01:46.200 --> 00:01:49.239 Okay, that definition really frames it, but it makes you wonder. 33 00:01:49.599 --> 00:01:51.799 You know, in the real world, can anything ever be 34 00:01:51.840 --> 00:01:54.319 perfectly secure? It feels like this constant battle. 35 00:01:54.480 --> 00:01:56.799 It's a great point, and yeah, there's this built in tension. 36 00:01:56.799 --> 00:01:59.400 There's a famous quote from Eugene Spafford, a big name 37 00:01:59.439 --> 00:02:02.480 in security. He said something like, the only truly secure 38 00:02:02.519 --> 00:02:04.760 system is one that is powered off, cast in a 39 00:02:04.760 --> 00:02:07.079 block of concrete, and sealed in a lead lined room 40 00:02:07.120 --> 00:02:10.599 with armed guards. And even then I have my doubts. 41 00:02:11.120 --> 00:02:14.159 It perfectly captures that trade off. You know, the more 42 00:02:14.199 --> 00:02:17.159 security you pile on the less usable or productive things 43 00:02:17.199 --> 00:02:20.199 tend to get. So the key insight really is that 44 00:02:20.240 --> 00:02:23.840 it's a balancing act. The cost of protecting something shouldn't 45 00:02:23.840 --> 00:02:26.039 be more than what that thing is actually worth. Like 46 00:02:26.080 --> 00:02:28.800 you wouldn't spend a billion dollars guarding a cookie recipe. 47 00:02:28.960 --> 00:02:33.120 That makes total sense. This idea of trade offs are there, 48 00:02:33.319 --> 00:02:36.599 Like models or frameworks, people used to think about these 49 00:02:36.639 --> 00:02:38.840 different facets of security. I think I've heard of the 50 00:02:38.879 --> 00:02:40.159 CIA triad. Ah. 51 00:02:40.240 --> 00:02:45.120 Yes, the CIA triad absolutely foundational. It stands for confidentiality, integrity, 52 00:02:45.159 --> 00:02:49.879 and availability. So confidentiality that's about keeping data secret, protecting 53 00:02:49.879 --> 00:02:52.599 it from unauthorized eyes your atmpion for. 54 00:02:52.560 --> 00:02:55.759 Example, right or accidentally sending that email attachment to the wrong. 55 00:02:55.599 --> 00:02:59.520 Person exactly, that's a confidentiality breach. Then there's integrity. This 56 00:02:59.599 --> 00:03:03.639 is about preventing unauthorized changes to data and just as important, 57 00:03:03.680 --> 00:03:08.400 being able to undo unwanted authorized changes. Think about altered 58 00:03:08.479 --> 00:03:11.479 medical test results leading to the wrong treatment. That's a 59 00:03:11.520 --> 00:03:13.159 catastrophic integrity failure. 60 00:03:13.240 --> 00:03:13.439 Wow. 61 00:03:13.560 --> 00:03:16.360 And finally, availability just making sure you can actually get 62 00:03:16.360 --> 00:03:18.120 to your data when you need it. This could be 63 00:03:18.159 --> 00:03:22.360 disrupted by anything from a simple power outage to a 64 00:03:22.400 --> 00:03:24.759 malicious denial of service attack a DOS attack. 65 00:03:24.840 --> 00:03:30.039 Okay. Confidentiality, integrity availability CIA seems like a really solid 66 00:03:30.120 --> 00:03:32.840 way to break it down. Are there other angles, though, 67 00:03:33.080 --> 00:03:36.439 other dimensions security pros think about beyond just those three? 68 00:03:36.719 --> 00:03:40.520 Definitely, the CIA triad is like the starting point, but 69 00:03:40.639 --> 00:03:43.879 some models go deeper. There's one called the Parkian hexad 70 00:03:43.960 --> 00:03:48.360 from Don Parker. It keeps CIA but adds three more principles. 71 00:03:48.800 --> 00:03:53.199 Possession or control, basically keeping physical or logical control over 72 00:03:53.240 --> 00:03:56.560 your stuff. Then authenticity, This is making sure data really 73 00:03:56.560 --> 00:03:59.360 came from who it says it came from, usually enforced 74 00:03:59.360 --> 00:04:02.599 with things like digital signatures okay, which leads directly to 75 00:04:02.719 --> 00:04:05.639 non repudiation. If you digitally signed something, you can't later say, oh, 76 00:04:05.680 --> 00:04:07.879 that wasn't me, like a real signature on a contract. 77 00:04:08.080 --> 00:04:11.520 And the last one is utility. The data has to 78 00:04:11.560 --> 00:04:15.360 be well, useful, valid, and usable for what it's supposed 79 00:04:15.360 --> 00:04:18.240 to do. The real power of these models isn't just 80 00:04:18.360 --> 00:04:21.120 listing things. It's giving us a solid framework to think 81 00:04:21.199 --> 00:04:25.360 through those trade offs consistently across all these different dimensions. 82 00:04:25.560 --> 00:04:28.199 Right, so we've got these models, we understand what aspects 83 00:04:28.199 --> 00:04:31.319 of information we're protecting, but what are we protecting from 84 00:04:31.360 --> 00:04:33.720 when things go wrong? What are these attacks actually do? 85 00:04:33.800 --> 00:04:35.399 What kind of damage are we talking about? 86 00:04:35.639 --> 00:04:38.079 Yeah, attacks generally cause damage in a few main ways, 87 00:04:38.160 --> 00:04:41.279 hitting those aspects we just talked about. First, you've got interruption. 88 00:04:41.879 --> 00:04:45.639 This basically makes something unusable or unavailable, like that doss 89 00:04:45.680 --> 00:04:48.839 attack taking down your email server can't access it. Then 90 00:04:48.839 --> 00:04:53.199 there's modification, tampering with something, messing with its integrity, maybe 91 00:04:53.279 --> 00:04:55.879 changing it config file to mess up a service or worse, 92 00:04:56.000 --> 00:04:57.480 expose confidential data. 93 00:04:57.879 --> 00:04:58.199 Okay. 94 00:04:58.480 --> 00:05:03.439 And lastly, fabrication. This is creating fake stuff, fake data, 95 00:05:03.519 --> 00:05:07.839 fake processes, like inserting bogus information into a database, or 96 00:05:07.879 --> 00:05:10.720 maybe generating tons of fake network traffic to cause an 97 00:05:10.720 --> 00:05:11.839 availability problem. 98 00:05:12.000 --> 00:05:17.680 Okay, Interruption, modification, fabrication, right, got it. So, knowing what 99 00:05:17.680 --> 00:05:21.959 we're guarding and the kinds of threats, how do organizations 100 00:05:22.079 --> 00:05:24.959 actually start defending themselves? How do you manage all this risk? 101 00:05:25.040 --> 00:05:27.560 Well, effective defense really starts with a structured process. It's 102 00:05:27.639 --> 00:05:32.079 usually a five step risk management cycle. First, you identify 103 00:05:32.120 --> 00:05:36.639 critical information what absolutely needs protecting. For a software company, 104 00:05:36.680 --> 00:05:41.160 maybe it's their source code. Second, you analyze threats who 105 00:05:41.240 --> 00:05:46.480 are what could harm that information? Insiders, cyber criminals, nation states. Third, 106 00:05:46.759 --> 00:05:50.480 analyze vulnerabilities. Where are the weaknesses in your current defenses? 107 00:05:50.600 --> 00:05:54.879 Maybe uh, weak access controls on that source code repository. Fourth, 108 00:05:54.959 --> 00:05:57.600 u assess risks. Now, a risk is really a threat 109 00:05:57.639 --> 00:06:01.160 combined with a vulnerability. So that database holding customer data, 110 00:06:01.199 --> 00:06:03.240 if it doesn't have redundancy, that's a big risk to 111 00:06:03.240 --> 00:06:06.240 availability if the main one fails. And finally step five 112 00:06:06.519 --> 00:06:09.279 apply countermeasures. These are the security controls you put in 113 00:06:09.319 --> 00:06:11.120 place to actually reduce those risks. 114 00:06:11.160 --> 00:06:14.480 You found countermeasures the controls, right, So once the risks 115 00:06:14.480 --> 00:06:16.879 are known, what do these controls actually look like? What 116 00:06:16.920 --> 00:06:17.839 are the main types? 117 00:06:18.079 --> 00:06:23.279 Good question? They generally fall into three buckets. First, physical controls. 118 00:06:23.680 --> 00:06:29.160 These protect the actual physical environment, think fences, locks, security guards, 119 00:06:29.279 --> 00:06:31.680 even making sure the server room has good air conditioning. 120 00:06:31.959 --> 00:06:35.480 These are absolutely vital. Why so vital because if someone 121 00:06:35.480 --> 00:06:37.639 can just walk in and physically take your servers, while 122 00:06:37.680 --> 00:06:40.199 all your fancy software security doesn't mean much does it? 123 00:06:40.319 --> 00:06:43.000 Good? Point? Okay? Physical? What else? Second? 124 00:06:43.279 --> 00:06:48.079 Logical controls. These are the technical measures firewalls, intrusion detection systems, 125 00:06:49.040 --> 00:06:52.680 access control lists on files, all the tech stuff. And Third, 126 00:06:52.720 --> 00:06:57.800 administrative controls. These are the rules policies, procedures, things like 127 00:06:57.879 --> 00:07:01.639 password complexity rules, mandatory security training, or even just as 128 00:07:01.680 --> 00:07:04.600 sign saying turn off the coffee pot. Okay, but here's 129 00:07:04.639 --> 00:07:07.759 the thing about administrative controls, and this is crucial. They 130 00:07:07.800 --> 00:07:10.639 are worse than useless if they're not enforced. They just 131 00:07:10.720 --> 00:07:12.959 create this false sense of security. Oh, we have a 132 00:07:13.000 --> 00:07:15.079 policy for that, but if nobody follows. 133 00:07:14.759 --> 00:07:20.279 It, right, it's just words on paper, okay, physical, logical, administrative. Well, 134 00:07:20.279 --> 00:07:22.720 it sounds like we're building layers here, which makes me 135 00:07:22.759 --> 00:07:26.240 think of defense and depth. I hear that term a lot. 136 00:07:26.279 --> 00:07:28.920 What's that about defense and depth? Yeah, it's a core principle. 137 00:07:29.199 --> 00:07:32.600 The idea isn't just piling on more security. It's about 138 00:07:32.720 --> 00:07:36.199 layering different kinds of security controls. So if one layer 139 00:07:36.240 --> 00:07:39.319 fails or an attacker gets past it, there's another layer waiting. 140 00:07:39.720 --> 00:07:42.959 It buys you time basically time to detect the attack, 141 00:07:43.040 --> 00:07:46.079 time to respond. Can you give you example, sure, think 142 00:07:46.079 --> 00:07:49.959 about password strength. An eight character all lowercase password like 143 00:07:50.319 --> 00:07:53.240 my password, an attacker might crack that in I don't 144 00:07:53.279 --> 00:07:56.399 know hours or weeks. But a ten character password mixed 145 00:07:56.399 --> 00:08:00.439 case numbers symbols like is un QW three cents that 146 00:08:00.480 --> 00:08:03.879 could take decades to crack with current tech. That's one layer. 147 00:08:04.040 --> 00:08:07.480 But defense in depth also tackles problems like manual synchronization. 148 00:08:07.600 --> 00:08:10.199 That's just using the same password everywhere. If once it 149 00:08:10.279 --> 00:08:13.000 gets breached, boom, attackers try that password on your bank, 150 00:08:13.040 --> 00:08:13.480 your email. 151 00:08:13.600 --> 00:08:15.279 Ah, yeah, guilty is charged. 152 00:08:15.279 --> 00:08:18.600 Sometimes we all are but using different strong passwords plus 153 00:08:18.639 --> 00:08:20.560 maybe MFA. That's layering defenses. 154 00:08:20.839 --> 00:08:23.680 Okay, layers make sense, but you know, even with the 155 00:08:23.720 --> 00:08:27.639 best layers, breaches happen. So if an attack does get through, 156 00:08:28.480 --> 00:08:31.079 what's the game plan? What does a good incident response 157 00:08:31.120 --> 00:08:31.480 look like? 158 00:08:31.519 --> 00:08:34.320 Absolutely, you have to assume something will eventually get through. 159 00:08:34.639 --> 00:08:38.240 No defense is perfect, So effective incident response is critical 160 00:08:38.559 --> 00:08:42.039 and it has distinct femins. And honestly, most important phase 161 00:08:42.240 --> 00:08:49.600 is preparation, doing the work before anything happens. Policies, training, documentation, running. 162 00:08:49.360 --> 00:08:51.919 Drills so you're not scrambling mid crisis exactly. 163 00:08:51.960 --> 00:08:54.000 You don't want to be figuring out who to call 164 00:08:54.039 --> 00:08:57.240 while the building's metaphorical fire alarm is going off. After 165 00:08:57.360 --> 00:09:01.720 prep comes detection and analysis that something's wrong. Often security 166 00:09:01.759 --> 00:09:04.320 tools flag things and then figuring out, okay, is this 167 00:09:04.360 --> 00:09:07.200 a real incident or a false alarm that takes human 168 00:09:07.320 --> 00:09:11.440 judgment combined with automation. Then you move into containment, eradication, 169 00:09:11.639 --> 00:09:15.159 and recovery basically, stop the bleeding, clean up the mess, 170 00:09:15.360 --> 00:09:18.279 and get things back online safely. And finally, and this 171 00:09:18.399 --> 00:09:22.559 is key post incident activity, the post mortem, not to 172 00:09:22.639 --> 00:09:25.759 point fingers, but to learn what went wrong? How can 173 00:09:25.799 --> 00:09:27.720 we do better next time? How can we prevent this 174 00:09:27.799 --> 00:09:28.480 specific thing? 175 00:09:28.519 --> 00:09:32.960 Again? That learning part seems crucial. Okay, shifting gears a bit. 176 00:09:33.000 --> 00:09:35.159 It feels like so much as security boils down to 177 00:09:35.679 --> 00:09:38.960 who gets in, who has access, how do we differentiate 178 00:09:39.000 --> 00:09:41.879 between just like saying who you are and proving who 179 00:09:41.919 --> 00:09:44.519 you are, identification versus authentication. 180 00:09:44.759 --> 00:09:47.960 Yeah, that's a really important distinction. Identification is simply claiming 181 00:09:48.000 --> 00:09:50.759 an identity, me saying I'm Bob, or a computer saying 182 00:09:50.799 --> 00:09:54.159 I'm server X. Identity verification is a step beyond like 183 00:09:54.159 --> 00:09:57.600 showing your driver's license. It provides some evidence, but authentication 184 00:09:57.759 --> 00:10:01.120 is the actual process of verifying that against some trusted 185 00:10:01.159 --> 00:10:02.200 credential or factor. 186 00:10:02.279 --> 00:10:04.200 And why is that verification so critical? 187 00:10:04.320 --> 00:10:08.120 Well, consider this identity thieves stole something like sixteen point 188 00:10:08.120 --> 00:10:11.480 eight billion dollars from US consumers back in twenty seventeen. 189 00:10:12.200 --> 00:10:14.799 A huge chimp of that was because the activities involved 190 00:10:14.799 --> 00:10:18.600 didn't require strong authentication. It's easy to claim to be someone. 191 00:10:18.960 --> 00:10:21.480 Proving it is harder, and that's where security lies. 192 00:10:21.639 --> 00:10:24.039 Okay, so how do we prove it? What are these 193 00:10:24.279 --> 00:10:27.679 factors of authentication? Passwords are one, obviously, but what else? 194 00:10:27.840 --> 00:10:30.320 Right? Passwords fall under the First factor? Something you know, 195 00:10:30.720 --> 00:10:34.159 like a password, a PI in a secret question. Often 196 00:10:34.200 --> 00:10:36.720 the weakest because people choose bad ones or reuse them. 197 00:10:36.879 --> 00:10:44.600 Second factor, something you are. Biometrics, fingerprints, iris, scans, facial recognition. 198 00:10:45.080 --> 00:10:47.279 These are stronger in some ways, but they have issues 199 00:10:47.440 --> 00:10:50.919 like what well, they can sometimes be forged, and more importantly, 200 00:10:51.000 --> 00:10:53.679 if your biometric data gets stolen, say your fingerprints, you 201 00:10:53.679 --> 00:10:55.720 can't just change your fingerprints like you change a password. 202 00:10:55.960 --> 00:10:59.120 Remember that big OPM breach In twenty fifteen, five point 203 00:10:59.200 --> 00:11:02.399 six million the US federal employees have their fingerprint stolen. 204 00:11:02.679 --> 00:11:04.200 Makes re enrolling them pretty tricky. 205 00:11:04.279 --> 00:11:06.679 Ray, Wow, Yeah, I didn't think about that. Okay, what's next? 206 00:11:06.799 --> 00:11:11.919 Third factor? Something you have a physical object like your 207 00:11:12.039 --> 00:11:15.440 ATM card, a hardware token that generates those little codes 208 00:11:15.480 --> 00:11:18.000 that change every minute, or even your smartphone getting a 209 00:11:18.039 --> 00:11:21.519 push notification. Then there's something you do, which is more 210 00:11:21.519 --> 00:11:25.440 about behavioral biometrics like your unique signature or typing pattern. 211 00:11:25.919 --> 00:11:29.240 And finally, where you are using your location as a factor. 212 00:11:29.399 --> 00:11:31.399 So five factors and putting them together. 213 00:11:31.519 --> 00:11:36.279 That's multi factor authentication MFA, or often two factor authentication 214 00:11:36.519 --> 00:11:39.960 two FA, using two or more different factors like your 215 00:11:39.960 --> 00:11:43.559 ATM cards something you have, plus your pin something you know, 216 00:11:44.399 --> 00:11:46.240 much stronger than just one factor alone. 217 00:11:46.360 --> 00:11:49.200 Makes sense. Now I've heard the term mutual authentication. What's 218 00:11:49.240 --> 00:11:50.919 that about and why does it matter? Ah? 219 00:11:51.080 --> 00:11:54.519 Mutual authentication that's where both sides prove their identity to 220 00:11:54.559 --> 00:11:56.720 each other, not just you proving yourself to the server, 221 00:11:56.840 --> 00:11:58.639 but the server also proving itself to you. 222 00:11:58.919 --> 00:12:00.200 Why is that necessary? 223 00:12:00.279 --> 00:12:03.480 It's crucial for preventing man in the middle attacks. If 224 00:12:03.559 --> 00:12:07.320 only you authenticate, an attacker could potentially sit between you 225 00:12:07.399 --> 00:12:09.639 and the real server, pretending to be the server to 226 00:12:09.720 --> 00:12:12.799 you and pretending to be you to the server. They 227 00:12:12.840 --> 00:12:14.240 intercept everything. 228 00:12:14.200 --> 00:12:17.720 Uh okay, like an imposter relaying messages exactly. 229 00:12:18.159 --> 00:12:21.759 Mutual authentication helps shut that down by making sure both 230 00:12:21.919 --> 00:12:24.399 ends are talking to who they think they're talking to. 231 00:12:25.080 --> 00:12:27.840 All right, so we've authenticated someone, we know who they are, 232 00:12:28.320 --> 00:12:30.279 But how do we control what they can actually do 233 00:12:30.360 --> 00:12:32.679 once they're in. That's access control precisely. 234 00:12:33.120 --> 00:12:37.000 Access controls determine who or what gets to access which resources, 235 00:12:37.240 --> 00:12:40.600 and what actions they're allowed to perform read, write, delete, 236 00:12:40.639 --> 00:12:43.879 execute whatever. A really common way to implement this is 237 00:12:43.960 --> 00:12:46.840 using access control lists or acls. You see these all 238 00:12:46.879 --> 00:12:48.279 the time and file systems like. 239 00:12:48.240 --> 00:12:51.360 On Linux or Mac. When you do elslie those RVX. 240 00:12:50.879 --> 00:12:55.879 Permissions exactly that read write, execute permissions assigned to the owner, 241 00:12:56.039 --> 00:12:59.279 a group and everyone else. That's a classic ACL. But 242 00:12:59.360 --> 00:13:01.960 acls aren't perfect. They can suffer from something called the 243 00:13:02.120 --> 00:13:07.039 confused deputy problem. But what now the confused deputy? Imagine 244 00:13:07.039 --> 00:13:09.720 you have a powerful system processed the deputy that has 245 00:13:09.840 --> 00:13:14.279 lots of permissions. An attacker with fewer permissions might trick 246 00:13:14.320 --> 00:13:17.559 that deputy into performing an action on their behalf using 247 00:13:17.559 --> 00:13:19.000 the deputy's higher privileges. 248 00:13:19.240 --> 00:13:21.960 Okay, I think I get it. Tricking the powerful. 249 00:13:21.600 --> 00:13:25.519 Assistant, right, And this vulnerability is often exploited in things 250 00:13:25.559 --> 00:13:30.039 like cross site request forgery CSRF or clickjacking. These are 251 00:13:30.039 --> 00:13:32.960 attacks that trick your browser, acting as a sort of 252 00:13:33.000 --> 00:13:35.840 deputy for you, into doing things on websites you're logged 253 00:13:35.840 --> 00:13:38.559 into without you realizing it, like making a purchase or 254 00:13:38.679 --> 00:13:41.639 changing your password just by you clicking a disguised link 255 00:13:41.720 --> 00:13:42.159 or button. 256 00:13:42.480 --> 00:13:45.799 Yikes. Okay, so digital access is complex. What about just 257 00:13:46.600 --> 00:13:50.679 physical access? Blocks on doors? Seems basic but probably still. 258 00:13:50.440 --> 00:13:54.759 Important, absolutely fundamental. Physical access controls are all about regulating 259 00:13:54.799 --> 00:13:57.919 who can physically get near the systems or data. A 260 00:13:57.960 --> 00:14:01.559 really common problem here is tailgating are sometimes called piggybacking. 261 00:14:01.960 --> 00:14:04.720 Someone just follows an authorized person through a secure door 262 00:14:04.759 --> 00:14:05.960 without badging in themselves. 263 00:14:06.080 --> 00:14:08.399 Yeah, holding the door open for someone exactly. 264 00:14:08.440 --> 00:14:12.240 It relies on politeness. Solutions range from strict policies and 265 00:14:12.279 --> 00:14:16.120 having guards watch entrances to physical barriers like turnstiles that 266 00:14:16.200 --> 00:14:19.919 only let one person through per valid credential. Think about 267 00:14:19.919 --> 00:14:24.360 airport security. That's a massive, complex system of layered physical 268 00:14:24.360 --> 00:14:28.960 access controls, checking IDs, scanning bags, controlling movement between zones, 269 00:14:29.000 --> 00:14:30.600 all to manage physical access. 270 00:14:30.639 --> 00:14:33.960 True. Okay, so beyond the tech and the physical, there's 271 00:14:34.000 --> 00:14:38.519 this whole layer of rules and regulations laws. What exactly 272 00:14:38.720 --> 00:14:41.600 is compliance in security and why is it such a 273 00:14:41.600 --> 00:14:42.039 big deal? 274 00:14:42.759 --> 00:14:45.639 Compliance, simply put, is just sticking to the rules, But 275 00:14:45.679 --> 00:14:48.720 the rules can come from different places. You've got regulatory compliance, 276 00:14:48.720 --> 00:14:52.159 which means rules mandated by law. Think FISMA for US 277 00:14:52.200 --> 00:14:56.360 federal agencies, HYPATH for healthcare information, or FEDBRAM for cloud 278 00:14:56.360 --> 00:14:59.679 providers wanting government contracts. FEDRAM is interesting. It gives a 279 00:14:59.679 --> 00:15:02.840 single authority to operate an ATO, but the security bar 280 00:15:03.000 --> 00:15:04.080 is incredibly high. 281 00:15:04.120 --> 00:15:05.879 Okay, so legal requirements. What else? 282 00:15:06.080 --> 00:15:09.559 Then there's industry compliance. These aren't laws, but standards set 283 00:15:09.600 --> 00:15:13.480 by industry bodies. PCFID DSS. The Payment Card Industry Data 284 00:15:13.480 --> 00:15:16.000 Security Standard is the big one here. If you want 285 00:15:16.000 --> 00:15:18.399 to process credit cards, you have to comply or you 286 00:15:18.440 --> 00:15:21.519 face massive fines or even get cut off from processing payments. 287 00:15:21.799 --> 00:15:25.919 Huge business impact, so high stakes either way, definitely, and 288 00:15:26.039 --> 00:15:29.120 breaches really drive this home. Look at the twenty seventeen 289 00:15:29.200 --> 00:15:32.320 Equifex breach data for one hundred and forty seven million 290 00:15:32.360 --> 00:15:36.360 Americans stolen why an unpatched vulnerability and Apache struts two 291 00:15:36.360 --> 00:15:40.240 and inadequate controls. That mess really underscored accountability and led 292 00:15:40.240 --> 00:15:42.720 to breach disclosure laws popping up in all fifty US 293 00:15:42.759 --> 00:15:46.159 states by twenty eighteen. So compliance isn't just about ticking 294 00:15:46.159 --> 00:15:49.639 boxes to avoid fines. It's about demonstrating you're taking security seriously, 295 00:15:50.000 --> 00:15:52.480 building trust and ultimately being more resilient. 296 00:15:52.679 --> 00:15:55.159 And if a client's demand sticking to rules, how do 297 00:15:55.320 --> 00:15:58.240 organizations prove they're doing it? What role do audit to play? 298 00:15:58.480 --> 00:16:01.279 Audits are key for account of bile. An audit is 299 00:16:01.320 --> 00:16:06.519 basically a methodical checkup, examining records, interviewing people, testing controls 300 00:16:06.559 --> 00:16:10.519 to verify that you are in fact complying with those laws, regulations, 301 00:16:10.559 --> 00:16:14.720 or standards. Some auditing bodies have real teeth. The Business 302 00:16:14.759 --> 00:16:19.360 Software Alliance the BSA audits companies for software license compliance. 303 00:16:20.039 --> 00:16:23.039 If they find unlicensed software, settlements can hit two hundred 304 00:16:23.039 --> 00:16:26.000 and fifty thousand dollars per instance, and they even offer 305 00:16:26.039 --> 00:16:28.240 rewards up to a million bucks for whistleblowers. 306 00:16:28.320 --> 00:16:29.919 Wow, serious business it is. 307 00:16:30.200 --> 00:16:32.320 But here's a critical insight about auditing. A lot of 308 00:16:32.360 --> 00:16:34.679 it relies on logs, records of who did what when, 309 00:16:35.120 --> 00:16:37.360 But just collecting logs is useless if no one ever 310 00:16:37.360 --> 00:16:40.159 looks at them. Regular review is essential for logs to 311 00:16:40.200 --> 00:16:42.360 have any value for accountability or security. 312 00:16:42.440 --> 00:16:44.440 Makes sense, Log it and look at it. Okay, let's 313 00:16:44.440 --> 00:16:46.279 sing back to people. We often hear people are the 314 00:16:46.320 --> 00:16:49.720 weakest link. How do attackers actually exploit as humans? 315 00:16:50.080 --> 00:16:53.200 Yeah? The human element is a huge target. Attackers who 316 00:16:53.240 --> 00:16:56.799 focus on this are called social engineers. They gather intelligence 317 00:16:56.799 --> 00:17:00.759 in two main ways. Human or human intelligence comes from 318 00:17:00.759 --> 00:17:05.000 talking to people, maybe direct scams, maybe just subtle questioning, 319 00:17:05.319 --> 00:17:09.839 building rapport an osent. Open source intelligence comes from publicly 320 00:17:09.880 --> 00:17:14.880 available information, job postings, revealing tech used, social media posts, 321 00:17:15.079 --> 00:17:19.119 public records, even hidden data in files like GPS coordinates 322 00:17:19.160 --> 00:17:22.160 embedded in photos that's called exif data, so that. 323 00:17:22.079 --> 00:17:24.880 They build a profile from public scraps exactly. 324 00:17:25.440 --> 00:17:28.119 And there are powerful tools things like showdown that scans 325 00:17:28.119 --> 00:17:32.079 the Internet for connected devices or Maltago that visualizes relationships 326 00:17:32.079 --> 00:17:35.079 between data points that help attackers gather and connect massive 327 00:17:35.079 --> 00:17:38.880 amounts of this ocent to find vulnerabilities or craft targeted attacks. 328 00:17:38.920 --> 00:17:41.039 That's kind of scary. So what specific kinds of social 329 00:17:41.039 --> 00:17:43.079 engineering attack should people really watch out for? 330 00:17:43.279 --> 00:17:45.799 Well, there are a few classic techniques. Pretexting is a 331 00:17:45.799 --> 00:17:49.680 big one. The attacker creates a believable scenario, often pretending 332 00:17:49.720 --> 00:17:53.319 to be someone trustworthy. Maybe it support maybe a vendor 333 00:17:53.400 --> 00:17:56.599 to trick you into giving up info or doing something like. 334 00:17:56.920 --> 00:17:59.640 I need your password to fix your account, right. 335 00:17:59.559 --> 00:18:03.240 Or maybe something more subtle. Then there's phishing using email, 336 00:18:03.359 --> 00:18:06.240 text messages sometimes spend calls to trick you into clicking 337 00:18:06.319 --> 00:18:10.599 malicious links, opening infected attachments, or entering credentials on fake 338 00:18:10.680 --> 00:18:14.200 websites that look real. Browsers are getting better at warning us, 339 00:18:14.240 --> 00:18:16.559 but it's still incredibly common and effective. 340 00:18:16.720 --> 00:18:18.000 I get those emails all the time. 341 00:18:18.079 --> 00:18:21.079 We all do. And don't forget tailgating, which we mentioned 342 00:18:21.079 --> 00:18:24.640 with physical access. That's also a social engineering tactic, relying 343 00:18:24.640 --> 00:18:28.240 on someone's politeness or inattention to bypass a physical control. 344 00:18:28.400 --> 00:18:30.720 Okay, so if people are the target, how do we 345 00:18:30.759 --> 00:18:36.200 make them less vulnerable? What goes into good security awareness 346 00:18:36.240 --> 00:18:37.640 training that actually sticks? 347 00:18:38.000 --> 00:18:41.279 Effective training is absolutely crucial. It needs to cover several 348 00:18:41.400 --> 00:18:45.440 key areas. Password hygiene is fundamental, Teaching people why strong, 349 00:18:45.599 --> 00:18:49.799 unique passwords matter and the risks of reusing them, Instilling 350 00:18:49.839 --> 00:18:53.640 a healthy sense of skepticism, a trust but verify mindset. 351 00:18:53.920 --> 00:18:56.519 Encourage people if something seems weird or too good to 352 00:18:56.519 --> 00:18:59.319 be true, don't just click or comply, check with the 353 00:18:59.359 --> 00:19:02.079 security team or the supposed center through a different channel. 354 00:19:02.160 --> 00:19:05.200 Good advice training on safe network usage is vital too, 355 00:19:05.640 --> 00:19:08.640 Explaining the dangers of unsecured public Wi Fi like in 356 00:19:08.640 --> 00:19:12.079 coffee shops or hotels, and why using a VPN is important. 357 00:19:12.079 --> 00:19:15.799 When accessing work resources from outside the office network, people 358 00:19:15.839 --> 00:19:18.920 need to know how to spot malware, red flags, weird 359 00:19:19.079 --> 00:19:23.640 email attachments like ex files, maybe even ZP or PDF, 360 00:19:23.720 --> 00:19:27.960 sometimes links hidden behind URL shorteners, website addresses that are 361 00:19:27.960 --> 00:19:30.640 slightly misspelled, apps from unofficial stores. 362 00:19:30.759 --> 00:19:32.079 Write the basics. 363 00:19:31.680 --> 00:19:35.200 Exactly, and clear rules around using personal equipment for work, 364 00:19:35.279 --> 00:19:39.079 bring your own device or BYOD policies, Plus simple things 365 00:19:39.119 --> 00:19:42.440 like a clean desk policy. Don't leave sensitive papers lying around. 366 00:19:42.920 --> 00:19:46.039 But here's the real key. The training has to be engaging. 367 00:19:46.200 --> 00:19:49.319 Nobody learns from a dry, fifty page policy document sent 368 00:19:49.400 --> 00:19:52.720 once a year. Make it interactive, quizzes, videos, posters, maybe 369 00:19:52.720 --> 00:19:56.640 even little giveaways for participation. Make it memorable, make it regular. 370 00:19:56.920 --> 00:19:59.160 That's how you build a strong human firewall. 371 00:19:59.319 --> 00:20:02.559 Engaging just informing. Got it okay? It Shift to the 372 00:20:02.559 --> 00:20:05.160 really technical stuff. Cryptography. How does this sort of secret 373 00:20:05.200 --> 00:20:06.519 coding protect our data today? 374 00:20:06.680 --> 00:20:11.079 Cryptography is basically the science of scrambling information so only 375 00:20:11.160 --> 00:20:15.720 authorized parties can understand it. It protects both confidentiality, keeping 376 00:20:15.799 --> 00:20:19.039 its secret and integrity, ensuring it hasn't been tampered with. 377 00:20:19.640 --> 00:20:23.440 Its history is fascinating from ancient methods like the Caesar cipher, 378 00:20:23.519 --> 00:20:28.200 just shifting letters like ROT thirteen up to complex machines 379 00:20:28.240 --> 00:20:30.079 like the German Enigma in World War. 380 00:20:30.039 --> 00:20:32.160 Two, which is famously broken. 381 00:20:32.640 --> 00:20:35.920 Right and partly because it's security relied on keeping the 382 00:20:35.960 --> 00:20:39.799 machines designed secret, what we call security through obscurity, which 383 00:20:39.799 --> 00:20:43.440 is generally a bad idea. Modern crypto algorithms are the opposite. 384 00:20:43.440 --> 00:20:47.559 They're usually public knowledge, heavily scrutinized by experts worldwide. Their 385 00:20:47.599 --> 00:20:51.039 strength comes from relying on really hard mathematical problems, one 386 00:20:51.039 --> 00:20:53.440 way problems, things that are easy to do one way, 387 00:20:53.519 --> 00:20:57.480 like multiplying two huge prime numbers, but incredibly difficult to reverse, 388 00:20:57.559 --> 00:20:59.759 like factoring the result back into the original primes. 389 00:21:00.119 --> 00:21:02.559 So based on hardmath, what are the main types of 390 00:21:02.640 --> 00:21:03.759 encryption we use now? 391 00:21:04.000 --> 00:21:08.240 Broadly? There are two main families. Symmetric key cryptography uses 392 00:21:08.279 --> 00:21:12.599 the same secret key for both encryption and decryption. Algorithms 393 00:21:12.640 --> 00:21:17.160 like AES Advanced Encryption Standard are the modern workhorses here. 394 00:21:17.279 --> 00:21:19.799 Strong fast, Look the challenges. 395 00:21:19.440 --> 00:21:22.720 Sharing that single key securely. If you and I want 396 00:21:22.720 --> 00:21:25.720 to communicate using symmetric encryption, how do I get the 397 00:21:25.799 --> 00:21:29.200 secret key to you without someone intercepting it. That's the key. 398 00:21:29.039 --> 00:21:31.240 Exchange problem, right, So what's the alternative. 399 00:21:31.640 --> 00:21:35.559 That's asymmetric key cryptography, also known as public key cryptography. 400 00:21:35.720 --> 00:21:37.920 This is really clever. It uses a pair of keys, 401 00:21:38.440 --> 00:21:40.599