WEBVTT

00:00.120 --> 00:07.830
If we use authentication to get us into a system we use authorization to determine what we can do within

00:07.830 --> 00:08.310
that.

00:08.310 --> 00:12.720
Now it's always kind of funny because we like talking about authentication because we've got usernames

00:12.720 --> 00:19.530
and passwords and retinal scanners and all kinds of cool stuff like that, but that just gets us in.

00:19.650 --> 00:24.080
Authorization is just as important. Somebody who's authenticated to the system,

00:24.210 --> 00:28.470
we have to define what they can do on that particular system.

00:28.470 --> 00:34.950
So in this episode what I want to do is cover a whole bunch of different types of authorization concepts

00:35.340 --> 00:37.980
and make sure you're comfortable with these terms for the exam.

00:37.980 --> 00:40.590
So let's go and get started with probably the biggest one.

00:40.590 --> 00:41.340
Permissions

00:45.910 --> 00:52.270
When you are granted access to a system, in particular an operating system, the term permissions is very,

00:52.270 --> 00:53.240
very important

00:53.320 --> 01:00.220
when we talk about authorization. Now, what I'm talking about by permissions are what are the things that

01:00.220 --> 01:02.410
are assigned to you that you can do.

01:02.560 --> 01:07.100
We see permissions more commonly than any place else within operating systems.

01:07.150 --> 01:13.860
For example, here's Microsoft Windows, and Windows normally is running an NT file system, NTFS.

01:14.020 --> 01:16.910
NTFS comes with a number of permissions.

01:16.960 --> 01:21.850
So here you can see some examples of permissions that are assigned to a particular folder in a Windows

01:21.850 --> 01:22.690
computer.

01:23.470 --> 01:25.360
Linux also has permissions.

01:25.360 --> 01:26.880
Let's take one more look at this now.

01:26.920 --> 01:30.760
It's going to look a lot different because Linux permissions are different but if you take a look at

01:30.760 --> 01:35.730
this screen here I'm actually just at a terminal and you can actually see all those R's and W's and

01:35.730 --> 01:36.580
X's.

01:36.640 --> 01:43.100
Those are actual permissions that are assigned to different files and folders within a Linux machine.

01:43.270 --> 01:48.640
So the important thing about permissions more than anything else is that the administrator of a particular

01:48.640 --> 01:51.320
system has to assign these permissions.

01:51.430 --> 01:55.290
So if you have a user account a user account can have permissions assigned to it.

01:55.450 --> 02:00.730
But more commonly what we'll see is that a user is put into some kind of group, like accounting or something

02:00.730 --> 02:01.340
like that.

02:01.540 --> 02:07.540
And because everybody in accounting has the same type of permissions we assign permissions just to that

02:07.570 --> 02:12.880
particular group and then that way when people quit or go on vacation and stuff like that we don't have

02:12.880 --> 02:14.570
to mess with all of their permissions.

02:14.740 --> 02:19.380
We just move them in and out of a group and that's probably the best way to handle that.

02:19.490 --> 02:23.610
Now you would think permissions would take care of just about everything but they don't.

02:23.650 --> 02:29.040
There's a whole other group of stuff which I'm going to be calling rights and privileges.

02:32.980 --> 02:36.640
Permissions are something that we apply to resources.

02:36.640 --> 02:42.270
But rights and privileges are something we tend to assign to systems as a whole.

02:42.280 --> 02:48.640
So using Windows again as an example I can have a permission that allows me to have full control over

02:48.640 --> 02:53.500
a particular folder, but there's other stuff that has to do with the system itself. For example,

02:53.500 --> 02:58.740
do you have the right to log on locally to this computer, or can you only log in remotely?

02:58.810 --> 03:01.660
Do you have the right to be able to change your password?

03:01.660 --> 03:07.220
You have the right to be able to change your desktop look and feel stuff like that.

03:07.360 --> 03:10.420
So we're talking about stuff that has to do with the system as a whole.

03:10.420 --> 03:12.470
We tend to call these rights.

03:12.490 --> 03:17.230
We also hear the term privileges although rights is the more common term certainly within the Windows

03:17.230 --> 03:18.060
environment.

03:18.310 --> 03:20.770
Now in Windows you can play with this stuff all day long.

03:20.770 --> 03:26.050
So here's an example of a Windows system where you can see a whole bunch of different rights that I

03:26.050 --> 03:34.340
can play with that can be assigned to a particular user or a group.

03:34.460 --> 03:40.670
You've got a lot of powerful authorization tools for you to use. However, I want to talk about strategies

03:40.670 --> 03:47.150
for a moment. How do I, as an IT security person, think about all of these permissions and rights and

03:47.150 --> 03:47.870
stuff like that?

03:47.870 --> 03:53.570
Well, two strategies that we always use when we're thinking about this kind of stuff are called least

03:53.570 --> 04:01.730
privilege and separation of duty. Least privilege, as the name infers, always says give your users or

04:01.730 --> 04:06.160
your groups or whatever the least amount of privilege they need to get their job done.

04:06.230 --> 04:12.330
If I've got 500 account receivable people who are looking at a database they never change it.

04:12.440 --> 04:14.300
They're only looking at that database.

04:14.360 --> 04:18.520
It would be silly for me to give them full control because they don't need it for their job.

04:18.560 --> 04:23.000
I'm going to give them read permissions to the database whatever it might be.

04:23.090 --> 04:25.620
And then that way they can do the job that they want to do.

04:25.640 --> 04:28.030
So we always concentrate on least privilege.

04:28.310 --> 04:35.060
Secondly with separation of duties we're talking about thinking about what people's jobs are and how

04:35.060 --> 04:38.720
that ties in to rights and permissions within the system.

04:38.720 --> 04:39.490
Imagine that

04:39.500 --> 04:46.290
I've got a payroll department and there are two really, really important jobs. There's one person's job.

04:46.460 --> 04:52.010
Well they probably do a lot of stuff but one of their jobs is to update the database for how much people

04:52.010 --> 04:52.580
are making.

04:52.580 --> 04:57.560
So when they type in they're making X amount of money and the computer does it and runs all that all

04:57.560 --> 05:04.570
that stuff and then there's another guy whose job is to make sure that all the payroll checks are cut.

05:04.580 --> 05:10.070
Now you could have a potential conflict of interest by putting those duties together so we would work

05:10.070 --> 05:14.840
really hard to make sure that we have different entities different people different groups handling

05:14.840 --> 05:20.540
each of those tasks, just in case somebody might be tempted to change a salary and start getting big checks

05:20.540 --> 05:21.430
cut to them.

05:21.440 --> 05:45.640
So we always think about these things when we're talking about the types of strategies we use for authorization.
