WEBVTT

00:01.680 --> 00:02.760
- Alright.

00:02.760 --> 00:04.523
Module C.

00:06.630 --> 00:09.493
Okay, let's see, pick out some stuff here.

00:13.212 --> 00:15.496
Alright, segmenting networks,

00:15.496 --> 00:18.840
they're talking about overall
just securing networks.

00:18.840 --> 00:20.620
So one of the ways you
can secure a network

00:20.620 --> 00:22.570
is to create different
segments for different types

00:22.570 --> 00:23.630
of things.

00:23.630 --> 00:27.640
So they talk again about
you know, excuse me,

00:27.640 --> 00:29.280
collision domains.

00:29.280 --> 00:31.081
We talked about that yesterday,

00:31.081 --> 00:33.820
talking about the idea of you know,

00:33.820 --> 00:38.670
multiple multiple clients on a hub,

00:38.670 --> 00:41.530
they all send traffic, there's collisions

00:41.530 --> 00:42.550
and all that other fun stuff,

00:42.550 --> 00:45.789
and that's why you want to
get switches instead of hubs.

00:45.789 --> 00:46.950
You can't even find a hub now actually.

00:46.950 --> 00:48.670
Most people you try to
find a hub will say oh

00:48.670 --> 00:51.590
this is a hub, it's not,
it's really a switch, but.

00:51.590 --> 00:53.671
Broadcast domains, what networking device

00:53.671 --> 00:56.343
is used to separate broadcast domains?

00:58.330 --> 00:59.393
Router nope.

01:01.410 --> 01:03.210
Let's see, VPNs we've talked about.

01:10.310 --> 01:14.010
Securing network data, so
we're gonna talk a lot about

01:14.010 --> 01:17.300
this in a different way, but tomorrow,

01:17.300 --> 01:19.957
talking about identifying
sensitive data, right?

01:19.957 --> 01:22.783
You got to know what
that is, where it's kept.

01:23.920 --> 01:25.330
You guys obviously have a lot of stuff

01:25.330 --> 01:28.219
here with the DOD in terms
of secret, top secret

01:28.219 --> 01:31.793
and all kinds of SEI stuff et cetera.

01:33.739 --> 01:35.580
The use of secure protocol,
we've talked a lot about that,

01:35.580 --> 01:40.580
like the HTTPS, SFTP, and
now apparently TPS as well.

01:42.689 --> 01:44.910
We also have to worry about
potentially regulations,

01:44.910 --> 01:47.460
especially in the private
sector when you're talking about

01:47.460 --> 01:50.723
things like PII and PHI,
and what things have to be

01:50.723 --> 01:52.083
protected.

01:54.310 --> 01:56.150
I think later on we talk about DLP.

01:56.150 --> 01:57.580
Are you guys familiar with DLP?

01:57.580 --> 01:59.941
Data leak prevention,
sometimes it's called

01:59.941 --> 02:04.390
data loss prevention,
but we'll talk about DLP.

02:04.390 --> 02:06.240
I think it comes up a little bit later.

02:06.240 --> 02:08.270
It's kind of an interesting area.

02:08.270 --> 02:10.020
You can do some cool stuff
with it but it definitely

02:10.020 --> 02:13.410
helps when you're
worrying about sending out

02:14.351 --> 02:15.750
or accidentally, it doesn't
even have to be maliciously,

02:15.750 --> 02:19.193
but accidentally sending out
PII or anything like that.

02:21.120 --> 02:22.897
Alright, no you don't need
to memorize all of this crap.

02:22.897 --> 02:27.897
It should be pretty
straightforward as far as when

02:29.640 --> 02:32.260
you're talking about post
systems and securing those.

02:32.260 --> 02:33.390
What are the things that you want to do?

02:33.390 --> 02:34.840
What are the best practices, right?

02:34.840 --> 02:36.030
You want to make sure
that you're up to date

02:36.030 --> 02:38.470
on patches as much as you can be,

02:38.470 --> 02:40.460
performing any updates.

02:40.460 --> 02:42.210
There are services that are running on it

02:42.210 --> 02:43.960
that you're not using, shut them down.

02:43.960 --> 02:45.220
It's the same thing as a firewall.

02:45.220 --> 02:48.260
You don't just open up crap for no reason.

02:48.260 --> 02:51.650
Use of firewalls, anti
malware softwares such as like

02:51.650 --> 02:54.070
Malwarebytes would be a good one.

02:54.070 --> 02:56.460
You don't want to have accounts
that aren't being used.

02:56.460 --> 02:57.912
You want to disable guest accounts,

02:57.912 --> 03:00.500
don't have that kind of stuff.

03:00.500 --> 03:02.550
Disable insecure remote login,

03:02.550 --> 03:04.330
make sure that somebody's remoting in,

03:04.330 --> 03:05.880
you know who they are.

03:05.880 --> 03:10.090
Use two factor authentication
or even multifactor

03:10.090 --> 03:12.880
authentication using types one, type two,

03:12.880 --> 03:16.663
and type three authentication.

03:18.670 --> 03:20.319
Have procedures written for on boarding

03:20.319 --> 03:21.810
and off boarding people.

03:21.810 --> 03:23.180
You know, when they come on board,

03:23.180 --> 03:24.130
what do they have to go through,

03:24.130 --> 03:26.097
when they leave, what do you do?

03:27.170 --> 03:30.000
I talked about this, we kind
of go in here too though,

03:30.000 --> 03:33.212
but the idea of least
privilege when you're talking

03:33.212 --> 03:35.260
about somebody and
doing permission reviews

03:35.260 --> 03:37.730
if they happen to get
promoted into different

03:37.730 --> 03:41.100
jobs, you don't just keep
adding permissions to it.

03:41.100 --> 03:42.920
You want to make sure
whatever they have is

03:42.920 --> 03:44.830
what they need, and
they don't have any more

03:44.830 --> 03:45.663
than they need.

03:48.600 --> 03:50.650
Securing infrastructure.

03:50.650 --> 03:55.650
Okay, we're gonna talk about,
firmware up to date firmware.

03:58.921 --> 04:01.640
The interfaces, management
interfaces, right?

04:01.640 --> 04:05.490
Make sure you don't have,
you don't leave like domain,

04:05.490 --> 04:09.724
excuse me, admin passwords as defaults.

04:09.724 --> 04:11.443
Whatever they happen to be, change those.

04:15.140 --> 04:17.300
Router and switch security,
okay we talked about

04:17.300 --> 04:18.853
MAC filtering quite a bit.

04:19.820 --> 04:21.999
That's a good one, DHCP snooping.

04:21.999 --> 04:25.410
That's a good thing.

04:25.410 --> 04:27.330
I don't think I know what that is.

04:27.330 --> 04:28.910
Can you see anything in your book,

04:28.910 --> 04:31.382
does it have like a
highlighter or a bold face

04:31.382 --> 04:33.077
or anything?

04:33.077 --> 04:37.327
I'd be interested in knowing
what DHCP snooping is.

04:40.670 --> 04:42.914
- [Student] It just says
enables DHCP snooping

04:42.914 --> 04:46.767
to protect against malicious DHCP traffic

04:46.767 --> 04:48.840
that just ruins servers.

04:48.840 --> 04:51.340
- Yeah, okay, I never
heard that term before,

04:51.340 --> 04:56.290
but yeah I guess there's
a rogue server out there

04:56.290 --> 04:58.920
getting IP addresses
and giving them out even

04:58.920 --> 05:01.400
would be even worse.

05:01.400 --> 05:02.250
Never heard that.

05:04.180 --> 05:05.860
It says use strong encryption for WAN

05:05.860 --> 05:08.900
and VPN connections, we know
a lot about encryption now

05:08.900 --> 05:10.403
so I think you're good there.

05:11.460 --> 05:14.073
Perimeter security, alright.

05:15.650 --> 05:17.247
Same thing is repeated here.

05:17.247 --> 05:20.060
Open only necessary ports, right.

05:20.060 --> 05:24.023
Don't use insecure protocols.

05:24.970 --> 05:27.218
Minimize value of perimeter
and bastion hosts.

05:27.218 --> 05:29.720
What was a bastion host?

05:29.720 --> 05:31.926
It's a host that's behind what?

05:31.926 --> 05:34.420
Behind some kind of firewall, right,

05:34.420 --> 05:36.069
a filtering device of some kind.

05:36.069 --> 05:38.690
A firewall is fine.

05:38.690 --> 05:41.790
Ensure strong firewalls
between DMZ and interior.

05:41.790 --> 05:45.113
How do you create a DMZ, what's required?

05:45.113 --> 05:48.270
Yep, you got it.

05:48.270 --> 05:49.620
I got that, front and back.

05:52.340 --> 05:54.563
Monitoring, it's normal.

05:56.010 --> 05:59.290
Alright, we've talked about securing WAPs,

05:59.290 --> 06:01.730
wireless access points.

06:01.730 --> 06:03.743
Let's see, strong encryption we know,

06:05.366 --> 06:08.103
disable WPS, what's the other
one that you shouldn't use?

06:11.082 --> 06:14.665
The other encryption
protocol from wireless

06:16.011 --> 06:16.844
that is no go.

06:16.844 --> 06:17.677
WEP, remember WEP?

06:17.677 --> 06:19.210
Don't use WEP, don't use WPS.

06:19.210 --> 06:21.073
802.1X is what?

06:23.750 --> 06:26.963
Say port level securities,
yeah port security, good.

06:27.810 --> 06:29.850
VPNs we've talked about.

06:29.850 --> 06:31.680
What is the SSID?

06:31.680 --> 06:34.193
I didn't mention that, I
thought you would know it but.

06:35.520 --> 06:38.280
So service set identifier I
think is what it stands for,

06:38.280 --> 06:40.113
but it's basically the network name.

06:41.620 --> 06:45.010
And it says disable SSID
broadcast and use MAC filtering

06:45.010 --> 06:45.900
for private networks,

06:45.900 --> 06:49.100
so if you don't disable the broadcast,

06:49.100 --> 06:50.490
that means it's always sending out.

06:50.490 --> 06:52.080
Like if you go to your
phone and say what networks

06:52.080 --> 06:53.930
are around here, it's
picking up all the ones

06:53.930 --> 06:55.391
that are broadcasting hey I'm here.

06:55.391 --> 06:56.949
What they're saying is
for a private network

06:56.949 --> 06:58.530
that you don't want people doing that,

06:58.530 --> 07:01.283
go ahead and turn off the SSID broadcast.

07:01.283 --> 07:02.657
That way they have to know
the name of the network.

07:02.657 --> 07:04.762
That doesn't mean they can't find it.

07:04.762 --> 07:07.087
It's just one more thing to do,

07:07.087 --> 07:08.520
but that means they
have to know the name of

07:08.520 --> 07:10.230
the network to be able to find it.

07:10.230 --> 07:11.830
And MAC filtering, what is that?

07:13.048 --> 07:16.451
Well it's a form of access control,

07:16.451 --> 07:18.250
but what is the MAC filtering.

07:18.250 --> 07:19.650
What are we talking about filtering out?

07:19.650 --> 07:21.360
What is the MAC?

07:21.360 --> 07:24.313
I heard it somewhere.

07:26.180 --> 07:28.320
Layer two, yeah, it's the
media access control right?

07:28.320 --> 07:31.903
It's the burned in hardware
address on the NIC.

07:38.580 --> 07:42.253
Guest networks, yeah
separate, got that, configure,

07:43.270 --> 07:44.800
captive portals are nothing more than

07:44.800 --> 07:46.580
just you know, somebody goes into a web,

07:46.580 --> 07:48.883
they go into web browser
and they basically

07:48.883 --> 07:53.860
get greeted with a page
saying if you want to go

07:53.860 --> 07:56.460
any further, you have to
supply certain credentials.

07:58.530 --> 08:00.340
You can usually get
those from the admin or

08:00.340 --> 08:01.290
somebody like that.

08:02.570 --> 08:03.713
Oh, that was quick.

08:06.530 --> 08:10.190
Alright, a perimeter network
needs most of the same security

08:10.190 --> 08:12.551
precautions as a trusted network,

08:12.551 --> 08:14.480
just with a few extra concerns.

08:14.480 --> 08:15.570
Well sure, why not?

08:15.570 --> 08:17.620
I don't know what they're gonna say, but.

08:19.160 --> 08:21.350
Yeah I mean it can't
hurt, so I don't know,

08:21.350 --> 08:22.683
I'm gonna go with true.

08:22.683 --> 08:23.563
Alright.

08:27.480 --> 08:29.570
Has stricter host level, I
don't even know what they're

08:29.570 --> 08:30.403
saying.

08:32.638 --> 08:33.930
- [Student] It's supposed to be true?

08:33.930 --> 08:36.518
- Yeah, I said true too but I don't.

08:36.518 --> 08:39.530
Well, I haven't gotten there yet.

08:39.530 --> 08:41.471
It's a safe assumption
that an attacker with

08:41.471 --> 08:44.399
physical access to a system can compromise

08:44.399 --> 08:47.493
any other security measures given time.

08:48.950 --> 08:51.078
Probably, I would say if
you have physical access

08:51.078 --> 08:53.819
you can probably turn off
all the other shit, right?

08:53.819 --> 08:58.350
So yeah, or I can take
a sledgehammer and just

08:58.350 --> 09:00.583
destroy your crap, so.

09:04.960 --> 09:07.750
Alright, what's the most
essential tool for segmenting,

09:07.750 --> 09:09.850
oh we already, somebody already said this.

09:10.793 --> 09:14.263
Routers, yes.

09:17.970 --> 09:21.050
What feature primarily
helps to protect against

09:21.050 --> 09:22.803
denial of service attacks?

09:23.690 --> 09:26.960
Okay, authentication,
DMZ, loop protection,

09:26.960 --> 09:28.718
oh that's funny, okay.

09:28.718 --> 09:32.930
I mean it's got to be
C, but it's so funny.

09:32.930 --> 09:36.160
I don't know that I would
consider that an attack

09:36.160 --> 09:37.920
'cause if it's a loop it's not something

09:37.920 --> 09:39.092
that somebody is doing to you,

09:39.092 --> 09:41.922
it's something that
happens because you're not

09:41.922 --> 09:46.922
using like, you're not using
STP, but okay, good enough.

09:48.520 --> 09:50.990
And flood guard, oh yeah,
I forgot about that one.

09:50.990 --> 09:52.100
Now flood guard makes sense.

09:52.100 --> 09:54.110
Remember we talked about an attack,

09:54.110 --> 09:55.470
there was a denial of service attack

09:55.470 --> 09:59.260
called SYN flood?

09:59.260 --> 10:01.123
How did SYN flood work?

10:07.931 --> 10:09.772
Now wait a minute, I take
that back, I know I did.

10:09.772 --> 10:11.663
Who put money on it?

10:12.827 --> 10:17.590
Yeah, so SYN flood is
where I told you that yeah,

10:17.590 --> 10:20.287
somebody sends a whole
bunch of TCP SYN requests,

10:20.287 --> 10:22.970
like 10,000, that's right, I said hey,

10:22.970 --> 10:23.930
we want to talk to you.

10:23.930 --> 10:24.763
- [Student] Is the thing that

10:24.763 --> 10:26.180
everything responds back to it.

10:26.180 --> 10:29.490
- No that was smurf, that's
a little bit different.

10:29.490 --> 10:32.155
That's an ICMP, that's
a reflective attack.

10:32.155 --> 10:35.794
The SYN flood is me just
getting a whole bunch of

10:35.794 --> 10:38.930
connection requests to a single system,

10:38.930 --> 10:40.290
so I just send a whole
bunch of requests and

10:40.290 --> 10:41.573
it just can't handle it.

10:41.573 --> 10:44.789
It could come from different
systems, that's true.

10:44.789 --> 10:47.223
It could be a distributed
denial like that,

10:47.223 --> 10:49.181
but it could also just be
one big powerful system

10:49.181 --> 10:51.490
sending a whole bunch of requests,

10:51.490 --> 10:53.593
and eventually they DoS 'em.

10:56.460 --> 10:58.600
If there are two firewalls
between the internet

10:58.600 --> 11:00.088
and the interior network,
they should be from

11:00.088 --> 11:01.732
different vendors.

11:01.732 --> 11:04.902
What a stupid ass question, sorry.

11:04.902 --> 11:06.965
That is ridiculous, okay.

11:06.965 --> 11:09.543
Should be, should is a very strong word.

11:09.543 --> 11:12.934
Could be, and if you want
say in an ideal situation

11:12.934 --> 11:16.126
and thinking about
defense in depth, okay,

11:16.126 --> 11:18.799
but I get it.

11:18.799 --> 11:21.537
They're probably gonna say true, yeah.

11:21.537 --> 11:24.356
So I get that, I don't
know that the should,

11:24.356 --> 11:25.703
should's a strong word.

11:25.703 --> 11:29.068
- [Student] They explained
it that way to us early on

11:29.068 --> 11:30.900
about the firewall.

11:30.900 --> 11:33.493
- [Lecturer] Yeah, what's that?

11:33.493 --> 11:34.326
- [Student] Yeah, in an ideal world.

11:34.326 --> 11:35.570
- Yeah, in an ideal world right?

11:38.826 --> 11:39.790
But when some vendors practically
giving away their shit

11:39.790 --> 11:41.443
so you'll buy a lot of it,
and then you pretty much

11:41.443 --> 11:42.943
just do it that way.

11:43.940 --> 11:46.020
What security feature
is especially important

11:46.020 --> 11:48.980
for preventing rogue
devices on the network?

11:48.980 --> 11:51.793
So rogue device means
somebody just plugs in.

11:51.793 --> 11:52.626
Yeah, there you go.

11:52.626 --> 11:55.975
Oh here's a follow on question
that I didn't talk about

11:55.975 --> 11:57.757
was to see if you know what it is.

11:57.757 --> 12:01.270
So yes, that rogue device,
and I told you I plugged

12:01.270 --> 12:04.380
in one time, it was like General Dynamics

12:04.380 --> 12:05.550
or somebody like that, and
they were like get your shit

12:07.288 --> 12:08.601
off our stuff, 'cause
of port level security.

12:08.601 --> 12:10.870
What is the name, what is
the three letter acronym

12:10.870 --> 12:14.195
for the part for the
solution in technology

12:14.195 --> 12:18.503
for that, for port security?

12:19.380 --> 12:21.619
Yeah, kind of what monitors
it and can then isolate

12:21.619 --> 12:26.072
and can quarantine and stuff like that?

12:26.072 --> 12:30.050
It's called NAC, network access control.

12:30.050 --> 12:32.587
It's not real sexy, but
network access control.

12:32.587 --> 12:36.973
NAC is what utilizes the
idea of port level security.

12:39.640 --> 12:42.170
Which WiFi feature should you disable?

12:42.170 --> 12:43.333
Oh, that's easy.

12:43.333 --> 12:47.123
Yep, yep, very good.

12:49.770 --> 12:52.590
Alright, a critical
network service is hosted

12:52.590 --> 12:54.556
on a legacy server running
an obsolete operating,

12:54.556 --> 12:56.110
that sound great.

12:56.110 --> 12:58.840
And you cannot replace
it until fiscal, okay,

12:58.840 --> 13:01.481
you just learned it is extremely
vulnerable to a new worm.

13:01.481 --> 13:02.925
We know what a worm is.

13:02.925 --> 13:04.994
It's appeared on other
computers on your network

13:04.994 --> 13:08.000
but you can't update the
server or install software to

13:08.000 --> 13:08.920
protect it.

13:08.920 --> 13:11.530
What can you place between
the server and the rest

13:11.530 --> 13:13.010
of the network to protect it?

13:13.010 --> 13:18.010
Haha, Airgap would work,
that is absolutely true.

13:19.370 --> 13:23.010
It might limit the usefulness of your box,

13:23.010 --> 13:24.283
but you could do it.

13:25.890 --> 13:27.573
So firewall would work.

13:30.543 --> 13:31.376
Um, oh.

13:36.459 --> 13:40.400
A NIPS, a network intrusion
prevention system.

13:40.400 --> 13:44.930
So again, horrible answer choices.

13:44.930 --> 13:48.941
A firewall would help, an
IPS is what they're saying

13:48.941 --> 13:51.601
basically as opposed to
HIPS, which is host based,

13:51.601 --> 13:53.410
right?

13:53.410 --> 13:57.473
But HIPS and NIPS, that's
a name of a club I think.

13:58.703 --> 13:59.895
Oh, sorry.

13:59.895 --> 14:02.493
Thank you I'll be here all week.

14:06.340 --> 14:07.841
Matt's just shaking his
head back there like,

14:07.841 --> 14:10.433
we hired this shmuck?

14:10.433 --> 14:13.620
Yeah okay, maybe that
would work, but whatever.

14:13.620 --> 14:14.870
Still not a great answer.

14:18.670 --> 14:21.223
Alright, module D.

14:24.330 --> 14:26.290
Monitoring stuff.

14:26.290 --> 14:29.863
Okay, again this section
I think we've talked about

14:29.863 --> 14:34.160
a decent amount of this
stuff so it should be more

14:34.160 --> 14:36.580
like a review, but let's find out.

14:36.580 --> 14:39.390
So different ways of monitoring.

14:39.390 --> 14:41.361
Okay, you can use something like Wireshark

14:41.361 --> 14:43.942
as an example, some type
of a network analyzer

14:43.942 --> 14:46.710
capturing packets.

14:46.710 --> 14:50.380
If you're doing it at the interface level

14:50.380 --> 14:53.293
on a command line like tcpdump
would be another one.

14:54.290 --> 14:57.000
Interface monitoring,
that would be an example.

14:57.000 --> 14:59.280
Port mirrors is what
I talked about before.

14:59.280 --> 15:01.010
Do you remember when I
gave the explanation of the

15:01.010 --> 15:02.240
race condition with Websense,

15:02.240 --> 15:05.146
and I said you want to
monitor all the traffic

15:05.146 --> 15:07.940
going to and from the
internet so you create a port

15:07.940 --> 15:11.250
span or a port mirror on the switch

15:11.250 --> 15:13.950
to tell all the transmit
and receive traffic,

15:13.950 --> 15:16.940
make a copy and send it
over here for me to inspect?

15:16.940 --> 15:18.040
That's port mirroring.

15:18.920 --> 15:22.400
Actually I think port
span is a Cisco term.

15:22.400 --> 15:24.660
So sorry about using that.

15:24.660 --> 15:26.983
I think the more generic
term is port mirror.

15:29.280 --> 15:30.640
Top talkers and listeners.

15:30.640 --> 15:33.700
I don't know what that is,
I wouldn't worry about it.

15:33.700 --> 15:35.023
Wireless analyzers.

15:39.610 --> 15:41.740
Oh what they're saying
is they're just looking

15:41.740 --> 15:42.880
for anomalies.

15:42.880 --> 15:44.520
Detects frequent
transmitters and recipients.

15:44.520 --> 15:46.672
It's kind of an anomaly detection.

15:46.672 --> 15:51.672
Alright, other things you need to monitor,

15:52.760 --> 15:55.720
SNMP simple network management protocol

15:55.720 --> 16:00.190
uses traps and MIBs, management
information libraries.

16:00.190 --> 16:01.340
Of course regular logs.

16:01.340 --> 16:04.183
Syslog is a very common way of logging.

16:04.183 --> 16:06.941
You'll see later there's like
I want to say seven or eight

16:06.941 --> 16:09.701
different levels of
verbosity that you can choose

16:09.701 --> 16:13.010
with Syslog, I think
it's zero through seven

16:13.010 --> 16:14.770
and seven is just like holy crap

16:14.770 --> 16:16.060
I've got a ton of data on this thing.

16:16.060 --> 16:21.060
Here's the SIEM, security
incident and event management.

16:21.197 --> 16:24.600
And I told you there's
tools out there on the

16:24.600 --> 16:29.600
commercial side like
QRadar which is now owned

16:29.870 --> 16:31.978
by IBM, and I think HP

16:31.978 --> 16:34.780
or somebody like that bought ArcSight.

16:34.780 --> 16:36.380
ArcSight would be another SIEM tool,

16:36.380 --> 16:38.390
and most of you are probably
familiar with hopefully,

16:38.390 --> 16:40.570
maybe you've heard of it, Splunk.

16:40.570 --> 16:43.207
Kind of the biggest 800 pound gorilla.

16:43.207 --> 16:47.493
And of course physical
monitoring, that's easy to do.

16:49.270 --> 16:53.770
Network analyzers, so here's
oh I think this is Wireshark,

16:53.770 --> 16:57.080
I'm guessing 'cause it looks
like a shark fin at the top.

16:57.080 --> 16:58.710
Alright, yeah, a little shark fin.

16:58.710 --> 17:01.010
So how many people, show of hands,

17:01.010 --> 17:03.462
have ever used Wireshark
or done packet analysis

17:03.462 --> 17:05.380
of any kind?

17:05.380 --> 17:07.378
If you ever get a chance
to just play with it,

17:07.378 --> 17:10.060
do it because a lot of the stuff,

17:10.060 --> 17:12.426
I mean a whole ton of
things we talk about in here

17:12.426 --> 17:14.750
are just in these little captures.

17:14.750 --> 17:18.770
I mean you've got things
like source and destination

17:18.770 --> 17:20.815
IP address, which protocol's being used,

17:20.815 --> 17:22.660
you recognize these.

17:22.660 --> 17:24.034
And then when you click on one of these,

17:24.034 --> 17:26.100
if you were to blow this thing up,

17:26.100 --> 17:28.460
this kind of middle
section to make it larger,

17:28.460 --> 17:32.230
you can see that it says frame,

17:32.230 --> 17:35.700
which is layer two, Ethernet
which is a layer two thing.

17:35.700 --> 17:39.289
Internet protocol version
four, what layer is that?

17:39.289 --> 17:40.800
Network layer.

17:40.800 --> 17:43.863
Transmission control
protocol, what layer is that?

17:43.863 --> 17:45.000
Transport.

17:45.000 --> 17:47.698
So you can kind of keep
going up the stack of the OSI

17:47.698 --> 17:50.960
model and click on those
little arrows and blow stuff

17:50.960 --> 17:55.160
up and see oh, there's the
source destination IP address,

17:55.160 --> 17:55.993
oh here's the port.

17:55.993 --> 17:57.995
Port 80, what kind of traffic
is probably going through

17:57.995 --> 17:59.551
there, hopefully?

17:59.551 --> 18:02.190
HTTP, hopefully, right?

18:02.190 --> 18:04.360
Et cetera et cetera, so
they're really good for kind

18:04.360 --> 18:06.212
of just learning about network stuff.

18:06.212 --> 18:11.212
This is SNMP, I already mentioned it.

18:11.400 --> 18:13.400
Talked about the management
information library,

18:13.400 --> 18:14.835
not men in black.

18:14.835 --> 18:16.733
Mid server here.

18:21.920 --> 18:23.493
Syslog, here we go.

18:24.340 --> 18:25.730
Talked about this.

18:25.730 --> 18:28.590
Here are the ranges from zero
to seven, debug, that's why.

18:28.590 --> 18:31.637
Debug level seven gives
you the most information,

18:31.637 --> 18:34.361
but it's an absolute crap time,

18:34.361 --> 18:37.833
but you can send Syslogs
to your SIEM as an example.

18:43.550 --> 18:45.050
What do SIEMs do?

18:45.050 --> 18:46.350
Well they do these things.

18:47.296 --> 18:49.500
So the idea of a SIEM is that
it aggregates information,

18:49.500 --> 18:52.851
so it takes in logs
from almost any device,

18:52.851 --> 18:57.150
takes all those in, and
then it does correlation.

18:57.150 --> 18:59.160
Puts it together and
says what's interesting?

18:59.160 --> 19:00.839
And as a matter of fact, it's not really.

19:00.839 --> 19:02.670
I'm gonna give you a description.

19:02.670 --> 19:04.073
So I used to work for a
company after I left that

19:04.073 --> 19:05.990
communications company Intermedia,

19:05.990 --> 19:08.910
I went to what's called a MSSP,

19:08.910 --> 19:10.418
anybody know what that stands for?

19:10.418 --> 19:14.862
MSSP, managed security service provider,

19:14.862 --> 19:16.949
was a company out of Alexandria,
Virginia called Riptech.

19:16.949 --> 19:21.949
We eventually got acquired
by Symantec, but Riptech,

19:22.220 --> 19:24.572
what we did was we managed
and monitored firewalls

19:24.572 --> 19:26.684
and IDSs.

19:26.684 --> 19:29.040
So if you were a client of ours,

19:29.040 --> 19:30.833
all your firewall logs would come to us,

19:30.833 --> 19:34.200
all your IDS logs would come to us,

19:34.200 --> 19:35.700
and we could do some other stuff,

19:35.700 --> 19:37.510
but those were the main two things.

19:37.510 --> 19:41.130
We would take all those logs
and then aggregate them,

19:41.130 --> 19:46.010
correlate them, and then
start doing queries on it

19:46.010 --> 19:47.408
to find interesting
information such as somebody

19:47.408 --> 19:50.560
trying to hack into your network.

19:50.560 --> 19:51.820
So that's the idea of the SIEM.

19:51.820 --> 19:54.110
So we were like a SIEM,

19:54.110 --> 19:56.918
as an outsource SIEM back in the day.

19:56.918 --> 19:59.960
And there's alerts, and of
course you retain your logs

19:59.960 --> 20:03.839
and do analysis, and there's
a lot of really cool stuff

20:03.839 --> 20:05.690
like Splunk, if you ever get a chance to.

20:05.690 --> 20:07.770
I haven't worked with Splunk directly,

20:07.770 --> 20:10.010
but I know a decent amount about them,

20:10.010 --> 20:12.650
and you got a lot of information there.

20:12.650 --> 20:13.850
There's a lot of cool queries.

20:13.850 --> 20:15.010
It's not just for security.

20:15.010 --> 20:16.730
People of course use it for security,

20:16.730 --> 20:18.198
but it's also good for what's called BI,

20:18.198 --> 20:20.360
or business intelligence.

20:20.360 --> 20:22.346
So you can get you know,
a lot of interesting data

20:22.346 --> 20:25.084
about your customers, about your vendors,

20:25.084 --> 20:27.198
anything you want.

20:27.198 --> 20:30.115
(inaudible speech)

20:32.760 --> 20:35.430
And it is expensive as shit,

20:35.430 --> 20:37.810
'cause they actually charge,
this is the great part.

20:37.810 --> 20:40.370
Splunk charges based on volume,

20:40.370 --> 20:42.455
like the amount of log data that you have,

20:42.455 --> 20:45.296
so the more devices you
have and the higher level

20:45.296 --> 20:48.528
of verbosity with which you log,

20:48.528 --> 20:52.580
price goes up, those guys are doing well.

20:52.580 --> 20:54.744
I have quite a few friends there actually.

20:54.744 --> 20:58.248
System logs, okay I don't
think there's anything special

20:58.248 --> 20:59.923
about this.

21:01.060 --> 21:01.893
Not in my mind.

21:03.660 --> 21:05.870
Where do you put monitoring tools?

21:05.870 --> 21:06.890
That's a good one.

21:06.890 --> 21:09.346
So this kind of reminds
me of the old debate

21:09.346 --> 21:13.190
about when intrusion detection
system first came out.

21:13.190 --> 21:15.799
People would say where do you put it?

21:15.799 --> 21:18.994
Some people would say oh,
I want to put it outside

21:18.994 --> 21:20.420
my firewall,

21:20.420 --> 21:22.900
'cause I want to see who's
knocking on the door.

21:22.900 --> 21:24.620
Other people would say I don't
want to waste all my time

21:24.620 --> 21:25.960
'cause everybody and
their mother is knocking

21:25.960 --> 21:26.793
on the door, I don't give a crap,

21:26.793 --> 21:28.840
they're gonna have a
bunch of false positives,

21:28.840 --> 21:30.560
or I'm gonna have to tune
that thing so far down

21:30.560 --> 21:32.260
that I'm gonna end up
with false negatives,

21:32.260 --> 21:33.700
which is worse.

21:33.700 --> 21:35.150
So they say oh, I'll put
it on the interior network.

21:35.150 --> 21:36.930
I'll put it on the DMZ.

21:36.930 --> 21:38.670
Well the answer is you
put them everywhere.

21:38.670 --> 21:40.324
So when it comes to monitoring, right?

21:40.324 --> 21:41.840
Where do you want to monitor?

21:41.840 --> 21:45.240
You want to monitor as often as you can,

21:45.240 --> 21:46.790
wherever you can, right?

21:46.790 --> 21:47.976
Some devices have it built in.

21:47.976 --> 21:51.936
Network taps, I don't hear
that very often anymore.

21:51.936 --> 21:54.862
What is a network tap?

21:54.862 --> 21:59.224
It's a physical device
that allows the traffic

21:59.224 --> 22:03.200
to be copied and sent off
somewhere else for inspection,

22:03.200 --> 22:05.482
so instead of using a port mirror,

22:05.482 --> 22:08.300
so back in the day when
we were trying to set up

22:08.300 --> 22:10.296
Websense and I said hey, you know,

22:10.296 --> 22:13.581
Mr. and Mrs. switch administrator,
I need you to set up

22:13.581 --> 22:15.783
a port mirror, sometimes I get pushback

22:15.783 --> 22:18.393
and they'd say hey, we only
have the ability to mirror

22:18.393 --> 22:22.960
two ports, and we need our
mirroring for other things.

22:22.960 --> 22:24.170
You can't have it.

22:24.170 --> 22:26.587
If they said that, we had
to have a different answer,

22:26.587 --> 22:28.925
and the different answer was to get a tap,

22:28.925 --> 22:31.085
which quite literally was
a box that you would then

22:31.085 --> 22:35.415
plug from the switch that
goes to the firewall,

22:35.415 --> 22:37.880
you would plug that into the tap,

22:37.880 --> 22:40.170
and then the other side
of the tap would go

22:40.170 --> 22:41.526
to the firewall, and then
there would be two cables

22:41.526 --> 22:44.430
that go out to the Websense box.

22:44.430 --> 22:46.701
So it's a physical device that
acts like a man in the middle

22:46.701 --> 22:50.436
but not in a bad way, to copy traffic.

22:50.436 --> 22:52.854
That's a tap, and they
have optical taps as well,

22:52.854 --> 22:55.623
so if you want to do
fiber and stuff like that.

22:58.320 --> 23:00.793
Place systems, logically central.

23:05.151 --> 23:06.277
Gigamon, is that what you said?

23:06.277 --> 23:07.373
Yeah.

23:09.880 --> 23:11.960
Network security posture, okay,

23:11.960 --> 23:14.244
this is just kind of smart things to do.

23:14.244 --> 23:16.730
We talked about baselines already.

23:16.730 --> 23:18.320
You understand the idea
of a baseline and that

23:18.320 --> 23:19.730
you should have one.

23:19.730 --> 23:21.870
You definitely want to do
different types of monitoring,

23:21.870 --> 23:23.530
whether it's electronic monitoring,

23:23.530 --> 23:27.019
physical visual monitoring,
audits are a way

23:27.019 --> 23:28.773
of doing that as well.

23:34.190 --> 23:36.420
More scanner stuff.

23:36.420 --> 23:40.580
We talked about protocols,
analyzer, port scanners.

23:40.580 --> 23:42.303
Network mappers, those are good.

23:43.190 --> 23:45.170
There's a company, I don't even
know if they exist anymore,

23:45.170 --> 23:47.180
there's a company called Lumeta, Lumeta,

23:48.860 --> 23:51.950
Lumeta had a really nice kind
of network discovery tool

23:51.950 --> 23:54.060
that would go out and
invariably people would

23:54.060 --> 23:56.235
get back a report, once it
would discover all the nodes

23:56.235 --> 23:58.220
in the network and
they'd be like holy shit,

23:58.220 --> 24:00.680
we didn't even know we had
a third of these things,

24:00.680 --> 24:01.880
and like that's no good.

24:03.040 --> 24:05.958
We talked about cracking passwords, right?

24:05.958 --> 24:10.330
Vulnerability, assessment,
we talked about as well.

24:10.330 --> 24:12.200
You can do application based stuff,

24:12.200 --> 24:14.390
database doesn't really matter.

24:14.390 --> 24:19.390
Wireless, exploitation
framework, that's a good one.

24:20.570 --> 24:22.789
So has anybody heard of Metasploit?

24:22.789 --> 24:25.970
Metasploit is a, it
got bought by somebody,

24:25.970 --> 24:27.490
I don't even remember who owns it now.

24:27.490 --> 24:31.359
But Metasploit and Kali Linux,
Kali Linux actually has

24:31.359 --> 24:33.680
a copy of Metasploit in it,

24:33.680 --> 24:37.142
but Metasploit back in the day,
and again I'm dating myself,

24:37.142 --> 24:39.217
Metasploit was a great tool,

24:39.217 --> 24:41.410
and it was an exploitation framework.

24:41.410 --> 24:43.173
So it's basically a
tool that was built for

24:43.173 --> 24:46.868
dumb people like me, and you
would turn it on on a network,

24:46.868 --> 24:49.880
and it would say oh hey, I see
I'm connected to a network.

24:49.880 --> 24:51.370
Would you like to scan this network

24:51.370 --> 24:52.673
and see what's out there?

24:52.673 --> 24:55.410
Yes I would, click, it
would go out and scan it,

24:55.410 --> 24:56.584
come back and go hey, here are
all the hosts that I found.

24:56.584 --> 24:59.602
Would you like to know what
they're vulnerable to?

24:59.602 --> 25:02.020
Why yes I would, click.

25:02.020 --> 25:03.970
It goes out, does a
vulnerability assessment,

25:03.970 --> 25:05.675
comes back and goes hey, I
found all these vulnerabilities,

25:05.675 --> 25:07.879
would you like to exploit any of them?

25:07.879 --> 25:10.280
Why yes I would, click, and
it goes out and attacks,

25:10.280 --> 25:12.378
and then a lot of fun stuff.

25:12.378 --> 25:14.902
Cool tool, built for big
dumb guys, and it works.

25:14.902 --> 25:17.960
(inaudible speech)

25:17.960 --> 25:19.200
Have what?

25:19.200 --> 25:20.033
- [Student] Red Seal.

25:20.033 --> 25:21.279
- Red Seal?

25:21.279 --> 25:23.040
(inaudible speech)

25:23.040 --> 25:24.950
Oh okay, that's cool.

25:24.950 --> 25:26.760
Is that the name of the product
or the name of the company

25:26.760 --> 25:27.874
or what?

25:27.874 --> 25:28.983
- [Student] Both.

25:28.983 --> 25:29.984
- Both, Red Seal, okay.

25:29.984 --> 25:30.840
I've never heard of that.

25:33.555 --> 25:37.083
Security audits, okay, we
talked about logs already.

25:38.380 --> 25:40.130
Incident response, we'll
talk a little bit more

25:40.130 --> 25:41.930
about that tomorrow actually.

25:41.930 --> 25:43.522
User accounts and permissions
we talked about that

25:43.522 --> 25:45.186
and said least privilege.

25:45.186 --> 25:47.280
Device configurations, right?

25:47.280 --> 25:48.743
You should have some type of a baseline.

25:48.743 --> 25:51.890
You should obviously know
which apps are installed.

25:51.890 --> 25:55.181
A lot of people as a matter of fact,

25:55.181 --> 25:57.337
in different companies, what
they'll do is they won't

25:57.337 --> 25:59.991
allow you to install applications.

25:59.991 --> 26:01.617
Like any time you try
to install a new app,

26:01.617 --> 26:04.132
it will say eh eh, you
have to go through our

26:04.132 --> 26:06.742
approved app list and they
have apps you can get to

26:06.742 --> 26:08.899
through the network.

26:08.899 --> 26:13.899
Incident reports.

26:14.200 --> 26:17.900
Okay, alarms, alerts, and trends.

26:17.900 --> 26:19.950
There's nothing really interesting there.

26:21.450 --> 26:23.753
Network security troubleshooting, okay.

26:27.930 --> 26:30.697
Changes and unusual behavior,
suspicions (inaudible speech).

26:32.850 --> 26:35.000
Yeah, these are all,
again, this is a summary

26:35.000 --> 26:36.243
of a lot of the stuff
we already talked about.

26:36.243 --> 26:38.332
I don't see anything new.

26:38.332 --> 26:39.548
We talked about updates.

26:39.548 --> 26:44.548
Yeah, only disable security
measures during formal

26:44.850 --> 26:45.760
troubleshooting, yeah.

26:45.760 --> 26:47.960
If you don't have to
do that, don't do that.

26:48.880 --> 26:52.930
Controls re-enable, relaxing
security only as necessary,

26:52.930 --> 26:53.763
yes.

26:58.490 --> 27:00.292
An interface monitor is
likely to be one part

27:00.292 --> 27:03.127
of a larger monitoring tool.

27:03.127 --> 27:06.023
I'm talking a wild guess
here, probably true.

27:10.240 --> 27:11.073
Yeah.

27:13.294 --> 27:17.840
What SNMP component is a database?

27:17.840 --> 27:18.890
Ooo, I know that one.

27:20.480 --> 27:23.313
Yep, management information database.

27:29.010 --> 27:31.076
Even though Syslog has been
around a very long time

27:31.076 --> 27:34.270
and hasn't always been
a well defined standard,

27:34.270 --> 27:37.552
well that is true actually.

27:37.552 --> 27:40.453
I think they give you an explanation here.

27:41.450 --> 27:43.541
Yeah, developed a long
time ago in the 80's,

27:43.541 --> 27:47.940
but they didn't standardize
it until much much later.

27:47.940 --> 27:49.953
That's probably not gonna be on the test.

27:50.910 --> 27:54.880
What SIEM software feature
finds broader trends?

27:54.880 --> 27:58.363
Okay, and relationships, you
should be able to get that.

27:59.877 --> 28:03.803
Finds things that are correlated.

28:05.657 --> 28:06.490
Yeah, there you go.

28:09.455 --> 28:13.830
What kind of tool is
often called a sniffer?

28:13.830 --> 28:18.830
Oh okay, yep, protocol analyzer, yep.

28:22.720 --> 28:27.720
Boom, boom, boom, boom, boom, alright.

28:27.864 --> 28:29.583
We're on a new one, right? Chapter six.

28:30.760 --> 28:31.593
Sweet.

28:39.114 --> 28:44.114
Oh the first two, I'm
sorry, I don't remember.

28:47.130 --> 28:49.370
First one is this one.

28:49.370 --> 28:52.743
True, and the next one was MIB,

28:54.140 --> 28:56.843
management information database, yeah.

29:16.140 --> 29:18.343
Alright, securing hosts and data.

29:21.240 --> 29:25.400
Cool, alright, classification levels.

29:25.400 --> 29:27.230
Okay, you guys are pretty
familiar with this stuff

29:27.230 --> 29:28.540
I would imagine.

29:28.540 --> 29:30.733
Top secret, secret, confidential, unclass.

29:31.586 --> 29:33.696
If you're talking about
the private sector,

29:33.696 --> 29:36.313
a lot of times they'll use
things like confidential,

29:36.313 --> 29:40.000
proprietary, public, terms like that,

29:40.000 --> 29:43.417
but these are definitely terms
that you're familiar with.

29:43.417 --> 29:47.590
PII, we've talked about.

29:47.590 --> 29:49.678
They give some examples
of different types of PII.

29:49.678 --> 29:52.238
They mention biometric data.

29:52.238 --> 29:57.238
ID bank numbers, background,
PHI they mention of course.

29:57.546 --> 30:00.090
Oh here's the, I made this
reference the other day

30:00.090 --> 30:02.961
and people were like what
are you talking about?

30:02.961 --> 30:04.714
So anytime if you have a
business that's expecting

30:04.714 --> 30:08.182
credit cards and information
related to people's credit

30:08.182 --> 30:11.825
card, you have to comply with PCI-DSS,

30:11.825 --> 30:14.963
payment card industry
digital security standard.

30:18.231 --> 30:19.578
What's that now?

30:19.578 --> 30:21.050
Oh they do get hacked.

30:21.050 --> 30:22.420
And as a matter of fact,
not only do they get hacked,

30:22.420 --> 30:24.230
but there's a threshold
that if they lose a certain

30:24.230 --> 30:26.078
number of records, they
hit that threshold,

30:26.078 --> 30:28.150
they have to announce it publicly,

30:28.150 --> 30:29.830
and they get charged per record.

30:29.830 --> 30:31.750
I don't know what the number
is, it might be eight dollars,

30:31.750 --> 30:34.059
but when you have 50,000
of those, it's a lot.

30:34.059 --> 30:39.059
- [Student] If they lose
8,000, they lose my record?

30:39.273 --> 30:41.555
- Well yeah, well they get yeah,

30:41.555 --> 30:46.224
it adds up for them, but
yeah you're not worth much.

30:46.224 --> 30:48.210
Yeah I don't know where the money goes.

30:48.210 --> 30:49.840
That's a great question.

30:49.840 --> 30:52.034
They get fined but, you
would think the money

30:52.034 --> 30:53.730
goes to something that
would go into something

30:55.048 --> 30:56.657
that would help them be more secure,

30:56.657 --> 30:57.855
but I don't believe that's the case.

30:57.855 --> 31:00.857
Goes right to the wall,
yeah, that's right.

31:00.857 --> 31:03.563
Straight to Mexico.

31:05.010 --> 31:05.880
That's hysterical.

31:05.880 --> 31:10.390
Okay, some various
roles that you should be

31:10.390 --> 31:11.843
familiar with.

31:11.843 --> 31:16.843
The data steward, I don't know.

31:17.080 --> 31:19.240
I've never heard that before you know,

31:19.240 --> 31:20.480
I started teaching this class.

31:20.480 --> 31:23.490
I'm not sure that's really
anything in the real world.

31:23.490 --> 31:26.683
Maybe it is, but the data
owner is exactly that.

31:26.683 --> 31:28.240
They're the data owner.

31:28.240 --> 31:33.240
So if you have a company
and you have an engineering

31:33.570 --> 31:35.976
department, you have the
director of engineering.

31:35.976 --> 31:39.240
The director of engineering
would be the data owner

31:39.240 --> 31:44.240
for all the data inside
of engineering, okay?

31:44.770 --> 31:48.210
But, that data is kept on systems,

31:48.210 --> 31:50.788
those systems are managed
by system administrators.

31:50.788 --> 31:54.970
The system administrator
is the data custodian.

31:54.970 --> 31:57.714
The data custodian is the
person who's in charge

31:57.714 --> 32:00.867
of taking care of the
security of the data,

32:00.867 --> 32:02.086
day in and day out.

32:02.086 --> 32:03.515
So it's the admin.

32:03.515 --> 32:05.967
The data owner is usually
somebody higher in the organization

32:05.967 --> 32:09.380
like a manager or director,
or something like that.

32:09.380 --> 32:12.637
Of course the user would be
the engineers themselves.

32:12.637 --> 32:16.770
Privacy officer is just
usually a C-level person,

32:16.770 --> 32:17.857
right?

32:17.857 --> 32:19.214
Chief privacy officer,
somebody who's in charge of

32:19.214 --> 32:22.764
setting the company's
charter as it pertains to

32:22.764 --> 32:25.683
how do we keep information private.

32:31.170 --> 32:32.703
Oh yeah, here I wrote that
thing down for the data steward.

32:32.703 --> 32:37.190
Ensures data quality, ensures
that metadata is sufficient

32:37.190 --> 32:40.230
and useful, and that the data
meets regulatory requirements.

32:40.230 --> 32:42.940
Okay, so I would, if I was
trying to play that out,

32:42.940 --> 32:45.051
I would say that if you had
a regulatory requirement,

32:45.051 --> 32:48.845
whether it's HIPAA, PCI,
doesn't really matter,

32:48.845 --> 32:51.015
that whatever those requirements are,

32:51.015 --> 32:53.043
the data steward would make
sure that the information

32:53.043 --> 32:56.760
that you're collecting does
meet that requirement, so.

32:56.760 --> 32:59.873
Okay, I just made it up, but
I don't think you'll see it.

33:01.060 --> 33:02.440
We've talked about the different,

33:02.440 --> 33:03.390
oh we haven't talked about this.

33:03.390 --> 33:04.620
The states of data, right?

33:04.620 --> 33:08.052
We talked about data, usually
you talk about data at rest,

33:08.052 --> 33:11.050
data in, they don't
usually use in transit.

33:11.050 --> 33:11.950
That's a weird way of saying it.

33:11.950 --> 33:15.010
Usually say data in motion,
but either one's fine.

33:15.010 --> 33:16.957
They mean the same
thing, but data in motion

33:16.957 --> 33:19.830
and data at rest, and data in use.

33:19.830 --> 33:22.815
So data in motion is as
you're sending something

33:22.815 --> 33:24.488
across the wire, let's
say you're transmitting

33:24.488 --> 33:27.910
data across a VPN, that's data in motion.

33:27.910 --> 33:30.430
Data at rest of course
is sitting either on your

33:30.430 --> 33:32.850
system or in a database
would be an example.

33:32.850 --> 33:36.200
And data in use is when
it's actually being used,

33:36.200 --> 33:38.280
which means when it's in RAM, in memory.

33:38.280 --> 33:39.899
What does RAM stand for?

33:39.899 --> 33:40.880
- [Unison] Remote access memory.

33:40.880 --> 33:42.364
- Holy shit, everybody knew one.

33:42.364 --> 33:45.020
That was like, everybody
just went off on me.

33:45.020 --> 33:46.650
That was awesome.

33:46.650 --> 33:48.240
I love it, I got to find more like that

33:48.240 --> 33:51.020
to boost y'all's
confidence, that was good.

33:51.020 --> 33:52.732
But data in use is when it's being,

33:52.732 --> 33:54.923
usually in memory.

33:58.520 --> 34:00.934
Okay, we talked about
the life cycle of data,

34:00.934 --> 34:05.934
and I don't disagree
necessarily with these,

34:06.100 --> 34:08.155
but the way I've seen it most often

34:08.155 --> 34:13.155
is create, use, archive, and then dispose,

34:15.470 --> 34:18.380
and these are all basically
saying the same thing.

34:18.380 --> 34:21.769
But that's, so however
you happen to manufacture

34:21.769 --> 34:24.013
or create the data,
then however you use it,

34:24.013 --> 34:26.355
you usually have to
archive it or back it up

34:26.355 --> 34:28.024
in some way shape or form,

34:28.024 --> 34:30.947
and then eventually you
may have to get rid of it,

34:30.947 --> 34:33.132
and I talked about things like GDPR,

34:33.132 --> 34:37.333
which is a new European
Union regulation for privacy,

34:37.333 --> 34:41.370
and you as a European Union
citizen, if you are one,

34:41.370 --> 34:44.580
you have the right to tell
a company to forget you.

34:44.580 --> 34:46.179
Which means they have to go in and dispose

34:46.179 --> 34:48.293
of everything they had on you.

34:51.360 --> 34:52.683
Oh here's DLP.

34:53.635 --> 34:54.960
Oh okay, I want to draw
a little picture here

34:54.960 --> 34:56.965
'cause I don't know, I'm not
worried about this thing.

34:56.965 --> 34:58.149
It's not gonna help me at all,

34:58.149 --> 35:00.010
I don't think it's gonna help you either.

35:00.010 --> 35:01.640
But DLP is pretty cool.

35:01.640 --> 35:03.504
Data loss prevention or
data leak prevention,

35:03.504 --> 35:05.763
either one is fine.

35:07.350 --> 35:10.070
So when I worked for Websense,

35:10.070 --> 35:12.435
we were known for URL filtering.

35:12.435 --> 35:14.770
Funny story, side bar here.

35:14.770 --> 35:16.646
So when I got that job, I
told you that they started

35:16.646 --> 35:19.448
as a porn filter, that's
really what they were.

35:19.448 --> 35:22.380
And I remember when I got the
job as a SE and I came home

35:22.380 --> 35:24.170
to my wife and I said hey babe,

35:24.170 --> 35:26.534
I got that offer from Websense,
I'm gonna go be an engineer

35:26.534 --> 35:28.100
at Websense.

35:28.100 --> 35:29.550
She goes alright, great, congratulations.

35:29.550 --> 35:30.430
What do they do?

35:30.430 --> 35:31.661
I go oh, they do (mumbling)

35:31.661 --> 35:33.784
Pardon me?

35:33.784 --> 35:34.810
(mumbling)

35:34.810 --> 35:36.583
Did you say porn?

35:36.583 --> 35:38.520
Yeah, they kind of do porn filtering.

35:38.520 --> 35:39.620
She started freaking out.

35:39.620 --> 35:41.300
She's like oh my god,
you're gonna be in porn.

35:41.300 --> 35:43.041
I'm like it ain't that
good a job, trust me.

35:43.041 --> 35:47.019
But yeah, so that was kind
of fun in the beginning.

35:47.019 --> 35:48.683
That's what they were known for.

35:48.683 --> 35:52.058
But they obviously, they
expanded their business

35:52.058 --> 35:53.960
and one of the things they
did while I was there,

35:53.960 --> 35:55.815
they bought a company
called Port Authority.

35:55.815 --> 35:58.911
And Port Authority did
DLP, data leak prevention,

35:58.911 --> 36:00.384
and there's some cool stuff.

36:00.384 --> 36:02.874
The idea of data leak
prevention is really neat.

36:02.874 --> 36:04.513
- [Student] Data loss.

36:05.730 --> 36:07.860
- Either one, I don't care.

36:07.860 --> 36:09.813
And they're not gonna
give you both on a test

36:09.813 --> 36:11.610
and say pick one.

36:11.610 --> 36:13.793
So doesn't really matter.

36:13.793 --> 36:16.589
I think I usually say leak,
data leak prevention, yeah.

36:16.589 --> 36:19.158
Either one's fine though.

36:19.158 --> 36:20.695
But the idea behind it is pretty cool.

36:20.695 --> 36:24.920
So we obviously know that
there's bad people that you

36:24.920 --> 36:26.600
want to keep out of your network,

36:26.600 --> 36:28.560
but there's also a lot of
good things in your network

36:28.560 --> 36:30.810
that you don't want going out, right?

36:30.810 --> 36:32.400
Things that are proprietary.

36:32.400 --> 36:35.160
When I say IP, we always
say internet protocol,

36:35.160 --> 36:37.400
but what's the other definition of IP?

36:37.400 --> 36:39.107
That you don't want getting out?

36:39.107 --> 36:42.262
It's a legal term.

36:42.262 --> 36:45.640
Intellectual property, right?

36:45.640 --> 36:47.590
So you don't want something
like that getting out,

36:47.590 --> 36:49.299
or sensitive information, all that stuff.

36:49.299 --> 36:53.791
So the way DLP works is
that there's different

36:53.791 --> 36:57.501
mechanisms in place so
let's say there's a PDF,

36:57.501 --> 37:00.875
and that PDF is labeled, it says it on it.

37:00.875 --> 37:04.962
It says proprietary and confidential,

37:04.962 --> 37:08.210
and it's meant for
internal resources only.

37:08.210 --> 37:10.525
And I, by accident, I
attach it to an email

37:10.525 --> 37:12.290
and send it out.

37:12.290 --> 37:16.850
DLP will see that, look
at that PDF and go uh oh,

37:16.850 --> 37:18.540
you're not allowed to do that and boom,

37:18.540 --> 37:20.460
kill it before it ever gets out,

37:20.460 --> 37:21.600
which is a really cool thing.

37:21.600 --> 37:24.680
And it works with documents,
it works with PDFs,

37:24.680 --> 37:27.570
it works with PowerPoint, you
name it, it works with it.

37:27.570 --> 37:28.914
And not only can it do that,

37:28.914 --> 37:32.835
it can actually do it
based on data format.

37:32.835 --> 37:36.720
So you should never for HIPAA,
you should never send out

37:36.720 --> 37:40.724
a full social security number out through

37:40.724 --> 37:42.934
plain text email.

37:42.934 --> 37:46.130
So what DLP will do is
it will scan every email

37:46.130 --> 37:47.499
and it will look for
something that looks like

37:47.499 --> 37:51.690
three numbers, dash two
numbers, dash four numbers.

37:51.690 --> 37:55.100
And you can set it up to
be as smart as you want it.

37:55.100 --> 37:56.280
If there's maybe some other thing,

37:56.280 --> 37:58.070
maybe there's account numbers
you don't want going out,

37:58.070 --> 37:59.650
you can set all that stuff up.

37:59.650 --> 38:02.090
But one thing I want to
give you one example,

38:02.090 --> 38:04.090
'cause this ties into
something we get in crypto,

38:04.090 --> 38:05.930
and I think this will help
you appreciate that a little

38:05.930 --> 38:09.718
bit more, is that let's
say you have a document.

38:09.718 --> 38:13.307
It's a Word document and
it should never go out.

38:13.307 --> 38:14.608
And it's easy to say okay great,

38:14.608 --> 38:18.018
if somebody attaches a
document, it won't go out.

38:18.018 --> 38:21.175
But what if they take the document

38:21.175 --> 38:25.670
and they just add in a
bunch of filler words to it,

38:25.670 --> 38:27.760
or they take out a bunch
of it, they delete a bunch

38:27.760 --> 38:28.960
of stuff, right?

38:28.960 --> 38:33.570
So the idea is that you got this document,

38:33.570 --> 38:36.040
and it's got a bunch of
proprietary information

38:36.040 --> 38:37.760
that should not go out.

38:37.760 --> 38:40.380
And this will also work with a PowerPoint.

38:40.380 --> 38:41.618
If you say I don't want this PowerPoint

38:41.618 --> 38:44.327
and somebody just says oh I'm
just gonna take one slide,

38:44.327 --> 38:46.570
still doesn't work.

38:46.570 --> 38:48.416
But what's cool about this
is the way it does it.

38:48.416 --> 38:53.416
So when the DLP sees this
document, you could say,

38:55.890 --> 38:57.790
or I'll ask you in the form of a question.

38:57.790 --> 39:02.790
If I wanted to check the
integrity of this document,

39:03.070 --> 39:04.623
what would I do?

39:06.000 --> 39:07.680
That's right, I would take
this thing and I would run

39:07.680 --> 39:09.884
it through name a hashing algorithm.

39:09.884 --> 39:11.593
Sure, why not.

39:12.840 --> 39:14.810
I was driving last night to go to dinner

39:14.810 --> 39:16.850
and there was a sign, and I
don't know what it was for

39:16.850 --> 39:18.330
but it was a blue sign with white letters,

39:18.330 --> 39:21.070
and it said SHA something,
and it didn't mean

39:21.070 --> 39:23.300
secure hashing algorithm, but of course,

39:23.300 --> 39:25.200
been talking all that
crap all week so I'm like,

39:25.200 --> 39:27.098
SHA something, oh, I'm gonna wreck my car.

39:27.098 --> 39:28.970
Is that what it was?

39:28.970 --> 39:31.300
See, now you got a whole
new way of thinking of it.

39:31.300 --> 39:33.250
So I would go ahead and hash that thing,

39:33.250 --> 39:35.733
and it would come out as ABC123.

39:36.710 --> 39:40.252
So then, I would take
this in a DLP scenario,

39:40.252 --> 39:43.240
I would take this hash
and I would store it in

39:43.240 --> 39:44.400
a database.

39:44.400 --> 39:47.490
Now my DLP system, hey guys,

39:47.490 --> 39:50.989
in the DLP system now is
monitoring for attachments.

39:50.989 --> 39:53.266
It sees this attachment
and it says hang on,

39:53.266 --> 39:55.217
I can't send you out yet.

39:55.217 --> 39:57.310
Let me take off the attachment.

39:57.310 --> 39:59.750
I'm gonna run it through,
this is the DLP system

39:59.750 --> 40:01.830
now doing it in real time,

40:01.830 --> 40:06.796
I'm gonna run it through MD5,
and I'm gonna get a hash.

40:06.796 --> 40:11.420
Mine is gonna be ABC123.

40:11.420 --> 40:13.737
So then it says what does
it do with this hash.

40:13.737 --> 40:16.487
Compares it to what?

40:16.487 --> 40:18.637
The other hash that's
sitting inside of the big DLP

40:18.637 --> 40:22.769
database over here,
compares it to that one,

40:22.769 --> 40:26.236
and it's the same, and it
goes oh, you can't send that

40:26.236 --> 40:28.130
and boom, doesn't allow you to send it.

40:28.130 --> 40:29.526
So that's how it works
kind of at a high level.

40:29.526 --> 40:31.512
You're like okay, that
makes sense, I get it.

40:31.512 --> 40:35.580
But what happens if somebody,
this is the original

40:35.580 --> 40:37.337
document and we've already
gone through that process.

40:37.337 --> 40:38.806
So now I'm gonna erase this,

40:38.806 --> 40:41.526
and that's the hash sitting over there.

40:41.526 --> 40:44.706
But now I'm gonna take
this and I'm gonna say

40:44.706 --> 40:48.424
oh, but somebody takes this
document and they change it.

40:48.424 --> 40:50.500
Maybe they get rid of some stuff,

40:50.500 --> 40:52.996
maybe they add some
stuff, but they change it

40:52.996 --> 40:54.707
from its original thing.

40:54.707 --> 40:56.080
Now they try to send it.

40:56.080 --> 40:58.700
DLP system says hang on, you're trying

40:58.700 --> 40:59.610
to send an attachment,

40:59.610 --> 41:00.875
an attachment, I have to check it out.

41:00.875 --> 41:05.049
It takes the attachment,
it runs it through MD5.

41:05.049 --> 41:06.733
What is it not gonna get?

41:07.571 --> 41:08.750
- [Student] ABC123.

41:08.750 --> 41:10.205
- Right, it's gonna
get something different

41:10.205 --> 41:13.686
because this thing
changed, so it's gonna get

41:13.686 --> 41:15.690
let's say DEF456.

41:15.690 --> 41:19.657
Now what does it do with that hash.

41:19.657 --> 41:22.227
Compare it, and what happens?

41:22.227 --> 41:25.742
It's different, so it doesn't
match, so what does it do.

41:25.742 --> 41:28.220
Lets it go out.

41:28.220 --> 41:31.277
So you're like oh well,
we just broke your system.

41:31.277 --> 41:33.730
Yes, if that's the only
way that it worked,

41:33.730 --> 41:35.040
that would break the system.

41:35.040 --> 41:36.690
But here's the cool thing.

41:36.690 --> 41:39.842
DLP doesn't just take a
hash of the entire document.

41:39.842 --> 41:44.348
What it does is it
takes overlapping hashes

41:44.348 --> 41:49.348
all the way through this
thing of the document.

41:49.640 --> 41:52.651
So one document could
have a thousand hashes,

41:52.651 --> 41:56.244
because that way, if you try
to make one simple change

41:56.244 --> 41:58.843
somewhere else, but it
recognizes anything else

41:58.843 --> 42:02.400
in here, it says no go.

42:02.400 --> 42:03.470
So that's kind of cool.

42:03.470 --> 42:04.560
I thought that was pretty neat.

42:04.560 --> 42:06.386
But, not a perfect system,
they're really expensive

42:06.386 --> 42:11.386
and can be pretty difficult
to tune if you will,

42:13.062 --> 42:15.083
but they're really neat.

42:16.580 --> 42:18.040
Yeah, time consuming.

42:18.040 --> 42:19.713
Do you work with a DLP now.

42:19.713 --> 42:22.630
(inaudible speech)

42:25.265 --> 42:26.926
- [Student] It's not level four yet,

42:26.926 --> 42:29.005
so it's monitoring for
social security numbers and

42:29.005 --> 42:32.490
(inaudible speech)

42:32.490 --> 42:34.616
- So it's looking for the
data format for those things,

42:34.616 --> 42:36.490
yeah.

42:36.490 --> 42:38.348
So like if you, I mean
sure, like social security

42:38.348 --> 42:41.100
numbers are a great idea.

42:41.100 --> 42:43.322
I mean it's easy if you
say yeah three numbers dash

42:43.322 --> 42:45.410
two numbers dash four numbers.

42:45.410 --> 42:46.988
But what if you spelled it out right,

42:46.988 --> 42:51.008
two, thr, nobody's gonna pick that up.

42:51.008 --> 42:52.740
So it's not that you can't get around it,

42:52.740 --> 42:55.742
it's mainly supposed to
stop people from doing

42:55.742 --> 43:00.023
the accidental stuff that
can get you fined, so.

43:05.180 --> 43:08.503
Alright, NTFS, I got to
put this back on here.

43:11.800 --> 43:14.306
Yeah, they have a couple slides
here with file permissions.

43:14.306 --> 43:17.290
To be honest with you, I don't know why.

43:17.290 --> 43:20.310
It's not really anything
that's terribly interesting

43:20.310 --> 43:22.660
or that you wouldn't
already have known, right?

43:22.660 --> 43:25.526
Read write, read execute,
modify full control.

43:25.526 --> 43:29.073
No idea.

43:31.730 --> 43:33.600
They talk about the Linux stuff.

43:33.600 --> 43:36.595
I mean I can barely spell
Linux without using a K.

43:36.595 --> 43:39.330
Not really a Linux guy.

43:39.330 --> 43:42.453
But read, write, execute, okay, got it.

43:43.890 --> 43:45.633
Standard permissions.

43:45.633 --> 43:49.193
File attributes again, I don't
think you have to identify

43:49.193 --> 43:52.293
any of these things
here, but they talk about

43:52.293 --> 43:54.642
the attributes section, they
point it out there for you,

43:54.642 --> 43:56.970
whether or not you want to read only,

43:56.970 --> 44:01.970
if you want to hide it
or archive et cetera.

44:02.350 --> 44:03.978
Compress it, encrypt it.

44:03.978 --> 44:07.993
Nothing unusual here.

44:09.440 --> 44:11.209
Share permissions, kind of same idea.

44:11.209 --> 44:12.642
If you want to share stuff out.

44:12.642 --> 44:14.835
We'll talk about that a
little bit more in a minute,

44:14.835 --> 44:17.094
when we talk about, or
maybe it's tomorrow.

44:17.094 --> 44:20.778
I think tomorrow we talk
about things like DAC, MAC,

44:20.778 --> 44:22.770
ARBAC, things like that.

44:22.770 --> 44:25.040
If you're familiar with
discretionary access control,

44:25.040 --> 44:26.980
mandatory access control, et cetera.

44:26.980 --> 44:29.070
We'll talk more about
permissions in that vein.

44:29.070 --> 44:30.382
This is pretty simple right?

44:30.382 --> 44:32.272
Read, change, full control.

44:32.272 --> 44:37.272
You do have to be careful
when it comes to sharing

44:37.907 --> 44:39.000
permissions and stuff.

44:39.000 --> 44:40.625
I had this happen at Riptec.

44:40.625 --> 44:45.625
I had only been there for maybe
a month when this happened.

44:46.328 --> 44:49.763
A woman, a co-worker walked
up to me and she goes hey,

44:49.763 --> 44:52.210
Hack, did you see that
thing on the network?

44:52.210 --> 44:54.740
I'm like, that's pretty
vague I have no idea what

44:54.740 --> 44:55.740
you're talking about.

44:55.740 --> 44:58.750
And I was sitting at my desk,
she was shoulder surfing me,

44:58.750 --> 44:59.900
she goes, can I use your mouse.

44:59.900 --> 45:02.280
I said yeah, so she
navigates on the network

45:02.280 --> 45:04.798
to this network drive,
and she opens up a folder

45:04.798 --> 45:06.340
and it has a spreadsheet.

45:06.340 --> 45:08.440
She opens it up and this spreadsheet has,

45:08.440 --> 45:10.131
and this was a startup, private company,

45:10.131 --> 45:11.934
has the names of all the employees,

45:11.934 --> 45:15.976
about 135 of us at the time,
all the employees names,

45:15.976 --> 45:20.976
salaries, stock options, all these,

45:23.510 --> 45:27.780
and I was like oh shit, and
she goes yeah, no kidding.

45:27.780 --> 45:30.650
And so she walked away,
and I was like oh my god.

45:30.650 --> 45:31.584
So I closed that thing down.

45:31.584 --> 45:35.010
I went in to my boss I said hey boss,

45:35.010 --> 45:36.362
I go there's something
up here on the network

45:36.362 --> 45:37.673
I think you need to get fixed now.

45:37.673 --> 45:39.180
And he goes what?

45:39.180 --> 45:40.447
And I showed him he's like Jesus Christ,

45:40.447 --> 45:41.674
he goes running out of the office,

45:41.674 --> 45:45.029
and all of a sudden I go back to my desk,

45:45.029 --> 45:50.029
I'm doing my job, and
I heard the CEO meet,

45:52.120 --> 45:53.440
I heard her meet down the hall,

45:53.440 --> 45:57.460
I just hear hey Hackmeyer,
I'm like sir yes sir.

45:57.460 --> 45:59.762
He's like, can you come in here a minute?

45:59.762 --> 46:01.765
I'm like sure. Remember I've
only been there a month.

46:01.765 --> 46:02.598
Right, I didn't know
many people that well,

46:02.598 --> 46:05.039
and I walk in and he says have a seat.

46:05.039 --> 46:06.425
I said great.

46:06.425 --> 46:08.470
So I sit down and he
says so you're familiar

46:08.470 --> 46:13.470
with the file that was up on the network?

46:13.610 --> 46:15.270
I said yes sir.

46:15.270 --> 46:16.630
Well first of all I want
to thank you for doing

46:16.630 --> 46:17.920
the right thing.

46:17.920 --> 46:20.159
He said you found out
about it, you informed

46:20.159 --> 46:22.063
your manager, we have now
taken it off of that drive,

46:22.063 --> 46:25.330
but I want to thank you for what you did,

46:25.330 --> 46:26.360
that was the right move.

46:26.360 --> 46:27.637
Yeah, no problem, I knew it
was the right thing to do,

46:27.637 --> 46:28.680
that's why I did it.

46:28.680 --> 46:31.870
But I have to ask, he
goes, did you actually look

46:31.870 --> 46:33.198
at the information on that sheet?

46:33.198 --> 46:34.790
I said look at it?

46:34.790 --> 46:36.585
I damn near memorized
it and why you're paying

46:36.585 --> 46:39.540
that shmuck what you're
paying him, I'll never know.

46:39.540 --> 46:40.826
And he just started laughing.

46:40.826 --> 46:43.500
And I go, yeah, hell yeah,
who wouldn't look at it.

46:43.500 --> 46:44.860
He goes it's kind of why I asked.

46:44.860 --> 46:46.280
I wanted to see if you'd be honest.

46:46.280 --> 46:47.662
I go yeah, I'm not here
trying to fool anybody.

46:47.662 --> 46:50.500
Yeah, I looked at it of course.

46:50.500 --> 46:51.920
I'm not gonna share it.

46:51.920 --> 46:54.799
Well what I did not know,
what ended up happening,

46:54.799 --> 46:57.863
the woman who showed me got fired.

46:57.863 --> 47:00.184
But the reason she got fired
was because she printed

47:00.184 --> 47:04.370
it out, and then she went in to her friend

47:04.370 --> 47:06.673
who was the VP of sales and said dude man,

47:06.673 --> 47:08.811
they are screwing you
over look at this compared

47:08.811 --> 47:12.232
to so and so. He got pissed
off, went into the CEO's office

47:12.232 --> 47:14.807
and started yelling, and he got fired.

47:14.807 --> 47:17.251
So I was like oh man,
glad I wasn't the dumb one

47:17.251 --> 47:19.651
to do that, and the
reason to wrap this back

47:19.651 --> 47:22.165
into share permissions, what happened was

47:22.165 --> 47:24.177
it was an innocent mistake.

47:24.177 --> 47:27.803
Somebody from HR took the
file and dropped it into

47:27.803 --> 47:31.230
a folder that was a public, you know,

47:31.230 --> 47:32.517
a shared folder on a network.

47:32.517 --> 47:34.160
And it shouldn't have been there.

47:34.160 --> 47:36.072
But again, she had the
permissions to fully control

47:36.072 --> 47:39.567
and to move that thing, so.

47:39.567 --> 47:41.417
(inaudible speech)

47:41.417 --> 47:43.095
Yeah, what was that?

47:43.095 --> 47:46.454
- [Student] Why would HR
have the ability to move

47:46.454 --> 47:48.450
the sales file.

47:48.450 --> 47:49.931
- Well it wasn't, it
was an HR related file.

47:49.931 --> 47:53.866
Yeah, say that again, that
was inherited permissions.

47:53.866 --> 47:55.118
Yeah, tell me about that.

47:55.118 --> 47:58.013
- [Student] That's when
upper level permissions

47:58.013 --> 47:59.015
can carry through.

47:59.015 --> 48:03.200
(inaudible speech) inherited
permission from the top level.

48:03.200 --> 48:04.467
- That's right, so we're
gonna see a little,

48:04.467 --> 48:06.005
there's a diagram on that I think tomorrow

48:06.005 --> 48:07.733
talking about inherited permissions.

48:07.733 --> 48:10.542
And if you're not careful, you
can actually take something

48:10.542 --> 48:15.229
that's supposed to be, that's
supposed to be restricted

48:15.229 --> 48:18.560
or it's open or whatever the case is,

48:18.560 --> 48:20.120
either way, and you give it,

48:20.120 --> 48:21.765
you move it to a different location and it

48:21.765 --> 48:23.541
doesn't carry the same permissions.

48:23.541 --> 48:25.175
The next thing you know
you just opened it up to

48:25.175 --> 48:29.343
whoever, you know,
whoever wants to see it.

48:30.303 --> 48:31.785
Storage encryption.

48:31.785 --> 48:33.901
This is pretty common.

48:33.901 --> 48:38.901
This is data at rest, the
idea that you want to keep it

48:38.932 --> 48:43.370
encrypted, there's nothing new there.

48:43.370 --> 48:45.000
I got a good backup
story but I'll save that

48:45.000 --> 48:47.123
for tomorrow when we're
talking about backups.

48:50.250 --> 48:52.283
Encryption hardware, okay.

48:53.620 --> 48:56.930
Your laptops probably
have your hard disk is

48:56.930 --> 48:58.010
probably encrypted.

48:58.010 --> 49:00.220
Your key is probably on your CAC,

49:00.220 --> 49:01.880
I don't know this for
a fact but I'm guessing

49:01.880 --> 49:03.009
it's the way it works.

49:03.009 --> 49:07.248
Smart card, you can do USB.
Oh, that's a good term to know.

49:07.248 --> 49:09.866
TPM, trusted platform module.

49:09.866 --> 49:12.000
Anytime you see TPM, what
they're talking about

49:12.000 --> 49:16.840
is encryption that
takes place on the chip.

49:16.840 --> 49:20.130
Alright, on the actual chip,
hence the trusted platform.

49:20.130 --> 49:22.600
Remember when I did the
rings and I said you know,

49:22.600 --> 49:24.930
ring zero, you're either in or you're out?

49:24.930 --> 49:27.970
Remember that, with ring architecture?

49:27.970 --> 49:30.567
Well ring zero is the trusted,

49:30.567 --> 49:33.853
I call it the TCB, the
trusted computing base, right?

49:33.853 --> 49:36.537
The strict definition is all the hardware,

49:36.537 --> 49:38.400
software, and firmware that make up the

49:38.400 --> 49:41.610
protective mechanisms of the system.

49:41.610 --> 49:46.610
TPM, which is the chip on the motherboard,

49:46.660 --> 49:49.440
what ring do you think that thing is in?

49:49.440 --> 49:52.040
Ring zero, right, it's part
of the trusted platform.

49:53.410 --> 49:55.298
The HSM hardware security module,

49:55.298 --> 49:57.690
like it says, it's external device.

49:57.690 --> 49:59.590
Still labeled to do encryption though.

50:01.690 --> 50:03.003
Alright, let's see.

50:08.220 --> 50:10.709
Windows encryption,
encrypting file system, EFS.

50:10.709 --> 50:13.770
That's just for personal,
I don't think I've ever

50:13.770 --> 50:14.603
used that actually.

50:14.603 --> 50:16.750
Has anybody used EFS before?

50:16.750 --> 50:20.240
Controlled by individual user,
intended for personal files?

50:20.240 --> 50:21.735
I don't know that I've ever used it.

50:21.735 --> 50:23.960
- [Student] Put a password on a database?

50:23.960 --> 50:25.299
- [Man] Yeah, you could do
that, yeah or like an Excel

50:25.299 --> 50:26.860
spreadsheet or something?

50:26.860 --> 50:28.034
Yeah, that's a good example.

50:28.034 --> 50:29.901
- [Student] So our access database,

50:29.901 --> 50:31.020
they used to have a password.

50:31.020 --> 50:32.166
- Oh, access wow.

50:32.166 --> 50:34.573
Love it, yeah.

50:38.329 --> 50:40.089
BitLocker's pretty common.

50:40.089 --> 50:43.351
If you want to encrypt a
whole volume of data, right?

50:43.351 --> 50:48.321
You can use it for whole disk encryption,

50:48.321 --> 50:51.143
full disk encryption,
however you want to put it.

50:53.600 --> 50:57.150
Okay, here's the encrypting,
this is the EFS example, right?

50:57.150 --> 50:58.590
If you want to do encrypt it,

50:58.590 --> 51:00.600
you can go ahead and just
go under the file properties

51:00.600 --> 51:03.680
and it says encrypt
contents to secure data,

51:03.680 --> 51:04.570
there you go.

51:04.570 --> 51:07.690
They give you an example
of BitLocker here, right?

51:07.690 --> 51:11.340
BitLocker, you can either use the TPM,

51:11.340 --> 51:12.540
this is supposed to be a chip.

51:12.540 --> 51:14.340
You can't, I don't know if
you can see that or not.

51:14.340 --> 51:15.173
It's a little chip.

51:15.173 --> 51:17.469
That's the trusted platform module

51:17.469 --> 51:20.550
inside the chip.

51:20.550 --> 51:23.179
You also have potentially a startup key

51:23.179 --> 51:25.214
or some kind of a USB
type key that has a PIN

51:25.214 --> 51:30.140
or password, and you can have
the secondary key as well,

51:30.140 --> 51:31.513
software based.

51:35.850 --> 51:38.200
Here's how you enable
BitLocker if you want to.

51:39.913 --> 51:41.470
Does anybody ever use BitLocker?

51:41.470 --> 51:43.360
I don't think I've ever used it, but.

51:43.360 --> 51:44.193
You use it?

51:44.193 --> 51:45.098
Okay, good.

51:45.098 --> 51:48.015
(inaudible speech)

51:53.400 --> 51:55.217
So you better make sure you what the key?

51:55.217 --> 51:58.369
So he was saying that
if you have a contract

51:58.369 --> 52:00.269
you got to make, basically
have a secure copy

52:00.269 --> 52:01.492
of the key right?

52:01.492 --> 52:03.317
'Cause he was saying if
you have a contractor,

52:03.317 --> 52:05.937
and they have that thing
and they lock it all down

52:05.937 --> 52:08.140
and you don't have a copy
of that key and they leave,

52:08.140 --> 52:10.350
well then, you got a problem, right?

52:10.350 --> 52:11.553
Same thing we talked about
when we're talking about

52:11.553 --> 52:14.250
backing up keys and PKI, right?

52:14.250 --> 52:15.195
Public key infrastructure.

52:15.195 --> 52:17.413
How do you destroy media?

52:17.413 --> 52:19.780
Well there's all kinds
of ways of doing it.

52:19.780 --> 52:22.370
Pulverizing, I love it.

52:22.370 --> 52:23.620
I love that word pulverizing,

52:23.620 --> 52:25.900
I just think it's so visually descriptive.

52:25.900 --> 52:28.570
Reduces media to loose fibers.

52:28.570 --> 52:30.051
That sounds fantastic.

52:30.051 --> 52:33.003
Pulping, of course, similar thing.

52:33.870 --> 52:35.410
I like the word slurry as well.

52:35.410 --> 52:37.570
You don't hear that often enough.

52:37.570 --> 52:41.300
Incineration, burning
into unrecognizable ash,

52:41.300 --> 52:44.304
as opposed to recognizable ash, so.

52:44.304 --> 52:45.702
- [Student] Pulping works
really well actually,

52:45.702 --> 52:47.727
instead of using the shredder,

52:47.727 --> 52:52.727
we just put the shredder
(inaudible speech)

52:52.900 --> 52:54.632
- Oh really, okay.

52:54.632 --> 52:59.632
Wow, so it's just faster
and more efficient

53:00.504 --> 53:03.020
than trying to feed it
into the damn shredder.

53:03.020 --> 53:04.728
That's interesting,
never done that before.

53:04.728 --> 53:07.170
I like it when they
take stuff like hammers

53:07.170 --> 53:10.220
and beat the crap out of
a hard drive or something

53:10.220 --> 53:14.800
and destroy the platters and yeah.

53:14.800 --> 53:16.450
Yeah they have industrial shredders too

53:16.450 --> 53:19.127
where you can do that and you dump it in

53:19.127 --> 53:22.370
and all of a sudden it's just
a bunch of small metal bits

53:22.370 --> 53:23.670
that comes out the other end.

53:23.670 --> 53:25.350
My wife threatens me with that a lot.

53:25.350 --> 53:26.850
That and the chipper shredder.

53:29.870 --> 53:31.730
Securely erasing data.

53:31.730 --> 53:32.838
Oh that's a good one.

53:32.838 --> 53:34.127
Remember I talked to
you about that before,

53:34.127 --> 53:35.648
and people say like, but I deleted it.

53:35.648 --> 53:38.350
No you didn't, you deleted the pointer,

53:38.350 --> 53:39.760
that's all you did.

53:39.760 --> 53:42.328
So there's different ways
to delete or erase data.

53:42.328 --> 53:45.030
They give you a bunch of
different examples here,

53:45.030 --> 53:46.604
but they do have programs that go through

53:46.604 --> 53:49.270
and do like, overwrites.

53:49.270 --> 53:52.380
So it'll write over all zeros and ones

53:52.380 --> 53:56.020
in all sectors, and it
will do that 11 times

53:56.020 --> 53:58.520
or whatever, and then finally
it's been overwritten

53:58.520 --> 54:01.170
enough that you couldn't
recover it if you wanted to.

54:02.650 --> 54:04.639
What does SSD stand for?

54:04.639 --> 54:07.777
Solid state drive, right?

54:07.777 --> 54:09.590
Can be difficult to securely erase.

54:09.590 --> 54:10.950
I don't know that I've
ever had to do that,

54:10.950 --> 54:11.985
I'm sure that I have not.

54:11.985 --> 54:13.610
And I can understand why,

54:13.610 --> 54:14.920
and a lot of our computers
now have SSDs, right?

54:14.920 --> 54:19.920
And there's definitely, heck
I remember hearing stories

54:20.385 --> 54:23.094
about people just not
with SSD, but with RAM,

54:23.094 --> 54:25.644
and people freezing the
RAM to hold electrons

54:25.644 --> 54:28.954
in place, and they can
go ahead and you know,

54:28.954 --> 54:30.530
get out what was in RAM.

54:30.530 --> 54:32.728
So I can imagine a SSD
would be even harder

54:32.728 --> 54:36.056
'cause it's not even
something that gets flushed

54:36.056 --> 54:38.500
like RAM does.

54:38.500 --> 54:40.844
- [Student] And they have
limited like capabilities.

54:40.844 --> 54:43.522
(inaudible speech)

54:43.522 --> 54:45.619
- Oh really, yeah.

54:45.619 --> 54:47.334
(inaudible speech)

54:47.334 --> 54:49.380
Oh really, the SSDs do?

54:49.380 --> 54:51.113
Oh, alright, better not save much.

54:52.200 --> 54:53.850
Good to know.

54:53.850 --> 54:56.040
Alright, let's see what
we got here for quizzing.

54:56.040 --> 54:57.940
Which Windows encryption
tool can protect the,

54:57.940 --> 54:59.962
oh the entire system volume?

54:59.962 --> 55:03.429
Yeah, BitLocker, that's
exactly what you guys use.

55:03.429 --> 55:08.429
Your organization has a
degausser in the basement.

55:08.780 --> 55:10.880
Oh okay, I'll tell you a
story about that in a minute.

55:10.880 --> 55:12.875
What media can you use
to securely destroy,

55:12.875 --> 55:15.080
choose all that apply.

55:15.080 --> 55:16.295
Hard drives and tapes, yeah,

55:16.295 --> 55:18.041
anything that's magnetic is the answer.

55:18.041 --> 55:23.041
So quick story, I was
teaching a CISSP class

55:24.130 --> 55:26.830
one time and we were talking
about degaussing, right?

55:26.830 --> 55:29.427
Degaussing is nothing more
than a really strong magnet.

55:29.427 --> 55:31.597
And I remember back in
the old days like I used

55:31.597 --> 55:33.440
to have a speaker, a big old speaker,

55:33.440 --> 55:35.468
and of course speakers
are driven by magnets.

55:35.468 --> 55:37.166
If you put anything on
there that's electronic,

55:37.166 --> 55:39.097
it ends up screwing it up or if you put

55:39.097 --> 55:41.514
a speaker on top of
your TV in the old days,

55:41.514 --> 55:43.967
you'll notice your TV
started doing weird shit.

55:43.967 --> 55:47.019
So but one of the guys in
my class was a forensics

55:47.019 --> 55:51.583
investigator out of
Florida, and he said that,

55:51.583 --> 55:54.096
he told me this one story, this is insane.

55:54.096 --> 55:57.570
So they had a guy that
was working with the FBI,

55:57.570 --> 55:59.531
and they had a guy that
they had been tracking

55:59.531 --> 56:02.188
and suspected of, among other things,

56:02.188 --> 56:06.720
a lot of selling of dope
and child pornography.

56:06.720 --> 56:08.740
They've been watching
this guy for a long time,

56:08.740 --> 56:11.263
they were finally prepared
to raid his house.

56:11.263 --> 56:13.830
So they raid his house, they go in,

56:13.830 --> 56:16.370
and they find his office

56:16.370 --> 56:17.780
or whatever and they find his computer.

56:17.780 --> 56:18.660
He's not there.

56:18.660 --> 56:22.798
They take his computer,
and they give the computer

56:22.798 --> 56:25.517
back to the lab expecting
to find all this stuff,

56:25.517 --> 56:27.670
and the computer was,
when they got it there

56:27.670 --> 56:28.670
and they hooked it up,

56:28.670 --> 56:30.428
it was basically empty,
and when I say empty,

56:30.428 --> 56:32.939
like there was like nothing on it.

56:32.939 --> 56:34.894
And they were like what the hell.

56:34.894 --> 56:37.379
As it turns out, they found
this out in retrospect.

56:37.379 --> 56:41.598
What the guy had done
is that in his house,

56:41.598 --> 56:45.810
inside of the doorways,
he had put degaussing

56:45.810 --> 56:47.906
equipment, so that if
you took the computer

56:47.906 --> 56:51.033
and walked it through
the house getting it out,

56:51.033 --> 56:56.033
it would start to destroy
the data on the drive.

56:56.083 --> 56:58.666
And I was like that's genius in one way,

56:58.666 --> 57:01.439
and maybe you should have
thrown it out the window

57:01.439 --> 57:03.365
to somebody below, that might have helped.

57:03.365 --> 57:04.606
But they didn't know that.

57:04.606 --> 57:07.110
But then I'm also thinking
about that's gotta

57:07.110 --> 57:08.860
be bad for your health and other things.

57:08.860 --> 57:10.240
Like you're trying to
walk through the doorway,

57:10.240 --> 57:11.510
I don't know what's
going to happen to you,

57:11.510 --> 57:12.370
but it's got to be bad.

57:12.370 --> 57:13.480
But I was like are you kidding me?

57:13.480 --> 57:16.040
He's like no, they ended
up, I don't remember what

57:16.040 --> 57:18.165
the outcome was, but in
terms of trying to find

57:18.165 --> 57:20.778
the child pornography and
stuff, they didn't have anything

57:20.778 --> 57:22.900
by the time they got the thing down there.

57:22.900 --> 57:24.069
It destroyed almost everything.

57:24.069 --> 57:26.986
(inaudible speech)

57:28.600 --> 57:33.480
Yeah, well it wasn't even on then.

57:33.480 --> 57:36.130
But the point was that
the degaussers were taking

57:36.130 --> 57:37.752
care of the hard drive
'cause it wasn't a solid

57:37.752 --> 57:38.780
state hard drive.

57:38.780 --> 57:41.400
It was just back in the old
days with a platter and stuff.

57:41.400 --> 57:44.050
So it was still going
through, it was close enough

57:44.050 --> 57:46.732
to the magnetic field to corrupt the data.

57:46.732 --> 57:48.172
Like that's pretty messed up.

57:48.172 --> 57:52.739
What cryptographic tool is commonly built

57:52.739 --> 57:54.490
into the motherboard?

57:54.490 --> 57:57.230
Oh, we talked about this, yep TPM.

57:57.230 --> 57:58.567
The trusted platform module, right?

57:58.567 --> 58:00.438
Part of ring zero.

58:00.438 --> 58:04.050
Oh there's an answer for you already up.

58:04.050 --> 58:05.163
That probably shouldn't work like that.

58:05.163 --> 58:08.300
What might protect users from copying

58:08.300 --> 58:10.431
sensitive data files to external media.

58:10.431 --> 58:13.590
Yeah, so DLP, I gave you the example

58:13.590 --> 58:14.423
of going out through the internet,

58:14.423 --> 58:19.423
but DLP can also work
with like it says there,

58:19.682 --> 58:22.010
with media, external media.

58:22.010 --> 58:23.528
So if you want to copy
something onto a thumb drive,

58:23.528 --> 58:28.528
it would be able to control that locally.

58:32.490 --> 58:35.670
Big data, oh, shouldn't be confused,

58:35.670 --> 58:37.550
why is this even in here.

58:37.550 --> 58:39.910
Big data shouldn't be
confused with cloud storage.

58:39.910 --> 58:42.030
Well yeah, those are two different things,

58:42.030 --> 58:43.607
but I don't understand why it's in here.

58:43.607 --> 58:48.597
Alright, have you guys heard
the term big data before?

58:48.597 --> 58:51.934
Big data, I mentioned it
a little bit the other day

58:51.934 --> 58:53.810
when I mentioned the difference between a

58:53.810 --> 58:56.890
standard database which is
called a relational database,

58:56.890 --> 59:01.890
versus when you're talking
about NoSQL, NoSQL.

59:02.563 --> 59:03.573
A NoSQL database.

59:03.573 --> 59:07.210
A NoSQL database is a form
of a database that holds

59:07.210 --> 59:08.120
big data.

59:08.120 --> 59:11.700
Big data just means if
you were to look it up,

59:11.700 --> 59:14.670
big data talks about the three V's.

59:14.670 --> 59:19.420
Veracity I think, volume,
veracity, and shit,

59:21.330 --> 59:22.403
what's the third V?

59:23.690 --> 59:25.246
I'll think of it later and tell you but

59:25.246 --> 59:27.567
the idea is that a lot
of stuff in the world now

59:27.567 --> 59:30.150
is a lot of big data, so it can be files,

59:30.150 --> 59:33.303
it can be huge, it can
be huge image files,

59:33.303 --> 59:35.770
like medical imaging is a great example.

59:35.770 --> 59:37.669
Like X-rays and all those
things that are now digital,

59:37.669 --> 59:40.493
would be part of a big data store.

59:45.270 --> 59:46.863
Your organization has a critical database

59:46.863 --> 59:49.630
full of customer PII, good to know.

59:49.630 --> 59:52.730
And a new employee was
just authorized to use it.

59:52.730 --> 59:54.813
How would you best describe
the role the system

59:54.813 --> 59:57.950
administrator who
configures the, well okay,

59:57.950 --> 59:59.032
you should know that.

59:59.032 --> 01:00:01.460
Who's, the data custodian, that's right.

01:00:01.460 --> 01:00:02.753
That's the person who
takes care of the data

01:00:02.753 --> 01:00:07.753
from a, on a daily basis in
terms of security, so good.

01:00:08.450 --> 01:00:09.283
That was easy.

01:00:10.470 --> 01:00:11.892
Alright, let's take a break.

01:00:11.892 --> 01:00:16.383
Come back at 11:15 please.

