Technology Tap
Cybersecurity Fundamentals: Unlocking Security Plus Chapter 1 Part 1
Professor JRod makes a triumphant return to Technology Tap after a year-long hiatus, bringing listeners up to speed on his personal journey and diving straight into Security Plus 701 fundamentals. Having completed his doctorate and subsequently focusing on his health—resulting in an impressive 50-pound weight loss—he reconnects with his audience with the same passion and expertise that made his podcast popular.
The heart of this comeback episode centers on essential cybersecurity concepts, beginning with the CIA triad (confidentiality, integrity, availability) that forms the foundation of information security. Professor J-Rod expertly breaks down complex frameworks including NIST, ISO/IEC standards, and compliance-driven approaches like HIPAA and GDPR, explaining how organizations should select frameworks based on their specific industry requirements.
With his trademark clear explanations, he walks listeners through the process of gap analysis—a methodical approach to identifying differences between current security postures and desired standards. The episode then transitions to a comprehensive overview of access control models, including Discretionary, Mandatory, Role-Based, Attribute-Based, and Rule-Based controls, each illustrated with practical examples that bring abstract concepts to life.
What sets this episode apart is the interactive element, as Professor JRod concludes with practice questions that challenge listeners to apply their newly acquired knowledge. This practical approach bridges the gap between theory and real-world implementation, making complex security concepts accessible to professionals and students alike. Whether you're preparing for certification or simply expanding your cybersecurity knowledge, this return episode delivers valuable insights from an educator who clearly missed sharing his expertise with his audience.
Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions
Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod
Speaker 1: Welcome to Technology Tap. I'm Professor J-Rod. Hey guys, guess who's back? This episode, I'm going to tell you what I've been doing the last year and dive into Security Plus. Hey guys, guess who decided to come back and do this thing again? What was I thinking? No, I've kind of missed doing this. For those of you who don't know me, my name is Professor J-Rod. I'm a professor of cybersecurity and I make this podcast to help people with their Security+, A+ and Network+. And I've been away for a year. Yeah, I've been away for a whole year, and it's because, you know, I had some stuff coming up.
Speaker 1: Those of you who know me and have been following me here on this platform know that I was doing my doctorate, and doing the doctorate took a toll on me physically, mentally, emotionally. It was draining. It was a lot of work. Not that I was skinny to begin with, but I gained 35 pounds the last year of me doing the dissertation. So I kind of wanted to focus on my health, my mental health, and I had stuff going on at work, my full-time, my part-time, so I was kind of out of it trying to get that stuff sorted. So the good news is I lost over 50 pounds since October of 2024 until now; today's August 20th. I'm glad about that. Been trying to enjoy life a little bit more. Has the thing settled at work for the part-time? Yes. You know, the part-time stuff, the part-time job, is way better. I really like it. I really love my part-time job, my full-time job.
Speaker 1: You know, something happened last year, last summer, for those of you who know. You know, I still haven't gotten over it, probably will never get over it. Calm and carry on, right. It's a British saying: keep calm and carry on. So I've, you know, I've kind of... has it gotten better? The spring semester was a lot better than the fall semester, you know. So hopefully things will get better. I kind of want to get into that mindset of just "do you," but I kind of can't, because then I can't do
Speaker 1: what I do for my students, and that's my main goal, to do stuff for the students and try to block out other stuff that's going on. And you know, I actually went last summer, I spent a lot of time actually looking for another job, and I got companies, not companies, just other institutions, educational institutions, that wanted to hire me. I turned it down for various reasons. Pay, location. There was a really good one, but I would have had to move. There was one that was really close to me, where I live. I had to turn that down. The pay was okay, but the insurance was terrible. You know, I was already going to make less, and then I had to pay an enormous amount of money for insurance, which was going to take my pay down even less.
Speaker 1: So I decided to stay where I'm at, and you know, I'll just focus on myself and on the students, and just, you know, keep the other noise out. You know, I guess I was looking for validation last summer that I was valued, that I bring value to companies or to schools, and I feel that I do. You know, my students for the most part like me, and not everybody likes me. I'm more aware of that, and I can't do anything about it if they don't. I mean, I can and I try, but you know, it gets to a point that you really can't do much. So, you know, I'm back.
Speaker 1: I'm going to try to do this podcast, get it up and running. I was looking through the numbers and I saw the Security Plus. That's like the most popular one, for whatever reason. Anytime I do something about Security Plus, I get a high number of views or downloads, whatever you call it, downloads, right. And you know, I think I'm going to continue, I'm going to try to continue with it, but I'm going to add a new, you know, different twist to it. I will add questions at the end, and then maybe we'll talk about stuff that happens in the news. Right, if we see a breach, come up here and talk about it, talk about the breach, because these are important things for us to do.
Speaker 1: You know, AI is really big. Since the last time we talked, it has exploded. Listen, I like AI and I use AI. This podcast, the stuff that I'm going to read to you, I got it from the slides that I use, but I kind of fed it into ChatGPT to kind of make it readable and kind of concise. And you know, listen, AI is here to stay.
Speaker 1: AI is not going anywhere. We just have to embrace it and use it very smartly, right? Do I think it's going to take some people's jobs? Yeah. Is it going to take my job? I don't know. Maybe, right. But hopefully by the time that it does I'm retired, so I don't have to deal with worrying about losing my job. So, yeah, but yeah, let's start. Let's start with the Security Plus, the 701. Right?
Speaker 1: So information security refers to the practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. It ensures the three pillars, the triad, right, of cybersecurity: confidentiality, integrity and availability of data, whether stored, processed or transmitted. So confidentiality ensures that data is only accessible to those authorized to view it. Techniques for confidentiality include encryption, access control, authentication. Integrity ensures that data remains accurate and unaltered unless modified in authorized ways. Hashing, checksums and digital signatures are used. Availability ensures that information and systems are accessible when needed, using redundancy, fault tolerance, DDoS protection and backups.
Speaker 1: Core areas of information security. Risk management: identify, assess and mitigate risk to information systems. Access control: managing who can view or use resources. Cryptology: securing data using encryption and digital signatures. Incident response: detecting, responding to and recovering from security breaches. Security policies and procedures: organizational rules for securing data and systems. Security awareness and training: educating users about safe computing practices, which we must be. That's, you know, the insider, the guy sitting at his keyboard, is our biggest enemy. It's not the guy sitting in his mom's basement, it's the guy who has bypassed the infrastructure, who's actually physically there at the location. He's the guy you've got to worry about the most. Related fields: physical security, right. You also have to worry about that, guarding physical access to the systems and data centers. And then you have your compliance and legal issues, right, whatever regulations your company or organization falls under.
Speaker 1: Next is cybersecurity frameworks. A framework is a structured set of guidelines, best practices and standards used to manage and reduce cybersecurity risk. It helps an organization identify, protect, detect, respond to and recover from cyber threats in a consistent and measurable way. Here are some of the most widely used cybersecurity frameworks. First, you have the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology in the US. It's widely adopted across industries. It has five core functions. Identify: understand assets, risk and governance. Protect: implement safeguards to limit or contain impact. Detect: develop activities to identify cybersecurity incidents. Respond: take action after a cybersecurity incident occurs. Recover: restore capabilities and services after an incident.
Speaker 1: Next, we have the ISO/IEC 27001 and 27002, international standards for managing information security management systems. 27001 specifies the requirements for establishing, implementing, maintaining and improving an information security management system, and 27002 provides best practice for controls. Next, we have CIS Controls, Center for Internet Security, a set of 18 prioritized and actionable security controls categorized into three categories: basic, foundational and organizational. And then COBIT, Control Objectives for Information and Related Technologies, developed by ISACA.
Speaker 1: COBIT focuses on governance and management of enterprise IT, blending cybersecurity with business objectives. Next, we have HIPAA, PCI DSS, GDPR, the compliance-driven frameworks. These are regulatory frameworks specific to different industries: HIPAA is healthcare, PCI DSS is payment cards and GDPR is data protection and privacy in the EU. So why do we use a cybersecurity framework? It standardizes security practice, aids in compliance and audit readiness, improves risk management, aligns cybersecurity with business goals and enhances communication with stakeholders.
Speaker 1: Now, choosing the right framework depends on your organizational type, right? So that's how you use it. Whatever organizational type you fall under, you use that recommended framework. So, if you fall into HIPAA, I'm sorry, healthcare, you use HIPAA. You use NIST, right. If you're a global enterprise, you use ISO/IEC 27001, right. So you use those.
Speaker 1: Gap analysis in cybersecurity. Gap analysis is a method used to assess the difference between an organization's current cybersecurity posture and its desired or required security standard. What is a gap? A gap is the missing piece between where you are and where you want to be or need to be. Gap analysis helps identify weaknesses, vulnerabilities and noncompliance in your security controls, policies or practices.
Speaker 1: Steps in conducting a cybersecurity gap analysis. Well, first you've got to define the framework or standard that your organization falls under, right. What is your benchmark? Is it NIST? Is it PCI DSS? Right, what is it? Next, you're going to assess the current state: conduct interviews, surveys, audits and technical assessments; review existing policies, procedures and controls. Next, you're going to compare current versus desired state: map existing controls to framework requirements, identify missing, incomplete or ineffective controls. Next, you're going to identify gaps: document areas of noncompliance or high risk, classify gaps by severity, critical, moderate or low. Then you're going to develop a remediation plan: prioritize gaps based on risk and business impact, assign resources, timelines and responsibilities to your team members. Monitor and reassess: track implementation of corrective actions, reassess periodically or after major changes. So that's not bad. So let's say you have a control requirement that you need to have multi-factor authentication, and the current status is it's not implemented. You identified the gap, which is you need to have MFA. That priority should be high, and then you implement an MFA solution. What are the benefits of gap analysis? It ensures compliance with regulations, improves risk visibility, aligns security with business goals, justifies budget and resource requests, and guides roadmaps for security program development.
Speaker 1: Next, we have access control. Access control refers to the methods and policies used to regulate who can access or use information systems, resources and data, and under what conditions. It's a foundational concept in protecting CIA, confidentiality, integrity and availability. So there are five types of access control model that we're going to talk about. First is discretionary access control, or DAC, owner control. The resource owner decides who can access it. Common in consumer OSes like Windows file sharing. Flexible but less secure. Then you have mandatory access control, or MAC, system-enforced policies. Access is based on labels: top secret, secret, public, private, confidential. Used in military and government. Users cannot change access permissions.
Speaker 1: Role-based access control, or RBAC. Access is based on the user's role in the organization, central to enterprise systems. The example: HR personnel have access to employee records, but they don't have access to financial records. Attribute-based access control: access is determined by evaluating attributes, user, resource, environment. And the example they give here: if a user is a manager and accessing from a company device and during business hours, then you can allow them to do that, as opposed to maybe not letting them after business hours. Right. Rule-based uses predefined rules to allow or deny access, often seen in firewalls and routers. That's the clue right there, guys. Often seen in firewalls and routers. Example: deny all traffic from IP whatever during the weekends. So, access control mechanisms, right. Identification: who is the user? Authentication: can you prove it? Authorization: what are you allowed to do? Accounting: what did you do and when? This is often referred to as AAA, authentication, authorization and accounting, which we will go over.
Speaker 1: A couple of last things that I want to go over before we get to the questions. Principles of good access control, right. Least privilege: grant only the permissions a user needs, nothing more. Right, they don't need to have access to everything if they're, you know, a tech. Separation of duties: split critical tasks among multiple users to reduce fraud. Right, the signing of two checks. Right, you need two users to sign, like, an amount over $5,000, right. That's an example of separation of duties. Need to know: even authorized users should access only necessary data. Right, you don't need to see this, they shouldn't give you rights for it. Time-based or context-based access: limit access based on business hours or geolocation. Companies do that now. They only give you access, you know, if you work somewhere else, they know, they won't. Right, some of your stuff won't work.
Speaker 1: Access control technologies. You have access control lists: file, folder or firewall-based rules. Single sign-on: one login to access multiple systems. Federated identity: cross-organization identity, using your Google or Microsoft login to log into different stuff. And multi-factor authentication: combines two or more authentication factors. So an example scenario: an employee logs into the HR portal using multi-factor. Based on RBAC, she can view employee salary information but cannot edit it unless she is part of the payroll team. Access is further restricted outside of office hours using ABAC. Right, attribute-based access control. So, all right.
Speaker 1: So now let's get to the questions. I'm going to give you five questions based on what we just went over, and I'm going to read it, I'm going to give you the choices, I'm going to pause for a little bit, and then, you know, you see if you got the answer right. I will put this on TikTok. So if you want to follow me, Professor J-Rod, that's Professor, and then J-R-O-D, I'll put these questions up, and sometimes people are better when they're looking at it rather than just hearing it. So here's the first question.
Speaker 1: A hospital IT department grants all nurses access to patient records, but restricts prescribing medications to doctors only. Which access control model is being implemented? A, discretionary. B, role-based. C, mandatory. D, rule-based. Give me a couple of seconds. All right, this one's easy. It's role-based, right. Yes, a nurse can look at the hospital records, but she cannot prescribe medication. Next is role-based control. I'm sorry, I just gave you the answer. All right, let's skip that one. Next, a military system classifies documents as confidential, secret or top secret. Users are allowed to access information if their clearance level matches or exceeds the classification. Which method is being used? A, rule-based. B, role-based. C, discretionary. D, mandatory. I'll give you a couple of seconds there to think about it. What do you think the answer is? The answer is D, mandatory access control. Next we'll do.
Speaker 1: A project manager creates a shared folder and manually grants access to only two team members while denying access to others. Which access control model is applied? A, mandatory. B, discretionary. C, rule-based. D, role-based. Oh, I'm sorry, C is role-based, D is rule-based. Think about it for a couple of seconds. What do you think? The answer is B, discretionary. And it makes sense, right, because she's using her own discretion. That's the clue. And the other clue is shared folder. That's the other clue. That means that it's her computer, it's an OS thing. Here's one a little tougher. A company requires that employees are grouped together by department to determine their access. Firewalls enforce filtering rules regardless of roles, and certain highly sensitive files are only available to executives with an explicit clearance level. Which combination of access control models is being used?
Speaker 1: Now, the key here is to make sure whatever answer you choose checks off all the requirements that they're giving you. So here they're giving you three requirements. Make sure that they check off. I've seen this a lot with students: they see two, and then they just go with that one. So the biggest example I can think of is the A+ exam, where there was a question that was like, oh, which of the following cables does audio, video and data? And people see HDMI and they pick that one because it does audio and video, but it doesn't do data. So, regardless, even if you don't know what the other three choices mean, or you've never heard of them, if you only heard of HDMI and you know about HDMI, you know it doesn't do data, at least today, right? So you know you can't choose that one because it didn't meet all three requirements. So anytime you have that choice, when they give you, like, oh, it's more than one, or they use the word "and," make sure that you are covering both or all the requirements that they're asking you to. Because if it doesn't, then it's going to be wrong. All right.
Speaker 1: So here are the choices. A is role-based, rule-based and MAC. B is discretionary, role-based and rule-based. C is rule-based and discretionary only, and D is mandatory only. So let me read the question again, because I talked a lot in between. A company requires that employees are grouped by departments to determine their access. Firewalls enforce traffic filtering rules regardless of roles, and certain highly sensitive files are only available to executives with explicit clearance levels. So which combination of access controls is being used? A: role-based, rule-based and MAC. B: DAC, role-based and rule-based. C: rule-based and DAC only. Discretionary, that's DAC. And D is mandatory only. So I'll give you a couple of seconds to think about it. And the answer is, what do you think? The answer is A, role-based, rule-based and MAC. Right, mandatory, right. Mandatory is right: highly sensitive information, right. Rule-based is the firewall, right, and it's in the definition that I gave you. I gave you that hint. And then role-based is employees are grouped together by departments, right? That's the role that they're playing. So, all right, that's going to put a bow on it.
Speaker 1: Today, I want to thank everybody who came back or is planning on coming back to listening to me. I missed doing this, and hopefully I can keep doing it, and if you keep encouraging me, I'll keep doing it. You keep listening, I'll keep doing it. Nobody listens, I'll stop doing it. And even after a year of me not doing it, people were still listening, so I'm happy. Until next time.