Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast.
Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go.
Speaker 2 (00:32):
Hey all, Sean Gerber with CISSP Cyber Training, and this is part two of the CISSP Rapid Review exam prep.
But before we get started, I wanted to bring up an article that I've just read from Krebs on Security around the security updates.
Okay, this is from Krebs on Security and this is around Microsoft's Patch Tuesday and they, you know, obviously Patch
Tuesday.
You might be going, what's Patch Tuesday?
Why is it that important?
But there's an interesting part about this, and usually Krebs
(00:54):
is pretty sharp.
I mean, he's not pretty, he's a very sharp guy, and if he picks up on something then it's usually something that you should probably take some notice of.
But the interesting part that he brought up in this article is there's 137 vulnerabilities across Windows OS and the supporting software specifically that are in this.
But the interesting part of that is there are 14 flaws that
(01:17):
basically came up as critical ratings, which means they could be exploited to seize control over any sort of vulnerable Windows PC that's out there, and this is remote code execution vulnerabilities specifically.
So obviously, this is why we talk about it.
Your patch management is an extremely important part of any organization, and we talk about that at the CISSP, that you need
(01:40):
to understand the assets within your organization as well as understanding which ones should be patched.
Right now there isn't any active exploitation that's occurring, but because they've released these exploits, I should say released these different critical flaws that are out there, you can know that there's going to be some exploits against them coming very, very quickly.
(02:01):
One of the aspects they thought was around the SQL Server.
They're very concerned that the data could be, uh, absorbed or, should say, taken out of a SQL Server, anybody.
As we all know, SQL Server databases are used primarily in a lot of different places around in various Windows systems that are potentially front-facing systems, and now they're worried
(02:22):
that potentially all that data from a supply chain standpoint could be exfiltrated and used.
One of the things I thought was interesting is that it didn't take much user interaction to be able to take control of these systems.
So it wasn't like in the past where the user would have to do many different steps.
They've said they didn't get in the details, other than to say
(02:42):
that it did not take much user interaction to make that happen.
So there's various ones that are out there.
There's a couple of them that are on a Windows authentication negotiation, which is a critical rating of 9.8.
This is all Windows Plus systems and current Windows Server versions.
This is a more likely one, they say, to be weaponized, and
(03:02):
that's CVE-2025-47981, but that is an interesting part.
There's also those four critical vulnerabilities within Windows Office, as well as Windows Defender and their configuration manager.
So a lot of different pieces that are there, but, bottom line, there's 137 patches, 14 criticals that were there as
(03:24):
well.
So obviously you need a patch,right.
But I would say, in the company that I used to work with, we used to go through our patches and it would be multiple.
You would do a patch or you would do a testing.
You then run to the Canary Group.
You then would push it out to a smaller subset of people and then you would patch.
And that was a huge process to bring on any patches and it
(03:47):
could be in the upwards of two, three weeks, possibly even a month, before that update is actually pushed out.
I highly recommend that if you have Windows, which majority of the companies out there utilize Windows for their basic user interfaces, that you set it up on automatic update.
Now the problem is with the SQL Server aspects.
It is the ones that are no longer in support, the 2012.
(04:11):
And if those are exposed, they are going to be vulnerable to this exploit, and so you can assume that people do not upgrade the SQL servers very, very often because of the cost that goes with them.
The licensing itself is extremely expensive, so sometimes those might not get updated.
You need to really truly understand the assets within
(04:31):
your organization.
You need to understand how they could be affected by situations such as this and then develop a plan in which you can deploy a new system and therefore then be able to mitigate some of this risk.
I can't stress this enough.
Your patch management, or vulnerability management, is an extremely critical part of any organization, obviously,
(04:53):
especially the front facing servers, but all systems within your organization.
And I know you hear about it.
It's not sexy, it's not fun, it's not something people really truly want to do, but it's something you really must consider, especially with your security career.
All right.
So that's all we're going to talk about on this.
Let's move on to what we're going to talk about today.
(05:15):
Okay, so, as we know, this is part two of the CISSP Rapid Review, but before we get started on that, I want to just again put a plug out there for CISSP Cyber Training.
Head on over to CISSP Cyber Training.
There's a lot of great stuff and a lot of free content available for you out there.
This is just part of it.
The ultimate goal is to provide as much free content as I can for you, but on the flip side is have some content that's
(05:36):
available to you that, if you want to go deeper into the CISSP, it's available to you, but it's at a price point that you can manage.
The ultimate goal is to help you pass the CISSP right the first time, but on the flip side of that is also to provide you the skills you need to enhance your cybersecurity career and help you grow and become a better practitioner of the
(05:56):
security trade as you go forward in your career in security.
All right, so let's get started.
So we have administrative investigations, [no-transcript]
(06:25):
company resources, potential policy breaches that may have happened.
Are employees installing software they should not, or are they non-compliant with the data handling?
Are they transferring data from Europe to the United States without the proper rules, and are they talking to the right people, the data owners or the chief privacy officers in each of these locations?
(06:45):
The outcome can be disciplinary action, policy updates and, potentially, training.
The disciplinary action also could be termination as well.
So you have to have a good plan in place to understand how you're going to implement administrative investigations.
If you roll into the criminal investigations.
This is to determine if a crime has been committed and to gather the evidence for prosecution, involving law
(07:08):
enforcement in this and ensuring that you have proper due diligence around your overall protection of the data, and especially during your investigation, you're going to need to make sure that their chain of custody factors have been played into this.
This could include hacking, fraud, data theft, any sort of industrial espionage.
All of those aspects can be pulled into a criminal
(07:28):
investigation.
It could be your employees, it could be somebody that's not your employees.
So you need to really consider having a plan on how you're going to manage this going forward.
If you go to a company and they don't have a plan, then you can come in and say, hey, what would you think about doing this?
Now, the outcome, again, arrest, prosecution and potential convictions can all be a part of the criminal investigations.
(07:51):
We're dealing with civil investigations.
This is resolving disputes between parties, determining liability for damages and typically leading to specific lawsuits.
Some examples around this could be contractual intellectual property infringement, negligence leading to data breaches or wrongful termination.
Those are all civil investigations, and sometimes a criminal investigation that does not pan out can turn around and
(08:13):
they can just come and sue you from a civil standpoint.
So you need to.
I've been in both of these, criminal and civil investigations, and I've had one of my CEOs go, well, let's just have them lawyer up and we've got deep pockets.
They don't, especially when it came to intellectual property.
So you need to make sure that you have a good plan on how you're going to deal with IP protection for a company.
(08:34):
Outcome could be monetary damages, injunctions or other civil remedies that can happen due to the civil investigations.
Regulatory investigations, these are determined for organizations that have violated specific laws or regulations governing the industry or operations, and these can be conducted by government agencies, HIPAA violations in healthcare.
(08:55):
You have GLBA or NYDFS.
Those are also ones that could be potentially investigated, and each of these come with fines, penalties, mandated changes and practices.
Practices, potentially different types of the findings, will then cause you to spend more money. Again, loss of license, operating authority and so forth.
So regulatory investigations are done by the regulatory
(09:16):
bodies.
Industry standards investigations, this is to assess the organization's adherence to non-mandatory but widely accepted industry best practices and standards.
I will say I have not seen a lot of these, but they do exist, and depending on the organization or the vertical you're in, you could be dealing with that.
So non-compliance with PCI DSS, though DSS has regulatory-like
(09:41):
enforcement, which it does, there may not be as many outcomes that come of this.
You may lose your certification.
Depending upon, like, let's say, for example, you're ISO 27001 certified and you find out that you're not meeting the requirements for ISO, you could lose that certification.
Now it's not as simple as I just get the certification.
Getting ISO 27001 cert is extremely expensive and time consuming, so you don't want to just lose that, right.
(10:04):
It's an important part of your overall business strategy.
So it's imperative that you do understand what you're trying to accomplish with these.
Domain 1.7, policy, standards, procedures and guidelines.
So these are to develop a security documentation.
You need to have high level statements defining your security objectives and the rules of the what and the why.
So we're going to get into each of these just a little bit.
(10:25):
Standards, these are mandatory requirements for specific technologies and configurations or methods that support policies.
They basically give you the how, and you have the standard in place of what you should do, and these are really important to have.
These.
I can't stress these enough.
Working as a consultant, I'm seeing this in various organizations that don't have this.
Procedures.
(10:46):
These are detailed, step-by-step instructions for performing tasks in compliance with policies and standards, and the step-by-step they walk you through.
They can be considered playbooks, and they walk you through step-by-step on how to deal with compliance and the various policies and standards you may have in place.
Your guidelines, these are recommended best practices or general advice for offering flexibility in the
(11:07):
implementation, or suggestions, right?
These guidelines kind of give you a plan on what you should do.
You don't have to necessarily follow those, but they're recommended to do so.
These help ensure that you have alignment with your business strategy, your risk assessments, your legal and regulatory requirements as well.
So the ultimate goal of the policy, standards and procedures, they're all there specifically to help move you down the path
(11:31):
to ensure that your organization is maintaining alignment with your overall strategy.
And then document security documentation, this is where you maintain a centralized and accessible version-controlled repository of all your security documentation.
This is where you use clear, concise and unambiguous language when you're dealing with your language or with your documents.
(11:51):
I have been in so many different situations looking at documents that I'm like, oh my goodness, they use these big $10 words and you don't understand half of it.
It's legal language, and so if you understand it, that's great, but you got to give it the third grade test, and if a third grader can read it, probably more like high school, if a high school person can read it and understand it, then it's good,
(12:13):
but if they can't understand it and read it, then it's not good.
Don't make these documents so I'm legally important.
And then you put these things out there and nobody actually ever reads them because no one can even understand them.
Establish a formal review and approval process involving relevant stakeholders, such as your legal, compliance and your senior management.
You need to make sure that they all understand what is the
(12:33):
documentation that you're putting in place.
So now that the fact is you've documented, now you need to implement the security documentation.
This is where you communicate the documents effectively through training and awareness programs for all your people.
They need to understand what is actually important and what is not, and what is the purpose around these policies.
What is the purpose around these standards?
Again, I can't stress this enough, working on this right
(12:55):
now, whether folks just don't want to teach their people what is this policy and standard for.
It becomes a checklist mentality of going, I've got a policy, check, I've got a policy, check, I've got a standard, check.
They're not training their people and that's not effective.
Integrate security requirements for documents into daily ops and your business processes.
You need to make sure that they're integrated in your daily
(13:15):
things and what you do.
Enforce compliance through monitoring, auditing and disciplinary action if necessary for violations.
Hopefully it doesn't go to that point, but yes, that's a possibility.
Regularly review and update the documentation based on changes in threats and technology and the regulations that are going on.
So you need to keep up and abreast of everything going on
(13:36):
within the security space so if something does change, you are better prepared for it.
Domain 1.8, business continuity requirements.
Okay, so we're going to do a couple of things with business continuity.
One is a business impact analysis.
Now, the purpose of this is to help prioritize critical business functions, processes and systems.
I've seen it time and again where I've done a BIA and come
(13:56):
to find out that there's a computer sitting in a closet at a really different location that runs your entire company.
Yeah, I've seen it, done it.
It's crazy.
It quantifies and qualifies the potential financial, operational and reputational aspects of this, and it helps to avoid the consequences of a disruption.
(14:17):
Now it will take a lot of resources to do a BIA, and this is in personnel and technology and the data.
So you're going to need to plan for this, and you need to make sure you have financial resources available to it and, mainly, the people to do it.
To do it right.
It's going to take some time.
Some key outcomes is going to be establishing your recovery time objectives, your RTOs, and your recovery point objectives as well, and that's going to come out of your BIA.
(14:38):
Now you need to develop a document, the scope and the plan.
So you need to clearly define the business units, the processes and the systems.
This is important, that you work with your business units to understand this.
If your business units do not have a plan already, then help educate them on this.
They will understand the systems.
They will also understand the data.
Now you may have to tell them where the data is stored, but
(15:01):
you need to understand from them what is the most important data that needs to be included in your BIA.
This does a focus on the manageability of it and it does provide you some guidance around what you should do. Now.
Stakeholder identification, this involves key personnel from the business units, IT, legal, compliance and risk management units in the BIA process.
You need to get them involved from the beginning, and the
(15:23):
methodology includes outlining the approach for conducting a BIA.
This includes interviews, workshops, surveys, data analysts.
All of those aspects would be a part of the BIA.
Have you done interviews?
Have you done workshops?
Documentation, formalize all findings, assumptions and identified impacts.
There'd be any dependencies, such as RTOs, RPOs.
(15:45):
All of those aspects need to be documented and in a central repository where you have them stored.
The other thing is, this document will be the foundational artifact for developing your BC and your disaster recovery plans, and you really need to do that and it's very important.
Now, if you just get started and you go, well, I'm just going to try to do one thing and do a BC for a specific application.
(16:09):
That's fine, but you really need to look at an overall business impact to really understand what are the most critical within your company.
Okay, personal security policies and procedures.
Now, part of the aspects of the CISSP is you need to understand how does this work from an HR standpoint, but also from a cyber security point of view.
So, candidates screening and hiring, you need to be able to
(16:30):
conduct background checks, understand the criminal history, education verification, reference checks and so forth.
One of the areas that I have seen, not personally, but is around education verification.
Now, with the advancement of AI and the ability for people to make resumes that look and sound pretty amazing, understanding
(16:51):
the education of people that you have or that you're actually trying to hire is an important part of all of this.
One of the things that kind of is strong because of this is the fact that you have sensitivities of the various roles that you're trying to put people into, and so, therefore, you need to do a background check on these individuals, both from an education standpoint and from a criminal history
(17:12):
standpoint.
You also need to verify the qualifications and experience to ensure they have the competence.
Now you guys are all taking the CISSP, so there is some steps in place to ensure that you have the right education or, mainly, the right experience, before you can even take for the test.
Well, you can take the test, but before you actually get the certificate, and so the thing that comes out of that is that
(17:33):
you also, as a cybersecurity professional, may want to see certifications that people may have, if that is something that you're actually looking for to help someone with the role.
Now you also want to implement the screening process to identify potential insider risks that may be there before you actually get started.
I've had a situation where we were hiring individuals that
(17:53):
were in a very sensitive area.
We had hired an intelligence company, and this intelligence company did background checks, a deep dive into their overall associations, and it was very, very good, helped us out.
Amazingly, there's a company called Strider, very good at doing that kind of stuff.
So you may want to implement a third party to help you.
Now, employment agreements and policies.
(18:13):
You'd want security clauses in these policies, in these agreements, to ensure you.
One, you have NDAs in place.
Two, they have acceptable use policies within your company, security awareness policies or mandates.
You may want those within your organization as well, and so this is where the employment agreements and policies come into play in this section of Domain 1.9.
(18:34):
You need to have clear policies on data handling, intellectual property and acceptable use.
It's very important that you work with your legal team to make sure that you have the right language in there.
Now.
The language may already be set up within your IP protection people or within your legal teams.
They may not think about the cyber aspects, so it's important
(18:54):
that you inject yourself into the conversation to try to get that conversation going further.
They may want to make some changes to their documents based on feedback that you can provide them.
Onboarding, transfer and termination process, this is where you securely provision access based on the principle of least privilege, which basically means it's the least amount that they can have access to, and you provide mandatory
(19:17):
security awareness training and distribute the security policies that are out there, make that available for people.
So that's where the onboarding, transfer and termination process begins.
Now the transfer is where you review and adjust privileges when the employee changes roles or departments.
I've seen this time and again where a company or a person will move from one role to another role and they take their
(19:38):
credentials with them, which is what we call credential creep, and they end up moving into this new role with a lot of capability that they should not have.
Termination, you should ensure you have a swift and comprehensive checklist that helps to get people on and off the organization.
Ideally you'd want this automated, but you remove all physical and logical access that they may have, recover company
(20:02):
assets, that's laptops, phones and so forth, and then conduct exit interviews to ensure you gather feedback and reinforce the security obligations that you are expecting with them, such as NDAs, those types of aspects.
So it's important that you have a good onboarding, transfer and termination process within your company, and this is part where CISSP helps you with that and kind of gives you guidance on
(20:23):
what you should do.
Vendor, consultant, contract agreements and controls. Again, beginning of 1.9.
So you need to extend the personnel and security principles that you're planning with employees to your third party engagements, and this means that any third party that's coming on, you have robust contracts.
You have legal agreements that are set up with these third parties to help you, or to ensure that they are protecting your
(20:47):
information just as much as you're having your employees protect this information.
So the same type of aspects that you would provide to an employee, you need to provide those to a contractor as well.
Now you need to implement continuous monitoring and oversight of your third party access and ensure that they are being watched just as much, if not more so, than your employees
(21:07):
.
I've had plenty of contractors try to move data outside of my organization without people knowing about it, and so contractors can be a definite win.
They can help your company a lot, because I am one, but they also can be a risk to your organization.
Now, compliance policy requirements.
(21:27):
You need to also ensure that your policies are meeting the various compliance aspects related to regulatory pieces, such as HIPAA, GLBA, GDPR, PCI DSS, and so in the test, they're going to ask you questions related to these different areas and do you understand them?
Do you understand that you should do them?
One of the big aspects you need to keep in mind is, when it comes to regulatory pieces, they're non-negotiable.
(21:53):
Now I will say there have been.
Depending upon the regulatory aspect and the language of the regulatory point, there may be some wiggle room on what you can and cannot do, or what you should and should not do, but that's where you work with your legal team to ensure you have the right plan in place.
You want to document compliance measures and conduct regular audits and ensure that those are completed on a regular, at least on an annual, basis.
(22:14):
Privacy policy requirements, ensure that the CISSP wants you to integrate privacy considerations into personal security practices, especially concerning background checks and monitoring your activities.
So you need to make sure that your employees have a document that has been signed about privacy, and the fact is that you are going to be monitoring their activities.
It's important that they get this.
(22:34):
They understand what they're actually signing as well, because we've had it in.
I've had a situation where the employee was complaining that they don't want to be monitored.
However, on the onboarding process and their employee contract, it specifically called out that they would be monitored on a daily basis.
It didn't go into the details of how they're being monitored,
(22:55):
it just said they're being monitored.
The language was pretty open-ended.
Now you want to ensure compliance with employee and privacy laws and internal privacy policies when handling employee personal information.
So, again, all of these pieces are going to be part of the overall CISSP training package that they want for domain 1.9.
(23:17):
Now risk management concepts.
This is domain 1.10.
This is where you identify threats and vulnerabilities.
Okay, so what is a threat?
Identifies potential dangers that could exploit vulnerabilities, such as malware, natural disasters, insider malice, folks that maybe aren't really happy with your organization, that is a potential threat.
The vulnerability obviously is the weakness in the system or
(23:40):
process and controls that could be exploited by the threats themselves.
So you need to make sure that you have a good plan to address your vulnerabilities.
These could be anything from unpatched software to not having strong passwords, misconfigurations.
I'm working on a policy right now about misconfigurations or about, I should say, configurations.
So again, this is where the CISSP wants you to understand
(24:02):
these key concepts.
Risk assessments and analysis.
The purpose of a risk assessment is to determine the likelihood of a threat exploiting a vulnerability and the potential impact of this event occurring.
Now you have two different types of analysis.
You have qualitative and you have quantitative analysis.
The qualitative analysis, and this gets goofed up a lot by people, including myself.
(24:23):
I've made mistakes around this. I say one and mean the other.
The qualitative analysis is the subjective assessment.
This is where you're getting in high, medium or low, and then you, based on your expert judgment.
Now I will say I went to an organization and they had high, high, medium, low, medium, medium, low, low.
That was way too many choices.
(24:44):
Don't do that.
Keep it simple. High, medium and low.
If there's a critical, then maybe get rid of the low.
But bottom line is keep it very simple.
Quantitative analysis, this is where you object, object, numeric, objective.
You have numeric.
I can't even speak.
It's basically numbers.
Numbers assessment involving calculations such as your ALE, your single loss expectancy, annual rate of occurrence.
(25:07):
All of those are all detailed with numbers.
That is your quantitative analysis.
That's just basically numbers.
Quantities.
Qualitative is more of a quality thought process around it.
How do I feel that it's going to be?
I've had to do quality assessments, qualitative assessments, on does this company feel they're going to actually be able to meet the demands of this requirement?
(25:29):
Now, risk response, this is avoidance.
There's different types of risk, and the first one we're going to get into is avoidance.
This is eliminating the risk by ceasing the activity that causes it.
Stop it.
That's what you're basically avoiding it.
You're getting rid of it or you're not getting rid of it.
You're just stopping the activities.
Transference is where you're shifting the risk to another party, such as insurance, outsourcing it.
(25:49):
This risk is going on to someone other than yourself and your organization.
Mitigation. Mitigation is where you're implementing controls to reduce the likelihood or potential impact of the risk.
Now, one thing you also will understand is that, as you're going to the board and you're dealing with different folks, mitigation does not mean the complete ending of the risk.
It just means that you are mitigating it.
(26:10):
It may still be there and you may be able to get rid of it to zero, but in most cases it's still there.
It's just dramatically reduced due to your controls that you are putting in place.
Acceptance, this is where you're acknowledging the risk and deciding not to take any action, often due to low likelihood or impact or cost benefit analysis.
You're basically accepting the risk.
(26:32):
You see there's a problem, but you know what, due to whatever reason, you are not going to do anything more to it.
So that is acceptance under risk response, all part of what you need to know for domain 1.10.
Continuing to 1.10, you have countermeasure selection implementation, this is selecting appropriate security controls based on the risk assessment findings.
This would be cost effectiveness, alignment with
(26:54):
organizational goals.
All of those pieces are selecting the appropriate security control and then implementing the countermeasures effectively to reduce these identified risks.
So this is your countermeasure selection and implementation.
This is all part of your risk management concepts, basically.
And then applicable types for controls.
You have different types of controls.
(27:14):
You have five different types.
You have your preventative, your detective, corrective, deterrent and compensating.
So what is a preventive?
This is a control to stop the incidents from occurring, such as your firewalls, authentication, all of those different types of aspects that are set up for you to prevent this from occurring within your company.
Detective, these are designed to identify the incidents once
(27:37):
they occur.
So your IDSs, your audit logs, potentially, if you have physical security, your security cameras, those are the detective parts of the controls.
Then you have corrective, these controls are designed to fix issues after the incident occurs, such as you may have an incident response plan that you have to execute to fix the issues.
You have backups or patches.
(27:59):
All of those as well are important parts that you would have to correct the issue.
Deterrent, these controls are designed to discourage attackers, such as having mantraps, security guards, visible warnings saying there's a problem. All of those are deterrents to try to stop people.
Razor wire, concertina wire, all those are aspects to help determine or deter people from gaining access to your facility
(28:21):
or to your data.
Compensating.
This is where your controls that are designed to provide an alternate or primary control that cannot be met.
So what happens if you have a control that can't be met?
You would then incorporate a compensating control, something that would be to help mitigate part of the issue.
Say, for instance, you have to deploy, I'm trying to think, some sort of password change.
(28:42):
Right, and you're deploying MFA, for example.
Let's just say you have to deploy MFA to your organization and you still are relying on passwords.
Well, what would you do?
Well, you could have changed your passwords or force everybody to do a password change, and maybe before you had only an eight character password and now you're forcing people to do 15 character.
That would be a compensating control until your MFA is in
(29:04):
place.
So just things you need to think about that you would put
in the interim until that actual control can be utilized.
Control assessments: you have security and privacy control
assessments.
This is where you regularly evaluate the effectiveness of
the implemented security controls in achieving their intended
objectives.
You'll assess the controls specifically for privacy
(29:25):
compliance and then ensuring that you have PII covered.
And again, these are control assessments that you would do,
or you would work with your compliance and security teams to
help you do, and these happen a lot in the financial industry;
you will do an RCSA, and this RCSA is a control security
assessment, and the ultimate goal is that you would put those
(29:47):
in place to try to determine, okay, where are we at, what do
we need to do and are there any aspects that we need to cover
right at this moment?
Continue on to domain 1.10, you have monitoring and measuring.
This is where you continuously monitor the effectiveness and
controls and the overall risk posture through metrics.
So, what they call KPIs, which is your key performance
(30:07):
indicators, you have KPIs and you have KRIs.
Your KRIs are key risk indicators.
Now you monitor and affect it.
The thing it comes right down to is this is a metrics program.
You really want to have metrics within your company, because
it's really hard to know what you have going on if you're not
actually measuring it.
Then, once you get this completed, you would report,
you'd communicate your current risk posture, your control
(30:29):
effectiveness and your significant risk changes
to the relevant stakeholders.
This could be your CISO.
Who would that be?
And that is an important part of the reporting piece of this.
So, one: you track it.
You determine what you're tracking.
You then provide a report to help show how you're doing with
this overall plan.
Continuous improvement: this is where you regularly review the
(30:50):
entire risk management process, incorporating lessons learned
and adapting to evolving threats and your organizational
changes.
Utilize models such as risk maturity models to assess and
advance the organization's risk management capabilities.
The ultimate point of this is you're just looking back over it
over time and you're looking at the maturity of your
organization and you're reevaluating it.
I see this time and again where people will go and put something
(31:12):
in place but they won't go back and reevaluate the maturity of
their company and what they're actually trying to accomplish.
Risk frameworks: adopt and utilize established risk
management frameworks that are there specifically for you to be
able to provide a repeatable and comprehensive approach.
Now, some of these are paid.
Some of these are not, but, such as NIST, you have your
risk management framework.
(31:32):
That's there.
You have your ISO 31000.
You have FAIR.
Those are other ones. FAIR will cost you some money to help
you with risk as well, but there's different types of
programs that you can use to help guide you down this overall
risk plan. Domain 1.11 or 111.
Threat modeling concepts and methodologies.
So you need to understand threat modeling concepts.
(31:55):
Because why? Well, as a CISSP, you've got to be able to
pass the test and they're going to ask you questions, and two, a
lot of the stuff.
You're dealing with a threat you need to model.
What is the threat actually going to go against my company?
Who are these people and what would they be looking for?
So it breaks down into four areas.
You have your purpose.
This is where you identify potential threats and
vulnerabilities early in the development lifecycle to address
(32:17):
them proactively.
Basically, you want to figure out who they are and start
getting on it.
Goals: to understand what can go wrong.
Specifically, if these people or things were to get access to
my organization.
What can go wrong?
What could they get access to?
And you need to focus on the applied systems and applications,
the scope of what they can gain access to as well.
(32:40):
So if it's an external-facing system and they can't get
anywhere other than the external side, well, now you know that's
your scope, that's what you're limited to.
But what could they do?
They could deface these web servers.
That could be a problem.
Then the benefits: reduce the cost by addressing security
issues early.
So the point of it is, if you get hacked and now you have
to build in an incident response team, it's very expensive.
So by understanding all of these aspects in place, you can
(33:04):
then potentially come forward with telling the board or
whoever provides the funds for you, that by doing these things
we will reduce our risk by X.
So again, this improves communication between teams and
enhances overall security posture.
So that's understanding the threat modeling as it relates to
domain 1.1, some common threat modeling methodologies.
(33:24):
We're going to go through just a few of these and we go through
these in CISSP Cyber Training, in the course, where we have
STRIDE. This is where you have spoofing, tampering, repudiation,
information disclosure, denial of service and elevation of
privilege.
These are the different types of threats and it's just a
mnemonic that's used to help you with those.
So STRIDE, DREAD. DREAD is damage potential, reproducibility,
(33:49):
it can be reproduced, that word, exploitability, affected users
and discoverability.
This is a quantitative or qualitative risk and ranking
model used to prioritize the identified threats.
And then PASTA. This is the Process for Attack Simulation
and Threat Analysis.
So it's a seven-step plan or risk methodology that will
(34:11):
integrate the objectives and the technical requirements and it
will help you understand what would be a potential attack
scenario and simulation that they would come after you with.
TRIKE is a methodology that focuses on defensible perimeters.
And then VAST.
This is the Visual, Agile, and Simple Threat.
It's a scalable methodology that's used to help agile and
DevOps teams.
(34:31):
I've worked with VAST a little bit in the past.
It works very, very well and, especially when you're dealing
with a DevSecOps environment, it works really, really well.
Now, as we continue on with domain 1.11, you have key steps
in threat modeling, so you have basically five different steps
that you're going to have to deal with when you're focused on
this.
You decompose the applicationor system.
(34:53):
You need to understand the architecture of the system,
understand its components, where does the data go?
And then you're decomposing this to find out what are some
of the flaws.
You're going to find out a little bit more about that
system.
I had to do this with a device that is in our ERC environment
and it was focused on data flows outside of the United States,
(35:14):
so I had to focus on how to get that.
Where does that data go, who is touching that data, how is that
data managed, and so forth.
You identify the threats.
You brainstorm potential threats using methodologies like
STRIDE, and then you also determine and document
vulnerabilities within this discovery.
And the point of it is that you document these vulnerabilities
(35:34):
and you then will go and put an action plan together to help
understand these weaknesses and then go and implement a plan.
You determine and document the countermeasures: what are some
potential security controls that you can put in place to
mitigate the risks, and then you validate and verify, you ensure
that the threats are adequately addressed and the
countermeasures are effective.
So again, that's your threat modeling plan.
(35:56):
You decompose the application, understand it, identify the
threats that could come after it, determine and document the
vulnerabilities against it and then determine the
countermeasures to protect it and then validate and verify
that it's actually what it is.
So those are the different steps related to threat modeling.
Moving on to domain 1.12, risks associated with hardware,
(36:17):
software and services. Hardware: this is associated with risks
that are in embedded malicious components, counterfeit devices,
tampering during transit, insecure firmware.
All of those fall within the hardware piece of this.
Now, one thing to keep in mind, I had counterfeit equipment in
Europe I had to work through, and this happens especially with
(36:38):
organizations that will go out and purchase the equipment on
their own, you run into malicious and, I should say,
counterfeit devices, so be prepared for that.
Have a plan. Software: encompasses vulnerabilities in third-party
code, malicious dependencies, insecure libraries and supply
chain attacks.
So these are the different risks that are associated with
software, and then also with your services.
(37:04):
This includes cloud and your managed service providers.
This would be vendor security posture, data residency, access
controls, incident response capabilities.
All of those fall within the services that an organization
may provide you, and so you need to understand the risks with
that.
One would be around incident response.
If there's a situation that occurs where you have to call
your incident response team and they are unavailable, how do you
(37:26):
handle that?
And maybe you have to pay so that they become more available.
I don't know.
Something you're going to have to consider. Third-party
assessments and monitoring: when you're dealing with supply chain
risk, it is due diligence.
You need to conduct thorough security assessments before
engaging the third party.
Unfortunately, sometimes it happens where the third party is
already getting ready to be signed on the contract and now
they're going.
(37:47):
We need this risk assessmentdone.
That makes things very awkward.
Very awkward and very uncomfortable.
Contractual agreements: you need to ensure that you've gone
through the contractual agreements with them.
This includes defining audit rights, incident notification
processes and data protection clauses.
So, again, third-party assessments, contractual
agreements, important factor, you need to get involved with them
(38:09):
early.
And then ongoing monitoring: you need to monitor your third
parties.
Most of these different types of regulatory requirements
require something along those lines.
NYDFS does require third parties to be monitored, and
there's various frameworks that I would highly recommend for
financial institutions, to include CRI, which would help
you, kind of helps give you the guidance on what you need to do
(38:31):
as it relates to monitoring folks.
But the ongoing monitoring is, again, where you monitor your third
party's security posture, performance and compliance
throughout the entire contract lifecycle.
This may involve regular security reviews, vulnerability
scans, all these types of aspects that could occur to your
third parties, and I highly recommend that you do this.
Focus on your third parties.
They are one of the biggestrisks to your organization.
(38:53):
Continuing with 1.12, you have minimum security requirements.
Now, this is an important part.
Like I say, oh, this is an important part, right, but your
CISSP, this is an important part.
Around minimum security requirements, you need to
establish and enforce a baseline of mandatory security controls
that all third-party providers must meet.
Okay, important factor, you need to do this now.
(39:16):
If you're a security person, I'd highly recommend it.
If you're taking your CISSP, I highly recommend it.
You need to make sure that you have a good plan for this.
Again, this is commensurate with the risk that they pose.
If they don't pose a whole lot of risk, well then maybe it
isn't such a big deal.
I would just actually figure out what is your minimum
base security posture for your organization and then focus that
(39:37):
on everybody and then work from there.
If somebody has access to your most sensitive crown jewels,
then you layer on different types of requirements
for them and then you build that into your contracts.
These requirements should cover areas like access management,
data encryption, patch management, incident response,
all those pieces.
(39:57):
Again, you need to set minimum security requirements and call
that out within your policies and your standards.
Service level requirements: this is your SLRs and your service
level agreements.
You'll need to know those for the test.
You need to define clear security-related performance
expectations and metrics within your contracts.
If they are an MSP for you, you need to have clear expectations
around resiliency, backup and recovery.
(40:19):
This would include recovery time objectives, recovery point
objectives.
You need to have incident response notification timelines.
All of those would need to be built into your service level
agreements or service level requirements based on the
contractual language you have.
(40:44):
What does that mean?
It means you don't have RPOs and RTOs that may be different
for your third parties than you would for internal.
Yeah, you may, and that's fine, because maybe they are a full
SaaS provider and you're expecting RTOs and RPOs at a
higher level.
But you need to make sure that if you have a higher standard
for your RTOs and RPOs internally, that you don't have
loose standards for your third parties.
You need to have as strong, if not greater, for your third
(41:06):
parties.
Now 1.13, the last melon.
This is the last subsection of Domain 1's Rapid Review: security
awareness and education and training.
This is an important part and a lot of times it is lost, but
it's a very, very important part and it's one of those where, if
you work this with your people, it's going to go a long way
(41:26):
and it will help you amazingly over time.
But this does take time.
So, methods and techniques for presenting awareness and
training.
One, social engineering awareness: you need to educate
your employees on social engineering tactics.
I was Jennifer and I used to go after pilots and no, I did not
change my gender, I just was that online and I did that, and
(41:47):
I would do that online towards these pilots and guess what?
They gave me all kinds of stuff.
Social engineering, yes, social engineering tactics are an
important part.
Teach your people to do that, how to identify and report them,
and conduct simulated phishing campaigns.
That's what you need to do. Always
do those. Phishing simulations. Again,
you need to send simulated phishing emails to employees
(42:08):
because why?
That's one of the main reasons the bad guys and girls can get
into your organization, and to test the employees' vigilance
and identify vulnerable individuals and then fire them.
No, try not to fire them right away, but you may want to give
them some counseling before you fire them.
Security Champions Program: this is where you train enthusiastic
employees from various departments to act as local
(42:28):
security advocates.
This works really well.
Actually, I had one.
I had this program operating within my company and you have
some really strong people that really enjoy security and they
are a big advocate and those facilities were the strongest
because of them and it was a very, very good program.
Gamification: incorporate game-like elements, leaderboards,
(42:49):
badges, challenges and all that stuff to motivate people to
make sure that they don't click on the wrong links. Works well.
It can come with a cost, so you just need to be aware of that.
Interactive modules and videos: engaging, short, relevant
e-learning modules and video that focuses on practical
security behaviors. I would say the stuff that you can buy is
really good, but what also works well is when you, as a security
(43:10):
professional, are talking to people directly.
Even if you put little videos together, those things go a long
way because they see actual people like you.
Regular communication: utilize various channels, such as
internal newsletters, posters, intranet announcements, team
meetings, anything like that is a communication that goes out
from the security team.
That's an important part.
That way, if people know that you are engaged and you are
(43:32):
involved, they like that.
That's an important part of any security awareness training
program.
Continuing on, we have periodic content reviews.
You need to update your content.
So update training content to reflect your current threats,
because they do change: new technologies, obviously AI, and
then changes in your organizational policies due to a
new CISO or whomever is now running the show.
(43:53):
So you need to make sure that you have content reviews on a
routine basis.
You ensure the content remains relevant, engaging to the
audience.
It's not just boring.
I will tell you that some of you might be listening to this
and you're falling asleep.
I'm sorry, but some of you might be listening to this going
oh, this is awesome and so therefore, you need to try to
keep it engaging.
One of the guys that listens to my podcast on a routine basis
(44:16):
sent me a note saying yeah, as I'm feeding my child at 2 am,
I'm listening to you and I'm like, oh dear Lord, I feel bad
for your child because you'll probably fall asleep as you're
feeding your child.
Program effectiveness evaluations, because I did that a
lot.
Yeah, when I was feeding my kids, I was asleep when I did it.
Oh, sorry. I digress.
(44:38):
Program effectiveness evaluations. Metrics: ensure the success
of the program through various metrics: reducing the phishing
click, as well as through security quizzes, decreased
incidents, specific security policy violations and the number
of reported activities.
The metrics help amazingly to help you with all of these
different aspects, but if you're not tracking it, you're not
measuring it.
It's really hard to do much about it.
Feedback: you need to collect feedback from employees on training
(45:01):
and the training content as well.
They'll be your best source to tell you whether it's good or
not, and you need to try to get that information from them as
quickly as you possibly can.
Adjustments: use evaluation results to refine your methods
and content, as well as your frequency,
ensuring the program continuously improves and meets
the objectives that you have set out again.
(45:23):
So it's important for you not just to put out the training,
for you to actually go review it and then look at the
effectiveness of the training and then pivot if it's not being
effective.
Thank you again for joining me today.
Again, you can go to CISSP Cyber Training and get access to
all of my free resources. Again, from podcasts to study plans,
to questions, to my blog.
All of that is at CISSP Cyber Training.
(45:44):
Or, if you really truly want to get into the details of it and
have it walk you through step-by-step, including the book
itself, you can go to my paid site where there's 36 hours of
all my CISSP content.
There's CISSP questions, deep dive topics, you name it.
It's all available to you on the paid site as well.
Whatever works for you, free resources, paid resources, it
(46:05):
doesn't matter, head on over to CISSP Cyber Training and I can
get you everything you need.
All right, have a wonderful day and we will catch you all on
the flip side, see ya.