01.05 People, Process, and Technology
Holistic Defenses
Everybody focuses on protecting or attacking technology, but you have to secure PEOPLE, PROCESS, AND TECHNOLOGY or you will be vulnerable!
This video explains all 3 from a cybersecurity context and will further serve as foundation for the rest of the course.
Lesson Summary
Protecting a business from cyber attacks requires securing not only technology but also the people and processes involved. To do this, a few key considerations must be taken into account:
- People: Who is involved in the process of working with or accessing the business? This includes all employees as well as third-party vendors and contractors.
- Process: What are the workflows within the business? Are there any security gaps in the workflow's implementation?
- Technology: What technologies are used and how are they configured securely? Is there a plan in place to update or replace outdated technology when it's no longer supported by the vendor? Are there any cloud-based systems that are also used?
By considering each aspect of the business, security risks can be reduced, while also enabling the business to achieve its goals securely.
Transcription
00:00:05:20 - 00:00:34:30
All right. So let's get into the people, process, and technology. I referenced this earlier in the course, but it really does warrant its own lecture. Okay. So why why do I care? Why do you care? Why do you. Why should you know about people, process, and technology? Well, people, process, and technology all interrelate with each other in how you actually secure a business or deliver cybersecurity risk reduction to a business.
00:00:34:30 - 00:00:54:46
Right. Just like all the controls that we have at our disposal can influence or affect people, process, or technology. It's important to understand what these three are. So let me define these three and then we'll talk about some examples of controls that impact each of them. Okay. So first off, people. People is exactly what you would think it is.
00:00:54:46 - 00:01:19:10
The human beings that interface with the business. Now, you may just think, oh, it's it's staff, right? It's the people who work there, but it's much more than that. We can drill down even further from staff. What kind of staff are they? Executives? Are they the business? Are they IT? Do they have elevated privileges, like how people have administrator privileges?
00:01:19:14 - 00:01:46:22
These are the people. Also third-party vendors. Right? So maybe you have contractors, professional services. Who does the HVAC? The heating, ventilation, air conditioning for your business. Right. You may not think of them, but a lot of HVAC businesses will remote into your business's network in order to check the air conditioner or tweak it. Look at the Freon levels, whatever it is.
00:01:46:26 - 00:02:07:14
So you need to think about all of the people. You know, do vendors come on site once in a while to tune a machine or to do repairs on a machine? Do they offer you a discount if you let them remote in? Right. And that gets into some of the technology parts. But people can be much more than just your staff.
00:02:07:14 - 00:02:34:20
It's the entire composition. So you have to be mindful of all the people. So when you are developing controls or thinking about the risks associated with access, whether it's logical access within a system, technical access to a system itself, physical access, like who's allowed inside your building, do you have to swipe to go into the building? So it's just authorized people? Can all of those authorized people go into the data center or the server closets?
00:02:34:20 - 00:03:06:06
Probably not. How do you control access to those sensitive areas? Okay, so people gets complicated very, very quickly. The next one is process. And I have a workflow here for the demonstration purposes, but the process is how the people do their job. You must remember that cybersecurity is a business enabler. If you don't try to enable the business, you will be ignored and cybersecurity will take a hit and it won't be good.
00:03:06:10 - 00:03:37:39
So what do I mean by business enablement? You've got to remember, like, I don't care if you work at a manufacturing company, an application software development company, a hospital, whatever it is that generates revenue for that business, that is the business. So if you are introducing controls that negatively impact the business, that's not good. You have to have controls that both reduce risk but also don't impact the business and if possible, enable the business which can be done in a variety of ways.
00:03:37:43 - 00:04:06:30
So process and workflows, you've got to be thinking about usability and adoption of the workflows or for the business, right, or looking at existing workflows, because chances are they already have processes on how they do business and seeing where the risks are in those workflows. Just to give you an example, let's say there is. Well, to take an example from before.
00:04:06:34 - 00:04:27:45
Let's say that you have an individual in research and development, okay? And they are working on some cool new thing that's going to make a ton of money for the business. And they're drawing it up on their computer and they hit render and it's going to take 25 hours to render on their computer, but they are super, super excited.
00:04:27:49 - 00:04:50:20
It's Friday at 2:00 in the afternoon. They're not coming to work on Saturday, but they are really interested in checking out the progress throughout the day. So they create a remote access capability into their workstation. So when they go home, they don't have to drive into work tomorrow. They can remote in and look at their computer. They ask their boss, Hey, is this cool?
00:04:50:20 - 00:05:06:04
The boss is like, Yeah, absolutely. You're doing great work. Keep it up. I love that you want to work on the weekend. Okay, so this is this is how they do it. And, you know, maybe on Saturday after it finishes render and he notices there is an error or an issue and he makes some modifications and he hits re-render.
00:05:06:16 - 00:05:30:36
Now it's ready on Sunday. Guess what? Major win for just a few minutes of work over the weekend. And let's just say that this was the workflow. This is how they do business in R&D. Okay, well, that's great. But as a cybersecurity practitioner, I look at that and say, okay, that workflow is fine. However, I don't like that you're remoting in. Like, what controls are around that?
00:05:30:36 - 00:05:53:48
Can anyone remote in? If you get fired tomorrow, can you still remote in? When someone remotes into that computer, can they see our entire internal network? Right. So understanding those particular workflows. Another example, because workflows can be kind of a difficult one to wrap your head around, is let's say somebody is quitting the company. What is the workflow for that?
00:05:53:48 - 00:06:15:01
Oh, well, they just give their badge and their computer to their boss and then they leave. They get their last paycheck two weeks later. Okay, well, that's a fine workflow, but let's, let's introduce a little bit of cybersecurity to it. What systems does that person have access to? When do they get their access terminated? What systems are cloud based?
00:06:15:01 - 00:06:40:16
Right? So like, you know, your email, if you're using Office 365, maybe they had some third-party company that they were using for cloud file storage and stuff like that. Does the person still have access to that? And likely they shouldn't, but who has the list of systems to go and shut all the access off? Right. A lot of people remember to shut off the email, but they don't remember all the other systems.
00:06:40:26 - 00:07:02:27
So this is a workflow that is fine in theory, but has a lot of security gaps in its implementation. So you have to look at those workflows as well. The final one is technology. And this one's, you know, I think fairly obvious, but you have to look at what technologies are being used in the environment and do a bunch of things.
00:07:02:27 - 00:07:32:38
One, how do you configure them securely? There's a lot of resources out there on, you know, how to properly secure different resources. What is the lifecycle of it? At some point the vendor is not going to support it anymore. So do you have a plan? Do you have budget requests set up to replace that technology when it goes end of life? When the vendor notifies you that there are security vulnerabilities with that technology, do you have a process for implementing security patches and implementing fixes to make sure that the tech stays proper?
00:07:32:42 - 00:07:55:46
Also, where is all the tech? Do you know about all the tech? Inventory of all the technology is a core cybersecurity function, right? You have to know. You can't patch things if you don't even know they exist, so you have to know they exist. So do you have visibility over all the technology? Who has authority to introduce new technology?
00:07:56:08 - 00:08:24:09
Right. We talked earlier about cloud systems. Can anyone go out with a credit card, sign up for some cloud system that you don't know about and start putting data in it that is, you know, corporate data? So technology can get really crazy really quickly. A final example, just to kind of, you know, wrap people's heads around it, is a lot of businesses will allow you to bring your own device now, bring your own cell phone, bring your own tablet, whatever, and check your work email on it.
00:08:24:09 - 00:08:51:41
And that's that's fine. But as a business, you have to accept the risk that, like you can't force your end users to patch their devices. Right? You can tell them they should. You can make it, you can make it a requirement, but you don't own their devices. You can't control that. So now you've got devices that you have no control over that are on your network that could be compromised and introduce a massive risk.
00:08:51:45 - 00:09:11:30
In a lot of businesses. It seems silly, like why would anyone do that? Well, it costs tens of thousands of dollars to outfit your company with work cell phones. And chief financial officers love the idea of bring your own device because basically you're paying for the tech that the company is getting to take advantage of. But there is that cyber risk again, getting into business enablement.
00:09:11:30 - 00:09:34:46
The CFO loves that. The executives love it because it costs less money. But you're like, Oh my gosh, Tommy troubles because it introduces risk. All right. So that's that's people, process, and technology. Again, the whole point of this module was really to level set, introduce some new terms and give you scope of the industry and executing inside of a business and give you all that.
00:09:34:46 - 00:09:38:38
So I think we've done that. Let's move on to the next module.
The "Security" Mindset
As an addendum to this lecture, I wanted to share something I believe is valuable to frame in your mind early in this course.
Having a cybersecurity mindset is a crucial aspect of working in the field of cybersecurity. It involves a specific way of thinking that emphasizes vigilance, proactivity, and a deep understanding of potential risks.
An objective explanation of this 'mindset' is:
1. Awareness of Threat Vectors: A cybersecurity mindset starts with awareness. This means being cognizant of the various threat vectors that exist for businesses and individuals. Threat vectors are the paths or means by which a hacker (or threat actor) can gain access to your computer or network to deliver a payload or malicious outcome. Understanding these vectors — such as malware, phishing, social engineering, and network attacks — is fundamental.
2. Proactive Defense Thinking: Individuals with a cybersecurity mindset don’t just wait for threats to emerge; they actively seek to identify potential vulnerabilities before they can be exploited. This involves regular system and network analysis, staying updated with the latest security patches, and understanding the latest trends in cyber threats.
3. Critical Thinking and Problem-Solving: Cybersecurity is not just about knowing the tools and technologies; it’s also about applying critical thinking to solve complex problems. This means being able to assess a situation, understand the potential risks, and come up with effective strategies to mitigate those risks.
4. Continuous Learning and Adaptation: The field of cybersecurity is ever-evolving, with new threats emerging regularly. Having a cybersecurity mindset means being committed to continuous learning and adaptation, staying abreast of new security technologies, understanding the evolving tactics of threat actors, and being ready to adapt strategies accordingly.
5. Risk Assessment and Management: This mindset also involves understanding how to assess and manage risk. Not all threats are equal, and part of the cybersecurity mindset is being able to evaluate the potential impact of different threats and prioritize resources and efforts accordingly.
6. Ethical Responsibility: Cybersecurity professionals hold significant responsibility in protecting information and infrastructure. An ethical mindset is crucial, ensuring that one’s skills are used responsibly, respecting privacy, and adhering to legal and ethical standards.
7. Collaboration and Communication: Finally, a cybersecurity mindset is not just about individual effort. It requires collaboration with other professionals, sharing information and strategies, and effectively communicating risks and defenses to others, including those who may not have a technical background.
Do not get overwhelmed by some of these terms or concepts. They are taught in this course, but I wanted to share this early to set you up for success in the way you are perceiving the content.
In summary, a cybersecurity mindset is a comprehensive approach that combines technical knowledge with a proactive, vigilant, and ethical approach to protecting digital assets. It’s about being one step ahead, thinking like an attacker to defend better, and being a lifelong learner in an ever-changing field.