Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerbert, and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:21):
Alright, let's get started.
SPEAKER_01 (00:25):
Hey, I'm Sean Gerbert with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is amazing. We're gonna be talking about subdomain 3.5 and mitigating vulnerabilities in security architectures. Yeah, this one's gonna be fun. A lot of fun. Yeah. So as you look at CISSP Cyber Training, there's a lot of content that we have available for you.
(00:46):
And you can go get all of that available to you if you just go to CISSP Cyber Training. This will be one aspect, obviously, of the 3.5. I will tell you, 3.5 is pretty gnarly. It's pretty big. Um, and uh we'll only be going over a small portion of it today, but it is. It's gonna be an incredible, action-packed, awesome podcast. You guys will just, you'll stay riveted, I know you will.
(01:08):
But before we get started, I wanted to talk about an article I saw just actually, it was a couple days ago, and it's quite interesting. So one of the things that I did when I was a uh hacker for the, way basically tied to the red team, the US Air Force Red Teams, was we would try to break into different types of networks on a routine basis. And we would, one of the things we would use is we would end up
(01:28):
utilizing the Wi-Fi networks of an organization, and we would use Yagi antennas, we would use all kinds of different types of tools and techniques to gain access to a Wi-Fi from a geographic location. Now, the thing is we had to actually go to that physical location to compromise the network and the Wi-Fi network. Well, now, yeah, the Russians have been very, very um
(01:50):
how do you say that, adventurous? And uh they honestly, it's a very neat technique what they did. It's pretty cool. I'm not happy that they did it, but on the flip side, I'm sure if the Russians are doing it, uh the United States and other countries are doing it as well. But they did decide, describe what occurred here. I've seen it in Wired and now it's also in Ars Technica, but really basically what ended up happening is that uh there's a
(02:13):
situation where the Russian GRU broke into a network of a high value target after first compromising the Wi-Fi enabled device in a nearby building. Basically, they're using it to exploit the target's Wi-Fi network. So, what they did in the past, well, we've done this where, or I say we, I did this where you would go from one server to another server around the globe, and your ultimate goal is to get
(02:35):
back to one location. Well, what they did was is they ended up compromising this network. So if you can kind of see the screen, you might be able to see it. If not, uh we'll, you'll hear it obviously on the podcast. But they compromised a network that was in a building from a remote location, and in the process of compromising that network, they did a credential stuffing on the adjacent
(02:56):
building's Wi-Fi network with the goal of breaking into it. Now, if you didn't have multi-factor on your Wi-Fi network, it's very possible that if they stole credentials from somebody else, uh they would be able to gain access to that Wi-Fi network from the network that they compromised. So it's a very similar technique as if you were, instead of just considering all networks one network, and if you can get
(03:18):
close enough to a Wi-Fi network, you can now hack into it with the credentials from somebody else. And we all know that our credentials have been compromised numerous times from various uh attacks that have occurred over the years. So you have to assume that your credentials are compromised and gone. So assuming that this is the case, it does demonstrate the
(03:40):
ability for the Russians to be able to, or anybody else, to be able to take your credentials once they have a persistent presence on a network, then use those credentials to connect to another Wi-Fi network and then be able to exploit it and run from that direction. Now, all of this sounds great, all of it sounds super Gucci, and I'll be honest with you, it's pretty scary, right?
(04:02):
It could happen to anybody. That being said, after doing this for many years, this isn't as easy as it looks on a piece of paper. You know, I just jump from one network to the other network. Now, it can be that easy, right? It can happen where the situation will go very quickly, and you can gain access and you can gain a foothold. I mean, ideally, what they would want to do is once they jump to this second network, is create some level of persistence
(04:24):
within that network. And then that way they can tunnel outbound to wherever they're at. They wouldn't want to use this Wi-Fi network to communicate data in and out of the network. You just really wouldn't because it's just too flaky. You can run into a lot of issues, but it does give you that initial toehold into a network where before you didn't have it. So the interesting part is though, is that this occurred,
(04:46):
they recommended that you put some level of multi-factor on your Wi-Fi networks and don't assume that just because they are segregated from someplace else that someone can't gain access to them. So just something to keep in mind. I will say I've never seen anything before like this. It's pretty cool. Uh, and I'm sure now that it's got people like little hornets
(05:06):
in a hornet's nest all buzzing around trying to figure out how to address this issue. But again, it was in Ars Technica. You can also see it there, and you can see it on Wired magazine. And it's just about spies hack Wi-Fi networks in a far-off land to launch an attack, target next door. Okay, again, Russian GRU breaking into systems and hacking them to the end of time.
(05:28):
Okay, now let's get into what we're going to talk about today. Okay, so domain 3.5, how to assess and mitigate vulnerabilities of security architectures. So the ultimate goal, again, is you can get all this information at CISSP Cyber Training, and you can get all this training there and available to you. Uh, again, we're going to be running a uh a Black Friday
(05:49):
Cyber Monday ad here to kind of reduce some of the price as far as our silver and uh platinum or gold platforms. But bottom line is that we want you to have this training that's available to you so you can pass the CISSP. The CISSP is not an easy test. I would love to say everybody that joins CISSP Cyber Training passes the test in flying colors.
(06:09):
That isn't always the case, right? The thing is it's up to you to study and be able to understand the information. And the goal of this is to be able to provide this information for you so that you can better understand what are some of the questions that are being asked. So let's get started with client-based systems. Now, what is a client-based system? This is a uh, there's client-based attacks that are
(06:31):
occurring, they're tying against various systems that result in gaining unauthorized access, stealing information, compromising systems integrity, and they can exploit various client-side, or at the individual side, applications, operating systems, and misconfigurations. Just what we talked about recently in that article from Ars Technica can happen to you.
(06:51):
So these are types of client attacks, client-based attacks that you can have that can occur. You have phishing, right? So this is where the attackers will trick you into phishing through emails, sensitive information, usernames, and passwords. They'll ask for it and you may provide it to them. This happens a lot. I mean, it really does. And I have a friend that, she's a little bit older and she
(07:12):
was, she's very concerned about these things, and we helped her get set up with a password manager to manage all of those things. But when it comes right down to it, people will try to manipulate others to try to gain access to very sensitive information. Malware, this is going to be infected by, obviously, my viruses, ransomware, spyware, all of these things are types of malware that can affect a client system.
(07:33):
There's, if we talk about the man in the middle attacks. This is where an individual connects, basically is in between. So if you have from point A is where one server is located or the client's located, and point B is where the information is going, they act in the middle, right? So they can intercept or alter communications between the client and the server, especially if the secure, if
(07:54):
it's insecure communication, such as maybe HTTP and not HTTPS. So again, man in the middle, important part for you to understand. Drive-by downloads. This is where a malicious script will occur on a website, and as you go to that website, files are automatically downloaded to the client system. These are things to consider when you have lots of employees
(08:14):
within your organization and you wonder where, what sites they go to. Hence, you want to put protections in place to limit potentially where your employees may go. So you can limit some of these drive-by download situations that could occur. Exploiting client-side vulnerabilities. This is where attackers will exploit bugs or weaknesses in web browsers or plugins, and again, that way we'll download
(08:37):
information to the individuals that are seeing them. So again, this can be Java, Flash, you know, PDF readers, all those types of things is the client side. Now, what are some defense strategies around this? Obviously, we talked about numerous on CISSP Cyber Training. You want to have updates, regular updates that are occurring. Antivirus or anti-malware. Now, I will say in the past, antivirus was the go-to.
(09:00):
Now it's you need more of an integrated concierge type solution where it's like EDR, endpoint detection response, some level of maturation at the endpoint is important, not just antivirus. And then obviously, user training is an important part in all of this. The next topic is applets. Applets are small applications that are designed to be embedded
(09:21):
within a larger application, obviously, such as a web page, right? Or to execute client code on the machine side or on the side, right? So the client side, you have some sort of machine code that's going to be running. These were typically used to enhance the functionality of web pages. Obviously, Java applets in the web browsers is one of the different areas, but they're less used today.
(09:43):
You will still see them depending upon the size, the age of your environment that you're operating out of. So, what are some of the risks of applets that you may see? One is security vulnerabilities. They could be in a vector for someone that could use a security vulnerability against them, especially since it's a bit older, has, they haven't been updated. It could be a situation where such like a Java applet could be
(10:03):
exploited and therefore pass off malicious code to the client systems. So that's a risk of those. Cross-site scripting or JavaScript injections. This is where if they're not properly sandboxed, applets may interact with the browser or other parts of the system in unsafe ways. And because of that, then it would allow the remote code to be able to go transfer into the browser itself.
(10:25):
In its communications, if the applets are allowed to communicate with the web server in a manner that's not secure, obviously in SSL or TLS, then it can expose sensitive data to the attack from the attackers as well. Some of the measures that you can do, obviously, disabling or getting rid of applets is an important part. They are outdated, they are older, you probably want to move on to something else besides them.
(10:46):
Sandboxing is another part of this, is where the applet itself is sitting in a critical or in an isolated sandboxed area. This would be extremely important on critical systems that you may have within your environment. Code signing and validation. This is ensuring that the data, the application itself, has been properly signed and is validated with a trusted certificate to
(11:08):
ensure that it's not tampered with or replaced by malicious code. So that's what you would deal with an applet. Local caches. Local caches are temporary storage locations on client systems where the data is stored to improve performance by reducing the need for repeated access to these remote resources. Okay, so it's just basically cached in a location where you can pull it from, right?
(11:28):
So this could be browsers, applications, operating systems, all these different places is a cache, right? That's where this data is stored. Now, these caches can provide a lot of information to individuals if they would like to gain access to it. So if one, you can run into situations with cache where it's sensitive data leakage. If you have data that's stored in this cache, such as login credentials, personal data, confidential documents, all
(11:51):
these aspects could be available to people if they were to try to get it. Also can have cache poisoning. This is where they alter the contents of the cache so that the client receives a malicious data or a package to manipulate the version. So their ultimate goal there is just that you put a little program out there so that the cache, when it's accessed, it will then do a dropper into your actual client system.
(12:14):
Outdated or stale data, these caches are not properly managed. It can be served with outdated data, potentially leading to operational errors, right? So if the more data you have out there that is potentially not being refreshed can lead to issues with your overall system. Now, this can be critical when you're dealing with industrial control type systems if they don't have, if they have outdated cache type activities.
(12:35):
Best practice for cache management, obviously cache encryption. I have never seen this myself. I'm sure it's out there and people do it, but I've never actually seen it done. Uh, this is where the data is encrypted and it's prevented so that you don't, you can't get unauthorized access to it. I think that makes it a little bit more of a challenge if you were to encrypt the cache, but I'm sure it can be done. Cache expiration, this is where your cache will delete itself or
(12:59):
refresh itself so that it does not become outdated or stale. So that's your cache expiration. Regular cache clearing, this is, I've seen this a lot with systems where they will actually go in and have an automated script that will clear the cache within your different systems. And this will help reduce the risk of data leakage and cache poisoning. And then no cache for sensitive data.
(13:20):
So, right, you're not allowing any sort of sensitive data to be in the cache itself, that it would only be like operational type files, not passwords, not sensitive information, and so forth. All right, so database system architecture. So, what are the data, what does this mean? Well, we're gonna get into various aspects around a database so you understand what, how, if you hear these or see these terms on the test, you understand what they're actually
(13:43):
talking about. So, a database management system, this is typically designed as a software that's designed to store, manage, and interact with the databases, so a DBMS. And you'll see, you'll hear DBMS in many different places within an enterprise. I've dealt with multiple clients, and they've included the one I used to work with, and they all deal with some form of a DBMS system.
(14:03):
And it's designed to create and maintain and control access to these different databases. And this provides interfaces for managing data efficiently and securely, right? You hope it's secure at least. Now, the internal level of this, you have a physical schema. Now, this describes how the data is stored on a storage media. It involves defining the physical storage structure such
(14:25):
as files, indices, and the blocks of storage that are set up specifically. You then have the conceptual level, which is your logical schema. This is the logical view of the entire database, including the tables, views, the relationships, all of that stuff is all tied up into the conceptual level. So you have internal, conceptual, and then you have external. Now, the external level is user-specific views of the
(14:48):
database showing only the data that's relevant to the specific user or their application. Now, that being said, different users can have different views of the data depending upon the access privileges and what they're allowed to actually see and not see. So you have your overall data DBS, you have an internal level, you have a conceptual level, and then you have an external
(15:10):
level. Now, when you're dealing with databases, there's hierarchical databases and they organize the data into three tree-like structures, right? So you've heard about, you've heard, I mean, I can't even speak. You've heard about these different types of uh hierarchical structures. We're gonna get into some key characteristics around this. But the ultimate goal is that these are, you have, well, each
(15:31):
parent has only one child for each of the branches. So there's a one-to-many relationship. The data is structured in a parent-child relationship where the parent record can have many child records, but each child has only one parent. Okay, so you can only have one parent, but you can have multiple child records. The data retrieval part is efficient, yet while filing
(15:52):
hierarchical, but it becomes more complex when you get into non-hierarchical queries. So one example of that would be XML databases. These use hierarchical structure for organizing your data. And if you've ever looked at an XML file, you'll see that it's very structured, it's very hierarchical kind of flow. I don't know how to really explain it other than the fact that it, you can, it can make sense just seeing it that it is
(16:13):
in that kind of format. Now we're gonna get into distributed databases. A distributed database consists of multiple databases, okay, that are physically located across different locations. And these are logically connected to work as one unified system. So now you, instead of having just one database, one DBMS, you now have a distributed DBMS where you have multiple
(16:34):
databases all tied together and they act as one. Obviously, you can see this a lot with AWS and the overall cloud environment where if you get into a database out there, those are, I mean, you can get them very relational, very specific, but if you're doing any sort of like backup data, uh DR type planning, those are set up in a distributed DBS type format.
(16:54):
And this ensures that there's data consistency and transparency across the entire system. This works out really well within manufacturing facilities where you have multiple databases that are tied to make sure that you have all the documentation and the products. In the beginning, many of these industrial control environments had a very single database that's done for a specific purpose. But as time has gone on, they've become more distributed because
(17:17):
they know the value of the data itself and how important that it can be within your industrial control environment. So, what are some key characteristics around this? Data distribution. Data can be distributed across different sites for load balancing, redundancy, and fault tolerance. If you're getting into the overall part about maintaining your business resiliency, having a distributed data set is a very
(17:38):
important part. You wouldn't want all of your data stuck in one location because if that site goes down and becomes a smoking crater, you then at least have the data in other locations. Replication, some or all the data can be replicated across sites for availability and reliability. An important part is do you have a good replication in place? If you have, and this is usually tied to some sort of DR plan,
(17:59):
have you had a chance to go and exercise and reconstitute that data? It's an important part that you go out and you test this to ensure that you're actually properly have the ability to recover in the event that you have a problem that goes bad. Transparency, users do not need to know where the data resides and how it's distributed. That's another part about this, is that if it is distributed,
(18:22):
the users don't need to know that, okay, that database is sitting over there. Oh, wait, I'm a bad person. I'm gonna go steal some information from that database. Yeah, nope. You want that it's distributed because then they don't need to know specifically where it's at. That being said, one of your key risk factors for your company is your database admins. Yes, those people are naughty.
(18:42):
No, they're the ones you're gonna have to watch out for because, or I should say, their accounts more not. I mean, you should watch out for them. You should watch out for everybody, but you should watch out for their accounts because those folks have the ability to do all kinds of damage and steal all kinds of data. Because where does the data reside? In databases most of the time. Now, consider security considerations. You want consistency and integrity.
(19:03):
This is ensuring that data across multiple sites remains consistent, especially during failures or updates. Again, that's an important part. If you have all this information in a database, you want to make sure that it's consistent and it's there and that you can recover from it if needed. Network security is an important part of this, though, because it also helps ensure that if the data going between those databases is properly protected and from risk of interception.
(19:27):
So you have encryption, you have secure communication protocols, all of those things should be in place. And then access controls. Distributed systems must be well managed, yes, with role-based access and clear segregation of duties. Again, watch out for those naughty database admins because they are like, just, they're on rate. They're on rate, yes. No, you want to make sure you have good role-based access in
(19:49):
place for all people gaining access to any sort of database within your organization. Now, ODBC databases. This is open database connectivity. That's what the ODBC stands for. ODBC is a standard API for accessing database management systems. Now it follows the DBMS and provides an ODBC driver, making the platform independent and enabling interoperability
(20:11):
between different databases and applications. It's a lot of words. But what it comes right down to is ODBC databases there work really well in the manufacturing facilities because the databases are all very different. It allows you basically to have an interaction between two databases that are of different nature, different manufacturers, different stuff. And that's where the ODBC connection comes in.
(20:33):
It's just an API type connection and it's very, very useful. The downside is that you do lose some data when you have these ODBC connectivities. Not lose data, that is not the right word, but some of the context, some of the granularity you would have between databases that you would like if they were all the same type is lost a little bit unless you have really good coding around your APIs.
(20:54):
Now key characteristics related to this. This is standardization. Now the ODBC allows for applications to communicate with various types of databases without the needing to know their underlying implementation plan, right? So it's, ha ha, it works. It's what your ultimate goal is, that it is some level of stream, streamlicity. Yeah, that's not even a word, but it'll be a word for today.
(21:14):
It is, it allows standardization between them. There's a driver model. The ODBC uses drivers specific to databases being accessed, such as you have MySQL, you have SQL, you have um, they talk, they have one that I saw was PostgreSQL. Never heard of that one. GRE, post GRE SQL. Never heard of it. But there's lots of different types of databases that are
(21:38):
available to people. Uh but the ODBC does have drivers specific to each individual database. Then the security considerations around this is authentication, right? So ODBC connectors should have used strong authentication. Yeah, they don't always do that. And I will say that I've seen it time and time again where I've had to implement strong authentication with ODBC. But when you're dealing with the manufacturing facilities
(22:00):
specifically, that can be a bit of a challenge and problematic. So you want to make sure that you can put that authentication in there somehow. However you can do it is highly recommended. Encryption. The connection should be secured with some level of encryption to protect the data. Again, they're API calls. Don't store the keys in the API call if you can.
(22:21):
Again, depending up, you also got to weigh the risk out within your organization. If this is something that this ODBC connector is with your web server facing the world, yes, you want all this stuff tight as possible. If this was within your industrial control environment, that's maybe following the Purdue model, and it's 12 barriers below the seven levels to hell.
(22:42):
Um, I don't even know what I'm talking about, but that, you know, it's like buried in the bowels of this thing, then you may not, due to a risk situation, want to, want to is not the right word. You may to choose, you may elect to not encrypt that data because it's so far buried within your organization. And in reality, if an attacker gets that far down within your
(23:03):
company, that's probably the least of your worries. So something to consider if you're looking at database systems. NoSQL databases. So NoSQL, it's called not SQL, which that doesn't mean like it's, there is NoSQL, just means it's not SQL. Um and they're designed for large-scale distributed data storage. And because if you deal with SQL, okay, so the regular SQL,
(23:25):
yeah, you have to deal with a lot of licensing challenges. I mean, it's super expensive. So NoSQL is a great alternative to that in the fact that it works very, very well. Uh, and it works very similar to what SQL would do. However, it is uh used primarily a lot within distributed data storage locations. And I've seen it worked both with SQL and with NoSQL in the
(23:49):
same environment, but it's used to store unstructured and semi-structured data. They're typically more flexible and scalable than the traditional relational databases. Now, the types of NoSQL databases, I'm just focusing on these because of the fact that you may see these more out there than you will other types of databases. Uh, document-based, you got MongoDB. I use that a lot when we're dealing with my developers and
(24:12):
the various types of documentation they had. They have CouchDB, these all store JSON-like type device documents. Key value stores, this is Redis, DynamoDB. Column family stores, this is Cassandra and HBase. Uh, this is where they store data in columns rather than rows. I have never seen this. I've heard of Cassandra, but I've never actually seen it myself.
(24:32):
And then graph databases. These are taking off. Graph databases are, uh, their data is stored in nodes and relationships in a graph. So much more useful from a contextual standpoint, from what I understand. I've never, I've just heard they're being used more. I've never actually used the graph database a whole lot myself. Scalability. The NoSQL databases are often designed for horizontal scaling
(24:54):
and making them suitable for handling large amounts of data and high velocity transactions. So that's the key with a NoSQL. Again, NoSQL databases often lack the robust access controls of relational databases. So you need to require a special attention on those and make sure that they are in a position where they're best protecting your organization. And then data integrity. There is, NoSQL databases often trade off ACID properties for
(25:17):
better scalability to ensure eventual consistency and data integrity. Okay, so they're, again, there they don't, there is some level of data integrity because they're just trying to roll through them, the data is put in there as transactionally as quickly as possible. Again, you can make this as good as you want. You can make these changes to your NoSQL databases. It just requires a bit more finesse to do so.
(25:39):
And then obviously, encryption. It's important for you to put a level of encryption on your NoSQL databases when possible. Now, relational databases, these are organized as data into tables, also called relations. Okay, they have rows and columns and attributes, and these are all set up within a structured query language.
(26:00):
Okay, this is the querying and managing of data. Now, these are in tables because the data is stored in tables, and relationships between the tables are defined where using the keys. Now, normalization, data is organized to reduce the redundancy and improve data integrity by decomposing the tables into smaller related tables. So it just basically takes from big to small. Now, the ACID transaction, which I talked about before on the
(26:23):
last one, but I didn't really get into it. This deals with atomic, consistent, isolated, and durable, which guarantees data integrity even in the event of system failures. That's the ACID test that we talked about there earlier. And this is where the relational databases can have that. That adds a level of overhead that you're gonna have to work through if you decide you want to utilize these SQL type
(26:43):
databases within your organization. Um, you're dealing with candidates and primary keys. So the primary key is a key that is in the field or a set of fields that uniquely identifies the record within a table. Now you'll have these keys and they are unique, and you'll need to understand that how, and again, real quickly, you'll understand that I am not a database guy.
(27:04):
I just, I've dealt with these a bit to the point of understanding how they typically work, but to the level that you may want to get into at some point in your life, uh, I'm not your guy. But this will be helpful a lot with your CISSP just to understand the key terms that you're gonna potentially, they may ask you on the test itself. A candidate key is a field or a set of fields that can serve as
(27:26):
a unique identifier for a record. So you have a primary key, you have a candidate key, and then you have a foreign key. And this is the table where uniquely identifies the row in another table, establishing relationships between the two tables. So the foreign key allows you, the two tables to connect and establish those relationships. So primary, candidate, and foreign key.
(27:46):
Now, some security considerations, obviously, with relational databases. Access control, similar to NoSQL. Got to make sure you have the right people having the right access to the databases and avoid those database admins who are kind of just, you just never know. Just never know what they're gonna do. Your data encryption, data encryption both in storage and at rest during the transmission as well.
(28:07):
Now, I will tell you the onething about databases that I've
always struggled a little bitwith is data at rest.
The data is really, in manycases, especially in a large
organization, it's never trulyat rest.
Uh, it's just you're you havethe data in a database to
protect it from the event thatsomebody might walk off and
steal it.
Because at any point in time,something is querying a
(28:27):
database.
So this is the part, it's just Igo, well, but when data is at
rest, like it's sitting there,it's lounging on a couch, eating
grapes and drinking wine.
It's not doing that.
It's being queried on a numerousbasis, being written to uh or
modified in some form or fashionon a continuous basis.
So it's really never truly atrest.
(28:48):
Well, I mean, I'm sure some is,but for the most part, it's not.
Now, data encryption is animportant part, though, that if
you're talking about dataleaving an organization or a
database, you want to ensurethat it is encrypted because of
the fact that who could besnooping it and sniffing it, you
just don't know.
And then SQL injection prevention.
This is the proper input validation, prioritize queries, and escaping special characters are essential for SQL injection
(29:12):
attacks.
What you want to avoid, obviously, is the inputs that come in and what and then the content that you have set up with your SQL environment to avoid that if there's special characters used, what kind of what happens?
Does it barf all over itself and give out all kinds of information?
You want to make sure that you have some level of injection protection against your databases because they again,
(29:33):
like we mentioned before, they contain all of your data.
Okay, so next I'm gonna focus on security for multi-level databases.
Now, these are databases that store manage data within different security classifications, such as top secret, secret, unclassified data.
And you will see this obviously in military or government type context.
So these are the multi-level databases.
(29:55):
Obviously, when you're dealing with multi-level databases, you want to have multi-level security.
This ensures the data is protected according to the classification level, and you don't want the streams to match or to cross.
You don't want top secret into secret and vice versa.
And so, therefore, it enforces the clearance levels and the need to know policies that are set up within that database.
You also have a strong level of labeling when you're dealing
(30:18):
with some sort of classification, such as top secret, secret, you want to have a labeled based on the security level in which it's going to be protected.
And users can only access the data for which they have the appropriate clearance.
Important part when you're dealing with classified information.
And as in this doesn't have to happen with a contracting company, or with, I should say, with the military government,
(30:39):
uh, or with the military and the government, it can happen with a contractor, it can happen with a different sort of third party.
Uh, but as you're looking now, we talk at CISSP Cyber Training at CMMC rules that are coming out now, the cybersecurity maturation, maturity, uh, yeah, something like that, uh, certification.
I think that's what that acronym is for.
(30:59):
But bottom line is if you are a defense contractor or work for the government in sensitive data, you have to manage this data in a way that is protecting it.
In the past, they haven't really, they've tried to do some things, but it's all been pretty ad hoc.
Now the government's coming down and cracking down on that because what they have learned, come to learn is that most of the third parties have a majority of the data for the
(31:20):
government, and therefore they need to put in some in some level of standardization and protections of this information.
Security considerations, obviously, access controls are an important part, and you need that to for users to access the data and that matches their specific clearance level.
And then data inference.
This is preventing unauthorized inference, right?
Or sensitive information who only have access to the lower
(31:41):
level but might deduce, that's a big $10 word, might deduce the higher level information.
Basically means I used to do this in the military when we were hackers, we would be able to gain access to all kinds of unclassified information, but we would be able to deduce what was else was going on.
And so that was an important part.
Now you that that's because we are able to gain access to all
(32:02):
this information, it actually paints a picture of what else was going on in those organizations.
That's what it can happen within any company, right?
So if you have a lot of company that's like say you have intellectual property that's protected uh by this big 10-foot door that normally one person can go into twice a year, uh, then but everybody talks about it.
Well, the secrets in open, plain and open.
(32:25):
I can't think of that word.
It's just basically an open site.
Uh you you can see it, right?
Because everybody talks about it.
So it's really not a secret anymore, other than the fact that you pretend that it's a secret, but yet everybody all understands what the secret is.
So yeah, that's one of those things you should kind of want to avoid.
Now let's get into server-based systems.
Now, server-based systems are central components of the most
(32:46):
IT environments.
These systems host and provide various services, applications, and data to clients, users, and other people, other servers, right?
So servers are an important part.
They are typically where a majority of your data resides.
It isn't usually in the share, it is in SharePoint in those different places, but the majority of the server of the data is residing in the servers.
(33:06):
These are designed to be scalable, especially now in the cloud environment.
You can scale these babies up, you can do all kinds of fun things with them.
But that's the server-based systems.
Now, key security considerations.
You have access controls, right?
You want to make sure that you have, like we've talked about time and again, there's proper access controls in place.
RBAC, role-based access controls, awesome.
Strong passwords, least privilege, least privileges as
(33:28):
well.
It's an important part of your servers.
You want to limit who has access to this.
Patch management, make sure the bloody buggers are patched and kept up to date.
Server operating systems and applications must regularly be patched.
I see this time and again, they don't get patched as well.
Uh they the client-based systems will, because they are tied to Microsoft or some other company and they're just automatically
(33:51):
patched.
Servers, on the other hand, they don't put these on an automatic patching cycle because if you automatically patch servers, what ends up typically happening is things break.
And especially if you have an old legacy type application running, they will break.
And if they break, then people get mad.
And then people don't like getting mad and they don't like things breaking.
So what do they do?
They don't patch them.
So patching your servers is an important part.
(34:13):
Hardening them as well is obviously because depending on where they sit, you can protect them from denial of service attacks.
Now, this denial of service attack, if it's obviously a web server sitting out in the cloud, yeah, that you definitely need to protect against that.
But could you deny have a denial of service within your network?
Oh, yes, you can, and you should protect against that.
What does that mean?
It means if you have like a set of servers that are critical to
(34:34):
your organization, it would be highly behoove you to put them into a spot that would protect them from the other parts of the servers within your organization.
One, it would limit the amount of attacks from outside entities, potentially.
Two, if there is a denial of service, it wouldn't potentially impact your organization or those servers that are sitting in an off a little island off on themselves.
(34:56):
So something to consider with that.
Monitoring and logging.
You want to have all this stuff going into a SIEM.
It's your security information and event management system.
So all of this data from these systems need to go in there, right?
They need to go in, and that way you can monitor them, you know what's going on.
So you need to have some level of logging, whether even if it is just basic logging with those systems, you should have
(35:17):
something in place.
Data protection.
This is often where the data is your most critical data.
It should be uh protected.
Now, again, we talk about the data encryption at rest and in transit.
It's an important part.
Uh, you need to define what is best on your organization based on the risk profile to your company.
So, how much do you want to do?
The data, like I said before, the data that is tied to servers, usually databases that are connected to these servers,
(35:40):
are some of your most sensitive data.
So you need to consider how do you best protect it.
That being said, some of these organizations may have gazillions of servers, right?
Lots and lots of servers.
So take a risk-based approach.
Uh, I struggle with organizations that don't do this and they just say, well, protect it all.
Well, if you're gonna protect it all, you're gonna protect any of it.
I'm sorry to say.
It's just really gonna be a challenge for you.
(36:01):
So you want to make sure that you have a take a risk-based approach.
Now, as a CISO or as a security professional, you're gonna have to communicate that to the senior leaders so they understand what you're getting at.
Because when it comes right down to it, if they don't understand it, uh, it ain't gonna happen.
So make sure they understand what you're trying to accomplish.
If this is the important part where you make your money is
(36:21):
being that influencer and helping people understand the risk.
So, some examples of service-based systems, obviously web servers, application servers, file servers, all of those pieces can be tied to uh a server, right?
And that those are ones you should protect.
Next, we're gonna get into industrial control systems, so ICSs.
So work extensively in industrial control environments
(36:41):
and understand those pretty well, right?
I mean, you know, honestly, you don't really get those unless you work in them and understand how that they work from a standpoint of a manufacturing point of view.
I worked for a chemical manufacturing company in the past, so uh understood those pretty well.
And ICS systems, they are, and also taught it in college, but an ICS system they include a wide range of control systems
(37:02):
used to monitor and control physical processes.
Now, this includes manufacturing, energy production, water treatment, and transportation.
ICSs typically consist of a supervisory control and data acquisition or SCADA type systems.
Uh, they included also just DCS, which is a distributed control systems, and a PLCs, which is your programmable logic
(37:24):
controllers.
So that's the that's the typical architecture of an ICS environment.
These are tied to, again, all kinds of things, from something that makes like a hole punch to something that controls chemical manufacturing, nuclear facilities, you name it.
They all they they go they spread the gamut.
And so if you have a manufacturing facility of some
(37:44):
kind, you probably have an ICS environment in your environment.
Now, in a lot of times and a lot of cases, these ICS environments are blended in with your overall enterprise, which makes them a bit of an easy target.
And because of the fact that you can get access to the enterprise, you can get access to your ICS.
ICSs typically are not as protected from updates and
(38:05):
patching and all those wonderful things as your traditional enterprise environment is because you're dealing with a lot of proprietary type equipment, which can struggle to be updated.
So, some key security considerations when you're dealing with ICS is segmentation and isolation.
They should be physically or logically isolated from their corporate IT environment.
(38:26):
The Purdue model is one of those aspects that was almost a physical, it's actually a logical separation, but you can get into a more of a physical separation.
If you are dealing with a nuclear facility, yeah, they would be physically separated.
You cannot connect the two together.
But depends on your organization, you may or may not have that.
Now, network segmentation, firewalls, and DMZs will help
(38:48):
control traffic between IT and OT environments.
And that's an important part of your organization is to have this segmentation in isolation.
Legacy systems and patching, many ICS components are legacy systems with limited support for updates, right?
We just like I mentioned before, there's very little, I shouldn't say little, there are updates becoming more and more important
(39:08):
and more critical for organizations to do this.
But at the same time, there are not nearly enough patching that's occurring.
Access control and monitoring, there's strict access controls should be in place for both physical and network access to ICS important or uh components, and you should have that available.
There should be this very similar access controls that you would have within your network, your enterprise network, that
(39:30):
you should have within your ICS environment.
And if you can't get that because they're segregated, you need to come up with a plan on how to do that.
Incident response and recovery.
You need to have a good business resiliency incident response plan for your ICS environment.
It's just an important part, and you need to plan for that.
Safety and security integration.
When many ICS environments, safety and security do overlap.
(39:51):
Things go boom, they tend to go boom when you're dealing with ICS environments.
And so, therefore, the security has a physical consequence around it.
Uh And it this has probably been one of the biggest challenges that people have had in the past is to understand that the coexistence between cyber and physical security.
It's always been there, but it's been they've always thought that
(40:12):
they're separate.
Well, as we're seeing more and more today, there's a big blend between physical and cybersecurity.
There they really truly do.
And you're gonna need to, as an experienced professional, to help your physical security people understand that connection together.
It's less obvious when you're dealing with your enterprise network, but it's much more obvious when you're dealing with
(40:33):
your ICS or manufacturing facilities.
That can be something they can equate to and they can understand because most all of the physical security guys, when I bring it up to them, they all come back and say, Yeah, I kind of use a computer to log in and to understand my network.
Right.
So they understand it.
Uh, and so therefore, it's important that you, as a security professional, help them become a better adroit to what is actually going on.
(40:54):
Now we talked about some examples, right?
So SCADA systems, PLCs, and DCSs.
Uh, they are all part of the overall ICS import uh ecosystem.
That being said, DCS, a distributed control system, is usually tied to large enterprise type systems where they have large industrial processes.
Small uh mom and pop shops won't have a DCS, they're just super
(41:16):
expensive and there's really no need.
But they may have PLCs on their shop equipment.
So I know it being here in Wichita, Kansas, we have lots of manufacturers for the aerospace industry.
They have PLCs that are on these systems that are making, punching out all kinds of stuff.
But they don't have a DCS.
They're all tied into one server, and ideally they would
(41:36):
be separated, but most likely they're all on the their own business network.
Now, that being said, if a hacker gets over of a punch, uh yeah, that's not a whole lot he or she can do.
However, potentially they could hurt somebody with it.
Uh, not that they would do that on purpose.
Most times is they just do a ransomware attack and try to get money.
And but the part is if that system becomes infected and is
(41:59):
up for ransomware, now it's unavailable and maybe something, some process is happening and it could potentially hurt somebody and the whole facility.
So it's important for you to have really good security on ICS.
I you I kind of spent a little extra time here just because the ICS environment is a huge part that has just gone under serve.
And uh I will focus on the water treatment facilities for your
(42:22):
where you live.
That's under an ICS.
And you know what, as a security professional, like we've mentioned before in this podcast, you should be using your skills for good and helping those people, not for evil.
Not and really, you shouldn't do any for evil at all, but you shouldn't you should definitely be doing them for good.
So that's what I'm gonna talk about with the ICS.
Okay, that's all I've got for you today.
(42:42):
So I hope you all have gotten a lot out of this podcast.
Again, go to CISSP Cyber Training and check it out.
Or you can go to my other site, that's reducesyberrisk.com if you're looking for a security professional uh to help you with your security needs.
Reduce Cyber Risk can help you with that.
Again, all purchases at CISSP Cyber Training all go to nonprofit, uh the Shepherd's Hope, I think that's what it's
(43:03):
called.
Um, and that will be fully live and active here in December.
Yes, I have to get that done.
Uh, but all act all funds are going to the Shepherd's Hope and is for adoptive families.
So anybody who is looking to adopt a child uh that really needs an extra help, this is what all the funds that go for it from CISSP Cyber Training all go to help those people because
(43:23):
it is extremely expensive to adopt a child.
And that's what our ultimate goal is to create something to help people out.
Because in reality, there just needs to be more help, right?
We just all need to help more.
All right, I hope you guys enjoyed this.
Again, go to CISSP Cyber Training, get access to all of this content.
Again, this is about this is a small subset of section 3.5.
There's at least another, probably 20 more slides that we
(43:45):
go through on all this aspect.
And this is all available at CISSP Cyber Training.
All right, have a wonderful day, and we will catch you on the flip side.
See ya.