WEBVTT

00:00.000 --> 00:02.340
>> Hi everybody. I always like

00:02.340 --> 00:04.710
beginning security
discussions with the risk.

00:04.710 --> 00:08.605
Because information security
is risk management.

00:08.605 --> 00:10.740
Start by looking at your assets

00:10.740 --> 00:12.210
and what they are worth.

00:12.210 --> 00:13.230
Look at the threats and

00:13.230 --> 00:15.330
vulnerabilities and
figure out what the

00:15.330 --> 00:19.155
potential for loss is based
on probability and impact.

00:19.155 --> 00:21.000
Then make a good decision

00:21.000 --> 00:22.440
based on the potential value for

00:22.440 --> 00:25.575
loss and what a good
countermeasure would be,

00:25.575 --> 00:29.295
and of course, continue to
monitor for risk after that.

00:29.295 --> 00:31.890
If we look at this a little
bit more specifically,

00:31.890 --> 00:33.945
in the realm of
information security,

00:33.945 --> 00:36.300
we have to start with
the very beginning.

00:36.300 --> 00:38.895
Here we look at the CIA triad,

00:38.895 --> 00:42.305
confidentiality, integrity,
and availability.

00:42.305 --> 00:44.860
Those are the three
tenets of security.

00:44.860 --> 00:47.545
When we talk about
securing an organization,

00:47.545 --> 00:50.185
those are the three
services we're focused on.

00:50.185 --> 00:52.330
Now the problem is that security

00:52.330 --> 00:53.754
always costs something.

00:53.754 --> 00:56.290
There's always a
trade-off for security.

00:56.290 --> 00:59.320
Usually that trade-off
is performance.

00:59.320 --> 01:01.870
Security usually
slows things down.

01:01.870 --> 01:03.675
Sometimes it costs money.

01:03.675 --> 01:05.200
Sometimes you have to upgrade

01:05.200 --> 01:07.915
components or pay for
security devices.

01:07.915 --> 01:10.755
But performance is
the key trade-off.

01:10.755 --> 01:13.570
What we have to find out is
what is the right amount of

01:13.570 --> 01:16.330
security based on the
needs for performance.

01:16.330 --> 01:18.340
We also take into consideration

01:18.340 --> 01:20.229
cost and user acceptance.

01:20.229 --> 01:22.240
But we're mainly
looking for that balance

01:22.240 --> 01:25.240
between security
and performance.

01:25.940 --> 01:28.640
Let's look at confidentiality

01:28.640 --> 01:30.500
and some of the
threats against it.

01:30.500 --> 01:33.505
The greatest threat is
social engineering.

01:33.505 --> 01:36.970
Social engineering is
all about impersonation.

01:36.970 --> 01:38.660
Impersonating someone to get

01:38.660 --> 01:40.129
access to certain knowledge,

01:40.129 --> 01:43.550
system ability in
a room and so forth.

01:43.550 --> 01:46.280
Phishing is a very
specific type of

01:46.280 --> 01:47.390
social engineering that is

01:47.390 --> 01:49.054
commonly done through e-mail.

01:49.054 --> 01:51.530
The PH in phishing
is a throwback to

01:51.530 --> 01:52.910
the fact that it used to be

01:52.910 --> 01:55.060
very common on the phone system.

01:55.060 --> 01:57.170
We used to get these
calls soliciting

01:57.170 --> 02:00.425
donations or other
fraudulent activities.

02:00.425 --> 02:03.590
Now e-mail is the
main market for this.

02:03.590 --> 02:06.980
Phishing is based on the idea
that it's indiscriminate.

02:06.980 --> 02:10.000
An attacker sends a
massive e-mail

02:10.000 --> 02:12.140
and casts a large enough net

02:12.140 --> 02:14.765
that he catches something.

02:14.765 --> 02:17.240
A spammer purchases
a mailing list

02:17.240 --> 02:19.915
and sends the message
out to everyone.

02:19.915 --> 02:23.030
One type of phishing is
called spear phishing.

02:23.030 --> 02:24.830
This means it's targeted.

02:24.830 --> 02:27.830
The attacker's targeting
a demographic group or

02:27.830 --> 02:29.600
a specific organization and

02:29.600 --> 02:32.125
hopes that he is more
likely to be successful.

02:32.125 --> 02:35.540
A specific type of spear
phishing is called whaling.

02:35.540 --> 02:37.790
This is when the spear
phishing is focused

02:37.790 --> 02:39.860
on ensnaring senior leaders.

02:39.860 --> 02:42.050
Now, senior leaders sometimes

02:42.050 --> 02:43.460
insist on having access to

02:43.460 --> 02:45.920
everything but
sometimes they don't have

02:45.920 --> 02:47.780
time to get the
security training

02:47.780 --> 02:49.270
that everyone else gets,

02:49.270 --> 02:50.870
and you'd think they
would be the most

02:50.870 --> 02:52.445
focused on avoiding risk.

02:52.445 --> 02:54.470
But that's not always the case.

02:54.470 --> 02:57.875
This might be why whaling
attacks are successful.

02:57.875 --> 03:00.380
Now going back to the
idea of phishing,

03:00.380 --> 03:02.035
we also have vishing.

03:02.035 --> 03:04.100
The idea here is
that the attacker

03:04.100 --> 03:06.590
exploits voice over IP systems.

03:06.590 --> 03:08.540
With caller ID, you
would think that

03:08.540 --> 03:10.580
you could detect
this type of attack.

03:10.580 --> 03:12.110
But phone numbers are as

03:12.110 --> 03:14.119
easy to spoof
as anything else.

03:14.119 --> 03:16.010
That is not always
a perfect way to

03:16.010 --> 03:18.185
detect these types of attacks.

03:18.185 --> 03:22.015
Another threat to
confidentiality is media reuse.

03:22.015 --> 03:25.295
This is where we store
information on a removable drive,

03:25.295 --> 03:28.300
like a thumb drive or a
removable hard drive.

03:28.300 --> 03:29.870
Or maybe people are sharing

03:29.870 --> 03:31.985
a laptop or some other device.

03:31.985 --> 03:35.675
If that hardware or a media
is not properly sanitized,

03:35.675 --> 03:37.370
we might be
inadvertently passing

03:37.370 --> 03:39.965
information from one
individual to another.

03:39.965 --> 03:43.295
Sanitizing media is
really critical.

03:43.295 --> 03:46.535
One of the ways we could
do this is zeroisation,

03:46.535 --> 03:48.905
where we overwrite the
drive with zeros.

03:48.905 --> 03:51.260
It's fine in loose
security environments.

03:51.260 --> 03:53.600
But one thing about
zeroisation is that it's

03:53.600 --> 03:56.260
not good enough for really
sensitive information.

03:56.260 --> 03:59.565
For that, the best thing
is physical destruction.

03:59.565 --> 04:01.010
That's the only way to make

04:01.010 --> 04:03.040
sure that the data
remnants are gone.

04:03.040 --> 04:05.630
Because if an attacker
has the right equipment,

04:05.630 --> 04:07.010
he can still retrieve data

04:07.010 --> 04:09.440
from a disk that's
been zeroised.

04:09.440 --> 04:11.870
Another point to make
is that if you're

04:11.870 --> 04:14.015
storing sensitive
information in the Cloud,

04:14.015 --> 04:16.795
you can't do any
physical sanitization.

04:16.795 --> 04:19.600
For that there is something
called crypto shredding.

04:19.600 --> 04:21.950
This involves encrypting
the entire disk with

04:21.950 --> 04:24.440
a really strong publicly
known algorithm.

04:24.440 --> 04:25.820
One of the things you'll find

04:25.820 --> 04:27.170
that people in security prefer

04:27.170 --> 04:30.695
is open as opposed to
closed architecture.

04:30.695 --> 04:33.680
Ideally, the algorithm
is one that's

04:33.680 --> 04:36.680
tried and true and has been
around for a long time.

04:36.680 --> 04:39.695
When we use this algorithm
we destroy the key.

04:39.695 --> 04:41.330
We would never keep the key on

04:41.330 --> 04:44.140
the same volume that we keep
the encrypted information.

04:44.140 --> 04:47.920
That's how we destroy remnants
in a Cloud environment.

04:47.980 --> 04:51.710
Eavesdropping is the next
threat to confidentiality.

04:51.710 --> 04:53.150
Here we don't mean people

04:53.150 --> 04:55.090
listening on phone
conversations.

04:55.090 --> 04:57.205
We mean technical eavesdropping.

04:57.205 --> 04:59.644
This means sniffers
like Wireshark.

04:59.644 --> 05:03.380
Another name for sniffer
is a protocol analyzer.

05:03.380 --> 05:06.785
You may hear it called a network
or a packet analyzer.

05:06.785 --> 05:08.720
But the idea is that an attacker

05:08.720 --> 05:10.340
has a device on the network that

05:10.340 --> 05:12.320
captures traffic
and software that

05:12.320 --> 05:14.830
allows the attacker
to view the traffic.

05:14.830 --> 05:16.670
The easy way to defend against

05:16.670 --> 05:18.710
eavesdropping is
encrypting your data.

05:18.710 --> 05:20.930
Also, you can keep the
really sensitive stuff

05:20.930 --> 05:23.210
from traversing the
network at all.

05:23.210 --> 05:26.090
We want to make sure that
we're aware of these threats,

05:26.090 --> 05:28.040
and we also want to
have a good idea of

05:28.040 --> 05:29.810
how to mitigate against them.

05:29.810 --> 05:31.040
With social engineering,

05:31.040 --> 05:33.185
your best method is
through training.

05:33.185 --> 05:36.140
Another way is to use
separation of duties because

05:36.140 --> 05:37.640
a person can't give an attacker

05:37.640 --> 05:39.710
information if they
don't have it.

05:39.710 --> 05:42.740
For media reuse, we
make sure we sanitize

05:42.740 --> 05:46.770
the media and for eavesdropping,
we encrypt our data.

