1.32 - Intro To Ethical Hacking - Security Controls Part 2

1
00:00:00,256 --> 00:00:02,304

Welcome 90 protv I'm your host.
2
00:00:06,912 --> 00:00:09,472
You're watching iPhone
3
00:00:12,032 --> 00:00:18,176
Hello protv empowering the world through engaging learning on
your host Zach Memphis
4
00:00:18,432 --> 00:00:19,712
Ceh V10
5
00:00:19,968 --> 00:00:23,552
This episode is intro to ethical hacking and security
controls part
6
00:00:23,808 --> 00:00:24,320
2
7
00:00:24,576 --> 00:00:29,184
And once again are experts in the field in the studio and
everywhere he goes Daniel Lowery is here
8
00:00:29,440 --> 00:00:34,816
Just show us the way Daniel get to see his
9
00:00:35,072 --> 00:00:35,584
If you could folks
10
00:00:37,632 --> 00:00:40,192
What better way to spend your day right
11
00:00:40,448 --> 00:00:45,824
So that being said let's get at it let's get back to it and
our previous episode we were talking about Sakura
12
00:00:46,080 --> 00:00:47,360
Policies
13
00:00:47,616 --> 00:00:48,640
Continue on with that
14
00:00:49,920 --> 00:00:54,528
Security policy development how about that so we talked about
what a security policy is
15
00:00:54,784 --> 00:01:00,928
Now it's time to start looking at developing a security
policy of our own right
16
00:01:01,184 --> 00:01:03,488
What is it all about how do we how we do this break it down
for me Daniel
17
00:01:03,744 --> 00:01:04,768
Let's do it
18
00:01:07,072 --> 00:01:09,120
Never do that again
19
00:01:09,376 --> 00:01:14,240
Ec-council does
20
00:01:14,496 --> 00:01:18,336
Give you some proprietary steps of Lisa wood looks like
proprietary steps
21
00:01:18,592 --> 00:01:19,616
From what I can tell
22
00:01:19,872 --> 00:01:22,688
But still very very helpful when it comes to
23
00:01:22,944 --> 00:01:23,456
Creating us
24
00:01:25,760 --> 00:01:29,344
They start talking about types different types of
25
00:01:29,600 --> 00:01:30,368
Security policies
26
00:01:31,392 --> 00:01:31,904
Develop
27
00:01:32,928 --> 00:01:35,232
First one is
28
00:01:36,000 --> 00:01:36,512
So
29
00:01:37,280 --> 00:01:43,168
We all know what promiscuous mean network card totally you do
which means to
30
00:01:43,680 --> 00:01:44,704
Allow everything
31
00:01:45,728 --> 00:01:47,008
But want everything
32
00:01:47,264 --> 00:01:50,336
To come my way that's exactly right so
33
00:01:50,592 --> 00:01:53,408
When you have a promiscuous security policy
34
00:01:53,664 --> 00:01:55,200
It means it's really not
35
00:01:55,456 --> 00:01:57,760
I mean I don't know how this is a security policy be honest
with you
36
00:01:58,016 --> 00:01:59,296
I'm allowing everything
37
00:02:00,064 --> 00:02:02,880
So there is no security it's just
38
00:02:03,136 --> 00:02:03,648
Go for it
39
00:02:04,416 --> 00:02:07,744
But I guess it's there just labeling of it are an idea
of
40
00:02:08,000 --> 00:02:10,304
Or you don't really have your security policy is that
enough
41
00:02:11,072 --> 00:02:12,608
No respect
42
00:02:14,400 --> 00:02:15,936
Then we get into her missing
43
00:02:16,448 --> 00:02:17,984
Now we're starting to
44
00:02:18,240 --> 00:02:19,776
Get some ideas because permissive
45
00:02:20,032 --> 00:02:21,312
Allow at least it
46
00:02:21,824 --> 00:02:23,104
Give the idea
47
00:02:23,360 --> 00:02:24,128
Of that
48
00:02:24,384 --> 00:02:25,920
There are things that are allowed in things
49
00:02:26,176 --> 00:02:26,688
Games that are not
50
00:02:27,200 --> 00:02:28,992
And that's more of a Albert Russo
51
00:02:29,504 --> 00:02:30,016
Policy
52
00:02:30,528 --> 00:02:32,320
But there are things that are disallowed
53
00:02:34,112 --> 00:02:35,904
What is permissive
54
00:02:36,160 --> 00:02:38,208
It's only the known dangers
55
00:02:38,464 --> 00:02:39,744
That are disallowed
56
00:02:40,512 --> 00:02:41,280
I not think about that
57
00:02:42,048 --> 00:02:44,864
Is arnone age of things you know for certain
58
00:02:45,120 --> 00:02:45,888
AR
59
00:02:46,144 --> 00:02:47,424
Not good for your organs
60
00:02:49,216 --> 00:02:50,240
Now that's cool
61
00:02:52,032 --> 00:02:52,800
You don't know
62
00:02:53,824 --> 00:02:57,152
I saw this is obviously a policy that you're going to ARA
policy type
63
00:02:57,664 --> 00:02:59,200
It will have to reinvent the wheel
64
00:02:59,456 --> 00:03:00,224
On occasion
65
00:03:00,480 --> 00:03:02,784
To make sure that those known variables
66
00:03:03,040 --> 00:03:05,600
Are put in this kind of like blacklisting
67
00:03:06,624 --> 00:03:09,184
So you're blacklisting certain activities or
68
00:03:09,440 --> 00:03:10,720
Or connections or whatever
69
00:03:12,256 --> 00:03:14,048
And that's that's the the idea that
70
00:03:15,584 --> 00:03:16,096
Permissive
71
00:03:16,608 --> 00:03:17,120
Type of
72
00:03:20,448 --> 00:03:21,984
I need to tell you about that
73
00:03:22,240 --> 00:03:24,544
So these are our only known dangerous will be services
74
00:03:25,312 --> 00:03:26,080
Or behaviors
75
00:03:26,336 --> 00:03:28,640
I will be disallowed the things that you know are bad
76
00:03:28,896 --> 00:03:29,920
Don't leave the doors open
77
00:03:30,176 --> 00:03:31,968
And don't say you must lock
78
00:03:32,480 --> 00:03:35,296
You're filing cabinets if they're not locked then that's not
allowed
79
00:03:35,552 --> 00:03:36,064
Rancho
80
00:03:36,320 --> 00:03:37,856
Things that you know even even
81
00:03:38,112 --> 00:03:38,880
I'll Behavior
82
00:03:39,136 --> 00:03:40,160
Everything else
83
00:03:40,416 --> 00:03:40,928
Is allowed
84
00:03:41,440 --> 00:03:45,536
It's not specifically called out in the black list of things
that are bad for us
85
00:03:46,048 --> 00:03:48,352
Then I am free to roam about the cabin
86
00:03:48,608 --> 00:03:49,376
Okay
87
00:03:49,632 --> 00:03:51,680
And then of course this must be updated
88
00:03:54,752 --> 00:04:00,128
Yes which is kind of the opposite it's it's more like a white
listing
89
00:04:00,640 --> 00:04:01,152
Of
90
00:04:01,408 --> 00:04:02,432
No I'm good activity
91
00:04:02,688 --> 00:04:03,456
Please or behavior
92
00:04:05,248 --> 00:04:07,040
Isis, the opposite of
93
00:04:07,552 --> 00:04:08,320
Well we just talk
94
00:04:09,088 --> 00:04:14,464
Cancel or being prudent I know what's good for us so I asked
what I'm going to allow everything else
95
00:04:14,976 --> 00:04:15,744
Is this allowed
96
00:04:16,512 --> 00:04:20,351
Unify don't know about it so if you think that this activity
should be allowed
97
00:04:20,607 --> 00:04:23,167
You have to make a case for it bring it to us and then we
will
98
00:04:23,679 --> 00:04:24,191
Effect change
99
00:04:25,727 --> 00:04:26,239
Okay
100
00:04:28,287 --> 00:04:30,335
Usually involves a high-level vlogging
101
00:04:30,847 --> 00:04:34,687
So they were looking for things that we would want to allow
or disallow
102
00:04:34,943 --> 00:04:36,991
Probably on both ends of the spectrum
103
00:04:37,247 --> 00:04:40,575
Going on it is is this an activity we should allow for
104
00:04:40,831 --> 00:04:41,599
If we can't
105
00:04:42,111 --> 00:04:47,231
Monitor for that we can't look and see what activities are
happening give me a hard time for us to figure out
106
00:04:47,487 --> 00:04:50,815
What's going on with whitelisting that can be really really
tough
107
00:04:51,327 --> 00:04:54,911
And it's really just the idea of either an implicit
deny
108
00:04:57,215 --> 00:04:57,727
Allow in
109
00:04:58,751 --> 00:04:59,519
That would be
110
00:05:01,567 --> 00:05:06,431
Then there's the one that I can really appreciate paranoid
paranoid Android
111
00:05:06,687 --> 00:05:09,759
Paranoid is everything right or almost everything
112
00:05:10,527 --> 00:05:14,879
Either make myself remind or almost everything always
everything but for the most part
113
00:05:15,135 --> 00:05:16,159
Everything is just
114
00:05:16,415 --> 00:05:17,951
This is a non permissive environment
115
00:05:18,719 --> 00:05:19,231
At all
116
00:05:20,511 --> 00:05:21,023
Cuz everyone's office
117
00:05:21,791 --> 00:05:23,327
The World At Large want us dead
118
00:05:30,239 --> 00:05:31,263
Yasso
119
00:05:31,775 --> 00:05:35,103
That that is sometimes a necessary thing
120
00:05:35,359 --> 00:05:37,663
There might be extremely sensitive
121
00:05:38,175 --> 00:05:42,527
Systems are information or assets of some sort
122
00:05:43,807 --> 00:05:46,111
You just can't let anyone get their hands on
123
00:05:46,623 --> 00:05:48,671
And I'm thinking of things like government Secret
124
00:05:48,927 --> 00:05:51,487
That would probably be a very much so a
125
00:05:51,743 --> 00:05:53,535
Paranoid environment banking information
126
00:05:53,791 --> 00:05:56,095
You were alright and evenly even then
127
00:05:56,351 --> 00:05:58,911
Banking information is does have allowance
128
00:05:59,167 --> 00:06:02,239
Right so we could follow and apparently just depends on
it
129
00:06:02,495 --> 00:06:03,263
How deep
130
00:06:03,775 --> 00:06:05,567
The access controls go
131
00:06:06,079 --> 00:06:06,591
If there
132
00:06:08,895 --> 00:06:10,175
No access then yeah they would follow
133
00:06:10,431 --> 00:06:10,943
Paranoid
134
00:06:11,199 --> 00:06:12,223
Otherwise are probably Beyond
135
00:06:14,015 --> 00:06:14,527
Permissive
136
00:06:15,551 --> 00:06:16,319
Okay
137
00:06:16,831 --> 00:06:17,599
Everything is
138
00:06:17,855 --> 00:06:18,367
Disallowed
139
00:06:18,623 --> 00:06:20,927
You're right. Everything is just
140
00:06:21,695 --> 00:06:22,463
These known good fat
141
00:06:23,999 --> 00:06:27,583
So those are the four different types of ch
142
00:06:27,839 --> 00:06:29,119
Calls out specifically
143
00:06:29,375 --> 00:06:31,935
For your security policy development
144
00:06:32,191 --> 00:06:34,751
Whiskey was permissive prudent and paranoid
145
00:06:35,007 --> 00:06:35,519
What's ketosis
146
00:06:37,823 --> 00:06:39,103
Moving on don't forget about work
147
00:06:39,359 --> 00:06:41,919
Workplace privacy policy say that
148
00:06:42,175 --> 00:06:43,199
3 * 5
149
00:06:43,455 --> 00:06:46,271
That's not
150
00:06:48,319 --> 00:06:50,111
If you have them they will they will show up
151
00:06:50,367 --> 00:06:55,231
The song to do with employee PIR personally I'd personally
identifiable in
152
00:06:56,255 --> 00:07:02,399
What do we do with that are we are we Gathering that is that
something that we're in the business of doing what if you are in some sort of
Industry
153
00:07:02,655 --> 00:07:03,423
Organization
154
00:07:03,679 --> 00:07:06,495
You probably to some extent are gathering
155
00:07:08,031 --> 00:07:09,311
Your staff employees or whatever
156
00:07:11,615 --> 00:07:14,431
You don't just open the doors and anybody that wants to come
in and do stuff
157
00:07:14,943 --> 00:07:15,711
Is allowed
158
00:07:16,223 --> 00:07:17,247
Right you have
159
00:07:17,759 --> 00:07:18,783
You are
160
00:07:19,039 --> 00:07:21,599
I joined to this organization
161
00:07:21,855 --> 00:07:25,951
Through hiring or volunteering or whatever but there's a
official
162
00:07:26,463 --> 00:07:28,255
Relationship and partnership that data
163
00:07:29,279 --> 00:07:30,047
When that happens
164
00:07:30,303 --> 00:07:32,607
We have to be able to identify you as such
165
00:07:33,631 --> 00:07:36,191
That is what is involved with taking in
166
00:07:38,495 --> 00:07:39,007
From
167
00:07:40,543 --> 00:07:42,591
So is that comes to work for me I'm going to need things
like
168
00:07:42,847 --> 00:07:43,615
What is your name
169
00:07:46,431 --> 00:07:50,527
I might need Social Security number for financial purposes if
I'm going to pay him
170
00:07:50,783 --> 00:07:52,319
I need that okay let's write that down
171
00:07:52,575 --> 00:07:55,647
He's going to be putting a lot more information into
government forms that week
172
00:07:55,903 --> 00:07:57,439
That we actually hold
173
00:07:57,951 --> 00:07:58,719
And use
174
00:07:58,975 --> 00:08:00,511
Farrar Financial purposes
175
00:08:01,023 --> 00:08:03,583
What it contains his personal information things like this
so
176
00:08:04,351 --> 00:08:04,863
Number
177
00:08:05,119 --> 00:08:06,399
Things like his address
178
00:08:07,935 --> 00:08:10,239
A lot of different formations is age
179
00:08:10,751 --> 00:08:14,335
That could be used for nefarious purposes I want to
180
00:08:14,591 --> 00:08:16,639
Make sure that you understand if we are taking that
181
00:08:16,895 --> 00:08:18,175
We need to have a policy
182
00:08:18,687 --> 00:08:22,271
That sets out security to keep that information
183
00:08:23,039 --> 00:08:23,551
Confidential
184
00:08:25,599 --> 00:08:26,623
The availability to the
185
00:08:27,391 --> 00:08:29,695
The necessary bodies get access to it
186
00:08:30,719 --> 00:08:31,743
To all that CIA
187
00:08:33,279 --> 00:08:36,863
So as we move on we need to explain to our staff
188
00:08:37,119 --> 00:08:39,935
Why we are taking pii don't just
189
00:08:40,191 --> 00:08:42,751
Ask you if you are an employee should be asking
190
00:08:43,007 --> 00:08:45,311
So what is it that you need from this and why do you need
it
191
00:08:45,567 --> 00:08:47,359
And they should be happy to explain it to you
192
00:08:47,871 --> 00:08:49,407
Probably even making that information
193
00:08:49,663 --> 00:08:50,175
Unavailable
194
00:08:50,431 --> 00:08:51,199
There's some means
195
00:08:51,455 --> 00:08:52,735
Maybe an internet page
196
00:08:52,991 --> 00:08:54,015
Employee handbook
197
00:08:56,831 --> 00:08:58,367
Also you'll need to explain
198
00:08:58,623 --> 00:08:59,135
What
199
00:08:59,647 --> 00:09:00,415
You are gathering
200
00:09:01,183 --> 00:09:02,719
Don't keep this thing secret it's not
201
00:09:04,767 --> 00:09:05,535
We don't like Secret
202
00:09:06,559 --> 00:09:08,351
Only real Secrets but
203
00:09:08,607 --> 00:09:10,911
When you're taking information for me that's not something
I'm just
204
00:09:13,215 --> 00:09:14,751
I want to know why is your taking it
205
00:09:15,007 --> 00:09:15,775
What you're taking
206
00:09:16,287 --> 00:09:18,847
Do have to add a little bit of paranoid because that's
what
207
00:09:20,127 --> 00:09:22,943
And then we develop a policy around that that should
be
208
00:09:23,199 --> 00:09:24,223
Again disseminated
209
00:09:24,479 --> 00:09:26,527
To our users aurstaff whoever
210
00:09:26,783 --> 00:09:27,551
That they know
211
00:09:27,807 --> 00:09:29,087
This is why we're doing this
212
00:09:29,343 --> 00:09:31,647
This is what we're taking from you and these are the
security
213
00:09:35,231 --> 00:09:37,535
So also tell them what you do with it
214
00:09:39,071 --> 00:09:41,375
I'm were just storing it for financial purpose
215
00:09:44,703 --> 00:09:46,239
Maybe you work at a daycare center
216
00:09:46,495 --> 00:09:47,775
And yeah that background checks
217
00:09:48,287 --> 00:09:48,799
That information
218
00:09:51,615 --> 00:09:53,151
At for the sake of the workers and
219
00:09:55,455 --> 00:09:56,223
Let's see here
220
00:09:57,247 --> 00:09:58,271
Lemon what you collect
221
00:09:58,783 --> 00:09:59,551
If it all possible
222
00:09:59,807 --> 00:10:01,599
And you don't want to over grab
223
00:10:02,111 --> 00:10:02,879
What do you need that stuff
224
00:10:03,647 --> 00:10:05,439
You just some sort of like nosy Nelly
225
00:10:06,207 --> 00:10:07,743
You don't need a bunch of information on you
226
00:10:07,999 --> 00:10:08,767
I just need
227
00:10:09,023 --> 00:10:09,791
The bare minimums
228
00:10:10,047 --> 00:10:10,559
So just
229
00:10:10,815 --> 00:10:12,095
Try to stay out of the business
230
00:10:12,351 --> 00:10:12,863
Collecting
231
00:10:13,119 --> 00:10:14,911
Superfluous information
232
00:10:15,423 --> 00:10:15,935
About your employer
233
00:10:17,471 --> 00:10:19,007
I keep occurrence
234
00:10:19,263 --> 00:10:20,287
Don't let it fall out of date
235
00:10:20,543 --> 00:10:22,079
Because then it becomes irrelevant
236
00:10:23,103 --> 00:10:25,407
If you are gathering it you've got a reason for
Gathering
237
00:10:26,431 --> 00:10:28,479
And if the information is incorrect
238
00:10:28,735 --> 00:10:30,015
It defeats the purpose of gas
239
00:10:32,575 --> 00:10:36,927
Make sure the employees have access to it so if it is their
information
240
00:10:37,439 --> 00:10:38,719
So this is their file
241
00:10:39,231 --> 00:10:40,255
Now maybe
242
00:10:41,791 --> 00:10:46,143
Other things like reviews and things of that nature that
might not be something they have access to
243
00:10:46,655 --> 00:10:49,215
But their personal information their W-2s
244
00:10:49,727 --> 00:10:50,495
Other Financial in
245
00:10:51,775 --> 00:10:52,799
Formation about their person
246
00:10:53,055 --> 00:10:54,335
The company keeps
247
00:10:54,591 --> 00:10:56,383
That is identifiable for them
248
00:10:57,919 --> 00:10:58,687
Have access to
249
00:10:58,943 --> 00:11:01,759
And also welcome forget keep it secure
250
00:11:02,015 --> 00:11:03,295
I got in big letters
251
00:11:03,807 --> 00:11:04,319
He pits
252
00:11:04,831 --> 00:11:05,599
Cure exclamation
253
00:11:07,391 --> 00:11:12,511
Security is the name of this game we're doing here
254
00:11:14,047 --> 00:11:15,839
Certified ethical forget about it
255
00:11:16,863 --> 00:11:19,935
We are security might have people there for we need to be
in
256
00:11:20,703 --> 00:11:21,215
Insecurities
257
00:11:21,727 --> 00:11:23,007
Creating a security policy
258
00:11:23,263 --> 00:11:26,079
If you're not doing things if it's a hard file
259
00:11:26,335 --> 00:11:28,383
Put it in a filing cabinet that's Fireproof
260
00:11:29,151 --> 00:11:30,943
As good locking systems
261
00:11:31,455 --> 00:11:32,479
And keep them locked
262
00:11:32,735 --> 00:11:35,551
Keep them away or so maybe those fine systems go
263
00:11:35,807 --> 00:11:38,111
Behind a locked door not only are they locked with the doors
locked
264
00:11:38,623 --> 00:11:41,695
And only people in HR have access to her managers have access
to
265
00:11:42,207 --> 00:11:46,559
And then you have to create policies that say here are the
people that are supposed to have
266
00:11:46,815 --> 00:11:48,095
Access to the HR files
267
00:11:49,119 --> 00:11:49,631
And there you go
268
00:11:49,887 --> 00:11:50,399
Chainsaw
269
00:11:50,911 --> 00:11:53,215
Putting those security controls around this security
270
00:11:55,007 --> 00:11:55,519
Other steps
271
00:11:55,775 --> 00:12:01,919
Security policy creation yes and easy Council calls them out
for the ceh exam they have a specific order and
272
00:12:02,175 --> 00:12:03,199
I would like you to
273
00:12:03,455 --> 00:12:04,479
Know about and
274
00:12:04,735 --> 00:12:08,831
Get on then we all need some help in these Endeavors we
aren't born knowing this stuff
275
00:12:09,087 --> 00:12:11,135
And this is all convention right it's something that
276
00:12:11,391 --> 00:12:13,183
The security industry at Large
277
00:12:13,439 --> 00:12:14,207
Give me
278
00:12:14,463 --> 00:12:18,047
As devised in this is a based off of that idea
279
00:12:18,303 --> 00:12:21,375
Here we go take a look at my screen right here
280
00:12:21,631 --> 00:12:27,007
And we've got nine different steps for creating a security
policy
281
00:12:29,055 --> 00:12:30,591
First one is risk assessment
282
00:12:31,359 --> 00:12:32,383
You can't create
283
00:12:32,639 --> 00:12:33,919
An effective security policy
284
00:12:34,175 --> 00:12:35,711
If you don't know what the risks to your
285
00:12:37,503 --> 00:12:40,063
So it's very important that the first step that you do
286
00:12:40,319 --> 00:12:41,343
Is assess
287
00:12:41,599 --> 00:12:44,671
The landscape around you I'm take a look what are the
risks
288
00:12:44,927 --> 00:12:45,439
2R
289
00:12:45,695 --> 00:12:46,975
Systems and environment at Large
290
00:12:47,743 --> 00:12:49,535
Once you figure those out
291
00:12:49,791 --> 00:12:53,887
You'll be able to take the next few steps but until you do
your you're stuck
292
00:12:54,911 --> 00:12:57,727
First thing you need to do is perform some form of risk
assessment
293
00:12:57,983 --> 00:13:00,287
Even if it's rudimentary Enfamil just get the ball
rolling
294
00:13:00,799 --> 00:13:04,383
You can always come back and do a second draft on 3rd Drive
in Fords
295
00:13:04,639 --> 00:13:05,919
Up until your final draft
296
00:13:06,175 --> 00:13:07,967
Continually revising and maintaining
297
00:13:08,223 --> 00:13:10,015
Until you get there and you feel like you
298
00:13:10,271 --> 00:13:12,319
You've reached the station you've reached the mount
299
00:13:13,087 --> 00:13:15,391
You have a good security policy that you feel and
Compasses
300
00:13:18,463 --> 00:13:18,975
Security gold
301
00:13:19,231 --> 00:13:19,743
What you had in mind
302
00:13:21,535 --> 00:13:23,839
So make sure you do that risk assess
303
00:13:24,863 --> 00:13:28,703
Then you can use a lien on security standards and
Frameworks
304
00:13:28,959 --> 00:13:29,727
As guides
305
00:13:30,239 --> 00:13:34,591
To help you right you don't want to be Reinventing the wheel
if not if it's not necessary
306
00:13:35,103 --> 00:13:35,871
And in a lot of
307
00:13:36,127 --> 00:13:36,895
Organizations
308
00:13:37,151 --> 00:13:37,919
Businesses in industry
309
00:13:38,687 --> 00:13:39,455
Already have
310
00:13:39,967 --> 00:13:42,527
Set standards and Frameworks to help you do this
311
00:13:42,783 --> 00:13:46,879
So why not use them if they are a resource that are out there
Avail yourself of it
312
00:13:47,135 --> 00:13:47,647
And
313
00:13:47,903 --> 00:13:48,671
And grab ahold of
314
00:13:50,207 --> 00:13:51,743
Get management and staff
315
00:13:52,767 --> 00:13:53,535
So
316
00:13:54,303 --> 00:13:56,607
Worst thing you can do is think I got this
317
00:13:57,119 --> 00:14:00,191
I am the person that knows about security
318
00:14:00,447 --> 00:14:03,519
Therefore this is just on my Comedown heavy-handed ham-
fisted
319
00:14:04,031 --> 00:14:05,823
And Scooby my-way-or-the-highway
320
00:14:06,847 --> 00:14:10,431
With an iron fist that will rule the security
landscape
321
00:14:10,687 --> 00:14:14,015
That's a bad way to go.
322
00:14:14,271 --> 00:14:17,087
The one big promises is you have blind
323
00:14:17,855 --> 00:14:18,623
I don't care who you are
324
00:14:19,391 --> 00:14:20,159
You're going to miss something
325
00:14:20,927 --> 00:14:24,767
So a team is always helpful and a team that comes from
varying
326
00:14:25,023 --> 00:14:27,071
Different areas of your organization
327
00:14:27,839 --> 00:14:28,351
Perspective
328
00:14:29,119 --> 00:14:34,751
Perspective is very helpful because they'll be able to tell
you all that control won't work because we do x y and z
329
00:14:35,007 --> 00:14:37,055
That will stop that from happening that's mission-
critical
330
00:14:37,823 --> 00:14:38,847
Oii
331
00:14:39,103 --> 00:14:40,383
I know you did that
332
00:14:41,407 --> 00:14:44,991
Okay so you need those different perspective
333
00:14:45,247 --> 00:14:47,295
So I definitely Management's
334
00:14:47,551 --> 00:14:48,575
Because
335
00:14:48,831 --> 00:14:49,343
But their manager
336
00:14:49,599 --> 00:14:53,183
Tried the kind of run the show they make things happen there
that the grease in the wheel
337
00:14:54,463 --> 00:14:55,999
Staff input is great because
338
00:14:56,255 --> 00:14:57,023
Are the boots on the ground
339
00:14:57,535 --> 00:14:59,327
Either the people in the trenches everyday
340
00:14:59,839 --> 00:15:03,679
That these security policies and controls and which we
implement
341
00:15:03,935 --> 00:15:04,703
Will affect them
342
00:15:05,471 --> 00:15:06,751
We want to make sure
343
00:15:09,823 --> 00:15:10,847
They help to their job
344
00:15:11,103 --> 00:15:12,127
Sometimes
345
00:15:12,639 --> 00:15:14,175
It just happens where
346
00:15:14,687 --> 00:15:18,015
This is an unacceptable risk we must put a controlling
place
347
00:15:18,527 --> 00:15:20,063
And yes it will make your job more difficult
348
00:15:21,087 --> 00:15:22,879
And we understand that we apologize
349
00:15:24,159 --> 00:15:26,463
The implications of a data breach
350
00:15:26,719 --> 00:15:30,303
Through this mechanism through the the function that you
perform here
351
00:15:30,559 --> 00:15:31,327
An organization
352
00:15:31,583 --> 00:15:32,607
Is so
353
00:15:33,631 --> 00:15:34,655
Devastating to us
354
00:15:34,911 --> 00:15:36,191
That you would be out of a job
355
00:15:36,703 --> 00:15:37,727
If we don't do
356
00:15:38,495 --> 00:15:44,127
Okay so it it sounds more so that's the kind of thing you
need to get that from your user base can you get that buy-in from your
manager
357
00:15:45,151 --> 00:15:48,479
I think need to understand that you're not doing this just
make allies
358
00:15:48,991 --> 00:15:49,759
You're doing it
359
00:15:50,015 --> 00:15:56,159
To help increase the security so that the organization
flourishes and prosperous and doesn't get data breaches
360
00:15:56,671 --> 00:15:58,463
And all the ramifications thereof
361
00:15:58,975 --> 00:16:02,559
Alright so that is what you need to do when it comes to
getting mansion
362
00:16:03,839 --> 00:16:04,607
Once you have that
363
00:16:04,863 --> 00:16:05,631
Chicago
364
00:16:06,143 --> 00:16:08,959
You need to be able to enforce the policy is an hour moving
out here
365
00:16:09,215 --> 00:16:09,727
Force policy
366
00:16:09,983 --> 00:16:12,031
Use penalties for non-compliance with necessary
367
00:16:12,543 --> 00:16:14,335
And a lot of times it is
368
00:16:14,591 --> 00:16:16,639
There's no real repercussions
369
00:16:17,151 --> 00:16:17,663
4
370
00:16:17,919 --> 00:16:18,431
Not being
371
00:16:20,479 --> 00:16:21,247
What you going to do
372
00:16:22,015 --> 00:16:23,807
So you need to make those
373
00:16:24,319 --> 00:16:26,879
Known to the company a large organization at Large
374
00:16:27,391 --> 00:16:29,183
If you do not follow
375
00:16:29,439 --> 00:16:30,463
These security procedure
376
00:16:32,255 --> 00:16:33,023
Compliance
377
00:16:33,535 --> 00:16:34,303
Keep us legally
378
00:16:34,559 --> 00:16:38,143
Ensure they keep us regulatory with a government body
379
00:16:38,399 --> 00:16:39,423
Whatever the case
380
00:16:39,679 --> 00:16:41,727
We've created you know even though it is just
381
00:16:41,983 --> 00:16:44,287
Comes down from on high and CEO of the company said
382
00:16:44,543 --> 00:16:48,127
He wants to increase security we've developed a security
policy you must follow it
383
00:16:48,383 --> 00:16:50,175
Listen to write their checks
384
00:16:53,759 --> 00:16:57,855
Authority before and
385
00:16:58,111 --> 00:17:04,255
Yui Auto
386
00:17:04,511 --> 00:17:05,279
Experian
387
00:17:06,559 --> 00:17:09,375
So there must be a penalty in some way
388
00:17:09,887 --> 00:17:10,399
Shape or form
389
00:17:10,911 --> 00:17:12,191
A negative repercussions
390
00:17:12,703 --> 00:17:13,215
4
391
00:17:13,727 --> 00:17:15,007
Not following being uncle
392
00:17:16,799 --> 00:17:17,567
That's how we enforce
393
00:17:18,847 --> 00:17:22,687
Then once we're all done we have a final draft ready to go we
publish it
394
00:17:22,943 --> 00:17:23,711
To everyone
395
00:17:23,967 --> 00:17:25,247
We make sure they've read it
396
00:17:25,503 --> 00:17:28,063
Maybe do digitally sign documents if your
397
00:17:28,319 --> 00:17:29,599
Disseminated them digitally
398
00:17:30,111 --> 00:17:32,671
Mckeithen available on an Internet site or
399
00:17:33,183 --> 00:17:34,207
Via
400
00:17:34,463 --> 00:17:38,815
KO I can e-mail or an attachment or something always just
request it and we'll give you a copy
401
00:17:40,607 --> 00:17:45,983
It needs to be available because here's what invariably
habits you write this wonderful security policy
402
00:17:46,495 --> 00:17:47,007
It's cover
403
00:17:47,263 --> 00:17:48,287
Every last thing
404
00:17:48,543 --> 00:17:54,687
And nobody knows about it they have no idea where to get to
it how to get to it what it says or even though I know it's
405
00:17:54,943 --> 00:17:58,015
Read it so and whatever I'm pretty sure I know what to
do
406
00:17:58,271 --> 00:17:59,807
And then they do something that violates it
407
00:18:00,063 --> 00:18:01,855
And now they're subject to the sanctions
408
00:18:03,135 --> 00:18:09,279
Maybe they're getting fired maybe they're getting you no
wages doc maybe they lose vacation time whatever it is that you use
409
00:18:10,047 --> 00:18:11,071
A formal write-up
410
00:18:11,583 --> 00:18:12,863
You get three of those and you're gone
411
00:18:17,727 --> 00:18:19,775
But it is our responsibility to make sure
412
00:18:20,031 --> 00:18:21,055
That they do have that access
413
00:18:21,567 --> 00:18:22,079
I can't find it
414
00:18:22,591 --> 00:18:24,383
And then we have directed it to him and we have been
415
00:18:24,639 --> 00:18:26,687
Neon blinking signs going
416
00:18:26,943 --> 00:18:29,247
Here is the security policy
417
00:18:29,759 --> 00:18:33,343
Read That's & Science dinosaur
418
00:18:34,623 --> 00:18:35,903
Very important part right
419
00:18:36,415 --> 00:18:42,047
I've also read and sign that they understood
420
00:18:42,303 --> 00:18:45,375
We just got here
421
00:18:46,655 --> 00:18:49,471
Reading it is great but I need to make sure that you've
understood his
422
00:18:50,495 --> 00:18:51,007
If I don't
423
00:18:51,263 --> 00:18:52,543
Zack and come to bingo
424
00:18:52,799 --> 00:18:54,079
I didn't notice what that means
425
00:18:54,847 --> 00:18:56,383
Will you sign the thing
426
00:19:07,135 --> 00:19:09,183
Then we want to avoid those situations
427
00:19:09,439 --> 00:19:13,279
I'm not looking for trying to call the herd of bad employees
even though a problem
428
00:19:13,535 --> 00:19:14,303
We will do that
429
00:19:15,071 --> 00:19:15,583
But
430
00:19:16,095 --> 00:19:19,167
If I'd known that you read and signed it I've got it right
here in black and white
431
00:19:19,423 --> 00:19:21,215
You can't try to pull the wool over my eyes
432
00:19:21,471 --> 00:19:21,983
So you haven't done it
433
00:19:22,495 --> 00:19:25,823
And then employee we're going to go number 7 here employee
tools
434
00:19:26,079 --> 00:19:27,103
Help enforce
435
00:19:27,359 --> 00:19:27,871
The policy
436
00:19:28,383 --> 00:19:29,663
And this is going to be found in very soon
437
00:19:29,919 --> 00:19:32,223
Underway so whatever the case is Maybe
438
00:19:32,479 --> 00:19:33,503
Through digital suits
439
00:19:34,271 --> 00:19:36,063
You going to a website you click a check mark
440
00:19:36,319 --> 00:19:37,599
Whatever the case is
441
00:19:38,367 --> 00:19:38,879
Find some
442
00:19:39,647 --> 00:19:40,159
Or
443
00:19:40,415 --> 00:19:42,207
Ensuring that that has been done monitoring something
444
00:19:43,999 --> 00:19:45,535
Engagement staff training
445
00:19:46,047 --> 00:19:49,887
It's because they say and read and have signed that they
understood doesn't actually
446
00:19:50,399 --> 00:19:51,423
Necessarily
447
00:19:53,471 --> 00:19:53,983
Rantso
448
00:19:55,007 --> 00:19:59,615
Backing all this up with some training is a very useful and
beneficial thing
449
00:20:00,639 --> 00:20:01,151
Do
450
00:20:01,407 --> 00:20:03,455
That way we know for certain and we ask questions
451
00:20:03,711 --> 00:20:06,271
I didn't know that's what that meant I thought I meant
this
452
00:20:06,527 --> 00:20:07,551
Great now we've clarify
453
00:20:08,319 --> 00:20:11,647
It's a great way to clarify and know that all of our
staff
454
00:20:11,903 --> 00:20:14,719
I've had an opportunity to answer any questions they have
about the
455
00:20:15,743 --> 00:20:17,279
Understand how it's going to work week
456
00:20:17,535 --> 00:20:19,071
Show it in real-time and implemented
457
00:20:19,583 --> 00:20:21,631
They can see it in effect pragmatically
458
00:20:23,167 --> 00:20:24,191
So it's always a good idea
459
00:20:24,447 --> 00:20:24,959
Staff training
460
00:20:25,215 --> 00:20:27,519
Regularly review and update
461
00:20:28,543 --> 00:20:30,847
Because invariably and inevitably
462
00:20:31,359 --> 00:20:32,127
They go out of date
463
00:20:33,407 --> 00:20:35,711
Things change we bring in new things we
464
00:20:35,967 --> 00:20:37,247
Retire old things
465
00:20:37,503 --> 00:20:40,831
And that changes the landscape of our business and our
organization
466
00:20:43,135 --> 00:20:45,951
Go back to the drawing board see what's working see what's
not
467
00:20:46,463 --> 00:20:50,559
Make some customizations maybe make some changes maybe do
some wholesale removal
468
00:20:52,351 --> 00:20:57,983
That security policy maybe create a whole new security policy
based off of what the landscape looks like now as it has evolved
469
00:20:58,495 --> 00:20:59,007
Into something
470
00:21:00,543 --> 00:21:04,127
So that are are those are the security policy creation
steps
471
00:21:04,383 --> 00:21:05,919
That are laid out by
472
00:21:06,175 --> 00:21:08,735
Chinese counsel for the ceh V10 exam
473
00:21:08,991 --> 00:21:10,015
Looking at our clock
474
00:21:10,527 --> 00:21:12,575
A great spot for us to take another stop
475
00:21:14,623 --> 00:21:20,768
Hacking security controls part 3 will be coming your way make
sure you see Parts 1 2 and 3
476
00:21:21,024 --> 00:21:23,072
And make sure you see everything is ceh V10
477
00:21:23,328 --> 00:21:26,656
The dentist put together for you that'll help you with that
exam rules around big-time
478
00:21:27,168 --> 00:21:33,056
I just remembered
479
00:21:33,312 --> 00:21:35,872
Just for for the sake of
480
00:21:36,128 --> 00:21:36,640
It kind of goes
481
00:21:36,896 --> 00:21:43,040
Is HR what their job is you don't need to know that if you
are in the HR like what
482
00:21:44,064 --> 00:21:44,576
Asian 30s
483
00:21:44,832 --> 00:21:45,344
When it comes to the secure
484
00:21:45,600 --> 00:21:51,744
This really quickly it is to publish the policy that's that's
part of HRS position to do the training for the info
485
00:21:52,512 --> 00:21:55,328
Make sure that happens that falls under their
responsibilities
486
00:21:55,584 --> 00:21:59,936
Also to answer questions about the pasta all those things we
just talked about those are the duties
487
00:22:00,192 --> 00:22:01,216
Under HR
488
00:22:02,240 --> 00:22:03,520
And of course monitor
489
00:22:03,776 --> 00:22:08,128
Then we have legal you might have a legal team and I would
highly recommend it
490
00:22:08,384 --> 00:22:09,920
If you can if you do have the minions
491
00:22:10,176 --> 00:22:15,552
I highly recommend
492
00:22:16,320 --> 00:22:19,648
And they make sure that no laws are being violated by the
policy
493
00:22:20,160 --> 00:22:20,928
That's probably
494
00:22:22,208 --> 00:22:25,792
Even inadvertently you might inadvertently violating some law
or maybe some
495
00:22:26,048 --> 00:22:26,560
White
496
00:22:27,328 --> 00:22:28,608
Like a citizen rights
497
00:22:28,864 --> 00:22:29,888
Human rights
498
00:22:30,144 --> 00:22:32,960
Maybe not in the worst way possible but in some way
499
00:22:33,216 --> 00:22:34,496
You could be violating a law
500
00:22:34,752 --> 00:22:36,288
Having legal look over
501
00:22:36,544 --> 00:22:38,336
Those things.
502
00:22:39,104 --> 00:22:41,152
Keep you out of that legal hot water and that's always a nice
day
503
00:22:41,920 --> 00:22:43,456
Okay now I'm done for this episode
504
00:22:44,480 --> 00:22:47,552
Good catch Daniel intro to ethical hacking security controls
part
505
00:22:47,808 --> 00:22:50,112
Three is coming your way this been part 2 in once
again
506
00:22:50,368 --> 00:22:53,440
Ceh V10 great series of Daniel's put together for you
507
00:22:53,952 --> 00:22:58,560
Make sure you want it'll help me with that exam rolls
around
508
00:23:00,096 --> 00:23:06,240
Library with this thousands of hours of complementary
information it's there to help you go even further so checked out
509
00:23:07,264 --> 00:23:13,408
I told her you know but I see Brody vippro TV is binge-worthy
thanks for watching him he will see you again
510
00:23:20,576 --> 00:23:21,344
Thank you for watching

1.32 - Intro To Ethical Hacking - Security Controls Part 2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

1.32 - Intro To Ethical Hacking - Security Controls Part 2

Uploaded by

Copyright:

Available Formats

1

00:00:00,256 --> 00:00:02,304

You might also like