
August 28, 2025 32 mins


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

The digital world has opened up unprecedented opportunities for scammers, and seniors have become prime targets. In this alarming and informative episode, we dive deep into the FBI's recent warning about AI-driven "Phantom Hacker" scams that have already stolen over a billion dollars from American seniors through sophisticated three-stage attacks.

What makes these scams particularly devastating is the deployment of AI voice cloning technology. With just a small sample of someone's speech, scammers can create perfect voice replicas that sound exactly like trusted family members or financial advisors. This technology has advanced to the point where distinguishing between real and AI-generated voices is nearly impossible for most people. As cybersecurity professionals, we have a responsibility to protect vulnerable populations through education and clear verification protocols.

The episode transitions into a comprehensive review of CISSP Domain 4, covering essential communication and network security concepts. We explore voice communications security for both traditional telephone networks and modern VoIP systems, email security protocols including SPF, DKIM, and DMARC, and remote access considerations with VPNs. The discussion covers critical decisions between split and full tunneling, network address translation complexities, and third-party risk management through formal agreements and vendor assessments.

Whether you're preparing for the CISSP exam or looking to strengthen your organization's communication security posture, this episode provides actionable insights on protecting against today's most sophisticated threats. The convergence of AI technology with traditional social engineering tactics demands a new approach to security awareness and technical controls—one that acknowledges voice is no longer a reliable authentication factor on its own.

Ready to continue your CISSP journey? Visit CISSPCyberTraining.com for free resources including practice questions, rapid review videos, and a comprehensive study plan designed to help you pass the exam on your first attempt.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started. Let's go, cybersecurity knowledge.

Speaker 2 (00:28):
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is part two of the CISSP Rapid Review for Domain 4. You can get all these Rapid Review videos and audio at CISSP Cyber Training, so head on over there to get it and it's available to you. If you just sign up with my free program, you can get access

(00:49):
to all the rapid review videos as they come out, so it's pretty awesome. But before we do, I wanted to kind of quickly talk about an article that I saw in the news. This was from the FBI and it's on Fox News, but it was "FBI warns seniors of a devastating AI-driven scam." Now I will tell you, this is probably one of the biggest concerns I have related to AI, and I've got parents that are

(01:13):
seniors and they are in a situation where they don't really do much online, which is a good thing. However, because their pot of money is so important to them, they are also very, what do you say, trusting in some regard, and this is bad. I mean, this is really bad, and I need you guys, as cybersecurity professionals, to start really thinking about how

(01:33):
do we help mitigate this risk? And a lot of it is done through education, and you all are the smart people in the room, so you need to educate as many people as you possibly can, and this isn't just seniors, this is everybody. But this situation, this is from the Phantom Hacker scam, and they've already cost American seniors over a billion dollars and they continue to target, obviously, their different

(01:53):
savings that they have. Now there's three stages with this. A tech support imposter, right. So this is where someone can come in from tech support. They can come in from the bank. Even I've seen this where, hey, I know you bank at XYZ.

(02:15):
Go there and you can get access. We're going to help you with your system because it's slow, and they know that you bank at this location, so they may even do that. Or they may say I'm from Microsoft, and they may gain access to the victim's computer because of that. So these people don't really know what they're doing. Right, they're very good at what they did when they were younger. They're very, very good at what they, as great senior citizens, they have a lot of experience. But when it comes to this IT stuff, in many cases, not all,

(02:36):
but in many cases, they are just not adequately prepared. So the tech support imposter will come in, gain remote access. Then a bank imposter will convince them to transfer funds for security reasons. So someone from the bank, air quotes, will call them, and this can be done through AI as well. And the government imposter, then there's a third person, will advise them about moving money to a safe alias account.

(02:57):
So all of this can be done in different ways. But if I have one person who's using different AI tools to help basically personalize the attacks, and this can happen through sending messages, through what the hobbies maybe they posted on Facebook or other types of social media, to increase the level of trust that they have, so it's really, really

(03:17):
bad, and it's imperative that you, as security professionals, work to understand a lot of these situations, to help your seniors out and to help anybody out, because this won't just affect the seniors. This can affect a lot of people, because AI is so good and it can be such an imposter to people's voice that it is.

(03:37):
People will make mistakes, and so therefore, I mean, it's to the point now where they've got folks out there that can, if you have a little bit of samples of your voice, such as what we do with this podcast, it can create podcasts for you. I mean, that's pretty spooky, and it can actually do it based on how I speak, and so therefore it makes it really challenging for someone who maybe trusts the name and goes, hey, you know

(03:59):
what, I'm going to talk to so-and-so, maybe she can help me out with all of this. So it's imperative that you work really hard with your seniors to educate them on the fact that no one will call you from the bank and ask you to transfer money. That will not happen, and if you need to, you physically get up and go to the bank if you have any questions. Do not do anything over the phone.

(04:20):
Don't transfer money. Do not allow anybody to have remote access to your systems. If you have a problem with your computer, then you need to call somebody to have them come out to your computer. Somebody calling you saying, hey, we're here to help, that never works. That's usually a bad idea. So the recovery rates it mentions in the article are very bad, right, 10% to 15% of getting the funds back, which basically

(04:42):
means your money is gone, and these people work their entire lives and then the money is gone. And then what do they do? Right, they have nothing. So it's imperative that you help them. I'm trying to beat on this drum because I've got parents of this age and I've seen it happen and just destroy people's lives to the point where they don't want to be here anymore and they end up hurting themselves because of it. So it's just imperative that you guys work to help people out

(05:05):
on this and we take these people down as much as we possibly can, because it's just, it's bad. It's really, really, really bad, okay. So again, have open conversations with your loved ones. Make sure you teach your people to watch out for that. Make sure you educate your employees. I would honestly, if you have new security within your company, I would talk with your senior leaders and see about putting something out for your company to have your employees talk with

(05:28):
their more senior parents about these situations. This is a big deal, guys, really big, and I can't stress this enough, because it will impact and hurt people badly that are probably some of the most vulnerable and they don't need to be hurt. So, again, go check it out. Fox News, it's basically "FBI warns seniors about billion-dollar scam draining retirement funds," and then

(05:50):
they're saying AI is driving a lot of this. Okay, so we're going to now roll into part two.

Speaker 1 (05:57):
Part two of the CISSP Rapid Review for P4. So this is actually just a domain four. So part two of domain, uh, four for the CISSP, for voice communication rapid review, and it does rely on copper wires and switching centers to do the work.

Speaker 2 (06:13):
So this is the old school where you had somebody sitting behind a desk and they're plugging in different wires into different ports to make the communication, the connection. Uh, this is a PSTN now. Now, granted, obviously that was really old school, but it's the traditional old type of phone network. It is susceptible to wiretapping and eavesdropping and denial of service as well.

(06:34):
They still exist in different places. Obviously, in areas that are maybe a little less developed, they're more prevalent. But bottom line is, PSTN is still out there and you, as a security professional, need to understand what a PSTN network is. Voice over IP. This is what allows for voice and multimedia communications over IP networks such as the internet, and then, obviously,

(06:54):
it's instead of the traditional phone lines that you would have, such as a PSTN network. They are becoming more and more developed and deployed throughout. Most companies have these, and they will include various different types of threats that can affect them, such as eavesdropping, DoS attacks. Obviously, they can target your Voice over IP clients if

(07:15):
they're high IP or high value clients, and they will also target the servers as well. Gaining access to these systems can be a plethora of information, and so bad guys and girls will attack those systems. They really truly do want the VoIP systems, and if you don't have good security enabled on them, they are a high target and

(07:35):
they can also incorporate a lot of risk for you and your organization. Hence, if they were to be breached or compromised, you now are running in a situation where you become liable because you didn't put in adequate controls for them. Voice, we have to deal with vishing and phreaking. So vishing is a social engineering attack that is conducted over the phone, where attackers will use voice calls, often

(07:57):
spoofing the caller ID, to trick victims into revealing sensitive information. This also can be now, with AI and the voices, people cannot distinguish between who is who. So you need to really teach your employees that you don't just provide information to someone that sounds like you or sounds like somebody else, because now, with AI, that can all change everything.

(08:18):
So historically, this is when you're dealing with phreaking. This is an act of exploiting vulnerabilities in telephone networks to make free calls or gain unauthorized access to services. Phreaking isn't as prevalent today; again, in more undeveloped networks there may be more phreaking than what we see traditionally in today's networks, but it is a

(08:39):
risk that you need to be aware of. For the CISSP, it highlights the human element of security, the important part of dealing with voice, and, again, vishing exploits the trust and the lack of verification. Phreaking demonstrates the need for strong authentication, especially in the AI world that we live in today. Now, PBX fraud and abuse. This is your private branch exchange.

(08:59):
That's what a PBX is called. It's a telephone system, basically within an enterprise, that switches calls between internal users and allows them to share a certain number of external phone lines. Again, a bit old school, but it's still out there. You need to be aware of what it does and you need to be aware of how PBX systems work. The biggest issues or vulnerabilities you run into with them are weak passwords, unpatched software and

(09:21):
misconfigurations. Obviously, since systems aren't well maintained, there even becomes a bigger problem with PBX systems. These can run into substantial financial losses for an organization, especially if they're using older type systems to communicate, such as, like, EDR, the electronic data exchange. So those are different types of capabilities.

(09:43):
If you're using PBX systems and someone's able to get in there and actually pay attention to what is being transmitted, then you could actually incur some more risk to your organization. So PBX fraud, in a view, still is there. It's just not as prevalent that you may see in the outside world. Now we're dealing with remote meetings, so you have virtual

(10:05):
gatherings, obviously conducted via an online platform. Obviously that's like your Zoom and all the other things that you can discuss presentations, collaborations, all of those kind of things, and that all just kind of blew up once we had COVID, right. But the problem is, you've got Zoom bombing, right, unauthorized intrusions into a Zoom meeting, and when you're dealing with Zoom meetings, who are all the people that are

(10:26):
there? Especially when you get a large group that's got like 30 people, 40 people, how can you confirm each person's in that group? The other part you run into now that is a different, unique aspect that we didn't have even like six to eight, well, six months to a year ago, is the AI chatbots that are put into these meetings that are then taking notes. So now you have somebody that's actually taking notes for you

(10:48):
and you might be discussing personal and sensitive information and this bot is now recording that. So again, it requires strong passwords, waiting rooms, host controls, a big factor in all of these when you're dealing with remote meetings. Instant messaging and chat, obviously, real-time chats, dealing with Microsoft Teams, Slack, WhatsApp, all of these are an important point for one-on-one or group

(11:10):
communications. But again, on the downside, you've got insider issues, you've got impersonation issues, you've got data retention issues. All of that is a big factor with instant messaging and chat. So you need to have a good, strong policy on how you're going to handle chat. You also need to enforce the policies when you're dealing with your chat and your overall Teams plans.

(11:31):
Multimedia collaboration, big factors that you need to be aware of as it relates to the CISSP. Remote access and telecommuting, telecommuting techniques, right, so methods that allow users to connect to an organization's internal network and resources from external locations. Now you're dealing with VPNs. This is, you've got your VPNs, you've got IPsec, you've got SSL, TLS,

(11:52):
all of those pieces are remote access. You've got remote desktop protocols. It's being used all the time, and so you need to ensure that anybody that is using that within your network has good policy. They need to understand the policies. They also understand the security related to protecting this network and the data that's going on there. Each of these should have specific vulnerability, or each

(12:13):
of these does have specific vulnerabilities related to the VPNs, RDP and so forth, and you, as a security professional, need to be aware of each of these vulnerabilities. And this also comes down to understanding your overall network topology and your network architecture so that you can control the data coming in and leaving your organization. All of those are an important part, and you need to make sure

(12:33):
that you understand each of these, to include cloud access security brokers, CASBs, for the CISSP exam. So, again, those are important parts, I'd say. From my standpoint, remote access is probably one of the biggest areas that most companies struggle with, because they put it in place, but they don't have a good handle on remote access long-term.

(12:53):
It's a short term. Just get it up, get it running and we'll go from there. Now, remote connection security. You've got to have mandatory strong authentication. This would be multi-factor authentication for all remote access. Encryption, this is where all data transmitted over remote connections must be encrypted from end to end. This would be your TLS, SSL and IPsec as well.

(13:14):
We talk about this a lot, and this is an important part of all security within your company and having a good architectural plan related to it. Endpoint security, dealing with EDR agents. This is with your endpoint detection and response. And then network segmentation, as it relates specifically around VPNs and network access controls. You want to base these on least privilege and you want to limit

(13:34):
your segmentation based on that. Without robust security, remote connections become a significant attack vector, obviously, for unauthorized access, data interception and malware introduction into a corporate network. So, again, remote security is an important part, and this is all part of domain 4.3 of the CISSP. Managing your email

(13:54):
security. The purpose of this is to protect the confidentiality, integrity and availability of your email communications, and it is a primary vector of many cybersecurity attacks. Why? Because people communicate on email all the time, and so, therefore, because they do that, it's one of the primary places where bad guys and girls will go after you. Implementing policies for acceptable use is an important

(14:17):
part. Secure configurations to ensure that, and then monitoring the access of email that's going in and out of your network is an important part as well. If your email communication is so voluminous, it's hard to do. You want to target, maybe, potentially specific people that have the highest risk to your organization, and, again, those are the folks that you would want to make sure you have really good policies in place for.

(14:38):
You also have good documentation telling them, hey, I'm going to be watching you and this is why we're going to be watching you. Now, a well-managed email security program is vital for defending your network. It truly is, and including email deliveries or malware deliveries, phishing, business email compromises, all of those are an important part that you're going to have to be aware of for the CISSP and as a security professional, and

(15:01):
they're going to look to you to help them put things in place to help mitigate this potential risk. Email security issues: you have phishing. You have spear phishing. You have malware delivery. All of those can happen through email. Spam and unsolicited mail obviously comes through email as well, and then your business email compromises. This is where you have fraudulent schemes that are targeting, usually impersonating senior leaders, to try to get

(15:24):
you to transfer money to offshore accounts. BECs kind of come in waves, but they are very effective, especially now with the AI. You could do a BEC really easy with somebody's voice, especially if you have some different voice samples that you could use. So it would be a really easy target to target some of the right people and saying, hey, I'm going to follow this up with

(15:45):
a phone call. And then you go, hey, Bill, you leave a message saying this is the CEO, I'm authorizing the use of this money transfer. And Bill goes, well, that sounds just like my person, so let me go ahead and allow the authorization of the money. So again, big, big deal. Data leakage, unintentional and malicious disclosure of sensitive information via email,

(16:06):
and then lack of encryption obviously isn't a big factor in all of this. Email remains the top attack vector and it does require robust, multi-layered defenses and monitoring to ensure that it is properly protected. So, as we're dealing with email security solutions, you now are also dealing with spam filters.

(16:27):
So these will help identify and block unsolicited emails that may come in, and, as you all know, you have to check your spam filters routinely as you're dealing with your different Outlook and email type products out there. In addition, you have anti-malware and anti-virus gateways. These will be used within your architecture to help scan email

(16:47):
attachments for anything that's potentially malicious coming in or anything that may maliciously be going out. Now we'll run in and talk about DLP, but a lot of it is, the DLP content is the data going out, but malicious content coming in? Your anti-malware or gateways that are allowing any of the scanning of the content coming in from your emails, we'll be looking at that.

(17:07):
You have email authentication protocols, which is SPF, DKIM and DMARC. SPF is your sender policy framework. This helps with email spoofing and it does help ensure that the sender's IP address is confirmed. DKIM is your domain keys identification email, and this uses digital signatures to verify your email sender's

(17:28):
identity as well as the integrity of the overall message itself. Those are all important parts of PKI and you will understand that as you're looking through the different email capabilities. These are really key parts that are brought up a lot within the CISSP exam. DMARC is your domain-based message authentication, reporting and conformance.

(17:49):
This is also built on SPF and DKIM. So, again, understanding those acronyms is an important part of the CISSP exam. Email encryption using S/MIME and PGP is good for end-to-end encryption capabilities and highly recommended. You'll need to understand the use of PGP and S/MIME within the PKI structure for email encryption.

(18:11):
DLP is a big factor as it relates to data loss prevention. This scans outgoing emails for any potential content that might be added to the email itself that might violate policies that you may have in place, and then it could block or, at least at a minimum, alert type of activities. Sometimes they have a delay where the content has to be

(18:31):
approved before it's actually allowed to leave the organization. So different types of DLP products are out there. You just have to determine which one would be best for you and your organization. Also, as you read the questions for the CISSP, they may ask that, specifically, do you want to allow blocking or do you want to allow an approval process? Security awareness training, this is where you're educating

(18:52):
users about phishing, business email compromises and safe email practices. Obviously, awareness training is an important part of any program, and you should have something in place in each of these areas specifically to educate the end user, as they are the ones that, in most cases, are the ones that start the overall process of getting infected. But again, implementing any of these solutions will go a long

(19:14):
way in helping reduce the risk to your company, as well as these are concepts that are brought up highly within the CISSP exam. Network address translation, this is something that is done as far as to translate between private IP addresses and public IP addresses, and, as you're dealing with routers and various other access points,

(19:35):
they will do that translation for you. It basically modifies the network address information in the IP header of the packets and basically communicates between the two entities. So it allows you to have NAT, which is one-to-one, or dynamic NAT, which is many-to-many. There's also port address translation, and then there's NAT overload, which is many-to-one, using ports.

(19:55):
So again, NAT translation is a very good thing to have. It can be a challenge because it can make things complicated when you're dealing with logging and monitoring NAT translation. So it's basically an external IP address comes to an internal IP address and it's being translated. The logs that will give you that information from both one to the other can be very complicated and can be very

(20:17):
challenging to actually understand and ascertain. So having good plans in place is an important part. Also, ensuring that you incorporate IPsec and various other types of security mechanisms with these various connections is also an important part of what you're trying to deploy from an architectural standpoint. Private IP addresses, there's different, various private IP

(20:39):
addresses that you may find within your organization. That's the 10 series, 172 or 192 series. These are typically within, like, your house. You may have your, all of the IP addresses within your home are based on 192, but the external IP address may be like 13.2.3.4, whatever that is, and those private IP addresses are specifically, they're

(20:59):
non-routable for external. They're all routable internal, and this is where you'll have the NAT that will help you with overall helping translate between external IP addresses to your internal private IP address space. So you'll need to understand that. And what are the private IP addresses that you may anticipate seeing? As they ask you a question, they may ask that

(21:20):
specific thing of giving you an IP address of, let's say, 169, which we'll talk about here in a minute, and they'll say that's a private IP address. But it is actually not a private IP address. It's an automatic IP address set up for the system, but it's not something that's routable within your organization. Now, automatic private IP addressing, APIPA, this is a feature where Windows and other operating systems automatically

(21:42):
assign an IP address, especially when they cannot use DHCP and they can't network. It does give them an IP address so that it's actually discoverable internal to your network. However, because it's a 169, it is not something that can be routable outside of your organization and it doesn't work with NAT. So, as you're understanding, when you realize that maybe your DHCP server may be down and you see an IP address of 169, you

(22:06):
will know that it is a networking problem that you're dealing with and that you would have to try to figure out the issue. If you're dealing with an IP address that says 192.168, you know, then it potentially might not be a networking issue. It might be something else. But 169, again, this allows for devices to basically have small local networks to communicate with each other without a DHCP

(22:27):
network, but it doesn't allow you to do much other than that. So, depending upon where you're using it, 169 may or may not be something you would want to incorporate within your network. I would not. It's more or less designed as something that is a fallback, so that you're having to troubleshoot a networking challenge. VPNs, these are the basics around these. They create secure, encrypted tunnels over untrusted networks.

(22:50):
VPNs are talked about a lot within an organization and they're used extensively. The thing you have to watch out for with VPNs, obviously, is your third parties, and you're allowing third parties to VPN into your network. It basically allows the internal network to be exposed to an external entity of some kind. So therefore, having VPNs is an important part.

(23:10):
It does help with encapsulating the communications back and forth; they are encapsulated and they are protected, but the amount of data going across these networks can be a lot and they also cannot be as monitored as you may want them to be. So I would highly dissuade you from using VPNs for third parties. You have employees that use VPNs.

(23:31):
The bad thing with the VPNs on having employees is, again, if they're at home using their computer and they're using a VPN, their home network may be part of the business network, which can cause all kinds of drama. So you need to have a very good plan in place on how you're going to deal with VPN tunneling. But again, it does provide confidentiality, integrity and authenticity for the data in transit over untrusted networks

(23:56):
and it does have protections. But again, it does open up a whole set of challenges as well. Split tunnel versus full tunnel. So split tunnel, this is only the traffic destined for the corporate network goes to the VPN. All of their traffic is shunted and goes directly. Not shunted, it goes directly to the internet, and this works really well if you have bandwidth challenges, potentially, and you don't have a circuit dedicated specifically

(24:18):
for the internet, or you do have one. That was where split tunnel will come into play. Now, full tunnel is where all network traffic from the client device is forced through the VPN tunnel to the corporate network and then out to the internet. The positive with that is that all that data is potentially being monitored, whereas with a split tunnel, only the data that is corporate specific is being monitored.

(24:39):
Any internet traffic would not be monitored in the same capability. So there's pros and cons with all of this, right. So full tunnel, again, it's generally, they consider it more secure, as all the traffic is sent through your corporate security controls. However, the split tunnel can reduce some risk, obviously, from remote devices. However, one of the things to consider when you're dealing with this is bandwidth. Is bandwidth an issue, um, at your locations that you might

(25:03):
need to do some split tunneling? And, like anything in all of these security mechanisms we talk about, it really truly comes down to, are you putting in place the right configurations to manage the security of each of these tools that you're adding? So, again, everything can be, has pros and cons associated with it, but it really comes down to how are you configuring

(25:24):
it? How are you managing the security of each of these specific tools? So what are some common VPN protocols? We've got IPsec, which is your internet protocol security. It's a suite of protocols used to have secure IP communications and it operates at the network level. It does provide for authentication, encryption, and it's usually, typically used around remote, or should say

(25:46):
site-to-site type of connections. A lot of remote VPNs are part of that. You have SSL and TLS, typically used with HTTPS, and it's often clientless or browser-based. You can get lightweight clients with the TLS aspects of it, but it again is very common for remote access. You have PPTP, which is your point-to-point tunneling

(26:06):
protocol. It is older and it is less secure, but if you're dealing with external networks or networks that are older, you will have P2P aspects of this, and so you shouldn't discount it just because it is older and insecure. However, that being said, you're going to want to make sure that architecturally, you have it in a position where it is best in a most secure environment. L2TP was your layer two tunneling protocol and this is

(26:28):
often paired with IPsec for security reasons. Obviously, IPsec and SSL are recommended secure choices. They help with secure encryption and authentication. Again, older protocols like PPTP have known vulnerabilities and should be avoided if possible. But again I come back to this: you may have to use them depending upon the situation that you're in and operating in.

(26:50):
Switching and virtual LANs. So you're dealing with a switching network. This is layer two. It's your data link network, and the devices forward frames based on MAC addresses. You create separate collision domains, and it also improves the network efficiency as well. Then, when you deal with virtual LANs, or VLANs, these are logical segments that basically split single physical switches into multiple broadcast domains, and your VLANs are

(27:13):
tied to the fact that you may have multiple VLANs within your network. Now, VLANs are great, they're awesome, I love them. However, one of the things is they can add more complexity to your overall network, and so, therefore, you should look at utilizing them but, at the same time, determine not to go overboard with your VLANs. Proper VLAN configuration obviously is critical, and that's with anything we deal with: it is the overall

(27:35):
configuration aspects tied to it. MAC flooding attacks. What is a MAC flooding attack? Well, basically, this is where the attacker floods a switch's MAC address table and then will fake potential MAC addresses, and it does cause the table to overflow, and then, basically, you end up dealing with denial of service type of impacts. When the table is full, the switch may revert to acting like

(27:55):
a hub, broadcasting all traffic, or potentially just failing closed. It may fail open, but it just, when you deal with these situations, it can happen different ways. It does allow the attacker to eavesdrop on network traffic that would normally be switched only to the intended recipient, and it may compromise the overall confidentiality. MAC cloning: this is where an attacker will change the MAC

(28:17):
address of their network interface card, a NIC, to mimic the legitimate device's MAC address. Now, you would do this sometimes for a legitimate reason, when you're trying to work with different wireless networks. They will have MAC address cloning, but you can bypass the MAC-based access controls that are there or impersonate legitimate devices on the network. Now, what can happen is it will compromise the

(28:39):
authentication and the access control mechanisms that rely solely on the MAC address. Now, obviously we want to have more than just MAC address controls in place, but in this situation, if it would compromise that, specifically in these situations where the MAC address is the key protection mechanism around it, it does highlight weaknesses in MAC addresses as the sole authentication factor, and it is not recommended that that would

(29:01):
be it. Memorandum of understanding: so, a formal agreement between two or more parties outlining the terms of an understanding. This is often used to establish a framework for cooperation and potentially share responsibilities in security. It's an MOU, and this is just part of domain 4.3. Risk assessments of third parties. This is an important part that I feel gets left

(29:23):
a lot is third-party risk assessments, and how do you deal with third parties within your organization? Conducting thorough evaluations of third-party vendors' security postures, controls and compliance before and during any engagement. This would be very commensurate with the risk they pose and the data they control. Third-party connectivity risks: we talk about this as far as even having VPNs, but these are specific threats arising from

(29:46):
network connections to external entities, such as insecure VPNs, unmanaged access points, data exfiltration through email or other ways, or lateral movement from a compromised vendor within your organization. Again, this is why contractors are a big risk to many corporations, and so, therefore, when getting people access to your company who are contractors or third parties, you need to have

(30:08):
a really good plan in place to help ensure the security is maintained. So managing third party connections is critical, and they do extend the organization's attack surface, but they also help the organization create a better product in many ways. So MOUs, risk assessments, all of these are an essential part of any organization, especially if you're dealing with third-party risk, and they do help you identify

(30:29):
vulnerabilities, mitigate the risks associated with this, especially when you're dealing with overall within your company, and I highly recommend third-party risk assessments be done for any organization. You'd be surprised how many different companies have third-party risk they didn't even know was a big factor within their company. So, again, that is what comes down to domain 4.3. Okay, that is it for the rapid review for domain 4.

(30:54):
Again, you can go to CISSP Cyber Training and get access to all of this content. You can sign up for my bronze package and get access to all of my rapid review videos as well as the study plan that I have available, over 360 questions. There's different types of videos and audios that are available specifically for my free resources, and I guarantee you they will be extremely valuable to you. Again, it doesn't cost you a dime.

(31:15):
All it asks for is your email address. That's it, and that way I can send you information as needed related to the CISSP or in whatever else you want to do. When it comes to paid resources, I've got all the CISSP content available to you in video format and audio format, as well as numerous questions, over 1500 different questions right now that are available, with deep dive topics, mentorship.

(31:37):
All of those things are available specifically to you as part of the overall paid programs I have, so, again, super excited about what we can provide for you at CISSP Cyber Training. Head on over there, get access to this video and many, many more, and again, I hope you all have a great day, enjoy your CISSP studying and we will catch you on the flip side, see ya.

(31:58):
Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360

(32:23):
free CISSP questions to help you in your CISSP journey. Thanks again for listening.