Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:29):
And and.
Welcome to Technology Tap.
I'm Professor J-Rod.
Hey guys, guess who's back this episode.
I'm going to tell you what I've been doing the last year and dive into Security+.
Hey guys, guess who decided to come back and do this thing
(01:00):
again?
What was I thinking?
No, I've kind of missed doing this.
For those of you who don't know me, my name is Professor J-Rod.
I'm a professor of cybersecurity and I make this podcast to help people with their Security+, A+ and Network+.
And I've been away for a year.
(01:21):
Yeah, I've been away for a whole year and it's because, you know, I had some stuff coming up.
Those of you who know me and have been following me here on this platform know that I was doing my doctorate, and doing the
(01:42):
doctorate took a toll on me physically, mentally, emotionally.
It was draining.
It was a lot of work. Not that I was skinny to begin with, but I gained 35 pounds the last year of me doing the dissertation.
So I kind of wanted to focus on my health, my mental health,
(02:03):
and I had stuff going on at work, my full-time, my part-time, so I was kind of out of it trying to get that stuff sorted.
So the good news is I lost over 50 pounds since October of 2024 until now, today's August 20th.
I'm glad about that. Been trying
(02:27):
to enjoy life a little bit more.
Uh, has the thing settled at work for the part-time?
Yes, you know, the part-time stuff, the part-time job is way better, you know, I really like it.
I really love my part-time job, my full-time job.
You know, there's something that happened last year, last summer,
(02:49):
for those of you who know.
You know, still haven't gotten over it, probably will never get over it.
Calm and carry on, right.
Uh, it's a British saying, uh, keep calm and carry on.
So I've, you know, I've kind of, uh, has it gotten better?
(03:11):
The spring semester was a lot better than the fall semester, uh, you know.
So hopefully things will get better.
Um, I kind of want to get into that mindset of just do you.
But I kind of can't, because you know then I can't do what I do for my students, and that's my main goal, is to do
(03:33):
stuff for the students and try to block out other stuff that's going on.
And you know, I actually went last summer, I spent a lot of time actually looking for another job, and I got companies who, not companies, just other institutions, educational institutions that wanted to hire me.
I turned it down. Various reasons.
(03:56):
Pay, location. There was a really good one, but it was so I had to move.
There was one that was really close to me, where I live.
I had to turn that down.
The pay was okay, but the insurance was terrible.
Insurance was, you know, I was already gonna make less and then I had to pay an enormous amount of money for insurance, which
(04:20):
was even gonna take my pay down even less.
So I decided to stay where I'm at and, you know, I'll just focus on myself and on the students and, you know, just keep the other noise out.
You know, I guess I was looking for validation last summer that
(04:45):
I was valued.
You know, that I bring value to companies or to schools, and I feel that I do.
Um, you know, my students for the most part like me, and not everybody likes me.
You know, I'm more aware of that and I can't do anything about it if they don't, um, but um, I mean I
(05:10):
can and I try, but this, the, you know, it gets to a point that you really can't do much.
So you know I'm back.
I'm gonna try to do this podcast, uh, get it up and running.
I was looking through the numbers and I saw the Security+.
That's like the most popular one, for whatever reason.
(05:30):
Anytime I do something about Security+, I get a high number of views or whatever, downloads, whatever you call it, downloads.
Right, and you know, I think I'm going to continue, I'm going to try to continue with it, but I'm going to add a new, you know, different twist to it.
(05:50):
I will add like questions at the end, and then maybe we'll talk about stuff that happens in the news.
Right, if we see a breach, come up here and talk about it.
Talk about the breach, because these are important stuff for us to do.
You know, AI is really big.
(06:11):
Since the last time we talked, it has exploded.
You know, people, listen, I like AI and I use AI.
This podcast, the stuff that I'm going to read to you, I got it from the slides that I use, but I kind of fed it into
(06:37):
ChatGPT to kind of make it readable and kind of concise.
And you know, listen, AI is here to stay.
AI is not going anywhere.
We just have to embrace it and use it very smart, right?
(06:58):
Do I think it's going to take some people's jobs?
Yeah. Is it going to take my job?
I don't know.
Maybe. Right.
But hopefully by the time that it does I'm retired, so I don't have to deal with worrying about losing my job.
(07:20):
So, yeah, but yeah, let's start.
Let's start with the Security+, the 701.
Right?
So information security refers to the practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
(07:41):
It ensures the three pillars, the triad, right, of cybersecurity: confidentiality, integrity and availability of data, whether stored, processed or transmitted.
So confidentiality ensures that data is only accessible to those authorized to view it.
Techniques for confidentiality include encryption, access
(08:04):
control, authentication.
Integrity ensures that data remains accurate and unaltered unless modified in authorized ways.
Hashing, checksums and digital signatures are used.
Availability ensures that information and systems are accessible when needed, using redundancy, fault tolerance, DDoS protection and backups.
(08:27):
Core areas of information security. Risk management: identify, assess and mitigate risk to information systems.
Access control: managing who can view or use resources.
Cryptology: securing data using encryption and digital signatures.
Incident response: detecting, responding to and recovering
(08:48):
from security breaches.
Security policies and procedures: organizational rules for securing data and systems.
Security awareness and training: educating users about safe computing practices, which we must do.
That's, you know, that the insider, the guy sitting at his keyboard, is our biggest enemy.
(09:10):
It's not the guy sitting in the basement, guys in his mom's basement, it's the guy who has bypassed the infrastructure, who's actually physically there at the location.
He's the guy you got to worry about the most. Uh, related fields: physical security, right.
You also got to worry about that, guards, physical access to
(09:31):
the systems and data centers, and then you have your compliance and legal issues, right, whatever regulations that your company or organization falls under.
Next is cybersecurity frameworks.
It's a structured set of guidelines, best practices and standards used to manage and reduce cybersecurity risk.
It helps an organization identify, protect, detect,
(09:52):
respond to and recover from cyber threats in a consistent and measurable way.
Here are some of the most widely used cybersecurity frameworks.
First, you have the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology in the US.
It's widely adopted across industries.
It has five core functions.
(10:13):
Identify: understand assets, risk and governance.
Protect: implement safeguards to limit or contain impact.
Detect: develop activities to identify cybersecurity incidents.
Respond: take action after a cybersecurity incident occurs.
Recover: restore capabilities and services after an incident.
(10:46):
Next, we have the ISO/IEC 27001 and 27002, international standards for managing information security management systems.
27001 specifies the requirements for establishing, implementing, maintaining and improving an information security management system.
And 27002 provides best practice for controls.
(11:06):
Next, we have CIS Controls, Center for Internet Security, a set of 18 prioritized and actionable security controls categorized into three categories: basic, foundational and organizational.
And then COBIT, Control Objectives for Information and Related Technologies, developed by ISACA.
COBIT focuses on governance and management of enterprise IT,
(11:30):
blending cybersecurity with business objectives.
Next, we have HIPAA, PCI DSS, GDPR, compliance-driven frameworks.
These are regulatory frameworks specific to different industries: HIPAA is healthcare, PCI DSS is payment card and GDPR
(11:58):
is data protection and privacy in the EU.
So why do we use a cybersecurity framework?
It standardizes security practice, aids in compliance and audit readiness, improves risk management, aligns cybersecurity with business goals and enhances communications with stakeholders.
Now, choosing the right framework, it depends on your organizational type, right?
(12:18):
So that's how you use it.
So, whatever organizational type you fall under, you use that recommended framework.
So, if you fall into HIPAA, I'm sorry, healthcare, you use HIPAA.
You use NIST, right.
If you're a global enterprise, you use ISO/IEC 27001, right.
So you use those.
(12:40):
Gap analysis in cybersecurity.
Gap analysis is a method used to assess the difference between an organization's current cybersecurity posture and its desired or required security standard.
Gap analysis, what is a gap analysis?
A gap is the missing piece between where you are and where you want to be or you need to be.
(13:02):
Gap analysis helps identify weaknesses, vulnerabilities and noncompliance in your security controls, policies or practices.
Steps in conducting a cybersecurity gap analysis. Well, first you got to define a framework or standard that your organization falls under, right.
What is your benchmark?
Is it NIST?
Is it PCI DSS?
(13:23):
Right, what is it?
Next, you're going to assess the current state: conduct interviews, surveys, audits and technical assessments, review existing policies, procedures and controls.
Next, you're going to compare current versus desired state.
You're going to map existing controls to framework requirements, identify missing, incomplete or ineffective
(13:43):
controls.
Next, you're going to identify gaps: document areas of noncompliance or high risk, classify gaps by severity, critical, moderate or low.
Then you're going to develop a remediation plan.
Prioritize gaps based on risk and business impacts.
Assign resources, timelines and responsibilities to your team
(14:04):
members.
Monitor and reassess.
Track implementation of corrective actions.
Reassess periodically or after major changes.
So that's not bad.
So let's say you have a control requirement, that you need to have multi-factor authentication, and the current status is it's not implemented.
You identified the gap, which is you need to have MFA.
(14:28):
That priority should be high, and then you implement an MFA solution.
What are the benefits of gap analysis?
It ensures compliance with regulation, improves risk visibility, aligns security with business goals, justifies budgets and resource requests, guides roadmaps for security
(14:49):
program development.
Next, we have access control.
Access control refers to the methods and policies used to regulate who can access or use information systems, resources and data, and under what conditions.
It's a foundational concept in protecting CIA, confidentiality,
(15:10):
integrity and availability.
So there are five types of access control models that we're going to talk about.
First is discretionary access control, or DAC, owner control.
The resource owner decides who can access it. Common in consumer OS like Windows file sharing. Flexible but less secure.
(15:33):
Then you have mandatory access control, or MAC, system-enforced policies.
Access is based on labels: top secret, secret, public, private, confidential. Used in military, government.
Users cannot change access permissions.
Role-based access control, or RBAC: access is based on the user's role
(15:57):
in the organization. Central to enterprise systems.
The example: HR personnel have access to employee records, but they don't have access to financial records.
Attribute-based access control: access is determined by evaluating attributes, users, resource, environment, and the example they give here,
if a user is a manager and accessing from a company device
(16:21):
and during business hours, then you can allow them to do that, as opposed to maybe not letting them after business hours.
Right, rule-based uses predefined rules to allow or deny access, often seen in firewalls and routers.
That's the clue, right there, guys.
Often seen in firewalls and routers.
(16:41):
Example: deny all traffic from IP whatever during the weekends.
So, access control mechanisms, right.
Identification: who is the user?
Authentication: can you prove it?
Authorization: what are you allowed to do?
Accounting: what did you do and when?
(17:03):
This is often referred to as the AAA, authentication, authorization and accounting, which we will go over.
A couple of last things that I want to go over before we get to the questions.
Principles of good access control, right. Least privilege:
(17:24):
grants only the permissions a user needs, nothing more.
Right, they don't need to have access to everything if they're, you know, a tech.
Separation of duties: split critical tasks among multiple users to reduce fraud.
Right, the signing of two checks.
Right, you need two users to sign like an amount over, like
(17:45):
$5,000, right, that's an example of separation of duties.
Need to know: even authorized users should access only necessary data.
Right, you don't need to see this, they shouldn't give you rights for it.
Time-based or context-based access: limited access based on business hours or geolocations.
(18:06):
Companies do that now.
They only give you access, you know, if you work somewhere else, they know, they won't, right, some of your stuff won't work.
Access control technologies: you have access control lists, file, folder or firewall-based rules.
Single sign-on: one login to access multiple systems.
Federated identity: cross-organization identity using
(18:30):
Google or Microsoft, or your Microsoft login, to log into different stuff.
And multi-factor authentication: combines two or more authentication factors.
So an example scenario: an employee logs into the HR portal using multi-factor. Based on RBAC, she can view employee salary information but cannot edit it unless she is part of the payroll team.
(18:51):
Access is further restricted outside of office hours using ABAC.
Right, attribute-based access control.
So all right.
So now let's get to the questions.
I'm going to give you five questions based on what we just
(19:12):
went over and I'm going to read it, I'm going to give you the choices, I'm going to pause for a little bit and then, you know, you see if you got the answer right. I will put this on TikTok.
So if you want to follow me, Professor J-Rod, that's professor, and then J-R-O-D, I'll put these questions up, and sometimes
(19:32):
people are better, like, they're looking at it rather than answering it.
So here's the first question.
A hospital IT department grants all nurses access to patient records, but restricts prescribing medications to doctors only.
Which access control model is being implemented?
A, discretionary; B, role-based; C, mandatory; D, rule-based.
(19:54):
Give me a couple of seconds.
All right, this one's easy.
It's role-based, right.
Yes, a nurse can look at the hospital records, but she cannot prescribe medication.
Next is role-based control.
I'm sorry, I just gave you the answer.
(20:16):
All right, let's skip that one.
Next, a military system classifies documents as confidential, secret or top secret.
Users are allowed to access information if their clearance level matches or exceeds the classification.
Which method is being used?
A, rule-based; B, role-based; C, discretionary; D,
(20:37):
mandatory.
I'll give you a couple of seconds there to think about it.
What do you think the answer is?
The answer is D, mandatory access control.
Next we'll do: a project manager creates a shared folder and manually grants access to only two team members while denying access to others.
Which access control model is applied?
(20:58):
A, mandatory; B, discretionary; C, rule-based; D, role-based.
Oh, I'm sorry, C is role-based, D is rule-based.
Think about it a couple of seconds.
What do you think?
The answer is B, discretionary.
And it makes sense, right, because she's using her own discretion.
That's the clue.
(21:18):
And the other clue is shared folder.
That's the other clue.
That means that it's her computer, it's an OS thing.
Here's one a little tougher.
A company requires that employees are grouped together by department to determine their access.
Firewalls enforce filtering rules regardless of roles, and
(21:42):
certain highly sensitive files are only available to executives with an explicit clearance level.
Which combination of access control models is being used?
Now, the key here is to make sure whatever answer you choose checks off all the requirements that they're giving you.
So here they're giving you three requirements.
Make sure that they check off.
I've seen this a lot with students: they see two, and then they just
(22:05):
go with that one.
So the biggest example I can think of is the A+ exam, where there was a question that was like, oh, which of the following cables does audio, video and data?
And people see HDMI and they pick that one because it does
(22:26):
audio, video, but it doesn't do data.
So, regardless, even if you don't know what the other, you know, they have three other choices, even if you don't know what the other three choices mean, or you never heard of them.
If you only heard of HDMI and you know about HDMI, you know it doesn't do data, at least today, right?
(22:46):
So you know you can't choose that one because it didn't meet all the three requirements.
So anytime you have that choice, when they give you like, oh, it's more than one, or they use the word "and", make sure that you are covering both or all the requirements that they're asking you to.
Because if they don't, then it's going to be wrong, all
(23:08):
right.
So here's the choices. Role-based, rule-based and MAC is A; B is discretionary, role-based and rule-based; C is rule-based and discretionary only; and D is mandatory.
So let me read the question again, cause I talked a lot in
(23:29):
between.
A company requires that employees are grouped by departments to determine their access.
Firewalls enforce traffic filtering rules regardless of roles, and certain highly sensitive files are only available to executives with explicit clearance levels.
So which combination of access controls is being used?
(23:51):
A, role-based, rule-based and MAC; B, DAC, role-based and rule-based; C, rule-based and DAC only, discretionary, that's DAC; and D is mandatory only.
So I'll give you a couple of seconds to think about it.
And the answer is, what do you think?
(24:13):
The answer is A, role-based, rule-based and MAC, right.
Mandatory, right, mandatory is right, highly sensitive information, right.
Rule-based is the firewall, right, and it's in the definition that I gave you.
I gave you that hint in the definition that I gave you.
(24:36):
And then role-based is employees are grouped together by departments, right?
That's the role that they're playing.
So, all right, that's going to put a bow on it today.
I want to thank everybody who came back or is planning on coming
(24:57):
back to listening to me.
I miss doing this and hopefully I can keep doing it, and if you keep encouraging me, I'll keep doing it.
You keep listening, I'll keep doing it.
Nobody listens, I'll stop doing it. And even after a year of me not doing it, people were still listening, so I'm happy. Until next time.