1
00:00:00,140 --> 00:00:03,980
One of the most fundamental security principles that a lot of organizations miss

2
00:00:04,010 --> 00:00:07,280
is reducing or restricting the attack surface.

3
00:00:07,310 --> 00:00:13,190
This includes changing the default configurations and the lack of system hardening. Some of the ways

4
00:00:13,190 --> 00:00:19,580
in which system hardening can be implemented include disabling the default services, restricting default

5
00:00:19,580 --> 00:00:26,720
permissions that start up with a power-on, default usernames and passwords, open ports and so on.

6
00:00:27,650 --> 00:00:34,190
Concerning passwords and credentials, a policy must be developed that enforces the usage of complex

7
00:00:34,190 --> 00:00:41,810
passwords with more than an eight-character limit, with a mandated usage of numeric values, capital

8
00:00:41,810 --> 00:00:43,940
letters and special characters.

9
00:00:43,970 --> 00:00:48,110
A password change policy must also be in place.

10
00:00:48,140 --> 00:00:50,420
Network Segmentation.

11
00:00:50,450 --> 00:00:58,610
Network segmentation refers to segregating a network into subnetworks with the aim of improving performance

12
00:00:58,610 --> 00:00:59,480
and security,

13
00:00:59,480 --> 00:01:04,280
that is, a reduced attack surface and grouping systems with similar security needs.

14
00:01:04,310 --> 00:01:11,930
This can be achieved by implementing firewalls, a virtual local area network (VLAN) and software-defined

15
00:01:11,960 --> 00:01:14,750
networking (SD-WAN), to name a few.

16
00:01:15,960 --> 00:01:23,100
Proper network segmentation will allow the organization to segregate low-priority and low-trust network

17
00:01:23,100 --> 00:01:27,390
areas from the rest of the infrastructure or critical network segments,

18
00:01:27,420 --> 00:01:32,430
thus preventing widespread impact in the event of a cyber attack.
19
00:01:32,460 --> 00:01:38,580
This also helps with utilizing security monitoring platforms and access controls for the most business-

20
00:01:38,580 --> 00:01:40,620
critical segments of the organization.

21
00:01:41,190 --> 00:01:43,200
Network Choke Points.

22
00:01:44,070 --> 00:01:50,610
One of the major differentiating aspects between a fragile and a resilient cybersecurity program is the

23
00:01:50,610 --> 00:01:55,680
strategy and approach toward building a comprehensive foundation.

24
00:01:55,710 --> 00:02:03,150
This foundation can be built only by having a clear visualization of the logical and technological layout

25
00:02:03,150 --> 00:02:04,410
of the environment.

26
00:02:04,560 --> 00:02:12,300
For example, identifying and adequately monitoring bottlenecks and choke points can often help us discover

27
00:02:12,300 --> 00:02:15,840
larger and deeper problems in the network's foundation.

28
00:02:15,990 --> 00:02:24,360
In military terms, a choke point is a location on land or sea, a valley or a strait, where the military

29
00:02:24,360 --> 00:02:31,770
is forced to pass through a narrow column, which makes it easier for an opposing force to take them

30
00:02:31,770 --> 00:02:32,970
out with ease.

31
00:02:33,670 --> 00:02:39,790
Technically, this is a shooting-fish-in-a-barrel kind of situation. In networking terms,

32
00:02:39,820 --> 00:02:46,750
a similar situation is faced when the data flow of a network is restricted due to bandwidth or application

33
00:02:46,750 --> 00:02:50,110
constraints. From a network security standpoint,

34
00:02:50,140 --> 00:02:56,170
common examples include implementing a firewall for an internet-facing site or a load balancer that

35
00:02:56,170 --> 00:03:00,070
reroutes traffic based on bandwidth consumption.

36
00:03:00,310 --> 00:03:08,270
In the case of a distributed denial of service (DDoS) or denial of service (DoS) attack, this can add

37
00:03:08,270 --> 00:03:10,060
to cyber resiliency.
38
00:03:10,060 --> 00:03:16,900
So today we can build such scalable and highly available load balancers over the cloud by using services

39
00:03:16,900 --> 00:03:19,030
such as Google Cloud.

40
00:03:19,840 --> 00:03:21,430
Defense in Depth.

41
00:03:21,670 --> 00:03:27,940
This is an implementation approach where multiple layers of security or defensive controls throughout the

42
00:03:27,940 --> 00:03:32,920
environment or landscape provide redundancy in case of a security incident.

43
00:03:32,950 --> 00:03:35,360
This is also known as the castle approach.

44
00:03:35,360 --> 00:03:41,930
So the reason why this approach is important is that it takes the weight off a single cybersecurity

45
00:03:41,930 --> 00:03:49,640
defensive control and supplements or complements the security strategy by having multiple independent

46
00:03:49,640 --> 00:03:53,060
controls in place at different layers.

47
00:03:53,720 --> 00:04:01,130
Originally, this was a military strategy, also known as deep defense, that sought to hinder the

48
00:04:01,130 --> 00:04:03,560
movement of enemy forces.

49
00:04:03,590 --> 00:04:11,420
The focus is not on stopping them entirely via frontal assault, but on buying time and slowing

50
00:04:11,420 --> 00:04:13,850
down the attack's progression.

51
00:04:13,880 --> 00:04:21,950
This is an effective measure, as it often results in the attacker losing momentum over a period of time

52
00:04:21,950 --> 00:04:24,560
due to no or less progress.

53
00:04:24,590 --> 00:04:32,270
This vital time can be used to mount an attack on the assault forces or reinforce the defenses of the

54
00:04:32,270 --> 00:04:33,620
defending team.
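The segmentation and choke-point passages of this lecture both come down to one practical question: does traffic that reaches a critical segment actually pass through the controls the design assumes? The following Python script is an added example, not material from the lecture or its author. It audits constructed flow records (the kind a firewall or NetFlow collector exports) against a constructed segmentation policy: four segments with trust tiers, and an allow-list of the only source/destination/port combinations permitted to move "upward" in trust. Any flow that climbs toward a more trusted segment outside that allow-list, or that comes from an address no segment claims, is reported. All segment ranges, ports and addresses are invented sample values.

```python
"""Audit flow records against a network segmentation policy.

Added illustration, not code from the lecture. Segments, trust tiers,
policy and flow records below are all constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segments: each subnet is assigned a trust tier.
SEGMENTS = {
    "guest-wifi": (ipaddress.ip_network("10.10.0.0/16"), "low"),
    "corp-users": (ipaddress.ip_network("10.20.0.0/16"), "medium"),
    "mgmt-jump":  (ipaddress.ip_network("10.30.0.0/24"), "high"),
    "critical":   (ipaddress.ip_network("10.40.0.0/24"), "critical"),
}

TRUST_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed policy: the only (source, destination, dport) combinations that
# may cross into a more trusted segment. These are the choke points the design
# relies on; anything else moving upward in trust is a violation.
ALLOWED_UPWARD = {
    ("corp-users", "mgmt-jump", 443),  # users reach the jump host's web UI
    ("mgmt-jump", "critical", 22),     # jump host administers critical servers
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(ip: str):
    """Return the segment name that contains ip, or None if no segment claims it."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _tier) in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,dport,proto' record (constructed export format)."""
    src, dst, dport, proto = (field.strip() for field in line.split(","))
    return Flow(src, dst, int(dport), proto.lower())


def check_flow(flow: Flow):
    """Return a violation reason, or None if the flow is acceptable under the policy."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s is None or d is None:
        return f"unknown segment: {flow.src} -> {flow.dst}"
    if s == d:
        return None  # traffic inside one segment is not a segmentation concern here
    src_rank = TRUST_RANK[SEGMENTS[s][1]]
    dst_rank = TRUST_RANK[SEGMENTS[d][1]]
    if dst_rank <= src_rank:
        return None  # lateral or downward in trust: out of scope for this check
    if (s, d, flow.dport) in ALLOWED_UPWARD:
        return None
    return f"{s} -> {d}:{flow.dport}/{flow.proto} not permitted by policy"


def audit(lines):
    """Return [(record, reason)] for every record that violates the policy."""
    violations = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        reason = check_flow(parse_flow(line))
        if reason:
            violations.append((line, reason))
    return violations


# Constructed flow records, as a firewall or NetFlow collector might export them.
SAMPLE_FLOWS = [
    "# src,dst,dport,proto",
    "10.20.5.17,10.30.0.10,443,tcp",    # allowed: user to jump host
    "10.30.0.10,10.40.0.25,22,tcp",     # allowed: jump host to critical server
    "10.10.44.2,10.40.0.25,3389,tcp",   # violation: guest Wi-Fi straight to critical
    "10.20.5.17,10.40.0.25,22,tcp",     # violation: user bypasses the jump host
    "10.40.0.25,10.20.5.17,49152,tcp",  # downward in trust: not flagged by this check
    "192.168.1.5,10.40.0.25,443,tcp",   # violation: address outside every known segment
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"{record}  ->  {reason}")
```

Run against real exports, the interesting hits are the ones like the fourth record: a flow that technically terminates on an allowed port but skipped the choke point the architecture assumed, which is exactly the class of foundation problem the lecture says choke-point monitoring tends to surface. Flows downward in trust are deliberately left alone so that the report stays focused on segmentation bypass rather than on everything the firewall saw.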