CompTIA Security+ Full Course for Beginners - Module 1 - Fundamental Security Concepts
By BurningIceTech
Summary
Topics Covered
- Forget AIC: The CIA Triad Is the Only Term That Matters
- How Email Integrity Can Be Compromised
- White Hat Hackers Must Think Like Criminals
Full Transcript
Howdy folks, welcome to module one of Security+. This version of the course is based on the SY0-701 version of Security+, which is currently the latest version of the course at the time of this recording. This version of the course can, however, also be used to study for newer versions of the course if they eventually do come out, since the content generally stays about 95% the same. So yeah, if a newer version comes out, you can also use this to study for that.

Now, as for this first module of the course, as you can see it is called Fundamental Security Concepts. Now folks, if you're new to my channel or to this course: the full official course consists of 16 modules, and that is exactly how I will deliver it here on this channel. There will be a full dedicated video to cover each of the 16 modules of this course, and by the end of the course you should be able to sit the official certification exam associated with this course.

All righty, and then folks, as for the objectives that will be covered in this first module of the course, there are three of them. The first one is summarize information security concepts, so we'll be covering that objective. The second objective is compare and contrast security control types, and then the third and last objective in this module will be describe security roles, goals and responsibilities. So by the end of this module we will have covered all three of those objectives.

As for the agenda for this module, folks, there are two main sections. The first is security concepts, which we'll dive into in just a few moments. The second main section is security controls.

All right, and then lastly folks, before we start learning: if you haven't done it already, do your homie here a favor and give this video a like. It does take a lot of time and a lot of effort to create these lessons, so yeah, you'll be helping your brother out. Then also, if you'd like to know when the next module of this course comes out, or any of my other content for that matter, maybe also consider subscribing. All right, and with all of the formalities now out of the way, let's dive into module one.
All right folks, let's start with that first main section: security concepts. Within this first main section, the first topic up is information security, so what we're going to be talking about here is the CIA Triad. There's a bit of a picture for you guys there on the right-hand side, but the first thing I want to mention about this, folks, is that this is not to be confused with the federal authority in the United States of America. It's not the same CIA. That CIA in America stands for Central Intelligence blah blah blah; they investigate and all that kind of stuff. This is absolutely not the same thing. This CIA stands for confidentiality, integrity and availability, as you guys can see in my triangle that I've got for you there on the top right-hand side.

Now apparently, according to CompTIA, due to the confusion with the American authority and blah blah blah, CIA is sometimes referred to as AIC. It's literally the same letters, just in reverse. Now, I can tell you guys from experience that's total hogwash, that's nonsense. Nowhere in any manual will you see that, it's not asked in any exam, and absolutely nobody in real life will talk about AIC. So in real life we also just refer to it as the CIA, and normally if you're in IT, especially if you're in security in IT, you will know what someone is talking about when they talk about the CIA Triad.

So regarding this little triangle, the first one up we're going to be talking about is the C in CIA, which is confidentiality. Now I'm sure you all know what confidentiality is, because that obviously extends well beyond IT. So in real life, confidentiality could for example be something in an envelope. It does not necessarily mean you've got security if something is in an envelope, but it does give you a sense of confidentiality, because other folks can't see what is in that envelope. This could be something private; this could be medical records; this could be your pay slip, your salary invoice. The point here, folks, is it's confidential and it's for certain people's eyes only: authorized people only. So of confidentiality we can say information can only be viewed or read by people authorized to do so.

Now in IT there are many ways you can achieve confidentiality, and sometimes some of these methods accidentally give you integrity as well, or availability if you're lucky. Normally they'll only give you one or the other in the triangle, but if you're lucky they might give you more than one of these items in the triangle. Ideally we want to achieve all of these, but it's not always possible; sometimes we need to combine multiple things. So if I, for example, put a private document in an envelope, yes, it gives me confidentiality in real life, but it does not give me integrity, because anybody can tamper with it, and it does not have anything to do with availability. More on that in just a moment. As for the I in CIA, folks,
that is integrity. Integrity means something is authentic, it's original; it has not been tampered with, in other words. So in IT, if I for example send you, let's say, an email, how do you know this email is really from me? I mean sure, you might say, okay, well, you can see the email looks like it's coming from my email address, but how do you know somebody has not spoofed my email address? That means they're forging my email address. Or how do you know somebody has not compromised my email address? They might have hacked my email address and taken it over, and now they're sending emails as if they are me. Or maybe I did send you an email, but somebody or something has intercepted this email and altered it in some sort of way, or altered the content of it in some sort of way, and it's no longer the original contents. It might even be a document, for that matter.

So how do we ensure integrity? Now, one of the many ways we can do that, just using email as an example here folks, is to use what we call certificates and digital signatures. The same applies in real life: if you look at a document in real life, let's say a contract, how do we ensure it's legit, authentic? Most often this is done using signatures. So if me and you come to some sort of agreement and we decide to put this on paper, both parties, me and you, will probably sign this agreement, and if you decide to change something in this agreement afterwards, or I decide to change something in this agreement afterwards, I need you to re-sign it, and then obviously you're going to know the jig is up. Now, I can try and forge your signature or you can try and forge mine, but normally that's going to be a very difficult task to achieve. So that's how we ensure integrity in real life, so that someone doesn't tamper with a contract afterwards and change the contents without the other person knowing about it.

Now in IT you also get digital contracts, and you can achieve the same goal. You can either scan in a physical copy of a contract, or you can actually, believe it or not, apply a digital signature to documents. You get many kinds of digital signatures, you know; scary thought, isn't it? So the IT world is very vast, folks. You get many kinds of digital signatures, but at the end of the day they achieve the same goal, and that is to make sure something is authentic and original. So for emails, one way we can achieve integrity is to encrypt the emails, perhaps, or to use some sort of digital signature, perhaps. So if you receive an email from me and you see there's no digital signature, or it's not the original signature, then you know this email is either not from me or somebody has tampered with this email in some sort of way. All right, so of integrity we can say this is to ensure data is authentic and original, and any changes are authorized.

Now, as for the A in the CIA Triad, folks, that is availability. So this is basically just to ensure information is always accessible. So if it's on a server, we want to make sure that server is highly available: there are two or more of the same server, giving us redundancy and fault tolerance. We want to make sure there are backup internet connections, backup hard drives, backup this, backup that. So at the end of the day, whatever information you have, and wherever it might be, it needs to always be available. That is availability.
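As an added illustration (not from the video), here is the email-integrity check described above, done with a digital signature: the sender signs the message with a private key, the recipient verifies it against the public key it already trusts for that sender, and both a tampered body and a message signed with a stranger's key are rejected. The Go standard library's Ed25519 does the signing; the mail structure and the canonicalisation are my own simplifications, and the trusted key would in practice come from a certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// SignedMail is a constructed, simplified stand-in for a signed email:
// the claimed sender, the body, the sender's public key and a signature.
type SignedMail struct {
	From      string
	Body      string
	PubKey    ed25519.PublicKey
	Signature []byte
}

// NewKeyPair generates a fresh Ed25519 key pair for a sender.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return pub, priv
}

// canonical is the exact byte string that gets signed. Binding the sender
// address into it means the signature also covers who the mail claims to be
// from; trimming surrounding whitespace means a relay adding a trailing
// newline does not break verification, while any change to the words does.
func canonical(from, body string) []byte {
	return []byte(from + "\n" + strings.TrimSpace(body))
}

// SignMail is the sender's side: sign the canonical bytes with the private key.
func SignMail(priv ed25519.PrivateKey, from, body string) SignedMail {
	return SignedMail{
		From:      from,
		Body:      body,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, canonical(from, body)),
	}
}

// VerifyMail is the recipient's side. trusted is the public key the recipient
// already holds for this sender (in practice learned from a certificate), so a
// mail carrying some other key is rejected even if its own signature is valid:
// that is the spoofing case from the lecture. A tampered body fails the
// signature check: that is the interception case.
func VerifyMail(m SignedMail, trusted ed25519.PublicKey) (bool, string) {
	if !m.PubKey.Equal(trusted) {
		return false, "key is not the one trusted for this sender (possible spoof)"
	}
	if !ed25519.Verify(trusted, canonical(m.From, m.Body), m.Signature) {
		return false, "signature does not match: body or sender altered after signing"
	}
	return true, "authentic and unaltered"
}

func main() {
	pub, priv := NewKeyPair()
	genuine := SignMail(priv, "me@example.com", "Please pay invoice 42 to account A")
	fmt.Println("signature:", base64.StdEncoding.EncodeToString(genuine.Signature))

	report := func(label string, m SignedMail) {
		ok, why := VerifyMail(m, pub)
		fmt.Printf("%-9s ok=%-5v %s\n", label, ok, why)
	}
	report("genuine", genuine)

	tampered := genuine // intercepted and edited: same signature, new body
	tampered.Body = "Please pay invoice 42 to account B"
	report("tampered", tampered)

	_, strangerPriv := NewKeyPair() // someone forging the From address with their own key
	report("spoofed", SignMail(strangerPriv, "me@example.com", "Please pay invoice 42 to account B"))
}
```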
So we can say availability is: information is always accessible to those authorized to view it. So something like a server that might be offline is not supposed to cause people not to be able to access data, because that can be disastrous in a company environment.

Now, getting back to the C of confidentiality, because I told you guys we're going to get back to some of these: I mentioned earlier, I'm not sure if you guys remember that, that depending on what solution you implement you might get lucky and you might be able to cover more than one of these boxes in the CIA Triad. If you look at, let's say, encryption, let's say BitLocker encryption (BitLocker encryption, for those of you who don't know, is used to encrypt a whole freaking hard drive, a whole volume on a computer), that will give you confidentiality, because people won't be able to see the contents of your hard drive, but at the same time it actually gives you integrity, because nobody will be able to tamper with the contents of the hard drive. So that is just one example of where you can achieve more than one thing using just one object, in this case BitLocker.

All right folks, let's move on to the next topic in this section, which is cyber
security framework. So the first thing I'm going to do here for you guys is add two points. The first of which is defense, and the second one is going to be attack, as in an attacker. So when it comes to security, or more specifically the cyber security framework, we are constantly going to be in a battle to defend our networks, to defend our infrastructure, and our whole environments and our company. So basically you guys can think of yourself as a white hat hacker, if you guys know what that is. You get black hat hackers and you get white hat hackers. So a white hat hacker needs to be better than a normal hacker, because you need to be able to protect your environment or that of your client. Yes, there's such a thing, guys. So you can basically think of the white hat hackers as the good guys. If you want to catch a criminal, you sometimes need to hire a criminal, yeah? So you guys are not going to be criminals per se, but you need to be able to think like a hacker and you need to have the knowledge of a hacker to be able to protect your environments from said hackers. Your job is going to be to defend and defend and defend, and you need to know what these bad guys are going to do when it comes to attacking and attacking and attacking.

So the first thing we need to talk about is identify. You need to know what can be used, and how you can go about it, when it comes to identifying potential threats in your environment or that of your client's company. So this consists of and includes things like developing security policies and capabilities, evaluating risks, threats and vulnerabilities, and recommending security controls to mitigate them. So sometimes you'll find that at clients you don't always have full control; sometimes you can only recommend or suggest. You wouldn't believe how frustrating that can be. I've had so many clients where I can see they're wide open for attack, and sometimes the solution is so, so simple, and there's nothing I can do about it besides recommending to the client: sir, ma'am, you've got the following issues in your environment. And this is sometimes nothing complicated at all; someone that's got no idea what they're doing in IT will even understand what these things are if you put it in simple terms. And I will tell them very simply: sir, you need to do the following, can I do it for you? And they'll say, no, please don't do that, and I'm like, okay. At the end of the day the client is always right; they get what they want. All we can do is recommend and suggest, sometimes. Now if you're lucky, you might be working for one company where you have been tasked to do these things. You don't need to ask; your job is to do these things. So if you're lucky enough to be able to do these things, your job is going to be to identify. There are various software products you can use; you'll find you've got all kinds of fancy monitoring software these days, and all kinds of platforms that allow you to monitor your network, your security, your internet usage, your servers. There's just about not a thing out there these days that we cannot monitor, guys. The second thing you need to do is protect.
This consists of procurement and development, installation, operation and decommissioning of IT hardware and software assets, with security as an embedded requirement of every stage of this operation's life cycle. So in a nutshell, if that doesn't make sense to you guys: you're going to have to go into a couple of installations, which includes those monitoring software products I mentioned earlier. Some of them you need to install, some of them you don't; sometimes you just need to have some sort of subscription. If we look at some of the cloud platforms we've got these days, it's literally just a matter of you needing to have the right license or the right subscription, and voila, you'll have the extra fancy tools at your disposal. Other times it involves you installing hardware or software. This could be something like a firewall, an actual physical firewall you've got to install in your company's environment or your client's company environment. This could be a software-based firewall; it's a cheaper version, but that's normally only going to be found in SOHO environments, in other words small office/home office environments. But for the most part, in medium to large-sized companies you can expect to be installing a physical firewall. This could also potentially be other forms of security that you can install. This could be something like an antivirus, yes, something as simple as an antivirus. This could potentially be physical security like CCTV cameras; not exactly related to this, but it still forms part of installing something and operating something and protecting something.

Step three, folks: detect. Now you get to use your fancy monitoring software, your CCTV, your antivirus, your firewall. Those things are used to detect potential threats. Now yes, sometimes you're going to get false positives. That means it is going to detect something, but it turns out to be false; it's not really a threat. We call that a false positive, a false alarm in other words. But rather have too many false alarms than no alarms going off when someone, you know, happens to potentially hack your company. I always tell my people: rather have too many false alarms than no alarms going off at all. Some alarm is always better than no alarm. So under detect we say this is to perform ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.

Folks, step four (and there are five steps, by the way): respond. This is to identify, analyze, contain and eradicate threats to systems and data security. Now folks, you will find that a lot of these steps do tend to somewhat overlap with one another. So one of the things we can use to respond is an antivirus, although antiviruses tend to respond automatically, so that's not a bad thing, but it does form part of respond. Now depending on the fancy software you've got at your disposal in your company or your client's company, some of them will only do monitoring; they don't really do anything other than that, and you're going to have to do stuff manually, which sucks, and sometimes it's not possible. Some of these tools do, however, allow you to respond to a certain degree. So some of these fancy tools will be things like 365. If you guys are familiar with Microsoft, specifically Microsoft's Azure platform and the Microsoft 365 platform, they've got a lot of tools you guys can use not just to monitor but also to respond to threats in the cloud, because a lot of companies these days make use of Microsoft 365 and Microsoft's Azure platform, and obviously other platforms out there like AWS and all those kinds of things. Then you get other tools like SCCM, which happens to also be a Microsoft tool, and you get the Microsoft Intune tool. All of these tools are used not just to monitor but to actually take action, to react, and not just monitor.

The last step here, folks, is to recover, and I think that speaks for itself. So if you eventually get yourself in that situation, and let's face it, it is going to happen, where a threat happens to do what it was supposed to do, the hacker got in or the malware infiltrated your company's environment, it happened to get in and it happened to do some sort of damage: how do you recover from that, when do you recover from that, and how long does it take you to recover from that? All companies should always have backups in place. This includes, but is not limited to, daily backups, weekly backups, monthly backups and, my goodness folks, offsite backups. I cannot emphasize enough how important it is to have backups, especially offsite backups. There are a lot of threats out there, especially ransomware, that know you do backups, and they actually get into your backups. They lie dormant on your system for a few days, weeks or months at a time, and eventually when they activate, you know, the trigger, it encrypts all your backups, including your monthly backups. So the only way you can recover from that is to have offsite backups that were not plugged in anywhere. Now this is easier said than done; obviously everything is easier said than done. Backups, guys, are very expensive. The more you have, the more expensive they are, especially offsite backups; they are sometimes stupid expensive. So it's very easy for me to say, hey, go do backups, but some companies know they need to do backups and they simply can't, because the budget does not allow it. But my goodness guys, if your budget allows it, please go and do those backups. So under recover we can say this is to implement cyber security resilience to restore systems and data if other controls are unavailable to prevent attacks. So if your security, your firewalls, your antivirus and whatever other things you had in place, if they fail to keep this threat out, this person or this malware, whatever it might be, you need to have some sort of contingency in place. What can you do to recover, and how long will it take you to recover?

All right folks, so regarding this cyber security framework, I've been referring to it as levels or steps, but I suppose you can actually call these functions. That's actually what they're called; they're not really called steps or levels, they're actually called functions. So information security and cyber security tasks can be classified as five functions, which are the ones I just labeled for you guys: identify, protect, detect, respond and recover. Those are the five functions. So this framework was developed by the National Institute of Standards and Technology, in other words NIST for short.

All right, so still on the same topic of cyber security framework, I'm just going to rearrange this a little bit differently for you guys, so
normally how this works, if we have to try and paint a picture as to how this all fits together: at the top we'll normally put identify, and as we know that is to develop your policies, get your monitoring in place and all that. Right below that you'll put your protect function, so protect is to actually implement the security, your antivirus and all that. And then below protect you'll find the other three remaining functions, which are detect, respond and recover. Now looking at the way I've organized this, from the bottom the attackers would normally attack you and your environment, or that environment of your client or the company that you're working for, so detect, respond and recover are going to be at the bottom and are going to be dealing with the attackers. Defense is from the top. You will remember earlier I classified all of these five functions into two categories, two main categories: defense and attack. So defense is going to be coming from the top, from the back so to speak, which is going to be from identify, then it's going to go through protect and all that, and attack is going to be from the front, or in this case from the bottom, and attackers will have to go through detect, respond and recover. Now if this is still confusing to you folks, don't stress; we're going to go a little bit more in depth with this later in the course, once we've covered a couple of other topics which will help this one make a little bit more sense. For now, let's move on to the next topic
in this first main section, and that, folks, is access control. Now the name alone should tell you pretty much what you need to know: it's to control access, you know, who can access what, and when, and where. Basically privilege in a nutshell, I suppose. So there are four main things you need to know when we talk about access control.

The first of which is identification: to identify who is who, what is what, and that's normally done via identities of some sort or kind. So on identification we can say the system owner, which is probably going to be you in most cases, confirms the user's identity and creates an account to represent the user. So if you look at an on-premises company environment, this is most likely going to be done in your Active Directory environment. So you, or some sort of administrator, will create an account in the Active Directory, and that is going to be used by the user to log in and to identify the user, and ultimately to check what level of access they've got, which is, well, privilege. Nowadays we know this extends well beyond just on-premises, obviously; these days we use things like Microsoft Azure, 365 and much, much more. So these user accounts are not necessarily created on premises anymore; these could very well be created in a cloud. So this could be a cloud Active Directory account, amongst many other kinds of accounts.

Now secondly, guys, under access control we talk about authentication. So authentication is to check if someone is who they claim to be, or what they claim to be, and this is obviously done using identities. So a user, if it's a human being, will normally need to provide something like a username and an email address combined with a password. This could potentially be a fingerprint, a retina eye scan; this could be voice recognition, face recognition; this could be a smart card; you know, it could be many, many things. The point here is the user, which may or may not be you (it might be a client or user of yours), will need to now prove they are who they claim to be; otherwise anyone could gain access to this account or this device. So authentication is to prove you are who you claim to be, or in some rare cases what you claim to be, because sometimes a server, or something like a server, needs to authenticate to another server. Yes, that's a thing, folks.

Now the third main thing you need to know about regarding access control is authorization. Now authentication, the previous one we spoke about, you can think of that as step one: to check if someone is who they claim to be. Step two, which unfortunately does not always take place, is to check what level of access somebody or something has once they have authenticated. So you can think of this as a domain account on premises, for those of you that know what a domain account is. So once somebody has logged in, it's going to check what permissions, what privilege, that individual has on their account. So it might see, oh, this is an administrator, he or she's got full access; or oh, this is a manager, they've got a lot of access, they can see all the following departments; or oh, this is just a trainer, like myself. The trainer you will expect to only have access to things like slides, manuals, exams, you know, course material. So depending on who you are, what department you work in and all that, that will determine what level of access you've got, which we refer to as privilege or permissions. Now this does not always take place. I mean, if you log into something like a Facebook account, a Gmail account, anything like that, or even your own personal laptop, you probably have full outright access, so authorization doesn't really take place there, per se. But if you look at something like a domain environment, which is a very good example for this, authorization does kick in and it is going to check what level of access you or the user has. So of authorization we can say: for each action the account performs, a permission list is checked to allow or deny the action that the user wants to do.

Lastly folks, the fourth thing I'm going to mention here under access control, which is the last one, is accounting. Now accounting, the name alone should tell you what you need to know. So this is to basically, kind of, sort of, keep logs of sorts. So the system tracks permission usage in a log; the user cannot prevent the auditing. So, yeah.
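To tie the four access control steps together, here is an added example (not from the video) of a tiny made-up directory service in Go: identification creates the account, authentication checks a salted password hash in constant time, authorization consults a per-role permission list for every action, and accounting appends every decision to a log the account holder cannot edit. The roles, permissions and usernames are constructed for the demo; a real directory would use a purpose-built password hash rather than plain SHA-256.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Account is what identification produces: a record that represents the user.
// Only a salted hash of the password is kept, never the password itself.
type Account struct {
	Username string
	Role     string
	salt     []byte
	hash     []byte
}

// AuditEntry is one line of the accounting log.
type AuditEntry struct {
	When     time.Time
	Username string
	Action   string
	Allowed  bool
}

// Directory is a constructed stand-in for a directory service such as Active
// Directory. The audit log lives here, not in the account, so the user whose
// actions are recorded has no handle with which to edit or suppress it.
type Directory struct {
	accounts    map[string]*Account
	permissions map[string]map[string]bool // per-role permission list
	Audit       []AuditEntry
}

// NewDirectory seeds the roles from the lecture with made-up permissions.
func NewDirectory() *Directory {
	return &Directory{
		accounts: map[string]*Account{},
		permissions: map[string]map[string]bool{
			"administrator": {"read:payroll": true, "write:payroll": true, "read:slides": true, "write:slides": true},
			"manager":       {"read:payroll": true, "read:slides": true},
			"trainer":       {"read:slides": true, "write:slides": true},
		},
	}
}

// hashPassword is a plain salted SHA-256 (demo only; use a slow password hash in practice).
func hashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// CreateAccount is identification: the owner confirms who the person is and creates
// the account that represents them. Each identity may exist only once.
func (d *Directory) CreateAccount(username, role, password string) error {
	if _, exists := d.accounts[username]; exists {
		return fmt.Errorf("account %q already exists", username)
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	d.accounts[username] = &Account{Username: username, Role: role, salt: salt, hash: hashPassword(salt, password)}
	return nil
}

// Authenticate is the user proving they are who they claim to be. The compare is
// constant-time, and an unknown username still does the hashing work, so neither
// case can be told apart from a wrong password by response timing.
func (d *Directory) Authenticate(username, password string) (*Account, bool) {
	a, ok := d.accounts[username]
	if !ok {
		hashPassword(make([]byte, 16), password)
		return nil, false
	}
	if subtle.ConstantTimeCompare(a.hash, hashPassword(a.salt, password)) != 1 {
		return nil, false
	}
	return a, true
}

// Authorize checks the role's permission list for this one action; every decision,
// allowed or denied, is appended to the audit log, which is the accounting step.
func (d *Directory) Authorize(a *Account, action string) bool {
	allowed := d.permissions[a.Role][action]
	d.Audit = append(d.Audit, AuditEntry{When: time.Now(), Username: a.Username, Action: action, Allowed: allowed})
	return allowed
}

func main() {
	dir := NewDirectory()
	if err := dir.CreateAccount("alice", "trainer", "correct horse battery staple"); err != nil {
		panic(err)
	}
	alice, ok := dir.Authenticate("alice", "correct horse battery staple")
	fmt.Println("alice authenticated:", ok)
	for _, action := range []string{"read:slides", "read:payroll"} {
		fmt.Printf("alice %s allowed=%v\n", action, dir.Authorize(alice, action))
	}
	for _, e := range dir.Audit { // the accounting trail
		fmt.Printf("%s %s %s allowed=%v\n", e.When.Format(time.RFC3339), e.Username, e.Action, e.Allowed)
	}
}
```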
These days, guys, you might have seen that nobody can do anything without somebody knowing about it. It doesn't matter if it's on premises, on your own laptop, your personal laptop or desktop, or on a company laptop or desktop, a phone, a tablet; this can be online; you can be anybody on any platform and you can do anything: everything is logged. So you'll find if a hacker is about to get caught, they'll always go and burn the PC or physically completely destroy it, because anything can be recovered, even if you delete it permanently, even if you format your hard drive; anything can always be recovered. So yeah, keep that in mind the next time you get up to some sort of shenanigans, folks.

All right folks, so let's move on to the
second main section in this module, and that, in case you don't remember, was security controls. The first topic we're going to talk about in this section is security control categories. Yes, I kid you not, there are categories. The first one is managerial, and I cannot even pronounce that word because I'm not English, so yeah, forgive me if I'm butchering the name. So this is normally someone that's in charge, some sort of manager; could be a general manager, could be an IT manager. Generally managers need to know who is doing what; they need to know what's going on in general in a company, or at least in their respective department. So this is to give oversight of a system, or in some cases a department. So that's just one form of security control category: it's managerial. Now something, folks, I want to quickly mention before we move on to the next security control category, regarding this managerial (there I go again saying it, hoping I'm not butchering it): a couple of examples would include risk identification, or a tool allowing the evaluation and selection of other security controls. So that's just something else I wanted to add on to managerial.

Now the second security control category we get is operational. So with operational, the control is implemented primarily by people. For example, security guards and training programs are operational controls, just in case you guys didn't know. So those are a couple of examples. So what we can say here is operational relies on a person for implementation.

As for the third security control category that I've got for you guys, that would be technical. So in the technical category, the control is implemented as a system. This would be things like hardware, software or firmware. For example, firewalls, antivirus software and operating system access control models are technical control examples. So in other words, it is implemented in operating systems, software and security appliances, because something like a firewall is an appliance. Yes, you get firewalls like the Windows Firewall, and firewalls you can buy and install, but in a proper medium to large-sized company a firewall, folks, is normally an actual physical device, a security appliance, and let me tell you, they do not come cheap: very, very expensive. You get many brands, many models, and depending on how much money you throw at it, yeah, that'll dictate how many functions you've got and how many people it can actually handle.

Lastly folks, the last security control category I've got for you guys is physical. Now "physical" tells you a lot of what you need to know here. So this is devices that mediate access to premises and hardware. Now regarding physical controls, guys: physical controls such as alarms, gateways, locks, lighting and security cameras that deter and detect access to premises and hardware are often placed in a separate category to technical controls. So it's in a different category, normally, folks.

And then I'm going to move you guys on to the next topic in this video, which is
actually very much the same thing so instead of talking about security control categories we are going to talk a bit about security control types very much the same thing but not exactly the
same thing so you get things like administrative controls Tech technical controls and physical controls now with each of these you get three
subcategories if I can call it that you get preventative detective and corrective now to help you understand this I'm going to give you guys lots of examples and this is possibly something
they can ask you in the exam so starting with administrative controls if we look under preventative this could be things like hiring and termination policies it
could possibly be things like separation of duties (you know, who's doing what, and what are your duties and responsibilities in the company). This could possibly be things like data classification: to classify your data correctly into categories and all that, so that people know what to find, where to find it, whose responsibility it is, and all that kind of jazz. And if we look at the detective section here, that under administrative controls will be things like reviewing access rights: who has access to what, should they still have access to that, or do they not have enough access for their responsibilities? This includes, but is not limited to, things like audit logs and unauthorized changes, which could possibly fall under detective. And if we look under the corrective section of administrative controls, this can be things like implementing a business continuity plan, so in the event of something going sideways, what is plan B? How quickly can you be up and running, and will you be offline, if offline at all? Hopefully you're not going to be offline at all; ideally you want to have all systems running non-stop even though something might have gone wrong in the background. Under corrective we also have things like having an incident response plan, which is pretty much the same thing: so in the event of something going sideways, what is plan B? Do you have backups in place: backup servers, backup internet, backup technicians, backup this, backup that? So you need to have fault tolerance and high redundancy, in other words, is what we're saying.

Now if you look at the technical controls section there, once again starting with preventative: under technical controls, what would be seen as preventative would be things like firewalls, IPS, MFA and antivirus. These are seen as preventative under technical controls. Under detective, but still under technical controls, this would be things like IDS, in other words an intrusion detection system, or honeypots. Now a honeypot is something we're going to be talking about a lot in this course, as well as quite a few of these other things I've mentioned thus far. And then under corrective, but still under technical controls, this would be things like vulnerability patching, to prevent someone from exploiting something, so you're just going to go and patch anything before someone takes advantage of that. This could be rebooting a system so that updates can take effect, patches can take effect, that kind of nonsense.
And it can also be to quarantine a virus, so to go and quarantine a virus or some sort of malware is seen as corrective under technical controls. And then the last main control type, guys: physical controls. So physical is usually things you can see and touch, so preventative would be things like a fence, a gate, a lock; I think you guys see where we're going with this. If we talk about detective, this will be things like CCTV, to detect if someone is up to something. It doesn't really prevent them, it's more to detect them, so CCTV, and on that note we can probably go and add surveillance cameras, which is pretty much the same thing. And then corrective: to go and physically repair physical damage, or to go and reissue access cards. So if someone needs an access card to go and enter a certain section of the building or a certain section of the business, to go and reissue an actual physical card to individuals or users or employees, that is seen as corrective under physical controls, folks.

All right folks, and then moving on to the next topic, which is still kind of the same topic, still security control types. Um, so in case you didn't know,
while most controls can be classed functionally as preventative, detective or corrective, like we just discussed, a few other types can be used to define other cases. So there are a couple of weird scenarios out there, so a couple of ones that I'm going to mention to you: first of all, directive. So that's a directive security control type. Now, looking at the name, once again we can kind of guess what this will be about: it's to direct the users into a certain kind of behavior. So that being said, we say this enforces a rule of behavior. This could be something such as a policy, so if your company has some sort of policy, that policy can sometimes force your users, or the users of your client's company, to behave a certain way. This policy will either outright block them from doing certain things, or it'll just kind of encourage certain behavior. This could, for example, also be a best practice standard, so maybe your company or your client's company has got some sort of best practice standard, a certain way they prefer to do things, which is not necessarily legal or illegal or against any rules; it's just a certain way that your company or your client's company prefers to do things, a best practice standard if you will, to force people to behave a certain way with certain things. Um, other things that force people to behave a certain way is, for example, a standard operating procedure, which most companies just refer to as an SOP. Almost all companies have got an SOP, and you'll find a lot of companies have actually got multiple SOPs; it depends on which department you work in. So the SOP, in case you guys don't know, is what your responsibilities are. So if you look at me, I'm an IT trainer, so my responsibilities as an IT trainer might be to get you to pass the exam, to make sure you understand the exam objectives; uh, if you are on an official course of mine, I'll maybe record attendance, and if you attend all the days of the course I'll issue you an attendance certificate, that kind of stuff. So that's my SOP. Every department and every company has got their own unique SOP, and that basically dictates what that person has to do in that department. And obviously, if people don't do what they're supposed to do, then there may or may not be consequences to that. They might just give you a slap on the wrist, you might be called into the boss's office (it's kind of like getting called into the principal's office in school), and the boss might give you a scolding, they might give you a written warning or a verbal warning; eventually there might even be disciplinary action, you never know. So with that in mind, you'll find it very often in your contract, or contracts of some sort of employee: there will be some sort of contract, and in that contract there's a procedure that basically explains what the disciplinary actions will be. So if you don't do X, Y and Z, the following will happen; so it's expected of you to do A, B and C, failing which the following will happen.
Now, another security control type we get besides this directive one (wow, there's a lot of them) is deterrent. Now I hope to goodness that I'm pronouncing that correctly, but it's basically to prevent people outright from doing something. So this one, we say it psychologically discourages intrusions. I suppose it's probably incorrect to say that it outright stops them; it just psychologically discourages it (wow, I can't even say that, don't laugh at me). Um, so I suppose if you look at a burglar bar in the window, a little off topic, it's still security that discourages someone. It doesn't completely stop them, and it's somewhat going to stop them, but it just discourages them, so psychologically. That might be something like a security camera, maybe. I mean, a security camera doesn't stop you from committing a crime, but if you know it's there, and if you know the cameras are looking at you, and that you may or may not potentially get caught doing whatever shenanigans you're about to do, that could psychologically stop you from doing whatever it was that you were about to go and do. So within this category we can say this control may not physically or logically prevent access (it's not going to outright stop you), but it can psychologically discourage an attacker from attempting an intrusion. So if you notice the security camera, or you might know there's a motion detection system in place, then you might not go and do whatever shenanigans you were about to go and do. This could also include signs and warnings of legal penalties against trespass or intrusion. So if you look at real life examples, this is not just IT, guys: so if there's a sign up outside some sort of property that says if you trespass there's going to be prosecution, or the following is going to happen (heck, they might even say they're going to shoot you, for all we know), that is going to discourage you from going onto that property. Another example would be speed cameras: in a lot of countries they've got signs up that say if you speed over the following speed limit, there's going to be a speed camera, they're going to catch you, and you're going to get a huge fine. Now that doesn't stop you from speeding, end of the day; it's not going to do anything, I can go and speed at the speed of light if I want to on that freeway or whatever road I'm driving on, but if I know there's going to be a potential fine in the mail for me because of a speed camera, then I might not do it. So it's to discourage bad behavior and enforce good behavior; it doesn't actually stop anyone, it's just to enforce good behavior, it's to kind of control the behavior of people. And then the third one I've got for you guys on this list, which is the last one:
compensating. So this basically substitutes for a principal control; I suppose we can also say it's associated with framework and compliance measures, perhaps. So if that doesn't make sense, let me put it this way: compensating is a control, or it's a substitute for a principal control as recommended by a security standard, and affords the same, if not better, level of protection, but uses a different methodology or technology. Hopefully that makes a little bit more sense for you guys; it's a very difficult one to explain, let me put it that way.

Anyway folks, these security control types that we've been talking about so much up until now; uh, let me just get this out of the way first to make a blank page. So cyber security controls are broadly specified into seven categories, in case you guys didn't know, so I'm just going to kind of summarize it here for you guys into seven main broad categories. The seven main categories are as follows: the first one is directive, which I literally just explained to you guys a few moments ago; then you get deterrent controls, which I kind of failed to pronounce earlier (hopefully I'm pronouncing it correctly now); you get preventative controls, the name speaks for itself; you get compensating controls, which I also spoke about a few moments ago (so number one, two and four are the three that I just spoke about a few moments ago); you get detective controls; you get corrective controls; and then lastly you get recovery controls. So the three I just spoke about previously, just a few moments ago, that was number one, number two and number four: directive, deterrent and compensating. I gave you guys a bit of a description of each of those. Now if that's not enough for you guys, let me just get this out of the way; um, let's quickly give you guys a brief description again of each of these, just in case the previous descriptions did not make a lot of sense to you guys, because it's very important you guys understand this for the exam.

So to repeat myself, with directive controls, a little bit of a different description for you guys: directive controls are the mandatory controls that are implemented to monitor the regulations. It provides guidance primarily aligned with the organization's policies and regulations. So that's what it is in a nutshell; we're going to do this for each of these seven that I've got for you guys. So moving on to number two, which is the deterrent controls, the ones that I keep failing to pronounce (please let me know in the comment section down below if I'm pronouncing that correctly or not): so number two, deterrent controls are deployed to discourage the violation of a security function, and it helps to reduce the chances of a deliberate attack. Deterrent controls help to make intelligent decisions and deter a way that
it's not secure to use.

All right folks, and then before we move on to number three here, which is preventative controls: for those of you that have been watching my YouTube videos, especially if you watched my other courses, you would know that I like to play a little bit of a game in some of my videos. So this is normally towards the end of a video, so in this video I've got a hidden phrase for you guys, and the idea of this hidden phrase is for you guys to play a bit of a game. This is completely optional, you do not need to go and do this. So the hidden phrase for today's video is apple sauce, and what I need you guys to do, which is completely optional, is to either type the word as is in the comment section down below, or preferably (this is the more fun part) to create some sort of creative sentence using the word applesauce. Now where it gets fun is if anybody else is reading the comment section and did not watch the video yet, they're going to be like, what the heck is going on here, why are people talking about applesauce so much? They're going to be very confused, and only people that actually watched the video up until this point would know what the heck is going on. So it's a bit of an inside joke, if you want to call it that, so feel free to play this if you want to; you don't have to go and do that. If you are going to play along, please keep to YouTube's rules and policies: do not swear, do not say something mean, but you are allowed to be a bit creative. So you can use it either way: you can use it as is, but it's going to be more fun if you make some sort of creative sentence using the word applesauce. Uh, this does not stop you from asking any questions down below, so if you've got any questions about something that's been discussed in this specific module, please, by all means, feel free to ask your questions down below and I'll do my best to answer your questions. Alternatively, you can join the channel's Discord server that you'll find in the video description down below; so it's literally going to be at the very bottom of the video description, check out that link, join the Discord server if you've not done so already, and um, you'll find me as well as a couple of other IT trainers on there, and thousands of other students on there that study this course as well as other courses. So if you've got a question, either myself or somebody will be there to assist you, and um, who knows, maybe you can help someone else that's struggling on this course. Anyway folks, moving on to number three:
preventative controls. So if you don't know what that is, or if you don't remember what that is, preventative controls are used to prevent or avoid security incidents in the organization. It helps to mitigate unauthorized activities by indulging preventative methods in the organization. So hopefully that makes a little bit more sense; so we're just trying to prevent people from doing certain shenanigans. And then moving on to number four, which I did briefly explain a few moments ago, compensating controls. If I have to put this a different way for you guys: compensating controls are the alternative methods that support the requirement of actual security controls implemented. The role of the compensating control is to provide a similar level of assurance even if the attacker has compromised the actual security control. So hopefully that description makes a little bit more sense to you guys than the previous one I gave you guys. Moving on to number five, detective controls (doesn't that just sound cool?). So if you don't know what that is, or if you don't remember what that is, detective controls are used to detect and alert on unauthorized or unwanted activities within the organization. It helps detect and react to security violations using tools, processes and best practices. As for the second last one here, people: corrective controls (wow, sounds like a prison, doesn't it?). So corrective controls are used to remediate or mitigate the effect of a security incident. It includes measures to mitigate and prevent the same security incident from reoccurring. I mean, it doesn't help you go and implement some sort of solution or mitigation to an incident and then the next day it just goes and happens again. So at the end of the day, if something happens, we want to prevent that something from happening again in the same way; um, as the old saying goes, learn from your mistakes. And then guys, the last one: recovery controls. So recovery controls are deployed to recover and restore the operating system to normal condition after the security incident. So what can we use for recovery controls? This could be something as simple and as easy as a backup; it could be the built-in functions in Windows like Refresh and Reset. All of those fall under this umbrella which we call recovery controls. So if you break a machine, someone else breaks a machine, or let's say this is a server operating system (there's no rule that says this is just limited to client operating systems, this could very well be a server operating system), so what can you or I or we use to restore an operating system, which may or may not be client or may or may not be server? And if you go look at something like System Restore, that can actually also work; unfortunately System Restore is kind of limited to client operating systems. Other things you can go and use, if this is a virtual machine (because let's face it, almost everybody and everything is using virtual machines these days): you can go and use something called snapshots, which are nowadays referred to as checkpoints. So if it's a virtual machine you can basically go and revert this virtual machine back to an earlier state in time, very much like a System Restore, although System Restore just restores back the system, but a checkpoint or a snapshot literally restores the whole freaking machine back to an earlier state. Very cool and useful, don't you think? All right, I think we've spoken enough about this topic; let's move on to the next topic: information
security roles and responsibilities. So for those of you that don't know, a security policy is a formalized statement that defines how security will be implemented within an organization, and it describes the means the organization will take to protect the confidentiality, availability and integrity of sensitive data and resources. So think of it as a guideline, a set of rules. So every company is going to be unique in their own way; I mean, I can't say what works for my company is going to work for your company. So depending on what industry you're in (well, I suppose also depending on what country you're in), so depending on the country you're in, the industry you're in, what your company is, what they do, that will dictate what your security policy will be. So if you are, for example, a bank, there's a certain way you will need your employees to behave, so depending on the department you're in in the bank, depending on what you do in the bank, uh, that's what the security policy will be all about. So it's got a lot to do with what industry you're in and what you do in that company. The security policy basically says what they're allowed to do and what they're not allowed to do in your company or organization. So the implementation of a security policy to support the goals of the CIA triad might be very different for a school, a multinational accounting firm or a machine tool manufacturer. It's going to be different for every organization, guys: so one place might be a bank, the next might be a law firm, the next might be a school or a college or university. Every company and every entity is going to be unique, and their security requirements and needs are going to be unique; the way they need their users and staff to behave is going to be unique. So every situation is going to be unique; I suppose you could say every company is like a human being, they're unique in their own way, and their needs and requirements are unique in their own way. So it's up to you and your company, or that of your client's company, to try and figure out what is going to work for you or what is not going to work. At the end of the day, all of these companies and organizations have the same interest, and that is to ensure the employees, equipment and data are secure against attack or damage.

Now, as part of the process of adopting an effective organizational security posture, employees must be aware of their responsibilities. At the end of the day, a company can go and implement policies; the IT team, which may or may not be you, you can go and implement policies and measures, but um, I'm not sure if you guys ever heard that saying, you can bring the donkey to the water but you can't make the donkey drink; there's an old saying like that. So it means I can't always go and force something down people's throats. I can bring them the tools, I can show them how to go and do it, but at the end of the day it's going to be up to the people to go and actually implement this. So yes, the directors and the owner of the company are going to have some level of responsibility, they want us to behave a certain way; yes, the IT managers and all those people that are high up, they will have a certain level of responsibility, and they can to a certain extent enforce some of these policies, but at the end of the day it's also the responsibility of the normal end user. They need to make sure they don't do certain things. This can be something as stupid and as simple as not sharing your password, something as silly as making sure your PC is up to date. I can't always force the person to make sure they've got a secure password; sometimes I can, sometimes I can't, so I need to tell these people: sir, ma'am, when you get an email from somebody that you don't know, please don't open it; if you get a weird, suspicious attachment in that email, or a weird, suspicious link in that email, please don't click it. Now I apologize folks, I'm using an email as an example here, but that's probably a very common example you will experience with your users. End of the day, I can tell my users not to go and do those things I've just said, but that's all I can do: I can tell them not to go and do that, but I can only hope that they will not actually go and do that. So whether I can stop them, yeah, that's a different story. So at the end of the day, the overall responsibility for the IT function lies with the Chief Information Officer,
which we call CIO for short. This role might also have direct responsibility for security. Some organizations will also appoint a Chief Technology Officer, which we call CTO for short, with more specific responsibility for ensuring effective use of new and emerging IT products and solutions to achieve business goals. In larger organizations, however, internal responsibility for security might be allocated to a dedicated department, which is run by a Chief Security Officer, which we call CSO for short, or just Chief Information Security Officer, CISO. Now as for managers: managers may have responsibility for a domain such as building control, web services or accounting. So managers also have a certain level of responsibility; even though they might not necessarily be an IT manager, all managers still have a certain level of responsibility. And when it comes to the technical staff and specialist staff, they have responsibility for implementing, maintaining and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators; one such job title, guys, is Information Systems Security Officer, which we call ISSO for short. As for non-technical staff, that's just your normal everyday users; those people don't really know what they're doing, and let's face it, even though you tell them don't click on that link, don't open that attachment, let's face it, you're still going to get those pesky users that are going to go do that. So as for the non-technical staff, they also have the responsibility of complying with policy and with any relevant legislation. So yeah, we can tell them not to go and do that, but whether they actually do that, yeah: you can bring the donkey to the water but you can't make it drink, like I said earlier. Now if you don't know what due care or liability is (because I've got it listed here for you guys in front of you), that is external responsibility. So external responsibility for security, which we call due care or liability, lies mainly with directors or owners, something I did briefly mention earlier. Now though, again, it is important to note that all employees share some measure of responsibility. It doesn't matter if you are the owner, a director, if you work in security, or even if you are just a normal measly user; at the end of the day everybody has a responsibility to make sure they do their part. End of the day, there's a saying, another saying here, that says you're only as strong as the weakest link, and um, if you don't train your staff not to go and do certain things, guess what, something bad's going to happen. You can have security that looks like it's straight from NASA, for crying out loud, but if you did not train your staff not to go and click on those spacey links, boom, you're still going to get ransomware, boom, you're still going to get hacked. Doesn't help much now, does it? All right folks, let's move on to the next topic: information security competencies. Now, what this is
all about is: just because you work in security doesn't mean you're just going to be working with security. It's not always that simple; it's never that simple. So if you are going to be working as the security, or in the security department, in a company, you're going to have to be competent in quite a few things. So if you are studying for the Security Plus course, guys, you'd be wise to also go and study a couple of other things and to familiarize yourself with a couple of other things. For example, a lot of you guys might have already done N+, Network Plus; now that's really going to help you guys, because at the end of the day if you've got some sort of networking background, even if you haven't worked in networking, if you just have the certification, that's going to help you a lot. You do need to have a certain level of knowledge of certain things if you want to be able to protect those things; you can't protect something if you don't understand that something. So how do you expect to protect a network if you don't know networking? How do you expect to go and do risk management if you don't understand what risk management is? So it's not as simple as, hey, let me go on the Security Plus course and now I can go into security; no, you do need to have a certain level of experience with a couple of other random things out there. So with that in mind, we can say IT professionals working in a role with security responsibilities must be competent in a wide range of disciplines, from network and application design to procurement and human resources (yep, I kid you not). Now I'm going to give you guys a bit of a list of a couple of competencies that you guys might want to go and look at. Obviously this list is not the full list, but this is a very decent list of things you need to know, especially from an exam perspective. So you need to participate in risk assessments and the testing of security assessments, and you need to also be able to make recommendations on security; so for you to be able to make recommendations on security, you need to understand security, you need to understand risk assessments, otherwise you're not going to be able to make recommendations to your company or your client's company. You need to specify, source, install and configure secure devices and software. You need to set up and maintain document access control and user privilege profiles. You have to monitor audit logs, review your users' privileges and document access controls. Now, just because everybody's got access to what they need to have access to doesn't mean everything's just going to be sunshine and rainbows, guys. Sometimes some folks have got too much privilege: maybe you or somebody in your company gave someone access temporarily, once upon a time, to go and do a certain task, and you or this other technician completely forgot about that; meanwhile this user's got too much access now, and in IT we always live by the golden rule of least privilege. So there are many tools out there we can go and use to achieve this task, to go and see what privilege someone has and what they don't have, because at the end of the day, let's face it, it doesn't help you ask the users if they've got too much access, because even if they do know, they're not going to tell you, but most of the time they're not going to know; they'll just see, oh, I can access the following, I'm not supposed to, but I can, and they'll keep it to themselves, which is not a good thing. Now, under security competencies, you need to also be able to manage security-related incident response and reporting. So what if something happens one day, security-wise?
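Before the incident-response question, here is the access review just described (the "reviewing access rights" detective administrative control from the control matrix earlier, and the forgotten temporary grant under the competencies list) worked through as an added example. This is not code from the course or from CompTIA: the role matrix, users and grants are constructed sample data, and review_access, review_on and revocation_list are hypothetical helper names of my own. The point it shows beyond the prose is that the forgotten temporary grant is only detectable if the grant record carries an expiry date, and that comparing "has" against "should have" surfaces both privilege creep and missing entitlements.

```python
"""Access-rights review as a detective administrative control.

Added example, not from the course. The role matrix, users and grants
below are constructed sample data; review_access() is a hypothetical helper
that reports four kinds of findings a reviewer would act on:
  - expired:    a time-limited grant whose end date has passed (the "gave
                someone access once and forgot" case)
  - temporary:  a time-limited grant still in force (confirm still needed)
  - unapproved: a permanent privilege the user's role does not entitle them to
  - missing:    an approved entitlement the user does not actually hold
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Approved entitlements per role: what each role SHOULD hold (constructed).
ROLE_MATRIX = {
    "helpdesk": {"ticketing:rw", "ad:reset-password"},
    "finance": {"erp:ro", "expenses:rw"},
    "sysadmin": {"ad:admin", "servers:rdp", "backup:restore"},
}

# Which role each user holds (constructed).
USER_ROLES = {"alice": "helpdesk", "bob": "finance", "carol": "sysadmin"}


@dataclass(frozen=True)
class Grant:
    """One privilege actually granted to a user; expires=None means permanent."""
    user: str
    privilege: str
    expires: Optional[date] = None


# What is actually granted today (constructed). bob was given RDP to the
# servers "temporarily" for a migration in March and nobody revoked it;
# alice picked up read access to the ERP that the helpdesk role never allowed.
GRANTS = [
    Grant("alice", "ticketing:rw"),
    Grant("alice", "ad:reset-password"),
    Grant("alice", "erp:ro"),
    Grant("bob", "erp:ro"),
    Grant("bob", "expenses:rw"),
    Grant("bob", "servers:rdp", expires=date(2024, 3, 31)),
    Grant("carol", "ad:admin"),
    Grant("carol", "servers:rdp"),
]


def review_access(grants, user_roles, role_matrix, today):
    """Compare actual grants against the approved role matrix as of `today`."""
    findings = {"expired": [], "temporary": [], "unapproved": [], "missing": []}
    held = {}
    for g in grants:
        held.setdefault(g.user, set()).add(g.privilege)
        approved = role_matrix.get(user_roles.get(g.user), set())
        if g.expires is not None:
            # Time-limited exception: stale once the end date has passed.
            bucket = "expired" if g.expires < today else "temporary"
            findings[bucket].append((g.user, g.privilege, g.expires.isoformat()))
        elif g.privilege not in approved:
            # Privilege creep: a permanent grant the role never entitled.
            findings["unapproved"].append((g.user, g.privilege))
    # Least privilege cuts both ways: also report entitlements not provisioned,
    # so the reviewer sees the full gap between "should have" and "has".
    for user, role in user_roles.items():
        for priv in sorted(role_matrix[role] - held.get(user, set())):
            findings["missing"].append((user, priv))
    return findings


def review_on(today_iso):
    """Run the review against the constructed data as of an ISO date string."""
    return review_access(GRANTS, USER_ROLES, ROLE_MATRIX, date.fromisoformat(today_iso))


def revocation_list(findings):
    """(user, privilege) pairs to remove: every expired or unapproved grant."""
    expired = [(u, p) for u, p, _ in findings["expired"]]
    return sorted(set(expired + findings["unapproved"]))


if __name__ == "__main__":
    result = review_on("2024-06-01")
    for kind, items in result.items():
        for item in items:
            print(f"{kind:10s} {item}")
    print("revoke:", revocation_list(result))
```

In a real environment the grants would be an export from the directory or identity provider rather than a hard-coded list, and the review output would feed a ticket to revoke the stale access; the shape of the check stays the same.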
What if there's a malware attack? What if someone hacks you, or what if there was a breach? What are you going to do about it? You need to be able to handle that and manage that. You need to be able to create and test business continuity and disaster recovery plans and procurement. So in the event of a failure of some kind, you need to be able to make sure there's a solution in place that can keep the business up and running. Nothing should be down, and if it is going to be down for whatever reason, it needs to be minimal; the time needs to be minimal. So ideally we want to keep the business, your business or your client's business, up and running, or we need to get them back up and running as quickly as possible. Lastly folks, you need to actively participate in security training and education programs. This can be something as simple as sending an email to users telling them, guys, please note, don't open mails from people you don't know. I know I said it before, but I'm going to say it again, this is very important: send mails to your people, tell them don't do this, don't do that. Now unfortunately we know a lot of users, they're going to read this, it's going to go in the one ear, it's going to go out the other ear, and they're not going to comprehend what they just read. Some people will just ignore the mail; actually, a lot of people are probably just going to ignore the mail. I've seen this happen in so many companies where the IT team, like me and you, will send people various emails which are very important, and nine out of 10 people are going to ignore it like a stop sign at a street: they're going to ignore it, they're going to skip it, and um, that's bad, guys. And only when the day comes, when D-Day comes, when the poop hits the fan, they'll be like, oh, I never saw that mail, oh, oops, I didn't know; meanwhile you've been sending the mails all along telling them don't do this, don't do that, and they just decided to ignore these mails of yours. So it's frustrating being in IT; I hope you guys have got the patience for it. All right folks, let's move on to the
last topic in this video: information security business units. So the following units that I'm about to list for you guys are often used to represent the security function within the organizational hierarchy. The first one I've got for you guys is something called a Security Operations Center, which we just call SOC for short. If you don't know what this is, it's a location where security professionals monitor and protect critical information assets across other business functions; this could be things such as finance, operations, sales and marketing, and so on. Now, because the Security Operations Center can be very difficult to establish, maintain and (let's not forget) finance, they're usually employed by larger corporations like a government agency or a health care company. So basically how this works is: you may or may not work for a big company; let's say it's a big company. Now, just because it's a big company does not mean the Security Operations Center is in-house; it might be, it might not be. I've seen huge companies that have got no IT department, or the IT department is very small or quite limited; now usually it's going to be quite large. Now if you have an IT department, let's say you're lucky and you've got an IT department, it doesn't mean they're very good at security; that might potentially be outsourced to a third party, potentially, you never know; it might be a third party, which is basically what this comes down to. The same applies to normal basic IT needs: a lot of companies out there, big and small, sometimes they've got no in-house IT, other times they've got minimal in-house IT, and whenever they need some sort of technical expert for a system, they will log a ticket or a job card with that other third-party company, and they will assist them timelessly. I know this because I used to work for one of these companies as one of the main engineers. So I was working for a company, and my job was to service hundreds if not thousands of clients. Sometimes I would just sell them products like a PC or a network cable, easy peasy, easy day; other times we had to sell them solutions, I had to be an engineer, I had to help them remotely, I had to go out to them, give them recommendations, give them mitigations, and all that. Sometimes I had to go and just swap a hard drive: I would go out to the client, swap a hard drive; this can be for a private company, can be for the government sector. Other times I had to go and build them server rooms, or build them server room environments, build them a solution of some kind; other times I was going to implement security solutions of some kind. So some days were quick and easy, other days were just, wow, I don't want to talk about it, it's just wow, some of these days. So it's completely random, but the point here is it was outsourced to a third party in that scenario, and I was that third party. Now, another information
Now another information security business unit (this is the second one out of three I'm going to list for you guys) is DevSecOps. So network operations and use of cloud computing make very, very increasing use of automation through software code these days. Now folks, traditionally software code would be the responsibility of a programming or development team, but I'm not sure if you guys have seen, these days there's so many features, so many platforms, so many programs where we need little to no coding experience. So if you are somebody that's got no coding experience, guess what, you can go do coding. There's platforms out there that can allow you to make your own website, your own program, and guess what, you would have no experience when it comes to coding. There's tools like that out there. It's kind of like an AI of sorts; you guys have probably seen ChatGPT and Gemini and all those platforms these days by now. The AI these days that we've got is just insane.
So in DevSecOps, separate development and operations departments or teams can lead to silos where each team does not work effectively with the other. And to add on to this, if that doesn't make sense to you guys, development and operations is a cultural shift within an organization to encourage much more collaboration between developers and system administrators, because generally in the past, I don't know if you guys have seen, but developers and administrators just don't get along. I'm an administrator and I've got quite a few colleagues which are developers, and in the past developers and administrators just generally don't get along. Now there are a couple of rare cases where developers and administrators might potentially be the same person, but that's very rare. Normally developers and administrators are two different entities, and in most companies these folks just don't get along. I don't know why, they just don't.
So by creating a highly orchestrated environment, IT personnel and developers can build, test and release software faster and more reliably. DevSecOps, guys, extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment. This is also known as shift left, meaning that security considerations need to be made during requirements and planning phases, not grafted on at the end, because that just doesn't work. The principle of DevSecOps recognizes this and shows that security expertise must be embedded into any development project, and similar to this is the recognition that security operations can be conceived as software development projects. Huh, security tools, guys, can be automated through code, who knew that? So consequently security operations need to take on developer expertise to improve detection and monitoring.
Now as for the last information security business unit, guys, that would be incident response, something I did kind of sort of touch on earlier. So you guys will see this is generally a dedicated computer incident response team, which we sometimes just refer to as a CIRT. If you don't know what it is, it's generally a single point of contact for notification of security incidents. You might potentially be in that central security point of contact, you never know, so if you guys keep up your security studies, you never know, you might be that central contact. So this function might be handled by the SOC, which we spoke of earlier, or it might be established as an independent business unit. So, like we said, it might be an outsourced entity, so maybe you work for that outsourced entity like I used to, or it might be in-house, you never know. Either way you might very well end up being in security one day.
All right folks, that is it, can you believe it, that is the end of the first module. So before you guys disappear, just thank you very much for watching this module. I truly hope you guys have learned something in this first module of Security Plus. There's still 15 more modules to go before we've covered everything in Security Plus, so it's still a lot of content we need to cover. Please do not attempt the exam unless you've covered everything in Security Plus, otherwise there's a chance they might ask you about something that you feel very uncomfortable about or something you've never heard about. If you guys have learned something in this video and if you've enjoyed it, please do me a favor, give this video a like. It does help me, it does help the video and it also helps the channel. If you'd like to know when module 2 comes out or any of my other content, maybe consider subscribing, otherwise you might miss it.
And then lastly folks, thank you to everybody supporting and sponsoring the channel, thank you to those of you clicking on the thanks button below a video if it's available in your country, to those of you buying me a milkshake or coffee. By the way, if you want to sponsor or support the channel you can find those links in the video description down below. And then those of you making PayPal donations, thank you very much guys, I really appreciate that, that does help me make more of these videos. And then lastly guys, the patreons, the patreons, the patreons, guys, thank you very much. I cannot say thank you enough, thank you thank you thank you for helping me make more content like this so we can help more people out there. I really appreciate you guys. Here is the list of the patreons as well.
All right guys, and then the last thing I'll mention here before I conclude this video is the channel does have a Discord server, for those of you that's new on my channel. So if you guys want to join the Discord server, that link is in the video description down below, it's the very last link in the video description. I'm in there, other IT trainers are in there, people studying for Security Plus are in there, amongst many other courses. So if you want to ask questions you can ask them there. If you want to help other people studying for this course you can also go and do it there. There's lots of courses being covered in there and it's completely for free. Alternatively you might also find additional resources in there, who knows. All right folks, I will see you in module two of my Security Plus course. [Music]