WEBVTT

1
00:00:00.050 --> 00:00:01.740
In this section of the course,

2
00:00:01.740 --> 00:00:04.770
we are going to discuss detection and mitigation.

3
00:00:04.770 --> 00:00:06.600
The detection and mitigation section

4
00:00:06.600 --> 00:00:10.620
of the course focuses on domain 3, security engineering,

5
00:00:10.620 --> 00:00:13.890
as well as domain 4, security operations,

6
00:00:13.890 --> 00:00:18.120
specifically objectives 3.4 and 4.2.

7
00:00:18.120 --> 00:00:21.330
Objective 3.4 states that given a scenario,

8
00:00:21.330 --> 00:00:22.890
you must be able to implement

9
00:00:22.890 --> 00:00:25.830
hardware security technologies and techniques.

10
00:00:25.830 --> 00:00:29.010
Objective 4.2 states that given a scenario,

11
00:00:29.010 --> 00:00:32.250
you must be able to analyze vulnerabilities and attacks

12
00:00:32.250 --> 00:00:35.370
and recommend solutions to reduce the attack surface.

13
00:00:35.370 --> 00:00:37.200
Detecting and mitigating threats

14
00:00:37.200 --> 00:00:40.770
is essential to maintaining security and functionality.

15
00:00:40.770 --> 00:00:43.410
Effective detection and mitigation strategies

16
00:00:43.410 --> 00:00:46.980
focus not only on identifying potential risks,

17
00:00:46.980 --> 00:00:50.100
but also on designing systems that can withstand

18
00:00:50.100 --> 00:00:52.350
and respond to threats and attacks.

19
00:00:52.350 --> 00:00:53.610
This includes ensuring

20
00:00:53.610 --> 00:00:56.040
that sensitive data remains protected,

21
00:00:56.040 --> 00:00:58.170
access is properly controlled,

22
00:00:58.170 --> 00:01:00.180
and that systems can safely recover

23
00:01:00.180 --> 00:01:02.190
from unexpected failures.

24
00:01:02.190 --> 00:01:03.840
By implementing these measures,

25
00:01:03.840 --> 00:01:06.210
organizations can strengthen their defenses

26
00:01:06.210 --> 00:01:09.390
and ensure that even in the face of attack or failure,

27
00:01:09.390 --> 00:01:13.140
their systems remain secure and operational.

28
00:01:13.140 --> 00:01:16.410
As we go through this section, we will cover many topics

29
00:01:16.410 --> 00:01:18.390
related to detection and mitigation,

30
00:01:18.390 --> 00:01:21.390
including tamper detection and countermeasures,

31
00:01:21.390 --> 00:01:26.130
design mitigations, validation mitigations, safe functions,

32
00:01:26.130 --> 00:01:28.080
access control mitigations,

33
00:01:28.080 --> 00:01:31.290
confidentiality management, update management,

34
00:01:31.290 --> 00:01:33.360
and fail-safe mechanisms.

35
00:01:33.360 --> 00:01:37.080
First, we will look at tamper detection and countermeasures.

36
00:01:37.080 --> 00:01:40.500
Tamper detection and countermeasures identify and respond

37
00:01:40.500 --> 00:01:43.020
to unauthorized attempts to alter

38
00:01:43.020 --> 00:01:45.390
or manipulate a system or device.

39
00:01:45.390 --> 00:01:48.600
Tamper detection mechanisms such as seals, sensors,

40
00:01:48.600 --> 00:01:51.510
or cryptographic checks are designed to alert

41
00:01:51.510 --> 00:01:53.550
when a system has been compromised,

42
00:01:53.550 --> 00:01:55.680
triggering an appropriate response.

43
00:01:55.680 --> 00:01:58.860
Countermeasures include physical barriers, encryption,

44
00:01:58.860 --> 00:02:00.900
or system shutdowns that prevent

45
00:02:00.900 --> 00:02:03.600
or minimize the damage from tampering.

46
00:02:03.600 --> 00:02:07.410
For example, an ATM might use tamper-evident seals

47
00:02:07.410 --> 00:02:10.290
and sensors to detect unauthorized access,

48
00:02:10.290 --> 00:02:12.510
and if tampering is detected,

49
00:02:12.510 --> 00:02:15.180
the machine could automatically disable access

50
00:02:15.180 --> 00:02:18.210
to its cash vault and alert authorities.

51
00:02:18.210 --> 00:02:21.420
Next, we will explore design mitigations.

52
00:02:21.420 --> 00:02:24.660
Design mitigations involve strategically incorporating

53
00:02:24.660 --> 00:02:28.080
security measures during the system design phase

54
00:02:28.080 --> 00:02:31.770
to prevent or reduce the impact of vulnerabilities.

55
00:02:31.770 --> 00:02:35.430
Design mitigations include security design patterns,

56
00:02:35.430 --> 00:02:38.340
defense-in-depth, and dependency management.

57
00:02:38.340 --> 00:02:41.010
Security design patterns are best practices

58
00:02:41.010 --> 00:02:43.920
such as input validation, least privilege

59
00:02:43.920 --> 00:02:45.240
and secure defaults

60
00:02:45.240 --> 00:02:48.300
that guide the secure architecture of systems.

61
00:02:48.300 --> 00:02:51.810
Security design patterns help developers build defenses

62
00:02:51.810 --> 00:02:54.840
directly into the structure of applications.

63
00:02:54.840 --> 00:02:57.600
Defense-in-depth is a layered security approach

64
00:02:57.600 --> 00:03:00.420
where multiple protective measures are implemented

65
00:03:00.420 --> 00:03:04.560
to provide redundancy, ensuring that if one layer fails,

66
00:03:04.560 --> 00:03:07.440
others remain to protect a critical system.

67
00:03:07.440 --> 00:03:10.500
Dependency management involves carefully selecting,

68
00:03:10.500 --> 00:03:14.430
monitoring, and updating external libraries or components

69
00:03:14.430 --> 00:03:17.970
to prevent security flaws in third-party dependencies.

70
00:03:17.970 --> 00:03:20.310
In practice, a software application

71
00:03:20.310 --> 00:03:22.410
might use security design patterns

72
00:03:22.410 --> 00:03:25.110
to enforce secure coding practices,

73
00:03:25.110 --> 00:03:28.470
employ defense-in-depth by incorporating firewalls,

74
00:03:28.470 --> 00:03:32.160
encryption, and access controls, and manage dependencies

75
00:03:32.160 --> 00:03:35.700
by regularly updating all third-party components.

76
00:03:35.700 --> 00:03:38.820
After that, we will look at validation mitigations.

77
00:03:38.820 --> 00:03:41.520
Validation mitigations are security measures

78
00:03:41.520 --> 00:03:44.370
that ensure data entering or leaving a system

79
00:03:44.370 --> 00:03:46.830
is properly validated and encoded.

80
00:03:46.830 --> 00:03:49.620
Validation mitigations prevent exploitation

81
00:03:49.620 --> 00:03:51.780
through malicious input or output.

82
00:03:51.780 --> 00:03:55.620
Validation mitigation concepts include input validation

83
00:03:55.620 --> 00:03:57.060
and output encoding.

84
00:03:57.060 --> 00:04:00.630
Input validation is checking and sanitizing data provided

85
00:04:00.630 --> 00:04:03.090
by users or external sources

86
00:04:03.090 --> 00:04:05.430
to ensure it meets expected formats

87
00:04:05.430 --> 00:04:07.950
and does not contain harmful content.

88
00:04:07.950 --> 00:04:11.640
Output encoding converts data into a secure format

89
00:04:11.640 --> 00:04:14.100
before it is processed or displayed,

90
00:04:14.100 --> 00:04:17.760
ensuring that it cannot be interpreted as executable code.

91
00:04:17.760 --> 00:04:20.130
This technique is crucial not only

92
00:04:20.130 --> 00:04:22.470
for preventing cross-site scripting attacks,

93
00:04:22.470 --> 00:04:25.440
but also for safeguarding internal resources

94
00:04:25.440 --> 00:04:28.350
and systems from unintended code execution,

95
00:04:28.350 --> 00:04:30.630
even if the input validation fails.

96
00:04:30.630 --> 00:04:34.680
For example, a web application might use input validation

97
00:04:34.680 --> 00:04:38.880
to reject any user input that contains unexpected characters

98
00:04:38.880 --> 00:04:41.700
or patterns, and employ output encoding

99
00:04:41.700 --> 00:04:44.280
to ensure that any data displayed on the website

100
00:04:44.280 --> 00:04:45.690
is rendered safely.

101
00:04:45.690 --> 00:04:48.360
Next, we will explore safe functions.

102
00:04:48.360 --> 00:04:50.460
Safe functions are programming functions

103
00:04:50.460 --> 00:04:53.250
that operate securely and reliably.

104
00:04:53.250 --> 00:04:56.790
Safe function concepts include atomic functions,

105
00:04:56.790 --> 00:05:00.360
memory-safe functions, and thread-safe functions.

106
00:05:00.360 --> 00:05:03.420
Atomic functions are designed to complete operations

107
00:05:03.420 --> 00:05:06.180
in a single indivisible step,

108
00:05:06.180 --> 00:05:09.210
ensuring that the operation is either fully completed

109
00:05:09.210 --> 00:05:10.920
or not executed at all.

110
00:05:10.920 --> 00:05:14.130
In this way, atomic functions prevent the possibility

111
00:05:14.130 --> 00:05:16.470
of interference from other processes

112
00:05:16.470 --> 00:05:20.610
and ensure data consistency even in concurrent environments.

113
00:05:20.610 --> 00:05:23.580
A concurrent environment is a computing scenario

114
00:05:23.580 --> 00:05:25.770
where multiple processes or threads

115
00:05:25.770 --> 00:05:29.880
are executed simultaneously or in overlapping time periods.

116
00:05:29.880 --> 00:05:32.670
Next, memory-safe functions are used

117
00:05:32.670 --> 00:05:35.760
to prevent common memory-related vulnerabilities

118
00:05:35.760 --> 00:05:38.700
such as buffer overflows or memory leaks.

119
00:05:38.700 --> 00:05:41.730
Memory-safe functions manage memory allocations

120
00:05:41.730 --> 00:05:43.290
and access securely

121
00:05:43.290 --> 00:05:46.170
by ensuring that memory boundaries are respected,

122
00:05:46.170 --> 00:05:49.680
automatically freeing up memory when it is no longer needed,

123
00:05:49.680 --> 00:05:51.690
and preventing the allocation of memory

124
00:05:51.690 --> 00:05:54.060
that exceeds the available capacity.

125
00:05:54.060 --> 00:05:56.850
Finally, thread-safe functions ensure

126
00:05:56.850 --> 00:06:00.120
that when multiple threads execute simultaneously,

127
00:06:00.120 --> 00:06:03.660
the thread-safe function operates correctly without causing

128
00:06:03.660 --> 00:06:05.850
race conditions or data corruption.

129
00:06:05.850 --> 00:06:08.340
For example, a software application

130
00:06:08.340 --> 00:06:12.360
might use atomic functions to update shared resources,

131
00:06:12.360 --> 00:06:15.870
memory-safe functions to handle dynamic memory allocations

132
00:06:15.870 --> 00:06:19.470
and thread-safe functions to manage concurrent operations.

133
00:06:19.470 --> 00:06:23.130
Following that, we will look at access control mitigations.

134
00:06:23.130 --> 00:06:25.740
Access control mitigations implement measures

135
00:06:25.740 --> 00:06:28.200
that restrict access to system resources

136
00:06:28.200 --> 00:06:29.580
and functionalities.

137
00:06:29.580 --> 00:06:33.450
Access control mitigation concepts include least privilege,

138
00:06:33.450 --> 00:06:36.690
least function or functionality and allowlisting.

139
00:06:36.690 --> 00:06:38.850
The principle of least privilege ensures that

140
00:06:38.850 --> 00:06:40.830
users or processes are granted

141
00:06:40.830 --> 00:06:44.130
only the minimum levels of access or permissions

142
00:06:44.130 --> 00:06:46.620
necessary to perform their tasks.

143
00:06:46.620 --> 00:06:49.170
In this way, the principle of least privilege

144
00:06:49.170 --> 00:06:52.980
reduces the risk of unauthorized access or misuse.

145
00:06:52.980 --> 00:06:54.840
Least function or functionality

146
00:06:54.840 --> 00:06:57.900
limits the available system functions or features

147
00:06:57.900 --> 00:07:00.510
to only those necessary for operations.

148
00:07:00.510 --> 00:07:03.990
In this way, least functionality prevents the exploitation

149
00:07:03.990 --> 00:07:06.870
of unnecessary or vulnerable components.

150
00:07:06.870 --> 00:07:10.830
Allowlisting restricts access to a predefined allowed

151
00:07:10.830 --> 00:07:13.710
list of approved applications or IP addresses.

152
00:07:13.710 --> 00:07:16.380
In this way, allowlisting blocks anything

153
00:07:16.380 --> 00:07:18.330
not explicitly permitted.

154
00:07:18.330 --> 00:07:21.870
In application, an organization might configure its servers

155
00:07:21.870 --> 00:07:25.650
to grant only necessary access rights to each user

156
00:07:25.650 --> 00:07:28.170
utilizing the principle of least privilege,

157
00:07:28.170 --> 00:07:30.420
disable all unnecessary services

158
00:07:30.420 --> 00:07:32.400
demonstrating least functionality

159
00:07:32.400 --> 00:07:34.560
and implement allowlisting to ensure

160
00:07:34.560 --> 00:07:37.410
that only trusted applications can be executed.

161
00:07:37.410 --> 00:07:40.350
Then, we will explore confidentiality management.

162
00:07:40.350 --> 00:07:42.540
Confidentiality management is safeguarding

163
00:07:42.540 --> 00:07:45.810
sensitive information to prevent unauthorized access

164
00:07:45.810 --> 00:07:46.920
or disclosure.

165
00:07:46.920 --> 00:07:50.430
Confidentiality management concepts include indexing,

166
00:07:50.430 --> 00:07:53.700
key rotation, encryption, and code signing.

167
00:07:53.700 --> 00:07:57.150
Indexing involves organizing and structuring sensitive data

168
00:07:57.150 --> 00:07:59.340
so that it can be efficiently retrieved

169
00:07:59.340 --> 00:08:02.310
while ensuring that underlying sensitive information

170
00:08:02.310 --> 00:08:06.630
remains protected and inaccessible to unauthorized users.

171
00:08:06.630 --> 00:08:09.480
Secrets management including key rotation

172
00:08:09.480 --> 00:08:12.960
ensures that encryption keys and other sensitive credentials

173
00:08:12.960 --> 00:08:16.650
are regularly updated to minimize the risk of compromise.

174
00:08:16.650 --> 00:08:20.040
Next, encryption is used to protect data and secrets

175
00:08:20.040 --> 00:08:22.470
by converting them into a secure format

176
00:08:22.470 --> 00:08:26.010
that is unreadable without the correct decryption key.

177
00:08:26.010 --> 00:08:29.160
Finally, code signing verifies the authenticity

178
00:08:29.160 --> 00:08:31.890
and integrity of software using encryption,

179
00:08:31.890 --> 00:08:34.380
ensuring that it has not been tampered with.

180
00:08:34.380 --> 00:08:37.350
In practice, an organization might use indexing

181
00:08:37.350 --> 00:08:40.890
to securely manage access to encrypted customer records,

182
00:08:40.890 --> 00:08:44.280
implement regular key rotation for its encryption systems,

183
00:08:44.280 --> 00:08:46.920
and apply code signing to its software updates.

184
00:08:46.920 --> 00:08:49.410
Next, we will look at update management.

185
00:08:49.410 --> 00:08:51.690
Update management is the process of ensuring

186
00:08:51.690 --> 00:08:54.900
that all components of a system, including firmware,

187
00:08:54.900 --> 00:08:59.370
system images, hypervisors, operating systems and software,

188
00:08:59.370 --> 00:09:01.650
are regularly updated and patched.

189
00:09:01.650 --> 00:09:03.690
Update management concepts include

190
00:09:03.690 --> 00:09:06.480
updating and patching firmware, system images,

191
00:09:06.480 --> 00:09:09.660
hypervisor considerations, operating system considerations,

192
00:09:09.660 --> 00:09:11.460
and software considerations.

193
00:09:11.460 --> 00:09:14.220
Firmware updates address the embedded software

194
00:09:14.220 --> 00:09:15.690
in hardware devices.

195
00:09:15.690 --> 00:09:17.430
Updating firmware ensures

196
00:09:17.430 --> 00:09:19.950
that foundational system components are secure

197
00:09:19.950 --> 00:09:21.510
and functioning correctly.

198
00:09:21.510 --> 00:09:24.090
Updating system images and hypervisors

199
00:09:24.090 --> 00:09:25.560
helps maintain the integrity

200
00:09:25.560 --> 00:09:27.600
and security of virtual environments.

201
00:09:27.600 --> 00:09:31.080
This is because the system images and hypervisor updates

202
00:09:31.080 --> 00:09:33.210
often include critical patches.

203
00:09:33.210 --> 00:09:35.940
Regular operating system and software updates

204
00:09:35.940 --> 00:09:39.240
ensure that all applications and operating systems

205
00:09:39.240 --> 00:09:41.700
are protected against known vulnerabilities,

206
00:09:41.700 --> 00:09:43.740
reducing the attack surface.

207
00:09:43.740 --> 00:09:46.560
For example, an organization might implement

208
00:09:46.560 --> 00:09:49.170
a robust update management process

209
00:09:49.170 --> 00:09:52.980
that regularly updates the firmware on its network routers,

210
00:09:52.980 --> 00:09:55.860
the hypervisor software running its virtual machines,

211
00:09:55.860 --> 00:09:57.810
and the virtual operating systems

212
00:09:57.810 --> 00:10:00.270
and software applications on all endpoints,

213
00:10:00.270 --> 00:10:02.910
ensuring that the entire infrastructure is secure

214
00:10:02.910 --> 00:10:04.140
and up-to-date.

215
00:10:04.140 --> 00:10:07.710
Finally, we will explore fail-safe mechanisms.

216
00:10:07.710 --> 00:10:10.740
Fail-safe mechanisms are systems designed to default

217
00:10:10.740 --> 00:10:13.950
to a secure state or a safe operational mode

218
00:10:13.950 --> 00:10:16.710
in the event of a failure or security breach.

219
00:10:16.710 --> 00:10:20.220
Fail-safe mechanism concepts include fail-secure

220
00:10:20.220 --> 00:10:21.600
and fail-safe.

221
00:10:21.600 --> 00:10:25.380
Fail-secure mechanisms prioritize maintaining security

222
00:10:25.380 --> 00:10:29.130
by locking down access or shutting down critical functions

223
00:10:29.130 --> 00:10:30.660
when a failure occurs.

224
00:10:30.660 --> 00:10:33.960
Fail-secure mechanisms prevent unauthorized access,

225
00:10:33.960 --> 00:10:37.350
even if it causes a temporary denial of service.

226
00:10:37.350 --> 00:10:41.280
On the other hand, fail-safe mechanisms focus on safety,

227
00:10:41.280 --> 00:10:43.890
ensuring that systems continue to operate in a way

228
00:10:43.890 --> 00:10:45.720
that prevents harm or damage,

229
00:10:45.720 --> 00:10:49.050
even if this means compromising some level of security.

230
00:10:49.050 --> 00:10:52.350
For example, in a secure building access system,

231
00:10:52.350 --> 00:10:55.200
a fail-secure door lock might remain locked

232
00:10:55.200 --> 00:10:58.650
if the power fails, preventing unauthorized entry,

233
00:10:58.650 --> 00:11:02.280
while a fail-safe door lock might unlock to allow occupants

234
00:11:02.280 --> 00:11:05.640
to exit safely during an emergency like a fire.

235
00:11:05.640 --> 00:11:08.040
To finish things off, we'll take a short quiz

236
00:11:08.040 --> 00:11:10.920
to see what you learned during this section of the course,

237
00:11:10.920 --> 00:11:14.400
and we will review each of those quiz questions fully

238
00:11:14.400 --> 00:11:17.460
to ensure you can explain why the right answers were right

239
00:11:17.460 --> 00:11:19.110
and the wrong answers were wrong.

240
00:11:19.110 --> 00:11:22.890
So let's get ready to dive into detection and mitigation

241
00:11:22.890 --> 00:11:24.903
in this section of the course.

