Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP
Cyber Training Podcast, where we
provide you the training and tools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber and I'm your host for this
action-packed, informative podcast.
Join me each week as I provide the information you need to pass
the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go.
Speaker 2 (00:24):
All right, let's get
started.
Good morning everybody.
This is Sean Gerber with CISSP Cyber Training, and hope you all
are having a wonderfully blessed day today.
Today is an amazing day here in Kansas.
Yeah, it's actually going to be like 75 degrees, 75 to 85
degrees.
It's going to be amazing.
The sun is out, so it's really quite pleasant for this time of
(00:44):
year.
The interesting part, though, is the 125 degree weather is
soon around the corner.
Well, actually I'm exaggerating just a little bit; it's not
going to quite get to 125, maybe 120, but it gets really warm
here and sticky, and yeah, it's not fun, but that's okay.
We enjoy it while we can when it's pleasant.
But you're not here to hear about the weather.
(01:06):
Yeah, no, this is not a weather podcast.
This is about the CISSP, and today we're going to be talking
about domain 3.1.2 and basically 3.1.3.
And we're going to be getting over defense in depth and secure
defaults.
This is all part of domain three of the CISSP exam, and so
this is going to be some fun stuff, right, but actually it's
(01:27):
a little bit apropos that one of the things that happened in the
news yesterday that I saw actually is a little bit
disconcerting.
If you are a security professional that doesn't have
the experience.
I'm saying this not to scare anybody off, but it's actually
quite interesting.
In The Register there was, a US Senator had claimed that the
UnitedHealthcare debacle that occurred, where basically the
(01:50):
ransomware occurred, cost $22 million, all kinds of stuff.
Right, then who knows how much more they're going to gain, how
much more it's going to end up costing UnitedHealthcare.
But if you all aren't connected, UnitedHealthcare was one of
the main.
Basically it's kind of a clearinghouse for what do they
(02:11):
call it?
Insurance products that are going out there from when you go.
I have an insurance company such as UnitedHealthcare and
then they go through another clearinghouse and that's like
there's lots of stuff that basically has to happen.
So, as you can tell real quickly, I don't know what the
crud I'm talking about when it comes to all that healthcare
stuff.
So we'll just keep moving on.
But bottom line, it's like a clearinghouse of some sort.
But what ended up happening is they had a ransomware attack
(02:34):
back this last year and it was pretty traumatic.
It cost a lot of money, cost a lot of drama.
It was a big deal.
Well, come to find out that there now is going to be some
situations that are coming out with the unqualified CISO for
UnitedHealthcare's CEO.
Basically he had appointed, so this CEO had appointed the CISO,
(02:56):
and then the hack occurred and now they're trying to find
somebody's head to lop off.
And again, I don't know this individual at all.
It's a gentleman by the name of Steve Martin.
He was appointed CISO in 2023.
And the interesting part is they said he didn't hold any
security specific role during his career, despite his high
(03:17):
level experience in other tech roles, and it is interesting.
So this kind of flies in the face of what we talk about here
in security, where you need to work your way up through the
corporation, get some level of experience, and you may bounce
around from job to job a little bit to do that, but you need
some level of experience in security and when you start off,
you may not have that and that's okay, but you really need
(03:40):
to have, when you deal in your roles, that you have some level
of security tied to your role, that you understand the concepts.
Now, I don't know Mr Martin, so nor am I to say whether he does
or doesn't know it.
He looks like he has a very solid career and he's done a lot
of stuff in IT.
But bottom line is they're looking for somebody's head to
chop off and he's in the situation where he didn't have a
(04:02):
specific security role in his job title per se, so he
wasn't the director of security, he wasn't the security analyst,
he wasn't whatever that might be.
So when he ended up getting the role as the CISO, they're
saying that well, because he didn't have that experience,
they should have never done that.
So they're really going after the CEO and they're going after
(04:24):
him.
Now I will say that if you read through the article, there's
some pretty bonehead things that did occur where they didn't
have any multi-factor authentication on remote access
server.
You know that's kind of a big basic practice type of aspect.
However, if you've been in security long enough to know
that there may be a good reason why I don't think I could
(04:46):
actually figure that one out but there might have been a good
reason why they didn't have MFA on those systems.
And I would also say sometimes you get into the political
schema that rolls into these large corporations and you get a
lot of pushback for putting stuff like MFA on the remote
access because it causes disruption, maybe causes some
(05:07):
level of outage just going through that whole process.
So I don't know the details, nor am I going to comment on
whether it's right or wrong.
The only other thing I want to bring up was the fact that now
in this article they're having people within the legislative
groups are wanting him, they're wanting somebody's head, and the
point is that they're saying that careless activities.
(05:29):
You know you wouldn't have a brain surgeon work on somebody's
brain if they never went to school to be a brain surgeon or
they never had the background of being a brain surgeon.
So I understand what he's saying.
It's a little bit more nuanced than that and unfortunately, a
lot of times the politicians will say things that they don't
truly understand.
(05:50):
So I hope for Mr Martin and for the CEO that they can work this
out.
But it's a good lesson for all of us to know that if you are
working as a security professional, you need to make
sure that you are working to get your title to match up with it
and you need to follow best practices.
Especially if you're in a publicly held company where
(06:10):
there's people's livelihoods are on the line, especially when it
comes to stock and shareholders, you are under a lot more
scrutiny and, as such, those articles that I put out there.
You need to also be compensated for this, because I'm hoping
that Mr Martin had been compensated well for his
activities, because there's a lot of responsibility that he
had.
So check it out. Again:
(06:31):
US Senator claims UnitedHealthcare CEO and board
appointed an unqualified CISO.
So, yeah, it's an interesting world we live in, but you don't
want to hear about all of that.
We could go down many different tangents.
So we're going to get into domain 3.1.2 and 3.1.3.
And this is around the overall piece of defense in depth and
(06:53):
secure defaults.
So, when we talk about secure defense in depth, one of the key
concepts around this is we talk about just in the case of what
we had with this last article with MFA, MFA would be
considered a defense in depth.
It's one of the first things that you would run into if
you're an outsider trying to get into a network.
Is you run into MFA?
Well, it's a layered security approach that you must have
(07:14):
multiple controls in place to help mitigate the potential
risks, and so, therefore, you need to have these controls in
place to do that.
This layered approach, again, is designed so that if one layer
fails, the other still can provide some level of protection
against basically everything falling apart.
So this layered approach ensures that this is set up in
(07:35):
place.
Now.
One example that you've seen or maybe you've heard of people
talking about is the medieval castle where you have the moat.
So you'll have this if you look at it from a mind's eye, you
have this medieval castle sitting on a hill. Probably not a
hill, probably more of a flat plain, because a moat won't
really work too well on a big hill, but you have this castle
(07:56):
sitting out there and there's this moat, a big trench dug
around it, and inside that trench is all kinds of, there's
water and alligators and snakes and whatever else things.
Those are just basically designed that if you want to get
into this really tall castle, you've got to go through this
moat to get to the castle.
Well, the same kind of concept it has in security is that you
(08:16):
want to have this set up so that if one of your protection
mechanisms fails, there's another one waiting to catch the
attacker, and I try to bring this up when I was talking about
security to partners and to individuals, is that the fact is
that these controls are not designed to necessarily stop the
individual.
I mean, you want them to stop the individual, but there's many
(08:37):
cases if there's one control, they'll find a way around it and
you want them to run into another one.
There's two different concepts with this.
One is you want to slow them down enough that they get
frustrated and they move on to somebody else.
Fortunately, that's how it works.
Right, it's the law of the, not law of the fittest.
That's where, okay, if you're the little tiny gazelle and
(08:57):
there's tigers everywhere and you broke your leg, you're gonna
get eaten.
Yeah, it's the law of is something like that, but bottom
line is you're going to get eaten, right.
So we want to have it so that your gazelle has all four legs,
maybe six legs, and can run really, really fast.
So by having these protection mechanisms in place, you are
(09:19):
that gazelle with six legs.
I know it's a really weird tangent, but it kind of sort of
works.
The bottom line is then they will move on to somebody else
and eat somebody's other gazelle, but if they penetrate one, you
also want to have.
The second concept is that if they are determined to get into
your network and they're going to bridge your moat and they're
going to bridge and cross your high walls of your castle, you
want to have sentries that are going to be alerting you that
(09:40):
hey, somebody just did something.
So another reason about having these multiple controls is the
fact that they can be triggers.
They can be alerts to go okay, someone has just crossed this
line.
Okay, now, someone has just crossed this line, and by doing
so, you now have the ability to have better situational
awareness of what are some of the attackers trying to do
within your environment.
So it's really important to have a defense strategy around
(10:05):
with multiple controls.
Now, also, knowing this full well, you're going to be in
security.
At any point in time in your career.
You're going to realize that that isn't always the case.
There may be situations where you've only got one control and
that is it.
It may happen.
You may not have the luxury of putting in multiple controls in
place for a specific area.
(10:26):
So if that is the case, then you have to be keenly aware of
what you're going to put there to protect yourself and alert on
it, so that if anybody gets into the inner sanctum of this
one thing because you only have one control, then you better
have all kinds of fireworks go off, bells and whistles, you
name it, you need to know about it.
So just keep that in mind as you're thinking about this from
(10:48):
an attacker's perspective.
Now, some of the protection mechanisms we're going to talk
about, and this is not all inclusive, this is just a good
example of some of them that you can use.
Perimeter security is one of the first ones, and that is like
the firewall.
The firewall will act as your first line of defense as far as
coming into the network.
So, again, though, there's many other controls, it isn't just
(11:10):
the first one, a lot of one comes into.
Another one is that you're allowing who has access to your
network is another really great control that you have in place.
So your firewalls, they're your first line of defense.
They filter incoming and outgoing traffic based on rules
that are maybe predefined, set up already.
Some of the firewalls today can actually be thinking on the fly,
(11:31):
and they can do that work for you, but that's your first line
coming in. Now.
You could then run into IDS and IPS systems, which is your
intrusion detection and prevention systems.
These two will monitor traffic and they'll look for suspicious
activity and in many cases, your IDS/IPS can be embedded and
ingrained within your firewall and, again, they're designed
(11:53):
specifically to block attacks.
Now the downside of this is when you block anything, you're
causing a disruption, so you're disrupting the bad guys or you
potentially could be disrupting yourself if there's a problem.
Okay, so role-based access, we're talking about access controls,
is the next level down from perimeter security.
Role-based access controls, they assign permissions to users, to
(12:15):
individual users based on their specific job role within
their company, and this ensures that they only have access to
the data and functionality that they need to perform their
specific duties.
Now, that would be where they would have one individual is
able to do, I don't know, they're able to pull out data for their
EDI system, which deals with electronic file transfers.
(12:37):
Another person is not allowed to do that, but they're allowed
to have access to the HR system, and so it's based on their
specific role and what they're allowed to do within the company.
Data security is where it's a beyond.
The encryption piece of this, data security rolls into.
The encryption obviously is a big factor where you've got data
at rest, data in transit, data basically in use, so you have
(13:01):
those different types of access that are within the encryption
mechanisms.
However, what you can also add is data loss prevention tools
that will help limit or restrict the access to individuals
gaining to that data itself, that these tools are limiting that.
One of the things can be done through emails, USB drives and
other types of channels that can be put in place to limit those
(13:25):
activities.
I've seen it time and again where individuals, if they can't
use a USB drive, they will then try to use Bluetooth or they
will try to email it, which is the typical one they use, but
they're trying to look for different ways to get the data
out of their organization.
Another one is system hardening.
This is where this involves security updates to fix
(13:45):
vulnerabilities in the specific software.
Now, this could be software of the application, it could be the
hardware itself that you're trying to update, it could be
the operating system software, many different factors that roll
into it, but system hardening is an important factor within
trying to create various levels of defense in depth.
(14:05):
Now, one thing to think about with system hardening, it's not
sexy, it's not something that people like to do a lot with.
But when you're dealing with ransomware as an example, that
is a really good way to be able to.
If you have these systems in place that you have gone and
you've changed the configurations of your
environment, you've hardened some of these systems.
Now this ransomware does not, not in all cases, but does not
(14:30):
have a foothold within your organization.
There may be other things it tries to leverage, but if some
of those pieces have been firmed up and you now don't have to
worry about them as much, system hardening can go a long ways to
protecting your company. Detection and response.
Now we talk about SIEM tools.
Now these are security information event management
(14:50):
tools, or otherwise known as SIEM.
Now, SIEM tools can range in various forms.
You can see them as ArcSight, there's Azure Sentinel, there's
XOR from Palo Alto, there's numerous companies, Splunk.
They all have a various SIEM capability.
Now these are designed to have a centralized, or they call a
(15:10):
single pane of glass, as it relates to security tools,
providing centralized view of their security activity.
This allows all this stuff to be aggregated into one location.
Then from there, you can then set up a triage like tier one,
two or three to be able to triage these different incidents
as they come into your organization, and
(15:31):
this deals with identifying, containing, eradicating and then
recovering from various security incidents within your
company.
Now do you have to have a SIEM for your company?
No, you do not.
You can outsource that to a third party.
You also can get SIEMs that are much smaller in size and scope.
They're not as large as what you would anticipate you would
see in a large enterprise.
(15:52):
So there's lots of different things that you can do when it
comes to a SIEM.
So a big factor we get into is abstraction.
Now the CISSP book talks about what is abstraction?
How does this work?
Well, abstraction hides the internal workings of a system
from users, the applications, from exposing them to
unnecessary or from necessary functionality.
(16:12):
So it's basically hiding it off to keep it from people from
seeing it, so that it abstracts it, removes it from view.
Now, this simplifies the interaction with your users and
it reduces the risk of inadvertently causing potential
security issues.
Right?
So what it comes right down to is like a more simplistic
version of this is if you think about your driving, your vehicle,
(16:34):
you do not need to understand how the more complex aspects of
your vehicle work.
So, as an example, I have a truck and this truck has a
diesel motor and this diesel motor has two fuel systems or
two cooling systems, one for the transmission, one for the
engine.
If I didn't know that I wouldn't really care, right, all
(16:55):
I care about is the fact that the truck runs.
Now, it's important to know these things if you're trying to
maintain it.
But in reality, you don't need to know the inner workings of
your vehicle, you just need to know that it runs.
So that's what part about abstraction is, is removing that
from people's view, so they don't need to worry about it.
Now, some of the protection mechanisms that are available in
(17:16):
this space is you have operating systems.
Obviously, these operating systems operate with limited
privileges to restrict your users from modifying critical
systems or critical data that's on this system, right?
An example of that would be RAM.
Right?
You have RAM that's available and that the system does all of
this for you so that you don't physically have to be modifying
(17:38):
it.
So virtual memory, all of those pieces are operating within the
operating system, abstracted from your view.
Networking is another example where TCP/IP will hide the
underlying network technology and it will then do the internal
routing of applications, allowing them to communicate
without the detailed knowledge of what your overall network
(18:01):
infrastructure looks like.
That being said, if you are in security, you need to understand
the networking concepts around this and why they are important,
but you may not have to know, especially as a user, how does
all of this work within your company. Databases.
These are views of virtual tables that expose the subset of
data from the underlying database tables, restricting
(18:24):
users from accessing all database type elements.
So, again, you have the database in place.
You don't need people going in and knowing all the different
fields that are tied to that database, all the records that
are tied to that database.
You just want them to be able to access that database and
therefore, that information is abstracted from your view.
Another one is APIs.
(18:44):
APIs work really great and they're awesome for your
organization.
One thing to think about as it relates to APIs, though, they are
probably one of the most potentially abused pieces of
technology within your company, and those are areas where we
talk about configuring and knowing how they work.
You, as a security professional, need to understand how do the
(19:04):
APIs connect into your environment, how do they leave
from your environment, but how they would potentially, as an
individual user, connect.
That would be abstracted away.
How does an API work?
Does it go into a gateway?
The data comes in, is it authenticated?
Those are the pieces that you want to abstract away from the
user so that they don't have to dig into it and understand it.
Now, one thing I've seen this be a little bit problematic is
(19:27):
when you have a citizen-type developer creating APIs of their
own.
That can then create some potential challenges for you.
But again, it's important for you to understand these concepts
for the CISSP one, so that when you implement them within your
organization, you understand the concept, and two, also to help
you pass the test the first time.
Oh, speaking of which, I had one individual just pinged me
(19:49):
just recently that I've been listening to the podcast for a
while and the podcast and the blueprint have been extremely
helpful to him, and he was able to get past the CISSP the first
time.
So sorry, I get these on a daily basis, but it just came to
my mind when he made that comment.
In my email he says he passed the first time, so he did that.
Anyway, sorry to digress, all right.
(20:10):
So data hiding, what exactly is that?
So this is where it conceals the existence or the contents of
the data within the system, so you're hiding it, you're moving
it away so that people cannot even see it as it relates to
sensitive information and it's designed to protect that
sensitive information or prevent unauthorized access of this
information as well, because, again, if it's found, it could
(20:33):
be a huge factor, right.
Now, one of these things that would help, that is, you get
individuals who will try to hide data within pictures as an
example, and this is what they call steganography.
This is where you're embedding data within another file.
Pictures is an example.
It's happened with that.
I've seen that personally, where you'll get a file, a
picture that should say, let's say, it's like two meg in size
(20:57):
and for some reason it's 35 meg.
That doesn't make a whole lot of sense.
Or if it should be two meg and that all that picture is always
two meg and now it is 2.8 meg.
Now that would be one that would be really hard to find,
but it is possible and I've seen people do it.
And again, they're hiding data within another file itself.
(21:17):
There's access controls.
Again, those are you wanna have these in place to help limit
what people have access to, such as read, write and execute.
Those are access controls you'll typically see within a
firewall, but that doesn't mean they can't be used in
applications as well, and all it is is just allowing what people
have the ability to read, what people have the ability to write
(21:37):
and also to execute any sort of program that they may have.
And then our last one is obfuscation.
Again, this is where you alter the data representing to make it
harder to understand without the appropriate key or
decryption method.
Now, this could be tokenization will replace, like such as
credit card numbers as an example.
You'll get systems that will, instead of, let's say, you
(22:00):
process a lot of sensitive data, such as credit card numbers or
social security numbers.
They will use a tokenization or anonymization type technology
which will then replace that credit card number.
So, let's say, credit card one through nine and it will replace
it with XYZ 345678.
But there is the underlying technology behind the scenes
(22:22):
that will know that XYZ 73578, whatever that number was, I said
is credit card number one through nine, and that is
obfuscation.
Right, that's a tokenization will help hide that information
and it then obfuscates it from people's field of view.
Another area is encryption.
Now, encryption is we talk about this, the different types
(22:44):
of encryption.
I'm not gonna get into that detail because that's not really
for this podcast right now, at this moment, but there's
different types of encryption that's available to you.
You have symmetric and asymmetric encryption.
Now, each of those will be determined different aspects
around what you're trying to do as relates to protecting the
document and the data itself, but understand that each of
(23:06):
those has the ability to add another layer of protection
against people trying to gain access to it.
So, between the fact of that I know I have a laptop and on this
laptop it is encrypted with BitLocker and I now lose my
laptop or it is stolen, I now have the ability to one,
(23:26):
potentially depend on the software that's in place to
remote wipe it.
Two, I know that it's encrypted, so them being able to get
access to it is extremely limited, and so, therefore, all
of those different types of protection mechanisms can be a
laying on feature, an additional concept.
Okay, so let's just kind of roll this back a little bit and
(23:48):
talk about what we just, or recap what we talked about here.
Defense in depth is an important part of what we do, and, as a
security professional, you need to always be thinking about how
do I ensure that I protect this data in a way that allows it to
be.
The defense in depth aspects are maintained.
So, like we talked about, do you have the ability of
(24:10):
encrypting the data?
Do you have the ability of adding other protections such as
IPS or IDS?
Do you have the ability to put in role-based access controls?
All of those things have to be layered on top of that and then
you have the abstraction piece.
Are you hiding the system's complexity and the functionality
for user simplicity and for security?
(24:30):
Are there ways that you can abstract this information from
the user?
Does the user need to have the ability to modify, have
administrative rights to be able to modify things within that
system?
If you can remove that or abstract that from their field
of view, then you now potentially reduce some of your
risk as well.
Do you have data hiding, where you're concealing data in its
(24:51):
existence to prevent unauthorized access?
Do they need to know that that data even exists?
And then, do you have encryption in place to ensure
confidentiality, both that they can gain access, but then also
that unauthorized users cannot gain access to this data?
So again, it's a really important dance you're going to
be doing, but understanding how you do that isn't a big factor
(25:12):
in this overall concept.
So the thing you need to consider when you're dealing
with all of these implementations, and these big
three things come back time and time again. Complexity.
You need to ensure that you have a complex system that's in
place, that you have.
Each mechanism adds a complexity to it, so therefore
they can cause you one a lot more concern with.
(25:34):
If they break, then potentially what could they
release to the user?
As an example, we used to hit servers from the external side
and if you sent a certain command to a server, it
would give back an error.
Right, like a 404 error, but a little bit different.
505.
I can't remember the 505 error, but it gives you a specific
error.
And that error will then tell you what kind of server it is,
(25:56):
what is the patch that's running on it currently.
It'll give you information.
So the more complex you make these systems, then what ends up
happening is it does potentially have the ability to
cause you problems in the future.
And again, you've got to find the right balance between
security and manageability, because the more complexity you
make products or make systems, the better chance one
(26:19):
it's going to break, but at the same time, you have to make it
complex enough so that it's just not open to everybody.
Another thing is we talk about a lot in security is the
performance aspects.
So every time you add security to a system, it's going to cause
some level of performance hit.
I'm working on a project right now that deals with decryption.
One of the points that's come up is how much of a performance
(26:41):
hit is that going to affect the company that is trying to
implement this?
And so anytime you add any level of security, it's going to
have some level of performance challenges that you're going to
have to run through.
Usability again, the user experience is very important,
and overcomplicating this with complex security challenges can
(27:02):
make it very challenging for the individual, and so because of
that, then they will look for ways to try to get around your
security controls, which we don't want them to do, right.
We want to avoid that at all costs.
We want to make it as secure as we possibly can but at the same
time, allow the user to be able to do their daily job, because
(27:22):
then if you make it too painful, then you get fired because they
find somebody better that will allow them to do that.
It's a vicious cycle, I know it is. Okay.
One area we wanna get into is a thing called secure defaults,
and this is in 3.1.3.
And this is an area that the CISSP book talks about.
So we're just gonna kind of just pull on this a little bit
and dig into it just a little bit deeper, go just a few more
(27:44):
minutes into this.
So what it does is it helps align around the security of the
systems, but it has a secure default in place.
What exactly does that mean?
Well, it basically comes up and sets up the example of you have
an apartment and you have this apartment that you live in or
this flat that you live in.
It comes by default.
(28:04):
The doors are equipped with deadbolts and security
chains, which basically means you chain, you put over the door.
That is the default setup for the home.
Depending upon that could be an apartment or a flat.
Whatever, they have locks on the doors.
They don't come without locks.
They have a lock.
Well, that is a default security mechanism that is in
(28:26):
place.
Well, when you're implementing this, you want to ensure that.
How do you set up secure defaults within your
organization? A reason
I say this because most people will bring, especially in the
past.
You'd bring a software and you'd unpackage it, right. Like a
YouTube video.
You'd pull back the cellophane,unpackage it and say, hey, look
what I have.
But instead you do that and youstart running it.
(28:47):
The problem is is, in manycases, this software is not set
up to be secure from thebeginning.
It's opened in a or it's set upin an open mode.
Why?
Because they know that peopleare going to take it out of the
box, their shiny new toy, andthey're going to want to run it.
And when they run it, theydon't want things to break.
So you, as a securityprofessional, need to help your
(29:08):
teams understand how to set up a, basically a default security
mechanism when it the momentthat it comes out of the box.
Now it may not be where you getit from Microsoft and you it's
right away, it's secure.
But your security team shouldthen tweak it and modify it so
that now, as it gets deployed toyour individuals within your
organization, it is securityconfigured the way it's supposed
(29:31):
to be out of the box as far asthey are concerned.
And so what are some things youcan do, and real quickly.
We're going to get into strongpasswords, right, that can be
something that can be set up asa configuration, as a default.
Having that set up where youcan't allow, like an eight
character password or less, withjust ones and zeros.
Disabling unnecessary services,right.
(29:51):
Setting up automatic security updates, these are examples of secure defaults.
Now, applications again.
You might want to set up where in the application you have file sharing options that are automatically configured within the application.
You may want to turn those off.
You may want to turn on encryption.
Maybe the application has it, but they didn't configure it
(30:12):
that way.
When it came home to you, when you got it as a nice little present under your Christmas tree, it didn't have encryption.
So now you turn encryption on.
Again, you want to test all these aspects because typically when you don't test them, they break things, and even when you do test them they break things.
But you'll want to test these different applications within your organization.
(30:33):
Network devices again, some pre-configure would deny all rules by default.
Well, okay, that would be bad, right, that would cause all kinds of challenges.
But this would only allow authorized traffic.
Well, you may have to make some changes so that it has a look beyond basically deny all.
So just things you're going to have to work through and then
(30:55):
ensure your security tools are in place with your SIEM and your IDS and IPS.
Again, they're pre-configured with basic security rules.
You will have to go in and tweak them to make them set up as a default to be configured for security.
So what are some of the challenges when it comes into this?
Vendor flexibility, again, vendors sometimes do not offer a
(31:16):
lot of flexibility in this area and the reason is because they don't want support calls.
They want to be able to give you your shiny little toy.
You then go play with your toy and everybody's happy the moment that they allow you to make changes to it.
That deals with higher support calls that they're going to have to field to understand what's going on.
(31:37):
So just keep that in mind.
Usability concerns.
So when you set this up, it takes special people to be able to configure these systems right and to make changes to them.
Well, you may not have the right people to help you with that, so therefore, it may be something that you have to outsource to a contractor to help you.
So you have to help understand the balance between usability
(32:00):
and security.
But another piece around usability is the individual users themselves.
Do they have the ability to actually have access to the system without it causing them lots of drama?
So usability concerns are another challenge.
And then legacy systems.
Implementing secure defaults on older systems can be extremely difficult, if not near impossible, because they just
(32:22):
can't do it.
I've worked on systems from back in the 70s and early 80s and you know what, they don't have defaults that you can really change.
The passwords are six characters, if they even have a password.
So it's understanding.
Legacy systems can be a challenge in this space.
So what are some best practices?
We finish this up and tie it all up and put a bow on it.
(32:43):
Is you want to document your secure defaults.
So you want to specifically define what are the secure defaults you have set in place.
One thing to consider is minimum security expectations or minimum security standards.
If you set that for your organization and then you document that, that gives people something to come back to to understand.
Okay, this is what the basic security product should look
(33:06):
like.
You should also regularly review and update the security best practices to ensure your defaults have been reviewed and updated.
Right, you want to go over that.
It's like doing assessments.
You want to have yearly assessments that are completed.
You want to finalize that and then automate the configuration management.
You want to leverage tools for configuration management to automate this process as much as possible.
(33:27):
You do not want to be the person that is going out and manually hand jamming each of these configuration changes within your organization.
One, you're going to goof it up and two, you don't have the time for that.
So you want to have some way of automating this entire process to help you with your security in your company.
Okay, all right, so that is it we have for today and our
(33:50):
podcast on domain 3.1.3 and 3.1.4.
But just want to let you know, go to CISSP Cyber Training.
There's some great content out there.
All the videos are out there as well.
This video will be there and you can check it out.
You want my blueprint? Sign up for that.
There's going to be some changes.
I've been saying that but it's been pretty busy lately.
(34:10):
My wife's business has just been kicking my tail a little bit.
But there will be some changes as it relates to my software and the training, not necessarily the software, but the training program itself.
That's going to allow for greater access and more ability, because you know what, it's important that you all get the ability to learn your CISSP and to gain the access you need to
(34:30):
be successful in your cybersecurity career.
We need more people like you doing security.
We do.
We definitely do so.
Something to keep in mind, I have great people that are sending me feedback.
You can go to that contact at CISSP Cyber Training and send me any feedback that you have.
I get lots of emails that come in of people that are interested
(34:54):
in getting their CISSP, that have been in business or have been in the IT space for many years.
It's important that, as you see that, like we talked about in the article today, as a CISO, you need to make sure you have a good plan in place for getting your security stuff and document it well.
But you can do this.
You really can, and there's no question in my mind that you can get all the goals you want for your CISSP.
(35:14):
All right.
So head on over to CISSP Cyber Training and check it out.
Sign up for my 360 free questions.
It's easy peasy, lemon squeezy.
All right, have a great day and.