WEBVTT

00:00.000 --> 00:03.135
>> Hi, everybody. For all
the security principles

00:03.135 --> 00:04.575
in the CIA triad,

00:04.575 --> 00:07.319
we have to remember
some security concepts.

00:07.319 --> 00:09.780
First of all, security through

00:09.780 --> 00:12.434
obscurity is not security.

00:12.434 --> 00:15.360
There's two schools of
thought with software security.

00:15.360 --> 00:16.755
There's open code,

00:16.755 --> 00:18.360
so that folks can
look at the code

00:18.360 --> 00:19.709
and recommend changes.

00:19.709 --> 00:23.610
For example, TCP/IP
is an open protocol,

00:23.610 --> 00:26.745
Unix and Linux are open
operating systems,

00:26.745 --> 00:29.010
or the alternative
is to have closed

00:29.010 --> 00:31.575
and proprietary code
like Microsoft.

00:31.575 --> 00:33.390
The thought with closed code,

00:33.390 --> 00:35.805
if you can't see it,
you can't break it.

00:35.805 --> 00:38.190
But that is security
through obscurity,

00:38.190 --> 00:42.030
and it doesn't work.
We prefer openness.

00:42.030 --> 00:45.220
Another idea is
security by design.

00:45.220 --> 00:47.405
We design a product
to be secure.

00:47.405 --> 00:48.950
Instead of coming along later,

00:48.950 --> 00:51.500
and realizing that
something is not secure.

00:51.500 --> 00:53.720
We start by thinking
about security from

00:53.720 --> 00:56.330
the very beginning in the
design of our products.

00:56.330 --> 00:58.100
We haven't always done this.

00:58.100 --> 01:01.400
For example, IP, HTTP,

01:01.400 --> 01:04.985
FTP, these are all protocols
that are not secure.

01:04.985 --> 01:06.965
They had to be
made secure later,

01:06.965 --> 01:09.235
after they were designed.

01:09.235 --> 01:11.970
Then last but not least,

01:11.970 --> 01:14.805
layered defense is
a security concept.

01:14.805 --> 01:17.450
Here, we make an attacker
go through a series of

01:17.450 --> 01:20.225
controls and you make
those controls different.

01:20.225 --> 01:22.415
If you think about
physical security,

01:22.415 --> 01:24.694
you don't just have
multiple fences.

01:24.694 --> 01:26.540
Instead you have fences,

01:26.540 --> 01:28.550
but also security guards,

01:28.550 --> 01:32.945
swipe card access, maybe
biometric scans, etc.

01:32.945 --> 01:35.060
You can apply the
same principle for

01:35.060 --> 01:38.490
securing our data
and our systems.

01:40.010 --> 01:42.620
That wraps up some
of those principles

01:42.620 --> 01:44.345
and basics of security.

01:44.345 --> 01:46.820
Always go back to the CIA triad,

01:46.820 --> 01:50.240
confidentiality, integrity,
and availability.

01:50.240 --> 01:52.325
Those are tenets of security

01:52.325 --> 01:54.350
and we always want
to protect them.

01:54.350 --> 01:57.005
Watch for threats like
social engineering.

01:57.005 --> 01:59.755
Consider what happens
to your data remnants.

01:59.755 --> 02:01.710
With integrity, we think about

02:01.710 --> 02:05.805
modifications so we use
hashes or digital signatures.

02:05.805 --> 02:08.150
Then when we think
about availability,

02:08.150 --> 02:10.205
we think about
denial-of-service,

02:10.205 --> 02:14.070
so we make sure we have
redundancy in place.

