Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP
Cyber Training Podcast, where we
provide you the training and tools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber and I'm your host for this
action-packed, informative podcast.
Join me each week as I provide the information you need to pass
the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go.
Speaker 2 (00:22):
Hey, I'm Sean Gerber.
With CISSP Cyber Training and today's podcast, we are going to
be going over the CISSP Rapid Review Exam Prep, domain 3, Part
2.
Yes, we're going to be focusing on Part 2 of the CISSP Rapid
Review Exam Prep for this podcast today, so I'm pretty
(00:46):
excited about that.
Last week you had domain two, you had domain three, part one,
and now we have domain three, part two.
So we're going to go over those and then the ultimate goal is
to provide you all the skills you need to pass the CISSP exam
the first time, and this is a good way for you to do that.
So let's go about the breakdown related to domain three.
(01:11):
We're just going to reaffirm that information if you haven't
already heard it. Domain three: there's about 13% of the CISSP
questions are on domain three, and so therefore, it's a pretty
substantial amount, and the amount of knowledge you have
to know from domain three is pretty good.
You're going to have to basically have a lot of
questions on this, so having a good grasp of it is an important
part, and you can get all of this content at CISSP Cyber
(01:31):
Training.
There's a lot of free resources out there.
There's a lot of paid resources.
But the bottom line is I want to help you pass the exam the
first time.
So, ultimately, go out there, find all kinds of free content,
can head to CISSP Cyber Training and get some more free
content, but all of mine's curated in one stop shop.
You don't have to go to a lot of different places to find it.
It's there and available for you.
(01:52):
It's free.
You can go to it.
Just sign up.
Easy peasy, lemon squeezy.
Okay, so we're going to quickly.
Before we get into this domain, we're going to go over some
things that I saw in the news today.
Okay, so, I've just got an affinity for ICS and OT
environments and I'm just kind of, this is going to follow suit
with that.
In the news today, this article comes out of Ars Technica, and
(02:13):
this is a search of riches.
Hackers plant 4G-enabled Raspberry Pis into a bank
network.
So, as we all know, Raspberry Pis are very small and very,
very powerful.
For a little tiny piece of equipment, they can do a lot of
things, and so these folks decided to install a Raspberry
Pi within a banking network.
(02:33):
Now, for this to occur, a lot of things had to happen that
didn't quite work out right.
So if you're in the banking space, this is a huge failure.
And somehow or another, these folks had physical access to the
network facility where the banking ATM systems were placed.
So what ended up happening is they have this device and it has
(02:56):
hosted on it a tiny shell backdoor and it's able to be
communicated over mobile data, obviously, and then it creates a
persistent remote connection.
They were able to get access to the network switching room for
this ATM environment and they plugged this rascal in there.
(03:18):
By doing so, they had remote access to the overall ATM
environment and they were able to basically do whatever they
wish to do.
In addition, they also had the ability.
They added some anti-forensics capabilities, more or less some
masquerading pieces, and they would have the system do Linux
bind mounts.
It would also help add network traffic across it as well, to
(03:40):
make it look like everything is supposed to be there.
So these folks knew what they were doing when they put this
system in place.
The question I have is how did they get access to the network
switching room?
That is not good, right?
I mean, that's a huge failure.
These switching rooms should have some sort of cat card
(04:00):
capability or some sort of Icall them the beep beep
capability to be able to gainaccess.
Cat card capability or somesort of I call them the beep
beep capability to be able togain access.
So physical access along withnetwork access falls very much
in line with what I used to dowith the military in the red
teaming.
So we talk about is why youhave red teams are so important
to have within your organization, or to at least have them come
(04:20):
against your organization, because they can look for
different places that would allow access into it.
So the bottom line is that this is a really good article.
It gets pretty deep into some areas around how emails would be
sent out, the different types of forensics capabilities that
were there specifically, and it's just an awesome read, real
quick read around the OT environment.
(04:42):
Now I come back to say banks don't really.
People will say, well, banks don't have operational
technology environment.
They do and they have IoT environments.
They have all kinds of things in their networks and this is an
interesting part is the fact that most manufacturing
facilities understand network segmentation very well when it
comes to related to the overall OT space, because many of the
(05:05):
processes we have will blow up and kill people.
When it comes to the banking industry, I think they
understand it, especially some of the bigger banks, but the
smaller banks may not have as good a grasp on it as well.
So it's really important if you are in one of the financial
sectors and you maybe are not on a large top tier bank, but
you're maybe like in a mid tier, mid to lower tier bank, you
(05:26):
need to be just as in tune to this information as anybody else
because, realistically, you're the ones that are out there
hanging out to dry.
I've seen plenty of bank professionals that do really
really well in what they do, but the problem is they're wearing
too many hats.
And this is a good example of if you don't have good control
over your network switching environment and maybe you forget
(05:48):
to lock the door, maybe you forget to whatever that is.
A rock gets stuck in there.
There's people can gain access to your network switching and
can cause you all kinds of drama, so you don't want that to
happen.
But again, good article from Ars Technica.
It's related to the ATM switching networks and hackers
planting 4G-enabled Raspberry Pis into a banking network.
(06:10):
Okay, so let's get into what we're going to talk about today.
Client-based systems.
These focus on endpoint security, protecting against
malware, data loss and user-driven vulnerabilities.
They require robust, I mean robust, patch management systems,
and you want to make sure that they are being patched.
Obviously, user awareness, training and authentication
(06:31):
methods are an important part of all this.
Server-based systems: these centralized points of data
storage and processing, making them high-value targets.
Obviously, because your client-based systems are usually
the first door in, but the long-term play is the servers.
They demand strong hardening and you want to make sure that
your servers are set up in a way that is protecting them.
Database systems: primary focus is on data confidentiality,
(06:54):
integrity and availability, and it requires access controls with
obviously least privilege, encryption whether data is at
rest, and then regular backups and auditing of these data
sources forms. Cryptographic systems.
These systems rely heavily on the strength of the algorithms
and the proper key management.
Having good key management is an imperative part of any sort
(07:15):
of cryptographic system.
Vulnerabilities often stem from weak generation or poor key
storage or potentially incorrect protocol usage, rather than the
algorithm's flaws itself.
Most problems with these algorithms, these have been
around for a while.
They're bulletproof; it's the fact that people just don't
configure them correctly.
Okay, continuing to 3.5.
(07:36):
Industrial control systems.
You need to prioritize safety and availability over
confidentiality.
Often operating in real-time environments, these face unique
challenges due to legacy systems, because they are challenging.
They are, and specialized protocols.
Convergence with IT networks, incorporating ICS and IT can be
a bit of a challenge.
We talk more about that in CISSP Cyber Training and
(07:59):
overall in my course that I taught in Industrial Controls.
Cloud-based systems.
These operate under a shared responsibility model where
security duties are divided between the cloud provider and
the customer.
Again, the cloud provider will provide some of this, but a lot
of times it's up to the customer and if you don't know how to
protect the cloud environment, you could be in trouble.
These require careful consideration of data governance,
(08:19):
compliance, vendor lock-in and secure configurations in the
cloud.
We talked about configurations as an important part and you
need to have a good plan when you're dealing with any sort of
cloud infrastructure.
Distributed systems: this is composed of multiple independent
components communicating over a network, increasing complexity
and attack surface.
Now, again, when you have distributed systems, you got to
(08:40):
understand how do they communicate, what is the data
consistency between these and then overall, managing these
decentralized identities for these systems.
Internet of Things, IoT: this is characterized by a vast number
and a very diverse group of systems that really basically
have a huge, massive attack surface, because everything can
(09:01):
be IoT, from the Echos that you have in your house to your
sensors that are determining your temperature within some
other buildings.
All that stuff is part of an IoT network.
Common issues include weak default credentials, unpatchable
firmware, insecure comms and privacy concerns with these
systems.
Again, you can buy it off of Amazon and get yourself a great
(09:22):
product, put it in place and you're running, but you don't
know what kind of vulnerabilities you just
incurred.
Microservices: this is where architectural style, where
applications are built as collections of small,
independently deployed services and these are security
configurations shift to securing APIs, which is these
interconnections between them, inter-service communications and
(09:43):
managing the decentralized security policies.
So when you deal with microservices, how are they
communicating?
How are they protected from a standpoint of what they're
running?
Basically, microservices, all it really is is, instead of
having a computer running a specific script, it's just the
script running itself and you don't have to have a server
stood up to run that specific script.
(10:04):
You can do that, but the services are designed to run
independently.
Continuing with 3.5, containerization: these are
packages and applications and their dependencies on isolated
units or containers that share the host OS kernel.
There's key security aspects of these, including images,
runtime protection, host OS hardening and the orchestrator
(10:25):
security, obviously part of the Kubernetes clusters.
Containerization is a great tool, but you need to understand
it before you start implementing within your
organization and you need to understand the security
implications of doing that.
Serverless.
This allows for developers to build and run applications
without managing servers or abstracting infrastructure.
Very similar to microservices, same kind of concept, but it's
(10:46):
just developed on a serverless piece.
These security focuses on security functions, code and
event triggers, identity and access management for functions
and managing third-party dependencies.
You're going to run into a lot of third parties with serverless.
A lot of third parties will do that and that's part of their
SaaS offering. Embedded systems.
These are dedicated computer systems designed specifically
(11:08):
for functions in larger mechanical or electrical systems.
You'll run this in like your HVAC, all these dedicated
computer systems set up specifically to run them as
embedded.
They're in cars, they're in appliances, they're in all kinds
of things, and they often have very limited resources and they
have fixed functionality, which basically means they can only do
(11:29):
certain things, but they are in place for a long time.
So many of these embedded systems still may be running
Windows NT or Windows 95.
I would hope not, but I think they're still out there and so,
if that's the case, you may have a challenge.
Just may have a small challenge.
Continuing with 3.5, high-performance computing
systems, HPCs: these are designed for massive computational tasks
(11:52):
and handling large data sets.
They're the supercomputers,right.
These include processing vast amounts of sensitive data,
including inter-nodal communications, and managing
access to powerful resources.
Edge computing: this is where the process of data closer to
the source of the generation.
We would do edge computing in the industrial control
environments because they would compute it at the facilities and
(12:13):
not go to the cloud.
There are security challenges involved securing distributed
physical systems and managing remote updates, ensuring that
there's integrity at the edge.
You're maintaining these edge systems.
You've got to think about them, you can't forget about them,
and they're just one more way and one more vulnerability
within your organization.
Virtualized systems: these involve running multiple virtual
(12:33):
instances on a single physical host managed by a hypervisor.
We talked about the hypervisor a little bit ago, but hypervisor
security is paramount.
If you can control the hypervisor, you control the VMs
and you don't want to control the VMs.
What bad guys do, but you don't want.
You want them to be protected in their own little enclave.
Domain 3.6, access and mitigate vulnerabilities in web-based
(12:56):
systems.
Cryptographic life cycle: this encompasses all stages of the
key generation, distribution, storage and usage to include
revocation and destruction.
This is what happens to your life, the cryptographic aspects
of this, your keys, your certificates.
When do they begin and when do they die?
What happens to them as well?
This ensures that your cryptographic assets are managed
(13:18):
securely throughout their entire existence, from when
they're birthed to when they are put in the grave. Again,
that's the overall life cycle.
It's an important part of any organization is to understand
that completely. Cryptographic methods.
We've got some various things you'll hear about on the CISSP.
Symmetric encryption: this is a single shared secret key for
both encryption and decryption.
(13:38):
Asymmetric uses a public key crypto, right, so you're dealing
with PKI and it uses mathematically linked keys for
public and private for encryption and decryption.
That's your asymmetric and then your elliptic curve crypto, ECC:
this is a type of asymmetric cryptography that provides
similar security strength with smaller key sizes, making it
(14:00):
much more efficient, especially in the mobile space.
And then, obviously, quantum, yes, the big quantum.
This is where it is looking at cryptographic techniques based
on quantum mechanics principles and often theoretical, air quotes,
unbreakable security. One of the things around quantum is that
it will crack old symmetric type encryption.
We'll see how that plays out.
(14:22):
PKI: this is a framework of policies and standards and
software that enables the use of public key crypto and it
provides a means to create, manage and distribute the use of
revoked digital certificates.
It's just the overall framework using these various types of
cryptographic methods to ensure that you are using it in a way
that is consistent throughout the organization.
(14:43):
Key management practices: this is crucial. Again, we talked about
this a little bit already, is that you have these key
management things in place.
This includes secure generation of keys, storage, distribution,
backup, recovery and destruction of the cryptographic
keys, all part of the life cycle.
Poor key management can be very bad and it can set you up in a
situation where your organization can be taken over.
(15:05):
So you want to have a really good, strong key management,
especially if you're using cloud resources as well.
You're going to have a potentially different key
management system for that, so you need to have a good plan in
place.
Digital signatures and digital certificates. A digital signature
is a cryptographic mechanism used to verify the
authentication and integrity of digital messages or documents.
(15:26):
This ensures non-repudiation.
Digital certs: these are electronic documents that bind
the public key to an individual or entity used by a certificate
authority.
Okay, so you'll get a digital certificate for your website.
Those are binding that to you.
Non-repudiation: this provides undeniable proof that a specific
(15:46):
action or event has occurred and cannot be falsely denied by
the sender or receiver.
This often is achieved through digital signatures which link
the action to the specific private key holder.
Integrity: this is basically the hashing piece.
Hashing is a one-way cryptographic function that
takes input, obviously from the data, and produces a fixed
string character or a hash value.
(16:08):
This hashing is used to verify that the data is what it is.
So if you have it hashed in one, you compare it to a hash in
another.
If they are the same, then your data has not been manipulated.
If they are different, then you have a problem.
This indicates potential tampering with your overall
systems.
Domain 3.7, understanding methods of cryptanalytic
(16:30):
attacks.
Big words, sorry, big words.
Okay, so we have a brute force.
This is an attack that attempts every possible combination of a
password until the correct one is found.
That's brute force attempt.
It often is mitigated by having some sort of lockout policies
or multi-factor set up.
Ciphertext only: this is a cryptanalysis attack where the
attacker only has access to the ciphertext and attempts to
(16:53):
deduce the plain text or the key from the ciphertext.
This is very challenging because you've got to have a lot
of unknowns.
Now this works really well or not really well.
This will work if you do not have a good, strong encryption
strategy in place.
If you have a strong encryption strategy, it's pretty much darn
near impossible.
Known plaintext: this is a cryptanalysis attack where the
attacker has access to both the cipher and the corresponding
(17:15):
plaintext.
This does allow them to analyze patterns and potentially deduce
the encryption key or the algorithm.
Frequency analysis: cryptanalysis technique that exploits
the non-uniform frequency of letters or symbols in a specific
language.
It's most effective against simple substitution ciphers and
it's less so against modern, more complex encryption.
(17:36):
Chosen ciphertext: this is a cipher analysis attack where the
attacker can choose arbitrary plaintext to be encrypted and
obtain corresponding ciphertext.
This provides significant information to the attacker,
making it a very powerful attack against certain cryptographic
schemes.
Implementation attack: this exploits vulnerabilities in the
implementation of crypto or the protocol, rather than the flaws
(18:00):
in the algorithm itself, which can be challenging.
It's more role after the implementation.
This can include software bugs, hardware flaws and incorrect
configurations.
Side channel attack: these attacks extract the secret
information or the cryptographic keys by observing indirect
effects of the system's operation.
This includes analyzing power consumption, electromagnetic
emissions and acoustic signals.
(18:21):
Again, these are getting very challenging if you want to try
to do some of these.
Fault injection: deliberately inducing errors or faults into
the system, basically manipulating voltage or clock
signals to cause it to behave unexpectedly.
This can be used to bypass security mechanisms or extract
secret information specifically from that.
Again, all of these can be very challenging, but to the person
(18:42):
who has time on their hands they may be able to be doable.
Continuing with 3.7, timing: a type of side channel attack that
analyzes the time taken for cryptographic operations to
complete.
Variations in timing can reveal information about the secret
key or the data being processed.
Man in the middle: this is an attack where the attacker
secretly intercepts the relay communications between two
(19:05):
parties who believe they're communicating specifically to
themselves, but someone's in the middle.
This allows the attacker to eavesdrop, alter or inject
messages into the communication.
Happens a lot with SMS texts, but man in the middle is a true
attack.
That is out there and people are using it quite frequently.
Pass the hash: this is where the attacker will authenticate to a
remote server by using underlying NTLM or LANMAN
(19:27):
hashes, basically what the attacker's or the user's
password is, rather than the plain text password itself, and
they just basically impersonate the person using the hash.
It's common in Windows environments where hashes are
stored and used for authentication.
This should be addressed and many companies should patch for
this.
But if it hasn't been patched, pass the hash works very well.
(19:49):
Kerberos exploitation: these attacks targeting
vulnerabilities in the Kerberos authentication protocol and
involves ticket manipulation or brute forcing.
This includes Kerberoasting, which is extracting the service
principal names' hashes, and the golden ticket attacks, forging
the Kerberos tickets. Very similar to what we're dealing with
with pass the hash.
Very similar kind of concept. Ransomware: malicious software
(20:12):
that encrypts the victim's files and demands ransom payment,
usually in crypto.
You deal with this all the time.
You hear about it a lot, so obviously you probably are very
well familiar with what a ransomware attack is. Often
spreads via phishing emails or exploiting software
vulnerabilities, causing significant operational
disruption and data loss, and that's pretty much an
understatement.
(20:32):
It can cause all kinds of drama and it's very painful.
Domain 3.8, we're dealing with security facility plans.
This is a comprehensive document outlining the security
measures, controls and procedures for physical security
at a facility.
This indicates physical security with logical security
and considering the threats, vulnerabilities and risk
(20:53):
tolerance of the organization.
Site selection: this involves choosing a location or facility
that inherently minimizes a security risk, one that you'd
have it out in the middle of the desert, it's a great way.
And considerations including natural disasters,
susceptibility, proximity to high crime areas, utilities, all
of those are an important part of a site selection.
Political stability is another one.
(21:13):
At the company we're working with, we deal with the political
ramifications in other countries.
Facility design: this incorporates security principles
into architectural layout and construction of buildings.
It aims to create layers of defenses that would be perimeter
and buildings shells, all those, and it's designed to deter,
(21:33):
detect, delay and respond to the various threats.
Domain 3.9.
Design site and facility security controls. Wiring
closets and intermediate distribution facilities.
This is where you have a secure area.
This is where you'd implement physical security access, such
as locked doors, card readers, alarms.
All of these would contain critical network infrastructure
(21:55):
and they're all tied together.
Your environmental monitoring.
This would be monitoring temperature, humidity, water
leaks.
All of that would be part of your intermediate distribution
facilities and your wiring closets.
They want to make sure that you have all of that in place to
ensure that you don't have damage in those facilities and
that they maintain their uptime.
Server rooms and data centers: this will employ multiple layers
(22:16):
of defense for your data centers and your server rooms,
include fencing, access controls, video surveillance, and you
want to have some level of redundancy built into this, such
as to maintain these servers, which is cooling, network
connectivity and high availability and fault tolerance.
You want to have server rooms that are set up that, if they go
down or if there's a power flux, they can continue to operate.
(22:37):
Media storage facilities.
These maintain stable temperature, humidity to prevent
degradation of storage media such as tapes, discs, anything
that's old school like that.
They need to have heat and cold.
Heat and cold will destroy these types of systems.
You need to have good environmental controls
established, strict access control and inventory.
Again, many times this information is under legal hold
(22:59):
and you want to ensure you have robust access controls, detailed
inventory management and audit trails to track media and
movement, and then evidence storage.
This is to establish unbroken chain of custody, to maintain
integrity and admissibility of their digital and physical
evidence, store the evidence in secure, tamper-evident
containers or locations with restricted access and continuous
(23:20):
monitoring.
Again, all those are done in your facility.
Controls, security, access controls and segregation: you
want to implement appropriate access controls, such as key
cards and biometrics, to restrict entry to sensitive base
systems.
Now, clear zoning: this is where you define clear security zones
to separate the public, semi-public and highly
(23:40):
restricted areas within a facility.
Do you have a facility that has both where people can come in
and then where people are?
The public can come in and then you would have an area where
maybe some people can sit and wait for them to be allowed in,
and then you have an area that's restricted.
I dealt a lot with this in the manufacturing space, special
chemical manufacturing.
There was a very controlled, staged process in this entire
(24:02):
thing.
Utilities and heating, ventilation and air conditioning,
HVAC systems: these are physical protection.
They secure utility entry points such as water, gas and
electricity and HVAC systems from unauthorized access or
sabotage.
Again, you want to have those put in place for your HVAC
systems.
They are a crucial part.
Many people don't believe how crucial your HVAC system is to
(24:23):
your organization.
You have environmental monitoring and alarms.
This would implement sensors for temperature, humidity and
airflow when it will give you alerts if deviation could impact
your equipment.
It's an important part, right?
If these systems go down, if they get too hot, they shut
themselves down or they burn themselves up.
All of those are bad, from downtime to actual having
physical hardware to loss of data.
(24:44):
Environmental issues: you have water detection. Deploy water
sensors in critical areas to give you immediate alerts if
there is a water issue.
You have this in your homes.
You can put alerts for your hot water heater if it were to
start to leak.
Air quality and contaminants: this is where you monitor the
air quality and prevent damage from dust, pollutants and
(25:04):
corrosive gases, especially in data centers.
Fire prevention, detection and suppression.
Prevention: this implements fire-resistant building materials
and strict electrical safety standards on your systems
themselves.
Are they in tubing?
Are they in some sort of metal tubing and your wires are going
through conduit of some kind?
Detection: using multi-zone smoke and heat detectors
(25:25):
integrating with alarm systems.
And then suppression, employing appropriate suppression systems
such as pre-action sprinklers and/or gas systems for different
locations.
Considering looking for data preservation.
Power: if you're looking for uninterruptible power supplies,
or UPSs.
They provide immediate short-term power during outages
and allow for graceful shutdowns or generator startup.
(25:46):
The ultimate point of a UPS is not to run the system forever.
It's to allow it to shut down gracefully so it doesn't break
things or give you time to get your UPS up and running.
Generators offer a long-term backup power for extended
outages requiring regular testing and fuel management.
Again, you have to run them frequently, these systems.
If you don't run them, they break.
This would be independent multiple power feeds that come
(26:09):
in from different grids to ensure continuous power to your
organization, and all of those are around design, site and
facility security controls.
Thank you all again for joining me today on this podcast.
If you like what you heard, head on over to your local
podcast hosting like iTunes, whatever that might be, and
please leave me a rating.
(26:29):
Ratings are wonderful.
People like ratings, ratings are good.
So, again, head on over there.
Give me a rating on what you think.
Again, good, bad, ugly, that's fine too.
Whatever you need.
If you thought it was terrible, that's fine too.
But bottom line is I'm here to help provide you the information
you need to pass the CISSP exam.
Also, if you are interested in any of this content,
it is available to you at CISSP Cyber Training.
(26:51):
There's a lot of free content.
Again, my bronze package on my CISSP is all about giving you as
much free content as I can.
Everything out there, I mean, you can get it anywhere on the
web.
You can go to different videos, you can watch all this
different stuff.
But if you go to CISSP Cyber Training, I have curated free
content that's available for you step by step, by step by step
to help you pass the CISSP.
(27:12):
If you want more of a deep dive and understand what you need to
do to pass the exam and really get into some of this content in
more of a deeper level, and you need just maybe a little bit
more depth in understanding of the content, you can get my paid
resources that are out there.
There's over 36 hours of content, way more than that, it's
(27:34):
probably close to 40 now, with 1500 hours or 1500 CISSP
questions.
I've got deep dive topics, mentorship.
I got all kinds of aspects available to you at CISSP Cyber
Training.
So head on over there, check it out, see what you like, and
then we'll go from there.
All right, have a wonderful day and we will catch you on the
flip side, see you.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes,
(27:55):
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to
my channel at CISSP Cyber Training and you will find a
plethora, or a cornucopia, of content to help you pass the
CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360
free CISSP questions to help you in your CISSP journey.
(28:18):
Thanks again for listening.