
November 24, 2025 44 mins


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

Security programs fail when they try to do everything at once. We walk through a clear three-phase plan that keeps you focused and effective: start with a real gap assessment anchored in leadership’s risk tolerance, convert findings into decisions to mitigate, accept, or transfer risk, and then implement with a balanced mix of people, process, and tools. Along the way, we share what to look for when hiring a virtual CISO and how to turn that engagement into actionable momentum instead of another shelfware report.

From there, we tighten the perimeter by defining bounds that keep systems within safe lanes: role-based access control, data classification, DLP, segmentation, encryption, and change management that shrinks blast radius. We get tactical with process isolation, sandboxing, capability-based security, and application whitelisting, plus a grounded comparison of MAC vs DAC and when a hybrid model makes sense. Defense in depth ties it together with physical safeguards, network protections, EDR and patching, application security practices, and data security. We keep the human layer practical with targeted awareness training and a tested incident response plan.
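
The MAC vs DAC comparison mentioned above, as an added example that is not from the episode or from CISSP Cyber Training. It is a small reference monitor: a Bell-LaPadula-style label check (no read-up, no write-down) stands in for MAC, an owner-controlled ACL stands in for DAC, and the hybrid check lets the central label act as a ceiling that an owner's sharing decision cannot exceed. The `Label` lattice, the `Subject`/`Resource` types and the "alice shares an IP folder with an outside collaborator" scenario are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Ordered sensitivity labels (a constructed, hypothetical lattice)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Resource:
    name: str
    label: Label           # MAC: assigned centrally; the owner cannot change it
    owner: str             # DAC: the owner may share via the ACL
    acl: dict = field(default_factory=dict)   # subject name -> set of ops


def mac_allows(subject: Subject, res: Resource, op: str) -> bool:
    """Bell-LaPadula style label check (simplified): no read-up, no write-down.

    Read needs clearance >= label; write needs clearance <= label, so a
    cleared subject cannot copy CONFIDENTIAL data into a PUBLIC object.
    """
    if op == "read":
        return subject.clearance >= res.label
    if op == "write":
        return subject.clearance <= res.label
    return False   # unknown operation: deny by default


def dac_allows(subject: Subject, res: Resource, op: str) -> bool:
    """Owner has full control; everyone else needs an explicit ACL entry."""
    if subject.name == res.owner:
        return True
    return op in res.acl.get(subject.name, set())


def dac_grant(grantor: Subject, res: Resource, grantee: str, op: str) -> None:
    """DAC: only the owner may extend the ACL (the 'I like Bill' button)."""
    if grantor.name != res.owner:
        raise PermissionError(f"{grantor.name} does not own {res.name}")
    res.acl.setdefault(grantee, set()).add(op)


def hybrid_allows(subject: Subject, res: Resource, op: str) -> bool:
    """MAC is a non-overridable ceiling; DAC can only narrow access within it."""
    return mac_allows(subject, res, op) and dac_allows(subject, res, op)


def demo() -> dict:
    """Constructed scenario: an owner over-shares a CONFIDENTIAL folder."""
    alice = Subject("alice", Label.CONFIDENTIAL)        # owner, cleared for it
    bill = Subject("bill@companyx", Label.INTERNAL)    # external collaborator
    folder = Resource("ip-designs", Label.CONFIDENTIAL, owner="alice")
    wiki = Resource("public-wiki", Label.PUBLIC, owner="alice")

    dac_grant(alice, folder, bill.name, "read")        # DAC alone permits this

    return {
        "owner_read_dac": dac_allows(alice, folder, "read"),
        "bill_read_dac": dac_allows(bill, folder, "read"),        # over-share
        "bill_read_mac": mac_allows(bill, folder, "read"),        # read-up denied
        "bill_read_hybrid": hybrid_allows(bill, folder, "read"),  # MAC wins
        "owner_write_public": hybrid_allows(alice, wiki, "write"),  # write-down denied
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The practical point is in `bill_read_dac` versus `bill_read_hybrid`: under DAC the owner's click is the whole decision, while under the hybrid the central label still denies the outside collaborator, which is the behaviour you want on a narrow set of crown-jewel resources.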

Resilience is the throughline. We advocate for secure defaults and least privilege by design, logging that’s actually reviewed, and updates that apply on a measured cadence. When things break, fail safely: graceful degradation, clean error handling, separation of concerns, redundancy, and real-world drills that expose weak spots early. Governance keeps the program honest with separation of duties, dual control, job rotation, and change boards that prevent unilateral risk. Finally, we demystify zero trust: start small, micro-segment your crown jewels, verify continuously, and respect cloud nuances without overcomplicating your stack.
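
The "fail safely" and least-privilege-by-design points above, as an added example that is not from the episode or from CISSP Cyber Training. An authorization check is written twice: a fail-open version that grants access whenever its decision path throws, and a fail-closed version that treats an outage, an unknown user or a bug as a deny and keeps the error detail in the server log rather than in the response. The role map, the `RoleStore` class and its simulated outage are constructed for the example.

```python
import logging
from typing import Dict, Set

log = logging.getLogger("authz")

# Constructed sample of a least-privilege role map: a role gets only the
# actions its job needs, and anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "dba": {"db:backup", "db:restore", "db:schema"},
    "analyst": {"db:read"},
    "breakglass": {"db:*"},   # emergency-only role; nobody is bound to it below
}


class PolicyUnavailable(RuntimeError):
    """Raised when the role store (directory, IdP, database) is unreachable."""


class RoleStore:
    """Hypothetical role lookup that can be switched into an outage."""

    def __init__(self, bindings: Dict[str, str]) -> None:
        self._bindings = bindings
        self.available = True

    def role_of(self, user: str) -> str:
        if not self.available:
            raise PolicyUnavailable("role store timeout")
        return self._bindings[user]   # KeyError for an unknown user


def _decide(store: RoleStore, user: str, action: str) -> bool:
    perms = ROLE_PERMISSIONS.get(store.role_of(user), set())
    return action in perms or "db:*" in perms


def authorize_fail_open(store: RoleStore, user: str, action: str) -> bool:
    """Anti-pattern: an error in the decision path grants access."""
    try:
        return _decide(store, user, action)
    except Exception as exc:   # broad on purpose, to show the failure mode
        log.error("authz error for %s/%s: %s", user, action, exc)
        return True            # 'keep the app working' turns an outage into an open door


def authorize_fail_closed(store: RoleStore, user: str, action: str) -> bool:
    """Fail securely: any error (outage, unknown user, bug) is a deny.

    The caller only ever sees a boolean; the exception text stays in the
    server log, so nothing about the backend leaks to an untrusted client.
    """
    try:
        return _decide(store, user, action)
    except Exception as exc:
        log.error("authz error for %s/%s, denying: %s", user, action, exc)
        return False


def demo() -> dict:
    """Run both checks against a healthy store and then a simulated outage."""
    store = RoleStore({"ann": "analyst", "dan": "dba"})
    healthy = {
        "analyst_read": authorize_fail_closed(store, "ann", "db:read"),
        "analyst_schema": authorize_fail_closed(store, "ann", "db:schema"),  # least privilege
        "unknown_user": authorize_fail_closed(store, "mallory", "db:read"),  # default deny
    }
    store.available = False   # simulate the role store going down
    outage = {
        "fail_open_grants": authorize_fail_open(store, "ann", "db:schema"),
        "fail_closed_denies": authorize_fail_closed(store, "ann", "db:read"),
    }
    return {**healthy, **outage}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(demo())
```

The two results to look at are `fail_open_grants` and `fail_closed_denies`: same outage, same user, opposite decisions. The fail-closed path also degrades gracefully in the sense the paragraph means: the service stays up and answers, it just answers "no" until the policy backend is back.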

If this helps you clarify your next move, follow the show, share it with a teammate, and leave a quick review so others can find it. Tell us: which phase are you tackling first?

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber, and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:21):
All right, let's get started.

SPEAKER_01 (00:25):
Hey all, Shon Gerber with CISSP Cyber Training, and hope you all are having a beautiful day today. Today is what? Today is the podcast where we go over various aspects of the CISSP, and today's podcast is going to be 3.1. So we are in domain three of the CISSP and we're going to be focusing on failing securely.

(00:47):
We're going to be getting into separation of duties, zero trust, keeping it simple, and so forth. But before we do, we are going to get into this one little thing that actually happened to me this week that I think is really important for you all if you're in the security space trying to figure out what you should do. I had a couple engagements around a virtual CISO role, and

(01:07):
one aspect that came up was understanding what does it take if you're looking to hire a virtual CISO. And so I thought this would kind of be good because I know many of my audience are former or current IT folks that have been around for a little while and they are looking to increase their cybersecurity capabilities. Well, this is something that you may just be interested in to understand if you are ever looking for a security leader

(01:30):
for your organization, or if you're trying to just maybe get a virtual CISO, but it's just a little piece that would be valuable to you, especially as it relates to the CISSP as well. So they all kind of tie together because we talk about that a lot. So what I want to just kind of go over real quick is an engagement. If you're looking to bring on a security professional to help your organization, what I would recommend is one, obviously vet

(01:53):
out who this person is and do their credentials meet what they actually say they are? I will say over the years I have interviewed plenty of people for roles, a lot of them in development, but for roles where their resume says one thing, but when you start talking to them and digging deeper into their knowledge, it is a different story once you start to unravel

(02:14):
a little of that. But you need to understand who they are, obviously get recommendations, and if you can get them from, maybe if they're dealing with a consulting company, that would be good. Or if you're just looking for them online, but make sure you validate who they specifically are and what their knowledge is. But outside of that, let's just talk about what is a way that

(02:34):
you would want to do if you brought on a security professional. If you bring somebody on, if you're validating them, you'll want them to do what they call a gap assessment. And what a gap assessment is, is the security person will come in and they're going to do an evaluation of your overall infrastructure, what the security controls you have in

(02:54):
place, what are the different types of processes you have in place, the policies, and so forth. And this gap assessment should take a period of time, anywhere from a month to a couple of, well, it can be probably two to three months. And I say that it wouldn't take that long to do the physical assessment, but what it will do is that that two to three month period is actually getting with people, interviewing them,

(03:17):
understanding more about how their environment works, and what are some of the limitations and areas of concern that you may dig up. And it may deal with interviews with multiple people, it may be the interviews with the same person, but you have to break it up into different chunks to try to get to know the individual and also to get to know some of their environment and their network.

(03:38):
So a gap assessment is really good. It's also important for you to meet with their leadership to understand what is the risk tolerance and what is their risk profile. What I mean by that is, are they a targeted company? Are they critical infrastructure? Are they the financial institutions? And based on that, then also what is their tolerance for risk? Are they like, eh, I'm not worried about it, or yeah, this

(04:00):
is really bad. And it also will change over time. Some of the clients I met with this past week, they are at the beginning of their business journey, they were very risk tolerant. They actually didn't really care a whole lot. But then as time went on and their organization grew, they made or had more money, they had more opportunities, their risk

(04:21):
tolerance became less and less. And they also realized that as time goes on, that, you know what, more people, bad guys are out there trying to catch them or trying to, you know, basically attack their companies. So understand that gap assessment through risk tolerance and risk profile will be good. Then you want to provide a detailed report, and you want them to provide a detailed report to you on what are the recommendations to their organization and move down the

(04:43):
path of that. Now, if you're dealing with that, that's the gap assessment; once that is complete, then you would move on to your next couple phases of your plan and what the security professional should do with you and your company. And one of those, the next phase, would be to develop a strategy to mitigate, accept, or transfer risks based on the overall business objectives.

(05:05):
So again, you're gonna have to understand, as you understand the business through the gap assessment, you understand what are their pain points, you understand what is critical to them, you're gonna want to come up with some way to help them understand the risk and then mitigate, accept, or transfer that risk. And then come back with those recommendations. And if they take any of those, then you'll need to work on

(05:26):
implementing this strategy for the organization. Now, this takes a different task, I should say. What'll happen is phase one is just they may take your gap assessment and that's all they want. And that's great, and that's all they should need. If they have the people to go through and make that happen, great. Let them take that gap assessment and run with it.

(05:47):
If they want you or you want somebody else to do this for you, then you would want to figure out a strategy by which you would have them implement this for you and your company. And then the last thing is I look at this from a virtual CISO standpoint. My ultimate goal is to help the customer reach their goals, their security goals. And by reaching that, that may be with me working with them

(06:08):
on a retainer basis or full-time or however they want to pay for it. But it also may be where I set their people up for success and you develop an overall strategy for that person. So a way to basically package it up, put it in a bundle, and hand it back over to them once the engagement is over. So you're gonna want to help understand the people, the

(06:28):
processes, and the tools and help them to reach their security objectives. And that may happen with you creating training programs, it may be by you just helping whenever they hire the person, walk them through step by step. And so the reason I'm telling you all this as far as the CISSP goes is it's a really important factor, just because when you're dealing with looking at a security professional, whether

(06:50):
it's a security leader for your organization or whether you're going to be the security leader for your organization, if you look at your company and you were to put it into these three specific phases, it's a really good way to at least try to break it down into bite-sized pieces. So if you're gonna be the CISO, phase one, do a gap assessment. Then from there, if you're gonna be the CISO or the security

(07:11):
leader, then figure out what is the strategy to mitigate, accept, and transfer the risk. And then you want to implement that strategy. And I know it's very simple, but if you break it down into these three buckets, it's going to help you understand what you need to do first. And that you don't just, because it'll be overwhelming. There's so much that you will get lost in everything. And then you'll sit back and go, what did I

(07:33):
accomplish over the next year? So again, break it down into three phases: your risk tolerance, or you do a gap assessment on a risk tolerance and risk profile, provide a report to your senior leaders, no different. Phase two, you gotta mitigate, accept, or transfer your risks and then implement that strategy. And then phase three, you just focus on your people, your processes, and your tools and figure out your long-term

(07:54):
strategy and then implement it. If you do that, you know what? You're gonna be in a really good spot. Okay, so one of the topics we're gonna be talking about is bounds. Now, bounds refers to the limits or constraints that are imposed on a system to protect it from unauthorized access or malicious activity.

(08:14):
So you put these in place to protect yourself, and a lot of times an EDR solution will have something like this as well, but they're designed to basically protect from unauthorized disclosure or modification. There are different types of aspects that will tie into the bounds. So we're just going to kind of go into a few of those. One is access control. So you want to implement strong access controls on those systems

(08:36):
to put basically guardrails in place to keep an individual or to keep the application within the context of what it's supposed to do. You can implement role-based access controls to grant users only access to the specific privileges they need to do their job. So that's a part of putting in bounds for access controls.

(08:57):
Another part of bounds would be within data classification. So you'd have separation, or not separation of duty, you have classification of the data itself, which would help to ensure that there are security measures in place for the data and protecting it. Another one is separation of duties, which we'll talk about here in just a little bit, and that's to prevent fraud, where a separation of duties might be if one single person isn't allowed

(09:19):
to send EDI transfers. That would be a separation of duties. And I would say it's really important as a security professional to implement some level of separation of duties within your organization. It may be just in very small niche areas, but it's an important factor and it will pay off. I mean, just with my wife's business, I understand that separation of duties on who can collect money and who can't

(09:40):
collect money will help you save yourself from money being stolen, which it does, unfortunately. Data loss prevention, again, putting in controls around the documents themselves, applications specifically, also looking at network traffic and so forth. So that's another piece of putting in some levels of bounds and protecting the data and those systems.

(10:03):
Network segmentation will do that. And you know, we talk about segmentation a lot in this podcast, and that's having one separate network that would be focused specifically on IoT, one network that would be focused on your overall IP or intellectual property. Data encryption, obviously, talking through, making sure data at rest and in transit is protected.

(10:24):
Change management, change management is one that I think gets overlooked a lot, where you have to implement certain change processes before you can deploy something. And that change management process will do a lot to protect your organization, one, from accidental challenges, which still won't protect it completely, but it does limit some of the blast radius around it.

(10:46):
And then also prevent some of the unauthorized changes that may occur due to security incidents as well. So that's where the change management piece kind of comes into play. Where, you know, a document or a process that has to occur within your organization, those changes are submitted for approval and documented. I'm dealing with that right now with a company where every

(11:07):
change I make, I have to document it within email and it also has to be put within a ServiceNow or some type of other service situation so that it's documented what has actually occurred. You also have to have a plan on how you're gonna back all that out, but that's a different subject. Monitoring and logging, obviously, looking at anything that's going on within your environment, your SIEM will help you with

(11:28):
that. So you have specific criteria by which this application should operate, and outside of that specific criteria, then the SIEM will alert and make noise based on that. It'll light up. It depends on how you have this. Now, I would say that's a pretty master's-level type of

(11:49):
configuration that you would set within your organization. A lot of companies don't do that because it takes a lot of extra tweaking. But you wouldn't do that to your entire organization. You would do that in a very specific subset just because it would be so hard and complicated, it would just make your life more painful. But in very niche or specific situations, it could be very

(12:09):
valuable. Now we're going to get into process isolation. Now, this involves separating processes from each other to limit the potential damage that can be caused by a security breach. And this can be done in various different ways. You have virtualization, right? So if you virtualize your environments, it makes it very difficult for something potentially malicious to spread

(12:30):
throughout your organization. The other part that kind of comes into play from an IP protection standpoint: if for some reason I was in a country that I will not name, if someone would come in and steal the data, because it's virtualized, you can shut off all those systems immediately and therefore limit some of that theft that could potentially occur.

(12:51):
Sandboxing, this is where you run untrusted or suspicious code in a sandbox environment. A lot of times when data is coming into a company, I worked with a product a long time ago called FireEye, and it did that same thing, right? Any data coming in would be exploded within this sandbox or run within the sandbox to look if there's any sort of malicious

(13:14):
code built into it. And then if it wasn't, it would allow it on. Now, people got smart and they would put timers and all kinds of different things in the malicious code to try to get it by appliances such as this. But again, that's the sandboxing piece. Memory protection, these are various mechanisms to prevent processes from accessing each other, accessing memory, and

(13:36):
they're also ones that are not authorized to use. So that would be specifically focused on the memory. Capability-based security, this is where you grant specific capabilities rather than granting unrestricted access to various resources. It limits the potential damage again caused by a specific compromise, and then it's granted the ability to read and write files on directories, again, not to access other systems.

(13:59):
So you basically have a situation where you're allowed to read and write in a certain directory, and then anything outside of that directory is not allowed to be accessed. Again, I'm talking about things that are very, very granular. And process isolation, if you get into this level, you will not want to do this to your entire organization.

(14:20):
You'll want to be very specific. And kind of like we talked about earlier with the gap assessment, by figuring out what your gap assessment is, where the areas are that are most important to your company, then you can focus these types of controls on those areas specifically. Application whitelisting is another one.

(14:40):
That is set up where only specific applications can work, and they prevent unauthorized applications from executing and potentially causing any sort of challenges again. The great thing with whitelisting is it works really well. The challenge with that, though, is if you forget about it and if things change, you can be applying whitelisting to applications that maybe you didn't want to.

(15:02):
Talked about segmentation again. That's another way to get into process isolation, and then also DLP. So those, they all kind of, you can see they kind of work together when we're focused on these different areas. Now we'll get into mandatory and discretionary access controls. Mandatory access, we kind of talked about this on various podcasts that we've had throughout CISSP Cyber Training,

(15:22):
but a mandatory access control is one that restricts access to resources based on the security labels we have defined in them. And we've talked about that numerous times throughout the podcast and throughout the courseware. Those labels are assigned to both users and objects. Now, the characteristics around this is that you would have some level of centralized enforcement.

(15:43):
Your MAC is typically enforced by a central authority. Okay, so that would be such as a security kernel or a security server. This can have mandatory rules that you have to deal with, and then they also may have the specific security labels tied to the users. And as we've mentioned, objects. What are the objects? Those are different. They could be the computers, they could be the data itself.

(16:04):
And these labels are to indicate the overall security level of the data itself. Now, the security implications around this is that it allows you to have some very granular control. Your MACs can provide fine-grained control over access to resources. And then the complexity of this, though, is that MACs can be very complex to implement and they can be very challenging doing

(16:26):
so, especially when you're dealing with a large company. And when you're dealing with a mandatory access control, they do limit your flexibility for you to be very agile and to pivot. I would highly recommend that if you're going to use mandatory access controls within your organization, you use them in a very narrow margin or very narrow area, specifically around

(16:46):
maybe engineering, maybe in specific intellectual property areas, that would be a good place for mandatory access controls. Now you get to discretionary access controls. This is a model that allows users to gain access to resources based on their discretion. Okay, so like the title says, it's discretionary. And this means you can deny or grant access to people within

(17:10):
your organization. This works well. Obviously, SharePoint's a good example of how you can have discretionary access controls because the owner may allow everybody access to a certain folder, and that would be more discretionary. The challenge with it is obviously, as we'll get into, it can lead to some security challenges because now too many people have access to things.

(17:31):
Now it's got decentralized enforcement, so it's typically enforced by the individuals or the systems, as we've talked about. It is based on user discretion. Well, I like Bill, so I'm gonna give Bill access to my SharePoint site. Yeah, no, that's probably not a good idea. And so something to consider. I mean, we've had a situation multiple times, especially when you're doing SharePoint and SharePoint Online, where

(17:53):
owners of that will go, well, hey, I'm working with Bill from Company X, I'm gonna give them access. SharePoint Online, unless your company has very specific criteria around it, will allow outside entities access into your SharePoint environment. Teams is another good example. So you need to make sure that you have those controls in place and you really know what you're doing, and you educate your

(18:13):
people, because if you give your people the ability to make these kinds of decisions, yeah, they're gonna go hog wild crazy and they're gonna do it all over the place. And then you're gonna have a bigger problem to try to go back and clean up. Again, DAC is very flexible, much more so than MAC. There is risk because it can increase your unauthorized access, and then DAC can become complex to manage in large

(18:35):
organizations. Again, they're very hard, they require careful administration of user permissions. So, again, you need to really consider when you're dealing with MAC and DAC, what are your requirements? How complex do you want to be? How flexible do you want to be? And then are there any regulatory requirements that force you into some sort of mandatory access controls?

(18:55):
There are different regulatory requirements that do force that. So something to consider there. And then are you interested in maybe a hybrid type approach where you're mixing both the MAC and the DAC together? Okay, so now we're gonna get into defense in depth. So defense in depth is a strategy that involves implementing multiple layers of security controls to protect

(19:16):
systems again from unauthorized access. Now, the different ways of defense in depth, we're gonna go through, there's like six or seven different options around this to consider. There's physical security, right? So if you have physical security in place to protect from theft and vandalism, that would be a defense in depth. You have cables that are tied to your computers that are in your offices.

(19:37):
Another one might be network security specifically. Do you have IDSs? Do you have VPNs? What level of defense do you have for people gaining network connectivity to your environment? Do you have Wi-Fi that's on the same network as your business network, or is that on a separate network completely? Do you have a guest Wi-Fi network? All of those would be network security aspects that would

(19:59):
give you some level of defense in depth. Then your system security, what would that include? Such as antivirus, endpoint detection and response, MDRs, patch management, all of those things are specifically tied to the system security as well. So you have physical security, network security, system security.

(20:20):
Then you have application security. Now, application security is again focused on the apps themselves. And this can include input validation, output encoding, careful code reviews, and depending upon your organization, man, much of that might be already built into the applications that you have. Maybe you don't do a lot of in-house development, but you require that from the applications you purchase.

(20:43):
So that's one thing you want to consider as a security professional: do you set a minimum standard for applications before you purchase them within your company? That would be an application security situation. Data security, this is obviously focused on data loss prevention, and this would include encryption, access controls, and so forth. So that would be the data security around it. And as you can see, this kind of goes right down the OSI model,

(21:05):
right? You're not too far off of many of the things that we talk about in the OSI model; the things that you will look at from a defense in depth standpoint. User awareness training, again, that's obviously you want to train people to understand what are the security implications to your organization. And then by educating them, it will help limit, not prevent.

(21:26):
I mean, I've got prevent on the slide, but it's more or less help limit some of the human error that reduces the risk of your security incidents. But it does help prevent it and limit it. Again, you can come down to different, I would highly recommend some level of security awareness training for your employees of some kind. Phishing, password management, data security,

(21:47):
highly recommend it. Now, one thing you want to consider is if you are providing this level of knowledge to your employees, don't go hog wild. Keep it simple. I would focus on keeping it simple initially, making sure everybody understands, and then focus on the basics. Again, this is like it comes down to football, American

(22:08):
football, I should say, where you focus on the blocking and tackling. If you can focus on the basics, get the basics down, get those down really, really well, then the rest of it will come later. And I know a lot of times people don't like to hear that, but I think it's an important factor. Incident response, obviously, have a good incident response plan and define the people that are going to be implementing

(22:30):
this incident response plan. This includes identifying, containing, and investigating all the different incidents that you have within your organization that may come up. This could be some that are small, and then what criteria would it take to make it a large incident, and then how do you deal with that specific incident? Now we're gonna get into secure defaults. Secure defaults are a principle in security where you're

(22:53):
basically having the configuration of the systems and the applications at the most secure setting possible when you pull them out of the box. That means when they're installed initially or set up, this is where they're set up as secure as possible with their default settings. This is without you going in and tweaking them. This is just pulling it out of the box, flipping it on.

(23:13):
Is it secure? So the default settings, you need to really consider your system, your application, or your network settings need to be dialed in to where you want them to be from a default standpoint. And this could be the most restrictive, but yet not too restrictive, when your settings are around limiting access and functionality of the overall systems.

(23:34):
And you would want to make sure that with your network applications, you do disable unnecessary features. One good example would be around admins, and many times the applications will have default admins set up, and the username is admin and the password is admin. You'll want to make sure that those application defaults are not triggered like that. They're not set up to be that way.

(23:54):
Same with network defaults as well. Again, disabling unnecessary services, limiting specific networks, all of those things need to be considered when you're deploying them. Now, again, you may get it from Palo Alto in a certain way, and then you have to make some tweaks to it. But when you say a secure default, if you're getting it from Palo and it's set in a perfect way for you, great.

(24:15):
But if you need to make some modifications, the ultimate goal is that you modify the policy or the configuration file that goes along with it, and then that would be your default configuration file that you would send out. But you want to make sure that you set it up to where the default that is set in that system is the most secure, based on the risk for your

(24:36):
organization. You want to understand the least privilege principle. This is around again having systems with only the minimum necessary privileges to perform their task. We talk about this a lot in the CISSP, and it's a lot in security. You want them to have the minimum necessary privileges to perform what tasks they're doing. Again, the example I have is a database admin having full

(24:57):
access to the database. It's probably not a good idea. You don't really want anyone to have godlike credentials with an application. You just want to avoid that. And if you have to have it, then it should be like an in-case-of-emergency, break-glass kind of situation. Strong default passwords. Obviously, passwords are a big deal in today's world.

(25:20):
Passwords were really never designed to be what they are today, but you need to make sure that you define that they are at least 12 characters. They are up and down, you know, high, low, I can't think of the name of it. They're special characters, they're capitalized, they're lowercase, they're all those things. You need to have that set up as your default. And one thing I have seen people do is they go, well, you

(25:42):
know what, I'll keep the default password like eight characters, but I'm gonna have multi-factor enabled. Okay, well, that's good. It's not terrible, but at the same time, what if you have any accounts that don't require multi-factor? And so if they do, does that default that you have set up affect those places where multi-factor is not enabled?

(26:04):
So it's something to think about. Security updates, again, from a default standpoint, the system should be configured to automatically receive security updates. This has been an ongoing battle with many organizations, especially IT folks; they're like, well, I am not pushing out a security update to my company unless I have thoroughly tested

(26:24):
it.
And that's understandable.
And I'd say in some cases, uhthat is definitely warranted.
However, when you're dealinglike with Microsoft, for
example, do you have time?
How often have you tested aMicrosoft patch and has it
failed?
Now, somebody will come up andsay, well, yeah, it failed on
me, but in most cases, those arepretty solid.
And so do you want to go anddeploy them to your

(26:47):
organization? Now, maybe it's one of those things where on a security update you don't update it, you have it delay the update, maybe by, I don't know, a week, just to see if there are any issues with it. But realistically, that's a really good way for you to help with the security of your company: ensuring that your security updates are

(27:08):
automatic. Auditing and logging, turn those on, obviously, but the way we've talked about before, your auditing and logging is only as good as anybody looking at it, or as the amount of storage that you keep it in. If it's set up for one day and it just basically rewrites over itself after one day because of maybe a limitation on the amount of storage you have, then it's really not that useful.

(27:30):
So you've got to consider that. But one thing again, around login attempts, password changes, all of those pieces are an important part. And then again, around security awareness training, you need to educate people on the importance of all of this. Again, this isn't intuitive. It is intuitive for you all because you're listening to this podcast or you're going through my training and you understand

(27:51):
the fact that security is important. But most of the people that you will deal with do not; they see it as a hindrance, they see it as a problem, and it's just a pain in the bottom. So you're going to have to educate them on that. The next topic we're going to talk about is failing securely. What do you mean by failing securely? Well, there are basically ways you want to have the ability so that

(28:12):
when things go bad, you can recover from them after they fail. And one of those pieces is the fail-safe default. So what this involves is basically disabling certain features or reverting to a known good configuration. So if something happens, like a database, it might automatically switch to read-only mode if it detects a potential corruption

(28:35):
challenge. That would be a fail-safe default. Another one is graceful degradation. This is where it gracefully degrades to a functional state in the face of different failures. So it could, again, it's one of those that it'll continue to operate, but it could be at a much degraded position or state because of the fact that there's something going on.

(28:58):
A good example, or an example of this, might be a web application that displays a simplified error page instead of crashing if the back-end server becomes unavailable. Again, that's graceful degradation. Another one is error handling and logging. Okay, again, obviously we talked about this. This is where any sort of error that would happen will be captured in

(29:18):
those logs, and it can alert on those logs specifically. And this can allow you to help developers specifically come back and deal with troubleshooting various issues that are within their application. Separation of concerns. This is dividing the system into smaller independent components with the various responsibilities that it has.

(29:39):
This reduces the risk of failure in one component versus the catastrophic situation that may occur if it all goes down. So that's the separation of concerns. Web apps can do this, right? Because you may have specific areas within authorization and authentication that may allow the application to still continue to run if those are not

(30:00):
met to a certain criteria. Or, in the case of, let's say, your authentication, say it's an internal app and your authentication isn't working and it can't sync, then will it continue to run or will it just totally fail and give you a logout? And that might be the case as well. But you just have to determine within your organization if that's something that you would want to implement or not.

(30:20):
Redundancy and fault tolerance. Obviously, you want to have fault tolerance techniques to increase the system's reliability. This could be replicating data, using redundant hardware, or implementing failover mechanisms. This happens a lot with various systems that are in the network, to ensure that if they fail, they fail open or they fail in a

(30:43):
way that allows the system to continue to run. Security by design: you want to make sure that you develop this system from the onset. And this comes down to, when you deploy a new application, a new system, you think about security at the beginning. You don't think about it after the fact. And I think in the past that was definitely the case. It's becoming more and more common now, though, that as we

(31:04):
get more security folks within organizations, they're thinking about the overall security of these systems before actually deploying them. Testing and auditing, that's an important part of any system that you put in, to ensure that it fails securely and it fails safely. You want to test this and take these systems down, see what

(31:25):
happens. But you may have to do that, obviously, in a test environment, or you end up doing it on the weekends when people aren't in the office. But you'll want to test and audit those, either through tabletop exercises, that might be, or actually physically taking them down. Another part around failing securely is soft failures and hard failures. We'll kind of get into those just a little bit.

(31:45):
A soft failure is where temporary disruptions in the systems can often be resolved without human intervention. So it has a hiccup, right? And then it picks back up and it's going back again. Network issues, software challenges, power supply fluctuations, all of that stuff can be a soft failure. A hard failure is obviously when things have a complete loss of

(32:08):
functionality or the data. Hardware failures, critical software bugs, physical damage to the system. Again, the hurricane that rolled into town at the taping of this, they've got a lot of physical damage. So those are different areas that you'll have to consider. Now, some different strategies to deal with soft and hard failures. Implementing retry mechanisms for soft failures is an

(32:30):
important part. So if they keep retrying over and over again, do you have redundancy? Is there backup functionality? Are you monitoring these systems for soft failures and taking proactive steps to prevent them from escalating into potential hard failures? Are you seeing this happen? When you have hard failures, you want to develop a disaster recovery plan specifically around this.

(32:51):
And this also includes: do you have critical systems that you need to ensure don't go down? That's again, if they're going to go down, do they go down soft or do they go down hard? Now, if you're going with systems that are critical to your company, you'll want to build in some sort of redundancy so that maybe they go down in a softer fashion or they don't go down at all, obviously.

(33:12):
But one thing to consider is how you want to scale that within your company. Have backup and recovery procedures, and then you want to implement security measures to prevent unauthorized access to these. Again, it's important for you to build this out. You also want to have, depending on your organization, depending on your risk tolerance, regulatory requirements, and so

(33:34):
forth, you may want to consider pen testing to identify any weaknesses that you may find as well. That doesn't mean that a pen tester has to come from the outside into your organization every time. With a penetration tester, you may actually give them internal access to your network and allow them to operate. And then you make a decision on what they find. The next topic is separation of duties.

(33:56):
So separation of duties is a fundamental security principle that involves dividing the critical tasks that individuals perform among multiple individuals, groups, or organizational structures. This helps prevent one single person from having too much control over a system or process. I highly recommend this for your IT folks that are, like, domain

(34:16):
admins. There needs to be a level of separation of duties. One thing to consider is that if they're going to use your domain admin credentials, there's the two-person control, or the dual control, where you then have to have at least two people approve this type of activity. Parts of job rotation, we've talked about this as well, where an individual works in a certain role, they then rotate out of

(34:39):
that role into a new role for a period of time. This can be where they have mandatory vacations they have to do. It could be where you just do job shadowing and they move into another role, but in the process, someone else that moves into the role is looking for any sort of errors that may be evident. Dual control, we talked about this, where you have two or more people that approve critical actions within your

(35:01):
company. And this can work really well when you're dealing with purchase orders, money, anything along those lines. Mandatory vacations, again, you tell them. If you're in Europe, they all get vacations anyway, like six weeks. But they're mandatory vacations and they have to take them at a certain time. Now, you don't tell them when. This is where it gets really squishy: you tell them, hey, I'm going to tell you

(35:23):
that you're going to have to take a vacation, but I'm not telling you when. And you're going to take two weeks and you're going to like it and have fun. Which kind of, I've never seen this in a job, but I would think that in that job you might not be too happy, going, well, you're going to take yours in January, the middle of January, and you're like, where am I going to go in the middle of January? I guess someplace warm.

(35:44):
You can do that. But it kind of jacks things up when you have kids, because kids don't get off in the middle of January. Independent oversight, that's an important part as well, having security policies and procedures that can identify and stress potential vulnerabilities and risks. Privilege segregation, again, this is where you limit the privileges of people that are granted the specific

(36:06):
access. This could be the minimum amount that they need for their role, and this also helps prevent unauthorized access and reduce the risk of data breaches. So that's privilege segregation. Then there are change management controls. These ensure that all changes to systems and processes are properly authorized, documented, and tested. They don't allow anybody to go rogue and do what they want to

(36:27):
do. Again, this may require these changes to be submitted for approval and documented in a change management format. And this would be, they usually have a change management board that you may have to go through. Okay, so now we're going to keep it simple. So when you're dealing with keeping it simple, we talk about this in the CISSP, ISC2, they say, well, what is keeping it

(36:48):
simple? One thing you're going to learn with security is that complexity is the nemesis of security. The more complex you make things, the more insecure it's going to be. Contrary to what you might believe, you may go, if I make it super complex, it's going to be obfuscated, it's going to be hard for people to get in and get my data. It just makes it hard on your people to try to understand

(37:09):
where all that data is at. So you want to avoid complexity. Don't worry about the hackers. You can put the defense in depth in place, you can do a lot of different things that will help restrict this, but avoid complexity and keep it simple. Again, the more complex you make it, it's going to be hard on your people. They're going to make mistakes, the hackers are going to take advantage of it. That's just the way it's going to work.

(37:30):
So avoid crazy network topology. Oh, I had a network I looked at, and they had VLANs everywhere. They were everywhere. And I'm like, dude, this is really cool, but way too complex. And he's like, no, it's good, it's very good. And yeah, he was French, and so he was very strong-willed in

(37:51):
what he believed. We finally came to an agreement. I got him sort of moving in my direction, but it took a little while. So again, avoid complexity. Nothing against the French. He's just very strong. He had his opinion, and he had some very good opinions, some were maybe a little bit not as good, but that's okay. Standardization. Make this stuff as standardized as possible.

(38:13):
This includes topologies, technologies, processes, procedures. Avoid too many technologies. Oh my gosh. You just don't want to buy all the new fancy-schmancy tools. You want to avoid too much technology and you want to keep it simple. Processes and procedures need to be simple. The people need to know what they're supposed to do,

(38:34):
when they're supposed to do it, how they're supposed to do it. Again, keep it very to the point. Documentation: create documentation that is clear and concise. I will tell you this, though. Sometimes the purpose of documentation gets to be overwhelming. Depending on what the organization is and the culture, they may want too much documentation, where everything has to be signed in triplicate. So, what does that mean?

(38:54):
Nobody looks at it. It's never ever touched, ever again. So keep your documentation simple, easy to understand by your staff. A user manual is helpful, but watch the detail around it. Do just enough that they understand what they're supposed to do, but not too much that as soon as you've created it, it's now out of date. So you don't want to create documentation for the sake of

(39:16):
documentation. Another thing is automation. Automate any task you possibly can. Think about automation as much as you can do it. The more automated it is, I would beg to differ in many ways, the more secure it is, because it helps reduce some of the human error. That being said, the old statement is, it's poop in is

(39:36):
poop out. If you put bad stuff in, you're going to get bad stuff out. So make sure that whatever automation you put in, it's spot on and works. One of the ideas around that, again, is obviously automatically patching vulnerabilities, which we've talked about. Training and education, can't beat this drum enough. Now, I say this:

(39:54):
people are educated to the point where they just, like, go and say, ah, stop the madness. You have to teach them stuff that is important for what they do, but don't teach them too much. And the reason I say that is because they're not going to pay attention. Now, again, if they're security professionals, teach them a lot. If it's an end user that's in finance, he doesn't need to know

(40:15):
about all these crazy different techniques that you have in defense in depth and all these different aspects, unless he or she wants to know it. But in reality, they don't need to. They need to know what's important for their job to protect the data and the company. So, again, keep it simple, silly. Regular reviews and updates: you need to make sure that you do updates and reviews of all of your systems that you currently

(40:35):
have in place. Again, annual audits, potential vulnerabilities you look for, and then make any recommendations and improvements. Zero trust. Zero trust is a security model that assumes that any device or user accessing the network or system is a potential threat to your company. And therefore, a lot of the US government is requiring zero trust in all of their various larger areas, and you have

(40:59):
to be able to focus on basically anything that connects to the network as a risk to the organization. And so this includes going from focusing on perimeter security to granular access controls. And one of the aspects around it, I think it's a great concept, and I feel that you do have to assume that everything within your environment is potentially compromised.

(41:20):
The challenge is that you've got to understand your scope. If you make it too big and too complex, you'll never make it. And you may never get to a zero trust model within your entire network. It may be that certain aspects of your environment are zero trust, and other areas you just can't get there. It depends on the company. Now, with Zero Trust you need to have continuous verification of the integrity of the devices.

(41:42):
This includes users, applications, apps accessing the network or the system. And this can be done through multi-factor, device posture assessments, and so forth. And again, you need to make sure that you understand how you're deploying this. And I would recommend that if you're in a company, an organization that's been around for a while, maybe get a third party to help you with it, because it can be very

(42:02):
challenging. Micro-segmentation, this is breaking your network into smaller, isolated segments by roles, applications, data sensitivity, and so forth. Great concept. Again, you've got to do it a little bit at a time, in little bites. If you try to do this too big, too fast, you are going to break a lot of stuff and you're going to make people mad at you and you're going to lose money. Bad idea. So you just want to make sure that you have a really good plan

(42:25):
before you deploy Zero Trust. Least privilege is granting the users and the devices only the necessary privileges they need to perform their tasks. This means you have to get very granular and understand what each user is supposed to do, what their role is supposed to do. This also helps, though, to streamline some of the roles that you have, because over time, there are many roles that are just, like, huge.

(42:46):
They've got all kinds of credentials and entitlements that they shouldn't have. This will force you to limit that to a much smaller subset of roles, which is great, right? It'll help you with minimizing that. But you will have a lot of complaining people. So start small. Have I stressed that enough yet? Start small. Data-centric security, again, this is about the data,

(43:06):
wherever it resides, regardless of the location. It includes encryption, controls, and other security measures to protect the data both at rest and in transit. Again, this is where you want to watch your data and make sure it's in a certain spot. Network access controls: this enforces policies and prevents unauthorized devices from accessing your network. And this requires certain requirements, such as up-to-date antivirus software and firewalls as well.

(43:28):
And then cloud-native type security. You want to make sure that you deploy this. Now, cloud security versus your on-prem security: much of it is the same, much of it is very different. So the terminology is different, the vernacular is different, the concepts are similar, mostly the same, but there are nuances. So don't assume that your on-prem network

(43:51):
and your cloud network are going to be very alike. They may not be. And as you make a migration from your on-prem to your cloud, as many do, just keep that in the back of your mind. And also consider the fact that you may never ever get fully to the cloud. And I don't think I would recommend that. I think having it on-prem is an important part, especially when you're dealing with your more critical servers and

(44:12):
applications. Okay, that's all I have for you today. And thanks so much for joining me at CISSP Cyber Training. Hope you guys are enjoying this stuff. I hope it's great for you. Head on over there to CISSP Cyber Training. You can get access to all my content and check it all out. Things are good, life is good. Can't complain at all, never will. Have a wonderful day, and we will catch you on the flip side.

(44:34):
See ya.
© 2026 iHeartMedia, Inc.