0:02 hey everyone in this video I'm going to
0:04 go over some of the concepts you need
0:06 for CompTIA Security Plus the 701 version
0:09 of the exam the one of the objectives under
0:13 1.2 um and uh you can go ahead and just
0:14 look that up if you're not familiar with
0:17 the exam objectives for Security Plus so
0:18 some of the things we're going to cover
0:20 in this video include the CIA Triad
0:22 what's called AAA so no that's not the
0:24 uh the people that come on the side of
0:26 the road and fix your car um this is a
0:27 different type of AAA we'll also talk about
0:31 non-repudiation and and we'll do a brief
0:33 overview of Gap analysis as well so it's
0:35 kind of weird how CompTIA has some of
0:38 these things like wrapped into the same
0:40 um exam objective topic area if you will
0:42 but we'll talk about all those things in
0:44 this particular video so again CIA Triad
0:45 which stands for confidentiality
0:48 integrity and availability we'll talk
0:49 about non-repudiation we'll talk about
0:52 AAA I'll talk about what all that is
0:53 we'll also talk about Gap analysis like
0:55 I said so let's just Dive Right In and
0:58 talk about the CIA Triad so CIA Triad
1:00 stands for confidentiality integration
1:02 integrity and
1:06 availability so confidentiality really
1:07 with that we're just making sure that
1:09 the right people the right applications
1:12 the right systems are getting access to
1:14 the things that they're actually able to
1:16 you know that that they're authorized to
1:19 like see right whether that's data Etc
1:21 but preventing anything else from
1:23 getting access to that right so the
1:24 whole goal with that is to help protect
1:26 sensitive data from unauthorized access
1:29 disclosure or theft um some ways we can
1:31 do that in the real world are things like
1:32 encryption which is one of the most
1:34 popular ways um using different types of
1:36 access control methods but also data
1:39 classification because if we don't
1:41 understand what we classify as sensitive
1:42 then how are we going to ever know how
1:45 to protect it next up we have integrity
1:46 so really this is just focused on
1:48 maintaining the accuracy and
1:50 trustworthiness of data so basically
1:52 just making sure that the data hasn't
1:54 been altered in any
1:57 way so ways we can do this are for
2:00 example hashing so if you ever download
2:01 like um for example Kali Linux or
2:02 something to play around and build your
2:05 own home lab a lot of times those
2:06 software downloads will tell you what
2:08 the hash is of the of the actual
2:10 download so that way when you download
2:11 something you can compare the hash of it
2:13 make sure it's correct if it's not
2:15 correct it could mean that that file was
2:17 altered by somebody else right so
2:19 potentially it's malicious so that's
2:21 what we can do with hash functions
2:24 also digital signatures Etc and also
2:26 Version Control can all be used to help
2:28 us ensure that data integrity and then
2:31 finally we have availability so
2:34 availability just make sure that people
2:36 systems applications Etc making sure
2:38 that the resources that all those things
2:40 need are accessible and usable when they
2:43 need them um a good example of this
2:44 would be like let's say you have a
2:47 website and let's say Ken's a bad guy
2:50 that day and I do what's called a DoS
2:51 attack or distributed denial service
2:53 attack against your website which all
2:55 that is is uh just think about it like a
2:58 snowball fight so let's say that you and
3:00 I get in a snowball fight I throw a
3:02 snowball at you you throw one at me for
3:03 the most part you can handle that right
3:04 because I got to make the snowball then
3:06 I got to throw it now let's say that
3:08 I've got a hundred of my friends though
3:10 and we all throw snowballs at you you're
3:12 going to block a couple but eventually I
3:14 mean there's a hundred snowballs
3:15 coming at you you're going to get hit
3:16 you're probably going to get knocked
3:17 down you're going to get a bunch of
3:19 snowballs in your face right and that's
3:21 all a DoS attack is it's just people
3:23 throwing a bunch of snowballs at you and
3:25 overwhelming your web server so your
3:27 website goes down so that's an example
3:29 of availability if someone does that
3:31 then your customers can't access your
3:33 website and maybe maybe you've got an
3:35 e-commerce business where that's the
3:37 only way you can make money so now you
3:38 can't get any sales for your business
3:40 because someone took down their website
3:41 so that's the availability aspect of it
3:44 so for example with the example I gave
3:45 we would want to build protections
3:48 against the DoS attack so for example
3:50 using something like cloudflare with
3:51 your website so there's like another
3:53 check in place to make sure that someone
3:54 can't just do a simple DoS attack
3:57 against your website also making sure
3:59 that we don't have Hardware failures
4:01 right or that we've built resiliency so
4:02 when you hear the terminology of cyber
4:05 resil resiliency if I can pronounce it
4:06 correctly that's what we're talking
4:08 about right that's making sure that
4:11 the organization has that availability
4:13 across all those
4:16 assets next up we have non-repudiation
4:18 so if someone's like hey I didn't do
4:20 that non-repudiation is basically just
4:22 making sure that we've got tracking in
4:24 place to make sure that a user cannot
4:26 deny the authenticity or Integrity of a
4:28 message they sent or some kind of
4:31 transaction they have so for example if
4:34 I um you know let's say you send me an
4:36 email and you say Ken you're a jackass
4:38 and I go complain to HR non-repudiation
4:40 would mean that we've got tracking in
4:42 place to prove that that email came from
4:44 your system at the time that you would
4:46 have been working and maybe we have a
4:47 security camera in the office as well
4:48 that shows you were at the system while
4:52 that email was sent so really yeah maybe
4:54 there was a bad hacker that broke in and
4:57 did all this stuff but we've got proof
4:59 honestly that you did it right that you
5:00 sent the the email say Ken saying Ken
5:03 was a jackass so the ways we can do
5:04 non-repudiation include things like
5:06 digital signatures time stamping of
5:08 course our audit logging etc etc right so
5:10 just basically getting that proof in
5:13 advance and making sure that hey this
5:15 was the person or system or application
5:16 that did the thing that we're thinking
5:19 they did so next up we have AAA again
5:21 not the place it comes when your car is
5:23 broke down but this AAA is
5:25 authentication authorization and
5:26 accounting what does it all mean are we
5:28 talking about accounting and and doing
5:30 all the numbers and figuring finances no
5:32 we're talking about something else right
5:35 so authentication is where we'll start
5:36 and that's basically just a process of
5:38 verifying an identity of a user a system
5:40 or application so it's just basically
5:42 confirming that identity saying okay
5:44 this person or system or application Etc
5:47 is who they who they are or what they
5:49 claim to be and we can do this through
5:51 various methods in cyber security world
5:53 so this could be like password using two
5:55 Factor authentication uh security
5:59 tokens Biometrics uh etc etc right um
6:01 authorization is the next one and that's
6:03 where we just determine what actions or
6:05 resources that the the authenticated
6:07 user or system or application is allowed
6:10 to access so basically just making sure
6:13 that um let's say for example that I'm a
6:15 nurse making sure that I got I've got
6:16 the appropriate permissions I need to
6:18 actually chart on a patient after I take
6:21 their vital signs so ways some ways we
6:23 can do this are RBAC and ABAC so
6:25 RBAC just stands for rule-based Access
6:28 Control ABAC just stands for attribute
6:30 based Access Control um so role-based in
6:32 the example of a nurse I could say okay
6:33 all the nurses coming in the company get
6:36 this level of access and then I could
6:38 say from an attribute standpoint I can
6:40 say based on the fact that this nurse
6:43 Works in Texas I'm going to give them a
6:45 little more granular access based on
6:47 where they work so they can't access
6:49 patient information from a patient over
6:51 in Florida for example um you don't
6:52 normally see that level of granular
6:55 access in in the nursing realm um but
6:56 that's an example of how it might be
6:59 used using RBAC and ABAC there's also
7:01 something called PBAC which is policy
7:03 based access control so again we could
7:05 just set a policy to automate giving
7:08 that access so a lot of things around
7:09 Access Control we're not going to dive
7:11 into that stuff in this video but again
7:12 those are some of the ways we can do the
7:15 authorization part now accounting is
7:17 similar in the aspect of the financial
7:18 stuff it involves tracking right so but
7:20 in this example we're tracking and
7:22 recording the activities of
7:23 authenticated users or systems or
7:25 applications so basically we can get a
7:28 record of who's accessed what when they
7:30 when did they access
7:31 um again that's all related to the
7:33 auditing process and and part of that is
7:35 related to compliance but also part of
7:37 that is related to our incident response
7:39 in our forensic analysis so if we do
7:40 have an incident we can actually track
7:43 back and say okay this is what happened
7:45 this is who or what accessed this stuff
7:49 and then finally we've got Gap analysis
7:50 if you're not familiar with gap analysis
7:52 basically it's just a process to assess
7:54 the difference between our current state
7:55 and the state we want to get to so in
7:58 the example of cyber security we're
7:59 analyzing our current state or current
8:01 of cyber security or a current security
8:04 posture is what it's called and where do
8:05 we want to get to right what's kind of
8:07 that Gap that we have you know is that
8:09 do we have certain vulnerabilities or
8:11 other weaknesses are there areas where
8:13 we can improve guess what spoiler alert
8:15 there are always areas we can improve in
8:17 security so really what this allows us
8:20 to do is is get that analysis of like
8:22 where our gaps are and how can we get
8:24 better you know can we Implement more
8:26 security controls can we
8:29 optimize uh processes um etc etc right
8:31 like what do we need to change to get
8:34 better and better over time so by
8:35 understanding all of these Concepts so
8:38 again CIA Triad AAA non-repudiation and
8:42 GAP analysis um all this stuff helps us
8:44 as cyber security practitioners help our
8:46 organization strengthen their cyber security
8:48 posture and really just help them better
8:50 protect their valuable assets which
8:51 could be a number of different things
8:53 right we're not just talking about um
8:56 the latest uh Instagram post that
8:57 we're trying to protect right and make
8:59 sure that's not altered we are honestly
9:01 talking about human life in some
9:03 instances right um earlier I mentioned
9:06 the example of a a steamer a steam valve
9:08 going off in and killing someone right
9:09 um and actually that was in a previous
9:11 video on the controls I believe security
9:13 controls but things like that actually
9:16 could impact human life so that's why
9:17 this stuff is such a serious matter and
9:18 that's why it's important to understand
9:21 it so if you like these videos though
9:23 let me know in the comments below if you
9:25 like these videos that we do for
9:26 certification prep if it helps you at
9:28 all um that's the only way we know to do
9:30 more of right is is by you telling us