00:00:00,000 --> 00:00:51,780
In this lesson, we're here to discuss some of the various security principles that are crucial to securing our networks and systems. The first foundational security principle we need to discuss is least privilege. Now, the principle of least privilege is pretty straightforward. It states that whenever the user's performing a job function or an administrative task, they should do that while using the lowest level of permissions or privileges needed in order for them to complete their job. So as a network or system administrator, if you're going to be able to do a function as a regular user, then you should. Now, if you need to do something as an administrator, then you need to log in as an administrator. Whenever I log into my computer to check my email, for example, I'm going to do that using my user account, which has no administrative permissions. But if I need to install a piece of software or change some kind of configuration setting, then I'm going to log in as the root or administrative user so that I have all the accesses and permissions that I need to make those changes.
00:00:51,780 --> 00:01:35,490
This principle of least privilege extends past the different types of accounts we use with our given users. It also applies to things like designing our systems and networks, because we need to design them with the concept of least privilege in mind as well. For example, if you're installing some new Internet of Things devices like LED lights that are going to connect to your network and allow them to be remotely controlled through automation, you also need to make sure you're using the principle of least privilege here as well. Should these IoT devices have access to every system or service on your network? Of course not. Instead, these devices likely only need to have one or two ports open so that they can communicate, and they may need to have access to the internet to receive firmware updates, and that's okay too. But they shouldn't have access to any of your file servers, your web servers, or your printers.
00:01:35,490 --> 00:02:37,170
So using the principle of least privilege, we could isolate these devices into their own screened subnet or VLAN, and then we can tightly control access into and out of that VLAN to ensure that only those users and applications that have an absolute need to communicate with these IoT devices can. Now, the second foundational security principle we need to cover is known as role-based access. There are several methods of conducting access control in a network, such as DAC, MAC, and RBAC. DAC, or discretionary access control, is an access control method where access is determined by the owner of that resource. This is discretionary, so for every file or folder on your shared drive, the owner who created it will assign the permission levels to other users on the system. The owner is going to be the one who decides who can read, write, and run these different types of files on that file server. Discretionary access control is commonly used because you have very granular control to be able to decide who has access to things that a user has created, and because the person who created it makes those decisions, they are the most knowledgeable in this area.
00:02:37,170 --> 00:03:32,040
There are two big challenges, though, when you use DAC. The first is that every object on the system has to have an owner, because if there's no owner, then nobody would know who has the right permissions to it, because the owner is the one who sets those permissions. The second problem is that you need to make sure that each owner determines the access rights and permissions for each of those objects. So if I'm the owner of a file and I never set permissions on it, this means that nobody's going to have access to be able to read that file. And if I set those permissions too tightly, then I would be keeping people out who may need to have access. Or if I set them up too loosely, everyone can now access it and read the contents of that file, eliminating my confidentiality and security. So the owner here really has a lot of control. In corporate or enterprise systems, this can be really dangerous, and you have to think about whether you really want to be using a discretionary model or one of our other choices. Now, our second model is what's known as MAC, or mandatory access control.
00:03:32,040 --> 00:04:25,140
MAC goes to the other extreme. With MAC, or mandatory access control, we have an access control policy where the computer system gets to decide who has access to what objects. So how does the computer do this? Well, with discretionary access control, you, the owner, were able to choose who got permissions, but in MAC, the computer's going to do that for you, and it does this through data labels. In MAC, data labels are going to create this trust level for all subjects and all objects, so that every person out there gets a label with their associated trust level. If we have a high trust level, a medium trust level, or a low trust level for them, then each data object gets a label as well, as either high, medium, or low trust, and then we just compare the labels to determine if somebody should be granted or denied access to a particular object. So how does this really work in the real world? Well, the most common use of mandatory access control is in the military, and they'd use this with their high-security systems.
00:04:25,140 --> 00:05:12,990
So if you've ever seen a war movie at any time in your life, you've probably seen the words "top secret" on some kind of document. Well, there are really four levels of documentation inside the military context. They have unclassified, confidential, secret, and top secret levels. Now, each person in the military is also assigned a clearance level that tells them what they're allowed to see. So maybe the private only gets to see confidential information, but the colonel gets to see top secret information, and the captain only gets to see secret information, and so on. Now, each person here has a label associated with them. This is their clearance, and this also gets associated with their account. Now, all the documents are also going to be labeled with whatever they're classified as, so they're either unclassified, confidential, secret, or top secret. Now, when a person wants to read a document, the label of their user account is going to be checked against the document's label.
00:05:12,990 --> 00:06:01,590
If your label is at or above the level of that clearance document, you're going to be able to read it. If not, you're going to be denied access. Now, this makes a lot of sense, because if you have a top secret clearance, you should be able to read top secret documents, but you should also be able to read secret, confidential, and unclassified documents, because top secret is a higher level than these other three. But if you have a confidential clearance, you would be denied access to secret and top secret data, because those are higher classifications than the clearance you hold. Now, in a MAC system, they're going to add another piece of information as well. This is that if you want to access something, you need to not just meet the minimum levels for it, but you also need to have what's known as a need to know. So for example, let's say we have two military members, an Army person and a Navy person, and they both have a top secret clearance. Now, I have this particular document that's about a Navy operation.
00:06:01,590 --> 00:06:53,130
In this case, the Army guy doesn't need to know about what's going on there, because he's not in the Navy and doesn't need to have access to this information. He doesn't have a need to know. So even though he has the clearance level of top secret, he doesn't have a need to know, and therefore he shouldn't have access. Now, with MAC, these labels can be very in-depth, and they can get very, very complicated. This is why MAC is not used in most enterprise networks and is reserved only for highly classified information within military systems. Now, the third type of access we have is known as RBAC, or role-based access control. Now, role-based access control is an access model that's controlled by the system like MAC, but instead of using labels, it's going to focus on a set of permissions instead of an individual's permissions. Now, we don't have to actually label each individual person on every single file. Instead, we're going to assign roles to these files, and then we're going to assign roles to these people.
00:06:53,130 --> 00:07:45,840
The way I like to think about this is that we create roles for each job function, and then we assign roles for each person's permissions to that particular object. For example, let's say you go into your company, and there's a sales department, a human resources department, and an IT department. Now we have these three departments sitting here. Do the salespeople need to have access to the human resources people's files? Probably not. Now, do the human resources people need to have access to the salespeople's files? Probably not again, right? Does the IT person need to have access to everybody's files? Probably, if they're going to be doing all the data backups and maintenance and things like that, right? So essentially, what we're going to do is create these different groups, and then these groups are going to get a set of permissions, and those are going to be applied to the different files and folders. When we do this, we add or remove people from the roles instead of from those particular files. By using role-based access controls, we are going to be using a best practice inside of the cybersecurity industry.
00:07:45,840 --> 00:08:35,760
Now, if I have a file on the shared drive, and you see that Jason was added to it individually, you would flag this as a bad practice, because we're not using role-based access, and instead we're using discretionary access control. Now, in role-based access control, we're instead going to have an owners group instead of an individual person. We're also going to have an admin group, and we're going to have an IT group, and we're going to have a sales group, and we're going to put all the people who have the same type of job and the same functions into the same type of group. This makes it much easier to control our permissions based around the concept of least privilege, because we're relating it to the permissions required to actually do your job. Always ask yourself, what is the role of the person that is going to be using this file? Based on that, assign them to the right group with the right permissions that are going to do that thing using those job functions. Let me give you a great example of this. There's a role-based group called Power Users inside of a Windows system.
00:08:35,760 --> 00:09:15,033
Now, power users are people who aren't a normal user, but they're also not a normal administrator either. They're somewhere in the middle. For example, an administrator might have full access to do whatever they want on a system, whereas a user might only be able to operate the programs that currently exist, but they can't make configuration changes like changing the time or adding a printer. Well, a power user has a little bit more permissions than a regular user, and they could do things like changing the time or adding a printer to the network, but they don't have full administrative rights like an administrator would. So we could put different users into that Power Users group, and they'll be able to inherit those permissions and be able to do just those functions that are necessary to add things like printers or make minor system changes like the time.
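As an added example (not part of the lesson), here is a small Python policy engine that makes the lesson's MAC check (clearance level plus need-to-know) and its RBAC check (permissions on groups, users only in groups) concrete, and audits a share's ACL for the "user added individually" pattern the lesson flags. The user, role, share and compartment names are constructed for illustration.

```python
"""Added example, not from the lesson: a minimal policy engine modelling the two
system-enforced access models described, mandatory access control (clearance
level plus need-to-know) and role-based access control (permissions attached to
roles, never to individual users). All names and labels are constructed."""
from dataclasses import dataclass

# Ordered classification levels from the lesson; a higher index dominates a lower one.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    level: str                              # clearance (subject) or classification (object)
    compartments: frozenset = frozenset()   # need-to-know categories, e.g. {"navy-ops"}


def mac_can_read(subject: Label, obj: Label) -> bool:
    """MAC read check: the subject's clearance must be at or above the object's
    classification AND the subject must hold every compartment the object is
    tagged with (the lesson's 'need to know')."""
    level_ok = LEVELS.index(subject.level) >= LEVELS.index(obj.level)
    need_to_know_ok = obj.compartments <= subject.compartments
    return level_ok and need_to_know_ok


# RBAC: permissions live on roles; users only receive role memberships.
ROLE_PERMS = {
    "sales": {("sales_share", "read"), ("sales_share", "write")},
    "hr": {("hr_share", "read"), ("hr_share", "write")},
    "it": {("sales_share", "read"), ("hr_share", "read"), ("backup", "run")},
}
USER_ROLES = {"alice": {"sales"}, "bob": {"hr"}, "carol": {"it"}}


def rbac_allowed(user: str, resource: str, action: str) -> bool:
    """RBAC check: allowed iff some role the user holds grants (resource, action)."""
    return any((resource, action) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


def audit_direct_grants(acl: dict) -> list:
    """Flag ACL entries granted to an individual user instead of a role, the
    'Jason was added individually' anti-pattern. acl maps resource -> list of
    (principal, action); principals that are role names pass, anything else is reported."""
    findings = []
    for resource, entries in acl.items():
        for principal, action in entries:
            if principal not in ROLE_PERMS:
                findings.append(f"{resource}: direct grant of {action} to user '{principal}'")
    return findings


if __name__ == "__main__":
    navy_doc = Label("top secret", frozenset({"navy-ops"}))
    army_ts = Label("top secret")                          # cleared, but no need to know
    navy_ts = Label("top secret", frozenset({"navy-ops"}))
    print(mac_can_read(navy_ts, navy_doc), mac_can_read(army_ts, navy_doc))   # True False
    print(mac_can_read(Label("confidential"), Label("secret")))               # False
    print(rbac_allowed("alice", "hr_share", "read"), rbac_allowed("carol", "hr_share", "read"))
    print(audit_direct_grants({"sales_share": [("sales", "read"), ("jason", "read")]}))
```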