1
00:00:00,510 --> 00:00:05,930
How do we know what security controls to assign to an asset to protect it.

2
00:00:06,210 --> 00:00:09,210
Well you should know the answer to this as discussed.

3
00:00:09,210 --> 00:00:17,130
We do a risk assessment considering the threats or abilities and consequences to the assets and select

4
00:00:17,190 --> 00:00:19,170
appropriate security controls.

5
00:00:19,170 --> 00:00:27,240
But what exactly do our assets need from our security controls the security controls need to enable

6
00:00:27,480 --> 00:00:31,510
what we will call security attributes.

7
00:00:31,610 --> 00:00:37,260
We need to consider the type of security control we might need for an asset is to think about the asset

8
00:00:37,710 --> 00:00:40,030
in terms of its needs.

9
00:00:40,050 --> 00:00:46,200
For confidentiality integrity and availability.

10
00:00:46,200 --> 00:00:48,080
So let's define those three things.

11
00:00:48,080 --> 00:00:54,950
Now confidentiality do we not want the asset disclosed to anyone.

12
00:00:55,190 --> 00:01:03,000
I say that the asset is not disclosed to own authorized individuals entities and processes.

13
00:01:03,000 --> 00:01:12,080
If that is true that the asset that defines the sort of security controls we need for that asset.

14
00:01:12,090 --> 00:01:13,140
The next one.

15
00:01:13,140 --> 00:01:18,310
Integrity do we not want the asset on intentionally altered.

16
00:01:18,310 --> 00:01:26,430
Do we want to maintain and assure the accuracy and completeness of the asset over its entire lifecycle.

17
00:01:26,430 --> 00:01:32,920
This means that the asset cannot be modified and authorized or undetermined manner.

18
00:01:33,150 --> 00:01:41,100
Determining the security controls the last one availability do we not want it destroyed i.e. for any

19
00:01:41,100 --> 00:01:42,590
asset to serve its purpose.

20
00:01:42,600 --> 00:01:45,210
It must be available when it is needed.

21
00:01:45,210 --> 00:01:51,820
This means the systems used to store and process the asset the security controls used to protect it.

22
00:01:51,930 --> 00:01:56,850
The communication channels used to access it must be functioning correctly.

23
00:01:56,880 --> 00:02:01,780
Again this is determining the types of security controls.

24
00:02:01,830 --> 00:02:10,290
If that is a security attribute that the asset requires CIA it is known in the security industry as

25
00:02:10,290 --> 00:02:10,830
the.

26
00:02:11,020 --> 00:02:12,530
A triad.

27
00:02:12,600 --> 00:02:17,660
Its a very old but still well used security paradigm.

28
00:02:17,760 --> 00:02:22,130
And we can call these CIA these confidentiality integrity available.

29
00:02:22,180 --> 00:02:31,500
They can call each of those security attributes all the security properties that an asset needs to be

30
00:02:31,500 --> 00:02:34,350
secure as the security expert.

31
00:02:34,590 --> 00:02:43,380
You need to help determine what the assets are and assign what security attributes that are required

32
00:02:43,440 --> 00:02:48,900
for the asset so that it can be secured to within acceptable levels of risk.

33
00:02:48,960 --> 00:02:55,770
You would do this by questioning the owner of the entity that you are trying to secure and find out

34
00:02:55,770 --> 00:02:57,110
what they require.

35
00:02:57,120 --> 00:03:00,300
What does security mean to the owner.

36
00:03:00,360 --> 00:03:06,270
Thats why somebody can't say to you give me a secure system because you don't know what secure means

37
00:03:06,600 --> 00:03:13,800
you have to ask them what secure means and what method one technique is to use security attributes and

38
00:03:13,800 --> 00:03:17,250
find out what attributes those assets need.

39
00:03:17,250 --> 00:03:19,130
Does it need see.

40
00:03:19,210 --> 00:03:20,080
Or a.

41
00:03:20,190 --> 00:03:25,310
So you do a requirements gathering for the security needs or attributes of assets.

42
00:03:25,320 --> 00:03:27,560
You simply ask the owner what they want.

43
00:03:27,570 --> 00:03:32,640
This isn't always a simple process because you have to guide them with your expertise and they tell

44
00:03:32,640 --> 00:03:35,590
you what security means to them for that asset.

45
00:03:35,880 --> 00:03:44,600
Many security attributes have been proposed over time see a being the original and well referenced but

46
00:03:44,640 --> 00:03:45,760
it has its problems.

47
00:03:45,780 --> 00:03:53,460
The CIA doesn't cover all security needs and it does not speak in the language of the business or the

48
00:03:53,460 --> 00:03:55,620
way business people like to talk.

49
00:03:55,620 --> 00:04:01,710
So in 1998 a guy called Don park proposed an alternative model to the CIA triad.

50
00:04:01,720 --> 00:04:09,620
They called the six atomic elements of information all the park here and hexane the security attributes

51
00:04:09,650 --> 00:04:11,050
are confidentiality.

52
00:04:11,070 --> 00:04:17,010
As we've already known possession which is the new want integrity authenticity you know the new OWN

53
00:04:17,010 --> 00:04:23,800
availability and utility and the new arm of the new ones from the CIA.

54
00:04:23,850 --> 00:04:29,150
We have the first one possession or control is it can be called Let's define these.

55
00:04:29,220 --> 00:04:38,430
This would be a loss of control or possession of an asset but does not involve the breach of confidentiality.

56
00:04:38,430 --> 00:04:47,190
You've also got authenticity which refers to the veracity of the claim of origin or authorship of the

57
00:04:47,190 --> 00:04:48,050
asset.

58
00:04:48,360 --> 00:04:53,670
And then you have utility which means usefulness which again isn't part of CIA.

59
00:04:53,670 --> 00:05:03,330
So for example ransom where bankruptcy uses data the asset then is no longer useful it has no utility.

60
00:05:03,480 --> 00:05:10,050
So if you are just using the CIA as security attributes you would not have usefulness as an option but

61
00:05:10,050 --> 00:05:13,130
you would have available you which is similar.

62
00:05:13,350 --> 00:05:18,740
So these security attributes can be used to define asset security controls.

63
00:05:18,750 --> 00:05:24,870
As we said not in the park area and aid is non repudiation.

64
00:05:24,960 --> 00:05:30,780
And no the common security attribute we will see you mentioned if you read security literature.

65
00:05:30,990 --> 00:05:40,850
So no repudiation in the law implies Warnes intention to fulfill obligations to a contract in cybersecurity.

66
00:05:40,890 --> 00:05:47,430
It implies that one party of a transaction cannot deny having received a transaction or message.

67
00:05:47,430 --> 00:05:53,820
Nor can the other party deny having sent a transaction or message a non repudiation and shows that the

68
00:05:53,820 --> 00:05:57,420
sender can't deny sending the message.

69
00:05:57,570 --> 00:06:01,010
And there's also two other important and well referenced security and abuse.

70
00:06:01,030 --> 00:06:10,400
And those are authentication and authorization authentication verifies the identity of the user or system.

71
00:06:10,440 --> 00:06:12,270
Is it what it claims to be.

72
00:06:12,270 --> 00:06:14,990
Are you who you claim to be is the answer.

73
00:06:15,120 --> 00:06:16,460
What it claims to be.

74
00:06:16,590 --> 00:06:25,440
And then you have authorization so upon authentication of the identity or of an identity authorization

75
00:06:25,440 --> 00:06:28,860
determines what is it allowed to access.

76
00:06:28,920 --> 00:06:30,430
So authorization.

77
00:06:30,450 --> 00:06:37,140
What is it allowed to access authentication verifies the identity of the user or system.

78
00:06:37,140 --> 00:06:39,080
Is it what it claims to be.

79
00:06:39,120 --> 00:06:44,760
So as you can see there are many security attributes that we might want to assign to an asset or think

80
00:06:44,760 --> 00:06:48,520
about in terms of an asset in terms of security controls.

81
00:06:48,520 --> 00:06:54,310
And from these this enables us to choose security controls that provide those attributes.

82
00:06:54,480 --> 00:06:57,860
Let's get a little bit more tangible here with some examples.

83
00:06:57,930 --> 00:07:06,120
So if something is encrypted this can provide confidentiality if something is hashed this can provide

84
00:07:06,180 --> 00:07:09,840
integrity if something is digitally signed.

85
00:07:09,840 --> 00:07:17,790
This can also provide authentication on repudiation and integrity is something is encrypted and digitally

86
00:07:17,790 --> 00:07:18,490
signed.

87
00:07:18,540 --> 00:07:25,380
This can also provide confidentiality authentication non repudiation and integrity.

88
00:07:25,530 --> 00:07:30,480
So you can see that how we've gone from an asset to an obvious could attribute to then having security

89
00:07:30,480 --> 00:07:37,470
controls encryption and hashing and digital signatures then meet those security attributes that where

90
00:07:37,470 --> 00:07:42,750
if you didn't understand about what hashes or encryption all those things were going to go through as

91
00:07:42,750 --> 00:07:43,700
we go through the course.

92
00:07:43,710 --> 00:07:48,360
But it's just to show you the path through which we have our asset.

93
00:07:48,390 --> 00:07:53,690
We have our security attributes and then we have our security control that meets our security needs

94
00:07:53,690 --> 00:07:55,200
our security attributes.

95
00:07:55,320 --> 00:08:02,280
So as you can see the way we're talking we're not really talking in the way a business owner or a business

96
00:08:02,280 --> 00:08:04,100
person likes to speak.

97
00:08:04,170 --> 00:08:09,970
And it's often a business that is the entity by which we're trying to secure in cybersecurity.

98
00:08:09,970 --> 00:08:17,190
So this brings to light to use for designing security architectures that businesses and that's the ceps

99
00:08:17,640 --> 00:08:19,590
business attributes.

100
00:08:19,590 --> 00:08:20,620
And here we are.

101
00:08:20,760 --> 00:08:25,210
If we look here we can see security attributes or as they call them business attributes.

102
00:08:25,380 --> 00:08:31,170
But these speak a little better to the business to understand the security requirements i.e. security

103
00:08:31,170 --> 00:08:38,120
controls for assets you determine if these business attributes here are acquired.

104
00:08:38,250 --> 00:08:40,110
Maybe they're not required are they.

105
00:08:40,120 --> 00:08:46,680
Nice to have your assets you would look at their use of attribute management attribute operational attributes

106
00:08:47,030 --> 00:08:50,660
do you need detectability that need to be error free.

107
00:08:50,730 --> 00:08:54,910
Or disability should it be legal will it be scalable.

108
00:08:54,930 --> 00:08:57,580
Should it be governable and so on.

109
00:08:57,600 --> 00:09:00,360
So that's confidentiality integrity and availability.

110
00:09:00,570 --> 00:09:04,440
And I'm taking you a little bit further than what you might yet understand a security course where they

111
00:09:04,440 --> 00:09:06,480
may just talk about the CIA.

112
00:09:06,510 --> 00:09:11,230
I want to give you a little bit more of the real world where you need some more than the CIA through

113
00:09:11,270 --> 00:09:16,730
to the parking area and heck sayd through to even having business attributes that come from sabse.

114
00:09:16,870 --> 00:09:20,140
If you're interested more in sabzi and check out that link there.