1
00:00:01,210 --> 00:00:02,120
Welcome back.

2
00:00:02,710 --> 00:00:05,100
So in the last section we familiarized

3
00:00:05,110 --> 00:00:10,340
ourselves with Security+ exam
information, the topics that it covers, and

4
00:00:10,350 --> 00:00:16,220
we also touched on some basic terms and
concepts in security, where we explained

5
00:00:16,230 --> 00:00:21,920
the CIA triangle and we gave an example
of what a layered concept of defense could

6
00:00:21,930 --> 00:00:22,380
look like.

7
00:00:22,390 --> 00:00:26,120
But now let's dive into our first topic

8
00:00:26,130 --> 00:00:29,940
which is authentication and access control.

9
00:00:31,150 --> 00:00:33,800
Once again, feel free to organize the way

10
00:00:33,810 --> 00:00:36,340
that you follow each topic however you
prefer.

11
00:00:36,790 --> 00:00:41,320
If you don't have any special preference
for which topic you want to learn first, then

12
00:00:41,330 --> 00:00:44,100
you can simply follow along with the course as
we go.

13
00:00:44,110 --> 00:00:47,980
Okay, back to authentication and
access control.

14
00:00:48,330 --> 00:00:52,400
We will start with the concept of control first.

15
00:00:53,050 --> 00:00:55,680
So before we get to access control and

16
00:00:55,690 --> 00:01:00,600
account or file access controls and
permissions, which are the most common ones to hear

17
00:01:00,610 --> 00:01:06,180
about, let's first talk about what
different types of control there even are.

18
00:01:06,950 --> 00:01:08,740
So we have several.

19
00:01:09,590 --> 00:01:11,460
These would be some of the main controls:

20
00:01:11,470 --> 00:01:15,360
which are technical control,
administrative control, as well as

21
00:01:15,370 --> 00:01:17,600
operational control and physical control.

22
00:01:18,250 --> 00:01:21,060
Now sometimes you might hear about only

23
00:01:21,070 --> 00:01:24,920
three of these being the main ones,
without physical control or without

24
00:01:24,930 --> 00:01:30,800
operational control, but in general all
four are equally important and they play

25
00:01:30,810 --> 00:01:33,660
a big part in security itself.

26
00:01:33,670 --> 00:01:37,680
Now let's explain all of them one by one.

27
00:01:37,690 --> 00:01:40,400
So technical control is control

28
00:01:40,410 --> 00:01:47,180
implemented by the IT team in order to
lower the risk of being compromised or exploited.

29
00:01:47,190 --> 00:01:52,660
These would include things like having
an IPS or IDS, where an IDS or intrusion

30
00:01:52,670 --> 00:01:57,740
detection system would look at the
network and try to discover or identify

31
00:01:57,750 --> 00:02:02,900
any changes or threats, while an IPS or
intrusion prevention system would be

32
00:02:02,910 --> 00:02:05,520
there to stop attacks from taking place.

33
00:02:05,530 --> 00:02:07,400
And we would also have things such as

34
00:02:07,410 --> 00:02:13,360
a firewall and firewall rules, which could
block unwanted traffic both coming into the

35
00:02:13,370 --> 00:02:16,380
network and going out of the network.

36
00:02:16,390 --> 00:02:18,320
We would also have antivirus programs

37
00:02:18,330 --> 00:02:24,260
which are security measures used to
protect our endpoint devices and desktops.

38
00:02:24,270 --> 00:02:30,020
Next up we have administrative control,
which is done by the management team or

39
00:02:30,030 --> 00:02:35,120
the administrators, and its goal is to
write the policies which will lower the risk

40
00:02:35,130 --> 00:02:40,280
of compromise or pretty much lower any
unwanted risk inside the company.

41
00:02:40,290 --> 00:02:44,420
There are many of these procedures that
can lower the risk inside the company, and

42
00:02:44,430 --> 00:02:49,000
one of them is doing penetration tests
regularly, which we will talk about later

43
00:02:49,010 --> 00:02:50,840
in the course.

44
00:02:50,850 --> 00:02:53,880
Next we have operational controls,

45
00:02:53,890 --> 00:02:57,780
which are carried out by company employees on a
daily basis.

46
00:02:57,790 --> 00:03:01,540
These include things like employee
training or education every year

47
00:03:01,550 --> 00:03:03,060
regarding security.

48
00:03:03,070 --> 00:03:05,420
These trainings help employees know

49
00:03:05,430 --> 00:03:08,120
exactly what they should and shouldn't do.

50
00:03:08,130 --> 00:03:11,280
For example, inside the training you might

51
00:03:11,290 --> 00:03:15,560
tell an employee that they should wear
their ID card, and that rule

52
00:03:15,570 --> 00:03:19,940
should be respected every single day, so
all the employees should wear their ID

53
00:03:19,950 --> 00:03:24,340
badges or ID cards every time they come
to work.

54
00:03:24,350 --> 00:03:28,680
It could also be some type of cyber
security training where employees are

55
00:03:28,690 --> 00:03:33,960
educated not to open spam emails and
are educated to recognize phishing

56
00:03:33,970 --> 00:03:36,320
links and attacks.

57
00:03:36,330 --> 00:03:37,920
Employees are also taught about the business

58
00:03:37,930 --> 00:03:44,440
continuity plan, also known as BCP,
which is a policy on how each employee

59
00:03:44,450 --> 00:03:50,560
will act in case of an incident or if some
type of unwanted situation occurs.

60
00:03:50,570 --> 00:03:56,320
This would help the company's business
continue even in the case of a catastrophe.

61
00:03:56,330 --> 00:04:00,420
Next up we have physical control, which is
self-explanatory.

62
00:04:00,430 --> 00:04:06,120
Now physical security control is there to
prevent unauthorized access to the

63
00:04:06,130 --> 00:04:09,060
company facility and its data.

64
00:04:09,070 --> 00:04:10,880
These types of controls could include

65
00:04:10,890 --> 00:04:15,420
things like wearing security badges,
having gates and fences around the

66
00:04:15,430 --> 00:04:20,960
company building, and having a visitor list.
So for example, if there is a certain

67
00:04:20,970 --> 00:04:25,800
group of visitors coming inside your
company building, you want to have someone

68
00:04:25,810 --> 00:04:30,580
identify them and write their names down
in case anything happens, so we have a

69
00:04:30,590 --> 00:04:33,500
list of who entered and left the building.

70
00:04:33,510 --> 00:04:35,560
You want to have CCTV cameras, you want

71
00:04:35,570 --> 00:04:40,240
to have good lighting around the building
so everything can be seen well, and

72
00:04:40,250 --> 00:04:46,220
both outside and inside the building you
want to have guards that are there to protect it.

73
00:04:46,230 --> 00:04:51,280
Now ideally you want to have multiple
guards in case one of them gets distracted.

74
00:04:51,290 --> 00:04:56,020
You also want to have alarms inside the
building, electronic locks, biometric

75
00:04:56,330 --> 00:05:01,780
locks, tokens, contactless cards, and you
want to have things such as fire

76
00:05:01,790 --> 00:05:04,380
extinguishers in case a fire breaks out.

77
00:05:04,390 --> 00:05:06,200
Now these would be some of the most

78
00:05:06,210 --> 00:05:08,840
important things when it comes to
physical control.

79
00:05:08,850 --> 00:05:14,500
And also, in case your company has big
server rooms, for example, you want to make

80
00:05:14,510 --> 00:05:17,260
sure that the temperature of the room is good.

81
00:05:17,270 --> 00:05:19,560
So for example, we could think about

82
00:05:19,570 --> 00:05:25,220
implementing heating, ventilation and air
conditioning, and we also want to have

83
00:05:25,230 --> 00:05:31,140
fire protection implemented close to the
important server rooms, so if there is

84
00:05:31,150 --> 00:05:36,940
some type of fire outbreak we can put it
out relatively quickly.

85
00:05:36,950 --> 00:05:41,000
Now these are some of the physical
security controls that are the most

86
00:05:41,010 --> 00:05:44,860
important, but of course there are other
ones that you can include, such as for

87
00:05:44,870 --> 00:05:49,580
example having cable locks on your
devices so that they can't get stolen.

88
00:05:49,590 --> 00:05:54,500
You could have a safe or a secure room
where all the laptops and other devices

89
00:05:54,510 --> 00:05:57,060
are stored when they are not used.

90
00:05:57,070 --> 00:05:58,980
Now this is not primarily to prevent the

91
00:05:58,990 --> 00:06:04,320
theft of the laptops themselves but
rather the data on those laptops which

92
00:06:04,330 --> 00:06:07,960
could be far more important and valuable.

93
00:06:07,970 --> 00:06:10,880
Now of course, besides all of this there

94
00:06:10,890 --> 00:06:15,500
are some other advanced methods, such as
for example implementing a Faraday cage,

95
00:06:15,510 --> 00:06:20,220
which is a metal construction that can
prevent wireless devices from working inside

96
00:06:20,230 --> 00:06:21,740
the company.

97
00:06:21,750 --> 00:06:24,640
Okay, so that would be physical control or

98
00:06:24,650 --> 00:06:26,100
physical security control.

99
00:06:26,110 --> 00:06:28,260
And besides these four types of control,

100
00:06:28,270 --> 00:06:33,160
it is also important that we know the
term access control.

101
00:06:33,170 --> 00:06:39,120
Now the concept of access control and the
term itself are important for us.

102
00:06:39,130 --> 00:06:41,660
Its name is self-explanatory.

103
00:06:41,670 --> 00:06:44,140
We know what access control means.

104
00:06:44,150 --> 00:06:49,160
It is either preventing or granting
access to someone based on certain types

105
00:06:49,170 --> 00:06:52,400
of rules or a certain policy.

106
00:06:52,410 --> 00:06:54,620
Now there are three main components of

107
00:06:54,630 --> 00:06:58,000
access control that we should be familiar with.

108
00:06:58,010 --> 00:07:01,120
And those are identification,

109
00:07:01,130 --> 00:07:04,260
authentication and authorization.

110
00:07:04,270 --> 00:07:07,580
Now identification can be considered as

111
00:07:07,590 --> 00:07:13,820
an individual having a smart card or
having their own account, for example.

112
00:07:13,830 --> 00:07:18,680
Authentication is an individual
authenticating their identity.

113
00:07:18,690 --> 00:07:24,460
This can be done by entering a password
for an account or entering a PIN code.

114
00:07:24,470 --> 00:07:29,560
And authorization is the last part, which is
the level of access that will be granted to

115
00:07:29,570 --> 00:07:33,520
an individual once they get authenticated.

116
00:07:33,530 --> 00:07:35,840
This can differ from person to person

117
00:07:35,850 --> 00:07:39,640
depending on their position in the company
and their scope of work.

118
00:07:39,650 --> 00:07:44,160
For example, someone working in the sales
department will only be authorized to

119
00:07:44,170 --> 00:07:47,800
have access to the sales group and its data.

120
00:07:47,810 --> 00:07:50,480
Now here comes the term that we already

121
00:07:50,490 --> 00:07:53,160
covered, which is least privilege.

122
00:07:53,170 --> 00:07:55,600
Here an individual should only have

123
00:07:55,610 --> 00:08:00,200
minimal access but enough to be able to
do their work.

124
00:08:00,210 --> 00:08:02,680
Okay, so these three are important.

125
00:08:02,690 --> 00:08:05,080
Make sure to remember what identification

126
00:08:05,210 --> 00:08:10,400
is, what authentication is and what
authorization is and what they are used for.

127
00:08:10,410 --> 00:08:14,580
Now besides this we also have different
types of access control.

128
00:08:14,590 --> 00:08:20,840
And these would include MAC or mandatory
access control, which is based on

129
00:08:20,850 --> 00:08:28,280
the classification of data and can be divided
into top secret, secret, confidential and restricted.

130
00:08:28,290 --> 00:08:33,280
The next one that we have is
discretionary access control or DAC, which

131
00:08:33,290 --> 00:08:35,640
is similar to the least privilege concept.

132
00:08:35,650 --> 00:08:37,720
But in this case it refers to one user,

133
00:08:37,730 --> 00:08:42,200
where the user is given enough access to
finish or do their work.

134
00:08:42,210 --> 00:08:46,840
Now to fully understand this we will take
a look at an example in one of the next

135
00:08:46,850 --> 00:08:51,520
lectures where we cover file permissions,
which are a part of DAC.

136
00:08:51,530 --> 00:08:57,120
So we will look at both Windows and Linux
file access control or file permissions

137
00:08:57,130 --> 00:08:59,920
and we will explain them in detail.

138
00:08:59,930 --> 00:09:03,720
Okay, besides this we also have rule-based

139
00:09:03,730 --> 00:09:09,520
access control, which is a set of
rules aimed at employees.

140
00:09:09,530 --> 00:09:13,300
This can be different for individuals
working in separate departments.

141
00:09:13,310 --> 00:09:18,080
For example, the sales team will have
access in the morning hours, while

142
00:09:18,090 --> 00:09:21,920
the financial team will have access in the afternoon.

143
00:09:21,930 --> 00:09:23,840
These rules can be based on other things

144
00:09:23,850 --> 00:09:27,660
as well and don't have to just be based
on time.

145
00:09:27,670 --> 00:09:33,820
Now another type of access control that I
just want to mention is role-based access control.

146
00:09:33,830 --> 00:09:39,500
This is a set of rules based on
an individual's role, and sometimes you can

147
00:09:39,510 --> 00:09:45,300
find it confusing since both rule-based
access control and role-based access

148
00:09:45,310 --> 00:09:50,660
control have the same abbreviation, RBAC.

149
00:09:50,670 --> 00:09:52,520
Just make sure that you remember both of

150
00:09:52,530 --> 00:09:57,340
them, so there is rule-based and
role-based access control.

151
00:09:57,350 --> 00:10:03,100
Now besides these two we also have
attribute-based access control, and

152
00:10:03,110 --> 00:10:09,140
attribute-based access control is an
authorization model that evaluates

153
00:10:09,150 --> 00:10:14,320
attributes or characteristics rather than
roles, which are then used to determine

154
00:10:14,330 --> 00:10:17,760
the access of an individual.

155
00:10:17,770 --> 00:10:20,440
And last but not least we have

156
00:10:20,450 --> 00:10:25,160
group-based access control, where you group
individuals from, let's say, the IT department

157
00:10:25,170 --> 00:10:28,920
and give them access to the IT data that
they need.

158
00:10:28,930 --> 00:10:33,420
You would first make a list of all the
people from the IT department, form a group

159
00:10:33,430 --> 00:10:38,640
with all of them and then grant access to
that group to certain data that the group

160
00:10:38,650 --> 00:10:40,200
works with.

161
00:10:40,210 --> 00:10:42,780
Here is an example of what group-based

162
00:10:42,790 --> 00:10:46,100
access control would look like.

163
00:10:46,110 --> 00:10:49,640
So we have two different people that both

164
00:10:49,650 --> 00:10:51,680
need access to the same type of data.

165
00:10:51,690 --> 00:10:54,520
We can create a group, we can add everyone

166
00:10:54,530 --> 00:10:59,680
that needs access to this type of data to
that group, and then grant access to that data to

167
00:10:59,690 --> 00:11:05,500
the group itself rather than to each person or
each employee individually.

168
00:11:05,510 --> 00:11:10,280
Now besides the current controls that we
already mentioned, let's also mention a few

169
00:11:10,290 --> 00:11:15,120
more which you should be familiar with
and those are preventive controls,

170
00:11:15,130 --> 00:11:18,620
corrective controls and compensating controls.

171
00:11:18,630 --> 00:11:20,840
One thing to note is that these are all

172
00:11:20,850 --> 00:11:26,100
types of controls, and if a certain rule
applies to one type of control it doesn't

173
00:11:26,110 --> 00:11:30,720
mean it can't be a part of a different
type of control as well.

174
00:11:30,730 --> 00:11:37,140
A certain policy, rule or control can be
a part of many of the current types of

175
00:11:37,150 --> 00:11:41,200
control that we discussed in this lecture.

176
00:11:41,210 --> 00:11:44,320
So let's define each of these one by one.

177
00:11:44,330 --> 00:11:48,520
Preventive controls attempt to prevent
security incidents.

178
00:11:48,530 --> 00:11:54,260
Now for example, system hardening or user
training can be examples of this.

179
00:11:54,270 --> 00:11:58,660
On the other hand, corrective controls
attempt to reverse the impact of an

180
00:11:58,670 --> 00:12:02,300
incident or a problem after it has occurred.

181
00:12:02,310 --> 00:12:05,000
And compensating controls are controls

182
00:12:05,010 --> 00:12:09,860
which are alternatives, and they are used
when it is not possible to use the

183
00:12:09,870 --> 00:12:11,260
primary controls.

184
00:12:11,270 --> 00:12:13,620
For example, let's say an employee should

185
00:12:13,630 --> 00:12:18,940
authenticate via smart card as a primary
method or primary control, but he hasn't

186
00:12:18,950 --> 00:12:24,460
received his smart card yet since he is a
new employee and he got hired yesterday.

187
00:12:24,470 --> 00:12:29,200
We could use compensating controls, such
as perhaps authenticating via a password

188
00:12:29,210 --> 00:12:34,140
instead until they get their new ID card
or smart card.

189
00:12:34,150 --> 00:12:38,620
Okay, so that would be about it when it
comes to different groups or different

190
00:12:38,630 --> 00:12:40,840
types of control.

191
00:12:40,850 --> 00:12:43,100
Quite a long video right?

192
00:12:43,110 --> 00:12:47,400
Well, no worries, by going over these
different types of control and different

193
00:12:47,410 --> 00:12:51,700
types of access control two or three
times you should remember the most

194
00:12:51,710 --> 00:12:55,680
important thing, and that is what they are
mostly focused on.

195
00:12:55,690 --> 00:12:59,680
You should remember each of them and
their basic definitions.

196
00:12:59,690 --> 00:13:03,820
The good thing is that for many of them
their name is self-explanatory, such as

197
00:13:03,830 --> 00:13:07,780
for example mentioning let's say physical
security control.

198
00:13:07,790 --> 00:13:11,720
Even without going over the video again
you can think of what exactly that would

199
00:13:11,730 --> 00:13:13,100
be right?

200
00:13:13,110 --> 00:13:15,340
Well, nonetheless, let's not make the video

201
00:13:15,350 --> 00:13:20,040
any longer and let's get straight into
the next lecture where we will talk about

202
00:13:20,050 --> 00:13:23,160
identity and different types of identity.

203
00:13:23,170 --> 00:13:23,880
See you in the next lecture.
