WEBVTT

00:07.250 --> 00:12.800
As an analyst, you'll be required to understand basic operating functions and how they interact with

00:12.800 --> 00:18.770
the different security mechanisms implemented within your own enterprise network. Within CISA,

00:18.800 --> 00:24.020
they have a basic understanding of both a Windows and a Linux machine, but not so much a Mac.

00:24.410 --> 00:29.120
macOS, while more secure, really isn't utilized in an enterprise environment that often.

00:29.120 --> 00:31.220
And so we really don't cover it in CISA.

00:31.640 --> 00:37.490
In fact, I have my own biases against macOS, being that in most enterprise environments, you'll

00:37.490 --> 00:42.470
be challenged to find an enterprise environment that utilizes mostly Mac computers.

00:42.470 --> 00:48.770
In fact, I estimate that about 95 to 98% of enterprise environments are solely using a combination

00:48.770 --> 00:53.330
of a majority of Windows machines and, secondarily, Linux machines.

00:53.330 --> 01:01.460
Very, very, very rarely will you find a specific industry that uses macOS, aside from graphics interfaces

01:01.460 --> 01:07.310
or marketing or something that has to do specifically with the utilization of audio and video.

01:07.340 --> 01:12.440
Otherwise, most enterprise environments are going to be Windows based and not macOS based.

01:12.620 --> 01:14.750
If you're using macOS, that's fine.

01:14.750 --> 01:20.330
Just realize that you need to understand Windows machines, and it might behoove you to create a virtual

01:20.330 --> 01:26.180
environment from which you could operate a Windows machine in order to learn security functions,

01:26.180 --> 01:32.840
as even most security programs and interfaces are now moving towards a Windows environment over that

01:32.840 --> 01:33.590
of Linux.

01:33.620 --> 01:34.970
We see this in the air.

01:35.000 --> 01:41.060
We also see it in different programs and utilities, where the expectation is that a Windows machine

01:41.060 --> 01:46.400
with a GUI interface is much more user friendly than, say, a Linux box or even macOS.

01:46.430 --> 01:50.570
There are different characteristics that come into play when talking about any operating system.

01:50.570 --> 01:54.560
It doesn't matter if it's a Linux or a Mac or even a Windows environment.

01:54.560 --> 01:56.390
The first one is device management.

01:56.420 --> 02:01.880
How am I managing different devices on my operating system, and how is that interface interacting with

02:01.880 --> 02:02.300
them?

02:02.300 --> 02:04.100
Meaning how is the keyboard used?

02:04.100 --> 02:07.070
How is a monitor or a mouse utilized?

02:07.070 --> 02:14.510
But there are other access points as well, whether it's a new hard drive, or maybe a pointer or even

02:14.510 --> 02:19.250
a webcam; that device management needs to be utilized inside the operating system.

02:19.250 --> 02:23.360
And how is that operating system catering to that specific device?

02:23.390 --> 02:24.920
Do I have to download new drivers?

02:24.920 --> 02:27.470
Do I have to just plug and play it?

02:27.500 --> 02:28.550
It really depends.

02:28.550 --> 02:30.050
There's the user interface.

02:30.050 --> 02:33.950
How am I interacting as a user with that specific operating system?

02:33.950 --> 02:37.130
With a Windows device, everything is double-click or drag.

02:37.160 --> 02:41.660
It's pretty easy to utilize a Windows system from a user interface model.

02:41.870 --> 02:48.080
Whereas a Linux box is much more derived from a command-line interface, and you're having to type

02:48.080 --> 02:53.840
in the command into the terminal in order to get the program or application to run. Resource management.

02:53.870 --> 02:56.810
How do I utilize resources within my environment?

02:56.870 --> 02:58.820
How is RAM being utilized?

02:58.820 --> 03:01.010
How is the processing power being utilized?

03:01.010 --> 03:06.320
All of this encompasses the resource management function of the specific operating system.

03:06.470 --> 03:08.090
Of course, there's process management.

03:08.120 --> 03:11.210
How are the processes being utilized within the different environments?

03:11.210 --> 03:17.090
And then finally, file system management, where Windows is different from a Mac versus a Linux system

03:17.090 --> 03:23.090
in terms of how those files are derived and how they are stored on my specific hard drive or even a

03:23.090 --> 03:23.990
USB drive.

03:23.990 --> 03:29.870
Within a Windows file structure, we utilize an NTFS system, or new technology for file system, as

03:29.870 --> 03:36.020
opposed to a FAT or a FAT32 system, for how we store our different files and directories on our system.

03:36.020 --> 03:39.230
Let's go over that now on a specific Windows device.

03:39.260 --> 03:39.620
All right.

03:39.650 --> 03:45.350
Within a Windows environment, you can see here that I've got a virtualized Windows 11 system.

03:45.350 --> 03:49.670
And it's just something to kind of showcase the different directories and subdirectories that we go

03:49.670 --> 03:50.330
through.

03:50.420 --> 03:53.180
At the very bottom you can see the file structure, or the File Explorer.

03:53.180 --> 03:54.440
I'm going to click on that.

03:54.470 --> 03:56.180
I'm going to scroll down to my C drive.

03:56.180 --> 03:59.540
It's only got the one operating system drive in this virtualized system.

03:59.540 --> 04:00.470
I click on that.

04:00.470 --> 04:03.050
And here you can see the Program Files (x86).

04:03.050 --> 04:06.200
It's an x86 system because it's a 64-bit system.

04:06.230 --> 04:07.850
You can see different users.

04:07.850 --> 04:11.750
This is where I would find the different users that are operating on this specific system.

04:11.870 --> 04:15.920
And then here you can see the different windows within here.

04:15.950 --> 04:16.190
Right.

04:16.220 --> 04:22.820
So if I double-click on this, I can see the different aspects integrated within a Windows file directory.

04:22.970 --> 04:27.500
If I enter regedit inside the system, it'll bring up the Registry Editor.

04:27.500 --> 04:29.210
It's going to ask me, and I'm going to press Yes.

04:29.210 --> 04:31.970
And you can see the five registries right now.

04:31.970 --> 04:36.500
This is a hierarchical database encompassing a wide range of settings.

04:36.680 --> 04:41.960
This could include things from desktop colors to networking to even security configurations.

04:42.230 --> 04:45.290
It allows different access within the system.

04:45.290 --> 04:51.110
So if I expand the Classes Root, you can see a lot of different files associated with this specific

04:51.110 --> 04:51.440
system.

04:51.440 --> 04:53.150
Now most of them just don't make sense, right?

04:53.180 --> 04:55.010
Let's say 386.

04:55.040 --> 05:00.830
And if I go in there, it's a reg SC. You don't need to go that much in depth with the Registry Editor.

05:00.830 --> 05:02.420
You just need to realize that it's there.

05:02.420 --> 05:02.780
Now.

05:02.780 --> 05:08.840
This registry structure comprises major entries known as hives, and each is dedicated to a specific

05:08.840 --> 05:11.750
context or function within the operating system.

05:12.290 --> 05:18.140
This can include settings, user configuration items, or machine configuration, and each hive consists

05:18.140 --> 05:20.720
of numerous associated entries called keys.

05:20.720 --> 05:27.980
So if I expand into this, you can see a SL and 60 key, and it provides virtual studio launcher as kind

05:27.980 --> 05:30.800
of the registry associated with it.

05:30.830 --> 05:35.840
Now this contains different data names, different data types, and of course different values associated

05:35.840 --> 05:38.450
with the specific hive.

05:38.990 --> 05:44.120
So for instance, if I go to the user, because we only have the one user and it's a default system,

05:44.120 --> 05:49.070
if I go in here, you can see that the value is not set, or any data brought into it.

05:49.070 --> 05:54.270
And you can see there's really just not a lot of information here that you can read without going into

05:54.270 --> 05:55.470
detail with it.

05:55.500 --> 05:58.560
If I go into the Local Machine, you can see Service Last Known.

05:58.560 --> 06:02.460
And then of course the data wasn't last seen because it hasn't been associated with it.

06:02.490 --> 06:06.480
But if I go into Hardware and I expand that out, I can see ACPI.

06:06.510 --> 06:07.980
I can see a description.

06:08.010 --> 06:09.510
I can go into systems.

06:09.510 --> 06:10.890
I can expand that even more.

06:10.920 --> 06:15.510
I can go to the BIOS, and I can even go to the Central Processor and start going through the different

06:15.510 --> 06:16.650
functionalities of it.

06:16.680 --> 06:18.990
Now again, you don't need to be able to read this.

06:18.990 --> 06:24.000
You just need to realize that the different hives are associated with the different keys within the

06:24.000 --> 06:30.060
structure, and that it's being utilized by the Windows system as our hierarchical database to encompass

06:30.060 --> 06:33.030
the different settings associated with Windows specifically.

06:33.060 --> 06:38.790
So if I press Ctrl+Alt+Delete on my keyboard, or if you're in VirtualBox, you can do Input,

06:38.910 --> 06:41.490
Keyboard, Ctrl+Alt+Delete.

06:41.520 --> 06:42.630
Let me show you that real quick.

06:42.660 --> 06:43.920
So we'll start from scratch.

06:43.950 --> 06:44.430
All right.

06:44.460 --> 06:50.070
On my virtual system, normally we would press Ctrl+Alt+Delete to get to our Task Manager. In VirtualBox,

06:50.070 --> 06:52.110
I'm going to go down to Input, Keyboard.

06:52.140 --> 06:56.850
I can do a soft keyboard right there and then just press Ctrl, Alt, and then Delete.

06:56.880 --> 07:00.570
Now there's other ways to do this, but this is a quick and easy version.

07:00.600 --> 07:02.580
I'm going to go to Task Manager.

07:03.060 --> 07:08.460
And then if I blow this up, you can see different aspects of this functionality.

07:08.490 --> 07:08.670
Right.

07:08.700 --> 07:13.740
So the first one being Processes. I can see the different processes available, the different CPU that's

07:13.740 --> 07:18.360
being utilized, in terms of how much memory. I can go through here.

07:18.360 --> 07:22.590
And I can expand that and say, hey, look, Microsoft Teams is actually taking quite a bit of memory.

07:22.590 --> 07:28.110
I can go into disk space utilization and then network utilization, and then finally power usage and

07:28.110 --> 07:31.290
power usage over time.

07:31.320 --> 07:31.560
Right.

07:31.590 --> 07:38.010
So the trend of what it's utilizing right now. This is all under the Windows processes that we're

07:38.010 --> 07:43.560
currently utilizing for this virtual machine and how it's interacting with the different aspects.

07:43.590 --> 07:53.180
Now, this is important because if you're ever doing a security sweep on a specific client machine,

07:53.180 --> 07:57.350
sometimes you'll notice something that's taking up quite a bit of CPU space.

07:57.470 --> 08:00.620
And that can be indicative of a process ongoing.

08:00.650 --> 08:04.940
Now again, we have to use a little bit of intelligence here, because I see a program that's using

08:04.940 --> 08:07.880
a lot of CPU space and a lot of memory space.

08:07.880 --> 08:09.500
Well, it could be indicative of an attack.

08:09.530 --> 08:13.220
It could also be indicative of the program running its normal processes.

08:13.220 --> 08:16.010
So this is where that baseline really comes into play.

08:16.010 --> 08:22.100
To find out what's going on with your system and understanding the different perplexities of that system.

08:22.130 --> 08:24.050
We can also do Internet Explorer.

08:24.080 --> 08:28.460
Internet Explorer is utilized in a lot of different aspects of a Windows machine.

08:28.490 --> 08:34.130
For instance, if I just do Edge like that, then that is the actual browser.

08:34.160 --> 08:38.000
But when we talk about Windows Explorer, this is actually the manager of what's going on.

08:38.000 --> 08:39.590
And that's what we're referring to here.

08:39.620 --> 08:44.450
So for instance, if I try to open up an application or let's say that I just want to do a search for

08:44.490 --> 08:45.330
something.

08:45.660 --> 08:46.410
It would open it up.

08:46.410 --> 08:47.790
So let's do Settings.

08:48.480 --> 08:49.350
Just like that.

08:49.350 --> 08:54.630
It's actually using Explorer to kind of provide that management framework between them.

08:54.660 --> 08:54.930
Right.

08:54.960 --> 08:56.550
So that's Windows Explorer.

08:56.580 --> 08:59.280
I can do a Client Server Runtime Subsystem.

08:59.280 --> 09:02.850
This is essential for the subsystem processes or operations.

09:03.000 --> 09:07.140
And then there are Windows logon processes, which we're not showing today because we're not logging

09:07.140 --> 09:07.740
in.

09:07.740 --> 09:08.790
It's a virtual system.

09:08.790 --> 09:11.730
So we don't have that capability without adding a bunch of users.

09:11.940 --> 09:16.530
And then, of course, I already showed you the Task Manager, so we know about that. Within a Linux

09:16.530 --> 09:17.370
file structure,

09:17.370 --> 09:21.990
it's obviously different than a Windows file structure, where it's point and click and there is minimal

09:21.990 --> 09:23.190
typing going on.

09:23.190 --> 09:27.540
And even when I did type a command, it popped up with a window that I was able to change, I could

09:27.540 --> 09:31.800
manipulate, I could drag, drop, I could double click on it, and it would do everything I want.

09:31.830 --> 09:36.480
While there are certain aspects of the Linux system that allow you to do that, the majority of the Linux

09:36.480 --> 09:38.820
file structure is all command-line interface.

09:38.820 --> 09:43.430
Let's explore the Linux file structure now in person within a Linux system.

09:43.430 --> 09:49.790
You can see here that I've got a basic VirtualBox running on a Linux platform over my Windows operating

09:49.790 --> 09:50.480
system.

09:50.720 --> 09:56.510
This Linux box is currently running Kali Linux 2020 4.1, and I'm going to access the command-line interface

09:56.510 --> 09:59.120
using this little box right here called a terminal.

09:59.150 --> 10:00.590
I'm going to open up this terminal.

10:00.590 --> 10:04.100
And then I'm going to press Ctrl and the plus sign to blow it up a little bit.

10:04.190 --> 10:04.910
There we go.

10:04.940 --> 10:06.740
You should be able to see that now and then.

10:06.740 --> 10:08.360
I'm just going to go through some basic commands.

10:08.360 --> 10:11.090
The first one I want to point out is the root terminal.

10:11.090 --> 10:17.060
Now, the root directory, I should say, I can access by doing cd /root, just like that.

10:17.060 --> 10:20.090
But it's going to deny me because I'm not logged into the system

10:20.090 --> 10:21.440
as a root user.

10:21.440 --> 10:25.610
I could access the system as the root user, but I caution you from doing so.

10:25.640 --> 10:31.550
The root system or the root directory is really protected to stop you from doing something stupid that

10:31.550 --> 10:33.110
you shouldn't be doing in the first place.

10:33.110 --> 10:39.860
Very rarely will we, as users on a Linux system, actually want to log in with root privileges because

10:39.860 --> 10:45.050
of that aspect of, if somebody gets access to our account, they can then change their directory.

10:45.050 --> 10:47.120
They can make some funky settings on there.

10:47.120 --> 10:48.080
What do you think?

10:48.080 --> 10:49.040
Root privileges.

10:49.070 --> 10:53.150
Think administrative control, and not just a little bit of administrative control.

10:53.150 --> 10:54.890
Full administrative control.

10:54.890 --> 10:56.420
That's the root directory.

10:56.570 --> 11:00.050
The next one I want to go through is the binary directory.

11:00.050 --> 11:03.050
So we're going to do a cd /binary, just like that.

11:03.080 --> 11:05.360
Or I should say bin, just like that.

11:05.360 --> 11:11.960
And then if I do an ls, I can see all the different files or structures annotated within this basic

11:11.960 --> 11:12.500
confines.

11:12.530 --> 11:12.770
Right.

11:12.800 --> 11:18.890
So we see all these little directories or subdirectories associated with our Linux box under

11:18.890 --> 11:20.660
the binary directory.

11:20.840 --> 11:24.020
The next one, if I want to go back, I'm just going to type in cd.

11:24.020 --> 11:27.200
And then I could do a .. to go back one space.

11:27.200 --> 11:30.260
And you can see that I'm no longer in that bin directory.

11:30.260 --> 11:33.410
I'm now in the original directory on top of it.

11:33.410 --> 11:35.630
So the next one I want to hit is the boot directory.

11:35.630 --> 11:38.630
So I'm going to do it the same way: cd /boot.

11:38.840 --> 11:41.930
The boot directory is dedicated for files essential

11:41.960 --> 11:47.690
for the booting process, i.e. when the system loads up for the first time, it needs this

11:47.690 --> 11:51.050
directory to kind of figure out where it's going, what it's doing with those different files, and

11:51.050 --> 11:54.050
how do I actually boot up. Again, I could do an ls.

11:54.080 --> 11:58.130
This is a list command within it, and quite a bit of a difference here, right?

11:58.130 --> 12:02.510
We don't have near as many files or directories or subdirectories going into it.

12:02.540 --> 12:05.300
You'll find out that we've only got one subdirectory, with grub.

12:05.330 --> 12:09.890
Now I could go into grub by typing cd grub, just like that.

12:09.890 --> 12:12.080
And then I could do another list command.

12:12.350 --> 12:17.150
And you can see here that it provides me three more directories or four more if you count fonts and

12:17.150 --> 12:18.410
the different aspects of that.

12:18.410 --> 12:24.080
If I want to go back more than one, unlike the cd .., I'm going to do a cd, just a backslash.

12:24.230 --> 12:28.010
Hit enter and you'll see that I am no longer in the boot directory or the grub directory.

12:28.010 --> 12:29.870
I'm all the way back at the beginning.

12:30.110 --> 12:36.260
The next one I want to do is etc, so I'm going to do cd /etc, just like so. I'm

12:36.260 --> 12:39.560
going to do another ls command, and you can see a little bit of a difference in there.

12:39.590 --> 12:43.790
Now this directory hosts system-wide configuration files and scripts.

12:44.000 --> 12:46.190
There's also some small programs in here.

12:46.190 --> 12:48.110
You'll notice that Python is in here.

12:48.140 --> 12:53.990
I think I saw Wireshark in here at some point, but you can see different aspects of the Linux system

12:53.990 --> 12:55.910
within the etc folder.

12:56.090 --> 12:59.810
If I want to go back again, I'm just going to do that cd .. and go through it.

12:59.810 --> 13:04.280
I want to also point out that I can press the up arrow to get any of those commands.

13:04.310 --> 13:06.470
I can press the down arrow to go back where I was.

13:06.470 --> 13:08.630
So I want to do a cd home next.

13:10.070 --> 13:10.730
There we go.

13:10.730 --> 13:13.550
And you can see I'm in the home directory right here.

13:14.030 --> 13:15.560
I may see that home directory.

13:15.560 --> 13:17.090
And I'm going to do an ls again.

13:17.090 --> 13:22.670
And you can see that this directory holds my personal directories for all my users that are associated

13:22.670 --> 13:23.600
with this system.

13:23.600 --> 13:25.580
So I'm logged in as Kate Kendrick.

13:25.610 --> 13:29.360
That's the only user associated with this current operating system.

13:29.360 --> 13:34.400
And so the home directory holds my specific user information associated with that.

13:34.400 --> 13:40.320
If there is more than one user, I could see the different users associated in the home directory and

13:40.320 --> 13:43.500
be able to identify the different personal directories of all the users.

13:43.530 --> 13:43.980
Right.

13:43.980 --> 13:45.360
So that's one other thing.

13:45.360 --> 13:51.840
Now I'm just going to press the up arrow to go cd .. to go back one directory.

13:52.230 --> 13:55.200
And then the last one I want to show you is the variable directory.

13:55.200 --> 13:59.580
And then we'll do cd variable, or var for short.

13:59.580 --> 14:00.750
And there you go.

14:00.780 --> 14:06.840
This directory contains data such as logs, and support logs that we just talked about, databases,

14:06.840 --> 14:10.500
websites, temporary files necessary for various programs to function.

14:10.650 --> 14:13.800
And it's expected to continuously change throughout the system.

14:13.800 --> 14:19.050
So if I do an ls over here, you can see that I've got that temporary folder right there.

14:19.050 --> 14:23.460
I could do a cd tmp to get into that, and I could do another ls.

14:23.490 --> 14:26.700
And you can see there's different information in here as well.

14:26.730 --> 14:29.130
Now obviously this is going to change.

14:29.130 --> 14:31.980
If I wanted to go back one directory, I could put that ..

14:31.980 --> 14:33.510
And again I could do a new ls.

14:33.510 --> 14:34.850
And I'm just in the variable directory.

14:34.850 --> 14:39.410
And that would allow me to go into, again, different directories and subdirectories as I see fit.

14:39.740 --> 14:40.940
That's Linux.

14:41.450 --> 14:47.660
Now it's important to understand the initial process that is started by Linux is determined by the kernel,

14:47.660 --> 14:52.790
which is also responsible for all other initiating processes on our operating system.

14:52.820 --> 14:53.870
On older systems,

14:53.870 --> 14:59.000
this is usually the init process, while newer systems usually employ something called systemd,

14:59.420 --> 15:01.490
or the systemd process.

15:01.610 --> 15:06.530
The system processes, also known as daemons, are background processes that we utilize at launch, or

15:06.530 --> 15:08.120
the system utilizes at launch.

15:08.150 --> 15:14.300
During the system boot or after an initial login, this provides various services, which include SSD,

15:14.330 --> 15:17.690
or it could be sshd, or SSH remote access.

15:17.930 --> 15:23.720
It can also do chronological scheduled tasks, or system login information for the system logging.

15:23.960 --> 15:26.870
There are also what are called orphan processes in the Linux box.

15:26.870 --> 15:29.900
This is where the parent process has terminated.

15:30.080 --> 15:36.920
And the subprocess is adopted by the initialization process, or the initial process, or the

15:36.920 --> 15:42.530
systemd process, which handles cleanup and termination of different aspects or different processes

15:42.530 --> 15:43.370
on your system.

15:43.400 --> 15:46.040
There's also something called zombie processes.

15:46.070 --> 15:50.780
This occurs when the process is terminated, but the parent process has not retrieved the termination

15:50.780 --> 15:51.800
information.

15:51.800 --> 15:57.680
This process has completed and exhausted, but is still an entry in the process table, meaning that

15:57.680 --> 16:05.300
I quit a process or I terminated a process, but the parent process is still there, it's still functioning,

16:05.420 --> 16:08.480
and it just hasn't gotten the point that, hey, we're stopping.

16:08.510 --> 16:12.500
And then there are foreground and background processes, which are in the Linux system.

16:12.740 --> 16:18.680
This process either is at the front of what you're utilizing currently or it's in the background not

16:18.680 --> 16:19.520
really doing anything.

16:19.520 --> 16:21.620
Well, it's doing stuff, but it's in the background.

16:21.620 --> 16:26.060
It's not directly interacting with the user per se, where a foreground process is something that you're

16:26.060 --> 16:26.750
interacting with.

16:26.780 --> 16:31.830
Now within different operating systems, there's hardware that can be associated with those specific

16:31.860 --> 16:33.840
operating systems to make it more secure.

16:33.870 --> 16:39.810
This integrates hardware with the operating system, creating a more trustworthy or secure environment

16:39.840 --> 16:44.160
in which the operating system can operate safely on a specific machine.

16:44.370 --> 16:48.420
For instance, there's something called a Trusted Platform Module, or TPM.

16:48.450 --> 16:55.440
This serves as a crypto processor and enhances security by encrypting, or storing, cryptographic

16:55.440 --> 16:57.270
keys into the device itself.

16:57.300 --> 17:03.180
It facilitates secure hardware based key generation, storage, and authentication, and provides encryption

17:03.180 --> 17:07.590
to fortify against unauthorized access to data, and tampering.

17:07.620 --> 17:10.800
That TPM on a Windows 11 system is actually required.

17:10.800 --> 17:17.310
You can utilize a Windows 11 virtual system on a Windows 10 and create that virtualized Windows

17:17.310 --> 17:18.090
11 system.

17:18.090 --> 17:20.340
But if you have a bare metal machine, that's Windows 11.

17:20.370 --> 17:25.800
It actually requires a TPM to be present on the hardware you're utilizing to ensure a more robust,

17:25.830 --> 17:27.090
more secure system.

17:27.510 --> 17:31.050
There's also something called a hardware security module or an HSM.

17:31.080 --> 17:37.140
This is a physical device designed for secure cryptographic key generation, storage, and management.

17:37.170 --> 17:44.850
HSMs find application in high security scenarios such as managing SSL or TLS keys for large scale web servers.

17:44.850 --> 17:52.740
This is an actual physical device that is utilized in conjunction with your software to create a secure

17:52.740 --> 17:53.520
platform

17:53.520 --> 17:57.930
in order to store cryptographic keys on. There's a Secure Boot process.

17:57.930 --> 18:03.030
This is a process that ensures that only trusted software is loaded and executed during startup, and

18:03.030 --> 18:07.620
it acts as a deterrent against boot time malware attempting to seize control of the system.

18:07.620 --> 18:14.520
It's also utilized for gamers to start anti-cheating, so we've seen Secure Boot processes within that

18:14.520 --> 18:15.450
process.

18:15.630 --> 18:17.100
Specifically with my son.

18:17.100 --> 18:18.510
He's a big time gamer.

18:19.080 --> 18:24.690
He loves to go on there, but he's always trying to download these different extensions or these

18:24.690 --> 18:27.030
different add ons for the system.

18:27.060 --> 18:28.730
He asked me one time, hey, Dad, can I,

18:28.760 --> 18:31.550
can I replace my Secure Boot process, or access,

18:31.580 --> 18:34.400
have this program access my Secure Boot process?

18:34.460 --> 18:36.260
And the answer was an emphatic no.

18:36.260 --> 18:37.310
We don't do that.

18:37.340 --> 18:37.670
Right.

18:37.700 --> 18:43.760
But anti-cheat systems will often use SBP, or a Secure Boot process, to ensure that you are not cheating

18:43.760 --> 18:44.660
other systems.

18:44.900 --> 18:48.590
And finally, there is something called a CPU security extension.

18:48.620 --> 18:54.500
A modern CPU often incorporates security extensions like Intel's SGX, or Secure Guard Extension,

18:54.500 --> 19:01.250
or AMD's SEV, Secure Encryption Virtualization, and these extensions introduce added security measures

19:01.250 --> 19:07.130
such as crafting encrypted memory areas, or enclaves, that remain protected for the processes running

19:07.130 --> 19:11.720
at higher levels, to ensure that something that's operating in that privileged level, that's a higher

19:11.750 --> 19:12.770
point of view,

19:12.980 --> 19:18.380
doesn't have the capability of being attacked willy-nilly like we might see with lower processes.

19:18.380 --> 19:20.690
So it just adds that layer of protection on there.

19:20.690 --> 19:23.810
So today we discussed the different Windows systems.

19:23.810 --> 19:25.250
We discussed Linux platforms.

19:25.250 --> 19:28.340
We discussed Windows platforms, and how their file structures are different.

19:28.370 --> 19:33.830
We discussed the Windows Registry and we went across the different hardware architectures associated with

19:33.830 --> 19:35.540
TPMs and then HSMs.

19:35.570 --> 19:42.350
You don't need to have a specific in-depth understanding of any of these per se, but you do need to

19:42.350 --> 19:44.270
have a broad, high level understanding.

19:44.270 --> 19:47.900
You may get questions like, what is a TPM and how does it function?

19:47.900 --> 19:50.660
Or what's the difference between an HSM and a TPM?

19:50.690 --> 19:55.070
Now, granted, these are all multiple choice questions throughout CISA, so it provides a little bit

19:55.070 --> 19:56.120
of detail in there.

19:56.150 --> 20:02.300
Don't be surprised if you see a test or a quiz question that asks you specifically about a TPM.

20:02.300 --> 20:08.270
Such things like: this particular hardware architecture helps with key generation, and it is attached

20:08.270 --> 20:10.670
within the hardware of a specific system.

20:10.670 --> 20:12.290
That would be a TPM.

20:12.470 --> 20:19.580
You don't expect to see overly robust questions diving into the Windows Registry about, hey, which HK key

20:19.580 --> 20:21.140
provides X, Y, or Z?

20:21.170 --> 20:24.110
That's not something they're looking for in the CISA exam.
