1
00:00:01,630 --> 00:00:05,230
We'll cover one more security consideration at the end.

2
00:00:05,240 --> 00:00:12,450
This issue involves isolating programs in a perfect world you would not need to run any applications

3
00:00:12,450 --> 00:00:14,010
that are not trusted.

4
00:00:16,010 --> 00:00:18,480
This is not the case though.

5
00:00:18,720 --> 00:00:23,520
Sometimes you have to run a line of business application that was created several years ago by a person

6
00:00:23,520 --> 00:00:25,680
who is no longer the company's employee.

7
00:00:28,010 --> 00:00:32,690
It could also be that employees have grown used to purchase a piece of software and are reluctant to

8
00:00:32,690 --> 00:00:34,060
switch to anything newer

9
00:00:36,830 --> 00:00:39,500
A solution is isolating these programs.

10
00:00:40,390 --> 00:00:41,780
How is this achieved.

11
00:00:43,900 --> 00:00:51,930
First of all isolating may involve the key security boundary that is a computer you can set aside a

12
00:00:51,930 --> 00:01:00,790
dedicated computer for running this one application the computer will then obviously not be in a domain.

13
00:01:00,980 --> 00:01:05,870
The solution is secure but not very functional.

14
00:01:05,940 --> 00:01:10,610
Users are unlikely to want to have to switch between three computers to be able to work efficiently

15
00:01:14,810 --> 00:01:21,110
can also virtualize the software using a second security boundary an operating system.

16
00:01:21,350 --> 00:01:24,340
You can watch a virtual system and install software in it.

17
00:01:26,020 --> 00:01:31,630
This is an expedient solution that is easy to implement as a Windows 7 system has this mechanism has

18
00:01:31,630 --> 00:01:39,990
an inbuilt function you can run virtual PCs in Windows 7 this feature is available from Microsoft's

19
00:01:40,040 --> 00:01:42,140
website.

20
00:01:42,290 --> 00:01:50,870
Then in prepared virtual machines you can install any software to make integration seamless programs

21
00:01:50,870 --> 00:01:55,190
that are installed in virtual systems can be launched from the start menu of a host system

22
00:01:57,840 --> 00:02:02,670
after you click on an icon a virtual machine is started in the background.

23
00:02:03,060 --> 00:02:05,870
The software is run in the virtual environment.

24
00:02:05,970 --> 00:02:09,160
Everything is working fine.

25
00:02:09,220 --> 00:02:16,440
The virtual machine is obviously not in a domain the same passwords aren't stored there.

26
00:02:16,620 --> 00:02:20,210
It's quite secure.

27
00:02:20,240 --> 00:02:27,200
You can also give up standard security boundaries and attempt to isolate a program by running in a sandbox.

28
00:02:27,260 --> 00:02:32,300
One of the earlier lectures discussed the fact that Internet Explorer is to some extent sandbox to or

29
00:02:32,300 --> 00:02:33,040
isolated

30
00:02:35,890 --> 00:02:41,190
this refers to Internet Explorer running at a low security level when it's in the protected mode.

31
00:02:43,130 --> 00:02:50,150
We also said that the sandbox isn't a true instance of isolation an Internet Explorer process can read

32
00:02:50,150 --> 00:02:54,640
user data and forward it to the Internet but can't modify it.

33
00:02:54,640 --> 00:02:58,090
This usually isn't exactly what we want when we talk of data security

34
00:03:04,000 --> 00:03:05,470
to remedy the situation.

35
00:03:05,470 --> 00:03:08,990
You can use third party software.

36
00:03:09,010 --> 00:03:15,810
There are many solutions available both free and commercial in this presentation we'll see an example

37
00:03:15,810 --> 00:03:18,780
of this software.

38
00:03:18,980 --> 00:03:21,250
The program we'll use is called sandbox.

39
00:03:21,280 --> 00:03:34,990
IEEE Sandboxie is a popular and easy to use application you can run any software in sandbox mode.

40
00:03:35,010 --> 00:03:40,830
The program is designed to virtualize and intercept communications between a started application and

41
00:03:40,830 --> 00:03:41,490
a system

42
00:03:45,350 --> 00:03:49,520
all files written to buy a specific program will be written in a protected area.

43
00:03:51,280 --> 00:03:58,790
Sandbox will also disable a program from reading data that is outside the sandbox.

44
00:03:58,860 --> 00:04:05,680
The program addresses software isolation and security issues as well as enhances privacy.

45
00:04:05,690 --> 00:04:11,180
You can clear or create a sandbox at any moment and return to a point before configuration changes in

46
00:04:11,180 --> 00:04:12,740
the software were applied.

47
00:04:16,500 --> 00:04:21,900
Let's now quickly see how intuitive and transparent for a user it is to virtualize a program using tools

48
00:04:21,900 --> 00:04:29,330
like sandbox IEEE will select a program that we want to run sandbox.

49
00:04:29,360 --> 00:04:38,090
It can be anything we'll choose wireshark don't simply run it select Run sandbox from the context menu

50
00:04:40,060 --> 00:04:45,310
the option will appear after you install sandbox i.e. next.

51
00:04:45,320 --> 00:04:53,960
You should select the sandbox in which the program will run usually there is more than one sandbox that

52
00:04:53,960 --> 00:04:56,810
can be created for example for specific applications.

53
00:04:56,810 --> 00:05:06,530
If you don't want them to exchange data will you use the default sandbox when you run your program.

54
00:05:06,530 --> 00:05:10,550
Nothing has visibly changed from a user standpoint.

55
00:05:10,630 --> 00:05:12,100
The program is running.

56
00:05:12,370 --> 00:05:16,890
You can see that it's virtualise and protected from the yellow border framing the program's window

57
00:05:19,740 --> 00:05:22,550
taking a look at the sandbox menu.

58
00:05:22,830 --> 00:05:28,690
You can see that the program run sandbox if it's necessary.

59
00:05:28,750 --> 00:05:33,450
You can delete the contents of the default sandbox or recover it to a prepared point.

60
00:05:35,390 --> 00:05:40,730
Sandbox provides a guarantee that the program you run has no direct chance of interacting with anything

61
00:05:40,730 --> 00:05:44,070
that is outside the sandbox.

62
00:05:44,080 --> 00:05:46,330
This is a simple and elegant solution.

63
00:05:48,120 --> 00:05:55,370
This module discussed administrative techniques and approaches for controlling user run software the

64
00:05:55,410 --> 00:06:00,850
module emphasized the importance of regular software updates.

65
00:06:00,920 --> 00:06:05,720
It also covered methods or system functionalities designed to determine what programs can be allowed

66
00:06:05,720 --> 00:06:07,990
to run and what programs will be blocked.

67
00:06:09,710 --> 00:06:14,870
This involved a discussion of rules that identify software and mechanisms that can allow you to run

68
00:06:14,870 --> 00:06:19,980
insecure programs in a relatively secure manner.

69
00:06:19,980 --> 00:06:26,200
This included virtualization and software isolation in a sandbox thinking.