WEBVTT

00:00.140 --> 00:03.980
One of the most fundamental security principles that a lot of organizations miss

00:04.010 --> 00:07.280
is reducing or restricting the attack surface.

00:07.310 --> 00:13.190
This includes changing the default configurations and the lack of system hardening. Some of the ways

00:13.190 --> 00:19.580
in which system hardening can be implemented include disabling the default services, restricting default

00:19.580 --> 00:26.720
permissions that start up with a power on, default usernames and passwords, open ports and so on.

00:27.650 --> 00:34.190
Concerning passwords and credentials, a policy must be developed that enforces the usage of complex

00:34.190 --> 00:41.810
passwords with more than an eight-character limit, with a mandated usage of numeric values, capital

00:41.810 --> 00:43.940
letters and special characters.

00:43.970 --> 00:48.110
A password change policy must also be in place.

00:48.140 --> 00:50.420
Network Segmentation.

00:50.450 --> 00:58.610
Network segmentation refers to segregating a network into subnetworks with the aim of improving performance

00:58.610 --> 00:59.480
and security.

00:59.480 --> 01:04.280
So a reduced attack surface and grouping systems with similar security needs.

01:04.310 --> 01:11.930
This can be achieved by implementing firewalls, a virtual local area network, LAN, and software-defined

01:11.960 --> 01:14.750
networking, SD-WAN, to name a few.

01:15.960 --> 01:23.100
Proper network segmentation will allow the organization to segregate low priority and low trust network

01:23.100 --> 01:27.390
areas from the rest of the infrastructure or critical network segments,

01:27.420 --> 01:32.430
thus preventing widespread impact in the event of a cyber attack.

01:32.460 --> 01:38.580
This also helps with utilizing security monitoring platforms and access controls for the most business

01:38.580 --> 01:40.620
critical segments of the organization.

01:41.190 --> 01:43.200
Network Choke Points.

01:44.070 --> 01:50.610
One of the major differentiating aspects between a fragile and resilient cybersecurity program is the

01:50.610 --> 01:55.680
strategy and approach toward building a comprehensive foundation.

01:55.710 --> 02:03.150
This foundation can be built only by having a clear visualization of the logical and technological layout

02:03.150 --> 02:04.410
of the environment.

02:04.560 --> 02:12.300
For example, identifying and adequately monitoring bottlenecks and choke points can often help us discover

02:12.300 --> 02:15.840
larger and deeper problems in the network's foundation.

02:15.990 --> 02:24.360
In military terms, a choke point is a location on land or sea, a valley or a strait where the military

02:24.360 --> 02:31.770
is forced to pass through a narrow column, which makes it easier for an opposing force to take them

02:31.770 --> 02:32.970
out with ease.

02:33.670 --> 02:39.790
Technically, this is a shooting-fish-in-a-barrel kind of situation. In networking terms,

02:39.820 --> 02:46.750
a similar situation is faced when the data flow of a network is restricted due to bandwidth or application

02:46.750 --> 02:50.110
constraints. From a network security standpoint,

02:50.140 --> 02:56.170
common examples include implementing a firewall for an internet-facing site or a load balancer that

02:56.170 --> 03:00.070
reroutes traffic based on bandwidth consumption.

03:00.310 --> 03:08.270
In the case of a distributed denial of service (DDoS) or denial of service (DoS) attack, this can add

03:08.270 --> 03:10.060
to cyber resiliency.

03:10.060 --> 03:16.900
So today we can build such scalable and highly available load balancers over the cloud by using services

03:16.900 --> 03:19.030
such as Google Cloud.

03:19.840 --> 03:21.430
The Defense in Depth.

03:21.670 --> 03:27.940
This is an implementation approach where multiple layers of security or defensive controls through the

03:27.940 --> 03:32.920
environment or landscape have redundancy in case of a security incident.

03:32.950 --> 03:35.360
This is also known as the castle approach.

03:35.360 --> 03:41.930
So the reason why this approach is important is that it takes the weight of a single cybersecurity

03:41.930 --> 03:49.640
defensive control and supplements or complements the security strategy by having multiple independent

03:49.640 --> 03:53.060
controls in place at different layers.

03:53.720 --> 04:01.130
Originally, this was a military strategy, also known as Deep in Defense, that sought to hinder the

04:01.130 --> 04:03.560
movement of enemy forces.

04:03.590 --> 04:11.420
The focus is not on stopping them entirely via frontal assault, but by buying time and slowing

04:11.420 --> 04:13.850
down the attack's progression.

04:13.880 --> 04:21.950
This is an effective measure as it often results in the attacker losing momentum over a period of time

04:21.950 --> 04:24.560
due to no or less progress.

04:24.590 --> 04:32.270
This vital time can be used to mount an attack on the assault forces or reinforce the defenses of the

04:32.270 --> 04:33.620
defending team.
