WEBVTT

00:00.000 --> 00:03.465
>> Okay guys, we're moving
on to the next chapter.

00:03.465 --> 00:05.564
Operational security.

00:05.564 --> 00:07.920
Operational security
has to do with

00:07.920 --> 00:11.160
those things we do day-to-day
for network security.

00:11.160 --> 00:12.839
As part of this section,

00:12.839 --> 00:15.180
we'll be thinking about
things like redundancy,

00:15.180 --> 00:18.225
policies and procedures,
continuity planning,

00:18.225 --> 00:21.490
incident response,
and monitoring.

00:23.120 --> 00:25.020
In this chapter,

00:25.020 --> 00:27.029
these are the topics
we'll be covering.

00:27.029 --> 00:28.725
>> Personnel security.

00:28.725 --> 00:30.180
It's really important to get

00:30.180 --> 00:32.050
our policies and
procedures in place

00:32.050 --> 00:33.510
and we want to make sure we have

00:33.510 --> 00:35.860
the right policies for
the right environment.

00:35.860 --> 00:38.450
Reducing the attack surface.

00:38.450 --> 00:40.850
This is about
hardening our systems

00:40.850 --> 00:43.100
and making our surface
harder to attack.

00:43.100 --> 00:44.780
The idea is that if you have

00:44.780 --> 00:46.790
a very wide range
of applications

00:46.790 --> 00:50.525
and services and many
ports open and so forth,

00:50.525 --> 00:53.045
there is a greater
chance for compromise.

00:53.045 --> 00:56.120
But if you reduce that
landscape or surface,

00:56.120 --> 00:59.000
it is harder to
attack your systems.

00:59.000 --> 01:02.960
Incident response and
forensic investigations.

01:02.960 --> 01:05.810
Here we'll talk about
monitoring the network and

01:05.810 --> 01:08.540
determining what is an
attack and what isn't,

01:08.540 --> 01:12.305
and what to do from
there. Fault tolerance.

01:12.305 --> 01:14.600
This is redundancy
and getting rid of

01:14.600 --> 01:17.300
those single points of
failure on the network.

01:17.300 --> 01:21.760
Virtualization and cloud
services go hand in hand.

01:21.760 --> 01:24.735
BCP and DRP.

01:24.735 --> 01:27.335
This is business
continuity planning

01:27.335 --> 01:30.450
and disaster recovery planning.

01:32.750 --> 01:36.110
Let's get started with
personnel security.

01:36.110 --> 01:38.615
The greatest weakness
to any organization

01:38.615 --> 01:40.630
comes from the inside.

01:40.630 --> 01:44.720
We have to be particularly
careful with our employees.

01:44.720 --> 01:47.570
We need a robust screening
program for hiring

01:47.570 --> 01:50.525
them and a good
onboarding process,

01:50.525 --> 01:53.045
as well as a good
offboarding process

01:53.045 --> 01:56.075
when they separate
from the organization.

01:56.075 --> 01:59.945
Non-disclosure
agreements, or NDAs,

01:59.945 --> 02:02.300
give us a way to ask
employees not to release

02:02.300 --> 02:05.905
proprietary information
about our organization.

02:05.905 --> 02:09.110
Employees in an
NDA commit not to

02:09.110 --> 02:10.445
disclose this information to

02:10.445 --> 02:13.350
anyone outside the organization.

02:13.970 --> 02:17.675
AUPs or acceptable use policies

02:17.675 --> 02:21.215
are for detailing how company
resources are to be used.

02:21.215 --> 02:23.840
For example, whether
you are allowed

02:23.840 --> 02:26.300
to print personal documents
on the company printer,

02:26.300 --> 02:28.070
and other rules
that govern the use

02:28.070 --> 02:30.520
of company property
and equipment.

02:30.520 --> 02:32.580
Privacy here refers to

02:32.580 --> 02:33.890
our employees' privacy and

02:33.890 --> 02:35.780
the organization's obligation to

02:35.780 --> 02:38.000
inform employees about
any monitoring that

02:38.000 --> 02:41.089
the company does on the
use of its systems.

02:41.089 --> 02:43.250
The organization should notify

02:43.250 --> 02:44.270
employees of how they are

02:44.270 --> 02:45.890
monitored and how the use of

02:45.890 --> 02:49.030
the organization's
equipment is monitored.

02:49.030 --> 02:52.055
Another item here is training.

02:52.055 --> 02:54.140
Training goes a long
way to preventing

02:54.140 --> 02:57.050
fraudulent activity
and security incidents.

02:57.050 --> 02:59.570
I mentioned earlier that
social engineering is

02:59.570 --> 03:02.150
such a major threat to
organizations today.

03:02.150 --> 03:04.730
That's where training can
really help to inform

03:04.730 --> 03:08.125
employees of what to
watch out for and avoid.

03:08.125 --> 03:11.210
Then of course, we
have to have policies,

03:11.210 --> 03:13.865
procedures, standards,
and guidelines.

03:13.865 --> 03:15.290
So, senior management can

03:15.290 --> 03:18.120
state how the
organization should work.

03:18.340 --> 03:21.410
Usually when you're
dealing with policies,

03:21.410 --> 03:23.090
you're talking about
organizational

03:23.090 --> 03:24.935
or corporate policies.

03:24.935 --> 03:27.935
Or corporate policies
like, for example,

03:27.935 --> 03:29.130
a policy to encrypt

03:29.130 --> 03:32.810
all personally identifiable
information on the network.

03:32.810 --> 03:35.570
We might also have to
have certain policies for

03:35.570 --> 03:39.830
specific systems as well
as for specific issues.

03:39.830 --> 03:43.190
A system-related policy might
have to do with who gets

03:43.190 --> 03:47.435
access to certain systems
and at what level.

03:47.435 --> 03:50.990
An issue-specific policy is
like the one I mentioned

03:50.990 --> 03:54.020
earlier related to
acceptable use, so,

03:54.020 --> 03:56.270
in that example, it would
state how a piece of

03:56.270 --> 03:57.950
equipment or a system should

03:57.950 --> 04:00.720
be used and the
rules around that.

