April 7, 2025 • 43 mins
Digital signatures are coming to AI models as cybersecurity evolves to meet emerging threats. Google's collaboration with NVIDIA and HiddenLayer demonstrates how traditional security controls must adapt to protect machine learning systems vulnerable to new forms of tampering and exploitation. This essential evolution mirrors the broader need for robust security validation across all systems.
Security control testing forms the foundation of effective cybersecurity governance. Without proper validation, organizations operate on blind faith that their protections actually work. In this deep dive into Domain 6.2 of the CISSP, Sean Gerber breaks down the critical differences between assessments, testing, and audits while exploring practical approaches to vulnerability scanning, penetration testing, and log analysis.
Vulnerability assessments serve as your first line of defense by systematically identifying weaknesses across networks, hosts, applications, and wireless infrastructure. The Common Vulnerability Scoring System helps prioritize remediation efforts, but understanding your architecture remains crucial - a low-scoring vulnerability in a critical system might pose more risk than a high-scoring one in an isolated environment. Meanwhile, penetration testing takes validation further by simulating real-world attacks through carefully structured phases from reconnaissance to exploitation.
As organizations increasingly embrace APIs, ML models, and complex software architectures, security testing must evolve beyond traditional boundaries. Code reviews, interface testing, and compliance checks ensure that security is built into systems from the ground up rather than bolted on afterward. The shift toward "security left" integration aims to catch vulnerabilities earlier in the development lifecycle, reducing both costs and risks.
Ready to master security control testing and prepare for your CISSP certification? Visit CISSPCyberTraining.com to access comprehensive study materials and a step-by-step blueprint designed to help you understand not just the exam content, but the practical application of cybersecurity principles in real-world scenarios.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training andtools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber andI'm your host for this
action-packed, informativepodcast.
Join me each week as I providethe information you need to pass
the CISSP exam and grow yourcybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go cybersecurityknowledge.
Speaker 2 (00:27):
All right, let's get started.
Good morning everybody.
It's Sean Gerber with CISSP,cyber Trading, and hope you all
are having a beautifully blessedday today.
Today is Monday.
Yes, we're excited about Mondaybecause why?
Well, spring is quickly upon usand, yes, we're coming out of
the frozen tundra that we've hadthis past winter.
So, yeah, I'm very excitedabout that.
But more than that, we aregoing to be talking about domain
6.2, which is we're conductingsecurity control testing for the
(00:51):
CISSP.
So this again, isc squaredCISSP.
Now, before we get into that, Iwanted to just quick article
that I saw in the news and thisis related to Google.
I know, as we've talked aboutin the past, I've kind of get a
little bit deeper into AI and MLas it relates to what I do on
the consulting side of the houseand just kind of wanted to get
to really understand it a bitbetter.
And as it comes down tosecurity right, one of the big
(01:14):
factors we have to consideraround ML and AI is how is that
going to be impacted with thechanges?
Because we're seeing thischange over and over and I was
reading an article just kind ofprepping for today that
Microsoft is pretty much allbought in on AI and ML as the
future of the company is.
The company just turned 50, Iguess this week or last week
sometime.
You know it's getting older,right?
(01:35):
I remember when Microsoft firstcame out and that just shows
how old I am.
But the point of it is is thatit's changing its paradigm and
it's hanging its hat on the AIand ML revolution.
Now, in this article that cameout from Google, it's basically
Google's open source securityteam, their GOS team.
They're working with NVIDIA andalso HiddenLayer under their
(01:57):
overall foundation and the goalis to create better security
related to AI and ML.
And so this is an importantfactor for you all, as you guys
are studying for your CISSP andyou become security
professionals.
Ai and ML if Microsoft is goingall in, you're seeing it in
Google you all are going to haveto know it in some sense and
you're going to have to know adeeper level of it than just
(02:18):
kind of hey, it's out there andI just kind of understand it.
So the article is really cool.
It talks about how theevolution of the LLMs are moving
around and how they're growing,and that there is a big concern
related to the tampering ofthese models, right.
So these models that are outthere, that have got all this
information in them and they'rereally concerned about them
(02:38):
being exploited, especiallyrelated to the supply chain, the
processes, the unspectableweights and then also the times
and the arbitrary code thatmight be injected upon them, and
you know, there's a lot ofdifferent things that can happen
to an ML.
You have data poisoning.
You have Trump not Trump, no,not Trump.
You have prompt injection,prompt leaking and prompt
(02:59):
evasion.
Those are just things, just afew of the things that can
happen in the ML supply chain,and so it's an important part
for you to understand how do wedeal with this.
Well, their focus is going to bearound digital signature.
This article, specifically, isaround digital signatures and
adding them to the overall ML AIenvironment.
The goal of this, obviously, wetalked about in CISSP, cyber
(03:22):
Training for many years now isthat digital signatures are an
important part.
It's a cryptographic functionthat helps just put that
signature, that that key, to saythat this data is legit, this
data is solid, and when thosekeys get compromised, obviously
that can cause all kinds ofpandemonium and chaos.
But the goal, though, is isthat they are going to have some
(03:43):
level of signature based intothese AI ML products.
So you know the actualinformation that you're getting
and it helps you avoid that.
You know if something's beentampered with at all,
specifically with a model, ifthere's any new code been added
to it or any possible issuesthat may run with that.
Now they've created a modelsigning library and this is
(04:05):
specifically set up to handlelarge-scale ML models.
So, as we know, in many caseswe're starting small but as this
overall capability grows largerand larger over time, these
models are going to be extremelybig and they already are large,
right, but they're going to geteven bigger as time goes on.
So it supports signing modelsthat are represented in
directory trees, obviously, andthen it provides command-line
(04:25):
utilities for signing andverifying your model signatures
as well.
So it's a really good articleabout how these signatures can
potentially be added to your MLenvironment.
It walks you through.
The article does around thedifferent types of injection
aspects.
There's a white paper they haveon AI supply chain integrity.
All of those things are in here.
It's a really good article.
(04:46):
It kind of goes from fruit tonuts and everything that you
could possibly see as it relatesto dealing with digital
signatures and the AI MLenvironment.
So I highly recommend you goread it.
Again, it's on Google securityblog.
The name of it is Taming theWild West of ML Practical Model
Signing with Sigstore.
Again, this is something that Ithink is really important for
(05:08):
you all to kind of startunderstanding and getting a good
grasp of how this works withinyour environments.
Okay so let's get started aboutwhat we're going to talk about
today.
Okay, so we're going to betalking about domain six,
conducting security controltesting, and again, this is all
tied back to the CISSP, the ISCsquared manual.
If you go to CISSP CyberTraining, you can get access to
(05:28):
all this content that's outthere.
You get access to my freecontent as well, as you can get
access to all of the videos, allof the audio, everything that
I've put together related to theISC squared CISSP, and you can
get access to my blueprint.
My blueprint is amazing, andI'm not just saying that because
I made it, I'm just kind ofsort of, but no, it's actually
going to step you through, stepby step by step, what you need
(05:49):
to do to study for the CISSP andhelp you get prepared for it.
It's going to give youeverything you need to know day
one, day two, day three, dayfour.
And it's going to help you withthat overall process, because,
just going out and I gotoverwhelmed with the CISSP
because it was just so muchcontent, and then trying to
understand it all, I go throughand I give you a step-by-step
process by even the videos, thecontent, the books, everything
(06:12):
is all there laid out for youspecifically so you can go to
CISSP Cyber Training, purchaseone of the products that I have
and that will give it to youimmediately, so you won't even
have to wait for it.
All right, so let's get intowhat we're going to talk about.
So again, domain 6.2.
One of the things around thisis that we're of 6.2 is to
validate the security controlsthat are correctly implemented
when you're functioning andfunctioning as you planned on.
(06:34):
And again this kind of comesback to the, the article we
talked about with the before wecame into the old training is
it's imperative that you havethese security controls in place
.
You also understand how you'regoing to validate the overall
security, if it's throughdigital signatures or other form
or method, and this helps toensure that your system is
secure, compliant and resilientto emerging threats, and I think
(06:56):
that's one of the biggestfactors people need to
understand as security goes on.
It's about resiliency, and I'mtalking with some clients and
they get the whole securitypiece and they've done it for
years.
They got it.
The part that they're missingin some cases is the resilience
behind.
It is that in today's world,it's incredibly challenging to
(07:16):
try to operate when a piece ofransomware that gets put into
your environment can basicallydisrupt your operations and
cause you millions and millionsof dollars on a daily, if not
minute-by-minute basis,depending upon what kind of
business you are operating in.
All right, so when we're dealingwith security control testing,
there's different types ofsecurity testing.
We have security assessments,security testing, security
(07:39):
audits.
Now, these are some varioustypes that are out there.
Your assessments are typicallya high level evaluation
determine whether your policiesand everything else your
controls you have in place arealready there and they meet your
company's risk toleranceprofile.
So I did personal assessments.
I bring in third parties tohelp me do assessments, but they
are just a high levelevaluation.
Hey, is the stuff there that'ssupposed to be there?
(08:01):
Security testing is when you doa technical assessment, specific
on specific controls.
You may bring in a pen tester,you may bring in just a maybe
even just a third party, butthey are looking at specific
security controls through atechnical means and they're
going to determine if that issufficient for your organization
.
And I look at authentication,encryption, access enforcement.
All of those pieces are part ofthe overall security testing
(08:24):
mantra.
And then security audits.
These are formal reviewsperformed by maybe your second
and third line defense if you'rein the I should say, third line
defense, if you're in a bankingindustry, and they are there to
help you understand.
Is that set up specifically toprotect your organization?
Are you in compliance withinternal and external
regulations and standards?
(08:45):
Are you meeting those?
So again, this is a big deal,right, and a lot of companies,
especially smaller companies,don't necessarily have some of
the bandwidth to do all this,but they should consider.
If you don't have the ability tobring in auditors I mean, say
you're not a highly regulatedenvironment, you don't need
auditors per se you should byall means be doing an assessment
(09:05):
and testing of your environmentBecause of the simple fact is
that at any point in time,especially if you're doing
government contracts, you can beaudited and you don't want to
be in a situation where anauditor comes in and says you
got to shut down because you'renot doing these right things.
So assessments and testing at aminimum are really important,
especially if you do not havesome sort of formal auditing
(09:28):
procedures in place or auditorthat has to come visit you guys.
So one of the things aboutvulnerability assessments this
is a systematic process toidentify and categorize
weaknesses in systems ornetworks before they're
exploited.
It's understanding what's goingon in your environment before
you have a problem.
Right Now.
These can be done in differentways.
You have network-based, whereyou're basically looking for any
(09:49):
sort of open ports, weakprotocols across the network
perimeter or internal segments,and that is something that
should be done on a routinebasis monthly, if not more
sooner than that.
And that's you're looking forany sort of issues that you may
have within your organization.
Host-based this is where you'relooking at the device itself
(10:10):
your mobile devices, yourlaptops, your servers, your
desktops if those even existanymore, all of those pieces you
need to make sure that you aredoing configuration, software,
patch, status, all is beingupdated and managed.
And then you have yourapplication base.
This is where you're testingany application that is tied
into your organization.
This.
You're looking for flaws suchas sql injection, cross-site
(10:32):
scripting, insecure apis.
All of that is based on thevulnerabilities that you may
find within your network.
So you have your network based,host based, application based
and then, if you have time andif you have the, or maybe
depending on if you have a largewireless environment, wireless
assessments, and I will say inmany cases these get put to the
back burner and they probablyshouldn't be, because a lot of
(10:56):
shadow it occurs because ofwireless that's out there.
I've personally had it manytimes where I've had remote
facilities.
People would bring in hotspotsand use them and this evaluates
the wireless footprint for rogueaccess points, weak encryption
and then potentially any sort ofbroadcast leaks that are out
there.
So you have network hostapplication wireless.
(11:16):
Okay, those are some of the keyfactors that are occurring.
Now some common tools.
I'll kind of get into some ofthose, but there's you have
Nessus, openus, openvas.
You have some other ones thatare out there available now when
you're dealing withvulnerabilities.
These are commonly tied to yourcommon vulnerability scoring
system was your cvss, and thisis the principal character of
the vulnerability right and theyhave a range.
It goes from 0 to 10, 10 beingthe most secure, and they
(11:39):
produce a standardized numericalscore based on the severity of
the overall risk.
If you have a CVSS score of 9.8, that's bad.
If you have one of 2.3, that'snot too much to worry about.
Now, granted, everyvulnerability is something that
could lead to something else.
So a 2.8 could lead to a 9.9 ora 10.
(12:00):
But in reality you have toweigh.
There's so many vulnerabilitiesthat can occur within an
organization.
You have to weigh which onesare you going to fix and which
ones are you going to go after.
And most people do awhack-a-mole where they go after
the CVSS of 10 or nines.
But in reality you just have toreally understand the
architecture of your environmentto know could that lower risk
(12:23):
lead to a much higher one in thefuture?
Vulnerability scans these areautomated valuation systems.
They basically are looking forthe applications, different
types of connectivity in yourenvironment, and then you set
those, like we mentioned, on aroutine basis.
You can set them on monthly,you can set them on weekly.
It just really comes down towhat your company wants to do.
You've got network discovery,network vulnerabilities, web
(12:45):
applications and databasevulnerabilities.
All of those can be set upspecifically based within your
organization.
Again, the application may be adatabase one your web
application may be, you know.
Figure out if it's externallyfacing or if it's internally
facing.
That will also determineunderstanding your architecture.
What kind of effort do you putinto it.
If you have a criticalapplication that has high
(13:06):
vulnerabilities on it, that'sexternally facing, that's
sitting out in your DMZ, thatwould be a much bigger problem
than if it's sitting inside yournetwork and everybody sees it
but it's still behind your outerlayers of protection within
your organization.
Now a network discovery scan.
Now these are different typesof activities that will occur
(13:26):
with this.
But again, you're looking foropen systems and ports.
I will say most companies, a lotof companies, have very little
knowledge around their networkassets and the reason is is
people will stand them upwithout them really even having
a true understanding of what'sbeing stood up.
So many companies do notunderstand this.
Now, the ones that have onehighly regulated or have high
(13:48):
financial risks associated, theyhave taken a much more
aggressive approach to this.
But if they don't have thoseaspects where they obviously, if
they go down, they will losemoney, but if they don't have a
regulatory requirement forcingthem to have some of this
information, money, but if theydon't have a regulatory
requirement forcing them to havesome of this information.
A lot of times it is.
It's not sexy, nobody wants todo it.
So what do they do?
They move on to the next thing.
(14:08):
And bad guys and girls knowthis and they, because of that,
they target these systemsensuring that they can get a
long-term foothold within yourenvironment.
Now there's various types ofscanning options available.
You got tcp sin scanning.
You got connect scanning.
You got ax scanning and you gotCONNECT scanning.
You got AXE scanning and yougot Christmas scanning, which I
like because it just everythinglights up like a Christmas tree.
But you have different types ofscanning options that you have.
(14:29):
If you're going to be doingscanning within your environment
, highly recommend you one youunderstand the IP addresses that
you're scanning.
Do not, if you do not knowthose, do not just go out and
start kicking the scanner on tounderstand that what a scanner
can do to your network and howit can affect it.
And then three make sure peopleare aware that you are actually
(14:50):
doing this, because it cancause all kinds of pandemonium
and chaos and people can gowe're being hacked and you're
actually doing it to yourselfand people freak out.
So you got to make sure thatyour everything your t's are
crossed and your i's are dottedbefore you do start doing any
sort of scanning options.
Now, web vulnerability scanningthis scans for vulnerable web
applications on the Internet.
It's usually the first linethat is attacked, right,
(15:10):
everything that's out therethat's facing everybody is
usually the first thing peoplego after.
This can provide a lot of data.
We would usually go after thesesystems.
Lot of data, we would usuallygo after these systems, and just
because they weren't vulnerable, I could get a lot of
information from just sendingqueries to these different
systems and getting informationback.
(15:31):
They are, in many ways, thekeys to enter into your business
.
That's the front, first line ofdefense, and if you for some
reason don't have a way in fromthese external facing ones, they
can create a huge reputationaldamage to your organization if
they're hacked, defaced, shutdown.
Especially, a lot of thirdparties will use these
externally facing applications.
(15:52):
This is where data is comingand going.
If you go and you hack them andthen all of a sudden you
realize that it was a serverthat your third party agreements
would go back and forth with,then you now could have a big
reputational hit and it couldhave some sort of financial
impact to you as well.
So you need to truly understandyour environment, and this is
where a good security architectunderstands architecture and
(16:13):
what is set up within theirnetwork.
You develop processes forscanning sites this is lab
production and then you considerfalse positives that you can
and do occur during this entirescanning process.
There's a link to the OWASPscanning tool list, but bottom
line is that your vulnerabilityscanning web scanning is an
important part of any sort oforganization, whether you have a
(16:34):
web presence or not.
A lot of times, if anorganization says I don't have a
web presence, but they actuallydo and they don't realize it,
those are the really dangerousones, because now there's no
visibility into what's actuallyoccurring in their network.
Database scanning again.
This is typically where it willcontain some of the most
sensitive data to yourorganization.
So this is again applicationscanning, knowing the
(16:55):
application that you're workingwith.
It's usually internal mostdatabases are and then it's tied
to many different types of webapplications.
Now, as everything is moving toa software-as-a-service type
platform, you now have a lot ofthis information is out in the
cloud.
So you really truly need tounderstand what you need to do
within your company and how doesthis work?
(17:18):
Now, some different toolsavailable.
We've got Nessus, openvos andQualys.
Nessus is a highly usedvulnerability scanner.
It does look for a lot ofdifferent misconfigurations.
I've used it.
It works really well.
It is expensive, it's not cheap, but it does look for missing
patches, vulnerabilities andacross a wide range of different
systems.
You have your OpenVASvulnerability scanner.
It's basically designed to lookfor basic and advanced
(17:39):
vulnerability detection.
And then you have Qualys andit's more of a paid product and
it does the same type of thing.
Both all of them have donereally well.
I've used most of them.
I've used Qualys and Nessuspersonally and they do work well
.
The key thing is again you getall this information.
It's great, but if you don'thave a way to disseminate it, it
can be extremely overwhelming.
Now there's some different typesof security testing techniques.
(18:00):
You have pen testing, and wetalked about this briefly
earlier.
But what is a pen test, right?
Well, this is a controlledexploitation of a system's
vulnerabilities and typicallyit's used to target one or two
small areas.
You don't pen test your entirenetwork.
You focus on an area that yougo after.
You have black box, white boxand gray box testing.
Your black box basicallysimulates an external attacker
(18:24):
with no internal knowledge ofthe organization.
They just come in.
They're like Korea coming intrying to get as much
information as they possibly can.
Your white box testing thiswill simulate an internal threat
actor with full access todocumentation and source code.
And then your gray box.
This combines elements of bothto simulate and semi-formal
insider risk threat.
So the ultimate goal, though,is that you have these different
(18:47):
types of testing capabilitiesset up within your organization.
Now the different types oftesting phases.
You have your for a pen test.
You have your planning, whichis basically, as you begin, what
are you going to do?
What is the scope or the rulesof engagement?
Then you're going to do yourreconnaissance.
This is gathering intelligenceusing passive and active methods
, and that's where you're tryingto get as much information as
you possibly can to help youmake your attack successful.
(19:10):
If you don't do a good job inreconnaissance, you can come
across like a person walkinginto a room with a pot and pan
and a pair of wooden spoons andjust banging on stuff.
People will see you coming.
So reconnaissance is animportant part of what you're
trying to gather for all thisinformation, and then scanning
and enumeration.
This will identify live hosts,services, potential entry points
(19:30):
.
All of this will be donethrough your scanning and
enumeration pieces, and thenexploitation was where you
actively leverage discoverablevulnerabilities to gain
unauthorized access to anorganization.
This is where you exploit it.
You've got to be careful withexploitation, though, because
when you do it again, you couldvery quickly become the person
with the pot and pan and thewooden spoon banging on the pots
(19:52):
and pans.
Post-exploitation this is whereyou assess the impact, maintain
access and then you exfiltrateany sort of simulated data that
you want.
Again, this is where you have areally good conversation with
who you're working with.
You never I repeat, never bringout data out of an organization
that, if you have notcommunicated with somebody on
(20:12):
what that is, in many cases youwill pre-position data.
So that way, at the end of thisengagement, when you're just
getting ready to do thesimulated data shipment out,
this is your own data that youhad pre-positioned there.
That just to show hey, if Iship this data out, what would
happen to your system?
Can you see me moving the dataout?
I highly recommend that younever, never, never use customer
(20:34):
data when you're simulatingdata exfiltration.
Don't do it.
Just don't Avoid that at allcosts, because of the fact is
it's then, once the data leaves,it opens up a whole can of
worms one whether or not thedata was important or not
doesn't matter, it's the factthat it's company data, so don't
ever do that.
Post exploitation this is whereyou assess the impact, maintain
(20:54):
access and exfiltrate we talkedabout that and then reporting
you provided actionable insightsand what they can do to protect
themselves and how to fix it.
So there's's a lot of differentthings you can do, especially
when it relates to pen testing.
Now, some of the penetrationtools you can use it's
Metasploit, burp Suite, KaliLinux and then Cobalt Strike.
You've seen Cobalt Strike andMetasploit be used both by the
(21:15):
good guys and by the not so goodguys and girls.
The Metasploit framework I usedthat One of the buddies that I
was started in hacking with wasone of the key people that stood
up metasploit at the time andit was one of the three or four
that actually did it, and itsimulates real world attacks, it
tests defenses and it doesperform post-exploitation
(21:35):
strikes.
Now the cobalt strike you'veheard been used a lot in one for
red team as user, but also itbeing used by the bad guys using
it for their purposes as well.
So there's a lot of differenttools that you can use.
Again, we talk about with yodause your powers for good, not
evil.
Actually, I don't know if yodaactually quoted that, but I use
it.
So use your powers for good,not for evil.
(21:56):
It's an important part of thesecurity testing plan.
Now, log reviews.
What is the purpose of logreviews?
Well, these are like the mostboring thing on the planet and
nobody likes to do them.
So I would highly recommend, ifyou can come up with an AIML
plan around log reviews, which Iknow a lot of security
companies are doing.
It's an important factor and Ithink it would make you a lot of
(22:17):
money.
The reason I say that is isbecause log reviews are a very
important part of looking anddetecting any suspicious
activity, which includes policyviolations, operational
anomalies you name it right.
But you need an automatedformat to be able to do this,
because it's extremely tediousand it's painful and if you're
doing it manually, oh mygoodness, it is no fun.
(22:39):
And as a human, what do I do?
I make mistakes and there's ahigh likelihood that I will look
over something, because youreyes just basically roll in the
back of your head.
You don't see anything after awhile.
They all look the same.
Firewall logs and all thesedifferent types of logs can be
extremely painful.
That's also why you have SIMs,right?
Sims will help you with thatand they will help aggregate
(23:00):
some of that data for you.
But at the end of the day, logreviews are an important part of
what you do and these wouldinclude from firewalls,
operating systems, your IPSs,idss, databases, authentication
servers all that stuff createslogs, depending upon the
organization you're in and theregulatory requirements you have
.
Some logs you may have to keepfor quite an extended period of
(23:21):
time.
Some logs you may not.
Organizations that are not asregularly regulatory-ly that's a
bad one, that's probably noteven a word, but they're ones
that don't have that requirement.
They will keep logs for aperiod of time, mainly to deal
with if they can look forsomething.
But because log retention ondata is so expensive, because
it's so much data, you have tokeep it.
(23:43):
A lot of people just don't keepit for very long.
They'll keep it for maybe sevendays, maybe two weeks.
Some critical applications theymay keep it up to three months.
It just depends.
But log data is something youreally have to have a good
strategy and then implement thatstrategy on your plan.
So some best practices aroundthis is using a centralized sim,
obviously, to correlate andanalyze your events, ensure your
(24:03):
logs are time synced with yournetwork time protocols to
maintain that they have theaccuracy they need, and thenure
your logs are time synced withyour network time protocols to
maintain that they have theaccuracy they need and then
review your logs for any failedlogin attempts and so forth.
But again, you're going to Irecommend some sort of
automation behind this.
But the logs you want togenerate a report to give you an
idea of what has actuallyoccurred within your company.
Now, when you're dealing withlogs, you want to have there's
(24:26):
automated or manual processesthat to help store or to store
the off logs, the logs thatyou're not using anymore.
Now, logging policies they canbe pushed through your GPO and
your Windows Group PolicyObjects can help you with that.
So that's the GPO.
It's just basically thedifferent automation that sets
up to pull those logs and putthem into locations automation
(24:48):
that sets up to pull those logsand put them into locations.
Again, we talked about havingnetwork time protocols and then
also you need to evaluate andlook for any alerting mechanisms
that you may have.
So now some dealing withsynthetic transactions.
What is a synthetic transaction?
Now, this is an automated orscripted activity that simulates
typical user activity within anapplication or service.
I did this a lot with my webdevelopers.
We would have a simulator thatwould then have people go
(25:15):
through the different clicksthat they would do.
How does it work?
What are the areas that causesbreaks?
It's a similar kind of concept,but it's used to proactively
monitor performance,availability and any SLAs
service levels agreements thatyou may have in this situation.
So, as an example, monitoring ashopping cart checkout process
every five minutes to ensurethat the system is reliable, to
ensure that it's working right.
It's doing what it's supposedto be doing.
(25:36):
They also have this occurs nowon the flip side, where they
monitor your shopping cart tosee if you haven't moved in a
little while of going hey, didyou forget about your cart?
Your cart's still stuff outthere in your cart.
You want it, you can buy it.
It's there waiting for you andyou're like, oh yeah, I forgot
Click.
And then you're like why did Ibuy that?
So that's the advanced text,the synthetic transactions Code
(25:58):
review and testing.
So you have static code analysis.
This is where it scans the codefor vulnerabilities without
executing on it, looking forflaws such as insecure APIs or
buffer overflows.
This is where it's justscanning the code, looking for
any issues in the code.
Specifically, you have dynamiccode analysis.
This is where it executes thecode in a test environment.
Usually, this test environmentis within your CICD pipeline and
(26:21):
it will then look for anyissues as it's running this code
.
Now it's not actuallyphysically running the code
outside of this test environment, but it's inside the
environment and it's looking forissues in memory.
It's looking for any raceconditions you know.
Basically, it's trying to takeoff and run.
Any of those aspects is lookingwithin the dynamic code
analysis.
You have a manual code review.
This is where humans will takea look at it, and this is in the
(26:43):
past has been an important partof all sort of software
development in their entire lifecycle.
The goal is to get as muchautomation as you possibly can.
I would have eyes on the codewhen and if I had specific areas
that I felt that I was takingcustomer data that could have a
high regulatory requirement orit could cause some sort of
(27:05):
legal issue with me requirementor it could cause some sort of
legal issue with me, then Iwould have my do a manual code
review specifically on thosepieces of code that were tied to
those aspects.
Again, you're looking forapplication logic and security
critical functions for any flawsthat may be missed during the
automation process.
So again, you got to determinewhether or not that's something
(27:26):
you want to deal with or not.
Some of the tools obviously forthis is you got SonarCube,
fortify, vericode, appscan fromIBM.
All of those are available toyou.
There's different types thatyou have.
I've used Fortify and AppScan abit.
It's not one of those that I'veused a lot and so I would
highly recommend you do anevaluation for you and your
(27:46):
organization based on yourspecific needs.
But again, those are all piecesthat you want to have part of
your CICD pipeline Misuse casetesting.
This is where it tests tosimulate attacker's behavior by
focusing on how the system couldbe intentionally misused.
So what could I put in?
You have a line of code thatgoes into your text box and
(28:09):
you're going to add potentiallysome sort of JavaScript to that
text box, to that line, and thenyou're going to see what
happens if I do that, if I do,it's that and I'm just drawing a
blank.
But it's basically a linemismatch where you're putting
code into that want to see whatcomes out and what does it burp
out at you?
Does it run?
Does it just doesn't know whatto do?
(28:33):
So it basically gives you upall kinds of stuff or does it
just go invalid?
Invalid, uh, and that's thepart where you're gonna.
That can happen with misusecase testing.
Um, it does help you define,identify design flaws, privilege
, escalation opportunities orlogic abuse.
That is not considered asnormal use casting, use case
testing, um, any sort of any waythat you're having a log on
credentials great place.
So, again, if you havelimitations on where you can
test, again, there's so manyplaces you can test in this
(28:55):
environment.
If you have places that arelimited on where you can do,
focus on the areas that wouldcreate the most damage to your
organization.
One is credential input output.
If you're having sort ofdatabase queries, any area that
would potentially returnsensitive information, give out
sensitive information, allowaccess to your organization or
(29:19):
query data or put data insomething that could potentially
deal with the confidentialityand more or less the integrity
of the data itself Test coverageanalysis.
The goal of this, though, is howmuch of the code base or system
functionality is actuallycovered by the testing efforts,
so you're trying to determinewhether or not all the logical
paths and statements have beentested.
You're kind of trying to figureout where is this code covered,
(29:42):
from zero to hero.
Is it all there?
Are there any securityrequirements that have been
given to you through theagreements that you may have,
that have to have some sort ofcorresponding test with them as
well?
So you need to look at where'sthe code, is it all covered?
Or, two, is there anyrequirements that I specifically
have to cover because of thissituation?
And the ultimate goal of thisis to help identify any blind
(30:04):
spots in the testing that couldpotentially harbor undetected
vulnerabilities.
And, again, you have todetermine if you have a large
testing shop, if you have a verylarge coding shop, how will all
of these things work togetherand it's important that you have
a good, strong SDLC plan andhow you're going to deal with
all the code in your environment.
The next one is interfacetesting.
(30:25):
This is where you validatesecure and reliable
communications betweencomponents such as APIs, user
faces and then, obviously,back-end servers.
That's where you're looking at.
Between the two interfaces.
How are they communicating?
I'll beat this drum again, overand over again Interface
testing with APIs is a crucialfactor and it's really that way.
(30:45):
You need to set this up at thebeginning because you're going
to be having, in many cases, apiconnections with third parties.
You are transferring, in a lotof ways, sensitive data between
these two parties.
You need to have a strong APIpolicy and a security plan when
dealing with APIs, because APIsare so easy to connect and so
easy to integrate within yourorganization that they real
(31:07):
quickly can go from having agood control of something to
having little to no control.
You need to verify validationand session controls and error
handling of these interfaces.
You need to make sure there'sno security controls or no
security credentials that areinside these interfaces.
Apis is a really good exampleof this, where folks are
actually sharing storedcredentials between APIs.
(31:29):
So again, you need to test forinsecure exposure to this data
that's going through there and,again, highly recommend that you
talk to somebody within yourarchitecture team and make sure
you have this pretty muchbuttoned up.
So some of the tools are Postman, soapui and Fiddler.
Again, these are differenttypes of ways to help you track
and deal with the differenttypes of aspects.
(31:49):
Postman, I know there's anotherone that I use and I can't
think of it.
I'm drawing a blank on it, butthis one here is used for
RESTful APIs, looking forsecurity headers and input
validation pieces to it SOAP UI,rest APIs, and it's supporting
regression and functionaltesting.
And then there's, obviouslyFiddler that deals with HTTP and
(32:14):
HTTPS.
So, again, go check them out,see which ones work best for you
and your company.
So you have breach attacksimulations.
This is where there's acontinuous and automated testing
to look at your defenses,acting like a real world
emulation.
So it's like a pen test on anautomated factor.
So it's Hal is acting as thepen tester and they're bashing
on the front door of yourbuilding, of your network, and
(32:35):
it simulates malware, phishing,lateral movements, data
exfiltration activities.
All of those pieces are allbuilt into this BAS and again,
it is a automated piece ofequipment or software that will
do this for you.
It is a automated piece ofequipment or software that will
do this for you.
It evaluates effectiveness anddetection response capabilities
in real time.
And so you put the BAS, you letit run and then it's evaluating
how do your people respond toits activities.
(32:58):
I've never used one, to behonest I might be a little bit
old in this regard of sayingit's a bit scary of letting
something like this runautomated on your network.
It's a bit scary of lettingsomething like this run
automated on your network.
I say you do this maybepotentially in a simulated
environment where maybe you havea section that's off network
that you're practicing on this,just to get your SOC teams up to
speed on how to respond.
(33:19):
I would say putting it on yourproduction network would be, in
my mind, to be a bit risky, butI've never used it, so maybe it
works like a champ and it willnever ever give you any problems
.
Again, I kind of lean towards.
I like to accept some risk insome cases, but in other cases
I'm very risk averse and puttinganything on my business network
(33:39):
that I don't have a true handleon it makes me very risk averse
, because I've seen thingshappen where it causes so much
chaos and pandemonium that theyears of building up trust
within your organization can beexploded and destroyed within
seconds putting something likethis out there.
So just something to consider.
So some different tools AttackIQ, safebreach and Simulate.
(34:02):
These are all different typesof BAS tools.
Attackiq is focused on theMITRE ATT&CK framework, safe
Breach is proactively validatesorganization's defense and
looking for gaps.
And then BAS, like simulate, isacross your email gateways, web
gateways and then obviouslylooking for any sort of lateral
movement within your environment.
Again, if you've used it, thatis awesome.
(34:23):
I'd love to hear from you allif there's someone that's used
it and really liked it or hadsome issues with it, because
I've never actually used itmyself.
Now, compliance checks.
What is this?
This is where you are verifyingthat your organization is
relevant with the securitypolicies, frameworks and the
regulations, so you may have anew policy that you put in place
.
How does this compliance check?
Are you following your passwordpolicies?
(34:45):
Do you put a framework in thatyou're utilizing?
I will use an example of in thefinancial industry.
It's CRI, which is your CyberSecurity Risk Institute, has
their own framework.
It's tied to NIST.
Are you following that?
Are you following CRI?
Are you following NIST?
Does your company comply withthat?
And then, are there anyregulations that you need to be
worried about?
This is related to GDPR,chinese cyber law, nydfs,
(35:09):
whatever that might be.
Are you following thosecompliance aspects around it.
So you have different types.
You have a system check systemconfiguration, which looks at
the CIAS benchmarks and yourSTIGs that are out there and
it's making sure, hey, are youmeeting those baselines.
Then there's a regulatorycompliance aspects which is
looking for, like we mentionedearlier, pci, dss, hipaa, gdpr
(35:32):
and so forth.
A lot of the tools that you canuse will have some level of a
compliance add-on.
You can see the tools withNessus and OpenScap.
I don't know how to say thatother than that's what it is and
I've seen in both Nessus wehave a compliance module that
you can use and then it willhelp you determine are you
meeting some of the requirementsaround that?
Again, it's designed to helpguide you in this very
(35:56):
convoluted and confusing manner.
In some respects, it supportsaudit readiness and reduces the
risk of regulatory penalties,because that you're doing it Now
.
Reporting and remediationthere's a reporting remediation
aspects.
You need to interpret thevarious test results you get and
then how do you report these topeople?
How do you let them know whatyou're going to do?
Now?
(36:17):
This is a risk-basedprioritization.
I highly recommend that youunderstand the risk profile for
your organization.
If you don't know what they arerisk averse to and they are
risk acceptance to.
You need to really trulyunderstand that, because any
sort of result that you giveback to them needs to be tied to
risk to your company.
If you have a company thatdoesn't have any external facing
(36:37):
stuff and your risk comes backand it comes back and says
you're good, well, they're goingto go, oh, see, we're good,
we're awesome.
You say, well, yeah, we onlyhave one server and that one
server is patched and we don'tdo anything with it and it
doesn't touch the inside.
So you're giving some sort ofreporting of going, hey, we're
awesome, well, yeah, you'reawesome, but you really don't
have any that much risk.
If you have a full webenvironment and you're JP Morgan
(37:02):
and you have all kinds of stuffthat's shared back and forth
Bank of America, yeah, yourexternal web facing is much
bigger risk than it would be ifyou were a manufacturing company
.
So you got to understand thoseresults and make sure that
people understand the risk thatthey're actually seeing.
So you need to categorize theissues as low, medium and high
are critical to streamline theremediation planning.
You need to collaborate withdevelopment and IT teams to
implement patches, reconfiguresystems and then deploy
(37:24):
compensated controls, documenttimelines, owners and
verification steps for eachaction.
And then you need to have somesort of technical reports and
executive summaries as well onall of these factors.
So it's an important part ofwhat you do is to provide this
reporting and remediation piece.
Now there'll be securityreporting.
You have technical reports andyou have executive summaries.
So when you're dealing withthese different types of reports
(37:45):
, again, understand youraudience.
Knowing who your audience is isan important part on any of
these reports.
You don't want to be givingsomething extremely technical to
the CEO and expect he or she isactually going to understand
what the heck you're talkingabout.
So you need to understand youraudience before you provide
these executive summaries andthen make the information
valuable.
(38:05):
Don't just hit, mash a buttonand say, oh look, there's my
report, it means nothing.
You need to be able to filterthrough that information, if
anything, if you give the report, have a summary at the
beginning of saying this is whatyou need to be worried about or
concerned about, or this iswhat the good spot that we're in
.
Again, you have to be involved.
Don't just mash a button andsay the report is done.
(38:26):
You have to have engagementwith that Continuous testing
approach.
This is where you integrate theautomated security tests into
your CICD pipelines to ensurethat they're detecting them
early in the developmentlifecycle and then that you can
one make those changes ahead oftime.
Now, depending upon how you aredoing your development if it's
waterfall, agile, whatever thatmight be spiral, you need to
(38:48):
then build that into youroverall development lifecycle.
That way, shift left security.
This will help catch flawsbefore they enter production.
I hear this term used a lot andwhat it really just comes down
to is you detect it before ithits production and that you can
then get those things in placebefore the things that the
security aspects that hitproduction are limited and
(39:09):
minimized.
So you're just shifting thesecurity piece, because in the
past it used to be you develop,develop, develop, develop.
You have this product, then youput security on it and they go.
Oh well, there's issues.
Now I've got to go back to thedevelopment piece.
This is where building securityat the beginning moving it left
is an important part in thesecurity of your overall
organization.
And then security testinglifecycle.
(39:29):
This is applying securitytesting at all stages of the
development.
This includes the design,development and post-development
stages, includes threatmodeling, static code analysis
and use of static and dynamiccode analysis, early detection
like again moving it left, andthen at the end conducting pen
tests, reviews and compliancescans to validate the production
(39:51):
and readiness of your overallplan.
So, again, there's a securitytesting piece that goes with
that.
It's an important part and Ithink it's in domain eight.
We get into the various levelsof SDLC, but it's an important
piece that you do, that youunderstand for your organization
, especially when you'reintegrating security into your
company.
Again, we've talked about thisstuff over and over again, but,
(40:12):
as you're studying for the CISSP, these are things that the
CISSP is trying to inherentlyput into you through the
questions that it asks, tryingto have you think through these
different topics.
And that's why it's importantthat, as a CISSP, you have so
many years of experience,because their goal is that
you've been exposed to many ofthese different pieces.
That is why this podcast is, inreal honesty, it's very
(40:35):
valuable, because you're gettingexposure from folks that have
had this kind of experience foryears and years and years, and
now, when you go take the CISSP,you get an understanding of
their thought process with thequestions that are being asked
to you.
Okay, that is all I have foryou today at CISSP Cyber
Training.
Hope you guys are enjoying it.
Going out to CISSP CyberTraining, check out the content
(40:56):
that's out there.
I got some really good freestuff for you.
Also have some paid stuff aswell.
Again, it does not cost muchfor the bronze tier that I have
to study for the CISSP.
If you're serious about gettingthe CISSP, look at my bronze
tier.
It is relatively inexpensive.
It gives you everything youneed to be successful and pass
the test.
Again, you've got to study it.
It's not going to be automatic,but if you're willing to put
(41:17):
the work in to study for theCISSP and think about it, just
think about this for a secondthe amount that it costs for the
CISSP bronze package right nowRight now I'm running it for
very inexpensive.
I think it's like a hundreddollars for the bronze package.
If you go in at the bronzepackage at a hundred dollars and
you figure out how many hoursyou're going to spend on
studying for the CISSP over aperiod of time, it's pennies,
(41:39):
pennies on the dollar thatyou're spending to help you get
you to step up on the CISSP exam.
Don't short circuit this.
It isn't just about getting acertification.
It's about understanding thecontent so that when you go for
the interview and they ask youquestions, you can actually
answer the questions andunderstand what the heck they're
saying.
Again, this isn't about gettinga certification.
It isn't about somebody outthere online saying, hey, you
(42:00):
can make six figures in threemonths by being in cybersecurity
.
That's BS.
I'm sorry, that is bull.
You can't just go do that.
You've got to understand thecontent.
That's in here for you to besuccessful.
But if you understand thecontent, you understand the
background.
You then can be communitativelyunderstanding when you're
talking to somebody about whatyou're trying to accomplish.
So an important part go to CISSPCyber Training.
(42:22):
Check out the bronze package.
I guarantee you it is amazing.
It'll give you what you need tohelp you pass the CISSP.
If you need any consulting work, go on out to
reducecyberriskcom and check outmy website.
I'm working with a companycalled NextPeak and others as we
provide consulting services tothe masses.
Okay, I hope you have a greatday and we will catch you all on
(42:43):
the flip side, see ya.
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training andtools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber andI'm your host for this
action-packed, informativepodcast.
Join me each week as I providethe information you need to pass
the CISSP exam and grow yourcybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go cybersecurityknowledge.
Speaker 2 (00:27):
All right, let's get started.
Good morning everybody.
It's Sean Gerber with CISSP,cyber Trading, and hope you all
are having a beautifully blessedday today.
Today is Monday.
Yes, we're excited about Mondaybecause why?
Well, spring is quickly upon usand, yes, we're coming out of
the frozen tundra that we've hadthis past winter.
So, yeah, I'm very excitedabout that.
But more than that, we aregoing to be talking about domain
6.2, which is we're conductingsecurity control testing for the
(00:51):
CISSP.
So this again, isc squaredCISSP.
Now, before we get into that, Iwanted to just quick article
that I saw in the news and thisis related to Google.
I know, as we've talked aboutin the past, I've kind of get a
little bit deeper into AI and MLas it relates to what I do on
the consulting side of the houseand just kind of wanted to get
to really understand it a bitbetter.
And as it comes down tosecurity right, one of the big
(01:14):
factors we have to consideraround ML and AI is how is that
going to be impacted with thechanges?
Because we're seeing thischange over and over and I was
reading an article just kind ofprepping for today that
Microsoft is pretty much allbought in on AI and ML as the
future of the company is.
The company just turned 50, Iguess this week or last week
sometime.
You know it's getting older,right?
(01:35):
I remember when Microsoft firstcame out and that just shows
how old I am.
But the point of it is is thatit's changing its paradigm and
it's hanging its hat on the AIand ML revolution.
Now, in this article that cameout from Google, it's basically
Google's open source securityteam, their GOS team.
They're working with NVIDIA andalso HiddenLayer under their
(01:57):
overall foundation and the goalis to create better security
related to AI and ML.
And so this is an importantfactor for you all, as you guys
are studying for your CISSP andyou become security
professionals.
Ai and ML if Microsoft is goingall in, you're seeing it in
Google you all are going to haveto know it in some sense and
you're going to have to know adeeper level of it than just
(02:18):
kind of hey, it's out there andI just kind of understand it.
So the article is really cool.
It talks about how theevolution of the LLMs are moving
around and how they're growing,and that there is a big concern
related to the tampering ofthese models, right.
So these models that are outthere, that have got all this
information in them and they'rereally concerned about them
(02:38):
being exploited, especiallyrelated to the supply chain, the
processes, the unspectableweights and then also the times
and the arbitrary code thatmight be injected upon them, and
you know, there's a lot ofdifferent things that can happen
to an ML.
You have data poisoning.
You have Trump not Trump, no,not Trump.
You have prompt injection,prompt leaking and prompt
(02:59):
evasion.
Those are just things, just afew of the things that can
happen in the ML supply chain,and so it's an important part
for you to understand how do wedeal with this.
Well, their focus is going to bearound digital signature.
This article, specifically, isaround digital signatures and
adding them to the overall ML AIenvironment.
The goal of this, obviously, wetalked about in CISSP, cyber
(03:22):
Training for many years now isthat digital signatures are an
important part.
It's a cryptographic functionthat helps just put that
signature, that that key, to saythat this data is legit, this
data is solid, and when thosekeys get compromised, obviously
that can cause all kinds ofpandemonium and chaos.
But the goal, though, is isthat they are going to have some
(03:43):
level of signature based intothese AI ML products.
So you know the actualinformation that you're getting
and it helps you avoid that.
You know if something's beentampered with at all,
specifically with a model, ifthere's any new code been added
to it or any possible issuesthat may run with that.
Now they've created a modelsigning library and this is
(04:05):
specifically set up to handlelarge-scale ML models.
So, as we know, in many caseswe're starting small but as this
overall capability grows largerand larger over time, these
models are going to be extremelybig and they already are large,
right, but they're going to geteven bigger as time goes on.
So it supports signing modelsthat are represented in
directory trees, obviously, andthen it provides command-line
(04:25):
utilities for signing andverifying your model signatures
as well.
So it's a really good articleabout how these signatures can
potentially be added to your MLenvironment.
It walks you through.
The article does around thedifferent types of injection
aspects.
There's a white paper they haveon AI supply chain integrity.
All of those things are in here.
It's a really good article.
(04:46):
It kind of goes from fruit tonuts and everything that you
could possibly see as it relatesto dealing with digital
signatures and the AI MLenvironment.
So I highly recommend you goread it.
Again, it's on Google securityblog.
The name of it is Taming theWild West of ML Practical Model
Signing with Sigstore.
Again, this is something that Ithink is really important for
(05:08):
you all to kind of startunderstanding and getting a good
grasp of how this works withinyour environments.
Okay so let's get started aboutwhat we're going to talk about
today.
Okay, so we're going to betalking about domain six,
conducting security controltesting, and again, this is all
tied back to the CISSP, the ISCsquared manual.
If you go to CISSP CyberTraining, you can get access to
(05:28):
all this content that's outthere.
You get access to my freecontent as well, as you can get
access to all of the videos, allof the audio, everything that
I've put together related to theISC squared CISSP, and you can
get access to my blueprint.
My blueprint is amazing, andI'm not just saying that because
I made it, I'm just kind ofsort of, but no, it's actually
going to step you through, stepby step by step, what you need
(05:49):
to do to study for the CISSP andhelp you get prepared for it.
It's going to give youeverything you need to know day
one, day two, day three, dayfour.
And it's going to help you withthat overall process, because,
just going out and I gotoverwhelmed with the CISSP
because it was just so muchcontent, and then trying to
understand it all, I go throughand I give you a step-by-step
process by even the videos, thecontent, the books, everything
(06:12):
is all there laid out for youspecifically so you can go to
CISSP Cyber Training, purchaseone of the products that I have
and that will give it to youimmediately, so you won't even
have to wait for it.
All right, so let's get intowhat we're going to talk about.
So again, domain 6.2.
One of the things around thisis that we're of 6.2 is to
validate the security controlsthat are correctly implemented
when you're functioning andfunctioning as you planned on.
(06:34):
And again this kind of comesback to the, the article we
talked about with the before wecame into the old training is
it's imperative that you havethese security controls in place
.
You also understand how you'regoing to validate the overall
security, if it's throughdigital signatures or other form
or method, and this helps toensure that your system is
secure, compliant and resilientto emerging threats, and I think
(06:56):
that's one of the biggestfactors people need to
understand as security goes on.
It's about resiliency, and I'mtalking with some clients and
they get the whole securitypiece and they've done it for
years.
They got it.
The part that they're missingin some cases is the resilience
behind.
It is that in today's world,it's incredibly challenging to
(07:16):
try to operate when a piece ofransomware that gets put into
your environment can basicallydisrupt your operations and
cause you millions and millionsof dollars on a daily, if not
minute-by-minute basis,depending upon what kind of
business you are operating in.
All right, so when we're dealingwith security control testing,
there's different types ofsecurity testing.
We have security assessments,security testing, security
(07:39):
audits.
Now, these are some varioustypes that are out there.
Your assessments are typicallya high level evaluation
determine whether your policiesand everything else your
controls you have in place arealready there and they meet your
company's risk toleranceprofile.
So I did personal assessments.
I bring in third parties tohelp me do assessments, but they
are just a high levelevaluation.
Hey, is the stuff there that'ssupposed to be there?
(08:01):
Security testing is when you doa technical assessment, specific
on specific controls.
You may bring in a pen tester,you may bring in just a maybe
even just a third party, butthey are looking at specific
security controls through atechnical means and they're
going to determine if that issufficient for your organization
.
And I look at authentication,encryption, access enforcement.
All of those pieces are part ofthe overall security testing
(08:24):
mantra.
And then security audits.
These are formal reviewsperformed by maybe your second
and third line defense if you'rein the I should say, third line
defense, if you're in a bankingindustry, and they are there to
help you understand.
Is that set up specifically toprotect your organization?
Are you in compliance withinternal and external
regulations and standards?
(08:45):
Are you meeting those?
So again, this is a big deal,right, and a lot of companies,
especially smaller companies,don't necessarily have some of
the bandwidth to do all this,but they should consider.
If you don't have the ability tobring in auditors I mean, say
you're not a highly regulatedenvironment, you don't need
auditors per se you should byall means be doing an assessment
(09:05):
and testing of your environmentBecause of the simple fact is
that at any point in time,especially if you're doing
government contracts, you can beaudited and you don't want to
be in a situation where anauditor comes in and says you
got to shut down because you'renot doing these right things.
So assessments and testing at aminimum are really important,
especially if you do not havesome sort of formal auditing
(09:28):
procedures in place or auditorthat has to come visit you guys.
So one of the things aboutvulnerability assessments this
is a systematic process toidentify and categorize
weaknesses in systems ornetworks before they're
exploited.
It's understanding what's goingon in your environment before
you have a problem.
Right Now.
These can be done in differentways.
You have network-based, whereyou're basically looking for any
(09:49):
sort of open ports, weakprotocols across the network
perimeter or internal segments,and that is something that
should be done on a routinebasis monthly, if not more
sooner than that.
And that's you're looking forany sort of issues that you may
have within your organization.
Host-based this is where you'relooking at the device itself
(10:10):
your mobile devices, yourlaptops, your servers, your
desktops if those even existanymore, all of those pieces you
need to make sure that you aredoing configuration, software,
patch, status, all is beingupdated and managed.
And then you have yourapplication base.
This is where you're testingany application that is tied
into your organization.
This.
You're looking for flaws suchas sql injection, cross-site
(10:32):
scripting, insecure apis.
All of that is based on thevulnerabilities that you may
find within your network.
So you have your network based,host based, application based
and then, if you have time andif you have the, or maybe
depending on if you have a largewireless environment, wireless
assessments, and I will say inmany cases these get put to the
back burner and they probablyshouldn't be, because a lot of
(10:56):
shadow it occurs because ofwireless that's out there.
I've personally had it manytimes where I've had remote
facilities.
People would bring in hotspotsand use them and this evaluates
the wireless footprint for rogueaccess points, weak encryption
and then potentially any sort ofbroadcast leaks that are out
there.
So you have network hostapplication wireless.
(11:16):
Okay, those are some of the keyfactors that are occurring.
Now some common tools.
I'll kind of get into some ofthose, but there's you have
Nessus, openus, openvas.
You have some other ones thatare out there available now when
you're dealing withvulnerabilities.
These are commonly tied to yourcommon vulnerability scoring
system was your cvss, and thisis the principal character of
the vulnerability right and theyhave a range.
It goes from 0 to 10, 10 beingthe most secure, and they
(11:39):
produce a standardized numericalscore based on the severity of
the overall risk.
If you have a CVSS score of 9.8, that's bad.
If you have one of 2.3, that'snot too much to worry about.
Now, granted, everyvulnerability is something that
could lead to something else.
So a 2.8 could lead to a 9.9 ora 10.
(12:00):
But in reality you have toweigh.
There's so many vulnerabilitiesthat can occur within an
organization.
You have to weigh which onesare you going to fix and which
ones are you going to go after.
And most people do awhack-a-mole where they go after
the CVSS of 10 or nines.
But in reality you just have toreally understand the
architecture of your environmentto know could that lower risk
(12:23):
lead to a much higher one in thefuture?
Vulnerability scans these areautomated valuation systems.
They basically are looking forthe applications, different
types of connectivity in yourenvironment, and then you set
those, like we mentioned, on aroutine basis.
You can set them on monthly,you can set them on weekly.
It just really comes down towhat your company wants to do.
You've got network discovery,network vulnerabilities, web
(12:45):
applications and databasevulnerabilities.
All of those can be set upspecifically based within your
organization.
Again, the application may be adatabase one your web
application may be, you know.
Figure out if it's externallyfacing or if it's internally
facing.
That will also determineunderstanding your architecture.
What kind of effort do you putinto it.
If you have a criticalapplication that has high
(13:06):
vulnerabilities on it, that'sexternally facing, that's
sitting out in your DMZ, thatwould be a much bigger problem
than if it's sitting inside yournetwork and everybody sees it
but it's still behind your outerlayers of protection within
your organization.
Now a network discovery scan.
Now these are different typesof activities that will occur
(13:26):
with this.
But again, you're looking foropen systems and ports.
I will say most companies, a lotof companies, have very little
knowledge around their networkassets and the reason is is
people will stand them upwithout them really even having
a true understanding of what'sbeing stood up.
So many companies do notunderstand this.
Now, the ones that have onehighly regulated or have high
(13:48):
financial risks associated, theyhave taken a much more
aggressive approach to this.
But if they don't have thoseaspects where they obviously, if
they go down, they will losemoney, but if they don't have a
regulatory requirement forcingthem to have some of this
information, money, but if theydon't have a regulatory
requirement forcing them to havesome of this information.
A lot of times it is.
It's not sexy, nobody wants todo it.
So what do they do?
They move on to the next thing.
(14:08):
And bad guys and girls knowthis and they, because of that,
they target these systemsensuring that they can get a
long-term foothold within yourenvironment.
Now there's various types ofscanning options available.
You got tcp sin scanning.
You got connect scanning.
You got ax scanning and you gotCONNECT scanning.
You got AXE scanning and yougot Christmas scanning, which I
like because it just everythinglights up like a Christmas tree.
But you have different types ofscanning options that you have.
(14:29):
If you're going to be doingscanning within your environment
, highly recommend you one youunderstand the IP addresses that
you're scanning.
Do not, if you do not knowthose, do not just go out and
start kicking the scanner on tounderstand that what a scanner
can do to your network and howit can affect it.
And then three make sure peopleare aware that you are actually
(14:50):
doing this, because it cancause all kinds of pandemonium
and chaos and people can gowe're being hacked and you're
actually doing it to yourselfand people freak out.
So you got to make sure thatyour everything your t's are
crossed and your i's are dottedbefore you do start doing any
sort of scanning options.
Now, web vulnerability scanningthis scans for vulnerable web
applications on the Internet.
It's usually the first linethat is attacked, right,
(15:10):
everything that's out therethat's facing everybody is
usually the first thing peoplego after.
This can provide a lot of data.
We would usually go after thesesystems.
Lot of data, we would usuallygo after these systems, and just
because they weren't vulnerable, I could get a lot of
information from just sendingqueries to these different
systems and getting informationback.
(15:31):
They are, in many ways, thekeys to enter into your business
.
That's the front, first line ofdefense, and if you for some
reason don't have a way in fromthese external facing ones, they
can create a huge reputationaldamage to your organization if
they're hacked, defaced, shutdown.
Especially, a lot of thirdparties will use these
externally facing applications.
(15:52):
This is where data is comingand going.
If you go and you hack them andthen all of a sudden you
realize that it was a serverthat your third party agreements
would go back and forth with,then you now could have a big
reputational hit and it couldhave some sort of financial
impact to you as well.
So you need to truly understandyour environment, and this is
where a good security architectunderstands architecture and
(16:13):
what is set up within theirnetwork.
You develop processes forscanning sites this is lab
production and then you considerfalse positives that you can
and do occur during this entirescanning process.
There's a link to the OWASPscanning tool list, but bottom
line is that your vulnerabilityscanning web scanning is an
important part of any sort oforganization, whether you have a
(16:34):
web presence or not.
A lot of times, if anorganization says I don't have a
web presence, but they actuallydo and they don't realize it,
those are the really dangerousones, because now there's no
visibility into what's actuallyoccurring in their network.
Database scanning again.
This is typically where it willcontain some of the most
sensitive data to yourorganization.
So this is again applicationscanning, knowing the
(16:55):
application that you're workingwith.
It's usually internal mostdatabases are and then it's tied
to many different types of webapplications.
Now, as everything is moving toa software-as-a-service type
platform, you now have a lot ofthis information is out in the
cloud.
So you really truly need tounderstand what you need to do
within your company and how doesthis work?
(17:18):
Now, some different toolsavailable.
We've got Nessus, openvos andQualys.
Nessus is a highly usedvulnerability scanner.
It does look for a lot ofdifferent misconfigurations.
I've used it.
It works really well.
It is expensive, it's not cheap, but it does look for missing
patches, vulnerabilities andacross a wide range of different
systems.
You have your OpenVASvulnerability scanner.
It's basically designed to lookfor basic and advanced
(17:39):
vulnerability detection.
And then you have Qualys andit's more of a paid product and
it does the same type of thing.
Both all of them have donereally well.
I've used most of them.
I've used Qualys and Nessuspersonally and they do work well
.
The key thing is again you getall this information.
It's great, but if you don'thave a way to disseminate it, it
can be extremely overwhelming.
Now there's some different typesof security testing techniques.
(18:00):
You have pen testing, and wetalked about this briefly
earlier.
But what is a pen test, right?
Well, this is a controlledexploitation of a system's
vulnerabilities and typicallyit's used to target one or two
small areas.
You don't pen test your entirenetwork.
You focus on an area that yougo after.
You have black box, white boxand gray box testing.
Your black box basicallysimulates an external attacker
(18:24):
with no internal knowledge ofthe organization.
They just come in.
They're like Korea coming intrying to get as much
information as they possibly can.
Your white box testing thiswill simulate an internal threat
actor with full access todocumentation and source code.
And then your gray box.
This combines elements of bothto simulate and semi-formal
insider risk threat.
So the ultimate goal, though,is that you have these different
(18:47):
types of testing capabilitiesset up within your organization.
Now the different types oftesting phases.
You have your for a pen test.
You have your planning, whichis basically, as you begin, what
are you going to do?
What is the scope or the rulesof engagement?
Then you're going to do yourreconnaissance.
This is gathering intelligenceusing passive and active methods
, and that's where you're tryingto get as much information as
you possibly can to help youmake your attack successful.
(19:10):
If you don't do a good job inreconnaissance, you can come
across like a person walkinginto a room with a pot and pan
and a pair of wooden spoons andjust banging on stuff.
People will see you coming.
So reconnaissance is animportant part of what you're
trying to gather for all thisinformation, and then scanning
and enumeration.
This will identify live hosts,services, potential entry points
(19:30):
.
All of this will be donethrough your scanning and
enumeration pieces, and thenexploitation was where you
actively leverage discoverablevulnerabilities to gain
unauthorized access to anorganization.
This is where you exploit it.
You've got to be careful withexploitation, though, because
when you do it again, you couldvery quickly become the person
with the pot and pan and thewooden spoon banging on the pots
(19:52):
and pans.
Post-exploitation this is whereyou assess the impact, maintain
access and then you exfiltrateany sort of simulated data that
you want.
Again, this is where you have areally good conversation with
who you're working with.
You never I repeat, never bringout data out of an organization
that, if you have notcommunicated with somebody on
(20:12):
what that is, in many cases youwill pre-position data.
So that way, at the end of thisengagement, when you're just
getting ready to do thesimulated data shipment out,
this is your own data that youhad pre-positioned there.
That just to show hey, if Iship this data out, what would
happen to your system?
Can you see me moving the dataout?
I highly recommend that younever, never, never use customer
(20:34):
data when you're simulatingdata exfiltration.
Don't do it.
Just don't Avoid that at allcosts, because of the fact is
it's then, once the data leaves,it opens up a whole can of
worms one whether or not thedata was important or not
doesn't matter, it's the factthat it's company data, so don't
ever do that.
Post exploitation this is whereyou assess the impact, maintain
(20:54):
access and exfiltrate we talkedabout that and then reporting
you provided actionable insightsand what they can do to protect
themselves and how to fix it.
So there's's a lot of differentthings you can do, especially
when it relates to pen testing.
Now, some of the penetrationtools you can use it's
Metasploit, burp Suite, KaliLinux and then Cobalt Strike.
You've seen Cobalt Strike andMetasploit be used both by the
(21:15):
good guys and by the not so goodguys and girls.
The Metasploit framework I usedthat One of the buddies that I
was started in hacking with wasone of the key people that stood
up metasploit at the time andit was one of the three or four
that actually did it, and itsimulates real world attacks, it
tests defenses and it doesperform post-exploitation
(21:35):
strikes.
Now the cobalt strike you'veheard been used a lot in one for
red team as user, but also itbeing used by the bad guys using
it for their purposes as well.
So there's a lot of differenttools that you can use.
Again, we talk about with yodause your powers for good, not
evil.
Actually, I don't know if yodaactually quoted that, but I use
it.
So use your powers for good,not for evil.
(21:56):
It's an important part of thesecurity testing plan.
Now, log reviews.
What is the purpose of logreviews?
Well, these are like the mostboring thing on the planet and
nobody likes to do them.
So I would highly recommend, ifyou can come up with an AIML
plan around log reviews, which Iknow a lot of security
companies are doing.
It's an important factor and Ithink it would make you a lot of
(22:17):
money.
The reason I say that is isbecause log reviews are a very
important part of looking anddetecting any suspicious
activity, which includes policyviolations, operational
anomalies you name it right.
But you need an automatedformat to be able to do this,
because it's extremely tediousand it's painful and if you're
doing it manually, oh mygoodness, it is no fun.
(22:39):
And as a human, what do I do?
I make mistakes and there's ahigh likelihood that I will look
over something, because youreyes just basically roll in the
back of your head.
You don't see anything after awhile.
They all look the same.
Firewall logs and all thesedifferent types of logs can be
extremely painful.
That's also why you have SIMs,right?
Sims will help you with thatand they will help aggregate
(23:00):
some of that data for you.
But at the end of the day, logreviews are an important part of
what you do and these wouldinclude from firewalls,
operating systems, your IPSs,idss, databases, authentication
servers all that stuff createslogs, depending upon the
organization you're in and theregulatory requirements you have
.
Some logs you may have to keepfor quite an extended period of
(23:21):
time.
Some logs you may not.
Organizations that are not asregularly regulatory-ly that's a
bad one, that's probably noteven a word, but they're ones
that don't have that requirement.
They will keep logs for aperiod of time, mainly to deal
with if they can look forsomething.
But because log retention ondata is so expensive, because
it's so much data, you have tokeep it.
(23:43):
A lot of people just don't keepit for very long.
They'll keep it for maybe sevendays, maybe two weeks.
Some critical applications theymay keep it up to three months.
It just depends.
But log data is something youreally have to have a good
strategy and then implement thatstrategy on your plan.
So some best practices aroundthis is using a centralized sim,
obviously, to correlate andanalyze your events, ensure your
(24:03):
logs are time synced with yournetwork time protocols to
maintain that they have theaccuracy they need, and thenure
your logs are time synced withyour network time protocols to
maintain that they have theaccuracy they need and then
review your logs for any failedlogin attempts and so forth.
But again, you're going to Irecommend some sort of
automation behind this.
But the logs you want togenerate a report to give you an
idea of what has actuallyoccurred within your company.
Now, when you're dealing withlogs, you want to have there's
(24:26):
automated or manual processesthat to help store or to store
the off logs, the logs thatyou're not using anymore.
Now, logging policies they canbe pushed through your GPO and
your Windows Group PolicyObjects can help you with that.
So that's the GPO.
It's just basically thedifferent automation that sets
up to pull those logs and putthem into locations automation
(24:48):
that sets up to pull those logsand put them into locations.
Again, we talked about havingnetwork time protocols and then
also you need to evaluate andlook for any alerting mechanisms
that you may have.
So now some dealing withsynthetic transactions.
What is a synthetic transaction?
Now, this is an automated orscripted activity that simulates
typical user activity within anapplication or service.
I did this a lot with my webdevelopers.
We would have a simulator thatwould then have people go
(25:15):
through the different clicksthat they would do.
How does it work?
What are the areas that causesbreaks?
It's a similar kind of concept,but it's used to proactively
monitor performance,availability and any SLAs
service levels agreements thatyou may have in this situation.
So, as an example, monitoring ashopping cart checkout process
every five minutes to ensurethat the system is reliable, to
ensure that it's working right.
It's doing what it's supposedto be doing.
(25:36):
They also have this occurs nowon the flip side, where they
monitor your shopping cart tosee if you haven't moved in a
little while of going hey, didyou forget about your cart?
Your cart's still stuff outthere in your cart.
You want it, you can buy it.
It's there waiting for you andyou're like, oh yeah, I forgot
Click.
And then you're like why did Ibuy that?
So that's the advanced text,the synthetic transactions Code
(25:58):
review and testing.
So you have static code analysis.
This is where it scans the codefor vulnerabilities without
executing on it, looking forflaws such as insecure APIs or
buffer overflows.
This is where it's justscanning the code, looking for
any issues in the code.
Specifically, you have dynamiccode analysis.
This is where it executes thecode in a test environment.
Usually, this test environmentis within your CICD pipeline and
(26:21):
it will then look for anyissues as it's running this code
.
Now it's not actuallyphysically running the code
outside of this test environment, but it's inside the
environment and it's looking forissues in memory.
It's looking for any raceconditions you know.
Basically, it's trying to takeoff and run.
Any of those aspects is lookingwithin the dynamic code
analysis.
You have a manual code review.
This is where humans will takea look at it, and this is in the
(26:43):
past has been an important partof all sort of software
development in their entire lifecycle.
The goal is to get as muchautomation as you possibly can.
I would have eyes on the codewhen and if I had specific areas
that I felt that I was takingcustomer data that could have a
high regulatory requirement orit could cause some sort of
(27:05):
legal issue with me requirementor it could cause some sort of
legal issue with me, then Iwould have my do a manual code
review specifically on thosepieces of code that were tied to
those aspects.
Again, you're looking forapplication logic and security
critical functions for any flawsthat may be missed during the
automation process.
So again, you got to determinewhether or not that's something
(27:26):
you want to deal with or not.
Some of the tools obviously forthis is you got SonarCube,
fortify, vericode, appscan fromIBM.
All of those are available toyou.
There's different types thatyou have.
I've used Fortify and AppScan abit.
It's not one of those that I'veused a lot and so I would
highly recommend you do anevaluation for you and your
(27:46):
organization based on yourspecific needs.
But again, those are all piecesthat you want to have part of
your CICD pipeline Misuse casetesting.
This is where it tests tosimulate attacker's behavior by
focusing on how the system couldbe intentionally misused.
So what could I put in?
You have a line of code thatgoes into your text box and
(28:09):
you're going to add potentiallysome sort of JavaScript to that
text box, to that line, and thenyou're going to see what
happens if I do that, if I do,it's that and I'm just drawing a
blank.
But it's basically a linemismatch where you're putting
code into that want to see whatcomes out and what does it burp
out at you?
Does it run?
Does it just doesn't know whatto do?
(28:33):
So it basically gives you upall kinds of stuff or does it
just go invalid?
Invalid, uh, and that's thepart where you're gonna.
That can happen with misusecase testing.
Um, it does help you define,identify design flaws, privilege
, escalation opportunities orlogic abuse.
That is not considered asnormal use casting, use case
testing, um, any sort of any waythat you're having a log on
credentials great place.
So, again, if you havelimitations on where you can
test, again, there's so manyplaces you can test in this
(28:55):
environment.
If you have places that arelimited on where you can do,
focus on the areas that wouldcreate the most damage to your
organization.
One is credential input output.
If you're having sort ofdatabase queries, any area that
would potentially returnsensitive information, give out
sensitive information, allowaccess to your organization or
(29:19):
query data or put data insomething that could potentially
deal with the confidentialityand more or less the integrity
of the data itself Test coverageanalysis.
The goal of this, though, is howmuch of the code base or system
functionality is actuallycovered by the testing efforts,
so you're trying to determinewhether or not all the logical
paths and statements have beentested.
You're kind of trying to figureout where is this code covered,
(29:42):
from zero to hero.
Is it all there?
Are there any securityrequirements that have been
given to you through theagreements that you may have,
that have to have some sort ofcorresponding test with them as
well?
So you need to look at where'sthe code, is it all covered?
Or, two, is there anyrequirements that I specifically
have to cover because of thissituation?
And the ultimate goal of thisis to help identify any blind
(30:04):
spots in the testing that couldpotentially harbor undetected
vulnerabilities.
And, again, you have todetermine if you have a large
testing shop, if you have a verylarge coding shop, how will all
of these things work togetherand it's important that you have
a good, strong SDLC plan andhow you're going to deal with
all the code in your environment.
The next one is interfacetesting.
(30:25):
This is where you validatesecure and reliable
communications betweencomponents such as APIs, user
faces and then, obviously,back-end servers.
That's where you're looking at.
Between the two interfaces.
How are they communicating?
I'll beat this drum again, overand over again Interface
testing with APIs is a crucialfactor and it's really that way.
(30:45):
You need to set this up at thebeginning because you're going
to be having, in many cases, apiconnections with third parties.
You are transferring, in a lotof ways, sensitive data between
these two parties.
You need to have a strong APIpolicy and a security plan when
dealing with APIs, because APIsare so easy to connect and so
easy to integrate within yourorganization that they real
(31:07):
quickly can go from having agood control of something to
having little to no control.
You need to verify validationand session controls and error
handling of these interfaces.
You need to make sure there'sno security controls or no
security credentials that areinside these interfaces.
Apis is a really good exampleof this, where folks are
actually sharing storedcredentials between APIs.
(31:29):
So again, you need to test forinsecure exposure to this data
that's going through there and,again, highly recommend that you
talk to somebody within yourarchitecture team and make sure
you have this pretty muchbuttoned up.
So some of the tools are Postman, soapui and Fiddler.
Again, these are differenttypes of ways to help you track
and deal with the differenttypes of aspects.
(31:49):
Postman, I know there's anotherone that I use and I can't
think of it.
I'm drawing a blank on it, butthis one here is used for
RESTful APIs, looking forsecurity headers and input
validation pieces to it SOAP UI,rest APIs, and it's supporting
regression and functionaltesting.
And then there's, obviouslyFiddler that deals with HTTP and
(32:14):
HTTPS.
So, again, go check them out,see which ones work best for you
and your company.
So you have breach attacksimulations.
This is where there's acontinuous and automated testing
to look at your defenses,acting like a real world
emulation.
So it's like a pen test on anautomated factor.
So it's Hal is acting as thepen tester and they're bashing
on the front door of yourbuilding, of your network, and
(32:35):
it simulates malware, phishing,lateral movements, data
exfiltration activities.
All of those pieces are allbuilt into this BAS and again,
it is a automated piece ofequipment or software that will
do this for you.
It is a automated piece ofequipment or software that will
do this for you.
It evaluates effectiveness anddetection response capabilities
in real time.
And so you put the BAS, you letit run and then it's evaluating
how do your people respond toits activities.
(32:58):
I've never used one, to behonest I might be a little bit
old in this regard of sayingit's a bit scary of letting
something like this runautomated on your network.
It's a bit scary of lettingsomething like this run
automated on your network.
I say you do this maybepotentially in a simulated
environment where maybe you havea section that's off network
that you're practicing on this,just to get your SOC teams up to
speed on how to respond.
(33:19):
I would say putting it on yourproduction network would be, in
my mind, to be a bit risky, butI've never used it, so maybe it
works like a champ and it willnever ever give you any problems
.
Again, I kind of lean towards.
I like to accept some risk insome cases, but in other cases
I'm very risk averse and puttinganything on my business network
(33:39):
that I don't have a true handleon it makes me very risk averse
, because I've seen thingshappen where it causes so much
chaos and pandemonium that theyears of building up trust
within your organization can beexploded and destroyed within
seconds putting something likethis out there.
So just something to consider.
So some different tools AttackIQ, safebreach and Simulate.
(34:02):
These are all different typesof BAS tools.
Attackiq is focused on theMITRE ATT&CK framework, safe
Breach is proactively validatesorganization's defense and
looking for gaps.
And then BAS, like simulate, isacross your email gateways, web
gateways and then obviouslylooking for any sort of lateral
movement within your environment.
Again, if you've used it, thatis awesome.
(34:23):
I'd love to hear from you allif there's someone that's used
it and really liked it or hadsome issues with it, because
I've never actually used itmyself.
Now, compliance checks.
What is this?
This is where you are verifyingthat your organization is
relevant with the securitypolicies, frameworks and the
regulations, so you may have anew policy that you put in place
.
How does this compliance check?
Are you following your passwordpolicies?
(34:45):
Do you put a framework in thatyou're utilizing?
I will use an example of in thefinancial industry.
It's CRI, which is your CyberSecurity Risk Institute, has
their own framework.
It's tied to NIST.
Are you following that?
Are you following CRI?
Are you following NIST?
Does your company comply withthat?
And then, are there anyregulations that you need to be
worried about?
This is related to GDPR,chinese cyber law, nydfs,
(35:09):
whatever that might be.
Are you following thosecompliance aspects around it.
So you have different types.
You have a system check systemconfiguration, which looks at
the CIAS benchmarks and yourSTIGs that are out there and
it's making sure, hey, are youmeeting those baselines.
Then there's a regulatorycompliance aspects which is
looking for, like we mentionedearlier, pci, dss, hipaa, gdpr
(35:32):
and so forth.
A lot of the tools that you canuse will have some level of a
compliance add-on.
You can see the tools withNessus and OpenScap.
I don't know how to say thatother than that's what it is and
I've seen in both Nessus wehave a compliance module that
you can use and then it willhelp you determine are you
meeting some of the requirementsaround that?
Again, it's designed to helpguide you in this very
(35:56):
convoluted and confusing manner.
In some respects, it supportsaudit readiness and reduces the
risk of regulatory penalties,because that you're doing it Now
.
Reporting and remediationthere's a reporting remediation
aspects.
You need to interpret thevarious test results you get and
then how do you report these topeople?
How do you let them know whatyou're going to do?
Now?
(36:17):
This is a risk-basedprioritization.
I highly recommend that youunderstand the risk profile for
your organization.
If you don't know what they arerisk averse to and they are
risk acceptance to.
You need to really trulyunderstand that, because any
sort of result that you giveback to them needs to be tied to
risk to your company.
If you have a company thatdoesn't have any external facing
(36:37):
stuff and your risk comes backand it comes back and says
you're good, well, they're goingto go, oh, see, we're good,
we're awesome.
You say, well, yeah, we onlyhave one server and that one
server is patched and we don'tdo anything with it and it
doesn't touch the inside.
So you're giving some sort ofreporting of going, hey, we're
awesome, well, yeah, you'reawesome, but you really don't
have any that much risk.
If you have a full webenvironment and you're JP Morgan
(37:02):
and you have all kinds of stuffthat's shared back and forth
Bank of America, yeah, yourexternal web facing is much
bigger risk than it would be ifyou were a manufacturing company
.
So you got to understand thoseresults and make sure that
people understand the risk thatthey're actually seeing.
So you need to categorize theissues as low, medium and high
are critical to streamline theremediation planning.
You need to collaborate withdevelopment and IT teams to
implement patches, reconfiguresystems and then deploy
(37:24):
compensated controls, documenttimelines, owners and
verification steps for eachaction.
And then you need to have somesort of technical reports and
executive summaries as well onall of these factors.
So it's an important part ofwhat you do is to provide this
reporting and remediation piece.
Now there'll be securityreporting.
You have technical reports andyou have executive summaries.
So when you're dealing withthese different types of reports
(37:45):
, again, understand youraudience.
Knowing who your audience is isan important part on any of
these reports.
You don't want to be givingsomething extremely technical to
the CEO and expect he or she isactually going to understand
what the heck you're talkingabout.
So you need to understand youraudience before you provide
these executive summaries andthen make the information
valuable.
(38:05):
Don't just hit, mash a buttonand say, oh look, there's my
report, it means nothing.
You need to be able to filterthrough that information, if
anything, if you give the report, have a summary at the
beginning of saying this is whatyou need to be worried about or
concerned about, or this iswhat the good spot that we're in
.
Again, you have to be involved.
Don't just mash a button andsay the report is done.
(38:26):
You have to have engagementwith that Continuous testing
approach.
This is where you integrate theautomated security tests into
your CICD pipelines to ensurethat they're detecting them
early in the developmentlifecycle and then that you can
one make those changes ahead oftime.
Now, depending upon how you aredoing your development if it's
waterfall, agile, whatever thatmight be spiral, you need to
(38:48):
then build that into youroverall development lifecycle.
That way, shift left security.
This will help catch flawsbefore they enter production.
I hear this term used a lot andwhat it really just comes down
to is you detect it before ithits production and that you can
then get those things in placebefore the things that the
security aspects that hitproduction are limited and
(39:09):
minimized.
So you're just shifting thesecurity piece, because in the
past it used to be you develop,develop, develop, develop.
You have this product, then youput security on it and they go.
Oh well, there's issues.
Now I've got to go back to thedevelopment piece.
This is where building securityat the beginning moving it left
is an important part in thesecurity of your overall
organization.
And then security testinglifecycle.
(39:29):
This is applying securitytesting at all stages of the
development.
This includes the design,development and post-development
stages, includes threatmodeling, static code analysis
and use of static and dynamiccode analysis, early detection
like again moving it left, andthen at the end conducting pen
tests, reviews and compliancescans to validate the production
(39:51):
and readiness of your overallplan.
So, again, there's a securitytesting piece that goes with
that.
It's an important part and Ithink it's in domain eight.
We get into the various levelsof SDLC, but it's an important
piece that you do, that youunderstand for your organization
, especially when you'reintegrating security into your
company.
Again, we've talked about thisstuff over and over again, but,
(40:12):
as you're studying for the CISSP, these are things that the
CISSP is trying to inherentlyput into you through the
questions that it asks, tryingto have you think through these
different topics.
And that's why it's importantthat, as a CISSP, you have so
many years of experience,because their goal is that
you've been exposed to many ofthese different pieces.
That is why this podcast is, inreal honesty, it's very
(40:35):
valuable, because you're gettingexposure from folks that have
had this kind of experience foryears and years and years, and
now, when you go take the CISSP,you get an understanding of
their thought process with thequestions that are being asked
to you.
Okay, that is all I have foryou today at CISSP Cyber
Training.
Hope you guys are enjoying it.
Going out to CISSP CyberTraining, check out the content
(40:56):
that's out there.
I got some really good freestuff for you.
Also have some paid stuff aswell.
Again, it does not cost muchfor the bronze tier that I have
to study for the CISSP.
If you're serious about gettingthe CISSP, look at my bronze
tier.
It is relatively inexpensive.
It gives you everything youneed to be successful and pass
the test.
Again, you've got to study it.
It's not going to be automatic,but if you're willing to put
(41:17):
the work in to study for theCISSP and think about it, just
think about this for a secondthe amount that it costs for the
CISSP bronze package right nowRight now I'm running it for
very inexpensive.
I think it's like a hundreddollars for the bronze package.
If you go in at the bronzepackage at a hundred dollars and
you figure out how many hoursyou're going to spend on
studying for the CISSP over aperiod of time, it's pennies,
(41:39):
pennies on the dollar thatyou're spending to help you get
you to step up on the CISSP exam.
Don't short circuit this.
It isn't just about getting acertification.
It's about understanding thecontent so that when you go for
the interview and they ask youquestions, you can actually
answer the questions andunderstand what the heck they're
saying.
Again, this isn't about gettinga certification.
It isn't about somebody outthere online saying, hey, you
(42:00):
can make six figures in threemonths by being in cybersecurity
.
That's BS.
I'm sorry, that is bull.
You can't just go do that.
You've got to understand thecontent.
That's in here for you to besuccessful.
But if you understand thecontent, you understand the
background.
You then can be communitativelyunderstanding when you're
talking to somebody about whatyou're trying to accomplish.
So an important part go to CISSPCyber Training.
(42:22):
Check out the bronze package.
I guarantee you it is amazing.
It'll give you what you need tohelp you pass the CISSP.
If you need any consulting work, go on out to
reducecyberriskcom and check outmy website.
I'm working with a companycalled NextPeak and others as we
provide consulting services tothe masses.
Okay, I hope you have a greatday and we will catch you all on
(42:43):
the flip side, see ya.
Popular Podcasts
Las Culturistas with Matt Rogers and Bowen Yang
Ding dong! Join your culture consultants, Matt Rogers and Bowen Yang, on an unforgettable journey into the beating heart of CULTURE. Alongside sizzling special guests, they GET INTO the hottest pop-culture moments of the day and the formative cultural experiences that turned them into Culturistas. Produced by the Big Money Players Network and iHeartRadio.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com