
August 18, 2025 41 mins


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

The core principles of cybersecurity aren't just theoretical concepts—they're the practical foundation every security professional needs to master. In this deep-dive episode, Sean Gerber breaks down the critical components of Domain 1.2 of the CISSP exam, unpacking confidentiality, integrity, availability, authenticity, and non-repudiation in clear, actionable terms.

Starting with breaking news about Microsoft ending Windows 10 support on October 14th, Sean highlights the urgent security implications for organizations still running this widely-embedded operating system. He emphasizes the importance of comprehensive inventory management—especially for IoT devices that may contain embedded Windows components—and the available extension options for critical systems.

The heart of the episode delivers a comprehensive exploration of the CIA triad. Sean walks through each element with real-world examples: confidentiality through encryption and access controls; integrity via change management and validation processes; and availability through redundant systems and business continuity planning. But he doesn't stop there. The discussion expands to cover the DAD triad (Disclosure, Alteration, Destruction) which helps identify security failures, and the AAA framework (Authentication, Authorization, Accounting) that provides essential security controls.

What makes this episode particularly valuable is Sean's practical advice drawn from 25 years of cybersecurity experience. He emphasizes the importance of defense-in-depth strategies, network segmentation, and prioritizing critical systems rather than attempting to fix everything at once—"eating the elephant one toenail at a time." His methodical approach helps listeners understand not just the concepts themselves, but how to implement them effectively in real-world environments.

Whether you're preparing for the CISSP exam or looking to strengthen your organization's security posture, this episode provides the foundational knowledge and practical strategies you need. Visit CISSP Cyber Training for free study materials, practice questions, and mentoring options to accelerate your cybersecurity career.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started. Let's go cybersecurity knowledge.

Speaker 2 (00:28):
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today we're going to be getting into domain 1.2 and we're going to be getting into over confidentiality, integrity, availability, authenticity and non-repudiation. So that's the goal for today. Again, you can get all this content at CISSP Cyber Training anytime you want. Just head on over there and get it.

(00:49):
I hope you all are doing good, though. I mean, right now in Wichita, Kansas, it's a whopping 100 degrees, with a heat index of around 107. So, yeah, I'm enjoying life, and as you walk outside, you just start to melt. So it's good, it's awesome, but you're in a comfortable car or in your home listening to this video or listening to this audio.

(01:10):
Hopefully, you are staying cool. So let's get started about what we're going to talk about today. So Microsoft is ending support of Windows 10. Yes, that is true. I remember when Windows 10 first came out, it was like, oh, this is awesome, especially from Windows 7. And now Windows 10 is going away, and the interesting part of this is it's going to be ending.

(01:30):
October 14th, I think, is the date in which they have called out in this article, and this article came from the Bleeping Computer. One of the things about this is that you can extend service, and we did this a lot in the enterprises that we would extend service on critical apps, or I should say critical operating systems, for a period of time until an update would be available, or I should say a new version. We could get it tested, and it's $30 for individuals and

(01:54):
it's $61 right now and climbing for enterprises. So if you want to keep it up to date until October 13th of 2026, it basically gives you a two-year extension. You will have to get this done soon. Now, the interesting part in all of this is that Windows 10, similar to what happened with Windows 95, has been embedded in

(02:14):
almost everything, because it was really a stable Windows version that came out after Windows 7, which wasn't so stable, and therefore it got embedded in a lot of different things. So if you are dealing with Windows 10 still and continuing to operate in it, you need to consider getting off of it as fast as you possibly can. So just kind of put this in the back of your mind. If you are managing an enterprise for somebody, if you're the security

(02:37):
person for this, if you're the IT person for this, you better start thinking about it if you haven't already done it. Now, one thing that you may want to consider and really kind of dig into is IoT-type devices. Anybody that put in a Windows 10-type of light version of their operating system within IoT, those you're going to have to keep an eye on and you probably

(02:58):
are going to be going. You won't be updating them much at all because a lot of those are in a sensor-type of situation, but this is where we talk about a lot in the CISSP and in cybersecurity as a whole. You understand your inventory within your company, because if you don't know what your inventory is, this IoT device that's managing your fishbowl could end up leading to a compromise of a casino.

(03:19):
We've heard that before. I wonder where. So it's something to consider is that you just really need to make sure you understand all the devices that are going on with your network so that you can have a proper plan on how to deal with them. Again, all updates will no longer be available as of October 14th. You can get an extension for two years, but after that two-year bingo point, they turn into a pumpkin and can't be updated at all.

(03:40):
So just keep that in the back of your mind, all right. All right, let's get into what we're going to talk about today. Okay, so this is domain 1.2, confidentiality, integrity, availability, authenticity and non-repudiation. So again, domain 1, this is a focus on the CISSP, cyber training, or actually on the CISSP, not cyber training, but

(04:00):
CISSP, and this is domain 1.2 of the CISSP. You can gain all of this content available to you at CISSP Cyber Training. Go to it. You get a lot of free stuff. I've got a free bronze package. I guarantee you'll love it. It'll give you all kinds of free stuff. Just sign up for the package. That's what it is. Doesn't cost you a dime. It's free, doesn't nothing? Get you on my email list.

(04:20):
Any things that come out that's new, you will get updated on that, and that gives you my domain access, or it gives you access to a lot of the content that I've created. It also gives you access to my domain rapid reviews. It gives you access to other types of study materials. Basically, it's designed for anybody who wants to self-study but doesn't really want to pay for any additional products.

(04:41):
It's a good program for that and it'll help give you a good direction on what you need to do to study, self-study for the CISSP. If you want to have more detailed information, such as the videos that I'm showing here or other types of videos, you go and you can purchase my product that I have, as well as mentoring. I have that available. Go and check that out. Really, it's the best money you'll spend, especially if

(05:09):
you're trying to take your CISSP and you're trying to expand your career in cybersecurity, because I've got like 25 years of doing this. I can help you in many different ways. So go check it out at CISSP Cyber Training. Okay, so domain 1, 1.2, let's get into it. So confidentiality, what are some key concepts around confidentiality? This is the secrecy of data that is not made available or disclosed to people, and you really want to limit the

(05:30):
unauthorized individuals or entities from having access to it. Now, one of the key points on this as well is the processes, because you're going to run into, especially in today's world where you have LLMs connecting into networks, you have all kinds of webhooks going into networks, there are the processes as well that are occurring in the back end, and this can be very

(05:51):
challenging, because you have to know where are these processes taking this data and what are they doing with them and then are they maintaining the confidentiality of it. You are responsible for these processes, so you can't say you didn't have the ability to know it. If you don't know it, you got to find it out. So those are again unauthorized individuals, entities or processes ensuring that things are confidential.

(06:11):
Again, only the persons with authorized, or the persons slash entities or processes with authorized access. Unauthorized access would be a breach of confidentiality. So you have different types of how it's maintained, and one is through encryption. You have encryption at rest and encryption during transmission. Encryption at rest, this is where you have disk and type

(06:34):
encryption. You may have it on your SSDs, you may have it on your thumb drives, you may have it in your phone itself. Right, those are all types of disk encryption that's available. You may have traditional hard drive disks where it's encrypted as well. Network connections, this is where the data is transferred from one location to another. Is that data encrypted through SSL, IPsec tunnels and so forth?

(06:56):
Then how do you store the data? You have password storage vaults or some sort of managed key vaults that are available. This is where you would store passwords or key data that would be available to decrypt this encryption. There's a lot more countries now that are focused on the data encryption and they're trying to basically crack it so that,

(07:18):
because they know more and more encryption is being involved with the type of data transfers that are occurring. I just saw an article by Russia wanting to do this, which is kind of surprising, because they should be doing this by now already. In the past, Russia has had a very specific place where keys are stored and that you cannot store your keys anywhere outside of where they can have access to them. I don't know if that's still the case anymore, but because of

(07:43):
the data transfers is becoming so rampant, they also see the need to ensure that they can have control over the data traveling in and out of their countries. Access controls, this is where you have put access controls on folders, applications, any place where data is stored or transmitted, and so this isn't like if you have a location such as you're doing file transfers for money, is

(08:04):
that data being stored there? Are there access controls on those files? Are there access controls on those folders? Is there some level of protection that is then limiting the amount of data that's going out from that location as well? So again, confidentiality maintained. Now where confidentiality can be compromised. This is where data is shipped in plain text or stored

(08:26):
unprotected. This happens a lot, way more than it should, but this is something for you, as a security professional, need to be aware of. Now, does that mean that if data is being shipped in plain text, that is bad? No, not necessarily. There may be situations due to risk to your company that you may go, you know what, it's not a big deal, I don't care.

(08:46):
That being said, that means you have a really true, good understanding of all the data paths within your company. Where does the data go? Where does it leave? Where does it originate? Where does it terminate? If you have really good understanding of all the data paths within your company, you can take a risk approach and say, you know what, I'm not going to encrypt that data.

(09:07):
If you don't have that, you have to be buyer beware. You need to be thinking about this strongly to go, yeah, I don't know. So do you want to take the risk? Passwords being shared or stored in unprotected file structures. What's that? That's an Excel spreadsheet without a password on it. I would say that for sure. Or in emails or in memos. That would be a bad thing.

(09:28):
Everyone who has access to a file, folder or structure without audit. What does that mean? It means, is there a file folder that everybody in your company can see, and is that really truly what you want them to do? In most cases that is probably not the case, because there's probably data in there. So let's just use an example. You have an employee but you have a contractor. Do the contractors need to have access to that folder?

(09:51):
Been in many organizations where contractors have access to folders and data they should not have access to. So again, you need to understand the access to the file folder, structure and all of that done without audit. And then employees are socially engineered. They click on links allowing for unauthorized access. That's where confidentiality can be compromised.

(10:12):
Once again, other considerations around confidentiality: data sensitivity, how sensitive is the data to your organization or company? Is there intellectual properties or critical business processes? And then operators' decision rights, what do they get to do with the data? Then this comes down to a really big part. We talk about a lot in Domain 1, but we'd really talk throughout all the entire CISSP training, is who owns the data

(10:35):
and who has a decision right specifically for that data? Is it IT? Is it the data owner? Is it the CEO? Is it somebody else? Is it legal? Who owns that data? And that is one of the key crux questions you need to ask when you're dealing with the protection of any data within your company and looking at it from an organizational standpoint: who owns it, who's responsible for it, who's a

(10:58):
custodian of it, et cetera. Now some other considerations that you need to consider about confidentiality: data criticality. Does your business require data to remain confidential? Is it required to run your organization, or does it give out business critical information that is specifically for your company? Data privacy, regulatory requirements for keeping data confidential. Are there any that you have to deal with and

(11:20):
maintain? If there are, you need to know what these are and your leadership needs to know what these are. They will rely on you, as the security professional, to keep them out of trouble, but at the end of it, you need to understand it and you, as a security professional, need to be briefing your senior leaders. What are the regulatory requirements? What are they now and what do you see coming in the future? You can run into reputational damage for data loss if you are

(11:45):
allowing people's private data to be leaked and expunged. That could cause all kinds of issues with your company. So again, data privacy is a big deal. Data system isolation. Do these systems and the data need to remain isolated specifically to protect them? Do they need to be in their own protective bubble? Do they have to have their own reduced or, I should say,

(12:07):
segregated network that's specifically for them? Is there, based on any sort of regulatory or compliance requirement, that's forcing you to put them in this bubble? That's a question you have to ask yourself. Data systems or seclusion, storing the data in and out of the way of locations. Is the data going in and out? How is it best secluded and maintained, and then using strict access

(12:29):
controls to maintain the seclusion and keeping it whole. Data secrecy, the act of keeping something secret or preventing disclosure. You want to make sure all the data there is kept in a secret and protected environment, and it does help prevent disclosure from something happening. So that's what data secrecy is. So you got data criticality, data privacy, data isolation,

(12:51):
data seclusion and data secrecy. Integrity. What are we doing to deal with integrity? Integrity is dependent upon the confidentiality of the data. Specifically, it maintains the assurances around accuracy and completeness of the data. Is it complete? Is it something that you're not having missing data, missing information? One thing, that if you have the data that is missing

(13:11):
information, you become not really positive about it. Right? You think, okay, now if I'm missing data in this spot, am I missing it over here? And you lose confidence in the overall data integrity itself. This also includes the data integrity from the life cycle, from the birth of the data to the death of the data, and that means that there's times when you will go through and

(13:32):
completely gut your. I mean you'll go to many organizations and there is data glut, and what that means is is they have been keeping data and hoarding data for years and years and years, and now they have all of this discoverable information that, one, could be very damaging to a company, especially if it's looked through the eyes of a legal team, because they can twist it in

(13:52):
all kinds of different directions. And then, two, the data is old, and if it is old, is it really valuable to your organization? So this maintaining the assurances around the integrity of it from the time you birthed it to the time you killed it is an important part that you have to consider, and it really, most companies do not do this and they don't do it well unless

(14:13):
they're highly regulated, and so, therefore, it's imperative that, if you're looking at this from a small company standpoint, you need to think about how do I do this and how do I keep my data clean and how do I get rid of the old data that it's not needed anymore? Data cannot be modified or unauthorized in an undetected manner. When you're dealing with integrity, again, that's transmission and storage that keeps the bad guys and girls

(14:35):
from going in and making changes to logs. It also, it makes, builds the integrity and the confidence of the data itself. And then you need to ensure, or process to ensure, proper change of the data. So, if the data just needs to be changed, is there a process by which it's changed, it's modified, it's tweaked, and is that process duplicatable? Is it being managed?

(14:56):
Is it being properly monitored? So those are all part of the integrity piece. Now, integrity maintained: security mechanisms are in place to ensure the data has not been compromised, like we talked about. You have encryption in transit and in rest. There's also proper access is provided the data via authentication. Do you have multi-factor? Do you keep authentication logs in each of those folders that

(15:19):
have the ability to understand who had access to the data? Last, keeping unauthorized people, i.e. contractors, away from the data is an important part. Audit and oversight trail, you have proper logging, monitoring and ensuring that only proper access to the systems is allowed. How does integrity compromise? Well, when the data is transmitted or stored in an

(15:41):
unprotected containers or media without encryption. A person put a whole bunch of stuff out there on the web to share it in a Google Drive and didn't protect it. You know that's the key one right there. Inadequate authentication methods that are in place. You're not allowing authentication or you don't have a good one in place that is incorporating that within your organization, and now

(16:02):
anybody can gain access to the information. Systems are not logged, monitored to ensure data integrity. Therefore, if you don't have logging in place, how do you know who has access? How do you know who got access, who doesn't have access anymore? That's your integrity compromised. And then other considerations around availability would be accurate. Is the data correct and precise?

(16:22):
Is it specifically what you need? I would say I'm probably guilty of this more than ever. Is that is my data that goes in always what it's supposed to be? Is it the right numbers, is it the right information? And that isn't always the case, and so do you have mechanisms in place to ensure that the data that is placed into these files is correct and is precise? Accountability, the person who's responsible for the data.

(16:45):
This would be the action or the result, which we talked about again earlier, is the fact that do you have the right people that own the data, that are the custodians for the data, that manage the data, and is that defined in their roles, responsibilities and potential expectations for their job? Other considerations around integrity would be non-repudiation. Now you cannot deny or an action event that has been

(17:07):
performed or has occurred. This is what they consider non-repudiation. Certificates, transaction logs, etc. These are all non-repudiation aspects. That's the essential part around integrity, and if you doubt the data, then this whole thing kind of falls apart. So non-repudiation is a very important part of integrity. It needs to be complete, having everything you need as a result

(17:29):
within the data. Is it all there, as you expect? There's nothing missing, no gaps? Again, responsibility, who has control of the data and has that been well defined? And then the completeness. Is all the data included? Does it have all the necessary pieces and parts needed to ensure that you feel confident the data has full integrity and is available to you?

(17:50):
That moves us into availability. So availability, this is where authorized items are granted timely and uninterrupted access, and this is available for when it is needed. So high availability systems must remain available at all times, and that's an HA system. In many HA systems, you will have redundant systems to ensure high availability. Now, this includes efficient,

(18:12):
uninterrupted access, which would be prevention of denial of service attacks operating. It could be a mass flood of data coming in through a SYN flood or something along those lines. It could be as simple as a backhoe chopping a line. That would be a denial of service. But it helps to understand that if you have backups in place,

(18:32):
if you have redundant systems in place, this will ensure that you have availability. There's intentional and unintentional accidents, like I said about the backhoe, but all of that's where availability is an important part in thinking about. How do I maintain the data? Now, how is availability maintained? Power is maintained and kept available, right.

(18:55):
So do you have UPSs? Do you have an uninterrupted power supply that's keeping the data center active and operational? Do you have highly available systems and devices? Are hardware in place to ensure the systems stay operational in the event of a failure? Are there policies and procedures that are defined specifically on how to deal with disaster recovery and business continuity? Are those policies in place and is there a testing plan in

(19:17):
place as well? And this is used to address any critical business systems out there. So, again, availability is an important part of your policies, procedures and your systems and the overall devices. Availability compromise. So this is where you have a denial of service causing an outage, which we talked about just a brief minute ago, dealing with SYN floods within the network.

(19:38):
Do you have it from an internal denial of service or is it an external attack from outside parties? Which one is it? This is where availability will ensure that you have these systems up and operational and available to you. There's critical systems that are available. Do you have power protection in place to help these critical systems? Have you defined what these critical systems are?

(19:59):
Do you know what these critical systems are? Is your business aligned with that? They are actually critical to your organization. Those are big key factors you really got to think about. I've dealt with that a lot and that's something to consider. But again, critical systems focus. Focus on something like that. If you're going to be trying to protect your entire environment, focus on the critical ones first. Figure out what is

(20:22):
critical and then go from there. Other considerations around availability: usability, how easy is it for you to use it and can it be understood by the layperson? And what I mean by that, can it be understood by a third grader? I mean, ideally, as adults we go, well, we're smarter than a third grader. Well, a third grader is pretty smart, but if you can get to a third grade level when you're communicating with people, that

(20:49):
is huge. That's really, really big. And then that means most people can understand exactly what's going on. Is the system easy to stand up, restart, reconfigure in the event of an incident? Do you have that planned out? Do you have the documentation to support that? Accessibility, how easy is it or hard to manage? Can individuals manage it relatively quickly or is it take a lot of time to do that? Do that? Can others interact with a system or is it extremely

(21:10):
limited to only those who can manage the system? Accessibility, big factor. You give too much accessibility, well, you can have problems. You take too much away and don't give people access, you can have problems. There's that fine line between their. Timelines, is it? Is it promptness on time? Is it a reasonable time for recovery? Is it I can have it recovered within a day, within an hour,

(21:31):
within minutes, or is it going to take me two weeks? Those you have to determine the timeliness of that availability. Is that important to your company? Maybe two weeks is fine, but on a critical system, probably not. Two weeks probably won't cut it. It's probably more like, yeah, you said you'd have it up in a day, but we want it in hours, especially after it happens. So can the system be restarted, reconfigured, reinitiated in a

(21:53):
quick timeframe? Things you need to kind of think about. Now, security mechanisms outside of the CIA triad, you have your network and system layering. This is commonly called defense in depth, and I kind of talk about that here just a little bit further down in the slides too. This is a series of restrictions, limitations. As you travel farther down the stack, you have issues that you

(22:15):
have to work through. This is the different layers of depth and this is the defenses that are tied with that. This includes logging, monitoring during each of these steps and then different authentications during the various steps as well. This would include, one example I have on here is industrial control systems. If you go to an industrial control system, you should have it segregated from your business network, which means if I jump

(22:36):
on your business network from the internet, I should not have direct access to your industrial control systems. That controls your power, electricity, toilets, you know, whatever you want to call it, doesn't control that. That would be a good way of layering your protections. If you have it all in one network, that's not really a good defense in depth thing. That's like flat network open to the world.

(22:57):
Obfuscation, this is hiding of the data. This prevents the data or information from being discovered and or accessible. Intentionally hiding data within a network or infrastructure would be considered obfuscation. Now, that being said, we'll get into some more details around obfuscation, the benefits of it. I hear pros and cons with it. So it just kind of depends on your situation and where you're

(23:19):
at with your company if you think obfuscation is a good example. But as an example, we have labeling. You have secret sauce, right? You label that secret sauce, which I, as a hacker, would go after and go, ha-ha, secret sauce, let's go there and find out what's in that. To file 1, 2, 3, 4, 5, 6, 7, 8, 9, X, 9, 2, 6, 7, 7, 2, 4. Okay, whatever you want to, it doesn't transmit, right.

(23:41):
The naming convention does notmatch.
So you think well, as a bad guyor girl, it's not a big deal
and that's true.
That works really well.
However, it does confuse thedickens out of people.
Second, what it does is youhave to refer to it at some
point in some of yourdocumentation.
And so if you have a person whodoes OSINT operational security

(24:02):
intelligence if you havesomeone that's actually doing
osyn and looking at your networkand pulling down the data,
pretty quickly, they'll find anemail that'll say 12345 is
actually secret sauce.
And so what do they then?
Do you change your algorithmsand your scanning to look for
12345?
So again, it does slow downpeople.
It does.
You can put triggers to makealerts in place that would say
hey, why is somebody scanningfor 12345 or secret sauce?

(24:26):
But Bottom line is it has mixedreviews.
The system is so buried, it'sintentional, it can't be found.
People do that.
But again, I still strugglewith that whole piece.
There's one thing that asoftware one of the examples we
had as well is a softwareprogrammer creates a program
with a flaw and releases it,hoping it will not be exploited.

(24:48):
Basically, they went throughtheir entire development process
, know there's a flaw in there,don't want to go back through it
.
So they're like, yeah, it's soburied in the code, no one will
know it, just release it andyeah, somebody will find it.
They usually do, and at themost inopportune time.
Okay, so what's another thingoutside of the CIA triad is
encryption.

(25:08):
This is where it's extremelyimportant parts of any security
program and it can be applied toany file type and is extremely
versatile.
But it also is extremelychallenging, right, depending on
how you use it and how it'sused within your company.
There's a lot of unencrypt,decrypt, recrypt, yeah, all that
fun stuff Storing withencryption keys.
There's lots of moving partswhen you're dealing with

(25:28):
encryption, and so people tendto just either don't do it or
they tend to just kind of turnit on for some stuff, but for
most stuff they don't.
Because of this, they have poorencryption practices, and then
these can be extremelydetrimental to an organization.
It gives you a false sense ofsecurity, thinking ha ha, I'm
good, but yet, oh, you're not.
And so therefore, you struggle,struggle, something bad happens

(25:52):
and you're like I thought youhad security.
I did, but they didn't use thefile that had security.
They used the file that didn'thave security.
Yeah, then your kind of name ismud and nobody's happy and then
things go badly for you.
So you need to really considerthis.
I mean, I mean it, I'mstressing this stuff hard.
You are probably a securityprofessional going into an

(26:13):
organization and you probably deal with a whole bunch of nastiness, like Medusa. It's got lots of heads. But you're going to have to work through it one step at a time, and I would recommend eating this elephant one little toenail at a time, because it's going to be a big challenge for you to try to do it all at once. You will fail. I'll just be blunt. You will fail if you try to do it all at once.

(26:34):
Pick something, work on that, then, after that's complete, pick something else, work on that and then try to fight the fires in between. Okay, the DAD triad, right. So we're dealing with the DAD. Now what is the DAD? It's disclosure, alteration and destruction. Not the dad bod, but DAD: Disclosure, Alteration and Destruction. So what is this?

(26:55):
This represents failures of security protection of the CIA triad. It's useful to recognize failures of mechanisms when you're dealing with the DAD. So the failures of the triad are DAD. Disclosure, right. You have disclosure of sensitive or confidential material that is accessed by unauthorized entities. That breaks confidentiality. Boom, baby.

(27:17):
So this would be your, like, you see on a daily basis: so-and-so's data just got compromised. 18 gazillion passwords just got compromised. So-and-so's data is also now out in the wind. So that's disclosure. Alteration: this occurs when data is either maliciously or accidentally changed. I've seen this happen where bad guys and girls have gone in and

(27:38):
changed the data specifically to try to get us off the scent, and afterwards we are chasing them. This also. I've seen employees do this because they're doing bad things that they shouldn't be and they're trying to hide what they're doing. So alteration, and then D, destruction. This occurs when resources are damaged or made inaccessible to users: a denial of service attack or a logic bomb,

(28:00):
something like that. Seen that happen, where an IT employee decides to go, I'm going to make your life painful, and then they go and they did it with that accent even, and what they end up doing is putting a logic bomb in and once they leave the organization, after a certain date, it goes boom. And when it goes boom, everything goes away. Yeah, that causes all kinds of chaos and pandemonium for quite

(28:21):
a while, and it's quite expensive. That person, though, is breaking big rocks into little rocks, so don't do it. I highly recommend it. Use your powers for good, not for evil. All right, now we have the dad bod. Now we're in the AAA, right? For old people. No, that's... I don't. Yeah, that's not. I think it's old people. No, that's AARP, that's for old people. AAA services.

(28:42):
Okay, the key concepts around this are authentication, authorization and accounting. Now, there are five elements of the three A's. So, again, the three A's are authentication, authorization and accounting, but there are five elements to each of these, or to the overall three A's. One is identification. This is claiming to be an entity while attempting to access a secure area. This is understanding identification.

(29:04):
Now, this starts the process for authentication, authorization and accountability, and that is what you need to tie, though, people, is that when you're identifying something you need to, and they're attempting access, it's through identifying that you have the right person. Another element is authentication. This provides that you are the claimed entity, right, so it requires a person to provide additional information that

(29:26):
matches the identity. Now, in some cases, if your phone, it could be your eyeballs, it could be your fingerprint, it could be a password, could be a CAC card, a lot of different things, right. Identification and authentication are commonly used together. They're considered in many ways kind of symbiotic, but without both you cannot access the system or the device.

(29:46):
So it's an important part for you to be able to control what you gain access to. It also has a good audit trail to find out, did you do something you shouldn't do as well? Now authorization, another one of the five elements, is defining the permissions, which would be allow, grant, deny. Those have to be defined well. Now I would say authorization is probably where we fall down quite a bit, because, rather than trying to figure out what

(30:08):
Sean should have, I just say allow all, Sean can have it all, don't worry about it. It's one less thing I got to deal with. They got it all, and then that may be fine for the first four or five people, but then you have 500 and then you got a problem. Once authenticated, then the authorization must ensue and then this ensures that request, activity or access is granted to the individuals.

(30:29):
The individual may have identity or authentication but potentially may not have authorization. And that does happen where that person has the name, their AD, or the name, their password, but they are not authorized to gain access to the file or folder, so therefore they're blocked. So that's a good thing. The more you can integrate that within your multi-factor

(30:50):
authentication schema, that is going to be great. There are lots of programs out there, like SailPoint and other types of activities, that can provide you a really good, seamless experience, but in most cases, most companies, it's Bill who's clicking allow, deny, allow, deny. And what does Bill do? He goes, I don't want to deny, it takes too much work. Allow, allow, allow, allow, and yes, then you have fun things.

(31:15):
Another element is auditing, right? Oh yes, I know auditing is a dirty word, uh, but it's important, right? So, recording of log events and activities related to the systems: is it being monitored, is it being logged, is it being watched? Uh, this is probably one of the areas that people definitely do not do much of. If they do, it's very limited. And this comes back to the critical aspects that I

(31:36):
mentioned earlier. If you know the critical systems, those should be logged. Yes, indeed, and you should keep those logs for a period of time long enough to know that if you need to go back and look at them, you have the data that you can go look at. Don't make the log data good for, like, three days. That's on a critical system. That's not a good idea. That's a bad idea. You need to really have it longer, like 30 days, or probably

(31:59):
90 would be even better, because it usually takes anywhere from 90 days to six months to find a bad guy or girl in your network. So having log data on critical systems at least 90 days would probably be valuable. But that all costs money and you got to kind of determine what's it worth to you. Holding a person accountable for their actions: important part of auditing.

(32:19):
Yes, why are you accessing those file folders that say plush kitty videos? Those are only for the CEO and yet you're watching them. Why is that? That would... you need to hold people accountable. They're not allowed to watch those plush kitty videos. Additionally, is it a process for looking through unauthorized or abnormal activity?

(32:39):
Again, you don't know what's... You don't know until you start looking and then, when you start looking, you go, oh, why is this? Now I will tell you that sometimes you may look at logs and go, oh, why is this? And then you chase a rabbit that doesn't exist and you waste a lot of time. So you've got to be very careful when you're looking at logs, because logs are not always perfect and they can give you advice or they can give you guidance or direction that may

(33:02):
not actually exist. Accounting: this is reviewing the log files and looking for complete compliance and violations. Again, bringing out the hammer and schwacking people over the head with it. Not physically, that's assault, just, I mean, talking to them. Right. Accountability must be maintained. And then, linking an individual to online activities is an important part. All of that's done through the accounting piece of this.

(33:23):
So those are the five elements tied to the three A's. Now, key concepts. Security concept that data is authentic or genuine. Again, authenticity, it's an important part. This originates from the alleged source. Where did it come from? And this is very close in nature to integrity on the CIA triad: change in transit or while it's being stored.

(33:54):
This is the confidence in the validity of the transmission or the message or the message originator. Again, you want to make sure that whatever message or document you're using is authentic, it isn't a forgery and it hasn't been tampered with. So, again, it gives you a high level of confidence around it. I will say that with the PKI system that has been developed, you do get a really strong sense of integrity and authenticity, specifically when you're dealing with email messages.

(34:16):
But if it's not deployed well, then you may have started having questions about that. Non-repudiation: yes, this is where the subject activity or person who caused the event cannot deny the event happened. Back to the point with the plush kitty videos: yes, it wasn't me, it was my dog that did it. Yeah, was your dog logged in as gerber s?

(34:37):
No, but so then it's you. Um, so again, ensure subject activity or the person who caused the event cannot deny the event occurred. This prevents people from claiming they have not sent the message, performed the actions, etc. This is made possible through identification, authentication, authorization, accountability and auditing. Non-repudiation: did you do that?

(34:58):
And yes, I have employees that go and they will. They bent my fin on one of my Kona trucks. Did anybody do it? No, it wasn't me, it wasn't me. But oh wait, the non-repudiation piece was you were working that day and it wasn't bent the day before. So it is you, it's non-repudiation. But then they came and said no, it wasn't me, somebody else borrowed the truck. So, yeah, you got to have non-repudiation.

(35:20):
It's important. Established through digital certificates, session identifiers, transaction logs and access controls. Digital certs are really good. Again, they work really, really well. They also can be very challenging depending on how you have to deploy them. If you have an automated system, they deploy wonderfully. If you don't have an automated system, they suck, that's just... That's just... They're painful.

(35:40):
Essential part of accountability, again, is an important part of non-repudiation. If you want to be accountable, have things accountable, you've got to be able to prove that the person, who or systems that were accessing it are truly them. This is a really important part when you're dealing with service accounts, because now anybody potentially can have a service account. So if a service account is connecting to something and you know that it's connecting to it, you need to be able to

(36:02):
understand who has access. And then are we sure that that was the actual service account and it wasn't somebody posing, just utilizing the service account for something else? Protection mechanisms, the role... we finalize all this up. We kind of talked about this earlier, but one of the things I wanted to just kind of come back to is defense in depth, and this we talk about layered protections.

(36:23):
This combines tools such as firewalls, intrusion detection, access controls. All of those are done for overlapping the safeguards as well, and this mitigates the risk through redundancy and diversity. So the redundancy and diversity will help mitigate this through the different layers that you have within your organizations, like a cake. If you have a multi-layered cake, you eat one part, you come to another, eat another part, come to another.

(36:44):
It does reduce the likelihood of a successful attack if one layer is potentially breached. If you have a flat network where your business network and your industrial control network are on the same network, that is a one-layer cake. That's a sheet cake. No sheet cakes. You want multi-layered cakes. I'm getting hungry as I say this, but that's true. You want multi-layered cakes. An example would be a corporate network uses perimeter

(37:05):
firewalls, then they have endpoints, then they have multi-factor to protect each of these sensitive data. If an attacker will go past a firewall and the MFA, there's still other mechanisms to catch them, and if you bypass an MFA, then you've got bigger problems as well. Abstraction and hiding data: some things to think about there. This is where data hiding restricts access to sensitive

(37:26):
data based on the role, and it also will help conceal the potential raw data that's there. It does enforce least privilege and it's a core principle of protecting confidentiality when you're dealing with restrictions. It limits exposure to critical system components of unauthorized users. And I would say, if you have critical systems, putting them in separate networks is an important part. R&D networks,

(37:48):
good example. If you have a research and development network, it should be in a separate, segregated network and it should have protections going in and out of it to protect the data that's coming in and potentially leaving. You may not even have the data allowed to leave. Only data can come in, which would be a great way to help protect against any sort of data theft. But again, this, you know, like a hospital database is an example

(38:09):
you have. Nurses will access a simplified interface, obviously showing the vitals, but they cannot get into the underlying tables and any of the content that's in there. They're unauthorized to do so. So that would be the abstraction piece or the data hiding piece of this. Again, you want to have a strong company that you'll go through and you make sure that these protections are in place

(38:30):
and you, as a security professional, need to go and audit these. You need to verify that they are in place, that the nurses can't have access to the data, especially they can't have any sort of write access to the data, and then encryption and security boundaries to fortify data protections. So you have security boundaries such as DMZs or process isolation that will segregate a trusted or untrusted network.

(38:52):
So we've talked about this just briefly a little bit ago. It reduces the attack surface and supports risk reduction, maintains compliance with security policies by controlling data and systems interactions, and the thing with that is you are going to run into countries that will require you to have segregations and that you will maintain those segregations and that you will document where those segregations are in place.

(39:12):
So I highly suggest that if you are in any sort of regulatory environment and in today's world, especially if you're dealing with defense contractors at all in the United States, you're regulated, whether you like it or not. So it's important that you have good security policies in place and that it's defined well with your employees. Now, an example of this would be a company's web server in a

(39:32):
DMZ uses HTTPS with TLS 1.3, and then they secure customer transactions, right, and from there you can't just gain access to the database. It's not front facing at all and this would protect anybody from the outside gaining access to your web server and then gaining access to the underlying databases. You've got to make sure that you have protections in place

(39:56):
for all these specific activities. So, again, an important part of the overall plan. Okay, here are the references for today's stuff. Thanks so much for joining me. This is all I have for you today. Head on over to CISSP Cyber Training and check out what I've got. I got a bunch of free stuff, my bronze package. You'll love it. It's amazing. Check it out. All my free stuff is there. It's all in one spot for you.

(40:20):
I just wanted to make it easy on you. You can get my blogs. You can get access to the videos, the rapid review questions. You can get access to my 365 questions that I provide for people who sign up on my email list. You gain all kinds of great stuff that's there just through the bronze package. If you want more details, you want this video, you want this in a curated format, look at what my other packages are: my silver, my gold. Those will provide you all this content to help you pass the

(40:42):
CISSP the first time. That's the goal. We want to help you do that, as well as I'm here and available to you to mentor you, to give you the knowledge and guidance you need to help navigate this whole cybersecurity space. It's here for you, from resume prep, interview prep. All of those pieces are available at CISSP Cyber Training, so go check it out. All right, I hope you all had a beautifully blessed day today.

(41:04):
Please stay warm. Actually, I shouldn't say stay cold, stay cool, stay cool. Go float around in a pool, if you got one, but if you're listening to this and it's the winter, well then, go find someplace warm so that you can snuggle up. All right, have a wonderful day and we'll catch you on the flip side, see you. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes,

(41:25):
as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey.

(41:48):
Thanks again for listening.