Basic Security Principles Pt. 2 | CompTIA IT Fundamentals+ (FC0-U61) | Part 31 of 38

Captions
Welcome to ITProTV, I'm your... what can I... Welcome to another great show right here on ITProTV. You're watching the CompTIA IT Fundamentals show. I'm your host, Ronnie Wong, and today we're diving into a part two on basic security principles. Now, if you watched part one, you know that Don left us with a cliffhanger. So back with us again to help deliver through and help us to see the idea here of what more confidentiality, it's gonna be Mr. Don Pezet himself. Don, welcome back to the show.

Hey, thanks for having me back, Ronnie. And you know, in part one I introduced the concept of the CIA triad: the confidentiality, integrity and availability, the three kind of facets of any IT security program. And we were talking about confidentiality, so we were setting the stage about how we should be able to reasonably expect our data to be private, and then we control who has access to it. That's what confidentiality is all about. Well, one of the things that I wanted to touch on and ran out of time on was the expectation of privacy. Like, is that a realistic expectation, and what does it actually look like? So we're gonna talk about that in this episode, and then we're gonna move on to the other two elements that we didn't get to. We didn't talk about integrity or availability, so we'll get a chance to see all those right here in this episode.

All right, so Don, here it is. You talked about the idea at the end of the first episode, might say episode 1, at the end of the first episode here, we say we have to temper our expectations of this. So what do you mean by that?

All right, so the internet, shockingly, is not yours. It doesn't belong to your company, it doesn't belong to your country. The Internet is actually a network made up of numerous entities, they're called autonomous systems, that are all kind of glued together in creating this friendly, almost communistic type network. Well, the thing about that is, as you browse the internet, as you use these services, there are many people involved in helping you get to
that service, and most of the time you don't even know who they are. They're companies that you're not even aware of, or you've never heard of their names, and you're reaching out and using services provided by a company you have heard of but you don't know the employees of. You have to have this, like, implied trust. Take Facebook, for example, right? Many, many people use Facebook, and many people put their personal information in there: information about their family, their birthday, their pets, photos when they're on vacation, so when their home is empty, it's all posted right there on Facebook. Really, really personal data. All right, well, I know for me this is true, I'll bet for most of you out there it's probably true: I can only name one employee at Facebook, right? That's Mark Zuckerberg. He's always in the news. I can't name a single employee that actually works in a Facebook server room. I don't know that. So if I start putting all of my personal information in there, which for the record I don't, but if I did, right, I would be trusting all of those data center employees to handle my data securely and properly, and not to be poking through it in the middle of the night, or leaking it out on the internet, or not properly securing it so that attackers could get it. I would be putting my trust in those people.

If you use Gmail for your email service, or Yahoo Mail, or any web-based mail, you're putting your trust in that company to protect your data and your interests. Well, in the case of Gmail, and I do use Gmail, I do put a ton of information in there. Google has a ton of information on me. Well, I'm trusting that they keep my data protected, but at the same time I know they're using my data to be able to show me advertisements. So it's not like they're not looking at it. They are actually looking at that data. It might not be a person, it might be an algorithm, but it is happening, right? And that all happens in the background. Like, we take a look at my computer. Let me jump over to my actual machine
here. So this is my actual laptop, and when I go out and I browse to a website, let's say that I go to cnn.com, I'm gonna browse to CNN and I get their web page. Now, I know that I went to CNN because I typed it, and CNN knows I went there because I asked. I said, hey, can you give me a copy of your web page? So now somebody at CNN somewhere knows that I looked at their web page. All right, well, honestly, that was what I expect. This is like a conversation. If I talk to Ron, I expect him to know we're having a conversation, right? That's a normal expectation. But what about other parties? Do I want other people to know that I went to CNN? Well, CNN, it's just a website, right? But I mean, there's websites, maybe there's personal information, medical information, I don't want other people to know about, right? But the reality is other people did know. At the network level, absolutely.

In order for me to get to the CNN web page, let me fire up a little utility called traceroute. Traceroute's a utility that shows me how many routers I had to pass through on my way to a web site. So if I went to www.cnn.com and I trace it, it's gonna map that out, and I had to pass through four routers to get there. It's actually pretty short. The further away a server is, the more routers you have to pass through. This first router, I trust it because I own it. It's in our server room back over there. That's our router, so I'm okay with that. The next one, GRU, that is our internet service provider. We get service through the Gainesville Regional Utilities, and so there's our ISP. So I trust them, if only because we pay them a check, but I actually do know every single employee in their data center, so I have a good degree of trust there with GRU. After that, though, who is this one, 198.32.132.216? That's a name that's not familiar to me, mostly because it's just a number, but I don't know who that is. And this last number here, that's gonna be CNN. Then, you know, the end of the
journey is CNN. So I see it, but here's this one entry point in the middle that I don't know. I don't know what company that is, I don't know who works there, I don't even know what city that's in, but my connection passed through there. That's a risk, right? Now, usually these are trustworthy networks. Usually. But I don't know that network. The further away we get, right, in another episode we had done a server in Russia, so I did pravda.ru, and I'm not singling out Russia, it's just kind of on the opposite side of the globe, so I know that when I reach out to them I've gotta cross the Atlantic Ocean. I've either gotta hit a satellite or a transatlantic cable, maybe a Pacific cable, probably transatlantic for us. And I can see it's eight hops away, and you'll see, you know, our router, our ISP's router, and then a number of systems that I have no idea who they are, right? That's trust.

When I send my data across the network, how can I expect it to be confidential? Well, if we have things like HTTPS, right, secure web pages, which, actually, CNN, if I look at CNN's web page, it's secure. It's using HTTPS. It's encrypting my data so that when it passes across those ISPs, when those routers see it, it's encrypted. So they know I went to CNN, but they don't know what data I sent, they don't know what articles I read. They just see this encrypted connection. Yeah, that's confidential, it's perfect, right? Sort of. Here's where the expectation starts to break down. My data is encrypted from my laptop all the way to CNN. I know that because I see a little secure note right there in my browser, so I know I'm protected. But look at the rest of this web page. This web page is made up of elements not just from CNN but from a number of other servers. In the early days of the internet, when you browsed to a web page, the web page was served from one server and that was it. Nowadays web pages can be served from many servers, and this one web page that I'm looking at right now contains elements from, let's see, 56 different
servers, which is ridiculous. Like, CNN is the worst of both. Fox News is pretty bad about it too, but CNN is really, really bad about it. 56 different servers. Now, I know CNN, all right, there's one. What are the other 55? Well, I run a little utility called Ghostery. If you're ever bored and you want to try Ghostery, it's free, it's a plug-in for your browser, and what it does is it lets you see all of these connections. That's how I knew there were 56 connections. How did I know? Here it is, 56. And if I go to my detailed view, I can start to see what those are. 39 of them are advertising trackers. What's a tracker? It's remembering what I did. It's saying Don went to CNN and clicked on this article, so now I'm gonna sell him brown shoes, and, you know, you clicked on this other article, so it's time to buy tofu, right? That's what they do. They know what you read.

I don't have an expectation of privacy when I go to CNN, because they're sharing my data, just by going there, with all of these other sites, right? And there's a lot that are in here. There's 39 trackers. When we get past that, we get some kind of comment system for their chat, I guess the comments, because news site comments are always, you know, useful. You've got some more trackers down here for customer interaction, site analytics. Analytics are effectively trackers. They don't really care where I'm going, it's more of, like, where I came from, so they can generate more leads. And then social media down here: Facebook beacons and Gigya counters. I've never heard of Gigya before this very moment, but here I am. They now know that I went to CNN today. So that should hopefully illustrate for you kind of what that expectation of privacy is. When you work with Facebook, when you work with web sites like these, there is no real privacy with that data. So when it comes to something that is truly important, in the last episode I mentioned, like, the secret formula for Coca-Cola, you don't put that in your Gmail. You don't go to CNN's website and search for it. You don't do that, because
you can't expect that data to be safe and protected. So that's a challenge that a lot of people have, and it really starts to create one of the bigger weaknesses that we have, and is why, when we talk about that CIA triad, confidentiality is something we have to actively pursue to protect our systems and our information.

Yeah, Don, speaking of that, what about something else? Not the idea of just a website, but everybody just uses instant messaging today as part of this. Is that something that we also have to worry about in confidentiality?

Oh, absolutely. Email, instant messaging, text messages, browsing the web, any kind of web-based application, even regular applications, most of them phone home in one form or another these days. All of those are different ways that we might be leaking information out, right? Now let's stick a little spin on this, though. What if not only could they intercept the information, but they could modify it? They could change the information. That could be really bad, right? Confidentiality is about keeping my data safe. Integrity is about making sure that data doesn't get manipulated.

When I showed going out to CNN, I passed through four different systems. My router is one, I trust that. GRU is another, I trust them. Then there was that random element, and then there was CNN. I trust CNN to give me CNN's page, because that's in their best interest, right? But that third element, I don't know who they are. When I went to Pravda, again, not singling out Russia, but I had to pass through a lot of routers to get all the way to the other side of the globe. Anybody along the way could, in theory, intercept my traffic, and when there's an intercept, there's a potential for what's called a man-in-the-middle attack. All right, normally when you talk to a system, you send data to that system and you get a response back. When I talk to CNN, I expect CNN to give me data back, right? That's the normal expectation. But the more things you put in between you and a destination, the more likely it is
that somebody could be in the middle, right? An attacker could pretend to be CNN, and I think I'm talking to CNN, but I'm talking to them, and they send me back a page that might even look like CNN but isn't, right? They're now taking over and hijacking that session, or providing that false website, and they can use that to do things like say, oh hey, your password's expired, you need to reset it. Your password hasn't actually expired, but they give you a form where you type in your old password and your new password. Well, guess what, they've now got your old password, and if you add a new one, they've got your new one. So they can then take that, and they can use that to access your resources. This is very common with Facebook and Amazon. There are a ton of web pages that masquerade as Facebook or masquerade as Amazon because they want access to your account. They want to be able to steal those credentials and that data. That is a real challenge.

And so when we browse to sites like CNN, how do we know we actually have the real website? How do I know that the data is not being changed in transit? Well, this goes hand-in-hand with confidentiality. When I browse to a website and it tells me the website is secure, we've got this little SSL certificate up here that's giving us an encryption key. It's encrypting data. Well, if somebody modifies that data, it breaks the encryption and it won't work. We won't trust that site anymore. If we go and it's not the right certificate, the certificate doesn't match the name of the site, then it breaks. So if somebody is masquerading as CNN, they would have to steal that certificate as well to do it, and if they didn't have that certificate, then we would know. Our web browser would warn us.

Now, that's a web browser. There's other protocols, like email, that are way more trusting. Spoofed email is trivial. It is easy. I could write an email and say it was from Barack Obama and send it along. And when email was developed back in the 1970s and 80s, it was very
trustworthy, and today, here we are 40 years later, email is still just as trustworthy as it used to be. So it won't even bat an eye at the fact that I'm saying I'm bobama@whitehouse.gov, right? It's, okay, fine, send it along, right? It's up to the mail servers now to step in and say, all right, did this actually come from the White House? And if they don't do that verification, you know, this goes right through. That becomes really, really challenging, and that's why integrity is becoming a bigger challenge, a harder thing for us to maintain and make sure that we're protected.

Attackers can intercept your communications, manipulate them, and send them along. They can intercept your communications and replay them later. So maybe I capture Ronnie logging into Facebook. I record that traffic, and then later I go to Facebook and I replay his traffic to log in. Well, a lot of systems will have techniques like timeouts. Maybe you've seen that. You know, you go to Amazon, and, whoops, Amazon.com, and you go to log in to access your account. So I want to go to sign-in, and then I get distracted and I walk away from my computer for a while, and then I come back and I try and log in, and what do I get? I get a timeout form that says, no, you've got to refresh your screen, refresh your browser, and then you can log in. Well, they're timing it out because if somebody recorded my login traffic, we don't want them to be able to replay it later on. So it's only good for a certain period of time. In fact, most systems use what are called OTPs, or one-time passwords. A password only works one time, so if somebody tries to replay it, it doesn't work again. SSL does that automatically in your browser. If we had to do that ourselves, imagine having to come up with a different password every time you used your password. It'd be a nightmare. But computers do it, no problem, right? They maintain that level of integrity. It's an important aspect of ensuring security and making sure that we can trust the data that we're getting. There's a
few other tools that are kind of in the toolbox on this stuff. For example, well, the biggest one that comes to mind is not a single tool but actually a class of tools. Do I have... yeah, three things. In the security world they normally call this Triple A, right: authentication, authorization and accounting.

All right, authentication. That says that whenever we access a resource, it needs to verify that we are who we say we are. When I went to CNN's web page, if I go to Pravda's web page, if I go to anybody's web page, they're going to have an SSL certificate these days, and that certificate is based off of a private key that only that site would know. And so when I see the public key that's generated from it, I can use that to verify and say, yeah, this is actually CNN, or nope, this is somebody impersonating CNN, right? If you want to see what it's like when somebody is impersonating, there's a cool website called badssl.com, badssl.com, and you can go to that website and they've got examples here of what it would look like if, for example, the host name didn't match, or if it was a fake certificate, or a certificate issued by a non-trusted root. An attacker would be a non-trusted root. So if they've issued a fake certificate for CNN and you were to browse to it, this is what Google Chrome would do. It would come in and it would display this message: warning, your connection is not private. It's using SSL, right? See how it's got the HTTPS with a slash through it? It's using SSL, but it's not a trustworthy certificate, so we can't trust the data that's being sent across. This is the error that we get, right? And there's a number of different scenarios that break that down, like wrong host name, and you get a similar error. Each error is just a little bit different, versus when you go to a site and you see the nice little green box up there, everything's happy, it's working the way that it's supposed to. You know, when you have a proper key exchange or whatever, it's not that one
that you'll see. A healthy page comes up, like here, this is a healthy page that comes up. We get the green instead of the red warnings, so I know that it's working properly and that our data is safe. So that's kind of one way of doing authentication. I'm verifying that site is who they say they are.

For users, authentication normally takes the form of username and password. I type in a password, and the system says, yeah, you're Don, you know the password, obviously no one else would know the password, that would be crazy. That's not always true. So authentication might need to be extended. You might need to have dual-factor or multi-factor authentication, which I talked about last episode. I might have to have a password and a little key that I plug in, or a password and my fingerprint, or a password and a retinal scan, or a retinal scan and a PIN number, or it would do two things: a text message with a code to be able to get in and log in. Those are all different ways that we can authenticate a user.

Once they're authenticated, we need to authorize them. What are they authorized to do? What are they allowed to do? I can log in to Amazon and I can buy stuff. I'm authorized to buy stuff. Can I delete items? Can I change their price? No. Now, at Amazon headquarters there's an employee there who can delete items. There's an employee there who can change prices, right? They're authorized to do it. I'm just a customer. I'm not authorized to do that. On my own computer I'm authorized to do all sorts of stuff, and you can see that pretty easy too. If you're on Windows or Mac or whatever, usually you can just browse in your file system and take a look at any file. In Windows you would right-click and choose Properties. On a Mac you can do a two-finger click and choose Get Info, and what you'll see in there are sharing and permissions. I'm dpezet. I have read and write access to this folder. So once it authenticates me and knows that I am dpezet, I'm then authorized to read and write on this folder. But if I was somebody
else, I would only be authorized to read, not write. That's authorization. This normally takes the form of permissions. There can be other things, like access control lists, that can kind of contribute to this, and other technologies like that. A lot of times they're not based off of a username like I'm doing here. That's kind of cheating. What you normally do is what's called role-based access control, where you're granted access based on your role in the company. So if I work at a university, I might have staff, professors, students, right, these roles. And as a student I can access certain areas, as a professor I can access even more, and as staff I can access everything, right? So you kind of delineate that based on the role they serve within the organization. That's another way to maintain integrity, because only people who need permissions will have them, and it prevents unauthorized people from writing to data, changing data and manipulating it.

And then the last piece of this is accounting, and that's keeping a record of what happened. Logs, right? Most systems maintain a log or a record, or they send out alerts, an email: hey, warning, your password has been reset. You've probably received those. If I change my password with Google, they immediately send me an email saying, hey, your password was changed, are you aware of that? Was it you? Right, that's a form of accounting, keeping a record of what occurred, and that way, if something bad does happen, we can figure out exactly what it was and where it came from. We can try and figure out what that cause was and fix it so it doesn't happen again. These three things, authentication, authorization and accounting, make up a big part of maintaining the integrity of our data.

All right, Don, that now helps us to understand a bit more about the idea of integrity as well as confidentiality. That does bring us to our final area of availability. Now, Don, when I first started learning about this, it didn't really seem to make sense to me that I
wanted to secure something but make it more available, or make it available. So Don, help us out with this concept.

You know, I took a security course years ago, and I had looked at the agenda ahead of time and I saw this bit on air conditioning. I'm like, air conditioning? I'm trying to learn about IT security. What's that got to do with air conditioning? Well, when we talk about availability, that's making sure that systems are available when our users need them. If I have an email server, users should be able to expect to get their email and be able to log in and see it. There's a number of attacks that can make that not happen. If I take over someone's account, they can't get at their own email anymore. It's no longer available. Or maybe I'm just malicious and I want to take it offline. I can do a denial of service attack. I can flood data at that email server, so much data that regular people can't get to it anymore, right? That would reduce availability. Or maybe we go low-tech, and I go and buy a baseball bat at the local sports store, and I walk up to the building and I find the air conditioning air handler outside. You know, they all have the big fans, the exhaust fans that are outside. And you take that bat, or a crowbar, or whatever, you jam it down into the fan and you stop the blades from spinning. Okay, what's gonna happen? What's gonna happen is heat is gonna build up inside of the building and not exit the building like it's supposed to. You know, the fans are supposed to take that heat out so the cool air can fill the building. Well, if the building starts getting hot, what happens to our servers? What happens to our computers? Eventually they hit a temperature threshold and they go into what's called thermal shutdown. They power off, because otherwise they're gonna melt down. You don't want that. Well, if your servers power down, they're no longer available. So as an IT security person, we have to think of a lot of things beyond firewalls and antivirus. We have to think about things like
physical locks on doors, fences around the building, generators in the event that we lose power, redundant air conditioning to be able to keep the temperature cool so our servers don't... these are all things that you don't necessarily think about in the IT security world, but they're absolutely under the realm of IT security, that we've got to keep these systems on and available.

Many systems have stuff built into them to help provide this. So for example, I've got a picture here. This is an HP ProCurve switch. It's actually the back side of the switch. On the front side you see a bunch of ports with cables, not very exciting, but on the back side what we're looking at here are four power supplies. This switch has four power supplies. Why? Well, if one fails, it still has three more. If two fail, hey, this one can actually run on two power supplies. It doesn't need all four. I think this one can actually run on one power supply. You remember, Ronnie, on the program? Yeah. So this would be fine even if three of the power supplies failed. Well, two of the power supplies are run to one UPS, a battery backup. The other two are run to another UPS, so if a UPS fails, the other one is still there. A UPS is an uninterruptible power supply. If we lose power to the building, these are big batteries that kick in and take over. Well, we don't need the batteries very long. We just need the batteries for a few minutes, because if we lose power, generators can power up and the generators can provide electricity. But in the little window of time between power going out and generators restoring power, we need something to keep things going, and that's what the battery backups do. And that's part of IT security. We want to maintain availability even if we lose power, right? And that's a hard thing to plan for, because we need power for pretty much everything in IT, but you plan for it with your critical systems.

When companies plan for security, they do what's called a business impact analysis, and they say, if system A failed, how would that
impact the business? If system B failed, system C failed? And by doing that they identify which are the critical systems, which ones are really required to keep the company running, and then you take steps to ensure that those are always available: that they're properly cooled, that maintenance is performed on them, that you don't let those servers get 10 years old, because they're gonna be more likely to have hardware fail, but the critical ones need to be updated much more frequently, and that they have redundant hardware and other things available to ensure their availability.

Now, this is just power supplies, right? Companies can have redundant buildings, entirely separate locations. In fact, one thing I like to do are backups, right, backups where we store a copy of our data somewhere else. And that used to be hard. We used to, you know, have to, like, back up to tape and send it off with somebody. Now there's all sorts of cloud services that are out there, for example organizations like CrashPlan, where you can run a little client on your servers and it backs up all of your data to cloud storage. It's encrypted, it's secure, and now if your entire building was destroyed, well, that would really stink, right? But at least your data would still be sitting out there and you can go and get it and retrieve it. Microsoft, they have what's called Azure Site Recovery, where they can back up all of your servers, and if your facilities are destroyed, you can bring up virtual machines in the Azure cloud. You flip a switch and all of a sudden your systems are all back online up in the cloud in just a matter of moments. Like, that's amazing technology that provides you a level of redundancy that we didn't have in the past. In the past, if I wanted redundant buildings, then I had to buy two buildings. Well, buying one building is bad enough. A second one, that's a ton of money. So only the largest enterprises were able to take advantage of that. In today's world even home users can take advantage of this
stuff. Services like CrashPlan, I don't want to sound like an advertisement, I actually don't know how much they cost, I think it's like less than 50 dollars a year, so really, really small versus if you had to buy hard drives and set up a network and so on. So this world is constantly changing. There's new technologies that are coming out, but it all ties back to confidentiality, availability and integrity. Those guys right there, that is the key tenet of IT security. All the different things I talked about, redundant power supplies, door locks, biometrics like fingerprint scanners, the little key for authentication, SSL, all of those are contributing to these three areas: confidentiality, availability and integrity. So if you choose to move on to become an IT security professional, these are three words you're gonna hear a lot, and everything you do should be improving at least one of these in some way.

All right, Don, well, thank you for helping us to understand the basic security principles here of confidentiality, integrity, as well as availability. These are those security principles that will follow you throughout your entire IT security career, and, well, it's actually a great thing to have the fundamentals down, because it keeps in mind, right, the very fact that all that you do, regardless of what type of technique that you use, that it has to help us to secure and to make these things better. All right, Don, any other final words of wisdom for somebody that says, hey, I think this is a great area?

Sure. If you watch Mr.
Robot and then you thought, man, these episodes like to be stinking hacking, right? Well, certainly true, we're focused more on the level of security. If you want to get in IT security, and doing things like penetration testing is more interesting to you, those are in the more advanced certification courses. Obviously, with CompTIA, IT Fundamentals is that starting point, right? Security+, it covers all the security concepts from a much more in-depth standpoint, a lot of the things that we talked about in these last two episodes. But then you get into things like Cybersecurity Analyst+ and PenTest+, where you actually learn the activities that you go through to see if you can break into a system or see if you can defend a system, and that's usually what people want to jump in and learn. But I just want to caution you right now: if you try and jump into those advanced courses without learning the fundamentals first, it's really, really hard, and so you'll struggle. Learn the foundations and then jump into the cool stuff that's on TV. It's just, you know, just like anything, you gotta walk before you can run. That's kind of the process you want to take with security.

All right, so you heard it right here, and that means this is a great place for us to sign off for ITProTV. I'm your host, Ronnie Wong. And I'm Don Pezet. Stay tuned right here for more of your CompTIA IT Fundamentals show.

[Music] Thank you for watching ITProTV.
Info
Channel: ITProTV
Views: 2,769
Keywords: comptia itf+, comptia itf+ training, comptia itf+ study guide, comptia itf+ exam questions, comptia itf+ fc0-u61 practice test, comptia itf+ certification, comptia itf+ fc0-u61, comptia itf+ practice test, comptia itf+ fc0-u61 exam, comptia itf+ free training, security principles
Id: 8j-JzuzIZKE
Length: 30min 27sec (1827 seconds)
Published: Mon Apr 06 2020