WEBVTT

00:00.000 --> 00:02.220
>> After talking in
the last section about

00:02.220 --> 00:05.070
the importance of diagrams,
change management,

00:05.070 --> 00:07.680
and configuration management
in your workplace,

00:07.680 --> 00:08.760
we're now going to look at

00:08.760 --> 00:11.744
>> some other policies
and best practices.

00:11.744 --> 00:13.290
>> Starting off, we want

00:13.290 --> 00:15.194
>> to talk about our
privileged users.

00:15.194 --> 00:17.745
>> In Unix, we have
root and in Windows,

00:17.745 --> 00:18.553
we have administrator.

00:18.553 --> 00:21.574
>> Those are two
all-powerful accounts,

00:21.574 --> 00:23.410
>> or at least they can be.

00:23.410 --> 00:25.495
What we want to do is monitor

00:25.495 --> 00:29.420
these accounts and limit
administrative privileges.

00:29.420 --> 00:32.525
We don't want a single
individual to be all powerful.

00:32.525 --> 00:34.625
Rather than having
a single admin,

00:34.625 --> 00:36.500
we want to split
administrative efforts

00:36.500 --> 00:38.470
across multiple administrators.

00:38.470 --> 00:40.625
We want to make sure
that, for instance,

00:40.625 --> 00:42.439
if someone can lock
user accounts,

00:42.439 --> 00:44.600
somebody different
can unlock them.

00:44.600 --> 00:47.670
That goes in with separation
of duties as well.

00:48.280 --> 00:51.469
We always have to talk
about password policies

00:51.469 --> 00:53.630
>> because passwords are
really the weakest link

00:53.630 --> 00:55.250
>> in most environments today.

00:55.250 --> 00:58.160
It really needs to be
stressed that passwords alone

00:58.160 --> 00:59.360
are no longer providing

00:59.360 --> 01:01.160
the amount of security
that we need.

01:01.160 --> 01:02.960
Any eight-character password

01:02.960 --> 01:05.034
>> can be compromised
in a matter of days.

01:05.034 --> 01:06.920
>> If we're going
to use passwords,

01:06.920 --> 01:07.580
we want to bring in

01:07.580 --> 01:09.859
>> some other factor
of authentication.

01:09.859 --> 01:12.200
>> Smartcards,
biometrics, tokens,

01:12.200 --> 01:13.790
any additional security

01:13.790 --> 01:16.899
>> and multi-factor
authentication is best.

01:16.899 --> 01:19.610
>> For passwords, we do
want to include rules

01:19.610 --> 01:20.330
>> and make sure that we're

01:20.330 --> 01:22.130
>> securing our passwords
and encouraging

01:22.130 --> 01:23.980
our users to use
strong passwords.

01:23.980 --> 01:26.330
What's very interesting
is this list at

01:26.330 --> 01:27.770
one time was thought to be

01:27.770 --> 01:29.725
the best practice for passwords.

01:29.725 --> 01:32.150
NIST has actually now come out

01:32.150 --> 01:34.250
>> and said, those suggestions

01:34.250 --> 01:35.674
>> that we gave
you for passwords,

01:35.674 --> 01:36.320
>> we were wrong.

01:36.320 --> 01:40.310
>> Take some time to Google
NIST passwords revised

01:40.310 --> 01:42.244
>> or password policy revised.

01:42.244 --> 01:44.450
>> Basically what NIST is saying

01:44.450 --> 01:46.190
>> is that we've
traditionally accidentally

01:46.190 --> 01:48.080
>> made passwords
easier for attackers

01:48.080 --> 01:50.500
to guess and harder
for us to remember.

01:50.500 --> 01:52.910
Most of the software
that attackers are going

01:52.910 --> 01:55.760
to use already scans
for upper and lowercase

01:55.760 --> 01:59.319
>> and alphanumeric and
non-alphanumeric characters.

01:59.319 --> 02:01.400
>> Just by adding these
and making these more

02:01.400 --> 02:03.815
complex does not make
them more secure.

02:03.815 --> 02:05.840
It's important to
understand complexity

02:05.840 --> 02:08.079
>> does not equal security.

02:08.079 --> 02:10.830
>> What NIST is recommending now

02:10.830 --> 02:13.040
>> is to force people to
have longer passwords

02:13.040 --> 02:15.724
>> rather than more
complex passwords.

02:15.724 --> 02:18.480
>> Ultimately, that is
what adds the entropy

02:18.480 --> 02:19.940
>> to password cracking,

02:19.940 --> 02:21.604
>> which makes it
more difficult.

02:21.604 --> 02:23.570
>> If possible, get
away from making

02:23.570 --> 02:24.800
these passwords so difficult

02:24.800 --> 02:26.254
>> that people write them down,

02:26.254 --> 02:28.231
>> tell users to
pick up four words.

02:28.231 --> 02:31.264
>> Those four words
together are your password.

02:31.264 --> 02:32.720
>> I'm going to
get something like

02:32.720 --> 02:34.835
30-some characters
just on average.

02:34.835 --> 02:36.440
That makes it very difficult for

02:36.440 --> 02:38.480
an attacker to
compromise passwords.

02:38.480 --> 02:39.560
We need to get away from

02:39.560 --> 02:42.390
this single-factor
authentication.

02:43.010 --> 02:46.610
We need policies for
onboarding and offboarding,

02:46.610 --> 02:48.515
bringing people into
our environment,

02:48.515 --> 02:50.210
but also handling
it professionally

02:50.210 --> 02:52.255
when people leave our
environment as well.

02:52.255 --> 02:54.120
We've got to have a process.

02:54.120 --> 02:55.850
For onboarding, we
want to make sure that

02:55.850 --> 02:58.085
we check references,
certifications,

02:58.085 --> 02:59.990
meet with employees,
have them sign

02:59.990 --> 03:01.910
non-disclosure
agreements and that

03:01.910 --> 03:03.670
we go over the
employee handbook.

03:03.670 --> 03:05.165
When people are leaving,

03:05.165 --> 03:07.430
whether voluntarily or
through termination,

03:07.430 --> 03:09.140
we also need a
professional process

03:09.140 --> 03:10.460
>> that's documented
to make sure

03:10.460 --> 03:13.089
>> we retrieve any
company material.

03:13.089 --> 03:15.290
>> We revoke credentials, remind

03:15.290 --> 03:16.670
employees of their
non-disclosure

03:16.670 --> 03:17.960
agreement that was signed,

03:17.960 --> 03:22.140
and conduct any exit
interviews as necessary.

03:22.420 --> 03:26.285
We have to be aware in an
organization about licensing.

03:26.285 --> 03:27.830
At one time there was a lot

03:27.830 --> 03:29.320
of funny business
in organizations

03:29.320 --> 03:30.740
about software licensing

03:30.740 --> 03:33.140
>> and it only took so many
disgruntled employees

03:33.140 --> 03:35.420
>> before organizations
realized the importance of

03:35.420 --> 03:38.195
>> making sure that their
software is properly licensed.

03:38.195 --> 03:40.790
Vendors will come in
and conduct audits

03:40.790 --> 03:43.340
>> and fine you quite
substantially in the event that

03:43.340 --> 03:45.610
>> the licensing isn't
handled properly.

03:45.610 --> 03:46.760
We want to make sure

03:46.760 --> 03:49.010
>> that we keep track of
our software licenses

03:49.010 --> 03:51.200
>> and there's a process
in place to guarantee

03:51.200 --> 03:54.060
>> we're not using
unlicensed software.

03:54.640 --> 03:58.475
Data loss prevention systems
are very helpful tools.

03:58.475 --> 04:00.590
The purpose here is to
detect and possibly

04:00.590 --> 04:03.575
prevent exfiltration
of data from the network,

04:03.575 --> 04:05.555
also known as data loss.

04:05.555 --> 04:07.640
You may also hear it
called data leakage.

04:07.640 --> 04:10.070
>> What these systems
do is they look for

04:10.070 --> 04:11.937
>> certain types or
formats of data.

04:11.937 --> 04:14.090
>> They can prevent
those data types

04:14.090 --> 04:17.270
>> from being printed, emailed,
or exfiltrated off

04:17.270 --> 04:18.988
>> the network and sent
through the Internet.

04:18.988 --> 04:21.710
>> The types of information
they would look for

04:21.710 --> 04:23.300
>> specifically would be things

04:23.300 --> 04:24.905
like Social Security numbers,

04:24.905 --> 04:26.150
credit card information,

04:26.150 --> 04:27.650
>> or any other information

04:27.650 --> 04:29.120
>> that we really
want to keep tabs on

04:29.120 --> 04:31.950
>> and to make sure it
doesn't leave our network.

04:32.149 --> 04:36.185
>> We have to think about
mobile device policies.

04:36.185 --> 04:38.840
People want their devices
brought into the network.

04:38.840 --> 04:40.145
I want to use my tablet,

04:40.145 --> 04:43.370
my smartphone, bring my
laptop from home, and so on.

04:43.370 --> 04:45.020
What we have to consider
is the fact that

04:45.020 --> 04:47.269
>> when these systems are
not under our control,

04:47.269 --> 04:49.040
>> we don't really know
what happens with them

04:49.040 --> 04:49.970
>> or what they're used for

04:49.970 --> 04:52.069
>> outside of our
work environment.

04:52.069 --> 04:54.935
>> Even though this is
becoming very prevalent,

04:54.935 --> 04:56.810
there are certain ways that
are better than others

04:56.810 --> 04:59.209
>> to address the idea of
bringing your own device.

04:59.209 --> 05:02.300
>> For one, we can
isolate BYOD devices

05:02.300 --> 05:03.699
>> to their own subnet.

05:03.699 --> 05:06.680
>> We create a VLAN for
bring-your-own devices.

05:06.680 --> 05:08.930
People can come in and
access the Internet,

05:08.930 --> 05:11.285
but can't interface with
the corporate network.

05:11.285 --> 05:13.040
That's really good
for Wi-Fi clients

05:13.040 --> 05:14.210
>> where people just
want to come in

05:14.210 --> 05:17.100
>> and browse the Internet
on their phone or tablet.

05:17.209 --> 05:19.790
>> There are some
other implementations,

05:19.790 --> 05:21.870
like personally owned
corporate enabled.

05:21.870 --> 05:24.305
Essentially it's enabled
for use in the workplace,

05:24.305 --> 05:25.735
but it is your device.

05:25.735 --> 05:28.355
Whereas corporate owned,
personally enabled,

05:28.355 --> 05:29.570
the company owns the device.

05:29.570 --> 05:31.490
But they let you take it
home, for instance.

05:31.490 --> 05:32.486
Here's your laptop.

05:32.486 --> 05:33.770
>> You can take it home.

05:33.770 --> 05:35.344
>> You can use it
for personal use,

05:35.344 --> 05:37.295
>> but the company
remains the owner of it.

05:37.295 --> 05:39.050
Sometimes organizations
will let you

05:39.050 --> 05:41.464
>> choose your own device, CYOD.

05:41.464 --> 05:43.940
>> These are all
variations on this.

05:43.940 --> 05:45.680
Whatever it is, we
need to realize

05:45.680 --> 05:47.240
that there is an additional
threat that comes

05:47.240 --> 05:49.010
>> from allowing
systems on our network

05:49.010 --> 05:50.000
>> that aren't controlled

05:50.000 --> 05:52.614
>> from a corporate
policy to some BYOD.

05:52.614 --> 05:58.310
>> Another important policy,
acceptable use policy, AUPs.

05:58.310 --> 06:00.500
The purpose of an
acceptable use policy

06:00.500 --> 06:01.700
is to lay out the rules

06:01.700 --> 06:03.320
that we place on end users in

06:03.320 --> 06:05.330
relation to company resources.

06:05.330 --> 06:07.990
Can you print to the company
printer for personal use?

06:07.990 --> 06:09.890
Can you make long
distance phone calls

06:09.890 --> 06:11.497
>> on the company dime?

06:11.497 --> 06:11.960
>> They should all be

06:11.960 --> 06:14.735
>> clarified in the
acceptable use policy.

06:14.735 --> 06:17.555
With NDAs, non-disclosure
agreements,

06:17.555 --> 06:18.427
we want to make sure that

06:18.427 --> 06:19.520
>> our employees have committed

06:19.520 --> 06:21.110
>> in legally binding
writing to not

06:21.110 --> 06:23.164
>> disclose any company secrets.

06:23.164 --> 06:25.879
That's unilateral,
one direction,

06:25.879 --> 06:27.380
or the company can expose

06:27.380 --> 06:29.900
the secrets of the
employee and vice versa.

06:29.900 --> 06:31.550
That might be in an environment

06:31.550 --> 06:33.950
where an employee is bringing
copyrighted material

06:33.950 --> 06:36.259
>> or providing some
additional expertise.

06:36.259 --> 06:38.870
>> Multilateral means that
non-disclosure agreement

06:38.870 --> 06:42.810
applies to multiple resources
within the organization.

