0:04
hello everyone and welcome back to the
0:07
hello everyone and welcome back to the
0:07
hello everyone and welcome back to the cloud show this is going to be a really
0:10
cloud show this is going to be a really
0:10
cloud show this is going to be a really interesting conversation today about a
0:11
interesting conversation today about a
0:12
interesting conversation today about a topic which is near and dear to my heart
0:13
topic which is near and dear to my heart
0:13
topic which is near and dear to my heart it is about authentication and it's
0:15
it is about authentication and it's
0:15
it is about authentication and it's going to be about access control which
0:17
going to be about access control which
0:17
going to be about access control which is such an important topic and we are
0:20
is such an important topic and we are
0:20
is such an important topic and we are going to talk about this top topic today
0:22
going to talk about this top topic today
0:23
going to talk about this top topic today together with an expert on this matter
0:25
together with an expert on this matter
0:25
together with an expert on this matter uh her name is Jennifer Holland
0:27
uh her name is Jennifer Holland
0:27
uh her name is Jennifer Holland [Music]
0:37
well hello there welcome to the cloud
0:39
well hello there welcome to the cloud
0:39
well hello there welcome to the cloud show thank you very for having me I'm
0:41
show thank you very for having me I'm
0:41
show thank you very for having me I'm really good thank you how are you yeah
0:44
really good thank you how are you yeah
0:44
really good thank you how are you yeah brilliant well it's nice to see you and
0:47
brilliant well it's nice to see you and
0:47
brilliant well it's nice to see you and um I think we need to uh do a little bit
0:48
um I think we need to uh do a little bit
0:48
um I think we need to uh do a little bit of uh who's who here like so you can
0:51
of uh who's who here like so you can
0:51
of uh who's who here like so you can tell sort of the audience uh who who are
0:53
tell sort of the audience uh who who are
0:53
tell sort of the audience uh who who are you and why do you know anything about
0:54
you and why do you know anything about
0:55
you and why do you know anything about access
0:56
access control yeah of course so my name is
0:59
control yeah of course so my name is
0:59
control yeah of course so my name is Jennifer I live in Scotland and I am a
1:02
Jennifer I live in Scotland and I am a
1:02
Jennifer I live in Scotland and I am a student I am in between two degrees at
1:04
student I am in between two degrees at
1:04
student I am in between two degrees at the moment so I have just wrapped up my
1:07
the moment so I have just wrapped up my
1:07
the moment so I have just wrapped up my undergraduate degree I was studying
1:09
undergraduate degree I was studying
1:09
undergraduate degree I was studying digital security and digital forensics
1:12
digital security and digital forensics
1:12
digital security and digital forensics at Glasgow Caledonian University so that
1:15
at Glasgow Caledonian University so that
1:15
at Glasgow Caledonian University so that was four years and I just wrapped that
1:17
was four years and I just wrapped that
1:17
was four years and I just wrapped that up finished all my exams I will graduate
1:20
up finished all my exams I will graduate
1:20
up finished all my exams I will graduate in July and then in September I will be
1:22
in July and then in September I will be
1:22
in July and then in September I will be starting my Master's Degree at
1:25
starting my Master's Degree at
1:25
starting my Master's Degree at University of sha Clyde and I will be
1:27
University of sha Clyde and I will be
1:27
University of sha Clyde and I will be studying Advanced Computer Science with
1:29
studying Advanced Computer Science with
1:29
studying Advanced Computer Science with artificial intell intelligence which I
1:31
artificial intell intelligence which I
1:31
artificial intell intelligence which I think there's not a better time in the
1:33
think there's not a better time in the
1:34
think there's not a better time in the world to be studying these kind of
1:36
world to be studying these kind of
1:36
world to be studying these kind of topics cyber
1:38
topics cyber security all that kind of stuff it's
1:40
security all that kind of stuff it's
1:40
security all that kind of stuff it's it's crazy how I would agree yeah how
1:44
it's crazy how I would agree yeah how
1:44
it's crazy how I would agree yeah how quick it all progresses yeah and so it's
1:47
quick it all progresses yeah and so it's
1:47
quick it all progresses yeah and so it's summertime up there now in in
1:49
summertime up there now in in
1:49
summertime up there now in in Scotland and I have never been I'm gonna
1:51
Scotland and I have never been I'm gonna
1:51
Scotland and I have never been I'm gonna have to come and visit yeah don't come
1:54
have to come and visit yeah don't come
1:54
have to come and visit yeah don't come now though because it's like pouring you
1:56
now though because it's like pouring you
1:56
now though because it's like pouring you wouldn't know you wouldn't know it was
1:57
wouldn't know you wouldn't know it was
1:57
wouldn't know you wouldn't know it was summer because the weather is horrible
2:00
summer because the weather is horrible
2:00
summer because the weather is horrible okay fine all right well at some point
2:02
okay fine all right well at some point
2:03
okay fine all right well at some point anyway at some point I will I will go up
2:05
anyway at some point I will I will go up
2:05
anyway at some point I will I will go up uh and and visit and maybe visit I don't
2:08
uh and and visit and maybe visit I don't
2:08
uh and and visit and maybe visit I don't know a few distilleries as you
2:10
know a few distilleries as you
2:10
know a few distilleries as you do have lots of them lots of them lots
2:14
do have lots of them lots of them lots
2:14
do have lots of them lots of them lots of them in in in nature I
2:16
of them in in in nature I
2:16
of them in in in nature I guess yep yep all right brilliant so um
2:20
guess yep yep all right brilliant so um
2:20
guess yep yep all right brilliant so um as as a student of of of um cyber
2:24
as as a student of of of um cyber
2:24
as as a student of of of um cyber security and and security Concepts and
2:26
security and and security Concepts and
2:26
security and and security Concepts and and things like that I I definitely
2:27
and things like that I I definitely
2:27
and things like that I I definitely agree with you that now is the time to
2:30
agree with you that now is the time to
2:30
agree with you that now is the time to study this because I guess uh and and
2:32
study this because I guess uh and and
2:33
study this because I guess uh and and like look at the world right look at
2:34
like look at the world right look at
2:34
like look at the world right look at look at the wars going on and and
2:37
look at the wars going on and and
2:37
look at the wars going on and and hackers trying to attack uh everything
2:41
hackers trying to attack uh everything
2:41
hackers trying to attack uh everything uh all the time so I guess you're you
2:42
uh all the time so I guess you're you
2:42
uh all the time so I guess you're you have your um sort of career set before
2:45
have your um sort of career set before
2:45
have your um sort of career set before you yeah that's the thing so many of the
2:48
you yeah that's the thing so many of the
2:48
you yeah that's the thing so many of the wars nowadays it's an on the ground war
2:52
wars nowadays it's an on the ground war
2:52
wars nowadays it's an on the ground war and also a cyber War you know it's not
2:55
and also a cyber War you know it's not
2:55
and also a cyber War you know it's not just about who can shoot the most guns
2:57
just about who can shoot the most guns
2:57
just about who can shoot the most guns it's who can take down a country
3:00
it's who can take down a country
3:00
it's who can take down a country infrastructure and all that kind of
3:02
infrastructure and all that kind of
3:02
infrastructure and all that kind of thing so it's yeah so important yeah
3:05
thing so it's yeah so important yeah
3:05
thing so it's yeah so important yeah definitely and and and actually in terms
3:07
definitely and and and actually in terms
3:07
definitely and and and actually in terms of data centers and and um the the um
3:12
of data centers and and um the the um
3:12
of data centers and and um the the um the cloud data centers at one point we
3:14
the cloud data centers at one point we
3:14
the cloud data centers at one point we were I mean it's it's it's wrong to say
3:18
were I mean it's it's it's wrong to say
3:18
were I mean it's it's it's wrong to say we were laughing about it but we were
3:19
we were laughing about it but we were
3:19
we were laughing about it but we were saying that a good attack would be to to
3:22
saying that a good attack would be to to
3:22
saying that a good attack would be to to put a a missile into a Data Center and
3:25
put a a missile into a Data Center and
3:25
put a a missile into a Data Center and and blow it up right that would be that
3:27
and blow it up right that would be that
3:27
and blow it up right that would be that would be a way to attack and actually
3:29
would be a way to attack and actually
3:29
would be a way to attack and actually now
3:30
now um data centers are physically built
3:32
um data centers are physically built
3:32
um data centers are physically built into smaller units so you even that sort
3:36
into smaller units so you even that sort
3:36
into smaller units so you even that sort of attack couldn't really couldn't
3:38
of attack couldn't really couldn't
3:38
of attack couldn't really couldn't really happen but that's physical
3:39
really happen but that's physical
3:39
really happen but that's physical security that's something else U you're
3:42
security that's something else U you're
3:42
security that's something else U you're you're about the the digital security
3:44
you're about the the digital security
3:45
you're about the the digital security yes yeah so um authentication and and
3:49
yes yeah so um authentication and and
3:49
yes yeah so um authentication and and access control being so Central to
3:52
access control being so Central to
3:52
access control being so Central to everything that we do uh let's get into
3:54
everything that we do uh let's get into
3:54
everything that we do uh let's get into it uh why why is this such an important
3:57
it uh why why is this such an important
3:57
it uh why why is this such an important area so I think when we start talking
4:01
area so I think when we start talking
4:01
area so I think when we start talking about Cloud security one of the most
4:03
about Cloud security one of the most
4:03
about Cloud security one of the most important things to look at to start
4:05
important things to look at to start
4:05
important things to look at to start with is the shared responsibility model
4:08
with is the shared responsibility model
4:08
with is the shared responsibility model so with Cloud there are some things that
4:11
so with Cloud there are some things that
4:11
so with Cloud there are some things that the cloud provider is responsible for
4:13
the cloud provider is responsible for
4:13
the cloud provider is responsible for and some things that you as user are
4:16
and some things that you as user are
4:16
and some things that you as user are responsible for and this carries over
4:17
responsible for and this carries over
4:17
responsible for and this carries over into security so the cloud provider is
4:21
into security so the cloud provider is
4:21
into security so the cloud provider is responsible for the actual physical
4:24
responsible for the actual physical
4:24
responsible for the actual physical computers and networks you are
4:26
computers and networks you are
4:26
computers and networks you are responsible for things like security the
4:29
responsible for things like security the
4:29
responsible for things like security the user data who can access these things
4:32
user data who can access these things
4:32
user data who can access these things identity control so that's why you know
4:36
identity control so that's why you know
4:36
identity control so that's why you know we you need to be aware that that is not
4:39
we you need to be aware that that is not
4:39
we you need to be aware that that is not something in most cases that the cloud
4:41
something in most cases that the cloud
4:41
something in most cases that the cloud provider is going to take care of that's
4:43
provider is going to take care of that's
4:43
provider is going to take care of that's a that's a you problem that's a you
4:46
a that's a you problem that's a you
4:46
a that's a you problem that's a you problem all right so this this you
4:48
problem all right so this this you
4:48
problem all right so this this you problem here um how how do you like um
4:51
problem here um how how do you like um
4:51
problem here um how how do you like um how do you set up for uh for users uh to
4:56
how do you set up for uh for users uh to
4:56
how do you set up for uh for users uh to be able to log in and do what they need
4:58
be able to log in and do what they need
4:58
be able to log in and do what they need to do but it shouldn't like too
5:00
to do but it shouldn't like too
5:00
to do but it shouldn't like too complicated uh to to do so like this
5:03
complicated uh to to do so like this
5:03
complicated uh to to do so like this balance between uh is it secure and and
5:06
balance between uh is it secure and and
5:06
balance between uh is it secure and and is it and can we even use this security
5:08
is it and can we even use this security
5:08
is it and can we even use this security is it usable yeah that's what that's
5:11
is it usable yeah that's what that's
5:11
is it usable yeah that's what that's something that has been getting more
5:13
something that has been getting more
5:13
something that has been getting more common and it's really it's well not
5:16
common and it's really it's well not
5:16
common and it's really it's well not it's it's frustrating to see companies
5:19
it's it's frustrating to see companies
5:19
it's it's frustrating to see companies that go we're going to be really secure
5:21
that go we're going to be really secure
5:21
that go we're going to be really secure we're g and then they make it something
5:24
we're g and then they make it something
5:24
we're g and then they make it something like you need to change your password
5:26
like you need to change your password
5:26
like you need to change your password every single week because what people
5:29
every single week because what people
5:29
every single week because what people are going to do is they're going to get
5:31
are going to do is they're going to get
5:31
are going to do is they're going to get a password any password and they're just
5:33
a password any password and they're just
5:33
a password any password and they're just going to go like my password one my
5:35
going to go like my password one my
5:35
going to go like my password one my password two my password three or
5:38
password two my password three or
5:38
password two my password three or they're just going to write it down and
5:40
they're just going to write it down and
5:40
they're just going to write it down and then um I don't know if you've seen
5:42
then um I don't know if you've seen
5:42
then um I don't know if you've seen there's been quite a few things on the
5:43
there's been quite a few things on the
5:43
there's been quite a few things on the news in the last few years where people
5:46
news in the last few years where people
5:46
news in the last few years where people will be filming in big important places
5:49
will be filming in big important places
5:49
will be filming in big important places and there will be like a little sticky
5:50
and there will be like a little sticky
5:50
and there will be like a little sticky note on the back that will have
5:52
note on the back that will have
5:52
note on the back that will have someone's like Wi-Fi password or they're
5:54
someone's like Wi-Fi password or they're
5:54
someone's like Wi-Fi password or they're like whatever password and it's that
5:56
like whatever password and it's that
5:56
like whatever password and it's that kind of thing you're like do you not
5:58
kind of thing you're like do you not
5:58
kind of thing you're like do you not look and see
6:00
look and see what you're
6:01
what you're filming and and that's that's the the
6:04
filming and and that's that's the the
6:04
filming and and that's that's the the key right if if it becomes too
6:07
key right if if it becomes too
6:07
key right if if it becomes too challenging for the users the common
6:09
challenging for the users the common
6:09
challenging for the users the common users of of a computer system to use it
6:12
users of of a computer system to use it
6:12
users of of a computer system to use it that to use the security they're going
6:14
that to use the security they're going
6:14
that to use the security they're going to try to get around it it should be
6:16
to try to get around it it should be
6:16
to try to get around it it should be empowering not not
6:18
empowering not not overpowering right yeah because if
6:21
overpowering right yeah because if
6:21
overpowering right yeah because if people think it's too complicated
6:24
people think it's too complicated
6:24
people think it's too complicated they're just going to be like oh well I
6:26
they're just going to be like oh well I
6:26
they're just going to be like oh well I don't have the time you know I'm a busy
6:28
don't have the time you know I'm a busy
6:28
don't have the time you know I'm a busy person I don't have the time to be
6:29
person I don't have the time to be
6:29
person I don't have the time to be thinking of secure passwords I'll just
6:31
thinking of secure passwords I'll just
6:31
thinking of secure passwords I'll just add numbers on the end or whatever and
6:33
add numbers on the end or whatever and
6:33
add numbers on the end or whatever and that doesn't help because you have
6:36
that doesn't help because you have
6:36
that doesn't help because you have things like Brute Force password attacks
6:39
things like Brute Force password attacks
6:40
things like Brute Force password attacks which will you know they have like
6:42
which will you know they have like
6:42
which will you know they have like dictionaries of breached passwords and
6:44
dictionaries of breached passwords and
6:44
dictionaries of breached passwords and if you're just adding numbers onto the
6:46
if you're just adding numbers onto the
6:46
if you're just adding numbers onto the end it just makes things so much easier
6:48
end it just makes things so much easier
6:48
end it just makes things so much easier for the attackers to work out what your
6:49
for the attackers to work out what your
6:49
for the attackers to work out what your password is for sure for sure that's not
6:52
password is for sure for sure that's not
6:52
password is for sure for sure that's not security uh at all that's uh that's the
6:54
security uh at all that's uh that's the
6:54
security uh at all that's uh that's the first thing that they will they will try
6:56
first thing that they will they will try
6:56
first thing that they will they will try to break or or find if they try to break
6:58
to break or or find if they try to break
6:58
to break or or find if they try to break your password but passwords is one thing
7:00
your password but passwords is one thing
7:00
your password but passwords is one thing I I'm I'm think I'm I'm really liking
7:03
I I'm I'm think I'm I'm really liking
7:03
I I'm I'm think I'm I'm really liking multiactor authentication I'm using this
7:05
multiactor authentication I'm using this
7:05
multiactor authentication I'm using this one all the time to to log into things
7:07
one all the time to to log into things
7:07
one all the time to to log into things so what's the next level up there
7:10
so what's the next level up there
7:10
so what's the next level up there um how does that work I think uh the way
7:14
um how does that work I think uh the way
7:14
um how does that work I think uh the way I've seen things going certainly people
7:16
I've seen things going certainly people
7:16
I've seen things going certainly people seem to be using a lot more kind of like
7:17
seem to be using a lot more kind of like
7:17
seem to be using a lot more kind of like Biometrics nowadays which seems like
7:20
Biometrics nowadays which seems like
7:20
Biometrics nowadays which seems like something just totally sci-fi like you
7:22
something just totally sci-fi like you
7:22
something just totally sci-fi like you that's in like movies like you use your
7:24
that's in like movies like you use your
7:24
that's in like movies like you use your eye to scan into places but that's a
7:26
eye to scan into places but that's a
7:26
eye to scan into places but that's a people that's a real thing that people
7:28
people that's a real thing that people
7:28
people that's a real thing that people use nowadays it's yeah it's it's crazy
7:31
use nowadays it's yeah it's it's crazy
7:31
use nowadays it's yeah it's it's crazy to think in the future you know you see
7:34
to think in the future you know you see
7:34
to think in the future you know you see I can't remember where it was but there
7:36
I can't remember where it was but there
7:36
I can't remember where it was but there was the Amazon shop I think where you
7:38
was the Amazon shop I think where you
7:38
was the Amazon shop I think where you just could walk in and pick stuff up and
7:40
just could walk in and pick stuff up and
7:40
just could walk in and pick stuff up and then walk back out again and it took
7:42
then walk back out again and it took
7:42
then walk back out again and it took your face and it was able to connect
7:44
your face and it was able to connect
7:44
your face and it was able to connect your face for payment so although that's
7:46
your face for payment so although that's
7:46
your face for payment so although that's not password although that's not
7:48
not password although that's not
7:48
not password although that's not passwords it's still like it's
7:50
passwords it's still like it's
7:50
passwords it's still like it's Biometrics it's being able to know it
7:52
Biometrics it's being able to know it
7:52
Biometrics it's being able to know it just goes oh that's that's Magnus I'll
7:55
just goes oh that's that's Magnus I'll
7:55
just goes oh that's that's Magnus I'll charge his bank account that's
7:57
charge his bank account that's
7:57
charge his bank account that's interesting it it really is interesting
7:59
interesting it it really is interesting
7:59
interesting it it really is interesting kind of scary but I I like I like the
8:01
kind of scary but I I like I like the
8:01
kind of scary but I I like I like the thinking so
8:04
thinking so um what what what are some good advice
8:06
um what what what are some good advice
8:06
um what what what are some good advice in terms of setting up a like a good
8:08
in terms of setting up a like a good
8:08
in terms of setting up a like a good authentication story then for for your
8:10
authentication story then for for your
8:10
authentication story then for for your uh your employees to to give them
8:13
uh your employees to to give them
8:13
uh your employees to to give them something that they can use with or and
8:15
something that they can use with or and
8:15
something that they can use with or and work
8:16
work with so I think first of all let's talk
8:20
with so I think first of all let's talk
8:20
with so I think first of all let's talk about usernames because everyone loves a
8:24
about usernames because everyone loves a
8:24
about usernames because everyone loves a good predictable
8:25
good predictable username especially hackers hackers love
8:28
username especially hackers hackers love
8:28
username especially hackers hackers love predictable us user names and you know
8:30
predictable us user names and you know
8:30
predictable us user names and you know actually who is really bad for that is
8:32
actually who is really bad for that is
8:32
actually who is really bad for that is universities because they have thousands
8:35
universities because they have thousands
8:35
universities because they have thousands of students they don't have time to be
8:36
of students they don't have time to be
8:36
of students they don't have time to be giving you your unique usernames for
8:38
giving you your unique usernames for
8:38
giving you your unique usernames for everything so our emails are just like
8:41
everything so our emails are just like
8:41
everything so our emails are just like our names and then like a number on the
8:42
our names and then like a number on the
8:42
our names and then like a number on the end and that's really easily like
8:46
end and that's really easily like
8:46
end and that's really easily like username enumeration is a step that I
8:49
username enumeration is a step that I
8:49
username enumeration is a step that I think people don't think about an awful
8:51
think people don't think about an awful
8:51
think people don't think about an awful lot um one of those things is like if
8:55
lot um one of those things is like if
8:55
lot um one of those things is like if you can if you're trying to log in
8:58
you can if you're trying to log in
8:58
you can if you're trying to log in somewhere for example example and your
9:02
somewhere for example example and your
9:02
somewhere for example example and your um the response that you get for a wrong
9:04
um the response that you get for a wrong
9:04
um the response that you get for a wrong username versus a wrong password is
9:07
username versus a wrong password is
9:07
username versus a wrong password is different that then becomes a really
9:09
different that then becomes a really
9:09
different that then becomes a really easy way to enumerate usernames and it
9:13
easy way to enumerate usernames and it
9:13
easy way to enumerate usernames and it can if you know the username it becomes
9:15
can if you know the username it becomes
9:15
can if you know the username it becomes so much easier to get the password right
9:18
so much easier to get the password right
9:18
so much easier to get the password right so when somebody's trying to sign in and
9:21
so when somebody's trying to sign in and
9:21
so when somebody's trying to sign in and they don't get they don't get the
9:22
they don't get they don't get the
9:22
they don't get they don't get the credent the name username and the
9:24
credent the name username and the
9:24
credent the name username and the password right you shouldn't tell them
9:27
password right you shouldn't tell them
9:27
password right you shouldn't tell them your username is unknown you should you
9:30
your username is unknown you should you
9:30
your username is unknown you should you should tell them sorry you couldn't log
9:32
should tell them sorry you couldn't log
9:33
should tell them sorry you couldn't log in right yeah
9:35
in right yeah exactly I that's it's a big difference
9:37
exactly I that's it's a big difference
9:37
exactly I that's it's a big difference between those
9:39
between those two because it can be as easy as if it's
9:43
two because it can be as easy as if it's
9:43
two because it can be as easy as if it's m if you if it's something that is
9:45
m if you if it's something that is
9:45
m if you if it's something that is having to be manually set up it can be
9:47
having to be manually set up it can be
9:47
having to be manually set up it can be as easy as um for one of them so if it's
9:50
as easy as um for one of them so if it's
9:50
as easy as um for one of them so if it's the username that's wrong it's whatever
9:53
the username that's wrong it's whatever
9:53
the username that's wrong it's whatever and then there's a full stop at the end
9:54
and then there's a full stop at the end
9:54
and then there's a full stop at the end and when it's the password that's wrong
9:56
and when it's the password that's wrong
9:56
and when it's the password that's wrong you missed out the full stop and that's
9:58
you missed out the full stop and that's
9:58
you missed out the full stop and that's the difference and attackers will notice
10:00
the difference and attackers will notice
10:00
the difference and attackers will notice that difference and will absolutely
10:01
that difference and will absolutely
10:02
that difference and will absolutely capitalize on it oh yeah yeah for sure
10:05
capitalize on it oh yeah yeah for sure
10:05
capitalize on it oh yeah yeah for sure that's uh whenever I talk about this
10:07
that's uh whenever I talk about this
10:07
that's uh whenever I talk about this stuff I get really scared I don't know I
10:10
stuff I get really scared I don't know I
10:10
stuff I get really scared I don't know I guess I guess this your this is your
10:12
guess I guess this your this is your
10:12
guess I guess this your this is your life you're used to this stuff yeah it's
10:15
life you're used to this stuff yeah it's
10:15
life you're used to this stuff yeah it's really scary though because like my mom
10:17
really scary though because like my mom
10:17
really scary though because like my mom for example my mom will not take QR
10:19
for example my mom will not take QR
10:19
for example my mom will not take QR codes someone tries to offer her a QR
10:21
10:21
codes. Someone tries to offer her a QR code and she's like, "No, no, my daughter told me not to scan QR codes, they can be bad." So I can't take her anywhere. We go to a restaurant and it's like, "Oh, scan here for the menu," and my mom is like, "No," and I'm like, "It's okay, we can trust the restaurant." But yeah, everything can be manipulated these days into becoming scary in the world of cyber, I guess.
10:44
Yeah, that's for sure. Which means that for us, being able to authenticate using ourselves or a device is a useful thing, because multi-factor, I don't know what the number is there, it's a massive security increase between having just a password and having a phone validation. Almost all attack vectors, or the attack surface, kind of goes away. Not completely, of course, but really: they can maybe break my password, but they actually have to have my phone, and that's going to be hard for them to have.
11:28
right definitely even some places will
11:28
right definitely even some places will try to add an extra layer of security by
11:31
try to add an extra layer of security by
11:31
try to add an extra layer of security by adding in like a capture so like solve
11:33
adding in like a capture so like solve
11:33
adding in like a capture so like solve this capture and it's like the letters
11:35
this capture and it's like the letters
11:35
this capture and it's like the letters that are all messed up but you can
11:37
that are all messed up but you can
11:37
that are all messed up but you can actually find that AI can solve those
11:39
actually find that AI can solve those
11:39
actually find that AI can solve those captures really easily and and you can
11:42
captures really easily and and you can
11:42
captures really easily and and you can train them to be able to read it so if
11:44
train them to be able to read it so if
11:44
train them to be able to read it so if you're try if you're doing like password
11:46
you're try if you're doing like password
11:46
you're try if you're doing like password attacks you can just submit loads and
11:48
attacks you can just submit loads and
11:48
attacks you can just submit loads and loads of passwords and the cap the AI
11:51
loads of passwords and the cap the AI
11:51
loads of passwords and the cap the AI will be trained to be able to read the
11:52
will be trained to be able to read the
11:52
will be trained to be able to read the captures so so so are you saying that do
11:57
captures so so so are you saying that do
11:57
captures so so so are you saying that do does it mean that capture as a thing
11:59
does it mean that capture as a thing
11:59
does it mean that capture as a thing will kind of go away because it's going
12:00
will kind of go away because it's going
12:00
will kind of go away because it's going to be pointless or I think I think
12:03
to be pointless or I think I think
12:03
to be pointless or I think I think eventually yeah because I mean that was
12:06
eventually yeah because I mean that was
12:06
eventually yeah because I mean that was something I actually did during the um
12:09
something I actually did during the um
12:09
something I actually did during the um during the the tryhackme Advent of cyber
12:12
during the the tryhackme Advent of cyber
12:12
during the the tryhackme Advent of cyber uh at the end of 2023 one of the tasks
12:15
uh at the end of 2023 one of the tasks
12:15
uh at the end of 2023 one of the tasks on one of the days was we're going to
12:18
on one of the days was we're going to
12:18
on one of the days was we're going to build something that can break captures
12:20
build something that can break captures
12:20
build something that can break captures and then you do a password attack I
12:23
and then you do a password attack I
12:23
and then you do a password attack I might need one of those because
12:24
I might need one of those, because sometimes those CAPTCHAs are really hard.
12:27
They are. I'll just get an AI to read it for me and be done with that problem.
12:33
Yeah, "click on all the images where there's a car," right, or whatnot.
Yeah, you can totally train them to do that.
That's interesting, yeah, definitely. I haven't thought about that. That's a fun new sort of way to break the system: you can use the AI to just destroy all these CAPTCHAs.
13:01
not afraid, but that was annoying, like that was a thing that I thought was kind of working, but now I realize that it's not. It's becoming a thing of the past, really.
Yeah, I think eventually they'll probably find other ways to annoy you when you're trying to log in.
13:20
Yeah. So now we have authenticated, let's say. Okay, we're done with that. Now we need to ensure that we have proper access to the systems that we need to have access to. What are some dos and don'ts in this space of access control?
13:32
So I think with access control you need to be employing the concept of least privilege, which is: make sure any users, anyone, doesn't have access to anything more than they actually need to have access to. One of the big problems with access control is privilege escalation. So there are two types of privilege escalation: horizontal privilege escalation and vertical privilege escalation.
14:01
So with horizontal privilege escalation, it's when, for example, you're accessing not necessarily something that needs higher permissions, but it's not yours. So an example of horizontal privilege escalation would be: me and you, Magnus, we are both regular people, regular users, and I can access your resources. That's an example of horizontal privilege escalation. Vertical privilege escalation would be if you, Magnus, you're an admin and I'm a regular user, and I can access your administration functions. Or even just someone who isn't logged in being able to access resources that only people who are logged in should be able to access, that's another type of horizontal privilege escalation... or vertical privilege, yes, yes.
Right, yeah.
So that kind of thing is really important, obviously, for obvious reasons: you don't want people being able to access, you know, not regular users being able to access admin functionality. One of the things that you can do to kind of try to mitigate this is mapping out your cloud. So the best way I can describe this is basically just, as yourself, going about the cloud, going about all of your resources, everything you have, and seeing what you can access as an admin, as a regular user, as someone who isn't logged in, whatever different kind of roles you have set up. You know, you could have different ones depending what your business is. So as an admin you should probably be able to access most things, or whatever, and then a regular user, what can they access? Can they access things they shouldn't be able to? Something a lot of people don't think about is: so maybe you've got some kind of admin functionality, and in the middle there is some kind of validation to make sure that this functionality can't be accessed. But can this regular user jump over the wall, basically, and go straight to the functionality, bypass the validation and therefore access that resource without having to validate? That's something that you need to think about: looking at what people who aren't logged in can access, can they go straight to things that they shouldn't be able to go straight to, all that kind of thing. It takes a while, it takes perseverance, but I think it's a very valid thing to take up your time to do that.
16:43
To map the access that you have to different things, and figure out where you can have access, and kind of secure those avenues that you shouldn't be able to walk. You secure them one by one and make sure that things are in the right place. Okay, that makes sense, that makes a lot of sense. Because, to sort of this privilege escalation, you should be able to escalate your access more like when you need it, right? Like just-in-time activation, I guess.
17:16
Yeah, you could also have that, although that's dangerous, you need to be very careful. That's where obviously the different types of access control come in. You have your role-based access control, which is like: this person has this role, and the role is what has the permissions. Or the other types, where every individual has specific permissions, which is obviously the really complicated way to do it, especially if you've got a really big business, but it's slightly more secure. Where the role-based access control, or any access control, can become a slight issue is if you have people who are leaving your company or going to different departments, because you need to have a good offboarding process to remove those permissions. Because I think it's easy to just think of offboarding as when people leave the company, but if you have people who are moving to a different department, chances are they shouldn't have access to the resources of the department they were in before. And I think that can be quite easily forgotten, because it's like, "Oh, they still work for us, it's fine." It's not fine.
18:26
No, it's not fine at all. Now that I... I can see that can be a really sticky problem to figure out, and I've seen, you know, people having access to systems that have left the company many months ago, and their account still technically has access. Now of course that account may be, you know, disabled, and it should be disabled, but still, having the ability to clean up old access is of course a key process as well.
18:58
Yeah, very recently Microsoft were hacked, late 2023 to beginning of 2024, by a Russian advanced persistent threat, and the way they got in: they actually managed to get access to Microsoft's corporate Office 365, and it was through a legacy account that hadn't been shut down, and that was how they got in. So it's just those things that you think don't matter, it's just one account: that one account can be your downfall and can be the way in for very persistent attackers.
19:35
I've heard that they can put up, or, you know, there's technically the ability to set up access control reviews these days as well, so that the manager of a system needs to go and check periodically who has access to this system and is that still accurate.
That's a good idea, I like that.
Yeah, it's very useful, it's a handy thing.
19:58
All right, brilliant. Well, I have very much enjoyed having a conversation with you today about authentication, about access control and all kinds of things. It's been brilliant. I want to thank you so much for having been on The Cloud Show with me today.
Thank you very much for having me, it's been so much fun.
Yeah, absolutely. And audience, let's see you again next week for another episode of The Cloud Show.
20:22
[Music]