Welcome to another great
show right here on ITPro.TV. You're watching
the CompTIA IT Fundamentals show. I'm your host, Ronnie Wong, and today we're diving into
basic security fundamentals. And here, of course, to help us
understand all that we need to, is Mr. Don Pezet himself. Don, welcome to the show. Thanks for having me, Ronnie. You know, I'm excited about this episode
because we're jumping into a new section here, which is IT security. And, boy, of all the topics that
we cover on IT fundamentals, this is probably the one that has
the most industry buzz behind it. There's a lot of people that are looking
to get into IT and they watch Mr. Robot. [LAUGH]
They hear about pen testing. They see this exciting side of IT,
and that's where they wanna get into. Well, a lot of that stuff
is fairly accurate. I mean, there is this aspect
of pen testing going on. But the world of IT security is
actually much bigger than that and it covers a lot of ground. So what we're going to do over the next
couple episodes is get a chance to learn a little bit about what IT security is,
what it means, all the different things that fall
under the umbrella of security. And then learn a little
bit about whether or not security is a career field
that we want to reach in to. Now, Don, when it comes down to the idea of
security, just like what you're saying, everybody has their own perspective
on what security should be like. If you and I asked ten different security
professionals, we'll kind of come up with just about ten different
answers when it comes down to it. So, if I want to begin to
learn more about IT security, what are kind of the basic fundamentals
that we have to begin with so we have at least a setting
of the expectations here. Sure. I think what it's important to start
with is to understand what the risk is. Because IT security wasn't always a thing. It wasn't always something
that we worried about. I had a computer in the late 1980,
it was an IBM PC Junior, I remember it was a great computer. We didn't have a password on it, we didn't
have any security features whatsoever, you just turned it on and you used it. That doesn't fly today, and
the reason it worked back then was that we didn't have networks,
we didn't have the Internet. We didn't have, I mean, these things
existed, but we couldn't afford them. So I didn't have access
to all these things. So when you have just a stand-alone
computer that's in your home, that you control, that just has maybe
games or word processor on there. There is not much risk, and
that's how computing started, that's how the Internet began. The Internet was a very trusting
network in the early days. If you were using Internet in the 1990s,
most websites were not encrypted, all email was being sent unencrypted,
things were just very trusting. Fast forward to today. Today, there are thousands of malicious
actors on the Internet right now trying to intercept data,
trying to compromise servers, trying to access systems, and
just generally do bad stuff. If you get out there on the internet and
say, I'm gonna be trusting, it's okay, everything's gonna be fine. It's not, [LAUGH] and within 24 hours, you're going to have a system
you can't use anymore. Because it's been infected by a virus or
compromised by a ransomware or whatever. We have to take certain measures, and
it all centers around two concepts. One concept is access, that most
computers are connected to the Internet. And that means your computer doesn't just
see people in your home or in your office. It sees people all over the world and
that creates risk. And then second thing is data. The data that we're
storing on our computers, it's a lot different
than back in the 1980s. If you had a computer in the 80s
you were largely a hobbyist, right? And maybe you're using it in a business,
so there was some kind of minor spreadsheet
work or something like that. That was what most computers were used for
back then. Today, we file our taxes on the computer. We enroll in college on the computer. We buy movie tickets, we order food,
we do all of our shopping. We do all sorts of stuff via the computer,
right? And that means all of that data about us
is stored right there on the computer. And if somebody gains access to it,
we end up with identity theft, where our personal information gets compromised,
and now we've gotta deal with that. It's a huge headache, it's worse than just
losing your car keys, which is annoying. But, having all of your personal
information stolen, that's worse because you can't take it back, and a lot
of that information, you can't change. It's not like I'm gonna go and
change my name and change my fingerprints because
my computer got broken into. So it kinda puts you into a corner. For businesses,
it's even more true, right? Now let's take for example, I don't know,
I think of the food industry, Coca-Cola, whether you like them or
not, it doesn't matter. They have a formula for making Coca-Cola,
and it's a closely guarded secret. I don't know how big of a secret it can
be when they have these massive factories churning it out. But anyhow, apparently it's a secret,
and they don't tell people the formula. I don't even know if they have
it copyrighted or trademarked or whatever because it's such a secret. If hackers were to break in to their
system and gain access to that formula for Coca-Cola,
think of the damage they could do. [LAUGH]
Well, there's not a whole lot of damage there. But competitors could use that to craft
beverages that tasted similar, and now it affects their business. Stick with the food theme, like Kentucky
Fried Chicken, where they have their- Original recipe? What are there 21 original herbs and
spices or something? If somebody knew that original recipe, then that's what's called
intellectual property. There are a lot of businesses
right now that function solely based on the value of their
intellectual property. And if that value is lost, the company
would go out of business, right? So companies have a need
to defend that data. And I'm talking about companies,
let's go even crazier, military, right? If you work for the military, just the
fact that you have a soldier stationed in a particular city at a particular time,
that basic data could put a life at risk. If attackers get that data and leak that out,
that is data that needs to be protected. Now in the case of the military, they know
that and they're protecting that data. They're working very hard on it. In the case of Coca-Cola and
Kentucky Fried Chicken, they hopefully know the value of that and they're
working very hard to protect that data. But in the case of average John Smith and
the tax records he's keeping on his laptop in his living room,
it's not the same level of security. He's probably not thinking about
that on a day-to-day basis. When it's a schoolteacher that's
keeping track of grades for a student, they're not necessarily thinking about
the IT security ramifications of that. But, that's where we come in. As the IT technicians, the IT
professionals, we have to step in and say, this data's got
to be stored securely. It's got to be protected,
it's got to be stored in a way that we can rely upon it and know that information
is not going to get compromised. That's a really important
thing to understand. Just right here at the outset
that even benign data, data that seems very simple, can be used
to potentially steal our information. If you were to walk up to
me on the street today and say, Don, what was your first pet's name? In the olden days, I would gladly
tell you about my first dog, who was a sheltie, and I loved that dog. It was the greatest animal on the planet,
and I miss him dearly. But I'm not gonna say
his name on the show. And the reason I'm not gonna do that is,
not that it's some national secret, but because I've used that as a security
question on various websites, where, you forgot your password. Okay, answer these questions. Where did you go to high school? What's your first pet's name? What's your mother's maiden name? All of a sudden, information like that
that we used to give out freely becomes something that can be used against us. And that's where we've got to have
some basic measures in place, for us personally, but also for a company. Companies have to have
a security policy that defines what employees are allowed to do or
not allowed to do. And to help educate those employees
to make sure that they know because sometimes they just don't know. And if you walk up to somebody and
you say hey, when's your birthday. And they tell you their birthday. Most people tell you their birthday. It's not that big of a deal. And you say, how old are you gonna be? Well, if I know how old you are and
I know when your birthday is, then I can figure out exactly
what your birthday is. It's just simple math. And once I have that birth date, that's used as a verification question at
a lot of banks and a lot of other places. And we can start to get information. That process is what makes all of this so
dangerous, right? And it's also kind of
what creates the buzz and the hype around working in IT security. So when we talk about this, for
the whole rest of this episode, really the whole security section,
remember that the whole point of this is to protect that data and
ultimately to protect our users. So everything in the security world
must be built around that idea of protection, that's what
it all boils down to. Now Don as you say that I'm starting to
think about the very fact that there are so many companies out there
individuals that have different computer systems that are out there. I can't as an IT professional be able
to plan one system and secure that one without actually having to go and learn
the other system and secure it as well. Are there some basic principles that
we should use just in general then that can help us when there are so
many diverse systems out there? Absolutely, right, so let's say
I can only teach you one concept. I have a two minute show and
I can only teach you this one concept. There is one simple concept in the world
of IT security that you can apply across the board from
the beginning to the end. And it's the idea of what's
called the security triad. That IT security is built up of three
pieces, that's why they say the triad, and each piece is responsible for
a different aspect of security, right? I'm gonna pull up here, it's usually represented as
a triangle as triads typically are. [LAUGH] And we've got these three things,
confidentiality, integrity, and availability. A lot of people abbreviate this
down into the CIA triad, but that sounds a little shady and nefarious
[LAUGH] Like the Central Intelligence Agency. But it's got nothing to do, well,
nothing specifically to do with the CIA. Each of these are different concepts
of how we ensure security in a network, all right? Confidentiality, if I have data,
it's my data, I wanna keep it secret. And if I want to share the data
with somebody, I should be able to. But if I don't wanna
share data with somebody, I should be able to not share it, right? That's keeping information confidential. Integrity. If I choose to share data with somebody, I want them to know when they get it
that it hasn't been tampered with, it hasn't been changed, that it's in
the original form from when I sent it. And if they send me data I want to know
that data hasn't been tampered with, that it's in the original
form that it was sent. That's called maintaining
the integrity of data. And then availability. If I wanna access that data right
now I should be able to access it. And if I wanna access it tomorrow I
should be able to access it tomorrow, and the next day. I should be able to repeatedly access
that information whenever I want and it's available and ready for me to use it. When we implement security procedures, policies, password requirements,
backup systems, and so on, they're all designed to provide
at least one of these three things. The next time an IT security officer
comes to you with a new policy and says from now on, you have to use this. You have to use a badge here,
I'll show you one. You have to use a little key to unlock
your computer from now on, right? Well, up until that day,
they just had a username and password. But now all of a sudden
you got this little key, this is actually attached to my belt. [LAUGH]
It was. Well it was attached to my belt. This is what I use on my computer. So when I log in in the morning I just
don't put in a username and password, I also have to plug this key into
the computer to gain access to it. And I hurt my hand. So why did they do that? Why did they ask me to do that? Well, let's look at the CIA triad and
figure that out. If I log into my computer and
use a user name and a password, somebody else could get my user name and
password, couldn't they? My user name,
that's pretty easy to figure out, most companies just use your actual name. And if you know one person's
name you can figure it out. Or if you know their email address? Almost everybody these days uses your
email address as your user name. Email address is on my business card. [LAUGH] You just look at my business card,
now you know my email address. So you've got the username, the password,
maybe they could guess the password, maybe they could figure it out, maybe they could
trick me into giving them the password. That would be bad, right? Maybe they know the name of my first pet, and they can use that to reset the
password and now they know my password. They can get in my data that
breaks confidentiality, right? If they can log in as me they could
start sending false data as me, that breaks integrity, right? Everything that doesn't do is
it doesn't really mess up with the availability, right? If somebody is able to log in
as me I can still log in as me, unless they reset my password. I cannot get in, that breaks availability. That password compromise puts
all three of these at risk. They come in and they give me this key. And they say from now on, Don, in order
to log in, you gotta use your username, password, and plug in this key. Now if somebody figures out my password,
it's not enough, they can't log in as me,
they don't have the key. Or if somebody steals my key, they can't
log in as me, they don't have my password. They would have to have both, the password
and the key, and then they could get in. So by making that harder, they can't log
in as me, my data stays confidential. The only person who's logged in and
sending data is me, is me cuz I have the key and
the password so that maintains integrity. And I know that somebody else can't get in
there reset my password because they don't have my key, so it maintains availability. This one solution, this one little
key met all three categories. It's not always like that,
a lot that we deploy only provides one. It might improve confidentiality or
it might improve integrity. It might improve availability,
but not the others. So we have to keep that in mind, that all
security's built around these three ideas. And I want to spend a little more time
on each one because there are a lot of different solutions under each category. But, going back to what
I said a moment ago. If I could only teach you one concept,
it should be this. That when you're trying to secure
your data, anything that you turn on, any button you switch or software
you install or hardware you put in, you should look at this triad and
say, okay, how does that help this? And if it doesn't, if it doesn't help
at least one of these three things, then you're wasting your time. There's something called security theater,
are you familiar with that term, Ronnie? Where people will do things
that look secure, but aren't. There's an old photograph that's been
going around the internet forever. It's a parking lot and it has the little
arm, that is blocking the road, so if you try to get into the parking lot
the arm has to come up for you to go in. But you can see road tracks where people
have just been driving around it. It's security theater; that little arm
didn't actually secure the parking lot at all, you can just drive right around it. There is a lot of it in IT. There are a lot of people that are taking
steps that make you feel like it's more secure, but it's not actually improving
at any of these three things. So we need to map to that. Now, mapping to it,
there's a ton of stuff we can do, and you can go a little too crazy. We can get so secure that it's
unpleasant to use our computers, right? We've probably all encountered
that at some point. You go work for a company that says you
gotta reset your password every 30 days. That is so annoying,
to have a new password every 30 days. Right, well, I feel that way,
a lot of other people feel that way. It does improve security, right,
if an attacker figures out your password, they've only got it for a maximum of 30
days, but did it really improve security? If they got your password, they don't need 30 days to get
all the information they want. And the attacker can reset your
password just as easy as you can if they're already in. So in a way, doing password
resets that frequently doesn't really improve security, so
you've gotta find a balance. You gotta find a balance
between customer usability, or just end user usability, and security. And that's all a balance here between
these three things that we're trying to provide to secure our infrastructure. All right, Don, as we focus in on this
idea of confidentiality, as we see here. Can you give us some examples of what
we're really concerned about, or the idea of what people are doing
to bypass confidentiality? Absolutely, yeah, so
confidentiality, I have data, and I don't want anybody else to get it. Okay, well, how can somebody get my data? They could be sophisticated hackers,
they could be the most brilliant technological mind and
attack via the network and so on. But it's not normally that hard, it's
usually pretty easy to get someone's data. In fact, you don't even need a computer,
if I wanna get somebody's data and I know that that person
prints things out a lot. I don't need their laptop, I don't need
their network, I need their trash can. I can just wait until the end of the day
when they walk away from their desk, and I can go grab everything
out of their trash can. Odds are they printed out some of the data
I wanted and dropped it right in the can. I didn't need a password for that,
I didn't need hacking skills and tools, just go to the trash can. Right, let me show you an example of
security that can help with stuff like this, sometimes it's really really simple. What I have here,
this is a 3M screen filter, right, these are really popular because,
if you travel, I travel a lot. You get on an airplane,
you fire up your laptop, well, you get stuck in a middle seat
because that's how airlines work. And two people who miraculously didn't
get stuck in a middle seat somehow are sitting on each side of you. They can look at your screen,
they can see exactly what you're doing. Well, you can have
a privacy filter like this. When somebody is using a computer and
someone else looks and sees what they're doing,
it's called shoulder surfing. They're looking over your shoulder,
it's not sophisticated. It's just, look, that person has
a computer, what are they doing? They've got a spreadsheet,
that's kind of neat, what kind of information do they have? So there's technologies
like these screen filters. And let me show you this one,
cuz it's kind of neat. So here's the screen filter, and if I
hold it in front of my face or whatever, you can see through it. But if I was at an angle, so let's say
you're sitting to the left or right of me. As I turn this to an angle,
look what happens, it blacks out. Right, there's little louvers and
cantilevers inside of this, so that when you're at a 45 degree angle, or I think it actually starts around 30
degrees, that it just blacks out. So now the person to your left or
right is wondering why you're sitting there typing on
a laptop that's turned off. [LAUGH] And meanwhile, you are sitting
there using the laptop and it's just fine. And it does create a little bit of
a shade effect on your screen, so it's almost like wearing sunglasses. But the trade-off is, you get great
security as far as shoulder surfing. Now, it's not perfect, I was telling
Ronnie a story before the show. I saw someone on an airplane that
had a filter just like this, and they sat in front of me. And because I was directly behind them,
I could see the screen just fine. Right, the people to the left and
right, they couldn't, right, they would get that blocking effect. But for somebody sitting directly behind,
this just dims the screen a bit, it doesn't necessarily improve security. So we always have to be aware of that,
that sometimes we can try and take steps to make
information confidential. But if it's not implemented correctly or if we do think all the way through of
all the different use case scenarios, it may not actually provide
the security that we want. A great example of that is encryption. If I wanna keep my data private,
right, I want my data to be private, so I'm going to encrypt it,
I want it to be hidden and stored away. All right, well, for example,
let me show you here, my laptop. So this is my laptop, my actual laptop
that I use for work and here on the show. I have data on here that, I was about to say, I have data on here that I
wouldn't want to get out. But I don't think I actually do, [LAUGH]
I think I just have show notes and stuff. Let's pretend that I did, so
my tax returns and stuff are right here, I don't want that to get out. Okay, well, my system is encrypted. This is a MacBook, and Apple has some
software, whoops, if I can get in here. They have some software
that's called FileVault. And what FileVault does is,
FileVault encrypts your hard drive. So see it's telling you right here,
FileVault is turned on for the disk Macintosh HD, and
a recovery key has been set. My hard drive is encrypted, all right. Which means,
if I leave my laptop at an airport, or if somebody steals my laptop and
runs away with it. They could turn it on, but
unless they know my password, they can't unlock it, and
all of my data is encrypted. If they knew my password, they could
punch it in, it would unlock the laptop, and now my data is decrypted. But I know my data's safe,
it's confidential, even if someone steals my laptop,
because it's encrypted. Now, as with all security,
there's a flaw here, right? The flaw is, my laptop is protected
until I put in my password. When I put in my password,
now everything's unlocked, right? And so then I can come in here,
and I can browse my hard drive, and I can access my files, and
I don't even realize it's encrypted, because at this point,
it's all being decrypted. I'm able to browse in and
access my information, right? Well, let's say I come in in the morning,
I turn on my computer I log in. And then I say,
I'm gonna go get a cup of coffee, and I walk away to get a cup of coffee. I've already unlocked my computer,
anybody could walk up, sit down at the computer, and now they've
got access to my data unencrypted. It's not a perfect system, it's not
one thing we can deploy by itself. We need to employ it in conjunction
with something else, right? In this case, if I remember to
lock my screen when I walk away. All right, so if I'm gonna walk away,
I just kinda have this memorized, Ctrl+Cmd+Q. On Windows, it's the Windows key+L, if you
hit Windows key+L, it locks your screen. On a Mac, where everything's supposed
to be easy, it's Ctrl+Cmd+Q. So I can just hit that, and I can walk
away, well, now my screen is locked. If somebody wants to get in and
use my system, they're gonna have to
punch in my password. If they know my password,
they can get in and there they go, and
now all my data's decrypted. But if they don't know my password,
they can steal the laptop, but all the data's encrypted,
they can't access it. That's a decent solution, but it depends
on me remembering to lock the screen. Okay, what if I don't
remember to lock the screen? Well, what I could configure
is a screen saver, right? And screen savers, we don't really
need screen savers anymore, computer screens don't
burn in like they used to. You can have the same image for
days at a time and it won't burn in. But screen savers are still useful
because what you can do is, when you configure a screen saver,
you can tell it that after the screen saver kicks in,
to lock the screen and require a password. And that way, if I walk away, after
a couple of minutes, the screen will lock. And then, if somebody else tries to
use it, they can't get in, right, it's an extra step. This is all stuff that a regular
end user isn't gonna worry about, they're not gonna think
about things like this. It's up to us as IT professionals
to step in and say, all right, here's a protection mechanism.
Here's a weakness, or what's called a vulnerability,
in that protection. How can I fix that? How can I correct it to maintain my end
user's security, their information. So keeping that data confidential. There's other things to
remember about this. Like, sometimes the best way
to keep data protected and keep it confidential is to destroy it,
right? That if I'm done with some data, I don't
want to just drop it in a trash can, somebody could get that. I want to make sure it gets destroyed. And there's a few different
ways to go about that, let's talk about mechanical disks for
a moment, right? Mechanical disks, so this is a hard drive
that would be inside of your computer. Some systems have SSD now, but most
systems still have spinning disks like this, where they have a platter, and
a mechanical arm that's using a magnetic signal to basically write ones and
zeroes to that platter. Well once that data is written,
even if you delete the data, remnants of it are left behind. And it's kind of like the old game where
if you write on a piece of paper and you throw it away, the piece of paper underneath it still
has an imprint of what you were writing. That's kind of how hard drives are. That data gets left behind. And so you might have a blank drive,
and then you write something on it. Here I wrote the word dictionary. Okay, and then over time I delete it,
but it's still kinda there. It's just marked as deleted. And then I write new data, and
that data gets layered on top. And then more data and then more data,
right, and so it gets to the point where there's no way I can tell what
was originally written on there. If I didn't know that it said dictionary
originally I would have no idea that's what it said now, right. But there's forensic software that does
a really good job of breaking this down, getting at that information. And so if we want to ensure that
data is no longer necessary, if we have an old laptop
that we're getting rid of. We don't wanna just sell
that laptop on eBay. A random person buys it and now they've got access to all
the data that you had on that laptop. So we wanna make sure that
data gets purged off. And the only way to really guarantee
it is to destroy that data. Now when we're talking about paper data,
that means going through a shredder. You drop the paper in a shredder,
paper gets destroyed, that's the end of the story. Well, I'm going to ask
somebody to glue this together. So, with hard drives,
they have software versions of shredders where you can run a software utility
that will write data over and over and over again to the disc to make it
where you can't recover the data. But in high security
environments like military and intelligence, in those areas
they don't even trust that. And they actually use, well,
shredders but not like this. Shredders like this. These are industrial shredders that can
grind up a physical hard drive like it was nothing and now there's no way to
recover that data that's off of there. You would be surprised the amount of data
they can recover from an old hard drive even if you've deleted it and
formatted it and overwritten it. There's still traces left behind of
that data, and it can be reassembled. It's actually a bit of science to it, but
you'll see where there's cyber security forensics analysts, and
that's what they do. That's their specialty, is recovering data that people would
generally assume is completely lost. So those are some aspects
of confidentiality, obviously there's a lot more. Right, we need to understand that
just because we own a laptop, that we have to do what's called
tempering our expectation of privacy. That you're using your laptop. That's great. But the moment you browse a website,
you're actually passing through a number of routers that are owned by other
companies you don't even know. You're passing through other servers and
other systems and a lot of things in between. And I wanna show you an example that, I
know I kind of went a little long on some of this so,
Ronnie can we do a part two on this one? Let's do a part two. Let's do a part two because I wanna
show you that when you use Facebook, when you use Gmail or
somebody like that, there's so many companies involved in that
communication that you cannot trust that that data is going to be
kept confidential and safe. So I wanna show you that chain,
we'll do that in part two. And then I didn't even get to
the other two of the triad, right? And so we didn't talk about integrity and
availability as well. So definitely stay tuned for that. All right, Don,
well thank you again for helping us to understand at least this. And you wanna stay around for that part
two, Don left us with a cliffhanger. That means you gotta come back. So this is a great place for
us to sign off. For ITPro.TV, I'm your host Ronnie Wong. And I'm Don Pezet. Stay tuned right here for
more of your CompTIA IT Fundamentals show [MUSIC] Thank you for watching IT Pro TV.