WEBVTT

00:00.000 --> 00:03.690
>> Course recap. The
learning objective

00:03.690 --> 00:06.170
for this lesson is to review
key course components.

00:06.170 --> 00:09.810
Let's get started. You made
it to the end of the course.

00:09.810 --> 00:12.555
What I want to do in this
lesson is help reinforce

00:12.555 --> 00:14.010
a lot of the items that we went

00:14.010 --> 00:15.750
through in the entire course,

00:15.750 --> 00:16.770
but these are going to be

00:16.770 --> 00:19.155
key things for you to
remember for the exam.

00:19.155 --> 00:20.850
We're going to start
off with risk.

00:20.850 --> 00:23.955
Because in cybersecurity,
everything starts with risk.

00:23.955 --> 00:25.290
We can't formulate a response

00:25.290 --> 00:27.165
if we don't know
what our risk is.

00:27.165 --> 00:30.220
The definition of risk
for the exam purpose is,

00:30.220 --> 00:32.400
risk is a measure
of the impact and

00:32.400 --> 00:33.540
the likelihood that a threat

00:33.540 --> 00:34.900
will exploit a vulnerability.

00:34.900 --> 00:37.230
The key components are
highlighted in pink.

00:37.230 --> 00:39.830
Likelihood is how realistic
is the threat to occur,

00:39.830 --> 00:42.195
is it highly likely
or is it less likely?

00:42.195 --> 00:45.135
Impact is if the
risk were to happen,

00:45.135 --> 00:47.180
how bad would it be
for the organization?

00:47.180 --> 00:49.940
Are we talking about
loss of money?

00:49.940 --> 00:52.535
Are we talking about
loss of reputation,

00:52.535 --> 00:54.860
loss of customers?
That type of thing.

00:54.860 --> 00:56.555
Then when we're measuring risk,

00:56.555 --> 00:58.025
we have two types of analysis.

00:58.025 --> 01:00.230
These are the quantitative
and the qualitative.

01:00.230 --> 01:02.360
Quantitative always
uses numbers.

01:02.360 --> 01:04.550
If you have a question on the
test and it's asking you to

01:04.550 --> 01:07.460
calculate something based
on a number for risk,

01:07.460 --> 01:09.550
then you know that's a
quantitative analysis,

01:09.550 --> 01:11.030
if it's asking you to use

01:11.030 --> 01:13.620
words that you know
it's a qualitative.

01:13.760 --> 01:17.715
For quantitative, we have
some terms and some formulas.

01:17.715 --> 01:21.095
Our single loss expectancy is
the cost of a single event.

01:21.095 --> 01:24.580
How much did this
one event cost us?

01:24.580 --> 01:27.560
Annual loss expectancy is
we take all the SLEs that

01:27.560 --> 01:28.610
happened in one year for

01:28.610 --> 01:30.875
this one device and
add them together,

01:30.875 --> 01:32.830
it's an annual cost.

01:32.830 --> 01:34.820
Then our annual rate
of occurrence is

01:34.820 --> 01:36.455
how many times did it happen?

01:36.455 --> 01:38.240
How many times did
this one device

01:38.240 --> 01:40.895
fail or did this
one event happen?

01:40.895 --> 01:44.255
If we want to calculate our
annual loss expectancy,

01:44.255 --> 01:47.030
we multiply the single
loss expectancy times

01:47.030 --> 01:48.305
the annual rate of occurrence.

01:48.305 --> 01:49.550
You need to remember
this formula,

01:49.550 --> 01:50.830
it's going to be important.

01:50.830 --> 01:54.170
Asset value is simply how
much is this asset worth?

01:54.170 --> 01:57.230
The exposure factor is
what portion calculated in

01:57.230 --> 01:59.060
a percent of the asset would be

01:59.060 --> 02:01.310
lost if the risk were to happen?

02:01.310 --> 02:04.820
The example we gave
was if we're concerned

02:04.820 --> 02:06.680
about natural disasters and

02:06.680 --> 02:08.690
our building were to be
hit by a natural disaster,

02:08.690 --> 02:09.740
do we expect to lose

02:09.740 --> 02:12.365
the whole building or a
portion of the building?

02:12.365 --> 02:15.020
Those type of things go
into our calculations when

02:15.020 --> 02:18.095
we're defining our risks and
also our responses to it.

02:18.095 --> 02:20.030
Keep in mind this
other formula for

02:20.030 --> 02:21.995
calculating your single
loss expectancy,

02:21.995 --> 02:26.190
it's the asset value times
the exposure factor.

02:28.010 --> 02:31.040
We also have our
meantime to recovery.

02:31.040 --> 02:32.810
This is the time that
it takes us to get

02:32.810 --> 02:35.375
a device back up and
running once it fails.

02:35.375 --> 02:37.880
Our meantime between
failure is the amount of

02:37.880 --> 02:40.750
time that transpires
between two failures.

02:40.750 --> 02:44.120
With risk responses, we have
several ways of responding

02:44.120 --> 02:45.530
to the different types of

02:45.530 --> 02:47.180
risks that an
organization might face.

02:47.180 --> 02:48.410
The first is to avoid,

02:48.410 --> 02:49.610
this is simply stop doing

02:49.610 --> 02:51.380
whatever it is that's
causing the risk.

02:51.380 --> 02:53.015
We can also accept it,

02:53.015 --> 02:54.440
which is where we determine that

02:54.440 --> 02:56.000
the cost of preventing
the risk or

02:56.000 --> 02:57.110
the measures we have to put in

02:57.110 --> 02:58.730
place to mitigate the risk,

02:58.730 --> 03:00.530
cost us more than
the damage would

03:00.530 --> 03:03.035
actually cost us if
it were to happen.

03:03.035 --> 03:04.715
We can mitigate the risk

03:04.715 --> 03:06.470
by using controls
that will help us

03:06.470 --> 03:08.000
lower our exposure and lower

03:08.000 --> 03:09.995
the chances that the
risk will occur.

03:09.995 --> 03:11.720
Finally, we can transfer.

03:11.720 --> 03:13.820
Typically when you're talking
about transferring risk,

03:13.820 --> 03:15.550
you're talking about insurance.

03:15.550 --> 03:19.610
I also want to talk about
the risk as it comes into

03:19.610 --> 03:23.810
the different models
of cloud operations.

03:23.810 --> 03:25.475
For our software as a service,

03:25.475 --> 03:28.370
the entire model is
managed by the provider,

03:28.370 --> 03:30.500
so all the risk is with them.

03:30.500 --> 03:33.335
But as we move over to a
Platform as a Service,

03:33.335 --> 03:35.270
then you start to
see that the apps and

03:35.270 --> 03:37.580
the operating system are
now under our control,

03:37.580 --> 03:40.375
so that portion of the
risks now is shifted to us.

03:40.375 --> 03:42.230
Then we also have Infrastructure

03:42.230 --> 03:44.120
as a Service where the platform,

03:44.120 --> 03:45.470
the app, and the
operating system

03:45.470 --> 03:46.940
are now under our control.

03:46.940 --> 03:49.870
More of the risk has
shifted to us with this.

03:49.870 --> 03:52.370
With a third party,
with, for example,

03:52.370 --> 03:53.585
the Software as a Service,

03:53.585 --> 03:56.370
they assume all of the risk.

03:58.330 --> 04:00.980
We also have regulations that

04:00.980 --> 04:03.680
impact us with risks and
also with our responses,

04:03.680 --> 04:06.965
what we're required to do
to mitigate certain risks.

04:06.965 --> 04:08.570
We're going to start off
with the General Data

04:08.570 --> 04:10.985
Protection Regulation
or the GDPR.

04:10.985 --> 04:12.845
The key thing to
remember, this is

04:12.845 --> 04:15.545
the EU's data privacy standard.

04:15.545 --> 04:17.480
We also have the
Capability Maturity

04:17.480 --> 04:19.640
Model Integration, or CMMI.

04:19.640 --> 04:21.050
This is the Department of

04:21.050 --> 04:22.460
Defense Standard
that it uses for

04:22.460 --> 04:23.780
vendors for ensuring they have

04:23.780 --> 04:26.330
mature cybersecurity
models in place.

04:26.330 --> 04:27.080
We also have

04:27.080 --> 04:28.985
the Children's Online
Privacy Protection Act,

04:28.985 --> 04:30.830
or COPPA, which
is a U.S. federal

04:30.830 --> 04:33.140
law designed to
protect children.

04:33.140 --> 04:34.490
We also have the Payment Card

04:34.490 --> 04:35.960
Industry Data Security Standard,

04:35.960 --> 04:37.280
PCI DSS.

04:37.280 --> 04:38.480
The key to remember about this,

04:38.480 --> 04:41.230
that is not a
governmental regulation,

04:41.230 --> 04:44.150
this is the payment card
industry has created their own,

04:44.150 --> 04:47.060
that anyone that processes
credit cards has to follow,

04:47.060 --> 04:49.760
and it's designed to
protect payer information,

04:49.760 --> 04:53.375
but also to help reduce
credit card fraud.

04:53.375 --> 04:55.100
Then lastly, we have

04:55.100 --> 04:56.420
the Health Insurance Portability

04:56.420 --> 04:58.100
and Accountability
Act, or HIPAA.

04:58.100 --> 05:02.160
This is the U.S. federal
healthcare privacy law.

05:03.320 --> 05:05.730
Let's talk about PKI.

05:05.730 --> 05:07.910
What I want you to
remember about PKI is that

05:07.910 --> 05:10.265
the public key and the private
key are a matched pair.

05:10.265 --> 05:12.455
We can give our public
keys away freely,

05:12.455 --> 05:14.735
but we have to keep our
private key secure.

05:14.735 --> 05:17.330
The keys can be
used to digitally

05:17.330 --> 05:19.730
sign messages or files,
and when we do this,

05:19.730 --> 05:21.800
we are proving
authenticity or ownership,

05:21.800 --> 05:24.720
which also allows us
for non-repudiation.

05:24.720 --> 05:26.690
We can't deny that this
is ours or that we

05:26.690 --> 05:28.925
signed it because it's
using our key to do it.

05:28.925 --> 05:30.740
But we can also
encrypt messages to

05:30.740 --> 05:32.915
others by using
their public key.

05:32.915 --> 05:36.650
The problem this solves is
it makes it easy for us

05:36.650 --> 05:38.420
to give away our public key

05:38.420 --> 05:40.130
and get other
people's public keys,

05:40.130 --> 05:42.635
and then send secure
messages back-and-forth.

05:42.635 --> 05:44.330
Because now we're not
having to worry about

05:44.330 --> 05:46.430
sending passwords for
decrypting messages,

05:46.430 --> 05:49.140
PKI really solves this.

05:50.950 --> 05:53.960
Certificate authority
is the entity

05:53.960 --> 05:56.450
that issues and
guarantees certificates.

05:56.450 --> 05:59.915
A digital certificate is a
public assertion of identity,

05:59.915 --> 06:02.645
but it's validated by a
certificate authority.

06:02.645 --> 06:05.990
When a digital
certificate is issued,

06:05.990 --> 06:07.849
the certificate
authority guarantees

06:07.849 --> 06:10.370
that this one is who
they say they are.

06:10.370 --> 06:12.740
A wildcard certificate
allows us to use

06:12.740 --> 06:15.590
subdomains instead of
just, for example,

06:15.590 --> 06:17.240
domain.com and a certificate,

06:17.240 --> 06:19.595
we could also use
chat.domain.com

06:19.595 --> 06:22.530
or mail.domain.com
with one certificate.

06:22.530 --> 06:24.680
That's the purpose of a
wildcard certificate.

06:24.680 --> 06:27.150
The certificate
revocation list is

06:27.150 --> 06:29.480
a list of all the certificates
that have been revoked.

06:29.480 --> 06:31.190
That way we're not going to be

06:31.190 --> 06:33.140
using that to encrypt
something or to

06:33.140 --> 06:34.280
send something to someone else

06:34.280 --> 06:36.380
using their
certificate because we

06:36.380 --> 06:38.030
have queried the
revocation list,

06:38.030 --> 06:40.135
making sure that we're
not using those.

06:40.135 --> 06:42.830
A certificate signing
request is when

06:42.830 --> 06:44.330
we want to request a certificate

06:44.330 --> 06:45.575
from a certificate authority,

06:45.575 --> 06:48.180
we use a CSR for that.

06:49.090 --> 06:52.580
Hardening. The
basic definition of

06:52.580 --> 06:55.280
hardening is to remove
any unnecessary services,

06:55.280 --> 06:57.320
software, and protocols
from a device.

06:57.320 --> 06:59.630
If you remove those,
you're lowering

06:59.630 --> 07:02.555
your exposure factor, and
that's what we want to do.

07:02.555 --> 07:04.265
We want to make sure that we are

07:04.265 --> 07:06.500
lowering all possibilities of

07:06.500 --> 07:08.630
exposure by removing
anything that's not

07:08.630 --> 07:11.240
absolutely necessary for
this device to operate.

07:11.240 --> 07:14.690
Patching refers to installing
vendor supplied updates,

07:14.690 --> 07:17.315
and this will plug any
holes, fix any bugs.

07:17.315 --> 07:19.010
This is very critical because

07:19.010 --> 07:20.520
bugs are constantly being found,

07:20.520 --> 07:21.950
vulnerabilities are being found,

07:21.950 --> 07:22.730
and we want to make sure we're

07:22.730 --> 07:24.500
patching those as
soon as we can.

07:24.500 --> 07:27.380
Disk encryption
encrypts the data,

07:27.380 --> 07:30.560
and this is especially
useful on mobile devices.

07:30.560 --> 07:34.060
I also want to go over
BIOS versus UEFI.

07:34.060 --> 07:37.070
Keep in mind that BIOS
is typically older,

07:37.070 --> 07:39.305
UEFI is the newer version,

07:39.305 --> 07:43.260
and we also have TPM or
Trusted Platform Module.

07:43.570 --> 07:46.880
This is a chip that's embedded
on the motherboard of

07:46.880 --> 07:50.680
devices that allows it
to store keys for us.

07:50.680 --> 07:53.704
Then we also want to use
host-based firewalls,

07:53.704 --> 07:56.000
block lists for apps,

07:56.000 --> 07:58.850
host-based intrusion
detection systems,

07:58.850 --> 08:02.045
host-based intrusion
prevention systems.

08:02.045 --> 08:04.865
We want to make sure that
when we're looking at these,

08:04.865 --> 08:07.925
we are putting the
appropriate level of controls

08:07.925 --> 08:09.320
with these hardening steps

08:09.320 --> 08:11.360
on the appropriate
level of device.

08:11.360 --> 08:13.150
For example, you might

08:13.150 --> 08:14.920
want to use a block
list for apps so

08:14.920 --> 08:18.300
that certain users are not
allowed to use certain apps,

08:18.300 --> 08:20.440
you may also want to use
time restrictions for

08:20.440 --> 08:22.840
things so that they can't
use apps after hours,

08:22.840 --> 08:24.490
and you want to make sure

08:24.490 --> 08:26.590
that host-based firewalls
are being used to

08:26.590 --> 08:29.230
allow for only the
necessary traffic

08:29.230 --> 08:31.045
to come into a
particular device,

08:31.045 --> 08:32.770
all of these are involved in

08:32.770 --> 08:35.930
the hardening process
of a given device.

08:37.320 --> 08:40.480
Now we're going to talk
about the forensics process.

08:40.480 --> 08:42.400
We begin with identification,

08:42.400 --> 08:43.905
then we go collection,

08:43.905 --> 08:47.155
then analysis, and then
reporting and presentation.

08:47.155 --> 08:48.790
It's very important
that when we're

08:48.790 --> 08:50.230
doing this entire process,

08:50.230 --> 08:52.375
we remember the
chain of custody,

08:52.375 --> 08:55.125
because this allows us to
do evidence preservation.

08:55.125 --> 08:57.650
We have to make sure that
any evidence that is

08:57.650 --> 09:00.145
collected is
identified properly,

09:00.145 --> 09:01.670
labeled properly,
and then stored

09:01.670 --> 09:03.470
properly all the way through,

09:03.470 --> 09:06.349
because if at any point
it's outside of control,

09:06.349 --> 09:08.300
then that can become
tainted evidence

09:08.300 --> 09:09.890
and then it can be thrown out,

09:09.890 --> 09:12.110
or not allowed to be
used in a prosecution

09:12.110 --> 09:15.720
or in any type of
proceedings against someone.

09:17.720 --> 09:19.875
Incident response.

09:19.875 --> 09:21.680
The first step is preparation.

09:21.680 --> 09:23.450
This includes
hardening our systems,

09:23.450 --> 09:24.560
creating different policies and

09:24.560 --> 09:26.945
procedures that we need
for the organization.

09:26.945 --> 09:29.810
Then we want to create our
incident response procedure.

09:29.810 --> 09:31.205
We do this ahead of time.

09:31.205 --> 09:32.960
We don't want to do
it as the incident is

09:32.960 --> 09:35.210
happening because those are
high stress times and we

09:35.210 --> 09:36.500
want to be able to go and

09:36.500 --> 09:38.000
pull out a document
and follow that

09:38.000 --> 09:39.590
step-by-step to make sure

09:39.590 --> 09:41.810
that we're doing the
things that are necessary.

09:41.810 --> 09:43.790
Detection analysis is when we

09:43.790 --> 09:45.850
decide if an incident
has occurred,

09:45.850 --> 09:48.950
and then if we have determined
this is an incident,

09:48.950 --> 09:50.140
how serious is it,

09:50.140 --> 09:52.925
and then at this time we also
notify the stakeholders.

09:52.925 --> 09:55.660
Containment is simply limiting
the scope of the breach,

09:55.660 --> 09:56.990
we want to make
sure that it's not

09:56.990 --> 09:59.000
spreading throughout
the organization.

09:59.000 --> 10:00.470
Then once we have contained it,

10:00.470 --> 10:02.585
we'll begin our
eradication and recovery.

10:02.585 --> 10:05.810
This is where we remove the
cause of the breach and start

10:05.810 --> 10:06.950
getting things back up to

10:06.950 --> 10:09.410
running normal like
they were before.

10:09.410 --> 10:11.345
Then after everything
is said and done,

10:11.345 --> 10:13.265
we'll have our
post-incident activity.

10:13.265 --> 10:15.520
This is also your
after-action review,

10:15.520 --> 10:17.850
where we define what
can we improve,

10:17.850 --> 10:19.310
what did we do well,

10:19.310 --> 10:20.870
what did we do not so well?

10:20.870 --> 10:24.240
We want to document our
lessons learned here.

10:25.940 --> 10:29.850
Vulnerabilities. I'm going
to go over this quickly,

10:29.850 --> 10:31.910
because if you really want
to get more information,

10:31.910 --> 10:33.950
just go back to the
particular lesson for this,

10:33.950 --> 10:35.780
because there's a lot
of details there.

10:35.780 --> 10:38.300
But I want to have these
terms in front of you,

10:38.300 --> 10:39.680
so that you remember at

10:39.680 --> 10:41.155
a high level what
all of these are.

10:41.155 --> 10:45.770
SQL injection is manipulating
the SQL language to inject

10:45.770 --> 10:48.545
data into a database to either

10:48.545 --> 10:51.390
get it to send us data
that it shouldn't,

10:51.390 --> 10:53.675
or for us to put data
that shouldn't be there.

10:53.675 --> 10:57.830
LDAP injection manipulates
LDAP strings to do similar so

10:57.830 --> 10:59.750
that we can inject
things in or actually

10:59.750 --> 11:02.240
pull information back out
of an LDAP directory.

11:02.240 --> 11:05.060
Cross-site request
forgery is when

11:05.060 --> 11:06.410
the victim unintentionally

11:06.410 --> 11:07.670
makes changes to their accounts,

11:07.670 --> 11:08.690
and then because of that,

11:08.690 --> 11:11.360
they're giving access to the
attacker to their account.

11:11.360 --> 11:14.390
Cross-site scripting
manipulates the file paths

11:14.390 --> 11:16.540
to control how a
web app operates.

11:16.540 --> 11:18.500
Finally, directory traversal is

11:18.500 --> 11:20.855
accessing the directories
outside of the web root.

11:20.855 --> 11:22.190
The attacker should not have

11:22.190 --> 11:23.990
access to this,
but by doing that,

11:23.990 --> 11:25.760
they're able to get into

11:25.760 --> 11:27.680
the operating system
directories and then they

11:27.680 --> 11:29.660
can copy data down or move

11:29.660 --> 11:33.180
tools up and then further
compromise the server.

11:34.610 --> 11:37.930
Authentication. We
always want to use

11:37.930 --> 11:39.520
strong complex passwords for

11:39.520 --> 11:41.980
everything. The
stronger the better.

11:41.980 --> 11:44.200
I mentioned a good
technique is to choose

11:44.200 --> 11:46.495
three or four random words
and put those together

11:46.495 --> 11:48.895
because that is a very
difficult concept

11:48.895 --> 11:51.340
for brute force
attackers to crack.

11:51.340 --> 11:54.070
But we always want to use
strong passwords everywhere.

11:54.070 --> 11:55.690
One of the things I
want to mention here is

11:55.690 --> 11:57.250
we don't want to
reuse passwords.

11:57.250 --> 11:59.200
You don't want to have the
same administrator password in

11:59.200 --> 12:01.765
all your servers, it
becomes cumbersome.

12:01.765 --> 12:04.540
But if one of those were
ever compromised,

12:04.540 --> 12:05.980
it's easy for an
attacker to pivot to

12:05.980 --> 12:08.245
the other servers using
the same password.

12:08.245 --> 12:10.180
Federation is when
we are trusting

12:10.180 --> 12:12.370
the accounts that are from
another organization.

12:12.370 --> 12:14.360
They can access
resources from us,

12:14.360 --> 12:16.510
we can access resources
from them by using

12:16.510 --> 12:19.045
this shared model of federation.

12:19.045 --> 12:24.055
OpenID adds authentication
to the OAuth 2.0 protocol.

12:24.055 --> 12:26.870
Security Assertion
Markup Language or SAML,

12:26.870 --> 12:27.890
I want you to go back and review

12:27.890 --> 12:29.150
that if you don't
remember about that.

12:29.150 --> 12:31.745
Then Shibboleth is
based on SAML and it's

12:31.745 --> 12:33.200
often used by universities

12:33.200 --> 12:35.850
and public service
organizations.

12:37.940 --> 12:40.335
Access control methods.

12:40.335 --> 12:42.470
Discretionary access
control is where

12:42.470 --> 12:44.810
the owner decides
who has access.

12:44.810 --> 12:47.090
Active Directory is a
good example of this.

12:47.090 --> 12:50.510
Keep in mind that
this is easy to manage,

12:50.510 --> 12:54.065
but it's very difficult
to secure because it's

12:54.065 --> 12:56.510
the owner of the
resource decides

12:56.510 --> 12:58.955
who gets to access
it and who doesn't.

12:58.955 --> 13:01.100
Mandatory access
control is based on

13:01.100 --> 13:03.755
clearance levels
and it uses labels.

13:03.755 --> 13:05.495
It is considered
non-discretionary,

13:05.495 --> 13:07.040
so if you see a question that's

13:07.040 --> 13:08.975
asking about clearance
levels and labels,

13:08.975 --> 13:11.410
you know that that's
mandatory access control.

13:11.410 --> 13:13.370
Role-based access control is

13:13.370 --> 13:15.680
DAC when we're adding
on the subject's roles.

13:15.680 --> 13:17.690
For example, we may
have a department

13:17.690 --> 13:20.060
for human resources
and one for finance,

13:20.060 --> 13:21.470
and they may have
different levels of

13:21.470 --> 13:23.510
access based on those roles.

13:23.510 --> 13:26.180
Attribute-based access
control is when we're using

13:26.180 --> 13:30.230
the subject's attributes
and it uses XACML.

13:30.230 --> 13:33.470
Rule-based access control
is when the policies are

13:33.470 --> 13:37.860
system-defined rules.

13:39.230 --> 13:42.780
Let's summarize.
We recapped risk,

13:42.780 --> 13:44.640
we also went over PKI,

13:44.640 --> 13:46.950
we discussed hardening
and vulnerabilities,

13:46.950 --> 13:49.045
we went over the
forensics process,

13:49.045 --> 13:50.600
and then incident response,

13:50.600 --> 13:54.335
and we also discussed
authentication and authorization.

13:54.335 --> 13:56.090
Hope this lesson was helpful for

13:56.090 --> 13:58.470
you, and I'll see
you in the next one.

