Master Your 2024 CISSP Exam Prep

CISSP Exam Cram Full Course (All 8 Domains) - Good for 2024 exam!

Estimated read time: 1:20

Learn to use AI like a Pro

Get the latest AI workflows to boost your productivity and business performance, delivered weekly by expert consultants. Enjoy step-by-step guides, weekly Q&A sessions, and full access to our AI workflow archive.

Summary

Dive into the ultimate CISSP Exam Cram course designed for those preparing for the 2024 exam, provided by Inside Cloud and Security. This comprehensive course covers all eight domains of the CISSP exam, offering insights on effective study strategies, essential concepts, and recent updates from 2021. Whether you're a seasoned professional or new to cyber security, this series promises to sharpen your knowledge and prepare you to ace the CISSP exam, avoiding expensive boot camps and ensuring a practical, focused approach to passing with confidence.

Highlights

Complete insight into all eight CISSP domains prepares you for 2024 🚀
Real-world tips from a CISSP-certified CISO and strategist 🛡️
In-depth restructuring of previous exam materials with new 2021 content 🚀
Detailed coverage of technical subjects like cryptography and security models 🛠️
Streamlined-paced learning designed to compliment your study style and speed ⏩

Key Takeaways

Learn all eight domains included in the CISSP exam for 2024 📚
Experience an optimized learning strategy from a seasoned CISO and cyber strategist 🌍
Grasp complex concepts like TCP/IP, cryptography, and access controls easily 🔍
Understand new topics and their implications for modern cyber security landscapes 🚀
Equip yourself with tools and resources to accelerate your CISSP exam prep journey 🚀

Overview

Inside Cloud and Security brings you the quintessential CISSP exam preparation course, perfectly updated for aspiring 2024 exam takers. Designed by an industry-leading CISO and cyber strategist, this course is industrially structured to cover all newly updated domains, reflecting the latest in cyber security practices and standards.

This comprehensive series distills the often challenging and broad CISSP content into eight digestible domains, emphasizing the exam's most pivotal topics. Enjoy insights into effective studying techniques, real-world applications, and domain-by-domain breakdowns to enhance your understanding and memory retention.

With content adapted for both new entrants to cyber security and seasoned professionals, the course promises to uncover and simplify complex areas like cryptography and network security. The goal is to equip you not just with knowledge to pass, but to thrive in your cyber security career with confidence and expertise.

Chapters

00:00 - 00:30: Introduction This chapter serves as an introduction to the CISSP Exam Cram series, titled the 2022 update. It covers all eight domains of the CISSP exam and outlines the recommended exam preparation strategy. The speaker, a cybersecurity strategist, CISO, and educator, will incorporate multiple learning techniques to aid in quicker and more effective preparation.
00:30 - 01:00: Course Overview In this chapter, the speaker emphasizes the practical application and everyday use of knowledge gained from the CISSP exam. They highlight their personal experience in helping thousands of individuals achieve cybersecurity certifications, like the CISSP, without the need for expensive boot camps. The primary goal is to assist learners in progressing quickly and efficiently in their exam preparation by focusing on key topics and eliminating unnecessary discussions.
01:00 - 01:30: Exam Preparation Strategy The chapter titled 'Exam Preparation Strategy' focuses on mastering key characteristics of concepts to efficiently tackle exams. It emphasizes identifying right and wrong answers quickly, using proven learning methods that have been successful for many candidates, including the speaker. The speaker intends to accelerate learners' progress by sharing useful techniques for individual study. The narration's pace is deliberately set at 115-125 words per minute, accommodating non-native English speakers.
01:30 - 02:00: Course Content This chapter, titled "Course Content," provides guidance on adjusting the playback speed of the course material to suit individual language proficiency levels. It acknowledges that non-native English speakers might find the default speed suitable, whereas native speakers might prefer a faster pace of 1.25. The chapter emphasizes focusing on high-probability exam topics, challenging concepts, and frequent question sources, as opposed to covering every single topic in the official study guide.
02:00 - 03:00: Exam Format and Details The chapter discusses effective strategies for exam preparation, particularly focusing on high-probability and high-difficulty areas to optimize study time. It emphasizes the importance of process memorization and presents an updated strategy that adjusts previous methods for improved outcomes among exam candidates.
03:00 - 04:00: Managerial Approach This chapter discusses a recommended exam preparation strategy for the CISSP exam, suggested by the speaker based on personal experience and insights from previous candidates. It covers techniques to prepare efficiently for all eight domains of the exam. Additionally, shorter videos will be provided to address particularly challenging areas reported by students.
04:00 - 05:00: Learning Techniques The chapter on 'Learning Techniques' introduces a structured approach to navigating the video content, including a table of contents to skip to specific topics. It mentions that viewers can find additional materials such as a PDF presentation and a list of FAQs in the video description, enhancing the learning experience by providing various resources for further exploration.
05:00 - 20:00: Domain 1: Security and Risk Management This chapter provides an introduction to the course and its resources, with a focus on ensuring that learners have access to updated materials and errata. It emphasizes that while the course aims to be a comprehensive study resource, it may not be perfect, but it strives to be affordable and effective. Testimonials from other learners highlight the course's value.
20:00 - 30:00: Domain 2: Asset Security The chapter discusses the eight domains relevant to a particular exam and notes that there has been little change in the weighting of these domains between the 2018 and 2021 releases. Despite some updates in the 2021 syllabus, they are described as incremental, indicating minimal differences from previous versions.
30:00 - 45:00: Domain 3: Security Architecture and Engineering The chapter discusses the changes in experience requirements and the content expansion in subdomains to adapt to the evolving times, although there is almost no change in domain weights. It notes the static nature of the linear exam and the cat exam, despite the expansion in subdomain content.
45:00 - 49:30: Domain 4: Communication and Network Security Domain 4 covers aspects of Communication and Network Security, focusing on the changes in the content to align with modern trends. It mentions that new topics have been introduced reflecting these updates, emphasizing the adaptive nature of the syllabus to keep pace with current demands. The chapter also discusses the format of the CAT exam, which as of March 2022 is a three-hour session encompassing 100 to 150 questions, underlining the computer-adaptive nature of the test.
49:30 - 55:00: Domain 5: Identity and Access Management This chapter focuses on the concept and format of a specific exam, most likely related to the field of Identity and Access Management. It explains how the exam adapts in real-time to the test-taker's performance. As you answer questions, the difficulty adjusts to maintain a 50% chance that you will answer incorrectly, increasing or decreasing based on your previous answers. Once you select an answer, it is final, adding to the challenge of this format, which many, including the speaker, find makes the exam more difficult. The passing threshold is seventy percent, and not all questions contribute to the final score.
55:00 - 57:30: Domain 6: Security Assessment and Testing The chapter discusses the importance of understanding each domain of the CISSP body of knowledge to pass the exam, emphasizing that failing any single domain results in failing the exam. It mentions the presence of unscored pre-test questions used for future exam development, advising not to worry about them since only pass or fail results are recorded. The chapter also highlights an upcoming change to the CAT exam scheduled for June, although the specific details of the change are not provided in the transcript.
57:30 - 70:00: Domain 7: Security Operations The chapter discusses upcoming changes in the exam format for Domain 7: Security Operations. The changes include an increase in the number of pre-test questions from 25 to 50, resulting in a total of 125 to 175 questions over a span of 4 hours. However, there are no changes to the syllabus or content, implying that the preparation strategy remains the same.
70:00 - 78:30: Domain 8: Software Development Security The chapter focuses on Domain 8, which covers Software Development Security. The author recommends a strategy for exam preparation, emphasizing the importance of using the official exam study guide (ninth edition) in electronic form. This version offers access to a wealth of resources including a thousand online practice questions and flashcards, which aid in effective study and preparation for the exam. The electronic format is highlighted for its ease of searchability, enhancing the study experience.
78:30 - 79:30: Conclusion Chapter Conclusion: The chapter provides a recommendation to purchase the ebook from Amazon, specifically the ninth edition updated for the 2021 release of the CISSP exam. The focus is on addressing a common question encountered during preparation for the CISSP exam: 'How to think like a manager?'

CISSP Exam Cram Full Course (All 8 Domains) - Good for 2024 exam! Transcription

00:00 - 00:30 welcome to my cissp exam cram series this is the complete course we'll call it the 2022 update we're covering all eight domains of the cissp exam as well as my recommended exam preparation strategy incorporating multiple learning techniques to help you prepare more quickly and effectively and as a cyber security strategist for organizations around the world and a chief information security officer for a regional bank and an educator i can
00:30 - 01:00 promise you i use the knowledge i gained in the cissp exam every day more importantly for you last year alone i helped thousands achieve cyber security certifications including the cissp all without expensive boot camps and that is quite simply my goal to help you get further faster in your exam prep so we'll be focusing on the key points of every topic we won't spend time speaking unnecessarily
01:00 - 01:30 about any topic we're going to focus on the key characteristics of each concept that will help you identify right and wrong answers quickly on exam day this content utilizes several proven learning methods that have worked for many candidates before you myself included to accelerate your progress and i will share the techniques that you can apply in your study on your own i want to speak for a moment about my pace i intentionally speak at about 115 to 125 words a minute if english is not
01:30 - 02:00 your first language this may be just right for you if you do speak english as a first language you might find that increasing the speed to 1.25 may be better for you whatever works for you i just wanted to make you aware of that small detail and by design i'm not focusing on every single topic that appears in the official study guide i'm focusing on high probability exam topics high difficulty concepts frequent sources of questions from my
02:00 - 02:30 exam candidates and areas that require process memorization at the end of the day i want to direct your focus to the high probability high difficulty areas so you're optimizing your prep you're making the best use of your exam study time and this strategy has proven to work out well for exam candidates thus far and in this update i'm simply turning the knobs a bit tuning this strategy further to make it a little bit better still but
02:30 - 03:00 in terms of what we're covering in this video we're going to talk about my recommended exam prep strategy so the techniques that i suggest you use that many candidates before you have used that i myself have used to prepare for the cissp exam more quickly and effectively we'll touch on domains one through eight so every domain of the exam and i will also offer a few separate shorter videos to drill down on what students report to be the most challenging areas and i will call those
03:00 - 03:30 out at the appropriate points in this video anywhere i can there's a table of contents in the video description so at any point if you should want to skip ahead to a specific topic a specific domain feel free to do that and as with all of my videos you'll find a pdf copy of this presentation available in the video description you can click and download no sign in required and a link to additional resources faqs
03:30 - 04:00 exam updates and errata if there is any will be in the description beneath the video and you can't be the first to benefit from this material but you may be the next and i wanted to just share what a few other learners have said amongst the many testimonials we've seen throughout the last year and while no course is perfect i wanted to give you a comprehensive study resource and system without the hefty price tag
04:00 - 04:30 and if we look at the eight domains of the exam between the 2018 and the 2021 releases you'll see that the same eight domains are present in 2021 as were there in 2018 and the weighting of these domains has changed very little as you can see here if i were to describe the updates in the 2021 release of the cissp i would say the updates are incremental the new syllabus is not that much different from the earlier versions you'll find there's no change in
04:30 - 05:00 experience requirements or the number of domains the content in subdomains of course has been expanded to keep up with the changing times that's no surprise there's almost no change in domain weights as you saw if you happen to live in a country where you don't get the new computer adaptive testing or cat exam you'll find that the linear exam which is 250 questions and six hours long has not changed and there's no change in the cat exam details which
05:00 - 05:30 i'll touch on in just a moment and a few new topics have been introduced in some of the domains to keep up with the changing times i will cover those topics in line as we cover domains one through eight in this course i want to fill you in on the details of the cat exam format cat stands for computerized adaptive testing and as of right now march 2022 the exam is three hours long with a hundred to 150 questions the number of questions
05:30 - 06:00 depends on your performance the exam adapts based on your answer and it aims for a 50 50 probability that you will get the answer to the next question incorrect so it's going to dial the difficulty up and down based on your performance and the answers are final there's no going back which is why many myself included think this makes the cat exam more difficult you need a seventy percent to pass the exam some of the questions are not scored
06:00 - 06:30 they're pre-test unscored questions used for research for future exam changes nothing you can do about it don't worry about it only pass or fail are recorded and if you fail even one domain you fail the exam so it pays to make sure that your knowledge is above the passing bar for every single domain in the cissp body of knowledge as you prepare for the exam i also wanted to tell you about a recently announced change to the cat exam that's coming in june so the
06:30 - 07:00 current exam includes 25 pre-test meaning unscored questions 25 more items will be added to that pool bringing the total to 50 pre-test items so the exam will then be 4 hours and 125 to 175 questions but no other changes to the syllabus or content which means no real change in how you prepare for the exam as you are right now
07:00 - 07:30 and now i want to take you through my recommended strategy for preparing for the exam if you've seen this before feel free to go to the video description and fast forward to domain one but if not we'll start with the materials so i recommend the official exam study guide the ninth edition in its electronic form you'll have access to a thousand practice questions online as well as a little over a thousand flash cards now and the electronic version is easily searchable that's why
07:30 - 08:00 i recommend you get the ebook you can buy it at amazon.com it's a touch over 40 u.s at the current time but do make sure you get the ninth edition which is the update for the 2021 release of the cissp exam so let's start with the million dollar question that we see frequently when we're preparing for the cissp and that is how to think like a manager and i'm
08:00 - 08:30 going to give you here the short version think like a manager in five minutes or less so it starts with due diligence versus do care and it's really about knowing our role so due diligence is practicing the activities that maintain the do care effort that's the book definition not very helpful is it now the do care definition is doing what a reasonable person would do in a given situation it's sometimes called the prudent man rule
08:30 - 09:00 but what you see here right away is that these two concepts work together that due diligence supports do care and these together will reduce senior management's culpability their liability when a loss occurs both their liability for their own organization and those in either direction of their supply chain i want to explain these two concepts to you a bit differently in a way i think will resonate with you so due diligence and do care can really
09:00 - 09:30 be looked at in the context of a decision that line in the middle is our decision so on the left we have due diligence this is the research the planning and the evaluation that frequently happens before the decision not always but largely before the decision and due care includes implementation of security controls operation and upkeep of those controls and reasonable measures to secure our organization and
09:30 - 10:00 its resources that's the doing after the decision so due diligence increases understanding and reduces our risk in a given situation and do care ensures that we take those reasonable measures as outlined in that prudent man rule so i mentioned that due diligence happens largely but not always before do care so that evaluation process is a recurring process we need to make sure
10:00 - 10:30 that our reasonable measures that we put in place continue to be effective over time so we're going to come back and reevaluate on a recurring basis through internal and sometimes external audits another way to look at due diligence and do care that may help you remember these and keep them separate and clear in your mind for the exam is that due diligence is about thinking before you act and do care tells us that actions speak louder than words
10:30 - 11:00 another way we see this labeled is due diligence is do detect the d d and do care is do correct so one of these is about the research and evaluation and the other about taking appropriate action so separating these into the before and after in your mind may be more helpful so let's look at examples of due diligence we have knowledge and research of laws and regulations industry standards and best practices
11:00 - 11:30 and on the do care side we have delivery or execution including reporting security incidents security awareness training and disabling access of users separating from the company in a timely way and thinking like a manager is all about knowing your priorities so if we look at our security planning horizons from operational to strategic so operational being short term and strategic being longer term as a chief information
11:30 - 12:00 security officer you really deal with risks that are escalated to the top and you send down the objectives as you see them in terms of their importance so your focus should really be right up here at the top of the pyramid at the strategic level you're thinking about human safety business continuity protecting profit reducing liability and risk and you are passing objectives down to the tactical and operational teams
12:00 - 12:30 which they will implement in the form of policy and planning and then actually implementing those recommendations and operating the environment on a day-to-day basis and one more perspective that may prove helpful is assume that you are in that organization to advise not to touch so during the exam think of yourself as an outside security consultant advising an organization you're there to advise on strategy priorities and safety you're not doing you're not laying hands on the
12:30 - 13:00 keyboard this may help bring focus to process your role to due diligence and do care now if you're interested in the long version of thinking like a manager check out my cissp mindset video it's right at half an hour it is the full story it does also include me walking through a couple of practice questions to show you how you can use this logic to reason your way to the best answer on exam day now let's take a look at some of those
13:00 - 13:30 learning techniques i promised at the beginning of this video the fact of the matter is there is no award for longest study time whether you prepare for this exam in two weeks or two months or a year and a half a pass is a pass and so if we can prepare effectively actually learning this content for the long term without spending a year and a half doing so we should absolutely do that and the number one reason that i am not a fan of those five-day boot camps where
13:30 - 14:00 you spend two or three thousand dollars and then go take your exam on day six is due to the length of time it takes to memorize anything to truly learn anything i can commit facts to short-term memory you know quickly by repeating my learning spacing my repetition out over a period of hours in fact with my fifth repetition only including a 48 hour gap within a week i can commit facts to memory very quickly now to commit something to memory for
14:00 - 14:30 the long term to really onboard that for the duration of your career typically takes more time and how much time it actually takes depends on your level of exposure and experience to these concepts but you can see if you're starting from scratch to truly memorize anything for a long time can take repetition over a period of days weeks and even months and there's a lot of power in repetition and i'll show you some techniques that we can use to repeat our learning in
14:30 - 15:00 different forms whether we're working on those short-term intervals or the long-term intervals we call this spaced repetition and the fact of the matter is between your sessions what you'll find from your first study session to your second to your third is that with each successive repetition you are remembering for longer and you are forgetting less information what you'll find is that your forgetting curve we call it becomes shallower with each repetition using
15:00 - 15:30 this spaced repetition technique and it's not purely about memorization we do need to identify our weakest areas and focus our repetition on the topics where we need work and we'll talk about how to do that in just a moment but at the end of the day our focus is to understand these concepts not just memorize them studies have long shown that understanding a subject before you memorize greatly improves your retention
15:30 - 16:00 because you're not just memorizing words and the exam will assume that you understand when and where concepts fit you need to be able to apply these concepts in the right scenarios so one learning technique that makes memorization easier is what we call a mnemonic device or a memory device and a common memory device is an acronym and i'll show you an example in a moment but our mnemonic devices are best when they are simple they are relevant to the
16:00 - 16:30 topic and visual where we can make them visual so let's look at a couple of examples here so we'll start with a first letter mnemonic and a good example of a first letter mnemonic is the osi model so back in the 90s i remember memorizing the osi model using a first letter mnemonic please do not throw sausage pizza away that was layers one through seven and then in the reverse all people seem to need data processing so one could argue that we
16:30 - 17:00 could make this more relevant by changing the words in our mnemonic let's try please do not toss security processes aside whatever works for you but we could argue that's more relevant another mnemonic here comes with the incident management framework so our acronym here is drm rrl drum roll if we pronounce it the letters don't spell it out quite right but you see i can add a visual element here as well to make it easier still for me to
17:00 - 17:30 remember that framework that process another technique that's useful when we're dealing with large amounts of information is chunking it's the process of breaking information into smaller pieces or chunks that make sense so let's take cryptography as an example we have asymmetric cryptography we have symmetric cryptography hashes block ciphers so we could break cryptography into these chunks for example and then i can break those
17:30 - 18:00 categories into smaller chunks yet let's take hashes for example i'll break this into chunks based on a unique property i find within these so let's take hash algorithms i'll take the message digest family and i see here that for md 2 4 and 5 they each have a hash value length of 128. i see that by and large they're not still in use with md5 there are some exceptions to that it's still used with file hashes
18:00 - 18:30 but in the cryptographic context not so much let's take the shaw family this is secure hash algorithm what i notice here right away is that the hash value length matches the name i can see here that most of these are still in use certainly all of the sha-2 family is still in use but shaw 1 is not that's a chunk i notice here that the hash value length matches the name of the algorithm that's useful in rounding out our exam prep strategy i
18:30 - 19:00 want to talk you through what i call the 80 20 strategy for identifying your 20 weakest area so you can spend 80 percent of your time there so it starts with the practice exams now whether you get the practice exams from the official study guide or elsewhere doesn't matter so much i'm going to show you how to use the exams in the official study guide to drill down to your weakest areas on a per domain basis and that's really the important question
19:00 - 19:30 here is how can i best use these practice quizzes to assess my exam readiness because the fact of the matter is if you get to exam day and you ask yourself am i ready if you don't know the answer to that question then the answer is no and the way i suggest you do this is by looking at how the book is organized per domain so chapters 1 to 4 in the book for example map to domain 1 security and risk management chapter 5
19:30 - 20:00 maps to asset security chapters 13 and 14 mapped to domain 5 identity and access management so if we use the quizzes at the end of these chapters we can focus our learning to find our weak areas in that domain and one of the more common questions i receive is how do i get access to those online resources that are promised in the book so if i just go to the electronic copy of the book i'm going to search for test bank one word and that will bring me to
20:00 - 20:30 the section here that describes the interactive online learning environment and test bank and you're instructed to go register at wiley.com you'll be prompted with a challenge you can only answer if you've purchased the latest copy of that book and once you sign in to the website you'll be presented with a page similar to this i'll find the cissp i'll log in there and ultimately i come to a page that looks just like this it's efficientlearning.com
20:30 - 21:00 and when i log in here i've gone through the process of registering i'll see the products that are available to me and i can go to the test bank so what you need to know here is that with these 1000 questions they are divided into exams in the quiz builder but we can customize entirely so what i'll do is uncheck question topic so i've unchecked all questions and if i go into those chapters i can select specific chapters to create
21:00 - 21:30 a custom quiz so for example chapters one through four i mentioned were domain one i will select just those four chapters i'll scroll to the bottom and here i can tell the wizard the number of questions i'd like so i want all 80 questions and now i can take a quiz that is only focused on domain 1 which is covered in chapters 1 through 4. and on that same screen where i selected the test bank the practice quizzes you'll
21:30 - 22:00 also see an option to select the flash cards but i commonly find candidates get into the test bank here and they can't quite figure out how do i take a quiz that shows me my weaknesses in a particular domain well that's how you do it you map the chapters out as you see here and again you can download this as a pdf so you'll have this information at your fingertips so moving through the 80 20 strategy as we go through that spaced repetition we have our practice exams that will help
22:00 - 22:30 us understand our weak areas which will spur some targeted reading we'll go read a little more on those topics where we have weakness to better understand the material we'll come back and review the powerpoint in this video and some of the other targeted drill down videos i have we'll look at live quiz or flash cards so the flash cards are great if you don't have a partner to help quiz you for example my spouse my wife helped quiz me as i was preparing but if you
22:30 - 23:00 don't have a partner then you can use those flash cards to quiz yourself on those topics but at the end of the day research has proven that we all function best when we learn using a variety of techniques so variety is the spice of life and it is very effective in learning subjects more quickly and there you have it that's my system which means it's time for domain one which is security and risk management now a few key areas
23:00 - 23:30 you'll be expected to know for domain one include risk and risk analysis you'll be expected to know the quantitative risk analysis formulas and how to apply them threat modeling concepts and processes and the frameworks that go with that compliance legal regulatory and privacy you'll be expected to have some summary knowledge of particular u.s laws and in the case of the eu gdpr a european law
23:30 - 24:00 that applies to u.s companies professional ethics you'll need to know the isc squared code of ethics by heart security governance principles like itil and finally security policies standards procedures and guidelines you'll need to know the difference between these four including which are suggested and which are mandatory in terms of what's new in domain 1 in 2021 when we break down the
24:00 - 24:30 exam syllabus 1.1 is now understand adhere to and promote professional ethics i would say generally speaking this is a non-event there's fundamentally no change from 2018 in terms of what you'll be expected to know for domain one so i mentioned you're going to need to know the cia triad by hearts the cia stands for confidentiality integrity and availability you'll sometimes see this expressed visually in the form of a
24:30 - 25:00 triangle with confidentiality being the first followed by integrity and availability so confidentiality is about secrecy or privacy and in the technology context that means access controls that help ensure only authorized subjects be those people or services can access objects whether that object is data or a system so integrity ensures that our data or system configurations are not modified without authorization
25:00 - 25:30 if a threat actor modifies data without authorization we've now lost integrity that data is now no longer true and reliable and confidentiality and integrity don't matter if we don't have availability so authorized requests for objects those systems that data must be granted to subjects within a reasonable amount of time the cia triad is covered in chapter one of the official cissp study guide you'll want to know cia very well for the exam
25:30 - 26:00 definitely going to come up i mentioned the cissp code of ethics i'm not going to read you the full code here but at a high level it covers protecting society infrastructure the commonwealth acting in a manner that is honest and responsible and legal providing competent service to others and to advance and protect the profession the code of ethics itself is much longer than this you want to give the whole thing a quick read and
26:00 - 26:30 personally i find most of what's in here is common sense but but you'll want to have some familiarity with the terminology they use in here in case it comes up on a question so i want to shift gears and talk about security policy development so at a top tier security policy is your document that defines the scope of security that's needed by your organization the assets that need to be protected and to the extent we should go to to protect them but there are four levels of security policy
26:30 - 27:00 development so it starts with acceptable use policy which is designed to assign roles within an organization and to tie responsibility to those roles then we have security baselines which define a minimum level of security that every system in the organization needs to meet then we have security guidelines which offer recommendations on how standards and baselines should be implemented and these provide operational guidance for both our security professionals and our users and then finally we have procedures
27:00 - 27:30 which are those detailed step-by-step documents that describe the exact actions that are necessary to implement a specific security mechanism a control or a solution in protecting our data or infrastructure so tidbit for the exam when you're developing new safeguards you're establishing a new baseline a new security baseline which means that maintaining compliance with existing baselines is not a valid consideration point now let's move on to risk
27:30 - 28:00 management and risk analysis and i want to start with risk category so a category is a group of potential causes of risk so at a high level you have damage which results in physical loss of an asset or an inability to access that asset and then when it comes to information we have disclosure and disclosing critical information regardless of where or how it was disclosed if this was a malicious act as a result of a threat actor or unintentional
28:00 - 28:30 on the part of a well-meaning user and we have losses so losses might be permanent or temporary which could include altered data or inaccessible data so data altered without authorization affects integrity if we think about it from a cia perspective and then if you think of an attack like ransomware for example which renders data inaccessible and permanently inaccessible unless we can recover and then we have risk factors and risk factors factors are something that
28:30 - 29:00 increase risk or susceptibility to loss so in the realm of risk factors we have physical damage natural disasters power loss vandalism we have malfunctions so whether that's a failure of a system or a network or a peripheral or the hvac system we have attacks now these are purposeful acts of of a threat actor whether that's from the inside to the outside like unauthorized disclosure for example so continuing on risk factors human errors now these are usually considered
29:00 - 29:30 accidental incidents where attacks are generally purposeful incidents then finally we have application errors which would be failures of the application including potentially the operating system now security planning may come up on the exam and there are three types of plans you need to be familiar with the first is the strategic plan this is the long-term plan that's fairly stable it should generally include a risk assessment and the strategic plan typically has a five-year horizon and
29:30 - 30:00 you'll update it annually this helps to align the goals of the security function with the organization's missions and objectives the next one is the tactical plan this is a midterm plan it's developed to provide a little more details on the goals of the strategic plan this is typically going to have a horizon of about one year the tactical plan gives us a little more flexibility we can make some ad hoc adjustments here when circumstances dictate and the final plan
30:00 - 30:30 of the three is the operational plan so this is a short-term highly detailed plan that drills down on the strategic and the tactical plans and by short term we're typically talking about monthly or quarterly the operational plan will have budgetary figures staffing assignments scheduling and typically step-by-step implementation procedures so now let's talk about response to risk
30:30 - 31:00 so we have several ways we can respond to risk the first is risk acceptance and and that means simply doing nothing we simply accept the risk and the potential loss if the threat occurs and if the safeguards or counter measures outweigh the potential loss in terms of their cost then just simply accepting a risk might make sense the next option is risk mitigation or
31:00 - 31:30 sometimes you'll hear this called risk reduction and when we mitigate risk we implement uh countermeasure and we accept the residual risk that's the risk that's left over once our safeguards our security controls are in place now in risk assignment this is also called risk transference we're transferring or assigning that risk to a third party like in purchasing insurance against damage
31:30 - 32:00 and outsourcing to companies with specific expertise is another way we commonly see risk assigned or transferred so next is risk avoidance so when the cost of mitigating or accepting a risk are higher than the benefits of the service itself then avoidance is a good idea so for example i might decide to locate a business in kansas instead of florida to avoid hurricanes if i decide that the cost of
32:00 - 32:30 mitigating the risk of hurricane damage to my business is too great so continuing down this road risk deterrence is another potential response and implementing deterrence to would-be violators of security and and policy is a pretty common response in the real world and deterrence would include things like implementing an audit policy to deter folks from
32:30 - 33:00 malicious behavior for example in the i.t department security cameras are security guards to defer deter unauthorized entry onto our premises or even something as simple as warning signage and then finally we have risk rejection and i want to point out this is generally considered an unacceptable response it's a possibility but it's not acceptable this means to simply reject or or ignore
33:00 - 33:30 the risk just treat it as it doesn't exist obviously never a good idea to just bury our head in the sand because problems don't just go away but remember handling risk is not a one-time process this is an area you're going to have to revisit on a recurring basis and refresh your responses to risks and to determine if the nature of these risks has shifted in some way and require changes on your
33:30 - 34:00 part let's talk about risk management frameworks now the primary risk management framework referenced on the cissp exam is the nist 800-37 framework and that's currently in revision 2. if you'd like to read it end to end i'll have a link to 800-37 in its latest revision down in the description for this video now
34:00 - 34:30 you'll also hear some other risk management frameworks mentioned but i want to point something out here so from the cissp study guide it says consider the following risk management frameworks for use in the real world so the key there is for use in the real world so they mention octave and fair and tara and the fact that they say consider these for use in the real world while mentioning that nist 800-37 is the primary framework that tells me i'm not going to worry much about these i'm going to
34:30 - 35:00 focus on nist 800-37 now this nist framework establishes a process steps and you with any process in cissp you need to make sure you know these steps in order and really it's depicted by some as a preparatory step followed by six main steps i'm going to just give you the seven steps so when we talk about that preparatory step uh preparing to execute
35:00 - 35:30 the risk management framework is that preparatory step so so if you ever see nist 837 presented as six steps it's because they leave the prepare off so second step is categorizing your information systems and we're looking at the information process stored and transmitted by the system based on analysis of the potential impact for loss next is selecting security control so we need an initial set of controls for the
35:30 - 36:00 system and to tailor those controls to our reality to reduce risk to an acceptable level based on our risk assessment step four we implement security controls and we describe or document how those controls are employed within our systems and our environment and then we're going to assess those controls to determine if they're implemented correctly if they're operating as we intended in our environment and most importantly are
36:00 - 36:30 they producing the desired outcomes are they meeting our security and privacy requirements and expectations so next we authorize the system and by that i mean we authorize the system to operate in a normal environment and at that point the organization is accepting the risk formally for the system and because this is not a one-time event your risk management is a process
36:30 - 37:00 uh step seven is monitoring our security controls periodically assessing that our controls are effective documenting any changes to the system and conducting risk assessments periodically as necessary and remember i mentioned this is a process right for any process in cissp we need to know those steps we want to know them in order some folks will use a mnemonic device or a memory device that's called using the first letters of
37:00 - 37:30 these steps in the framework so for example for for these letters for pcs i am i could use the mnemonic device people can see i am always monitoring so at test time if i'm a little foggy on nist 800-37 i can at least get the first letter of each of these seven steps by remembering my mnemonic device people can see i am always monitoring that was something we did very commonly
37:30 - 38:00 with the osi model back in the day and we'll talk about that in a later domain in this series and a few other things for the exam so do remember when you're talking about risk management and and risk analysis not every risk can be mitigated that's just a fact and it's management's job to decide how that risk is handled so when you hear me talk about thinking like a manager when you're taking the cissp exam remember it's the role of a
38:00 - 38:30 security professional to be a risk advisor to advise the decision maker who is the manager and also when multiple priorities are present always remember human safety is the most important i bring that up now that it may not even come up as a part of this domain but it's an important point so i wanted to just mention it early on here left i i forget remember to prioritize human safety when you're presented with many options and
38:30 - 39:00 remember when legal issues are involved calling an attorney is a valid choice it might not seem like a valid choice because it's technical folks you may want to solve every problem but when we put our manager hat on calling an attorney is a great example of risk transference right or or assignment we're outsourcing our problem to an expert so let's talk for a moment about types of risk so residual inherent and total
39:00 - 39:30 are three types of risk so we have residual risk which is the risk that remains even when all our conceivable safeguards are in place that's the risk we can't get rid of and at that point the risk management function has chosen to accept rather than to to mitigate or transfer or assign that residual risk sometimes there's a bit of risk there we just can't shake so we're accepting
39:30 - 40:00 then there's inherent risk newly identified risk not yet addressed with risk management strategies so another way of saying that is its inherent risk is risk that exists in the absence of controls and this is one that that you don't really see in every cissp text i bring it up because i've seen it a time or two and it's worthy of mentioning but total risk is the other that you want to be very familiar with and that's the amount of risk an organization would face if no safeguards were implemented so
40:00 - 40:30 to say it another way if we just look at those three types of risk residual risk is after controls are implemented that's the risk that remains inherent risk is risk that exists before we've implemented our safeguards and then total risks would be the risk present without any safeguard so for the exam you really want to focus on residual risk and total risk these are going to come up in a formula and this is the first time i've mentioned formulas but formulas are very
40:30 - 41:00 much a thing when we talk about risk analysis and management on the cissp exam so a few tidbits for the exam so be able to explain total risk residual risk and the controls gap which is the amount of risk that's reduced by implementing safeguards we'll see controls gap in a formula and talk about that a bit more a little later in this installment so to calculate total risk know this
41:00 - 41:30 formula threats times vulnerabilities times asset value equals total risk and we'll look at some of these formulas later in this installment because you will need to understand the several formulas as they relate to to risk and how to use them to arrive at good decisions so we can also express risk itself as a formula and risk can be defined as as threat times vulnerability so yes you know threat and vulnerability are
41:30 - 42:00 expressed as numeric values as probabilities so stick with me to the end of the video we'll we'll see more formulas here and we'll we'll look at a couple of examples to help you get the ball rolling and if when we're done if maybe you'd like to see a video dedicated to nothing but the formulas that are going to come up for you on the cissp exam just leave me a comment and i can make that happen so i want to shift gears now from risk to risk analysis so so there are two
42:00 - 42:30 ways at the highest level to evaluate risk to our assets there's qualitative risk analysis and quantitative risk analysis so quantitative assigns a dollar value to evaluate the effectiveness of our countermeasures quantitative risk analysis uh really is the more labor-intensive of the two methodologies it employs typically a lot of data collection and analysis
42:30 - 43:00 using cost benefit analysis it results in specific values that we're really what we're doing is removing guesswork and opinions from the process it's really if if i were to describe quantitative risk analysis in one word it's objective it requires a lot of information and effort typically but at the end of the day it's going to assign a tangible dollar value so we can evaluate the effectiveness of our
43:00 - 43:30 response to risk so let's look at the risk analysis steps involved in quantitative risk analysis so this is specific to quantitative risk analysis we're going to talk about qualitative in a moment so step one is inventorying your assets and assigning a value and you might be asking yourself what's that out what's that text out there in red i'm putting some some terms and some
43:30 - 44:00 acronyms out here because these are going to come up in formulas that we discuss later in this module so these are going to be important you'll wind up revisiting this slide to to perhaps think think again through these steps and and what the outputs of the step are so step two we're identifying threats we're going to research our assets we're going to produce a list of all the possible threats to each asset and here we're going to calculate ef
44:00 - 44:30 which is the exposure factor and the sle which is the single loss expectancy we're going to get to what these mean in just a moment i just want to set the stage for you so you know what some of these outputs are and this will all come together when we talk about the formulas step three you'll perform a threat analysis to calculate the likelihood of each threat being realized within a single calendar year you're calculating the annualized rate of occurrence again that acronym is going to show up in a formula here momentarily step four we're
44:30 - 45:00 going to estimate the potential loss by calculating the annualized loss expectancy and the fact that the word annual or the concept of yearly is coming up here should tell you that this process is an ongoing process right this is a recurring process we're going to revisit periodically within our organization it's not a one-time exercise step five we're going to research counter measures for each threat and then we're going to calculate changes to the annualized rate of
45:00 - 45:30 occurrence so in other words how often is is this event going to occur and what is our annualized loss expectancy based on the counter measures that we've applied so if we've done our job right the the annualized rate of occurrence and the annualized lost expectancy are going to be lower than when we started in step six we're going to perform a cost benefit analysis of each of our countermeasures for each threat for each asset
45:30 - 46:00 to determine in a very dollars and sense fashion if we've made good decisions in our selection of countermeasures so let's talk about qualitative risk analysis so qualitative risk analysis uses a scoring system to rank threats and the effectiveness of our countermeasures relative to the system and the environment it requires guesswork and estimation it definitely uses opinions however
46:00 - 46:30 it does provide meaningful results if i if i could summarize qualitative risk analysis in one word it would be object subjective because it involves opinions and while it's going to tend to be less accurate it is a quick way we can make some estimations that we can then use to guide our efforts in the deeper quantitative risk analysis so so a lot of times qualitative risk analysis can serve as that way we take a five minute
46:30 - 47:00 rough cut at the problems we're dealing with i can rank impacts as low medium high i can throw out some percentages to just get to a point that i know what i'm dealing with in terms of the probability and impact of of the threats we're working with of the the risk we're trying to to deal with uh you should be familiar with the delphi technique for the exam as well so in qual qualitative risk analysis this is uh basically anonymous
47:00 - 47:30 feedback and response used to arrive at a consensus a couple of other considerations when it comes to risk analysis uh there's lost potential so so what would be lost if the threat agent is successful in exploiting a vulnerability and then delayed loss and this is the amount of loss that can occur over time because the reality is you don't lose everything all at once in certain situations for example if
47:30 - 48:00 an exploit takes down your firewall and from in front of your web farm and your web farm is unavailable you lose money over time as customers can't reach your website that's delayed loss and i mentioned threat agents here the threat agents are what cause the threats by exploiting vulnerabilities the vulnerabilities are the weaknesses in your assets or in your safeguards for that matter so i promised you we would talk about
48:00 - 48:30 those important formulas and that time has come so we're going to talk about the relevant terms and the formulas that we use to calculate their results so we have exposure factor single loss expectancy annualized rate of occurrence annualized loss expectancy and safeguard evaluation so these all factor into
48:30 - 49:00 some key formulas that are definitely going to show up on the cissp exam so let's dig into these terms and the formulas that go along with them so we'll start with exposure factor ef this is the percentage of loss that an organization would experience if a specific asset were violated by a realized risk so this is a percentage of loss so so ef or exposure factor is expressed as a percentage
49:00 - 49:30 single loss expectancy or sle so this represents the cost associated with a single realized risk against a specific asset so this gives us a one-time loss figure so the formula for single loss expectancy is the asset value times the exposure factor so the asset value is going to be a number a dollar
49:30 - 50:00 figure the exposure factor will be a percentage which is expressed as a decimal when we're doing the math so let's look at a sample here so if i have an asset value on the left here of a hundred thousand dollars and a tornado is estimated to do thirty percent damage to my asset so that's going to be point three my exposure factor is thirty percent uh and my single loss expectancy then
50:00 - 50:30 would be 30 000 or the asset value times the exposure factor okay this is just the tip of the iceberg so let's keep going here so annualized rate of occurrence or aro so this is the expected frequency with which a specific threat or risk will occur within a single year so the annual rate of occurrence is an important input for this next item and that is annualized loss
50:30 - 51:00 expectancy so this is the possible yearly cost of all instances of a specific realized threat against a specific asset so we look at that in a formula the the annualized lost expectancy the ale is the single loss expectancy times the annual rate of occurrence so so the sle is the one time
51:00 - 51:30 uh loss and then we take that times the annualized rate of occurrence so if we have an sle of 50 000 and we have an annualized rate of occurrence of say 0.5 because a particular threat only occurs once every two years 50 000 times 0.5 is 25 000. so i've explained that simply there but i started with an sle we'd already calculated let me take you through an
51:30 - 52:00 end-to-end example of annualized loss expectancy so we have an office building that's worth two hundred thousand dollars and we estimate that hurricane damage uh would be fifty percent uh of the value of this building and hurricane probability is one every ten years so ten percent or point one okay so we have to start by calculating the single loss expectancy right
52:00 - 52:30 so the single loss expectancy is the two hundred thousand dollar building times the damage estimate of fifty percent or point five so our sle is one hundred thousand dollars now we're going to take that sle and that factors into our ale equation so we'll carry that hundred thousand dollars into the next equation here and that is the single loss expectancy of a hundred thousand dollars times
52:30 - 53:00 the annualized rate of a current or aro and our hurricane probability is one every 10 years so the annualized rate of occurrence is 0.1 so so if a hurricane probability was one every single year that would be one even right but one every ten years means point one so we take that hundred thousand times point ten and our annualized loss expectancy
53:00 - 53:30 is ten thousand dollars so what this tells us is that the safeguards we put in place better not cost more than ten thousand dollars a year or we're spending more to protect this building than we're essentially going to save so that gives us the the value of the safeguard so while we're on that subject that that gives you a dollars and cents answer right so while we're on that subject let's talk about how the value of the safeguard is
53:30 - 54:00 expressed then so we call that safeguard evaluation so good security controls will mitigate risk they're transparent to users they're difficult to bypass but the last one here they're also cost effective so in our previous example we saw that the safeguard shouldn't cost us more than ten thousand dollars a year or we were spending too much relative to the reduction in loss so so
54:00 - 54:30 safeguard evaluation has a formula so it's the annualized loss expectancy before the safeguard minus the annualized loss expectancy after the safeguard minus the annual cost of the safeguard that gives us the value of the safeguard so we're really trying to answer the question is the safeguard cost effective if we're spending more to protect an asset than we're saving in ale then we don't
54:30 - 55:00 have a cost effective answer there so there's your formula expressed a little more simply so ale before the safeguard minus ale after the safeguard minus the annual cost of the safeguard so again i hope these examples have been helpful if you need more help with formulas if we need to do a video with just the formulas go down to the comments drop me a note let me know we can make it happen
55:00 - 55:30 so the amount of risk reduced by implementing safeguards is known as the controls gap and to see control's gap in a formula we can look at residual risk then so residual risk is total risk so the risk and absence of controls minus the control's gap gives us that remaining or residual risk so if total risk is a hundred thousand dollars the controls gap is fifty thousand dollars
55:30 - 56:00 our residual then is fifty thousand dollars and the expectation that you know all of these formulas and how to use them make quantitative risk analysis one of the most difficult topics on the cissp exam so one of the most important videos you can watch is my quantitative risk analysis just the formulas video where i walk you through a real world example where we apply those formulas to a realistic use case you'll find a link
56:00 - 56:30 in the video description the cissp exam will also test your knowledge of applying risk-based management concepts to the supply chain so today most services are delivered through a chain of multiple entities that is to say one product like a car for example really you know while it has a car company's label on it likely includes components from multiple companies and certainly may be transported by multiple companies
56:30 - 57:00 to the dealership so a secure supply chain includes vendors who are secure they're reliable they're trustworthy they're reputable and you need to evaluate the vendors in your supply chain to ensure that's true so when evaluating third parties in the chain you want to consider methodologies like on-site assessment visiting an organization interviewing personnel and observing their operating habits to ensure they are as safe as they claim to
57:00 - 57:30 be document exchange and review and this means to investigate the means by which this organization exchanges data sets and documentation as well as the formal processes by which they perform assessments and reviews there's processor policy review so requesting copies of their security policies their processes
57:30 - 58:00 or procedures and you could finally opt for a third-party audit so having an independent auditor provide an unbiased review of an entity security infrastructure our next topic is one where i suspect you'll have some memorization ahead in order to be prepared for exam day and that is threat modeling which
58:00 - 58:30 can be proactive or reactive but the goals are are to eliminate or or at least reduce threats significantly and your threat modeling approaches can take one of three common forms they can focus on assets where asset valuation is is used to identify threats to valuable assets we want to to focus our our spending on assets that have value to the business right focusing on attackers is another common
58:30 - 59:00 approach where the the process is focusing on the attacker's goals and then finally focused on software where considerations center on potential threat against the software the organization develops or implements so let's talk through a few of these models remembering that they can focus on assets attackers or software so one of the more common threat modeling frameworks and it's mentioned in the cissp is stride which was actually developed by
59:00 - 59:30 microsoft so so remember that in case it gets called out as a detail in a question so the stride model focuses on the the potential threat so spoofing tampering repudiation information disclosure denial of service and elevation of privilege so because these were developed by microsoft we see this as a software focus right it's focused on potential threats
59:30 - 60:00 to to software and i believe most of these are going to be pretty well known to you repudiation might be a term that you're not super familiar with and that's the ability of a user or an attacker to deny having performed an action or an activity and that often takes the form of the attacker staging the situation to blame someone else and then there's spoofing that involves falsified identity tampering which is data manipulation you know restaurant
60:00 - 60:30 transit but remember stride is developed by microsoft and remember the terms there that uh that map to the acronym right all right so moving on in the threat modeling discussion let's talk about pasta which focuses on developing counter measures based on asset value and there are seven stages of pasta but the key here it's a threat modeling approach that focuses on asset value
60:30 - 61:00 which really gets to the heart of the matter right because when we're dealing with with risk management it really comes down to implementing cost effective control so when we're modeling threats focusing on asset man on asset value is a great idea okay moving on there's the vast threat modeling approach which stands for visual agile simple threat so this is based on agile project management principles
61:00 - 61:30 so the bottom line goal of vast is to integrate threat management into an agile programming environment so next up is the dread model which is based on the answers to five questions so damage potential so how severe is the damage likely to be of the threats realized reproducibility so how complicated is it for attackers to actually reproduce to
61:30 - 62:00 implement the exploit exploitability so how difficult is it to perform the attack affected users this is really about headcount right how many users are likely to be affected by the attack as a percentage and that could mean internal users and that could mean you pay the bills users your customers and then discoverability so how difficult is it for an attacker to discover this weakness
62:00 - 62:30 because a significant weakness five or six layers deep in our defense and depth may not be such a big problem for us so certainly something we might want to address but maybe we'll will push it down the priority list so rounding out our our threat modeling discussion is the trike model which focuses on acceptable risk it's an open source threat modeling process that implements a requirements model that essentially ensures the assigned level
62:30 - 63:00 of risk for each asset as acceptable to stakeholders so remembering that trike is risk focused and it implements a requirements model should cover you if it comes up on the exam and to round out domain one i want to talk to you about cobit which stands for control objectives for information and related technology it's not a great mapping to the cobit acronym frankly and this is a security control framework sometimes described as a framework for i.t
63:00 - 63:30 management and governance it's based on five principles so meeting stakeholder needs covering the enterprise end to end so treating our our enterprise as as the full scope of our focus applying a single integrated framework so so continuity of a centralized coordinated approach enabling a holistic approach and separating governance from management so holistic approach and
63:30 - 64:00 separating governance from management are key concepts or i think and we're expecting to see little or no coverage on the cissp exam in fact the official study guide mentions it only briefly and goes on to promise that there's going to be no real depth of coverage on the cissp exam so this should get you through with the basics around cobit an important aspect of threat modeling you may not be acquainted with yet is diagramming potential attacks so
64:00 - 64:30 determining potential attack concepts is achieved through visualizing your infrastructure and identifying threats or identifying potential vulnerabilities that may be exploited so let me just sketch out a simple example for you here so let's diagram some potential attack so i have users that come through my perimeter my user web server boundary we'll call it so they hit my web service here
64:30 - 65:00 and i have a database back here a sql server where we'll pull some data from a database so my user starts by logging in to the web service at some point they may make a request that then causes that web service to go back and retrieve data from my sql database i'd imagine there's uh you know maybe even a different authentication process here from a service principal or an entity down to
65:00 - 65:30 that database versus the user logging in manually here and i can perceive different threads here because i'm visualizing so just right off the cuff i can imagine that on a login form brute force password attacks dictionary attacks might be common if attackers wanted to just guess at user names and passwords and if they were to register for our service maybe they could get an idea of the username requirements and then just start you know as i mentioned a
65:30 - 66:00 dictionary attack now if i think about a web service talking to a database the first thing that always comes to mind is sql injection so as an attacker i could try to exploit maybe some poor value handling on a web form to perform a sql injection attack and i'm out of space here but and i could go quite a bit further as you can see but this gives you an idea of that diagramming process at a basic level so let's talk about
66:00 - 66:30 reduction analysis in threat modeling so in reduction analysis i'm going to break a system down into its uh its parts which makes it much easier to identify the essential components of each element and take notice of where we might have vulnerabilities and and you know likely points of attack so just to go through this i could look at trust boundaries so any location where the level of trust or security changes so a trust boundary in your application
66:30 - 67:00 from say a an access control perspective would be where a specific role or privilege is required to access a resource or an operation that would be a change in trust data flow path so looking at the movement of data between locations and what exposures there are that might allow attackers opportunity to to capture or breach that data input points locations where external input is received so in our our diagramming
67:00 - 67:30 example uh a web form where we're logging in or a web form or we're submitting a request that that calls back to sql that's going to be an area that would be most likely a possibility for attack a likely target perhaps privileged operation so any activity that requires greater privileges than that of a standard user account that's going to be a red flag area an area will want to give special
67:30 - 68:00 attention then finally details about security stance and approach so so essentially just the our declaration of security policies foundations are our assumptions in a given scenario for for a service or infrastructure so after we go through that deconstruction and documentation process then we want to rank or rate the threats we can use the dread methodology we just talked about or a high medium low rating for example so i want to clarify a few things around
68:00 - 68:30 security control so your security controls are the measures for countering or minimizing loss or unavailability of your assets your services your apps etc and you'll hear the term safeguards and counter measures we've used those quite a bit today and they may seem to be used interchangeably at the end of the day the main difference between a safeguard and a countermeasure is safeguards tend to be proactive and counter measures tend to be reactive
68:30 - 69:00 let's talk about the categories of controls there are three categories of security controls they're technical or logical or sometimes called which involves the hardware or software mechanisms used to manage access and then you have administrative controls which are policies and procedures that are designed by the org security policy or other regulations and requirements administrative controls for example might include hiring practices
69:00 - 69:30 background checks data classifications and labeling security awareness and training methods and then you have physical uh control so the physical category are items you can physically touch so there we're talking about guards fences motion detectors lock doors seals sealed windows lights laptop locks etc so be familiar with these control categories and be able to name off a few in each category
69:30 - 70:00 as i just did for you now so next let's dig into security control types so you have deterrent control so these are deployed to discourage violation of security policies deterrent controls could include uh you know audit policies security awareness training locks fences security badges they're designed to discourage violation and then we have
70:00 - 70:30 preventative controls these could be technical controls like firewalls or intrusion detection systems or it could be a physical control like a fence or a gate or a man trap and technically there could be some overlap between deterrent controls and preventative controls the main difference here is deterrent controls really rely on on somebody making a decision to not do something where preventative controls are really
70:30 - 71:00 designed to actively stop the unwanted behavior and we have detective controls which are deployed to discover or detect unwanted activity so defining characteristic of detective controls as they really detect the activity after the fact right they detect something in progress motion detectors cctv cameras audit trails honey pots
71:00 - 71:30 and you'll find some surprising elements listed as detective controls like mandatory vacations for example job rotation because if you're rotating people across jobs or in and out on vacations you're going to be able to establish some patterns there that will allow you to detect behavior based on the presence or absence of certain individuals or circumstances then we have compensating controls
71:30 - 72:00 compensating controls provide options to other existing controls to aid in enforcement of the gulf so for example let's say your organization requires that personally identifiable information is encrypted in the database and in fact it is encrypted in the database but someone discovers then that the the uh pii data is being transferred across the network in clear text so a compensating control would be for example
72:00 - 72:30 an additional control to encrypt that data in transit to support the requirement and you want to make sure on the exam that you you understand the key element that defines that control type and you know a few examples off the top of your head so you can you can pick those out uh should you see them in a question so we're actually not done with control types let's keep going here so so we have corrective controls corrective controls can range from
72:30 - 73:00 antivirus that removes uh malicious files to backup software that automatically restores missing files to policy-based configuration management that returns a system to its desired configuration after a breach next up we have recovery controls which are much like corrective controls but they tend to have more advanced capabilities good examples here would
73:00 - 73:30 include server clustering vm shadowing hot sites warm sites alternate processing facilities and finally we have a directive control which is intended to confine or control the actions of the subject to force or encourage compliance with security policies good examples of a directive control would be security policy requirement posted notifications escape route exit signs just to name a few so again
73:30 - 74:00 make sure you understand the defining characteristic and you can rattle off a few examples before you walk into the exam now we're going to talk legal and regulatory which is an area of the cissp exam that requires a lot of memorization i'm going to try to help you focus that in so at a high level the topics here include cyber crimes and data breaches transborder data flow licensing and intellectual property requirements things like trademarks
74:00 - 74:30 patents we'll talk about that in just a moment privacy is very important quite a few laws related to privacy and then import export controls which we'll cover also so let's start by talking about types of law so you have three types you have criminal law which is just what you think it is it covers areas like assault robbery arson murder you have civil law which covers more business disputes contract disputes real estate transactions employment estate
74:30 - 75:00 the high dollar lawsuit type of law then you have administrative law which relates to government agencies they have some leeway to enact administrative law that can cover important topics or areas as mundane as requirements when procuring a phone for an office desk the the cissp exam focuses on security related generalities you're not going to get into the nitty-gritty details of the law but when a question comes up around health care related information customer
75:00 - 75:30 health care information you'd need to know that high tech and hipaa are are laws related to that topic for example so let's talk about some of the the laws that are likely to come up on the exam so the computer fraud and abuse act i think the the most significant thing about cfaa was it was the first piece of u.s cyber crime specific legislation you have federal sentencing guidelines which are laid out to provide punishment
75:30 - 76:00 guidelines to help federal judges interpret computer crime laws the federal information security management act better known as fisma uh had some requirements around formal information security operations uh for for federal government uh the copyright and digital millennium copyright act say that three times fast covers literary musical and dramatic work so that that's really helpful for artists
76:00 - 76:30 let's talk intellectual property and licensing so you have trademarks which cover words slogans logos you use to identify a company in its products or services you want to protect your company name you apply for a trademark patents protect the intellectual property rights of inventors and trade secrets cover intellectual property that is absolutely critical to a business and must not be disclosed for the health of that business
76:30 - 77:00 and then there are four types of licensing you should be familiar with and that's contractual shrink wrap click through and cloud services there are some regulations around encryption and privacy that you'll want to be familiar with so u.s companies cannot export computer technology to certain countries and those include cuba iran north korea sudan and syria there are also restrictions laid out by the department of commerce that detail limitations on the export of encryption
77:00 - 77:30 products outside the us the basis for privacy rights in the u.s is the fourth amendment to the u.s constitution and gdpr is a law you want to be familiar with it is not a u.s law it comes from the european union but it is very likely to be mentioned for one very good reason and that is because it applies to any company with customers in the eu the us included you're going to hear me mention this a couple of times that's
77:30 - 78:00 because i do expect it will be on the exam now let's talk about other u.s privacy laws so you've so when it comes to health care you have uh health care insurance portability and accountability act better known as hipaa you have the health info technology for economic and critical health uh better known as high tech we have graham leech bliley which applies to financial institutions if you see a question on the exam related to law and
78:00 - 78:30 financial institutions i'd bet it's going to be graham leach blighly the children online privacy protection app better known as coppa and the electronic communications privacy act or ecpa and that's one of two laws related to electronic communications that i might expect you'd see on the cissp exam the other being the communications assistant for law enforcement act
78:30 - 79:00 i think i'd be familiar with both of those as well now notice that i've put the acronyms here i find memorizing these acronyms makes everything easier because memorizing all those words is a lot of work but if i memorize hipaa when i see health insurance portability and accountability act i can pick out the h-i-p-a-a right so memorizing those acronyms is going to make this a lot easier for you and you notice how i talked about just the very basic focus of these laws you're really going to be
79:00 - 79:30 dealing with generalities as i mentioned and that's straight from the official cissp exam prep guide and matches right up lines right up with my experience in taking this exam so you're going to be expected to be familiar with the business continuity planning process and issues that pertain to information security in in bcp around things like strategy development processes plan approval plan implementation
79:30 - 80:00 training and education so so important you understand the steps of the process but know that the bcp topics are going to cover you know information security related angles you're not expected to be a certified business continuity planner here by any means i'll give you that same warning i give you for any process when you're looking at a process make sure you you know the steps in order personally i don't think you're going to see a lot about bcp on the the exam it'll be limited
80:00 - 80:30 i want to talk through a couple of business continuity planning related definitions worth knowing just to increase your comprehension of this topic as we prepare for the exam so the business continuity plan is the overall organizational plan for how to continue business the disaster recovery plan is the plan for recovering from a disaster impacting it and returning the i.t infrastructure to operation which of course supports the business
80:30 - 81:00 and there's a continuity of operations plan this is the plan for continuing to do business until the i.t infrastructure can be restored i'm not expecting you'll hear about continuity of operations planned on the exam but it's it is a thing so i wanted to mention it but let's talk about the difference between business continuity planning and disaster recovery planning so what exactly is the difference here well business continuity planning focuses on the whole business it focuses on getting
81:00 - 81:30 back to doing business where disaster recovery focuses more on the technical aspects of recovery so bcp will cover communications and process more broadly another way to think of it is business continuity planning as an umbrella policy and disaster recovery planning falls under that umbrella as part of the broader plan you want to be familiar with education so security awareness education and training
81:30 - 82:00 so the methods and the techniques for different audiences periodic content reviews evaluating your program effectiveness and and you can see a variety of questions here that talk about everything from you know simple user security awareness training to you know what's the the deepest form of training so covering things like classroom training all the way to degree programs but security awareness training is that
82:00 - 82:30 topic that is ubiquitous when it comes to information security so let's start with the consequences of privacy and data breaches the first being reputational damage when we have a security breach it can certainly result in a loss of customer trust and ultimately a loss of revenue and the effects may last for years if the situation is not handled correctly identity theft which involves someone using a person's private information to impersonate that individual
82:30 - 83:00 usually for financial gain and if that breach results in data exfiltration were potentially exposing many people to identity theft if we're losing customer data and if a business experiences intellectual property theft as a consequence of a data breach they can lose customers credit ratings brand reputation and they can even forfeit first to market advantage loss of profitability and they might even lose an entire line of business to competitors or counterfeiters
83:00 - 83:30 fines so failing to report a breach can result in fines that can reach into the millions of dollars in fact gdpr outlines fines of up to four percent of a company's annual global revenues or 20 million euros for failing to report a breach and it may lead to lawsuits but remember any company with a customer in the eu is subject to gdpr and let's talk notifications of breaches
83:30 - 84:00 so if a data breach occurs failing to report that breach as i just mentioned can result in fines into the millions of dollars the eu sets their standard in gdpr and notification of data breaches must be reported within 72 hours now escalations to external sources like law enforcement or outside experts to stop or investigate a breach may well be necessary other countries have their own reporting time scale and delays may sometimes be allowed for
84:00 - 84:30 criminal investigation but we're talking about laws so when in doubt we get the legal department involved and that brings us to the end of domain one up next is domain 2 asset security i want to touch briefly on what's new in domain 2 because we can expect those new topics those new areas of focus in 2021
84:30 - 85:00 are more likely to come up on the exam we do find certification exams tend to focus a bit more on what's shiny and new and relevant and here we see 2.3 provision resources securely 2.4 managing the data lifecycle and 2.6 determining data security controls and compliant requirements drm casbi and dlp those were covered in the 2018 material clearly they've been elevated to some degree here and in in a world of identity
85:00 - 85:30 uh focused security and zero trust it's it's not surprising right our network perimeter doesn't exist as it used to and you're going to hear uh provisioning resources securely in various capacities through the eight domains managing the data life cycle is the the item i want to call attention to in domain two so it was mentioned in a phrase in in 2018 it's clearly going to get a little more attention so here is the data life cycle and you see it
85:30 - 86:00 begins with creation then story use share archive and destroy now i want to call your attention to a similar life cycle that existed in 2018 and it exists in the 2021 version of the course in domain seven in security operations we have the information life cycle and what you're going to see here are some commonalities so you'll notice creation you'll notice archival and destruction use usage and storage what's different here is you notice classification so so
86:00 - 86:30 the information life cycle it focuses a bit more on information protection because you don't see classification called out explicitly in the data life cycle right so another item called out in in domain seven around the information life cycle that's important for you to remember is there isn't a consistent standard used to identify each stage or phase of a data life cycle so conceptually speaking what i would suggest you know for the exam is that immediately after
86:30 - 87:00 creation it's very important that we classify data because classification tells us the requirements for protection and the other key elements that i want you to notice here is that each of these cycles includes archival and destruction right so archival is important because certain regulatory requirements will demand that we have data that we keep around for a period of time in a retrievable state it could be
87:00 - 87:30 a year it could be seven years and data destruction is important because data that remains around longer than is necessary creates risk and it creates liability it can be stolen it can be called as evidence it can be discovered as evidence for for legal actions so more than remembering the steps here i want you to remember those key elements of of the data life cycle of the information life cycle the information life cycle is covered both in domain 7 and it's also covered in the
87:30 - 88:00 processes and frameworks video in depth but knowing these will serve you well but you want to know those you want to be familiar with those practical elements of of the data life cycle and later here in domain 2 we'll talk about data classification you'll see this chart so you want to pay attention because data classification is going to have relevance in multiple domains in the cissp let's start with data security control so marking labeling handling and classification
88:00 - 88:30 may well come up on the exam classification being the most important of these and we'll talk about data classifications in just a moment uh data handling shipping chain of custody you know remembering don't open boxes and with data retention comes data destruction we'll talk through some data redestruction methods like erasing clearing overwriting more on that in a moment and with record retention uh we always need to remember that that data destruction if the retention policy is one year that data
88:30 - 89:00 should be destroyed when it ages out so when it ages beyond one year uh you may even see something related to tape backup this you know this feels like a legacy concept but it may come up because it exists in the real world and and tape backup security having a secure facility tapes labeled will ensure that you know everybody understands the classification of the data which really kind of comes back to that first concept of marking labeling and handling so let's talk about data destruction
89:00 - 89:30 methods and you'll definitely want to understand the difference between these so at a basic level erasing data which is just performing a delete operation so with erasing you'll want to remember that data is typically recoverable using traditional data recovery tools now clearing or overriding prepares media for reuse and ensures that data cannot be recovered using traditional recovery tools
89:30 - 90:00 so purging is a more intense form of clearing and it's used in less secure environments so why do i highlight less secure environments that's because for example the us government doesn't consider any form of purging as an acceptable data destruction method for top secret data degaussing is a process that uses a device called a degausser to create a strong magnetic field that erases data on on some media so so physical media
90:00 - 90:30 obviously and then destruction is the final stage in the life cycle of media and it's the most secure method of sanitizing data methods of data destruction include operations like incineration crushing shredding dissolving using a caustic or a acidic compound and before we step away from data security controls i want to mention one other concept which is a security control baseline which provides
90:30 - 91:00 according to the the cissp exam guide a listing of controls that an organization can apply as a baseline so listing of controls on a baseline it feels a little repetitive another way i might say this is a baseline is a group of controls that can be applied as a base standard or a starting point that we work from not unlike a configuration based line that you'd uh work with as a starting point for securing your endpoints for example so for the exam do be familiar with
91:00 - 91:30 record retention and data destruction i mentioned that you know keeping data around for longer than necessary can can be a problem what it can do is present unnecessary legal issues and in fact if memory serves the cissp exam prep guide outlines a story with uh with a big aeronautical company that had a big lawsuit uh that they settled for a lot more money than necessary because they kept data around for longer than necessary
91:30 - 92:00 so when it comes to data protection confidentiality is often protected through encryption this is mentioned only briefly in domain two this is really more a topic for domain three so we'll cover encryption in lesson three so let's move on to defining sensitive data through data classification so we're going to look at the four levels of data classification for government or non-government or sometimes called
92:00 - 92:30 public data so we have class 0 which in government terms would be unclassified or public data so no damage occurs if this sort of data is revealed outside the organization class one is data that would be confidential or in the non-government space sensitive so this is data that could cause damage to the organization if unintentionally disclosed or intentionally disclosed for that
92:30 - 93:00 matter but but disclosed without authorization so class two we have secret data and private data data that can cause serious damage to the organization if disclosed and then at the highest level in class three we have top secret data or confidential or proprietary data in the uh the public space which is data that can cause exceptionally grave damage if revealed so you'll notice some commonalities here
93:00 - 93:30 the word serious and and then exceptionally grave so you have these juxtaposed standards for government and non-government i would be familiar with both of these uh briefly in domain three we'll actually talk about sensitive uh but unclassified data in uh when we're talking cryptography but generally speaking i think much less likely to come up on the the exam itself so when it comes to asset classifications asset classification should typically match
93:30 - 94:00 data classifications and when it comes to sensitive data there are two types of data you want to be very familiar with and this is sensitive data that isn't public or unclassified there's personally identifiable information or pii data pii data refers to any information that can identify an individual so these would be uh data elements like their name social security number uh birthplace or birth date biometric records uh you know thumb prints retina
94:00 - 94:30 scans and you'll also want to be familiar with protected health information or phi which is health related information that can be related to a specific person this is covered by hipaa which we talked about in domain one so let's talk about data ownership for a moment so know these two roles i think if if we you know think about what are the roles most likely to come up on the exam data owner which is someone who can delegate some day-to-day responsibility for for data
94:30 - 95:00 handling and security and then there's the data custodian so this is someone who doesn't decide what controls are needed but they do implement those controls on behalf of the data owner so just a quick tip if the question mentions day to day they're typically talking about the duties of the custodian and another sort of delineating factor here the data owner is usually a member of senior management the data custodian is typically going to be somebody in the it department so that's another way you can potentially
95:00 - 95:30 pick out which would be the the most appropriate answer so i want to talk to you about some other roles and then gdpr in particular which which is you're relatively new in the world of regulatory standards but i think more and more important all the time because it does apply to a lot of u.s companies so let's talk about some of the other roles so do be prepared to answer questions on some of these other roles so data administrators responsible for granting appropriate access to personnel often via role-based access control a user
95:30 - 96:00 refers to any person who accesses data via a computing system to accomplish their work tasks and we have business or mission owners and this role can actually overlap responsibilities with the system owner sometimes even be the same role and then finally asset owners this is the person who owns the asset or the system that processes sensitive data and the associated security plans i think the key there is associated
96:00 - 96:30 security plans uh so let's talk about gdpr because gdpr calls out some specific terminology relative to gdpr and they treat one or two terms a little bit differently than you'll see elsewhere so definitely know your gdpr terminology and requirements i think this is quite likely to come up on the exam so gdpr defines a data processor which is the entity that processes data on behalf of a data controller that data processor can be a person an authority
96:30 - 97:00 an agency or another body it's but it's the person it's the entity processing the data on behalf of the data controller who is that person or entity that controls processing of the data and then data transfer know that gdpr restricts data transfer to countries outside the eu okay continuing down this road so there is some discussion in domain two around
97:00 - 97:30 reducing your gdpr requirements or exposure so there are a couple of ways you can approach this the first is anonymization which is the process of removing all relevant data so it's impossible to identify the original subject or person so if done effectively gdpr is no longer relevant for the anonymized data now it's important to note here the word remove the words removing an impossible because this is only going to be good if you don't need the data because it will
97:30 - 98:00 be impossible to identify the original subject or person so i think that's one of the keys if this method comes up on the exam so if you need the data there is another way to handle this and that's through pseudonymization that's a big one so i'll say it one more time pseudonymization which is the process of using pseudonyms or aliases to represent other data so you use this in scenarios where you need that information but you want to mask the identity of the user or
98:00 - 98:30 subject to which the data belongs but you definitely need the data so an example of this would be creating a patient number to tie back to the data which then masks the the name of the patient at that point but bearing in mind that you know this will potentially reduce your exposure it will result in less stringent requirements than otherwise would apply under gdpr but bearing in mind that if that pseudonym is ever
98:30 - 99:00 revealed if that patient number is ever tied back and revealed to the patient name then the pseudonym is no longer effective the alias doesn't work anymore so it's a great concept but execution matters is my point uh so if you but you but if you need the data and you want to reduce exposure pseudonymization is going to be the method you'll use versus anonymization and for the exam i would make sure i'm familiar with the gdpr terminology the
99:00 - 99:30 data roles and the security controls and don't worry i'll mention these in more than one spot in this course so you'll definitely hear this again and you want to be aware that the notification of data breach timeline in gdpr is 72 hours and we'll see this again but just remember gdpr applies to any company with customers in the eu and that's a wrap for domain two moving on to domain three
99:30 - 100:00 security architecture and engineering let's take a look at the official exam outline and then we'll talk about what's actually new in domain 3 in the 2021 release of the exam 3.1 is research implement and manage engineering processes using secure design principles 3.2 understand the fundamental concepts of security models so we'll touch on models like biba the star model bella padula
100:00 - 100:30 this is a big area of memorization this is a common area of confusion and i have a full 2022 update i've recorded for you here to address the many questions i've received about security models over the last year 3.3 select controls based on system security requirements so matching controls to requirements understand security capabilities of information systems we'll touch on a number of concepts here including items like tpm and encryption and
100:30 - 101:00 decryption 3.5 assess and mitigate the vulnerabilities of security architectures designs and solution elements 3.6 select and determine cryptographic solutions and then 3.7 understand methods of cryptanalytic attack so this tells us that cryptography is really front and center in domain 3 just based on what we see in 3.6 and 7.
101:00 - 101:30 3.8 apply security principles to site and facility design an area very few folks have much experience so an area you'll want to put some focus on for the exam and finally design site and facility security controls so what's actually new in the 2021 release well domain 3 is a big domain and there are several changes here so
101:30 - 102:00 under item 3.1 which is research implement and manage engineering processes using secure design principles we see several concepts here called out that were present in the 2018 exam threat modeling lease privilege defense and depth secure defaults fail securely separation of duties however we see several net new concepts here as well keep it simple zero trust privacy by design trust but verify and shared responsibility i'm going to cover these for you
102:00 - 102:30 now okay i'm going to cover these for you in a minute because first i want to want to point out the other syllabus line item in domain 3 that is new and that is 3.7 understand methods of cryptanalytic attacks and again quite a large number of attacks mentioned most of these existed in the 2018 version of the exam it's clearly a topic that's getting more attention these are covered these attacks are covered in the
102:30 - 103:00 attacks and counter measures supplemental lesson they are also covered in line in their specific domains uh where they were applicable and what do i mean by in the domains where applicable well for example uh domain five is identity and access management we'll talk about access control attacks in domain five but if you'd like to go through attacks and counter measures all in one setting go check out that supplemental lesson and that will serve you well
103:00 - 103:30 in fact there's the thumbnail you want to look for on on that supplemental video in the playlist so let's get into some of those new concepts that i mentioned are present in domain three we'll start with zero trust security which which is a strategy an approach that addresses the limitations of the legacy network perimeter-based security model where the firewall was the perimeter right so with with work from home mobile devices our users are everywhere right so really
103:30 - 104:00 xero trust security typically treats the user identity as the control plane so you'll hear it in in marketing documents they'll say the identity is the new perimeter uh xero trust assumes compromise or breach in verifying every request so basically no entity is trusted by default we're verifying identity managing devices managing apps and protecting data in all phases of operation so in that category of secure design
104:00 - 104:30 principles secure default is called out in 2021 so this simply means default configuration represents a restrictive and secure configuration and this should apply not only in your own configurations within your organization but you should expect the same of of your hardware software and and service vendors that their service their device their software is is secure by default it's a reasonable
104:30 - 105:00 expectation in 2021. fail securely which simply means that when a component fails it should fail in a state that denies access rather than granting access these two concepts are actually taken from from nist sp 800 800-160 trust but verify is a principle that depends on an initial authentication process to gain access to the internal secured environment and then relies on generic access control methods so due to
105:00 - 105:30 changes in the threat landscape today this is no longer considered sufficient and has largely given way to zero trust security so privacy by design comes up so making privacy an integral part of every system your policies your design process the the best guidance i can give you here comes from the international association of privacy professionals who have published seven principles
105:30 - 106:00 of privacy so privacy as a proactive approach something we consider from the moment we are envisioning a new service or product privacy is the default setting right it's not something that uh that has to be opted opted in it's something you would you would want to to have folks opt out of so privacy is the default uh privacy should be embedded in the design not bolted on later so it should be considered from
106:00 - 106:30 the design phase uh principle number four is that privacy should be a positive sum approach not a zero zom sum approach and you might be asking well what the heck is is a positive sum approach a positive sum occurs when an approach is formulated where the needs of everybody involved are are met so so when we implement privacy in our design we as an organization create a more effective
106:30 - 107:00 more secure service and our customers benefit because we have considered their privacy from the beginning so so another way of saying positive sum i i would say is that you're creating a win-win scenario end-to-end full life cycle data protection right we talked about about data life cycle so protecting our sensitive data making sure that after data is created it's classified and protected super important visibility and and transparency
107:00 - 107:30 there are many ways to facilitate visibility and transparency for example if i'm a software company i have a privacy policy that explains to a user what data i am collecting from that user and what i am doing with that data so so transparency can be communicated through policy and implemented in features of of a service or software what have you and keeping privacy user centric uh you know when i think about
107:30 - 108:00 user-centric privacy i think about gdpr so gdpr is the is the general data protection regulation it's the eu's uh data protection lawn and in gdpr the user has the right to instruct me as a company to forget them so in gdpr regulations i do have to be transparent in my privacy policies the user has the right to request all data that i have collected
108:00 - 108:30 about them and they have the right to tell me as an organization to forget them to basically lose their information lose my number and again i think from a cyber security perspective these are just sensible principles anyway so applying these principles and implementing a layered defense defense in depth we'd call it as part of a zero trust strategy just ensures uh privacy end to end so i think these are good principles that help you help you onboard
108:30 - 109:00 the concept of privacy by design keep it simple is not a new concept this is a concept that's been around for a very long time and it applies to much more than just cyber security so bruce schneier mentioned uh once upon a time that complexity is the worst enemy of security complexity is the worst enemy of of many things and a simple design is the best design we justify uh the addition of complexity so in the world of cloud and hybrid
109:00 - 109:30 security services that leverage you know ai in the cloud machine learning a best and sweet over best in breed approach is generally considered uh the best way to simplify defense in depth because the security suites from the various uh cloud you know cloud focused security vendors will incorporate layers of intelligence that together are better in securing your environment and this simplicity also
109:30 - 110:00 helps to avoid configuration mistakes it means that your layers are going to be integrated better uh it means that your overall solution is generally speaking going to be smarter it does not mean that you're going to have only one security vendor it means that you will likely have fewer security vendors but you will have you know some sort of suite that will serve as the foundation for your organization and whether your foundation is based on on microsoft or google or cisco
110:00 - 110:30 or amazon that that's not so important as the concept in this case but this enables organizations to move forward you know incrementally rather than demanding perfection it's really a a fresh application of the classic keep it simple silly principle that's that's the the kiss principle that they taught us when we were kids honestly when i was a kid it was keep it simple stupid but but we're we're more polite now and so we we don't we don't say stupid
110:30 - 111:00 but when i think about maintaining simplicity in in designing a cyber security strategy these are some tips that i think you'll find helpful but really never underestimate the value of incremental improvement rather than demanding perfection out of the box because when we choose a best in breed strategy and we try to go find the best vendor at every layer we spend a lot of time shopping we spend a lot of time trying to determine how well those
111:00 - 111:30 solutions integrate with one another becomes a lot of work a lot of expense and a lot of complexity so security as a service uh this is a cloud provider concept where the security is provided to an organization through or by an online entity this definition would be applicable to all of those providers that i mentioned just a moment ago internet of things so these are a class of devices connected to the internet to
111:30 - 112:00 provide automation remote control ai processing in a home or business setting we all have iot devices plugs thermostats assistance speakers you name it so so more scenarios involving iot devices are likely to appear on the 2021 exam uh smart devices mobile devices that offer customization typically through installing apps and might use you know on device or in the
112:00 - 112:30 cloud ai processing there are all sorts of devices that can be considered smart devices from smart phones to smart thermostats to doorbells to sensors used in manufacturing scenarios to predict device failure before a device fails and one would think generally speaking on the cissp exam the context the examples around smart
112:30 - 113:00 devices and iot will be more business focused than they would be focused on home scenarios so next we're going to talk about sim and soar so sem is security information event management so think of a sem solution as a system that's going to collect data from many sources within your network it's going to take sign in logs for identity and access management it's going to take syslog and common event format data from your network devices it's going to take event logs from your endpoint it's going to
113:00 - 113:30 take various bits of telemetry from security solutions within your environment and it's going to provide real-time monitoring and analysis typically using ai and machine learning and and yuba user entity behavioral and analytics and and to give you uh notification of potential attacks so soar security orchestration automation and response is centralized alert and response automation generally
113:30 - 114:00 with threat specific playbooks and what i mean by threat specific playbooks is the form of automation may be very different from different vendors but the automation will be threat specific generally speaking because specific threats require specific responses whether that's a particular type of of script or automation tool and the response might be fully automated or sometimes you'll see these solutions come semi-automated out of the box where where essentially
114:00 - 114:30 the potential attack is is identified and then the sore solution gives you the you know click here to remediate sort of response and i soar is actually mentioned in domain eight so why am i talking about it here well i'm talking about it here because sem and sore uh nowadays are very commonly delivered together as components in a single solution so i wanted to talk about them in context
114:30 - 115:00 because the sem part of the equation is going to be doing the the monitoring the analysis and the notification the soar is the response automation whether automated or fully automated or partially automated but i wanted to bring this up earlier in the discussion because uh in terms of context it fits here better than in domain 8 in my opinion so so you know on the exam you know you're not taking the the questions aren't coming to you domain at a time
115:00 - 115:30 so functionally speaking i just wanted to get this out in the open here now but these solutions today are often going to use ai and ml and threat intelligence to uh to come to their conclusions to it to aid in their analysis uh we'll talk about threat intelligence in just a moment so micro services and service oriented architecture soa may come up on the exam in 2021 so soa is the creation of discrete services that that can be accessed by users in a black box fashion
115:30 - 116:00 so basically we don't know what's going on under the hood soa is a concept that's a few years old you don't hear near as much about it anymore it's really been superseded by microservices which are fine-grained services with a discrete function i think of of microservices as a more modern adaptation of soa that's better oriented to cloud computing many times you'll find micro services are built in a fashion that they are containerized so they can run on a container platform like docker and kubernetes
116:00 - 116:30 and it's important that we we identify code level vulnerabilities early in the development life cycle so before software is released you can do this with a combination of static code analysis and dynamic testing basically early in your integration and delivery process so we can identify deficiencies before the release so so another way to say static code analysis is static application security testing
116:30 - 117:00 we're going to talk about that in the changes that come in domain 8 and dynamic testing also dynamic application security testing so so we'll touch on those two in domain 8 in in greater depth so containerization may come up on the exam and and this is really talking about technologies like docker and kubernetes kubernetes really being the de facto industry standard now when it comes to containerization so this is a lightweight granular and portable way to package applications for multiple
117:00 - 117:30 platforms and it's going to reduce the overhead of server virtualization by allowing a containerized app to run on a shared os kernel so we can have multiple applications that are containerized running on the same virtual machines containers don't have their own operating system they are sharing the operating system of the container host on which they run which is going to be you know a linux server typically or sometimes occasionally a windows server linux being the the more common uh container
117:30 - 118:00 host uh now when we get into that more granular level of sharing an operating system we still have many of the same concerns we have around server virtualization in that we need isolation for our applications you know at a host level at a process level at a network level at a storage level and you can imagine in shared environments we might not be comfortable running containerized applications in the same clusters and so you'll hear discussions
118:00 - 118:30 around not just logical separation but but physical isolation as well and you know really devops security can is is really going to focus on the container level we think about application level security so author authentication and authorization we'll talk more about these as we move along here so application programming interfaces or apis may come up on the exam with rest being the the modern standard for api
118:30 - 119:00 development soap was the standard in years past but an api is a set of exposed interfaces that allows for programmatic interaction between services back in the early days of amazon jeff bezos laid down a standard for his his technology groups that when they built a service they had to package that service and make it available for other other teams of the products business units etc for for their consumption as well so rest the modern standard i mentioned
119:00 - 119:30 uses the https protocol for for web communications to offer those api endpoints all your communication between client and server should be encrypted and your access should be limited with api keys which means you also need to ensure that storage distribution and transmission of those access keys is done in a secure fashion because that's effectively a secret if you've never played around with an api you could go sign up for a developer account on twitter for example or facebook and and get into an example of working with
119:30 - 120:00 an api embedded systems another potential exam topic uh coming uh about through the rise of the internet of things so so an embedded system is a technology component of an iot device think of it as a full computer system embedded inside another larger system a good example of this printers typically have embedded systems gps drones semi-autonomous vehicles they have a full computer system that's embedded
120:00 - 120:30 inside that larger system and with embedded devices you'll need to consider authentication practices to ensure they meet with security best practices you want to avoid implied trust so high performance computing another potential exam topic so so this is an alternative to client server computing for compute intensive operations with large data sets that typically require large-scale parallel processing the seti
120:30 - 121:00 project the search for extraterrestrial intelligence is a good example of high performance computing where individuals can volunteer their compute time to help process data so grid computing which we which is high performance computing we often see in a business setting employs a centralized controller that makes computing assignments to grid members and in a grid computing example we have some security concerns particularly
121:00 - 121:30 around that grid controller making sure that that grid controller is safe from bad actors or that the grid can't be used for illicit activities which means there needs to be some governance built in as to how assignments are made and and what compute tasks can be assigned so edge computing may come up and and edge computing really speaks to operations that require processing activities to occur locally
121:30 - 122:00 far from from the cloud so this is really common in iot scenarios the agricultural space science science and space military i even see it in retail scenarios fog computing places a gateway device in in the field to collect and correlate uh data centrally at the edge so fog computing is kind of a nuanced version of edge computing you know i can think of of an edge computing scenario like in uh watering
122:00 - 122:30 plant in a field i have sensors iot sensors that will uh you know sense the uh the moisture level and automate watering so for for those types of operations to happen in a timely way i might need that to happen at the edge i can think of retail scenarios where you go visit a kiosk in a drug store for example to order uh you know especially uh you know crafted cards or photos right there at a kiosk edge processing could be very important in a
122:30 - 123:00 good user experience so with large you know network device counts and varied locations you want to think about data encryption spoofing protection and authentication to avoid bigger security problems because a large number of unsecured iot devices can become somebody's bot army for distributed denial of service attacks right now we're going to shift gears and we're going to talk about cloud
123:00 - 123:30 computing which will definitely receive more attention on the 2021 version of the exam so we'll talk about infrastructure as a service platform as a service software as a service so i as pas and sas and we'll talk about private hybrid and public cloud and we will talk about the shared responsibility model this is going to be key for the exam so let's talk about shared responsibility so when we are on prem responsibility for security is a hundred
123:30 - 124:00 percent ours right all the way down to the wire in our data center we are responsible now when we begin to consume services in a public cloud scenario who's responsible for which components shifts and some of our responsibility is for security is shifted to the csp the cloud service provider so in an is scenario infrastructure as a service think server virtualization running virtual machines the the csp is responsible from the wire
124:00 - 124:30 up to uh that virtualization host we are really deploying virtual machines and configuring and consuming at that level we will have some responsibility for specific types of configurations to ensure availability to ensure slas kick in but but you see there some responsibility has shifted when we look at platform as a service we see that we're giving up more responsibilities to the csp here as well think of
124:30 - 125:00 cloud database models if i'm hosting a database in the cloud where i'm not responsible for the service that runs it you know beyond some some simple configuration of my my database uh if i'm thinking about web applications or or functions that are hosted in a service you'll notice here all the way up to the runtime belongs to the cloud service provider and in a database scenario i'm responsible for my my data and the applications that are talking to my data
125:00 - 125:30 if we think about software as a service you know we're giving away more responsibility yet we're really just responsible for using and consuming the service uh office 365 is a great example of this uh service now the uh the itsm platform great responsibility so you notice as we move into the cloud we're handing over some of that responsibility for security and management to the csp which is a good thing for us so just some examples here and some some details
125:30 - 126:00 to help you cement the the shared responsibility model so in the is scenario the csp the cloud service provider is providing the building blocks like the networking the storage the compute they manage the staff and the hardware and the data center for us right so so good examples of this azure virtual machines amazon ec2 google cloud platform compute engine pass platform as a service the customer is responsible for deployment and
126:00 - 126:30 management of the app so that's we are the customer in that scenario the csp manages the provisioning the configuration the hardware the operating system you know even more underlying details good examples here azure sql databases azure api management azure app service which which is running web apps again in a fashion where we're not worried about servers so before we move on to software as a service i want to touch for a moment on the difference in responsibility and
126:30 - 127:00 functionality between serverless and platform as a service so so serverless may also be called function as a service so so let's take a web application when i deploy a web application let's say i'm a restaurant and i have a web application that has a menu function and an ordering function for example uh in in a a pass scenario i'm going to deploy that application into the service i'm typically going to have to pick a service tier now in its paths it's platform as a service so i'm not worried about servers or any of that but i'll
127:00 - 127:30 have to decide if i want dedicated environment i'll have to pick you know some service tier that gives me an idea of scale now function as a service allows us to break this down one level even more granular i'd say so let's say if i want to move my my restaurant application into function as a service i might break that menu out as as one function and then i break the ordering function out separately and i send that code to my function as a
127:30 - 128:00 service provider they handle the provisioning uh and they handle the scale so what it would do is allow the individual components of my my application in that scenario to scale independently but in a function as a service scenario i'm not worried at all about the scale the platform is handling that behind the scenes for me so function as a service allows me to to make even fewer decisions around around service tier and scale and so forth it's giving me a more granular way to to
128:00 - 128:30 break that up versus platform as a service which is a a level more granular than and less responsibility than infrastructure as a service where we were handling virtual machines so different platforms have different names for it so so microsoft for example in azure they call it uh it's azure functions in aws on the amazon platform it's aws lambda i believe but but what they are both is event driven serverless computing
128:30 - 129:00 platforms all right so let's talk about software as a service so so in the software as a service scenario we're handing even more responsibility over to the csp so in this case you know we as the customer just config we just configure features right the csp is responsible for management operation and availability of the service so good examples of of software as a service that you'd be familiar with would include office 365 service now and
129:00 - 129:30 and salesforce all right now i want to shift gears and talk about cloud models for a moment and i just want to acquaint you with the differences between uh public private and hybrid cloud models so we'll start with public cloud this is where everything runs on the cloud provider's hardware so the advantages here would include scalability we can scale infinitely in the cloud at least in theory right greater agility because we don't have to
129:30 - 130:00 make capital purchases in order to deploy new infrastructure we can push a few buttons and deploy new infrastructure in the cloud and what you're doing in a public cloud scenario is trading some capital expense you know which would be investment in your data center for what we call operational expense so just paying as we go for for services in the cloud for infrastructure in the cloud so that that pay for what you consume model and it allows us to
130:00 - 130:30 to scale more easily more quickly less maintenance and it lowers the skills bar because we don't have to have maybe quite the same server expertise and network expertise in our organization so this is a great equalizer for smaller organizations private cloud so this is a cloud environment in your own data center so server clusters virtualization clusters you know maybe running vmware or hyper-v for example
130:30 - 131:00 the advantages here include that we have legacy support we have control over that environment we can establish the conditions for regulatory compliance so really in private cloud if i had to put it in in a word it's really controlled there because we when we're working in a a public cloud model you know typically you're working on the latest version of a service in a private cloud scenario we can control the pace of versioning we can control configurations to establish compliance
131:00 - 131:30 for specific scenarios so when legacy comes up you know private cloud is a good answer so hybrid cloud combines these two so it allows us to have the best of of both worlds so we can run our applications in the right location if we need to support legacy for a time we can have a private cloud where we run those applications if we have modern apps that we've containerized or that can run in a path or a serverless environment we can run those in the public cloud and quite
131:30 - 132:00 often you will find that the the private cloud in the data center is connected to the the public cloud in some respects perhaps with with some sort of vpn uh or or private network connectivity that connects the two the two entities so you can have communication between them for example if you have applications in the public cloud that need to talk to services in your private cloud so the hybrid cloud allows you to move
132:00 - 132:30 into cloud computing into public cloud at your own pace so there i'm really speaking to the advantages the the main advantage is flexibility in in running our legacy scenarios and dealing with specific compliance and scalability scenarios we can we can move it around pace which allows us to to take on that additional work whether that work is migrating an app or recoding an app we can take on that additional work at our convenience
132:30 - 133:00 so a cloud access security broker or casbi for short may come up on the exam this was a topic in the 2018 study materials i expect it gets more attention in 2021 due to the rise of cloud computing so a casby is a security policy enforcement solution uh so we can enforce policies like ensuring that users only use the approved applications we have in place we can prevent information sensitive information from
133:00 - 133:30 being shared externally from being stored in cloud storage repositories that we don't approve casbis very widely in their functionality the casby industry came about to solve one problem and that is the problem of shadow i.t uh the the scenario where organizations business units within organizations would would go out and find they would work around the i.t department to find applications or services to help them get their job done
133:30 - 134:00 and they would they would purchase those on their corporate cards for example and have a whole new way of doing things in some cases that the i.t department didn't have any control over any any governance over or knowledge of but but when you're thinking about casbi think security policy enforcement and think shadow it prevention so word has it the 2021 version of the cissp exam may bring questions about post-quantum cryptography and quantum resistant
134:00 - 134:30 algorithms so what is post-quantum cryptography exactly well it's the development of new kinds of cryptographic approaches that can be implemented using today's conventional computers but that will be resistant to attacks from tomorrow's quantum computers so first two questions that come to mind are which algorithms are susceptible and which algorithms are resistant well let's start by looking at the two classes but first let
134:30 - 135:00 me give you a quick disclaimer here so number one i am not a professional cryptographer nor am i a professional cryptologist however i'm providing you information from solid authoritative sources including the likes of bruce schneier who you may know as a well-known public cyber security figure he also happens to be the creator of the blowfish in two fish cryptographic algorithms and joel allen who's a pretty widely published cryptographer who who put some
135:00 - 135:30 focus in the area of quantum and i'll have links to to both of their articles in the video description if you're interested in reading further but moving forward how well do current encryption algorithms hold up to the power of quantum computing so let's take our our two major types here symmetric which is which is shared key cryptography and then asymmetric or public key so symmetric the shared key is what we use for bulk encryption of data and asymmetric has uses like key
135:30 - 136:00 exchange and digital signatures so symmetric holds up fairly well to quantum computing and we'll we'll explore that more in just a moment where quantum poses more immediate threats to asymmetric so let's unpack symmetric first so grover's algorithm shows that a quantum computer speeds up attacks to effectively have the key length grover's algorithm is a quantum
136:00 - 136:30 algorithm for unstructured search that basically with a very high probability can identify the unique input for a given output and basically that would mean that a 256-bit key is as strong against a quantum computer as a 128-bit key is against a conventional computer and so you may ask yourself wait a minute uh i'm a quantum computer is only twice as powerful as a conventional no a 256-bit key is not twice as strong as
136:30 - 137:00 128 bit the 256 bit key is 2 to the 128 times as strong because doubling your length increases the possible combinations exponentially so let's talk about asymmetric so public key cryptography so on this side we have shores algorithm which is a quantum algorithm for integer factorization
137:00 - 137:30 can easily break all of the commonly used public key algorithms based on both factoring which means rsa is vulnerable because that rsa depends on factoring of large primes and the discrete logarithm problem which means that elliptic curve is vulnerable because that's the problem it's based on so schneier points out that doubling the key length in the asymmetric scenario increases the difficulty to break by a factor of eight which is not a sustainable advantage so the good news
137:30 - 138:00 uh for the future here is that lattice offers some resistance and some real promise for quantum resistant algorithms so it's based on different types of problems the the shortest vector problem and the closest vector problem uh and and according to allen uh it potentially enables us to replace essentially all of our currently endangered cryptographic schemes and lattice-based cryptographic schemes make up the lion's share of scientific
138:00 - 138:30 publications on post-quantum cryptography and this bit of information comes from from nist's post-quantum cryptography competition which they announced in 2016 and in july of 2020 so last year nist announced uh round three finalists and the bulk of the finalists are in the of the lattice type and that is to say your research selection and standards development is is ongoing
138:30 - 139:00 and you might ask yourself what exactly is a lattice well a lattice is a three-dimensional array of regularly spaced points an example of a lattice is the the image you see right there so for the exam if you see a question asking for which types of public key algorithms are quantum resistant the answer is lattice so that's it for domain three quite a lot of potential uplift there in prepping for the 2021 version of the the cissp
139:00 - 139:30 so now we'll get into the rest of domain three so let's talk cryptography so codes versus cipher so code are are systems of symbols that sometimes uh imply secret but don't always have to be secret they don't always provide confidentiality ciphers on the other hand are meant to hide the true meaning of a message so codes are sometimes secret but don't always provide confidentiality ciphers
139:30 - 140:00 are always secret confidentiality is always going to be implied there so you do need to know the types of ciphers that are out there so stream cipher number one a symmetric key cipher in a stream cipher your your plain text digit is encrypted one at a time it's a stream so to speak because it's not a block of data so where a stream cipher goes one character at a time a block cipher will apply the key in algorithm
140:00 - 140:30 to a block of data like 64 contiguous bits for example so basically as a group rather than one bit at a time so that's the fundamental difference between a stream cipher and a block cipher a substitution cipher uses the algorithm to replace each character or bit of the plain text message with a different character this might be as simple as just shifting the letters of the alphabet so one letter represents another letter i could shift characters three
140:30 - 141:00 to one direction so the letter d represents the letter a for example julius caesar actually developed one of the earliest ciphers of this type that's now known as the caesar cipher transposition uses an encryption algorithm to rearrange the letters of a plain text message forming the ciphertext message and the initialization vector iv is a random bit string that's xored with the message reducing predictability and repeatability now the size of this
141:00 - 141:30 initialization vector varies by algorithm but it's normally the same length as the block size of the cipher or as large as the encryption key really what this is is the cryptographic version of a random number that's injected into the process prior to the xor so caesar vigenere and one time pad are three very similar stream ciphers and the main difference between these ciphers is key length
141:30 - 142:00 so caesar shift cipher uses a key length of one vigenere uses a longer key usually a word or a sentence and the key length in a one-time pad is the same length as the message itself now we need to talk a bit more about one-time pad i do expect you're going to see at least a question on this on the exam so for a one-time pad to be successful the key must be generated randomly without any known pattern
142:00 - 142:30 and it has to be at least as long as the message to be encrypted because remember that's what what differentiates one time pad from visionaire and caesar so the the key is the same size as the message itself and the pads must be protected against physical disclosure you can't give away the secret right and each pad must be used only one time and then discarded because repetition could reveal
142:30 - 143:00 the answer right so basically all of these must be true for a one-time pad to be successful so a concept here zero knowledge proof so this is a communication concept and and basically zero knowledge proof is a specific type of information that's exchanged but no data is is actually transferred this is true with digital signatures and digital certificates so what the heck does that mean let me
143:00 - 143:30 give it to you in plain english to just put it simply zero knowledge proof enables one to prove knowledge of a fact without revealing the fact itself so that's in effect what digital signatures and certificates allow us to do split knowledge so split knowledge means that the information or the privilege required to perform an operation is divided amongst multiple users that makes sense right splitting the knowledge amongst multiple
143:30 - 144:00 people so this ensures that no single person has sufficient privileges to compromise the security of the environment it's it's separation of of the knowledge of the privilege i kind of think of of split knowledge as role separation of a fashion really we talk about role separation in the workplace so one person doesn't have too much privilege that they can carry out some sort of internal threat all on their own another concept work function sometimes
144:00 - 144:30 called work factor so this is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and or time to decrypt the message so that the the cost or time to decrypt the message speaks to the value of the function so usually the time and effort required to perform a complete brute force attack against an encryption system is what a work function rating represents so
144:30 - 145:00 so the security and protection offered by the system is directly proportional to the value of the work function or or factor would you like that in plain english i hear you it's the time and effort required to break a protective measure that's that's the work factor so when you hear work work function or work factor think time and effort required to break a protective measure
145:00 - 145:30 so the importance of key security so cryptographic keys provide a necessary element of secrecy and uh modern systems utilize keys that are at least 128 bits long to provide adequate security and that number is going to increase over time in fact when we see the rise of of quantum computing as a mainstream capability uh that's going to change everything about cryptography we're going to see a
145:30 - 146:00 a massive shift in this space but know that 128 bits is our low water mark so to speak when it comes to key length in modern cryptography so symmetric versus asymmetric cryptography so symmetric relies on the use of a shared key so a shared key versus asymmetric where we have public private key pairs for communication between
146:00 - 146:30 parties so the difference between the two number one symmetric key lack support for scalability it's it's not easy to distribute the key because we only have one key how do you transmit that key secretly you know confidentially between two two people and we don't have a way to implement non-repudiation there so we can't guarantee the the source of the message now asymmetric on the other hand basically gives us that capability to implement a
146:30 - 147:00 solution that guarantees we know who that message came from but it also makes it easy to distribute that key amongst many parties because we have private and public key pairs to to work with stick with me and here in about five minutes we'll actually walk through an asymmetric example so you can see how the public private key pairs are used in a scenario to implement non-repudiation but also to transmit data
147:00 - 147:30 confidentially but symmetric cryptography is going to be faster since we have that shared key asymmetric is going to be stronger and and more scalable generally speaking so so when you think symmetric that's single shared key and it's faster and asymmetric is a private public key pair that's going to be stronger than asymmetric so to speak so confidentiality integrity and non-repudiation of three concepts you'll
147:30 - 148:00 definitely need to know for the exam so confidentiality is really focused on the secrecy of data both you know while it's in rest or while it's in transit integrity basically provides a recipient with an assurance that the data wasn't altered that the integrity of the data remains that the data we received is the data that was sent in other words and non-repudiation gives us undeniable proof
148:00 - 148:30 that the sender of a message is the one who actually authored it it basically prevents the sender from subsequently denying that they sent the original message which is fantastic in certain circumstances so you need to be able to explain the five basic operational modes of data encryption standard des and triple desks so i'm going to cover these for you in a way that i hope is is easier for you to remember because just looking at them on the surface they're not
148:30 - 149:00 just super super easy to remember they don't stand out so the first is electronic code book mode so this is the least secure of the lot and with code book mode it processes a 64-bit block the problem is if it encounters the same block multiple times it produces the same encrypted block which makes it easy to break so i like to say this code book is pretty easy reading cipher block chaining and in cipher block chaining each block of encrypted text is exhored with the block of ciphertext immediately proceeding so the
149:00 - 149:30 previous link in the chain so to speak cipher feedback is basically cipher block chaining in a streaming version it's going to work on the data in real time in memory but but do remember when chaining is involved errors will propagate that's that's a key factor to associate with cipher block chaining and cipher feedback is when they use chaining errors propagate but cipher feedback is basically cipher block chaining in a streaming
149:30 - 150:00 version working in memory buffers now the next one output feedback works a lot like cipher feedback but it exerts the plain text with a seed value which means we're not using chaining anymore it's using a seed value instead of that immediately preceding ciphertex so no no chaining means errors don't propagate in this case and then another variation of that is is counter which uses an incrementing counter instead of a seat and again you know using that increment encounter
150:00 - 150:30 is pretty pretty easy to uh to tie to that fifth mode and then uh how is triple dez different well triple des uh runs dez three times with uh with two or three keys different keys to increase the effective key size to 112 or 168 bits respectively so let's talk about exclusive or xor i said we'd get to this here we are so so this is a concept that's used pretty heavily in cryptology it's a lot
150:30 - 151:00 more complicated than it sounds it's actually just a flipping of bits in a pretty simple systematic fashion so you're looking at my table here you have the original value the key value and the cipher value what you're looking at here is when the the binary values match so when the original and the key value match you get a zero when they don't match original and key value don't match we get a one simple as that so that's xor exclusive or so key clustering is a weakness in cryptography where a plain text message
151:00 - 151:30 generates identical ciphertext messages using the same algorithm but using different keys i'll tell you how i remember this one i think of key cluster as being similar to collisions in hashing so hashes have a collision when two different strings produce the same hash collisions are exact exactly why md5 isn't used as a hashing algorithm anymore so with key clustering
151:30 - 152:00 basically it's when two different keys using the same algorithm produce the same ciphertext so it's similar to collision in that respect so now we're going to talk asymmetric cryptography or public key cryptography so on the asymmetric side of cryptography of public keys that are going to be shared amongst communicating parties so if you and i are going to communicate and share secrets you can see my you have access to my public key and i have access to yours my private
152:00 - 152:30 key is secret only i know my private key and in your case only you know yours and in terms of data to encrypt a message you each can use the recipient's public key so i can use your public key to encrypt a message and then you can decrypt it using your own private key and with a digital signature to sign a message you're going to use your own
152:30 - 153:00 private key which gives us non-repudiation it ensures that if i sign a digitally signed a message with my private key it ensures that it was sent by me and to validate a signature you'll use my public key so asymmetric and symmetric can work together in the sense that remember symmetric cryptography is is fast right so we can use asymmetric cryptography to securely transmit the shared key we're
153:00 - 153:30 going to use in symmetric cryptography so essentially asymmetric solves three problems one of which is distribution of of a secret and with symmetric that's that's a problem right sharing that key amongst many parties on the symmetric side would be really difficult so that's where asymmetric can help out so just remember each party has both a private and public key so let's look at a simple example we have franco and maria so franco sends a
153:30 - 154:00 request to maria requesting her public key maria sends her public key back to franco remember your public key is shared with all and franco is going to encrypt his message using maria's public key and she's going to decrypt the message using her private key as simple as that and the contents of that message could be anything including but not limited to a key a shared key to be used in a symmetric crypto function so hash function so a good hash function
154:00 - 154:30 has five requirements has to allow input of any length and it has to provide fixed length output that is to say no matter how long the input the output must always be the same length the hash must always be the same length it has to make it relatively easy to compute the hash function for any input so it needs to be relatively fast in that respect it has to provide a one-way functionality in other words it can't be reversed or a hash function that's
154:30 - 155:00 easily reversed a two-way functionality would not be so simple and it has to be collision free collisions are exactly why the md5 protocol is not why md5 is no longer used as a hashing algorithm so a collision in hashing means that we could put two different inputs through a hash function and it would generate the same output meaning we can't then determine reliably what the original
155:00 - 155:30 value was that's exactly why md5 is not used anymore let's talk about cryptographic salts so attackers may use something called a rainbow table it's a table of pre-computed values to to try to identify commonly used passwords and a salt is random data that's used as an additional input to a one-way function that hashes data password passphrase whatever and and because we're injecting random data adding salts to passwords before hashing them reduces the
155:30 - 156:00 effectiveness of of the rainbow table attacks because the attacker doesn't know what additional random data has been injected before the hash so digital signature standard so dss uses sha one shot two shot three message digest function functions uh it used to use sha-1 generally speaking shot 2 is going to be more common now the sha-2 is approved with dss and it works in conjunction with
156:00 - 156:30 one of three encryption algorithms so it would work with a digital signature algorithm or dsa an rsa algorithm or elliptic curve dsa so public key infrastructure so this is the certificate server that you'd see commonly in an enterprise environment so certificate authorities are sometimes called certification authorities generate digital certificates that contain public keys of system users every certificate has a public key and a
156:30 - 157:00 private key to be clear and the users can distribute the certificates to people with whom they want to communicate and the recipients verify a certificate using the ca's public key so so that's how one can establish a chain of trust back to the issuing certificate authority so it all goes all the way back to the the root certification authority so in pki you'll sometimes have tiers of servers and you'll have an
157:00 - 157:30 issuing authority but you'll have a root authority at the at the base of the the infrastructure oftentimes that root authority is is maintained offline but it's using uh asymmetric in that case certs are used for web network and email security pretty commonly so in fact let's talk about web network and email security so an email pretty common standards for encrypted messages include s mime and pretty good privacy on the website of the house the de facto
157:30 - 158:00 standard is is http over tls transport layer security which has largely replaced the older ssl standard that was in use for a lot of years then on the network side i the ipsec protocol is is pretty pretty standard framework used for encrypting network traffic uh you may actually see a bit uh uh additional uh in terms of questions on on ipsec so let's talk about ipsec at some greater depth here so ipsec is a security architecture that
158:00 - 158:30 supports frame secure communications over ip and it establishes a channel in one of two modes transport mode or tunnel mode and it can be used to establish direct communication with computers over or over a vpn so i've seen ipsec used between computers without a vpn vpn is a very common use of ipsec though the windows operating system has has capability to do uh you know ipsec
158:30 - 159:00 between computers without a vpn but you can also establish a vpn and it uses one or two protocols authentication header and encapsulating security payload all right common cryptographic attacks just a couple here you should be familiar with for sure from uh from domain three brute force attacks which are attempts to randomly find the correct cryptographic key so it's just using brute force of of computing power
159:00 - 159:30 with known plain text and chosen cipher text to but it requires the attacker to have some extra information there's a meet in the middle attack which exploits protocols that use two rounds of encryption so it's going to exploit some weaker protocols and it require requires the attacker to know something somewhere around at least eight bytes of uh of a message so so if uh an attacker knew the parties involved and weaker
159:30 - 160:00 protocols were in play here i mean the middle attack might be possible but but it uses looking for those two rounds of encryption would be the key i'd remember for the exam in case this comes up man in the middle attack you'll hear a lot more about this this fools both parties into communicating with the attacker in the middle instead of directly with one another so each side actually thinks they're communicating with one another but instead they're communicating with the man in the middle and a birthday attack is an attempt to find collisions in hash functions
160:00 - 160:30 and and remember a collision in a hash function is when a hash function can receive two different values but generates the same output that's a collision then a replay attack is an attempt to reuse authentication requests so basically to get uh the uh the the the hashed um output of the the authentication request and to present that um so that's actually uh pretty pretty common
160:30 - 161:00 so digital rights management you hear this a lot in the entertainment world so it allows content owners to enforce restrictions on the use of their content by others so this used to be a a big deal in the entertainment world with uh with music back in the day it's occasionally found in the enterprise protecting sensitive information stored in in documents but the entertainment content is where where drm was always a big discussion and nobody was ever very happy about it
161:00 - 161:30 so let's talk about symmetric algorithms if you haven't watched my my video on memorization techniques for cissp you get a taste of them here so so i like to break my cryptography down in a process called chunking so i start by breaking it down to the types of algorithms i need to remember because this is the most uh technical topic on the cissp exam and it's a big topic so let's look at symmetric algorithms here so you need to remember these you need to know the block size i'd try to remember the key size as well
161:30 - 162:00 and and remember you know symmetric from asymmetric so so looking at this table i see i have a big chunk of of algorithms here that have a 64-bit block size including blowfish the uh the the des family the uh rc two through five so one of the tricks i use here so i i tied blowfish and skipjack together i remember that they're both 64-bit because blowfish and skipjack are both fish
162:00 - 162:30 okay you're asking what the heck is a skipjack this is a skipjack it's a tuna i i've lived near the coast many times so i happen to to know that and because i know blowfish and skipjack are both the 64-bit block size remembering two fish is easy for me because one fish times two is two fish right so that's 128 so two fish is going to be a little more advanced in that respect and i know that aes is used commonly in the enterprise so that's advanced as well so i just kind of tie those together that the advanced family has a
162:30 - 163:00 128-bit block size uh and rc-5 has three different options there but but i remember that the the greatest is the the 128 so then you just half that and then half again to get your three rc5 algorithms and then streaming you know doesn't have the block size right it's doing it piece at a time as it streams okay hash algorithms we've talked about these a lot today right so these are easy to break down so i break the md5
163:00 - 163:30 family down so that's message digest mdmd24 and five all have a hash value of 128. also notice that none of those are still in use remember i mentioned md5 which is the the newest of the three you see there none of those are still in use they were replaced by multiple other functions and then you have the shaw family and the shaw family is easy to remember here because uh the and these are this is secure hash
163:30 - 164:00 algorithm so you'll notice that with the shaw family that the name maps to the uh the hash value link so so all of those shaw 224 through 512 these are these are sha-2 variants and uh and essentially the the hash value shows up in the name and and shaw one's not really in use anymore but the sha-2 family are still actively used so make sure you you're going to break out md the md family and the shaw families and remember those
164:00 - 164:30 the three major public key crypto systems so you have rsa which is probably the most famous it was it was developed by three folks back in the 1970s you have elgamal which is actually an extension of diffie-hellman key exchange and it depends on modular arithmetic so with rsa i tie rsa back to the uh to prime numbers so rsa involves the difficulty of factoring the product of
164:30 - 165:00 prime numbers diffie diffie-hellman relies on modular arithmetic it's less common than rsa in the last few years but elgamal is based on diffie-hellman and then elliptic curve depends on the elliptic curve discrete logarithm problem and it's going to provide more security than other algorithms when both keys are of the same length but but rsa i think is the the most famous of these and the most likely to
165:00 - 165:30 come up on the exam but try try to kind of tie some of these key facts about these three into your head so you can pick the right one out should a question come up so digital signatures so digital signatures rely on public key cryptography and hashing functions so so digital signatures have to use shot two nowadays and there are three currently approved encryption algorithms for digital signatures you've got dsa you've got rsa and you've got elliptic
165:30 - 166:00 curve dsa and here's the table of asymmetric algorithms we just covered i don't have any memory devices for you here because this is a fairly short table so you have rsa diffie-hellman elgamal and elliptic curve remembering that elgamal is based on diffie-hellman key exchange so as you're preparing for the exam i'd suggest you just chunk these out and focus on asymmetric and then symmetric and hash each separately and it'll be a little easier i think to get those organized in your mind for game
166:00 - 166:30 day now we're going to talk through security models and this is an area i expect you'll need to spend a fair bit of time and study and memorization before you take the exam it's certainly a frequent source of questions from exam candidates this is my 2022 approach to security models in an effort to answer some of those questions proactively so i hope it's helpful we'll start with the million dollar question what is a security model well security models are
166:30 - 167:00 used to determine how security will be implemented what subjects can access the system and what objects they will have access to so remembering that subjects think of those as the people and objects as the resources they will access and where do security models fit in the big picture well they are a way to formalize security policy as you see in the visualization to the right there they're typically implemented by enforcing integrity
167:00 - 167:30 confidentiality or other controls so you'll see these models focus on one of those three typically and each of these models lays out broad guidelines they're not specific in nature it's up to the developer to decide how these models will be used and integrated into specific designs as you can see in the visualization on the right so to state it another way briefly here what is the purpose of the security model it provides a way for designers to
167:30 - 168:00 map abstract statements into a security policy again it determines how security will be implemented what subjects can access the system and what objects what resources they will have access to so the state machine model describes a system that is always secure no matter what state it's in it's based on the computer science definition of a finite state machine a state
168:00 - 168:30 is a snapshot of a system at a specific moment in time all state transitions must be evaluated and if each possible state transition results in another secure state the system can be called a secure state machine an information flow model focuses on the flow of information and information flow models are based on a state machine model so biba and bellapadula are both
168:30 - 169:00 information flow models these are two security models we'll talk about in just a moment below padula focuses on preventing information flow from a high security level to a low security level whereas biba focuses on flow in the opposite direction from low to high you'll find that biba and bella padula are opposite in their characteristics in a couple of respects the non-interference model is loosely based on the information flow model it's
169:00 - 169:30 concerned with how actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level it ensures that the actions of different objects and subjects aren't seen by and don't interfere with other objects and subjects on the same system and a lattice-based model is based on the interaction between any combination of objects like resources computers and applications
169:30 - 170:00 and subjects such as individuals groups or organizations lattice-based models are used to define the levels of security that an object may have and a subject may have access to and you'll see lattice-based models in bella padula and biba which we'll touch on in just a moment so three properties that will be mentioned repeatedly when talking about security models are the simple security property which describes rules for read operations
170:00 - 170:30 the star security property which describes rules for right and the invocation property which are rules around invocations calls such as calls to subjects i mentioned security models are focused on enforcing integrity confidentiality or other control so let's break these models out into the appropriate category based on their focus to make them a little easier to remember so we have biba which is built on the state machine concept it's an
170:30 - 171:00 information flow model and it focuses on flow from low to high you'll hear the phrase no read down no write up associated with biba more on that in a moment the clark wilson model which features the access control triple go gwen massigure the non-interference model and the sutherland model which is also focused on preventing interference and based in information flow and the state machine concept bel la padula which falls into the
171:00 - 171:30 confidentiality category and it's focused on flow in the opposite direction of biba with bellapadula we're focused on flow from high to low and you'll hear the phrase no read up no write down with bellapadula we have brewer and nash this model is also referred to as the chinese wall take grant a model that employs a directed graph and bel la pajula is
171:30 - 172:00 a model used in government circles most of the rest of these models are used in the commercial space so another difference you can park in the back of your mind and with clark wilson you see i mentioned the access control triple that's the defining characteristic there so if you see a question on the exam that mentions the access control triple you're going to know that it's definitely clerk wilson so bel la padula mentioned this is based on the state machine model it enforces confidentiality
172:00 - 172:30 it uses mandatory access control to enforce the dod multi-level security policy so government again the simple security property which is the read property the subject cannot read data at a higher level of classification that is the no read up and the star property remember is the right property a subject cannot write info to the lower level of classification so no write down
172:30 - 173:00 so in a sensitive information scenario a worker cannot read data at a higher level of classification nor can they down classify data by writing it down to a lower level this is lattice-based multi-level security policy so another way to look at bellapadula i'm just going to give you a visual memory anchor here no read up no write down i had a student give me a mnemonic they used to remember this no running
173:00 - 173:30 under nets with dingoes if that helps you have at it so bel la padula if we just look at it in another way here i'm looking at information classifications from unclassified at the lowest level of sensitivity to top secret at the highest level of sensitivity we have our read and our right property so the subject cannot read classifications uh cannot read information at higher
173:30 - 174:00 classification so that's no read up and they cannot write data into a lower classification so no write down it's enforcing confidentiality biba is another lattice-based model developed to address concerns of integrity so the simple integrity property the subject at one level of integrity is not permitted to read an object of lower integrity so no read down that is the read property then the star
174:00 - 174:30 property which is the right the object at one level of integrity is not allowed to write to an object of higher integrity so no write up and the invocation property prohibits the subject at one level of integrity from invoking a subject at a higher level of integrity so remember the simple property is read the star property is right using the same visualization we used for bel la padula with biba the subject cannot read lower
174:30 - 175:00 classifications no read down and the subject cannot write data to higher classifications no write up so biba focuses on the flow of low to high so clark wilson is a model that uses security labels to grant access to objects constrained data items in the clark wilson model are any data item whose integrity is protected by the security model an unconstrained data item is not controlled by the model
175:00 - 175:30 an integrity verification procedure is one that scans data items and confirms their integrity and transformational procedures are the only procedures that are allowed to modify a constrained data item i mentioned clark wilson features the access control triple which you'll see in the ninth edition of the official study guide is now termed the access control triplet updated language for the
175:30 - 176:00 same concept no worries there so this features the concept of an authenticated principle a user think a subject and then a program that's our transformational procedure in this example the only procedure allowed to modify a constrained data item and then we have our data items the unconstrained data items and the constrained data items think of those as the the object so the access control triplet refers to that relationship
176:00 - 176:30 between an authenticated principle the set of programs the transformational procedures that can operate on a set of data items the cdis and udis the constrained and unconstrained data items touching on a few other models here we have the take grant model which i mentioned is a confidentiality based model it supports four basic operations take grant create and revoke the brewer and nash model the chinese
176:30 - 177:00 wall it's called that was developed to prevent conflict of interest problems it is confidentiality based the graham denning model which uses a formal set of protection rules for which each object has an owner and a controller now it's focused on the secure creation and deletion of both subjects and objects and it's a collection of eight primary
177:00 - 177:30 protection rules or actions that define the boundaries of certain actions remember i mentioned models focus on integrity confidentiality or other controls those eight rules of graham denning revolve around secure creation and deletion of objects and subjects those are our first four rules and the second four of the eight are about securely providing access rights read grant
177:30 - 178:00 delete and transfer of access rights all right so security mode so it starts with dedicated mode so security clearance permits access to all information processed by a system approval for all and valid need to know for all so that's dedicated mode all all right access approval and need to know multi-level mode on the other hand can process information at different levels even when
178:00 - 178:30 all system users don't have the required security clearance to access all information processed by the system so there are some distinctions there so the key there is when when all users don't have the required security clearance multi-level mode can be very useful system high mode requires that each user have valid security clearance access approval for all information processed by the system and valid need to know for at least some of the info on the system
178:30 - 179:00 this this offers of all the models this offers the most granular control over resources and users and then there's compartmented mode which goes one step further than system high and in compartmented mode each user has to have valid security clearance and access approval for all info based processed by the system but it also requires valid need to know for all info so that's how compartmented varies from system high is that it requires valid need to know for all info
179:00 - 179:30 as opposed to uh to only some so so before it gets away from me let's talk about the uh the state machine model uh which i said those security models that we talked about a minute ago are based on so a state machine model describes a system that's always secure no matter what state it's in so it's based on the computer science definition of a finite state machine so a state is a snapshot of a system at a specific moment in time and all your state transitions the transition from
179:30 - 180:00 one state to another has to be evaluated like the transition from onto off for example but if each possible state transition results in another secure state then a system can be called a secure state machine so that's the key and an information flow model focuses on the flow of information information flow models are actually based on a state machine model
180:00 - 180:30 so biba and bellapadula are both in both information flow models remember they were looking at no read up no write down they're talking about the flow of information in read and write to simplify that bill la padula in preventing information flow from a high security level to a low security level right remember it was no right down and biba focuses on flow from low to high remember no write up so so bella padula focuses on enforces
180:30 - 181:00 confidentiality biba focuses on integrity integrity all right trusted computing base you're going to expect it to be able to define a trusted computing base which is a combination of hardware software and controls that work together to form a trusted base to inform your security policy it's a subset of a complete information system it's it's the portion that can be trusted to enforce your security policy to to always adhere to your security rules now security perimeter is another topic that may come up on the exam
181:00 - 181:30 you'll be expected to know what that is a security perimeter is an imaginary boundary that separates the the trusted computing base from the rest of the system from from the not secure parts of the the system so a trusted computing base has to create secure channels trusted paths to communicate with the rest of the system and then it protects users from compromise essentially so reference model and security kernel two two concepts that will come up on the exam potentially as well so the
181:30 - 182:00 reference model reference monitor rather is the logical part of the trusted uh computing base that confirms whether a subject has the right to use a resource prior to granting access and the security kernel is a collection of trusted computing based components that implement functionality of the reference monitor so security kernel implements access control and ref reference model enforces it generally basically if we boil it down
182:00 - 182:30 hopefully that helps kind of solidify that a little more simply than what uh what the official text will tell you so domain three includes some drill down on three sets of evaluation criteria designed to evaluate uh the security criteria around systems and products the first of these is iso iec 15408 also known as the common criteria this was established to enable objective evaluation around a product or a system
182:30 - 183:00 based on a defined set of security requirements okay this is really the gold standard so you're also going to see mentioned trusted computer system evaluation criteria which is an earlier system for evaluating computer security and then you'll also see information technology security evaluation criteria which was actually an attempt uh to create a security evaluation standard in europe basically though the common criteria has
183:00 - 183:30 replaced both uh the trusted computer and information technology standards there so tc sec and itsec have been supplanted by common criteria so that's where you're going to want to put your focus you can't forget about these other two entirely i'll explain why in a moment first though i want to drill down and break down common criteria for you just a bit i want to give you a quick visual of common criteria as a process so it starts with a description of the assets that we need
183:30 - 184:00 to evaluate and then identifying the threats to those assets the potential threats and then analyzing and rating those threats quantifying prioritizing and based on the output of those first three steps then determining what our security objectives are for the for the situation for the product or the the the system that we're dealing with and ultimately establishing our functional requirements so really what you have here amounts to a five
184:00 - 184:30 step process that you could then repeat and refine as necessary so you're making some assumptions establishing security policies based on the assets you're dealing with and the threats to those assets you're performing some risk analysis and then establishing your objectives based on on the system you're evaluating in the environment that it's going to operate and there are actually two flavors of common criteria there's
184:30 - 185:00 the community protection profile or cpp which i think you're going to see a little less on on the exam it comes with it's a black box system that comes with pre-defined requirements or or let's call them standardized sets of requirements where whereas the eal the white box flavor allows for greater scope and flexibility in defining the the set of claims now the the study guide says that you will need to be
185:00 - 185:30 prepared to list the classes of tc sec itsec and common criteria so these are the the levels of each of those systems now remembering that tc second itsec are legacy right they've been supplanted they've been replaced by common criteria uh the official study guide calls out the evaluation assurance level the uh the eal the white box uh version of uh of the levels and they're listed for you
185:30 - 186:00 here and i'm also going to put them for you here with a tighter description according to the common criteria from eal0 up to eal7 with eal7 being the more mature end of the scale so so as i mentioned you it's called out that you should be prepared to lift the levels within these three
186:00 - 186:30 different standards for evaluation criteria but if i were going to prioritize my effort i'd be looking at common criteria as the current standard covert channels you'll be expected to know what a covert channel is so a covert channel is a method used to pass information over a path that's not normally used for communication and because it's not normally used it may not it may not be protected by the system's normal security controls uh so
186:30 - 187:00 for example steganography uh the the the process of transmitting information embedded in a photograph basically a way to to covertly pass information through a seemingly benign object but but it's not normally used it may not be protected by the system's normal security controls as in the case of steganography right there's two types of covert channels there's covert timing and covert
187:00 - 187:30 storage so timing channels are based on on the time it takes to access certain components like systems paging rate uh the time a certain transaction takes to execute or the time it takes to get access to a shared bus and the storage channel occurs when out-of-band data is stored in a message so icmp that what's used for ping that protocol will sometimes have some extra information in the packets which will tell us something about the identity of
187:30 - 188:00 the target operating system so an attacker can use that that extra information covert channels are difficult to detect because it's outside normal communication channels so trusted platform module so this is a chip that resides on the motherboard of a device it's really commonly used in the windows operating system in linux as well for that matter it's multi-purpose it's it's like storage and management for keys used for for disk encryption for example but it provides the operating system with access to keys but
188:00 - 188:30 prevents component removal and access essentially but but the tpm is a chip and you're going to find it in all your modern laptops these days so let's talk about types of access control starting with mandatory access control and this is a policy that's determined by the system not the owner so there is a mandatory uh access control system in place that the the user cannot that the object owner can't define and it relies on classification labels that
188:30 - 189:00 are representative of security domains discretionary access control allows the owner or creator of an object to control access at their discretion that's how you remember discretionary access control access control is at the discretion of the owner or creator non-discrete non-discretionary access control enables enforcement of system-wide restrictions that override
189:00 - 189:30 object specific access control and rule-based access control defines specific functions for access to requested objects specific functions or rules for access so remember discretionary is at the discretion of the owner creator non-discretionary is system wide and mandatory is determined by the system not the owner so role based access controller are back as you're often going to hear it called this uses a well-defined collection of
189:30 - 190:00 named job roles to endow someone with specific permissions for example in the cloud in microsoft azure we have a global administrator who has access to everything we have an access administrator that role can handle issues with relation to access there is a security reader role that has permission to read security information throughout the system so role-based access control
190:00 - 190:30 is is something you'll hear out there frequently and it'll it'll have a role that you can then assign users or groups to quite typically if you think about it in the windows context so back to mandatory access control your your mac models are going to work on one of three environment types classifications you've got a hierarchical environment where where the labels are assigned in an ordered structure from low to to high security low to medium to high you have compartmentalized which requires specific security clearances over
190:30 - 191:00 compartments or domains instead of objects and then you have the hybrid environment which which combines hierarchical and compartmentalized so the security levels you have security levels and within those levels you have sub compartments so that's going to be the most granular and and flexible of the three a key point about the mac model though is that every object and every subject
191:00 - 191:30 has one or more labels classification labels they're predefined and the system determines access based on on the assigned labels so let's talk about just a few terms here so certification this is the the technical evaluation of each part of a computer assist a computer system to assess its concordance with security standards that's the official definition what the heck does concordance mean well it really means
191:30 - 192:00 uh agreement or alignment or compliance with with security standards and then accreditation is the process of formal acceptance of certified configuration from a designated authority it's one thing to have a a certified you know technical compliance accreditation is where a governing body then certifies that configuration an open system these are designed using industry standards are usually easy to integrate with other open systems and
192:00 - 192:30 and and then you have by comparison a closed system that's generally proprietary hardware or software and with these they're kind of black box their specs aren't normally published they're going to be harder to integrate because they are what we'd call a black box they're proprietary and secret uh to a degree so techniques for ensuring cia what do i mean by cia no i'm not i'm not talking about the cia the government cia i'm talking about the cia triad
192:30 - 193:00 confidentiality integrity and availability so confinement restricts a process to reading from and writing to certain memory locations bounds are the limits of memory a process can't exceed when reading or writing and isolation is the mode a process runs in when it's confined through the use of memory bounds so so definitely know the definitions for confinement bounds and and isolation
193:00 - 193:30 because these are all techniques for for ensuring cia so let's talk about authentication factor so with multi-factor authentication you can have something you know like a pin or a password something you have like a trusted device it's quite common in in secure environments that you have to to authenticate with something you know and you have to be attempting to authenticate from a device that is trusted it's known to not be compromised it complies with the organization's standards then something you are like
193:30 - 194:00 biometric like windows hello does face scanning when you when you go to secure data centers many times there's a biometric mechanism like a retina scan or maybe even a fingerprint authentic this is authentication and authorization so authentication often is the process of proving that you are who you say you are then authorization is the act of granting an authenticated party permission to do something
194:00 - 194:30 so that's identity and access control if i were to say it another way so permissions rights and privileges are granted to users based on their identity and if a user has rights to a resource they're granted authorization that's that's basically authenticity and authentication can be achieved with both the metrics and an asymmetric cryptosystems but you know whether it's symmetric or asymmetric will will also factor in on the uh you know how secure it is and the
194:30 - 195:00 speed right and how scalable okay so a few terms around multi x here so multitasking this is simultaneous execution of more than one application on a computer and it's managed by the operating system so i can run multiple applications on windows or on my mobile phone multi-threading permits multiple concurrent tasks to be performed within a single process so multi-threading gives me multiple
195:00 - 195:30 threads within within a process so multiple concurrent tasks is the key to remember in multi-threading then there's multi-processing which is the use of more than one processor to increase computing power pretty much everything i can think of in terms of standards you know desktop and and laptop computing devices now uh have long supported more than one processor and then in uh the mainframe world we have something called multi-programming it's
195:30 - 196:00 similar to multi-tasking but it takes place on mainframe systems and requires some specific programming so think about multi-programming as multitasking for mainframe that's the the bottom line there so single state and multi-state processor pretty pretty simple single state processors are capable of operating only one security level at a time and multi-state can operate at multiple levels of security
196:00 - 196:30 okay processor operating modes there's user mode which is where applications operate with limited instruction sets uh so these are going to be your ordinary end user operations typically and then privileged mode are where it's known as system mode or kernel mode or sometimes supervisory mode but this is where controlled secure privileged operations occur so
196:30 - 197:00 it's often going to be a protected area in terms of of memory under processor and storage access but but think controlled operations i think of user as end user operations and privileged as system or administrator operations you'll want to be familiar with these memory types and the differences between them for the exam so we have read only memory or rom where the contents are burned in at the factory it's not writable we have two flavors of ram static ram
197:00 - 197:30 which uses flip-flops dynamic ram which uses capacitors we have programmable rom it's similar to rom with several subtypes we'll take a look at here so we have erasable prom we're erasing that read-only memory is possible we then have two sub-categories of eprom which are uv e-prom and eeprom so we have ultraviolet eeprom where the chips have a small window that when illuminated with a special ultraviolet light it will
197:30 - 198:00 erase the contents and then there is electronically erasable prom where we use electric voltages to force erasure and flash memory which is a derivative concept from eeprom it's non-volatile and can be electronically erased and rewritten so uh security issues with storage so primary storage is is the same as memory the primary classification secondary storage consists of magnetic flash and optimal media that
198:00 - 198:30 first has to be read into primary memory before the cpu can use the data and then random access storage devices can be read at any any point in time and sequential access storage requires scanning through all the data physically stored before uh the desired location so you have to access all the data in order so sequential would be difficult uh to leverage in some circumstances uh three main security issues around
198:30 - 199:00 secondary storage so not memory right removable media can be used to steal data i can plug a usb key into a computer copy some data and walk out the door right so we have to to secure that channel of moving data access controls and encryption have to be applied to protect data right we have to apply uh you know some sort of limitation of access role-based access control for example and data can remain on the media even after file deletion or media formatting what i just mentioned right that when
199:00 - 199:30 you delete the file you're not always deleting the file i can use forensic means to to find that data after you've deleted it so so you want to to be very aware of that input and output devices so so input and output devices are going to be subject to eavesdropping and tapping so so think back to phone systems you know uh tapping a phone used to be a common um you know mechanism for for uh breaching security of voice conversations a
199:30 - 200:00 network connection a network cable can be tapped as well we can tap directly into a cable with something called a vampire tap so so eavesdropping and tapping are used to smuggle data out of an organization so you have to be careful about securing entry points into your environment this is really where physical security starts to come into play we have to secure the wiring closet for example and we'll talk about securing a wiring closet in a bit uh so the purpose of firmware you'll be expected to know what
200:00 - 200:30 firmware actually does it's basically a software that's stored on a read-only memory chip and it contains basic instructions needed to start a computer or a peripheral device like a printer so vulnerability threats counter measures let's talk about uh processes so process isolation uh ensures that individual processes can only access their own data so so one process can't read from another you can imagine if an attacker knew they could read other processes that would be
200:30 - 201:00 an interesting channel for them to pursue layering creates different security realms within a process and limits communication between them and then abstraction creates a black box interface for programmers to use without knowledge of the devices interworking so you'd see abstraction in a proprietary system and then data hiding prevents information from being read at a different security level so hardware segmentation enforces process
201:00 - 201:30 isolation uh with physical security controls but it prevents information data hiding prevents information from being read from a different security level so so that's the key to remember there so the role of security policy so the the role of a security policy is to inform and guide the design development implementation testing and maintenance of a particular system so so we start for example with our organization security policy and that gives us the rules that we need to adhere to in in
201:30 - 202:00 designing and implementing a solution to solve a problem that gives us the the security standards by which we go it may be the organization it could be a governing body in the case of a regulated environment you know pci dss for example lays out policy related to handling credit card data for example cloud computing you'll be expected to know what cloud computing is right so this is where where processing and storage is performed somewhere else over a network connection rather than locally
202:00 - 202:30 so so really commonly you can think azure amazon and google cloud which which you know have their own data centers that you can rent time in you know you pay as you pay for what you use essentially and and sensitive and confidential data can be at risk if the cloud provider and their personnel don't adhere to the same security standards as your organization i tend to think with the major cloud providers it's actually more secure and and all three of these providers are going to give you some way to see the security standards to which they are they adhere and for which they are
202:30 - 203:00 certified azure last i looked as the most certified in terms of the various standards they adhere to i'm a big believer that that in the cloud the major providers these days do it better than the average i.t department can do in their own data center i think the cloud's come a long way in that respect hypervisors you'll expect it to be known to know that what a hypervisor is and the two types so so there's a type one hypervisor which is a native or bare metal hypervisor so you can think of of um
203:00 - 203:30 an esxi server from vmware that basically there's no operating system you're logging into and using and then launching virtual machines it's just bare metal running vms that's its sole purpose uh hyper-v uh has has a type one hypervisor option as well and then there's a type 2 hypervisor which is a hosted hypervisor so a couple of things you could think about here would be well on windows 10 for example you can light up the hyper-v feature and you can in the windows 10 gui you know create and launch virtual
203:30 - 204:00 machines that would be kind of a type 2 scenario other type 2 hypervisors uh oracle virtualbox vmware workstation you know where you've got a gui and then you can then go in and mess with your your virtual machines a casby a cloud access security broker so this is a security policy enforcement solution that can be installed on premises or in cloud so so casby's haven't been around that long you'll often hear casby's mentioned uh with the
204:00 - 204:30 phrase shadow i.t because we can use casbi's to enforce security policies to ensure that only secure applications are used in our environment and that our data is not stored in unauthorized repositories so we can we can make sure that if we're using cloud storage that it's only approved or sanctioned storage locations security is a service basically a cloud provider concept where security is
204:30 - 205:00 provided to an organization through or by an online entity and there are many flavors of of security as a service there are many services that you can acquire in the cloud to protect information identities uh security information event management systems which can can do some centralized processing of your environment so really just think of of security as a service as outsourcing the security function smart devices so so smart devices are
205:00 - 205:30 typically mobile devices that offer customization options you know often through installing apps and they might use you know technology on the device or in the cloud you know hey the ai can be local or it can be cloud based uh internet of things so that's a class of devices connected to the internet you'd be familiar with the internet of things you know that that can include all the devices in your home automation automation your uh your home assistant like google or alexa uh or or siri for example um
205:30 - 206:00 or or a car connected to the internet right so there are billions of devices that fall into the world of internet of things or iot it's called so be basically familiar with what internet of things refers to so mobile device and mobile app security this is a big space you'll need to know some of the basics here so so a range of potential security features available to a mobile device could include encrypting the device uh which is very common with both ios and android uh remote wiping a device and and
206:00 - 206:30 typically you can wipe just business data you can do what they call a selective wipe with with the right management software so you can wipe just the business data off a device locking screens requiring pins gps controlling which applications access which types of data which leads me to the reality here that mobile application security is also pretty important and likely to come up on any any question around mobile devices so
206:30 - 207:00 these are applications that need to be secured um and and could be related to securing uh you know through credentials uh application whitelisting etc and in the world of of you know enterprise computing byod bring your own devices really popular in large companies and that's a policy that allows employees to use their own personal device to access business information and resources you know this this tends to make people happier but it increases our security risk
207:00 - 207:30 because we have to put some boundaries around what type of device they can bring and what applications they can use to access our corporate data so that's going that's where where device security and mobile application security factor in and your major platforms nowadays major mobile device management platforms nowadays give us the ability to manage the device and to manage applications on devices that we cannot fully control
207:30 - 208:00 mdms would include things like microsoft intune airwatch mobileiron quite quite a few quite a few mobile device management platforms out there intune and airwatcher two that come to mind that give us the the capabilities we're talking about here so let's talk about embedded systems and static environments so an embedded system is typically designed around a limited set of specific functions in relation to a larger product for which it's a component lots of devices that fall into this
208:00 - 208:30 category motion sensors lighting systems cache registers digital signature pads wi-fi routers then static environments are applications uh oss hardware sets or networks that are configured for a specific need capability or function and they're they're set to remain unaltered uh you know change is reality in this world but uh they're set they mean set to remain unaltered even
208:30 - 209:00 uh through interaction with with people with users and administrators and both of these need to be managed and managing these you can use network segmentation security layers firewalls manual updates controlling your firmware versions you know any any sort of wrappers around these but just understand the basic definitions i don't expect to see a lot of focus on this on the exam but just fyi privilege and accountability so there's the
209:00 - 209:30 principle of least privilege this is a foundational component of secure computing and and separation of privilege so so least privilege ensures that only a minimum number of processes are authorized to run in in supervisory mode this also factors in when we grant people role-based access control the principle least privilege means we give someone for the permissions they need to do their job and no more and separation of privilege increases the granularity of secure operations by separating the privileged operations any
209:30 - 210:00 one entity can perform be that a system or a person so so we sometimes call that in the world of people we call that role separation you know maybe the same person can't establish permissions who then administers the system somebody else grants permissions they grant they are the access administrator and then somebody else performs the technical functions of the system administrator so so accountability ensures that through all of this an audit trail exists so we can trace operations back
210:00 - 210:30 to their source so if permissions are granted at a higher level for someone we know who or what did that and and if we don't have proper you know separation of privilege there's an audit trail that shows us where one person maybe was was temporarily granted elevated privileges performed multiple operations that broke our separation of privilege clause and and moved on okay common flaws and vulnerabilities we have the buffer overflow and this this occurs
210:30 - 211:00 when a programmer fails to check the size of of input data prior to writing data to a specific memory location so if we don't if if software is poorly written and it doesn't check the size of the data it can potentially overwrite the bounds of memory to for which it's been granted access and potentially overwrite more important or other important data which can cause a system to to malfunction in a number of ways including crash you know back in the early days of computing you know buffer
211:00 - 211:30 overflows were really common in addition to buffer overflows programmers can leave backdoors and privileged programs on a system after it's deployed that's that's where we have to to employ security um you know policies and and standards to and and tooling to ensure that we we catch anything installed on a system that shouldn't be there uh even and even well-written systems can be susceptible to what we call time of check to time a use attack so any
211:30 - 212:00 any state change presents an opportunity for an attacker to compromise a system so if i if i you know get uh credentials at one time you know credentials captured at one time used it as a at another uh can can factor for example in a replay i think i think of a replay attack as as something i can relate to this because in a replay attack i capture credentials and then i attempt to reuse those credentials at a later time so so i think of that as kind of an equivalent
212:00 - 212:30 concept to time a check time of use the functional order of security controls may come up on the exam and you'll want to know these in order so it starts with deterrence our security controls should deter or discourage any malicious or negative activity and if deterrence fails then our control should deny that activity if denial fails then our controls should detect that activity and allow us to track that
212:30 - 213:00 activity as it occurs and finally it should also help serve to delay the progress of that activity now in 2021 we saw this language evolve just a bit so i saw those terms simplified a bit to deter deny detect and delay and we also saw two additional controls added to the functional order and you see them there determine and
213:00 - 213:30 decide so determine the cause of the incident or assess the situation to understand what is occurring and decide on the response to implement such as apprehending the intruder or collecting evidence for further investigation now we're going to dive into a wide range of material around physical security and this is super important because it's an area that many it folks haven't spent a lot of time with so physical security controls can be divided into three groups
213:30 - 214:00 administrative logical also known as technical if you see technical controls or logical controls two ways to say the same thing and and physical controls now i have some listed here i want to break these out in a way that's easier for you to memorize so let's start with the logical controls the technical control so these will be items like access controls intrusion detection alarms uh closed circuit tv and monitoring hvac systems in your data centers power supplies fire detection
214:00 - 214:30 and suppression and we'll dig into some of these into some of these individual areas uh momentarily here so administrative controls are more focused on policies and procedures facility construction facility selection picking the right site uh site management having proper procedures for managing your site uh personnel controls employee policies security awareness training emergency response
214:30 - 215:00 and then within emergency response having emergency procedures you know laid out at the step-by-step level so administrative controls can be wide-ranging and then physical controls for physical security are exactly what they sound like this will be things like fences lights locks construction materials man traps to allow only one person in at a time bollards to keep someone from driving up on a facility uh dogs guards quite quite a few options there but but remember for the exam there's no
215:00 - 215:30 security without physical security without control over the physical environment uh no amount of administrative or or technology is going to provide adequate security security that's bottom line if a malicious person can gain access to your facility or your equipment like your wiring closet they can do just about anything they want from you know destroying equipment outright to disclosing or changing configurations in a way that may be difficult for you to recover from
215:30 - 216:00 so in terms of physical security controls uh no no your fences so so three to four feet for example decor deters a casual trespasser if you're trying to deal with serious intruders eight feet with barbed wire uh temperature understand that temperatures for computers uh 60 to 75 degrees fahrenheit in the ideal range that's 15 to 23 celsius computer damage at 175 fahrenheit storage device damage at 100 and your ideal humidity is 40 to 60 percent there there are
216:00 - 216:30 negative consequences on both sides of that which i'll talk about in just a moment electrical impacts know the difference between a blackout a brownout fault surge spike sag uh and i've labeled them here to to the degree uh that they will differentiate enough for you to remember for the exam so a blackout is prolonged loss of power where brownout for example is just prolonged low voltage where your your electricity is not consistent and clean so remember these six for sure uh light know that uh lights
216:30 - 217:00 eight feet high with two feet of candle power is the uh the uh the magic and the are the magic numbers for security controls okay humidity and static so so when we're dealing with humidity too much humidity if we get much over percent we can get to a situation where we have uh condensation that can cause corrosion uh your condensation is going to be bad for for uh equipment right and too little humidity causes static electricity even on a non-static carpet low humidity can
217:00 - 217:30 generate a 20 000 volt static discharge which which is enough to damage just about any sort of equipment let's talk about fire suppression agents we're going to go from class a to class d so class a are going to be your common combustibles like wooden paper and these can be extinguished with water or soda acid uh class b boil and you notice i have um the the acronyms there so ash boil so
217:30 - 218:00 class b boil these are burning burning alcohol oil and other petroleum products like gasoline these are extinguishing with with gas or soda acid you should never use water on a class b fire period class c these are electrical fires that are fed by the electricity that started them so electrical fires are conductive fires and and the agent has to be non-conductive i mean meaning it cannot conduct electricity like any type of gas and incidentally when you
218:00 - 218:30 disconnect the power source the electrical fire then becomes another class of fire based on what what is burning so when we remove the power source it becomes a class a b or d fire uh and then cla but any type of gas is good for electrical fire because we need something that doesn't conduct electricity you know water would be catastrophic for example uh class d these fires are burning metals and they're extinguished with dry
218:30 - 219:00 powder uh you know when you get into the into these odd classes of fire like classy these are scary because these are you're putting these out are not going to be common knowledge your organization has to be prepared for these right class k is a kitchen fire that's going to be like burning oil or grease your wet chemicals are used to extinguish class k fires i'm not convinced you'll see anything about kitchen fires on the exam i put it on there just in case uh you know offices have kitchens right so
219:00 - 219:30 worth worth mentioning i think there are three categories of fire detection though they include smoke sensing flame sensing and heat sensing so know your three categories of fire detection as well uh fire extinguisher classes and suppression agents in a table here if you want to memorize these with a bit less detail there's just a table that very comes out for you a little more cleanly voltage and noise so you have two types of electromagnetic interference you have common mode noise which is generated by
219:30 - 220:00 the difference in power between the hot and the ground wires of a power source and then you have traverse mode noise which is generated by the the difference in the hot and the neutral wire so that's that's the key the key differentiators between the two that i would memorize and and radio frequency or rfi interference is generated by you know electrical appliances light sources you know cable circuits etc really any anything you know running on electricity right voltage i mentioned static voltage earlier here are some common levels of static thresholds of static voltage uh
220:00 - 220:30 damage you should you should probably be uh familiar with this this isn't the first thing i'd memorize but if you can if you can park these these voltage levels in your head uh it's worth doing right so damage from from fire suppression itself so the destructive elements of a fire include smoke and heat but also the suppression medium so like like water or soda acid you know what we're using to suppress the fire can cause damage so smoke is damaging to you to most of your storage devices
220:30 - 221:00 heat can damage you know any electronic or computer component uh suppression mediums can cause a variety of problems short circuits they can initiate corrosion uh or or otherwise just render equipment useless you might put the fire out and and really you know the suppression medium might be so so damaging that you know really all you're saving is human life because at the end of the day that's the most important thing right so all of these issues have to be addressed when designing a fire response system but at the end of the day the
221:00 - 221:30 number one concern is always going to be human safety so if you are faced with any sort of choose the best answer if uh or the most important you have human safety is always going to be the top of the list so water suppression systems so so pre-action systems use close sprinkler heads and the pipe is charged with compressed air instead of water uh the water's held held in check by electronically operated sprinkler valves and the compressed air these are going to be good for areas with people and computers wet pipe systems are filled with water
221:30 - 222:00 um dry pipe systems are you know contain compressed gas dry pipe systems also have close sprinkler heads the difference is the pipes are filled with compressed air not water the water is held back by a valve that remains closed as long as there's enough air pressure in the pipe so this is used in areas a lot of times where water might might freeze like like parking garages dailer systems are pretty similar to dry pipe systems except the sprinkler heads
222:00 - 222:30 are open and they're larger than dry pipe heads that's why you get a deluge a large amount the pipes are empty at normal air pressure the water is held back by a deluge valve but but the sprinkler heads are going to be larger which means they can they can disperse more water more quickly but also remember you know just as oil and water don't mix water and electricity do not mix right so that's always that's always an an easy answer when you're thinking about those classes of fire you know elec electrical in particular you know
222:30 - 223:00 we know we're not going to use anything that conducts electricity which would include water uh gas discharge so gas disc discharge systems tend to be more effective than water systems but they shouldn't be used in environments where people are located because gas discharge systems work by removing oxygen from the air so so gas discharge and people don't mix okay uh halon is effective it's bad for the environment though it's ozone depleting and and it turns to toxic gas at 900
223:00 - 223:30 fahrenheit note to self and suitable replacements um a number of suitable replacements here argon energen arrow k so so there's a list here um do your best to memorize this this this is down in the nooks and crannies i'm not sure how uh how detailed a question would ever get to to get down to these levels but know that the halon is effective as a gas system but it's bad for the environment so other gases would be suitable replacements
223:30 - 224:00 for that reason so lock types you've got electronic combination locks which would like a cipher lock that's something you know key card systems which would be something you have the key card in your hand right biometric system something you are like a retina scan a fingerprint scanner uh conventional locks you know where we use a key so those are easily picked or bumped and keys can be duplicated right conventional locks are going to be the least secure of the lot often pick and bump resistant locks are expensive but they make it harder to
224:00 - 224:30 pick and keys aren't as easily duplicated so if you're going to go with conventional locks the the pick and bump resistant locks are are better so for the exam now remember that locks can be picked and which need to be bumped remember how lights and fences need how high lights and fences need to be right so we said lights eight feet to uh candle power two and fences need to be eight feet to deter serious intruders right know the difference the different physical controls related to entry and i want to just mention a
224:30 - 225:00 couple here so this is a man trap in case you've never seen it somebody mentioned out in one of the the public forums that they got a question on on not a man trap but i wanted to show you that in case you don't know what a man trap is you see basically the door opens one person can go in and then when they're cleared the door on the other side opens and then a bollard bollards are these poles you'll see these in front of office buildings these they show up in front of even grocery stores and prevent somebody from driving into a facility that's what a baller does
225:00 - 225:30 so just in case you've never seen them now you've seen them so site selection and facility design so know the key elements in site selection and facility design so for for site selection visibility is important uh composition of the surrounding area how accessible is the area and what are the effects of natural disaster so in terms of visibility can i see threats coming right um are there are there elements in the surrounding area that could hurt me do i am i building a building next to a cliff where rocks could fall um if i have a natural disaster you know
225:30 - 226:00 am i am i building you know near the edge of a riverbank and an earthquake you know causes our building to fall into the water we need to think about all those those elements in in site selection and for facility design we need to think about the level of security that our organization requires and planning for that before we begin construction because we have to deal with a variety of factors when it comes to physical security right we have to have controls for entry we can think about those things like ballers to prevent people from driving into a facility if if driving into a facility
226:00 - 226:30 would be a desirable way to to breach our our site um know how to design and configure secure work areas so there shouldn't be equal access to all locations within a facility which you probably know so areas with the high value assets require restricted access and your valuable assets your confidential assets they should be located at the heart or or the center of protection provided by the facility there should be layers
226:30 - 227:00 of of you know access controls and preventative measures in place so so send and centralize server or computer rooms don't necessarily need to be human compatible because they're they're meant to house server or computer rooms which means they're their temperatures are going to be optimized for computers the the materials are going to be optimized for computers there's a certain level of human safety because people have to go in there at some some level right but the fire suppression for example is going to be optimized to putting out uh electrical fires not not fires that happen in a kitchen right
227:00 - 227:30 uh and and a lot of times those those you know fire fire suppression systems in a computer room assume that the doors are locked or will even kick off a procedure that automatically locks the door so when the system goes off people are not present and and you know put in harm's way threats to physical access control so no matter which physical access control is used a security guard or a monitoring system needs to be deployed to prevent abuses of the controls like propping open secure doors and and bypassing
227:30 - 228:00 locks uh masquerading using somebody else's security id to gain an entry to a facility see this all the time with uh with folks that have vendors on site for the day they'll just lend their card to a vendor that wants to go uh for a smoke break or something you know then potentially giving them access to a server room so you have to watch that sort of thing and then piggybacking which is following someone through a secured gator doorway without being identified or authorized so somebody else swipes a badge for example opens the door and then the the person piggybacking just catches the door
228:00 - 228:30 behind them before it closes right so so no masquerading and piggybacking as well securing a wiring closet so no security concerns of a wiring closet you know first and foremost preventing physical unauthorized access is going to be first and foremost right because i can go in there and i can pull cables and cause disruptions i can potentially put a tap in place so i can eavesdrop on your uh your communications lot lots of negative there but with with the wiring closet secure physical
228:30 - 229:00 security first and foremost everything else is going to be secondary because once i'm in the closet there's little you can do right uh understand how to handle visitors in a secure facility so so if a facility employs restricted areas to control physical security there needs to be a mechanism to handle visitors so so maybe an escort is assigned to visitors and their activities are monitored they have to they have to have somebody accompanying them you may have a badge on them that says your visitor requires escort uh tracking actions of outsiders when
229:00 - 229:30 they're granted access to prevent malicious activity is is going to be key for most protected assets there needs to be you know deterrence and and uh you know some some sort of denial and certainly an audit trail of one sort or another understand needs for media storage as well this could well come up on the exam and this feels less relevant you know in in 2021 but uh you know media storage facilities folks still do use tape out there it's
229:30 - 230:00 not not unheard of and we do have you know all sorts of storage devices so media storage facilities have to be designed to securely store you know blank reusable and installation media so concerns are going to include theft corruption uh data remnant recovery so when we erase something it's not fully erased uh so so for example like with a hard drive i said that you know just deleting data still leaves it there recoverable by forensic means so we can we can kick off an overwrite that right overwrites the drive with ones or zeros we can use
230:00 - 230:30 a degaussing tool to to send a charge through and wipe a device uh your media facility protections should include locked cabinets or safes a librarian or a custodian that is a gate and access gate to those two said cabinets or safes implementing a check-in or check out process which could be facilitated or administered by a librarian or custodian for sure and using media
230:30 - 231:00 sanitation lots of media sanitation we have techniques out there one of the one of the simplest is shredding right we have confidential paper documents we shred you know i mentioned degaussing that's not going to be effective for a lot of the modern uh storage devices but uh check check the uh the cissp official study guide try to try to memorize some of the media sanitation i really don't think that's going to be front and center according to the skills
231:00 - 231:30 measured but but worth having a look at as your time allows and let's talk about evidence storage so so when we think about evidence we need to retrain logs drive images snapshots data sets for for internal investigations or potentially uh you know external forensic investigations with law enforcement so protections for evidence storage include
231:30 - 232:00 locked cabinets or safes dedicated isolated storage facilities offline storage access restrictions and activity tracking and hash management and encryption at the end of the day chain of custody is important for evidence when it comes to legal proceedings we'll touch on this in a later domain but but when it comes to evidence yeah we're trying to to at the end of the day protect that uh chain of custody because the integrity of that evidence would be of paramount
232:00 - 232:30 concern audit trails and access logs very useful tools for managing physical access control because in part you know like like at a front desk right that if we use audit trailing if we use an access log to sign folks in that that helps it's a good deterrent control when we think about electronic uh audit trails for privileged operation so we may need to create access logs manually like by a security guard they can be automated with the right
232:30 - 233:00 equipment if you've got you know smart cards for example that folks used to log in you can also monitor entry points with with closed circuit tv that way we can compare the audit trail with the closed circuit tv to see if what the the the sign in log says happened actually happened if the sign in log says one person entered but but cctv footage shows two people entering then we have a divergence in um the recorded event
233:00 - 233:30 um you know why are these important well at the end of the day it's critical to reconstructing the events of an intrusion and a breach or an attack you know whether we're talking about physical audit trails and access logs to physical entry and exit to a building or or electronic logs you know related to to sign in and administrative activities in a computing system so the need for clean power so power supplied by electric companies isn't always consistent and clean meaning it's
233:30 - 234:00 not always at the same level and coming without spikes and and drop so we remember we talked about the six six impacts to electrical power so most of your equipment requires clean power in order to function properly and to potentially avoid damage um a ups uninterruptible power supply is a type of self-charging battery that can be used to supply consistent complete power consistent clean power to sensitive equipment um in the event of power failure so so number one if we have a problem with the
234:00 - 234:30 consistency of our power and we have to drop back to battery while it's it's repaired we can do that or if power drops altogether we can supply power for minutes or hours depending on the size of our ups and when organizations build data centers they look at a ups that can run their entire data center for a period of hours and then we look to generators to provide power for an extended period of time during recovery and that's what i have for domain three next on our agenda is domain four
234:30 - 235:00 communication and network security so let's take a look at the exam outline for domain four it starts with 4.1 implement secure design principles in network architectures 4.2 secure network components and 4.3 implement secure communication channels according to design and the content really belies the short outline here it's a fairly short list of objectives but quite a lot
235:00 - 235:30 of content around network network protocols and network security technologies here so let's take a look at what's new in domain 4 in the 2021 release of the exam so 4.1 on the syllabus is assess and implement secure design principles in network architectures so micro segmentation is is a topic here so this includes software-defined networks virtual extensible lans
235:30 - 236:00 software-defined wide area networks sd-wans they're called wireless networks will come up now satellite was mentioned at least briefly in the 2018 version of the exam i do want to touch on li-fi and zigbee uh that could come up on the new exam and then cellular networks i want to talk about 5g in particular and security concerns around 5g in particular you know how 5g uh relates back to legacy versions of cellular and then we'll touch on
236:00 - 236:30 content distribution networks or cdns so let's start with virtual extensible land or vxlan so so this is network virtualization that enables network segmentation at high scale specifically what this does is helps us solve a scale limitation in vlanding where we can only create 4096 vlans versus uh in in vxlan we can create millions of vx lands it's and and this is really
236:30 - 237:00 a tunneling protocol that encapsulates an ethernet frame a layer two frame in a udp packet and layer two can generally only be attacked from within uh you know max spoofing or flooding to cause denial of service such as by a rogue host the attack vectors are actually explained to some degree in rfc 7348 which is the rfc where the vxlan concept is described let's shift gears and talk about
237:00 - 237:30 software defined network so this is an architecture approach that enables a network to be intelligently and centrally controlled or programmed basically using software so it has the capacity to reprogram the data plane at any time so so use cases where we see sdn come into play are our sd lan and sd-wan so this is really separating the control plane from the data plane and it's going to open up a
237:30 - 238:00 number of potential security challenges so sdn vulnerabilities can include man-in-the-middle attacks and denial of service attack so we secure an sdn with with tls so encryption helps essentially sd-wan so one of the use cases for for the sdn concept that's a software-defined wide area network this enables users and branch offices to remotely connect to an enterprise's network but what it enables is the use
238:00 - 238:30 of a variety of network services from mpls to cellular to broadband to securely connect users to applications and security is largely based on on ip security vpn tunnels next-gen firewalls and and micro segmentation of of your application traffic but sd-wan uses a centralized control function for intelligent routing and there's a concept called secure access service edge or sas to decentralize connectivity
238:30 - 239:00 where necessary li-fi so light fidelity so li-fi is is a form of wireless networking that uses modulation of of light intensity to transmit data it uses led light essentially it can safely function in areas that are otherwise susceptible to to electromagnetic interference and theoretically li-fi can transmit at speeds of up to 100 gigabits or higher
239:00 - 239:30 so li-fi only requires working led lights that's a big advantage uh you know and and then you know the reality is visible light uh you know can't penetrate opaque walls so we can think of that as a negative for connectivity right because a wall is a barrier uh we might on the other hand think of that as positive in certain security scenarios because it means you know light doesn't penetrate opaque walls so if you're outside those walls
239:30 - 240:00 you're not a threat right you don't hear about li-fi much today so so i think it's still in development is a fair statement and and you know we may see lifi come into more widespread use down the road there's certainly some some scenarios where we're using light over traditional radio would would be a big advantage so let's talk for a moment about
240:00 - 240:30 zigbee which is a personal area network so this is a short range wireless pan developed to support automation machine to machine communication and and remote control and monitoring of iot devices it supports a centralized or distributed security model and mesh topology it does assume that symmetric keys that are used with the devices are transmitted securely that they're encrypted in transit
240:30 - 241:00 you know there's a pre-configuration of a new device in which a single key might be sent unprotected which can create a brief vulnerability so where do people use zigbee zigbee is in widespread use in iot smart home hub scenarios so an amazon echo for example alexa your personal assistants your amazon echo devices are are zigbee ready so we see zigbee and widespread use in
241:00 - 241:30 in the in smart home scenarios but you know that can carry over into commercial scenarios into business scenarios as well for for iot uh device monitoring and control another new concept for 2021 comes with the rise of fifth generation cellular so 5g so 5g brings faster speeds lower latency no longer identifying each device through a sim card
241:30 - 242:00 now there are some air interface threats like session hijacking that are dealt with in 5g now there are there's a standalone version of 5g in a non-standalone version and the the standalone version of 5g will be more secure than the non-standalone because the non-standalone version anchors the control signal signaling of the 5g network to the 4g core so you're relying on a legacy technology there essentially
242:00 - 242:30 so the diameter protocol which provides authentication authorization and accounting in in 5g will potentially be a an attack target and because 5g has to work alongside older tech 3g and 4g specifically old vulnerabilities could be targeted and because of the scale of endpoint counts on 5g being exponentially greater distributed denial of service can be a concern so some some carriers some cellular
242:30 - 243:00 carriers launched originally launched an nsa version of 5g which continues to rely on availability of that 4g core so that problem will go away in time so we'll close out domain four by talking about content delivery network so a content delivery network is a geographically distributed network of proxy servers and and the data centers they live in the goal of a cdn is fast and highly available content
243:00 - 243:30 delivery basically distributes the content out so it's closer to the user cdn networks that serve up javascript have been targeted to inject malicious content into pages for sure but vendor vendors in the cdn space typically offer ddos protection and web app firewalls a couple of common examples of content delivery networks would be for for video and audio streaming or for software download services where you need to move a lot of content to a user
243:30 - 244:00 quickly for a good user experience that's where a cdn can come in really handy because it caches that content out where it's closer to the end user now let's take a look at the rest of domain four for the exam you will be expected to be very familiar with the osi model so there are seven layers here going from physical up to the application layer at seven so the physical is typically considered layer one
244:00 - 244:30 application layer seven i have two memory devices here two acronyms you can use to easily remember these layers if you struggle so if we look at going up we have please do not throw sausage pizza away and you can actually go the other direction with all people seem to need data processing i actually like this one better because it's also relevant to the topic at hand so that tends to make a memory device better when it's when it's relevant but those are some acronyms you can use to lock this in you'll also be expected
244:30 - 245:00 to be familiar with the protocols and services that happen at each layer so just in case you don't know what these layers are i'm going to give you two charts that you can use to prepare your foundational knowledge for the exam so here's the osi model the seven layers starting with the physical layer up to layer seven which is the application layer and here are some protocol examples this will show you where the protocols live in the model and not every protocol
245:00 - 245:30 is terribly simple for example tls shows characteristics of layer four and five but but never mind that this is going to give you a foundation and in case you're unfamiliar here's the osi model by function starting with the physical layer layer one so the physical layer contains the device drivers that tell the protocol how to use the hardware for transmitting data data link is where packet formation happens the protocol data unit at the data link layer is the frame
245:30 - 246:00 at the network layer we're adding routing and addressing information source and destination addresses the protocol data unit at the network layer is the packet so if you hear any discussion of packet they're talking about the network layer the transport layer manages integrity of a connection and controlling the session so you'll have some protocols that will re-transmit lost packets they'll use tcp others will not worry about session and re-transmission those will
246:00 - 246:30 typically use udp at the session layer layer 5 we're establishing maintaining and terminating connection sessions between computers layer 6 is transforming data received from layer 7 from the application layer into a format that any system any protocol following the model can understand and layer 7 is about interfacing user applications services or the operating system with the protocol stack so that's a quick study it'll give you something to look at if you're not already
246:30 - 247:00 familiar with the osi model all right and common tcp udp ports uh this could well come up on the exam you want to be familiar with the common uh protocols and not only the port but whether it's it's tcp or udp noticing that some of these have functions on both tcp and udp so so session oriented and session less or connection oriented and connectionless
247:00 - 247:30 and you'll also be expected uh to be familiar with the the tcp stack versus the osi model so understanding where tcpip falls in relation to the osi reference model so here's here's an approximation of of where the tcp stack falls with osi you'll need to know this for the exam so commit that one to memory and tcp versus udp this is layer 4 this is the
247:30 - 248:00 transport layer and we're going to just break these out you know so how is tcp different from udp so tcp first and foremost is connection oriented where udp is connection less tcp functions on a byte stream so so it's it's transmitting uh at at a byte level which allows it for for re-transmission if there are problems or edp is message stream so it's it's happening at
248:00 - 248:30 a different level and you might ask well why is that important well there are some conversations where getting every bite from from source to destination is very important and getting those bytes properly ordered there are other situations such as video streaming where there's no point in trying to re-transmit right with with video it's it's all about just streaming uh the current video as it's playing so so each of these has its place so udp
248:30 - 249:00 will support multicasting and broadcasting where tcp does not tcp supports full duplex transmission and you may ask what is full duplex exactly well it's simultaneously bi-directional so so both source and destination can can each transmit in both directions simultaneously where with udp we don't have that that full duplex support and if you can think about it in the context of like video streaming for example there's not not
249:00 - 249:30 need for bi-directional right you're streaming from source to destination all right so going down the list reliable service of data transmission so so unreliable doesn't necessarily mean bad but reliable means that we have we have air checking there right there is a connection oriented process that make sure that what's sent by the source is received by the destination essentially a tcp packet is called the segment and the udp packet
249:30 - 250:00 is called a datagram so if you have a question that mentions a segment you'll always know they're talking about tcp and if it's uh if a datagram is mentioned you always know they're talking about udp then finally you know as i mentioned you know tcp provides error detection and flow control so so that that's part of that connection oriented nature of tcp so it's all about it's all about function as to which makes the most sense right so when we're thinking about real time streaming for example you know
250:00 - 250:30 udp makes perfect sense uh versus tcp because we don't have the need to ever re-transmit when it's all about live content so cabling types and throughput not the most exciting topic uh i'll i'll grant you but could well come up on the exam you want to be familiar with the the max length the cable type um which is which is going to be unshielded twisted pair so but you want you want to be familiar
250:30 - 251:00 with the cable types the cat5 through cat6 are the most common generally speaking you could get questions outside that but those are going to be the most common nowadays so so udp equals unshielded twisted pair lock that in in the back of your mind here are the cabling types for 10 base 2 through fiber optic some of these are definitely not entirely common but could well come up on the exam so you want to make sure that you are familiar
251:00 - 251:30 and let's talk through the standard network topologies there's a core four they're going to test you on there's mesh there's ring there's bus and star so let's talk about the nature of each of these and how you identify so starting with the the star network this employs a centralized connection device it oftentimes it's just a hub or a switch but central is the key word here it's centralized mesh means we have all systems
251:30 - 252:00 connecting to all other systems using multiple paths a partial meth partial mesh could connect many systems to many other systems but not necessarily all but a mesh provides redundant connections that's the real advantage here it allows for multiple segment failures without affecting end-to-end connectivity so i could have two or three or four paths go down here and still be able to connect between all of these systems using alternate paths so that's that's
252:00 - 252:30 the big value prop of of mesh ring network connects to each system as a point on a circle the connection medium acts as a unidirectional transmission loop meaning we're going one one direction but only one one system can transmit data at a time so that's a key here only one system can transmit data which means we are avoiding collisions because traffic management is performed by a token and only the system with the
252:30 - 253:00 token can transmit so uh token ring networks are ring based so so really since we're using that token this is collision avoidance we'd call it and finally bus so this connects each system to a trunk or a network backbone cable all the systems on the bus can transmit data simultaneously which means we can have collisions so collisions will not be avoided here a collision occurs any time two systems transmit data at the same time and the
253:00 - 253:30 signals interfere with each other so we have to have some sort of collision detection built into the process so ethernet happens to be a bus uh let's talk about analog versus digital for just a moment so analog is a continuous signal that varies in frequency amplitude phase voltage and so on um it produces a wave shape where where digital are going to be zeros and ones
253:30 - 254:00 analog is a a wave shape so so less precise to be sure and you know in analog that communication can become corrupted because of of attenuation over long distances so attenuation essentially means a reduction in the amplitude of the signal you'll see that word attenuation i just wanted to call that out in case it's not familiar to you and over long distances in the analog world you can expect uh reduction in signal over distance now
254:00 - 254:30 let's juxtapose that or compare that to digital where communications occur through uh an electrical signal and a state change just on off pulses so think zeros and ones it's going to be more reliable than analog over long distances because we don't have that attenuation problem because we're dealing with zeros and ones it's off or it's on it uses current voltage where voltage represents uh voltage on is one and voltage off is is zero but it's it's all about uh electricity at that point and these
254:30 - 255:00 these on off pulses create a stream of binary data that eliminates that that attenuation problem over long distances so synchronous versus asynchronous so so some communications are synchronized with some sort of clock or timing activity so so synchronous rely on on timing or a clock mechanism based on either an independent clock or a time stamp that's embedded in the data stream but there's some sort of timing mechanism as the key here and they're
255:00 - 255:30 typically able to support very high rates of data transfer a good example of this is networking asynchronous relies on a stop and start delimiter bit to manage the transmission of data it's best suited for smaller amounts of data a good example of this would be public switched telephone network pstn you know modems so know that for the exam now let's talk base band versus broadband so baseband can support only a
255:30 - 256:00 single communication channel it uses direct current to the cable the higher level represents the binary one the lower is the binary zero so it's digital right so immediately when you see binary one and zero you know we're talking digital okay good example here is ethernet is going to be baseband communication broadband can support multiple simultaneous signals it uses frequency modulation to support numerous channels
256:00 - 256:30 and each supporting a distinct communication session it's suitable for high throughput rates especially when you you multiplex this is a form of analog signal so base band is digital broadband is analog a good example of uh broadband is a cable modem or isdn or dsl so so your internet connectivity providers that you'd see from from home let's talk broadcast multicast and unicast which determine how many destinations
256:30 - 257:00 a single transmission can reach so broadcast supports communication to all possible recipients and you'll see this in tcp communication a broadcast will go out to all possible recipients you have multicast which can support communications to multiple specific recipients when i think of multicast i think of honestly i think of of windows operating system deployments where you'll see multicast to uh to deploy to uh to multiple
257:00 - 257:30 computer endpoints at once so so multicast in the network world means supporting communication to multiple but not all and then unicast would mean a single communication to a specific recipient so unicast is one multicast as many broadcast is all all right now we're going to talk carrier sense multiple access csma so so
257:30 - 258:00 these are technologies this is technology built into to networking to uh to determine how network tech deals with collisions so it's really developed to decrease the chance of collisions when two or more stations start sending their signals over over layer two over the data link layer uh basically it requires that each station check the state of the medium so that's just carrier sense mult multiple access it's going to require each station first check the state of the medium before
258:00 - 258:30 sending and that'll reduce collisions you have a couple of flavors of csma i'm going to call it csma just to to shorten this up but we're working at the data link layer so lock that in so csma variations and collisions so so csma reduces the chance csmaca is collision avoidance this attempts to avoid collisions by granting uh only a single permission to communicate at any given time so when we
258:30 - 259:00 talked about ring networks and a token for example that's csma ca that's collision avoidance and then there is csma cd which is collision detection so this responds to collisions by having each member of the collision domain wait for a short but random period of time before starting over so ethernet has to detect and deal with collisions where where token ring avoids collisions so
259:00 - 259:30 remember these three as they could you know definitely come up on the exam these are called out in uh the official study guide so just to lay these out i want to lay out csma cd and ca so collision detection and collision avoidance so detection is effective after a collision where uh ca collision avoidance is effective before a collision so make make sure you're familiar with these uh you know i use ethernet as an
259:30 - 260:00 example of of collision detection and token ring as an example of collision avoidance but uh you want to you'll definitely want to be sure of these and you'll notice there that csma on line five that cd is used in the 802.3 standard where ca is used in the 802 11 standard all right let's talk token passing and polling so token passing performs communications using a digital token and once the
260:00 - 260:30 transmission is complete it re releases the token to the next system that wants to communicate and polling performs communications using a master slave configuration by the current description and the primary system pulls each secondary in turn whether they have a need to transmit data so so token passing is going to prevent collisions and ring networks polling is used by sdlc okay let me be crystal clear here so s d
260:30 - 261:00 l c does not mean software development life cycle this means synchronous data link control this is actually a protocol it's a layer two protocol used by ibm systems network architecture so so sdlc is synchronous data link control that's where polling happens so so don't confuse this with software development lifecycle uh all right so moving on so let's talk the what why and how of network segmentation so a common network segmentation strategy is an intranet
261:00 - 261:30 where we have a private network designed to host information that might be available via the internet but we're whittling this down to a specific audience we have an extranet which is really kind of a hybrid of internet and extranet in that it's a network that's sectioned off to act as an intranet for a private network but it also serves information to the public internet so we really see commonly see this in b2b scenarios where maybe we have some business partners who need to access
261:30 - 262:00 this information externally so an extranet i typically see stood up as a way to collaborate with specific business partners rather than just the internet as a whole per se and then we have uh what's commonly referred to as a demilitarized zone it's an extranet for public consumption sometimes called a dmz or a perimeter network we're going to use network segmentation certainly to control traffic and isolate static or sensitive environments so this
262:00 - 262:30 this can give us a few benefits it can boost performance simply by removing access for for unnecessary systems we can eliminate communication problems because we're providing a dedicated environment a clear path a clear set of rules of the road for access uh and authentication and then providing you know a layer of security certainly isolating traffic and user access is going to raise the bar in terms of our our security profile
262:30 - 263:00 so let's talk bluetooth so bluetooth is defined in the ieee 80215 standard sometimes called a personal area network often associated with wireless devices it's how we connect headsets to our cell phones mice and keyboards to our computers and at a host of other devices all the way down to things like a raspberry pi connections are set up using pairing where the primary device is going to scan the the 2.4 gigahertz radio frequency
263:00 - 263:30 for available devices often you'll see a four-digit pairing code provided which which avoids accidental pairings it's not really considered security but it certainly prevents accidents you may be tasked on your knowledge of mobile system attacks so the attacks that would come against your mobile devices so so blue jacking for example is one version of that which is uh basically where more of an annoyance than anything it's where a prankster pushes unsolicited messages to engage or
263:30 - 264:00 annoy nearby users now blue snarfing on the other hand is focused on data theft this is where thieves wirelessly connect to some early bluetooth enabled mobile devices without the owner's knowledge and then there's blue bugging which is an attack that grants hackers remote control over the feature and functions of a bluetooth device so to differentiate these focus on for blue jacking unsolicited messages for
264:00 - 264:30 blue snarfing since it's data theft it's wirelessly connecting and then for blue bugging it's it's remote control over the feature and function of a device so that's how you can differentiate the three just to lock those in your memory so here's the table of wireless technologies so these are your wireless standards and their connection speeds so the 802.11 standard also defines wep so web stands for wired equivalent privacy it was an early form of wireless
264:30 - 265:00 network security don't really see it around much anymore so ssid broadcast so wireless networks are traditionally going to announce their their ssid on a regular basis with a beacon frame when the ssid is broadcast any device with automatic detect and connect can can try to connect to that network hiding the ssid is is considered security through obscurity so folks will
265:00 - 265:30 certainly do it it's going to be detectable through client traffic i could actually sniff traffic on the network and find the ssid in connected devices or in the traffic of those connected devices ssid is the common reference if it's spelled out just just so you have it available to you ssid stands for service set identifier tkip so this is temporal key integrity protocol so this was designed as a replacement
265:30 - 266:00 for for wep without the need to replace the legacy hardware it was implemented in 802.11 wireless networking under the name wpa which is wi-fi protected access so that's kind of the second generation of wireless security and then there is ccm p which is counter mode with cipher block chaining message authentication code protocol say that three times fast
266:00 - 266:30 uh so this was created to replace wep and wpa so this was replacing the original you know gen 1 the wired equivalent privacy and the wi-fi protected access it uses advanced encryption standard it's 128-bit key this is an active supported encryption algorithm this is this is modern wireless security so it was used with wpa2 which replaced both both wep and wpa so
266:30 - 267:00 think wpa2 as your current sort of standard around wireless security so wpa2 this is your new encryption scheme that's the counter mode with cipher block chaining message authentication code protocol and it's based on the aes encryption scheme so this is your current day modern wireless so let's talk uh fiber channel and fiber channel over ethernet the fiber channel is is actually a form of network data storage
267:00 - 267:30 so this is this is accessing storage over your physical network capable of very high speed file transfer so this uses fiber channel cabling to connect the uh the storage typically to a fiber channel switch and then fiber channel over ethernet is used to encapsulate fiber channel over ethernet network so a lot of times your fiber fiber channel is going to have a dedicated network but you can actually run fiber channel over ethernet so just
267:30 - 268:00 just understand these are storage using a network medium and fiber channel over ethernet is going to encapsulate fiber channel over your your ethernet networks iscsi so iscsi is a network storage standard based on ip so this is typically running over your your ethernet and that and that's really the difference between iscsi and and fiber channel other than the physical medium
268:00 - 268:30 right the fiber channel is is going to be very very high very high speed i mean iscsi is going to be high speed by the fact that it's running over a network but iscsi is typically using your uh your ethernet storage more commonly using your ethernet storage uh site survey so this is the process of investigating your wireless reception if i'm going to put it in plain english so this is looking for the presence the strength and the reach of your wireless access points in an environment you know the goal of a
268:30 - 269:00 survey is to basically uh identify if your service is adequate and and how it can be strengthened it usually involves walking around with some sort of portable wireless device taking note of signal strength in different locations on the site and basically mapping signal strength typically marking the information on a plot or a schematic a floor plan of of the building so now let's talk eat peep and leap so the first is extensible authentication
269:00 - 269:30 protocol this is actually an authentication framework more than a specific protocol and what it allows for is new authentication technologies to be introduced that are compatible with existing wireless or point-to-point connection technology so this is bringing new authentication capabilities to existing hardware now peep the second in our list here is a protected version of of peep so it's protection protected extensible authentication protocol peep it in encapsulates
269:30 - 270:00 that extensible authentication protocol within a tls tunnel typically so it provides authentication and and encryption essentially and then leap the third is a cisco proprietary alternative that was actually developed to replace wpa so wi-fi protected access and and that that was created before the wpa2 standard was was ratified so leap of cisco proprietary peep encapsulates
270:00 - 270:30 eep and extensible authentication protocol is your base authentication framework that brought compatibility for existing device the existing hardware with new authentication capabilities so let's talk mac filtering for a second so mac filtering essentially uses a list of authorized wireless client interfaces by allowing us to list their mac addresses their layer 2 addresses in a list usually within the devices and it's used
270:30 - 271:00 by a wireless access point to block non-authorized devices if they're not on the list they can't join the network even if they have the ssid even if we're advertising the ssid and the device tries to auto connect now captive portal in the wireless sense basically redirects wireless web clients to a portal access control page so captive portals in this context is specifically talking about wireless you see this frequently at hotels where you have a
271:00 - 271:30 hoteling uh mechanism in place which is another story altogether but you'll see that captive portal where the the wireless client is then redirected to to a portal to log in with an account or you know agree to terms etc so let's talk about antenna types these may come up on the exam and you have a few different types and i think the main thing is to understand which are uh omnidirectional and which are are more specifically directional so a loop
271:30 - 272:00 antenna for example uh is omnidirectional if you lay it horizontally because it's going to pick up signals from all directions now if it's vertical like you see in the picture there then it's going to work in a specific space so so it could be laid either way to to provide the the signal that you need but it's omnidirectional you know from the edge of that wire but if you lay it if you lay it horizontally it's going to give you
272:00 - 272:30 um omni-directional support across uh a surface monopole so this is an omnidirectional antenna that can send and receive signals in all directions perpendicular to the line of the antenna itself then we have dipole which is essentially uh you know two monopoles it's omnidirectional but it's it's two monopoles together so it can generate powerful signal in a restricted space essentially
272:30 - 273:00 a panel antenna so this is a flat device that's going to focus from only one side of the panel so the the panel that faces away from the pole here so you'll you'll typically see these mounted uh you know up against a wall a lot of times because it's going to provide support in one direction but the key with panel is to understand it focuses from one side a parabolic antenna is going to be very directional it's used to focus signals from very long distances or weak sources you have
273:00 - 273:30 to point a parabolic antenna at the the the source you're trying to amplify essentially so or the destination you're trying to provide service to so uh parabolic antennas are very directional and you know the dish can can catch and receive signals but it's going to be very directional much like satellite television you know a a satellite dish where television has to be focused has to be pointed in the direction of the satellites for which it's receiving broadcast
273:30 - 274:00 uh and then we have a yagi uh which is which is basically these little um bars that are crafted from a straight bar with with these cross sections to catch specific radio frequencies in the direct in the direction of the main bar so that the crossbars are catching radio frequencies from the direction of the main bar i don't expect you're going to see a lot of coverage here but i wanted to at least cover some of the basics because they are called out in the official
274:00 - 274:30 exam study guide that they could show up and then finally there's the cantana which is highly directional so this is this is going to focus signal along the direction of the open end of the tube and if that looks like the popular potato chip can that you'll see in the u.s that's because it's very much that shape in fact you'll find recipes out on the internet for making a cantana from a pringles can is the the type of potato chip i'm talking about
274:30 - 275:00 okay other network devices we have firewalls uh which are essential in managing and controlling network traffic at the perimeter right we use we use a firewall often times to filter inbound and outbound traffic at our parameter blocking unauthorized or malicious traffic at the perimeter we have a switch which repeats traffic only out of the port on which the destination is known to exist so so unlike a hub which is going to transmit on all ports
275:00 - 275:30 the switch is going to be port specific based on layer 2 technology typically it's looking for that mac address sometimes you'll find what's called a layer three switch which is kind of a hybrid device that performs that layer two functionality of a switch but has some routing capability because routing is happening at layer three but think of switches as being layer two unless it's called out as a layer three switch routers are used to control uh flow on networks and are actually
275:30 - 276:00 used to connect similar networks and control traffic between the two it's how we separate collision domain we can separate collision domains and segment traffic so we can separate subnets and then route between those subnets using a router so a router is is happening it's operating on layer 3. with with ip then we have gateways which connect networks that are using sometimes different network protocols these are sometimes called protocol translators they can be
276:00 - 276:30 standalone hardware or we can even see them as a software service so so an example of that would be in in windows for a long time uh when when novell networking was still common you could set up a gateway a protocol gateway on a server in software that would basically connect a no a novell network to a tcp ip network um so these gateways are typically working at layer 3 because they're they're handling a routing capability of sorts connecting
276:30 - 277:00 different protocols so they can communicate repeaters concentrators amplifiers these are you know used to strengthen signals over a cable segment or connect but they're connecting networks that use the same protocol these are typically operating at layer one this is this is a physical the physical layer in the osi model and and if you didn't pick up on that all the layers i'm calling out here layer one layer three uh you know these are these are layer
277:00 - 277:30 two these correspond to the osi model which is seven layers so make sure you know osi right uh bridges these are used to connect two networks uh they operate at layer two these are connecting network segments that use the same same protocols top you know cabling types etc then you have hubs which were used to connect multiple computer systems on honestly you'll see hubs used in in a home but seldom in a business anymore it's a multi-port repeater so the signal gets
277:30 - 278:00 broadcast everywhere unlike the switch remember the switch is going to send the traffic only to the destination to the port on the switch where the the recipient is known to exist your hubs are going to operate at layer one then we have lan extenders which are a remote access multi-layer switch used to connect distant networks over wan link so you're essentially connecting two lands creating a wan
278:00 - 278:30 so wan connections and communication links can include two there are two major types there's private circuit and there's packet switching so you may be tasked to know the difference between the two and to know some examples of each on the exam so private circuit use dedicated physical circuits that's going to be good for security it's going to be more expensive though so private circuits would include dedicated or lease line point-to-point
278:30 - 279:00 uh slip isdn or dsl those last two you'll recognize uh from the world of of internet connectivity and in you know home and business of all sorts but dedicated physical circuits is the key with private circuit make sure you try to lock some of these examples in your mind and then the other option is is packet switching which uses virtual circuits which are going to be efficient and they're going to be cost effective because we're not using dedicated physical circuits which means
279:00 - 279:30 our infrastructure costs are going to be less a few examples of packet switching technologies would include x25 frame relay atm sdlc which we mentioned a bit earlier synchronous data link control or hdlc moving on to firewalls so we'll start with some broad types of firewalls so we have static packet filtering firewalls that filter traffic by examining data from the message header rather than the
279:30 - 280:00 payload these operate at layer 3 and up on the osi model then we have the application level firewall that filters based on a service a protocol or an application as you might guess this operates at layer 7 the application layer of the osi model then we have circuit level firewalls that operate at the session layer layer five and these are used to establish communication sessions between trusted partners often socks is an example of a circuit level firewall
280:00 - 280:30 so i wanted to call it out here sometimes we see that stateful option simply called a stateful inspection firewall but just to juxtapose to the deep packet inspection firewall which filters by looking at the payload contents so that's the difference between a stateful firewall and deep packet inspection because we're moving from the header into the payload so then there are stateless firewalls these watch network traffic and they
280:30 - 281:00 restrict or block based on static values source and destination addresses and ports they're not aware of traffic patterns or data flows or session information these are typically faster and perform better under heavier load frankly because they're doing a bit less work they're examining less when they're not paying attention to those session details or paying attention to packet contents or application values there's a lot less to do
281:00 - 281:30 and then there are stateful firewalls and these can watch traffic streams from end to end they are aware of communication paths and they can implement various ip security functions like tunnels and encryption they're better at identifying unauthorized and forged communications and now let's get a bit more specific so i call these modern firewalls there's the web application firewall often
281:30 - 282:00 abbreviated the waff so this protects web applications by filtering and monitoring http traffic or https traffic if we think about it between a web application and the internet it typically protects against common attacks like cross-site scripting cross-site request forgery and sql injection these are the o-wasp top 10 type attacks and some of these waf options come pre-configured with owasp rule sets which makes them very easy to
282:00 - 282:30 configure then we have what we call next generation firewall sometimes abbreviated ngfw this is a deep packet inspection firewall which tells us it's looking at packet contents it's looking at the payload so it moves beyond port protocol inspection for blocking it adds application level inspection intrusion prevention and brings intelligence typically from outside the firewall you'll see these next-gen firewalls often leveraging threat intelligence feeds which feed it
282:30 - 283:00 information in near real time often about the potential threat actors out there on the internet or about emerging threats so deep packet inspection just to touch on this again this is a firewall that inspects and filters both based on header and payload that's the key i just want you to lock in your mind it can detect protocol non-compliance spam viruses intrusions and then there's
283:00 - 283:30 the utm or unified threat management firewall this is a multi-function device it's composed of several security features in addition to a firewall those features will vary by vendor and implementation they might include intrusion detention or prevention a tls or ssl proxy web filtering quality of service bandwidth throttling nat vpn antivirus because you have so many functions in there
283:30 - 284:00 that's not going to scale as well right because you're doing a lot of work so we for that reason we see this utm option more commonly in small and medium businesses where they need that all-in-one device then there's the nat or network address translation gateway so this allows private subnets to communicate with other cloud services and the internet but it hides the internal network from internet users the nat gateway has the network address
284:00 - 284:30 control list for private subnets you'll typically see this used for users browsing the internet we'll hide our users behind that nat gateway so external entities don't have a path directly back to that end user by ip address or anything else next we have the content or url filter which is going to look at the content on the requested web page and block the request depending on filters
284:30 - 285:00 so it's used to block inappropriate content in the context of the situation so what is inappropriate in a school setting for example with students might be somewhat different from what is inappropriate in a work environment with adults but the content filter is associated with deep packet inspection and just to mention briefly you have open source firewalls out there where the license is freely available and it allows access to the source code though it might ask for an optional donation
285:00 - 285:30 there's no vendor support with open source firewall so you might have to pay a third party to support that in a production environment i don't know that you're going to see this i wanted to call this out because just to make sure you're situationally aware of the uh the consequences of open source and then proprietary firewalls are more expensive but they tend to provide more and or better protection and more functionality and also support at a cost and many vendors operate in this space
285:30 - 286:00 including cisco checkpoint palo alto barracuda but they don't offer you source code access it's proprietary right that's their secret sauce that they're selling you it's a commercial firewall option and then another angle to think about your firewalls from is hardware versus software so a hardware firewall is a piece of purpose-built network hardware it may offer more configurable support for lan and lan connections it often has
286:00 - 286:30 superior throughput versus software because it is hardware designed for the speeds and connections common in an enterprise network then we have the software-based firewall that you might install on your own hardware like a server so this has the advantage of giving you the flexibility to place firewalls anywhere you'd like in your organization you know that can be a server it can be a workstation anywhere you have a host you can put a host-based firewall they're more vulnerable in some aspects
286:30 - 287:00 due to attack vectors for example if i have a software firewall on windows if i can compromise a host i can flip a switch in the windows registry i can disable a service and potentially turn that firewall off which is something that will be much more difficult to do on a purpose-built piece of hardware and then let's talk about the difference between application host-based and virtual firewalls so application based firewalls typically
287:00 - 287:30 cater specifically to application level communications this is often http or web traffic an example is that next generation firewall i mentioned we have the host based firewall which is an application installed on the host os so that's a software firewall and you'll see these for windows and linux both client and server operating systems typically then there's the virtual service so in the cloud firewalls are often implemented as
287:30 - 288:00 virtual network appliances or a virtual service that's transparent in terms of the underlying infrastructure and these are available both from the cloud service provider directly and often third-party partners so by csp i mean microsoft amazon google and then third-party partners like your ciscos and palo altos will often have their own flavor that they offer for those cloud platforms now let's switch gears and talk about intrusion detection and prevention ids
288:00 - 288:30 and ips so intrusion detection systems analyze whole packets both header and payload looking for known events and when a known event is detected a log message is going to be generated intrusion prevention or ips on the other hand analyzes whole packets both header and payload looking for known events but when a known event is detected the packet is rejected so ids reports and or optionally alerts maybe an email alert or an alert on a
288:30 - 289:00 dashboard ips takes action that's the key differentiator you want to remember for ids and ips so let's talk types of ids systems you have behavior based which creates a baseline of activity to identify normal behavior and then measure system performance against that baseline to detect abnormal behavior then we have knowledge based so knowledge based ids uses signatures similar to the signature definitions
289:00 - 289:30 you'd see in an anti-malware antivirus system so the difference here is behavior based can detect previously unknown attack methods where knowledge based are only effective against known attack methods so knowledge base are going to be much less effective today they're at a significant disadvantage and both your host-based and network-based intrusion detection systems can be knowledge-based behavior-based or a combination of both of these
289:30 - 290:00 so let's talk about the difference between host based and based so so what you're seeing here is intrusion detection and intrusion prevention the same definitions we saw earlier so what makes host-based ids and ips is that is it is installed in some form of software often on a server and network based as you can probably guess is at the network level often in hardware form it's a purpose-built appliance quite
290:00 - 290:30 typically i want to unpack a couple of aspects of network-based ids and ips so the modes of operation so there's in-line mode or also known as in-band this is where we place that device on or near the firewall as an additional layer of security so that function might be a switch we can flip on a hardware firewall or it might be that we place that device you know in line near that firewall then there's passive mode or what we
290:30 - 291:00 call out-of-band and this is where the traffic does not go through the the network-based intrusion appliance it basically uses sensors and collectors to forward alerts over to that system and there are advantages to both systems but with those sensors and collectors uh you'll typically see that those can be placed on a network and and they're detecting changes in traffic patterns but one of the interesting scenarios there is you can
291:00 - 291:30 place a sensor on the internet side of the network it can scan all the traffic from the internet i'd be worried about running all of my internet traffic through an inline configuration because that's going to need to be some pretty beefy hardware if it's doing heavy scanning i want to try to limit what i'm doing and these sensors allow us to to place sensors wherever makes sense in our network segments to look for changes in normal traffic patterns
291:30 - 292:00 so secure network design may come up on the exam and i want to dial you into a few details that may help you better select the right answer on the cissp exam so we'll start with a bastion host which is a computer appliance that's exposed on the internet it's been hardened by removing unnecessary elements you know no no services programs protocols reports are are running that don't need to be running right it's running the bare necessities we have a screened host which is a
292:00 - 292:30 firewall protected system logically positioned just inside a private network this is going to be the most secure option so if you see bastion host versus screened host the screened host is going to be the most secure option now a screen subnet is really similar to a screen host in concept except the an entire subnet is placed between two routers or firewall and the bastion host would be located within that subnet so it's kind of a hybrid thereof
292:30 - 293:00 you should also be familiar with for the exam a proxy server which functions on behalf of a client requesting a service and it's going to mask the true origin of the request of the service typically so that proxy server proxies the request and appears as the endpoint making the request a proxy server is commonly used for internet browsing in an enterprise environment so if you're on a corporate computer browsing the internet there is likely a proxy server there that's masking your request and a lot of
293:00 - 293:30 times caching content to improve performance so let's talk about a honeypot this is a term many you're familiar with i'm not sure everyone understands the nuance of of the the purpose of a honeypot so certainly a honeypot is intended to lure bad people into doing bad things so we can watch them but it's really intended only to entice not to entrap uh you're not allowed to let them you know let the the attacker download items with enticement we're just diverting
293:30 - 294:00 their attention so for example allowing download of a fake payroll file that would be entrapment why that's important is if you're entrapping someone when you bring law enforcement into the situation you're going to be unlikely to get positive results because in trap you've entrapped them you you've encouraged them to do this bad thing and enabled it by putting a file out there they could download so so know the difference between enticing and entrapping and essentially it means we're diverting their attention but we're not letting them download items
294:00 - 294:30 that would lead them to that crime right remember this difference though for the exam um the goal with a honey pot is to distract from real assets and isolate in a padded cell essentially until you can track them down and figure out who that malicious actor is and block their ip address on their firewall or whatever you know responsive action you're going to take but but remember it it's distract not not in trap there's a variation of the honey pot called a honey net which is an entire
294:30 - 295:00 network set up for the same purpose so common network attacks this may come up on the exam you're going to need to be familiar with with common network attacks we'll start with teardrop which is a to denial of service attack that involves sending fragmented packet to a targeted machine so fragmented packets is going to be the key a fraggle attack is another denial of service that involves sending a large amount of spoofed udp traffic to a router's
295:00 - 295:30 broadcast address within a network it's actually similar to another attack called a smurf attack which uses spoofed icmp traffic so so the teardrop is fragmented packets fraggle attack is spoofed udp traffic and the smurf attack is spoofed icmp traffic then finally we have the land attack which is a layer for denial of service in which the the attacker sets the source and destination information
295:30 - 296:00 in the tcp segment to be the same value so vulnerable machine in this case is going to crash or freeze you know processing a packet repeatedly because it has the same source and destination so what you'll notice about all these are all denial of service attacks right continuing down this road we have a sin flood in which an attacker sends a succession of sin requests that's that's the first step in the tcp handshake uh but it'll send a send request to a target system in attempt to consume enough uh
296:00 - 296:30 resources to make the system unresponsive to legitimate traffic it keeps getting new uh connection requests and then the handshake never completes and it eventually overwhelms the system then we have the ping of death which involves sending an oversized ping packet so basically it goes over the 65 536 byte limit so notice those are all uh denial of service text all five do know
296:30 - 297:00 the tcp three-way handshake the process used in tcp ic tcp to make a connection between a server and a client so basically it's three steps it's the uh the syn synack ack but the common element you see with the network attacks is there's a lot of playing around a lot of manipulation with packets and network protocols and that's it for domain four
297:00 - 297:30 next up is domain five identity and access management let's take a look at the official exam outline and at the end we'll touch on what's really new in domain 5 and the 2021 release of the exam the 5.1 is control physical and logical access to assets 5.2 manage identification and authentication of people devices and services 5.3 federate identity with a third party service so this is talking about the
297:30 - 298:00 federated identity model been around a long time implement and manage authorization mechanisms so we're talking about authentication and authorization or off in and off z as you'll sometimes hear them referred to not surprising giving the title of this domain 5.5 manage the identity and access provisioning life cycle and finally implement authentication systems so in the 2021 release we see that 5.1 through 5.5 are almost word for word
298:00 - 298:30 exactly as they were in the 2018 release a couple of minor language changes of no real consequence the 5.6 was the net new objective at the top level but when we unpack what's beneath 5.6 we see a lot of content that was here in the 2018 release open id connect and open authorization security assertion markup language or saml kerberos radius
298:30 - 299:00 tacacs terminal access controller access control system plus this was all here in the 2018 release but when we see a new sub domain and we see existing topics under there the hint that gives us is there might be greater focus brought to these topics so we do want to be aware of that make sure we're familiar with everything we see beneath i'm going to add certificate authentication here as well it's not explicitly called out but based on what i see across the domains it's going to be
299:00 - 299:30 important that you understand certificate authentication i'm going to touch on it here as though it's an explicit new topic i'll start by taking a look at some of these topics that are either net new or potentially elevated in their focus in domain five so we have certificate based authentication so digital certificates can be used as an authentication technique for users services or device identities and certificates used in this process are very similar to those that you'd use
299:30 - 300:00 to secure websites their x.509 certificates they have both a public and private key and the certificates are usually issued by a certification authority in a public key infrastructure now whether you're issuing these certificates from your own pki or you're purchasing these from a third party often comes down to whether or not these are going to be publicly facing because if you have a website for example facing the internet you'll usually use a certificate from a trusted provider like a digicert
300:00 - 300:30 now for the exam make sure that when you watch domain three you take a look at the key exchange process described in the asymmetric cryptography section understanding the basics of asymmetric symmetric and how they're used is going to be fairly important we have what we call the aaa protocols they provide centralized authentication authorization and accounting services
300:30 - 301:00 we have a network access server which is a client to a radius server and the radius server provides those authentication authorization and accounting services so we have radius which uses udp and encrypts the password only this is very common in remote access systems we have tacacs which uses tcp and encrypts the entire session very common in admin access to network devices we see this in the cisco world and then diameter
301:00 - 301:30 which is based on radius and improves many of the weaknesses of radius but diameter is not compatible with radius we actually see diameter in the 4g world but radius uses udp and encrypts password only tacx tcp and encrypts the entire session and you have the use cases there in case something pops up but network access or remote access systems use aaa protocol very commonly kerberos on the exam i felt a bit of
301:30 - 302:00 elevated focus so the primary purpose of kerberos is authentication as it allows users to prove their identity it's the authentication protocol we see primarily in active directory in the microsoft world very common in the enterprise on-prem in hybrid identity models it also provides a measure of confidentiality and integrity using symmetric key encryption but these are not its primary purpose it
302:00 - 302:30 doesn't include logging capability so it doesn't provide accountability we'll talk about attacks and counter measures in other domains and and a bit at the end of this domain but common kerberos attacks include replay pass the ticket golden ticket and kerber roasting in terms of attacks if you hear or see pass the hash on the exam that's referring to the ntlm protocol which is your legacy authentication protocol in the microsoft world and then pass the ticket would
302:30 - 303:00 refer to kerberos so also important will be a couple of policies so there's need to know the principle ensures that subjects are granted access to only what they need to know for their work tasks and job functions so subjects with clearance to access is only granted if they actually need it to perform a job the principle of least privilege ensures that subjects are granted only the
303:00 - 303:30 privileges they need to perform their work tasks and job functions this is sometimes lumped together with need to know the only difference is that least privilege will also include rights to take action on a system but only the rights that are necessary providing the least privilege required in order to complete the job and then separation of duties and responsibilities ensures that sensitive functions are split into tasks performed by two or more employees this helps prevent fraud and errors by creating a
303:30 - 304:00 system of checks and balances we'll touch on these in other domains and videos in this series but i wanted to touch on them here as they're relevant in domain five but know these three principles for sure for the exam then i saw in the content what they call modern approaches to least privilege or more granular approaches to leach least privilege so we have just in time access which allows temporary elevation of privilege usually time limited as it's needed revoking privilege at the
304:00 - 304:30 end of the allowed window so we see this in privileged identity management or privileged access management it's sometimes called and it's sometimes implemented through ephemeral accounts or a broker and remove access strategy so where i've seen this most commonly the user can request elevation it may go through an approval process and then they are elevated for a limited period of time usually counted in single digit hours
304:30 - 305:00 that does it for what's new or elevated let's dive into domain five and we'll start by defining identification so this is where a subject claims an identity typically by providing their username and then authentication is where the subject proves their identity typically by providing credentials like a password or in the case of multi-factor authentication providing a password and then something more depending on the system we're working with
305:00 - 305:30 authorization and accountability so authorization comes after authentication where a system will authorize access based on that proven identity then accountability are the auditing logs and trails that record events related to that identity that is performing action so it gives us that historical record so authorization comes after authentication and accountability provides evidence should we need it later on
305:30 - 306:00 but identification plus authentication plus auditing equals accountability so we don't have accountability without identification authentication and that auditing trail so primary authentication factors we talked about multi-factor authentication in a previous domain it comes up here in the form of primary authentication factors you should recognize these principles something you know like a pin or a password something you have like a trusted device
306:00 - 306:30 and then something you are like a fingerprint or a retinal scan retina scan so multi-factor authentication leverages those components which means we're providing two or more authentication factors this is going to be more secure than a single authentication factor for sure now do remember that passwords are considered the weakest form of authentication however password policies can help here
306:30 - 307:00 by enforcing complexity and history so we don't have weak passwords and we don't reuse passwords smart cards are a good option which include typically a microprocessor and and a certificate which would go back to the trusted authority from which it's issued so we could trace that back to a trusted source and then tokens are sometimes used to create one-time passwords these come up in odds and end scenarios like one-time guest scenarios or i've seen it
307:00 - 307:30 in in cases where a user is in a location where they don't have you know cellular access for example to to provide that second factor and then finally biometric methods which identify users based on characteristics like a fingerprint or a retina scan now around biometric you're going to need to know the crossover error rate how to calculate the crossover error rate and the implications of the different air types so let's talk about
307:30 - 308:00 biometrics this is authentication using an individual's physical characteristics which are unique to each individual so there's a fingerprint scanner which are now very common and they're used not only in multi-factor authentication but various travel financial and legal situations so you'll see these at at some airports and even at some banks a retina scanner which works with your eye of course and with appropriate lighting the retina of the eye can be accurately identified as the blood
308:00 - 308:30 vessels of the retina absorb light more readily than the surrounding tissue then there's the iris scanner that confirms the identity of the user by scanning the iris of their eye both retina and iris scanners are physical devices then there's voice recognition where the voice patterns of a person can be stored in a database and used for authentication facial recognition which looks at the shape of the face and the characteristics like mouth jaw cheek bone and nose now light and angle
308:30 - 309:00 direction can be a factor here especially in software microsoft's facial recognition solution called windows hello was released in windows 10 and it uses a special usb infrared camera so it's a little better than some other facial recognition programs that can have problems with light you can look at veins so using blood vessels in the palm can be used as a biometric factor of authentication and then there's gate analysis so that's g-a-i-t
309:00 - 309:30 gate is the way an individual walks and identification or authentication using gate is possible sometimes even with lower video resolution so crossover air rate in the context of biometric so false acceptance occurs when an invalid subject is authenticated someone who shouldn't have been this is sometimes called a false positive authentication then a false rejection occurs when a valid subject is rejected this is sometimes called a false negative
309:30 - 310:00 authentication so false acceptance is also known as a type two error false rejection is a type one error so false rejection is undesirable but false acceptance is generally considered worse for the exam remember far as the acronym for false acceptance rate and fr as the acronym for false rejection rate and then there's the crossover error rate this is in biometrics identifying
310:00 - 310:30 users based on their characteristics and then identifying the accuracy of the method the crossover error rate is where false rejection and false acceptance rates are equal so to move the crossover error rate lower or higher you can increase or decrease the sensitivity of the biometric device until you get to that happy medium so let's talk single sign-on so this is a mechanism that allows our subjects to authenticate once
310:30 - 311:00 and then access multiple objects without authenticating again so some common single sign-on standards out there include saml sesame kryptonite oauth and open id in fact for the exam the three i think you should focus on are saml oauth 2.0 and open id so oauth20 is the standard when it comes to oauth but you'll need to know the high-level scenarios where each of these these more
311:00 - 311:30 or less factor so going down that road security assertion markup language or saml is an xml-based open standard for exchanging authentication between parties in particular between an identity provider and a service provider the most common place i see saml come up is in active directory federation services what i will say about saml is this seems to be kind of on the way out i see some folks that have been using this for years i don't see a lot of organizations adopting
311:30 - 312:00 this sort of uh federation scenario very often oauth20 is an open standard where we see authorization used by authenticating that user using their microsoft google facebook twitter your social accounts without exposing their password you use these every day i'm sure and then open id is another open standard that provides decentralized authentication allowing users to log
312:00 - 312:30 into multiple unrelated websites one set of credentials using a third-party service that's called an open id provider so just a couple of things here so so saml comes up a lot in federation scenarios like i mentioned active directory federation services is where i have seen it most commonly uh oauth2o was developed by the internet engineering task force and updated through rfc which is the same process used for
312:30 - 313:00 maintaining internet protocols like tcp ip for example so let's talk about access control models so like those authorization mechanisms access control models are going to be very important for the exam for domain five so discretionary access control so in this model every object has an owner and the owner can grant or deny access to other objects at their discretion so the fact that the owner can grant or
313:00 - 313:30 deny access at their discretion is what makes it discretionary the ntfs file system that's very commonly used on windows for many years gives us that sort of model role based access control something we also see in the windows world quite uh typically is where we use roles and groups you'll actually see this in many uh cloud platforms like microsoft azure for example where they're using roles or groups so instead of assigning permissions directly to users user
313:30 - 314:00 accounts are placed into a role or or a group to to give them those privileges and basically that allows the system to scale more effectively typically map to job roles so so the the roles of the groups that i'm added to are going to depend on my job roles and in many large organizations they'll have template user accounts where the template account is already a member of the right roles and groups and they will simply clone that as they bring new users in or make a copy of it
314:00 - 314:30 and then there's rule-based access control where you have the key principle here is global rules apply to all subjects and within this model these rules are sometimes called restrictions or filters you'll commonly see this in the world of firewalls where you have a firewall that uses rules that allow or block traffic to all users equally continuing on we have attribute based access control which
314:30 - 315:00 really focuses on rules that can include multiple attributes it's going to be more flexible than the rule-based access control model we were just talking about this is oftentimes used by software-defined networks and then there is mandatory access control which relies on the use of labels applied to both subjects and objects so for example if a user has a label of top secret then they can be granted access to a top secret document but in that example both the
315:00 - 315:30 subject and the object would have matching labels this is sometimes called a lattice-based model and and it's called a lattice-based model based on the way it appears when it's drawn out as a tree so if you see access control and lattice-based mandatory access couldn't could well be your your answer i want to shift gears and talk about a different type of security controls and i put these here because we just talked about access control so logically this
315:30 - 316:00 makes some sense in your memorization work and your study so let's talk security controls countermeasures and safeguards which can be implemented in three broad categories administratively logically or technically it's sometimes called or physically so those are your three categories then we have several types of controls including preventative detective corrective deterrent compensative directive and recovery controls the three primary control types are preventative detective
316:00 - 316:30 and corrective so i want to explain these and give you some examples of each and you'll be expected to know these for the exam so you want to spend some time on this so we have the logical or technical it's sometimes called these are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems so here are a few examples so you see this is the technology encryption smart cards passwords biometrics
316:30 - 317:00 access control list remember we were just talking about access control physical security control so these are focused on providing protection to the facility and real world objects examples here would include guards fences motion detectors sealed windows lights i had someone complain that well lights don't provide physical protection they actually do when we have lights around the perimeter of a facility
317:00 - 317:30 lights will illuminate activity and that discourages would-be intruders administrative that third category these are the policies and procedures defined by an organization's security policy to implement and enforce overall access control focusing on two areas really personnel and business practices examples here are exactly what you'd guess the policies and procedures hiring practices background checks security training
317:30 - 318:00 vacation history job rotation personnel controls we're dealing with the policy and people aspects now when we look at the study guide they lay out these controls logically in this way so we have our assets that we must protect so administrative controls those policies provide the overriding foundation of our approach to security so they are the closest layer in this case because they drive all aspects of our
318:00 - 318:30 approach and then we have the logical and technical so those are the technology protecting us against attacks and exploits and then we have the physical so again we have policies we have the logical protecting against attacks and exploits and then the physical that prevent physical attacks on facilities and devices let's talk through the types of security controls i mentioned so we have preventative which is deployed to stop unwanted or
318:30 - 319:00 unauthorized activity from occurring so examples here would include fences locks biometrics man traps which are now more commonly called access control vestibules we have detective controls which are deployed to discover unwanted or unauthorized activity these are often after the fact controls rather than real time control so examples here would include security guards guard dogs audit trails
319:00 - 319:30 intrusion detection systems then we have corrective controls which are deployed to restore systems to normal after an unwanted or unauthorized activity has occurred such as a security incident examples here might include anti-virus alarms business continuity planning security policies then we have compensating controls which are deployed to provide options to other existing controls to aid in the
319:30 - 320:00 enforcement and support of a security policy an example here would be a disaster recovery plan that includes an alternate office location in the event fire suppression fails and the building is damaged then we have directive controls which are deployed to direct confine or control the actions of a subject to force or encourage compliance with security policies so let's take a couple of simple examples here so security guards when we
320:00 - 320:30 have a security guard at the front desk it's going to direct or encourage someone to comply with our policies if we have notification signs if we have escape route exit signs it's going to direct someone's activity monitoring and supervision are going to direct or encourage compliance with our policies recovery controls which are deployed to repair or restore resources functions and capabilities
320:30 - 321:00 after a violation of security policies so these are going to be more advanced or complex capability to respond to access violations versus what we'd see with a corrective control so examples here would include backups and restores fault tolerant drive systems server clustering and database shadowing so the complexity factor is higher as you can see there and then finally we have the deterrent control which is deployed to discourage the violation of security
321:00 - 321:30 policies a deterrent control picks up where prevention leaves off so locks fences security badges security guards security cameras intrusion alarms so you'll notice here that many controls fit into multiple categories and you'll see the same when you look at the official study guide i wanted to call out the descriptions here in a summary fashion with some examples too to ensure you can commit what sometimes seem to be subtle differences to memory for the exam
321:30 - 322:00 now we're going to switch gears and talk about the elements of risk so risk is the possibility of the likelihood that a threat can actually exploit a vulnerability and cause damage to assets and we can assess risk quantitatively which means using formulas or we can do it qualitatively which is using some some estimates based on our experience so asset valuation identifies the value of the asset so asset valuation is focused on asset value and threat
322:00 - 322:30 modeling identifies threats against these assets vulnerability analysis identifies weaknesses in an organization's valuable assets we're not worried about assets that don't really have value i don't care much about the stack of printer paper over on the table i care about that e-commerce system that holds my customer data right i'm going to run through some common access control attacks with you now but before i do i want to call your attention to another video
322:30 - 323:00 in the cissp exam cram series and that is the dedicated attacks and countermeasures video which covers attacks and countermeasures across all of the domains of the exam i absolutely recommend you give that a look before you head in for the exam so you'll want to be familiar with access control attacks for the exam so dictionary attacks are one example and they would use all dictionary words to
323:00 - 323:30 attempt to find the correct password in the hopes the user has used a standard word out of a dictionary and that's where we can use uh password policies to help a brute force attack is a an attack that attempts to break a password by trying all possible words and and really password complexity and attacker tools and compute power are going to determine the efficacy of that kind of attack a spoofed logon screen so that implements a fake logon screen and when a user attempts to log on the screen
323:30 - 324:00 will send the username and password to the hacker so so a spoofed logon screen could be when we have a compromise system and that that screen has been faked or sometimes you'll see in phishing attacks where you get a fake you know gmail log on screen for example and you're encouraged to change your gmail password so spoofed logon screens are another threat uh sniffer attacks so in a sniffer attack uh the attacker uses a packet capturing tool that's the key
324:00 - 324:30 element here so they can capture analyze and read data that's sent over a network looking for information they can use to you to work against us an attacker can easily read data that's sent over a network and clear tech so encrypting data and transit going to stop this kind of attack spoofing attacks this is this is where the the attackers print pretending to be something or someone else this is used in many kinds of attacks including access control the attacker is often trying to obtain credentials like in the
324:30 - 325:00 the spoofed google logon screen that you know typically comes through a phishing attack many spoofing attacks uh you know like email spoofing phone number spoofing ip spoofing a lot of phishing attacks are going to focus on using spoofing methods another type of access control attack is social engineering this is just any attempt by an attacker to convince someone to provide information they wouldn't normally like a password or to perform an action they wouldn't
325:00 - 325:30 normally like clicking on a malicious link or it could even be uh telling somebody uh information about vacation schedules or you know when somebody comes into the office normally because oftentimes social engineers are trying to gain access to the i t infrastructure or the physical facility and so understanding how people move around the the organization can be really useful to them so the best defense for social engineering is security awareness training you know just training users to
325:30 - 326:00 not give away information to parties they don't know and to not click on links that they aren't sure are legitimate phishing attacks so phishing attacks are commonly used to trick users into giving up personal information via some sort of email a malicious link or a malicious attachment lots of tools out there today to prevent phishing attacks and even tools to simulate phishing attacks so you can educate your users in the real world from day to day so there
326:00 - 326:30 are some fishing variants we want to be familiar with so spear phishing targets specific groups of users you know there there are basic phishing attacks that aren't very clever where you know every user in your organization gets you know blanketed with a hey your your gmail password has been compromised you need to click here and change your password quickly we actually had a government entity a campaign a political campaign that was uh was hacked through that sort of general fishing attempt but a spearfishing
326:30 - 327:00 attempt is going to be a little more nuanced in that the attacker has done some some advanced investigation of your organization and they're targeting specific groups with a more specific type type of attack that seems relevant to their job a variant of this is whaling which is a targeted attack on your high level executives or other high value targets whale whaling is going after that that high value targets and then vishing uses voice to carry out the exploits so phishing is
327:00 - 327:30 really the number one cyber attack in the world today this is a really common uh way in the door to then uh compromise your organization in other ways so you want to know these three variants for the exam for sure i expect you'll see something on fishing come up then finally there's an access aggregation attack that's that's where the attacker combines or aggregates non-sensitive information to learn sensitive information this is used
327:30 - 328:00 often in reconnaissance attacks let me give you an example of an internal access aggregate aggregation of non-sensitive data so let's say we have a a shipping clerk that has access to to order records but the organization restricts access to total sales volume but uh the shipping clerk has access to the order record so they can pull all those individual records together and add them up to total to get that that sensitive total sales volume
328:00 - 328:30 that that's one example but it's combining non-sensitive information to get to the sensitive information so know these common access control attacks and how to prevent them so to prevent these types of attacks i've given you some of that information in line and as we talked about them but but a couple of reminders here so password should be long complex and change so that's where we used password policies to enforce complexity and history so we have to have a strong password policy and then enforcing other
328:30 - 329:00 measures like account lockout after you know x number of logon attempts and for the spoofed logon screens the best prevention is to have secure endpoints where these fake screens can't be implemented and in the case of of the external uh scenario where you're being sent to like a spoofed you know gmail screen for example that's where we're using phishing protections to deal with uh with that sort of exploit so other attacks there are a couple of
329:00 - 329:30 not specifically access control attacks i wanted to talk to you about but just to get these out here because they're sort of fringe so tempest allows electronic emanations that monitors produce to be read from in a distance this is going to be effective on crt monitor so this is something of a legacy attack you know with modern with uh monitor displays you know modern monitor displays shoulder surfing is going to be
329:30 - 330:00 the way you deal with that white noise which is broadcasting false traffic at all times to mask and hide the presence of real emanation so that's sending kind of a distracting signal down the line essentially so i'm not sure you'll see these i want to bring them up because they are definitely called out in the guide rf rfid barcoding and inventory these represent the ability to prevent theft which reduces risk so you'll see rfid barcoding and inventory in in
330:00 - 330:30 the world of asset management and these are intended to prevent theft and reduce risk so these are not going to be you know technical areas but think think of risk reduction around asset theft when you see rfid barcoding and inventory and that's what i have for you in domain five next on the agenda is domain 6 security assessment and testing and the discussion of what's new in
330:30 - 331:00 domain 6 is a fairly short discussion because there are no significant changes in fact when we look at the top line syllabus for this exam it hasn't changed from the 2018 release of the cissp syllabus domain 6 is a short domain but a pretty high bar in terms of what you're expected to know so let's get into it by starting with a look at the exam outline from the official ise squared exam
331:00 - 331:30 outline so it starts with design and validate assessment test and audit strategy so the key word there being design and validate strategy so you're expected to know how to develop a good assessment test and audit strategy six two conduct security control testing so now we're actually talking about doing the work collecting security process data in 63 and then analyzing the output and generating a report so even though this
331:30 - 332:00 is a short domain by the numbers there's a pretty high bar in that you're expected to have some knowledge end to end in the assessment and testing process and remember there's always one fundamental truth you want to remember about the cissp exam and that is that sometimes situations require an expert and so does the cissp assume that you're an expert penetration tester no it does not so remember we're thinking like a
332:00 - 332:30 manager here that may come up and and sometimes call an expert is a valid answer so just park that in the back of your head so let's talk security assessment and testing so assessment and testing programs in the security world provide a mechanism for validating the ongoing effectiveness of security controls and ongoing effectiveness is a good point there because your testing programs are going to have to come back periodically and validate that your controls are still effective it's not a
332:30 - 333:00 one-time situation you know i function in a fractional chief information security officer for organizations and we have some tests that are conducted quarterly you know so so it's an ongoing process vulnerability assessments penetration tests software testing audits security management tasks so we're going to touch on all of these in this domain and the most important thing is that
333:00 - 333:30 every organization should have a security assessment and testing program defined and operational so if you get to one of those choose the best answer questions that's the bottom line when it comes to security and assessment testing is you need a program defined and operational so let's talk about vulnerability assessments versus penetration tests vulnerability assessments use automated tools to search for known vulnerabilities and and these tend to be less expensive than penetration tests generally
333:30 - 334:00 speaking the the flaws might include missing patches missing configurations faulty code uh that expose the organization security to security risks and you'll find they'll they'll call out the automated tools will call out the cve that's applicable to the uh the vulnerability uh penetration tests use these same tools but they supplement this with attack techniques where an assessor attempts to exploit vulnerabilities and gain access to a system so so
334:00 - 334:30 vulnerability assessments will identify some weak spots and then the penetration test goes a step further to to target what we call targets of opportunity in some cases and so generally speaking when you get a quote for a penetration test you're going to quote these two things together from from the company you're working with and and large organizations might have their own penetration testers but they're still going to hire external companies external auditors to do you know this sort of testing
334:30 - 335:00 so some of the strategies that might be employed war dialing which which is a bank of modem sniffing so monitoring the network uh eavesdropping dumpster diving which is just like it sound i've never seen uh uh a penetration test that involved dumpster diving you know the more the more people time that's involved the more expensive it's going to be right if and these last two in particular if somebody's going to go dumpster diving or or go through some social engineering exercises these are going to drive your
335:00 - 335:30 price up because it requires a person really doing some some homework and spending some time um the whole idea of of this you know is the is that you know human interaction is involved and just know that that's going to increase the cost that bank of modem strategy i expect is legacy it's called out in the official uh guide to just park that in the back of your mind that it might come up as a valid strategy and certainly it is it just feels a little less relevant in 2021 doesn't it
335:30 - 336:00 some key areas of security process so employment policies and practices so we know on the front end we have background checks as we're onboarding employees on the back end at separation we have a termination process which would include making sure that we de-provision any access this employee has to the organization's data this is going to be an important part of the identity management lifecycle which we talked about back in domain five
336:00 - 336:30 so roles and responsibilities remember that management sets the standard and verbalizes the policy and around security awareness training so security awareness training is really important in in preventing social engineering it certainly helps with phishing attacks i see in the real world that uh quarterly security awareness training takes our fishing numbers way way down because people become hyper aware of the most common attacks but if we
336:30 - 337:00 look at this in order we we write the policies we communicate the policies and then we train on the policies right so it's it's a a process within a a process sort of encompassing these these processes so software testing so software testing comes in many forms but it's used to validate our code uh that's moving into production and really before production so software testing at its basis just
337:00 - 337:30 verifies that code functions as designed and does not contain security flaws code review typically uses a peer review process to formally or informally validate code so it's quite normal that you'll have senior developers looking over the code from junior developers or or folks cross discipline validating code there's really no hierarchy here but but you always need that second set of eyes
337:30 - 338:00 just to ensure that we're following good practices and uh as a team uh going down the same this the same approach and and certainly there are automated tools out there you can use to scan your source code that will flag bad practices but but a peer review process is is part of the uh the software testing world as well so interface testing focuses on interactions between components and users with api testing
338:00 - 338:30 and physical interface testing so this is really about how you know maybe an interface interacts with a database for example or an interface interacts with an api and you can automate some of this testing a lot of times this will be some of that user experience testing where a skilled software tester goes through a plan validates the experience flags any any variants from the expected result static versus dynamic software testing
338:30 - 339:00 you'll want to know the difference between these two for the exam so static software testing includes things like code reviews that we just talked about evaluating the security of the software the key here is evaluating the security of the software without running it by analyzing source code or the compiled application and then there's dynamic software testing where we evaluate the security of the software in a runtime environment this is
339:00 - 339:30 often the only option for organizations that are deploying applications written by someone else but i do want to point out that dynamic software testing does not mandate that it's written by somewhere else there is a lot of value in running software in a runtime environment to ensure that it functions as design that it's fun that it can scale uh that it is secure because in a runtime environment we can perform all of the evaluation and scanning to ensure that those components come together for
339:30 - 340:00 a successful result before we go to production but when it comes to static software if we boil it down to the most basic element static software testing involves evaluation without running it dynamic testing involves running it we go to a runtime environment all right fuzzing may come up on the exam this is a testing technique so it uses modified inputs to test software under unexpected
340:00 - 340:30 circumstances so changing the input around to see how the application uh responds to unexpected inputs uh you know this this sort of testing can uh can flush out things like uh you know sql injection attacks for example uh or or sql injection vulnerabilities i should say in your your code fuzzing also involves modifying known inputs that may trigger unexpected
340:30 - 341:00 behavior this is the part where you're asking yourself what in the heck is a synthetic input well so it modifies a known input which would be real world data to generate a synthetic input so not real world data but that resembles the real thing this is this is how you can create larger data sets but modifies known inputs to create synthetic inputs basically more examples that may potentially trigger unexpected behavior if i test an interface for example
341:00 - 341:30 with five different options i might not find a problem but if i test that same interface with 5000 options i might find a problem right so variety is good and synthetic inputs give us that capability uh generating generational fuzzing is another type of fuzzing so this develops inputs based on models of unexpected inputs to perform the same task security management oversight so so
341:30 - 342:00 proper oversight of your information security program obviously important questions around oversight may come up on the exam so log reviews particularly for administrator for privileged activities to ensure that systems are not misused periodically we'll also have account management reviews to ensure that only authorized users retain access to information systems in fact in recent
342:00 - 342:30 years there are tools out there that will kick off access reviews in the in the cloud multiple providers have what we call a privileged identity management system that will kick off an access review where the user or user's manager reviews their access and verifies that it's still necessary necessary or says hey i don't need this anymore and the access is re removed backup verification so ensuring that
342:30 - 343:00 the data protection process is actually functioning properly this is the most important thing if you get a question around uh the backup or or recovery program and and asking you know what's the most important element the most important element when it comes to backups and dr is that the process actually works full stop all right key performance and risk indicator so providing a high level review of the security
343:00 - 343:30 program effectiveness so looking at key performance and risk indicators will surface a need for evolution of our process you know security controls don't function at the same level of uh effectiveness or efficacy forever right they need to be evolved over time to deal with uh the the change in in threats and attack vectors internal and external audits so you'll you'll need to deal expected to
343:30 - 344:00 be familiar with conducting or facilitating internal and third party audits so a security audit happens when a third party performs an assessment of the security controls that are protecting an organization's information assets so so third party that means external right and then internal audits are performed by an organization's internal staff and they're intended for management use in fact we we perform internal audits to ensure that we're ready for third-party audit so it's it's part of
344:00 - 344:30 internal audits are part of that process to ensure that our controls are effective but we can also perform an internal audit that reviews specifically the standards the third party is going to bring to bear on our organization for example if we had an external audit coming to us for gdpr we could look at the the kprs kpis around gdpr and make sure through an internal audit that we were ready for the third party on it that way the third party audit is really just
344:30 - 345:00 focused on those edge cases that we missed just just helping us round out our strategy not you know feeding us basics and for the exam i would suggest assuming that any audit mentioned is a third party audit unless otherwise specified if it doesn't say internal audit i would assume that it's a third party and that's what i have for you in domain six that brings us to domain seven
345:00 - 345:30 security operations so let's talk about what's in the official exam outline for domain 7 as well as what's new in the 2021 release we know when we we take a look at what's new that can give us an idea of where we may see some additional focus in this latest iteration of the cissp exam so 7.1 is understand and comply with investigations 7.2 conduct logging and monitoring activities then perform configuration management
345:30 - 346:00 followed by apply foundational security operations concepts 7.5 apply resource protection then conduct incident management and in 7.7 operate and maintain detective and preventative measures so you see a lot of process driven content here because this is after all security operations and we're about halfway home here so 7.8 implement and support patch and vulnerability management if you've been
346:00 - 346:30 in i.t for long this one may be one of the easier concepts to onboard 7.9 understand and participate in change management this may also be easy for some of us implement recovery strategies followed by implementing disaster recovery processes and then testing disaster recovery plans and in 7.13 participating in business continuity planning
346:30 - 347:00 and exercises followed by implementing and managing physical security and finally in 7.15 addressing personnel safety and security concerns after all human safety is our number one priority so that one's important i expect physical security is going to be an area that many are a little less experienced with so maybe a bit more learning and memorization work there and understanding the relationship between
347:00 - 347:30 business continuity and disaster recovery planning is important so i will talk about each of those and how they are related in this chapter now i want to take a look at what's new in 2021 so we saw that 7.4 was essentially removed which was securely provisioning resources and we saw quite a few new technologies mentioned in these existing subdomains so some of the topics we saw pop up were threat feeds
347:30 - 348:00 user and entity behavior analytics next generation firewalls and web application firewalls as well as the use of machine learning and artificial intelligence so i'm going to cover all of what's new right now so we can just get the what's new out of the way and then we'll dive into the rest of domain seven so we'll start with those firewalls and i did mention these two in domain four because i wanted to include all of the firewall information in one place for
348:00 - 348:30 ease of your learning but i'm going to call them out here again simply because they were raised in domain seven so we have web application firewalls often abbreviated as waff these protect web applications by filtering and monitoring http or more likely https traffic between a web application and the internet they typically protect web applications from attacks like cross-site scripting cross-site request forgery and sql injection just to name a few
348:30 - 349:00 some of these waf solutions will come pre-configured with o-wasp rule sets to address the owasp top 10 threat lists and then we have the next generation firewall often abbreviated ngfw which is a deep packet inspection firewall that moves beyond important protocol inspection and blocking it adds application level inspection and additional functions like intrusion prevention and brings intelligence from outside the firewall often in the form
349:00 - 349:30 of threat feeds to feed real-time information about potential threats into the firewalls logic then we have user and entity behavior analytics which is where entity behavior is collected and it's input into a threat model and a baseline of normal behavior is established for entities based on historical data and an entity may be a user it may be a device and over time it establishes that
349:30 - 350:00 baseline of normal which then enables analysis to uncover more details around anomalous events around abnormal activity unusual activity you'll often see an automated investigation feature in solutions that leverage user and entity behavior analytics and machine learning and ai to allow investigation of anomalous behavior at scale so security operations can keep up we then have threat intelligence threat
350:00 - 350:30 feeds these are also called these are activities that an organization undertakes to educate itself about the threat landscape in the form of a feed containing malicious entities ingested by cyber security tools and a single feed may be comprised of many sources including open source intelligence and entity in this case can mean ip website thread actor file hash certificate it's going to vary by vendor but entity can mean many different elements to identify entities that are
350:30 - 351:00 malicious as well as entities that are definitely not malicious you'll also be expected to understand the role of artificial intelligence and machine learning or ai and ml in security operations which really help to analyze and improve our cyber security posture in an automated way so so this analysis is no longer a human scale issue we see that in the form of an automated investigation feature often
351:00 - 351:30 but ai-based tools have emerged from a number of vendors that help us to reduce our breach risk and improve security posture by enabling investigation at scale without the need for a person doing all that work but they can quickly analyze millions of events identify potential incidents and dig into that data to surface those activities that are in fact actual incidents that then humans can review and confirm
351:30 - 352:00 and we see histories of behavior build profiles on users assets networks allowing ai to detect and respond to deviations from those established norms from that baseline of normal if you didn't watch domain 1 i did talk at a bit greater depth about exactly what our artificial intelligence machine learning yuba which we just discussed as well as deep learning so if you want to understand more about what these four are and how they're related go back to
352:00 - 352:30 domain one and watch that i covered it at the beginning for a reason because i think it's going to be important for your learning throughout the the modules but know that ai and machine learning factor in anti-malware and security information event management and intrusion detection and prevention and identity as a service and many other services and that is to say that ai and machine learning are everywhere in security today and those are the deltas for the 2021 release of the exam let's dig into the
352:30 - 353:00 rest of our domain 7 content all right so let's get right into it so we're going to start with some concepts so uh need to know and the principle of least privilege which have come up in other domains in one respect or another two standard principles that are implemented in any secure network and at the the root of it they limit access to data and systems so that users and other subjects only have access to what they require they are preventative
353:00 - 353:30 they prevent security incidents but where they don't prevent they also can limit the scope of incidents when they occur when we have an account that's breached if we've implemented uh security controls access controls the principle of least privilege what we will do is limit the damage because without these principles the the damage can be far greater when we don't prevent entirely so preventing fraud and collusion
353:30 - 354:00 so collusion is an agreement among multiple people to perform some sort of unauthorized or illegal actions uh so a couple of ways to prevent fraud and collusion one would be separation of duties this is where we just make sure that one person can't control all the elements of a critical function so we have one person who maybe assigns those elevated permissions and we have another person who carries out those activities but one person doesn't have that full capability end to end where
354:00 - 354:30 they could complete that entire end and critical process in a vacuum you know maybe going all the way out to deleting critical information for example covering their tracks so separation of duties very important job rotation so rotating employees into different jobs or tasks so we don't have the same person in in the same role within a process for an extended period of time this is actually a way you can flush out
354:30 - 355:00 fraud along with along with rotating vacation schedules etc because we can see patterns based on who's who's on duty right but but implementing these policies helps prevent fraud because it limits uh the actions individuals can perform without colluding with others if we don't have one person with permission with with capability to go in to end in a process without talking to anyone else uh we're going to
355:00 - 355:30 reduce the likelihood it happens because then folks have to be uh working together to some malicious end so monitoring privileged operations so privileged entities are trusted but we know that but we know these people can abuse their privileges right it happens so it's important that we monitor assignment of privileges and the use of privileged operations so we want to monitor who who has been assigned privilege and we want to monitor when
355:30 - 356:00 and where and how they are using it but the goal here is to ensure that trusted employees don't abuse those special privileges that we're granting them and the reality here is that monitoring these operations can also detect many attacks because attackers are commonly going to use special privileges right if an account is breached for example if an identity is compromised they're going to use the attacker will use that privilege to carry out their attack so if we see that
356:00 - 356:30 sally has global admin rights on a cloud platform and she's performing actions right now that require privilege but sally's not on duty we know we have a problem right we've surfaced we've we've flushed out an attack in progress because we were monitoring those operations so the information life cycle so it all begins with creating information right so information can be created by users so you know a user creates a file for example right
356:30 - 357:00 but information can also be created by a system like when a system logs access when we're when we're logging and monitoring privileged operations for example so shortly after creation we want to make sure that data is classified right so if you're in the financial services industry and you have a document that has financial data in it or personally identifiable information we want that information classified as soon as possible so we can properly secure it as it is stored right because if we
357:00 - 357:30 don't have that classification in place so our security controls are applied then we have a window of opportunity where that data can be scooped up or leaked in some fashion because we haven't uh classified quickly enough and the data should be protected with adequate adequate controls based on that classification that's that's why it's so important to get your classification in as soon as possible and when we think about usage usage in
357:30 - 358:00 the context of the information life cycle refers to anytime data is in use or in transit over a network for example archiving data so sometimes we have to to archive data to comply with logs or regulations that require us to retain the data and and there are regulatory requirements out there that might require us to keep data for seven years or even longer in some cases so archival is one way we do that and then
358:00 - 358:30 when we get to the end of information and information's uh life cycle we need to destroy that data and when it's no longer needed it should be destroyed in a way that it is not readable and a couple of things here we talked about in an earlier domain that if we if we let data stick around longer than it's needed it can result in in legal issues right uh but we want to also make sure that it is not readable or recoverable we talked about previously in the series how just
358:30 - 359:00 deleting a file from a hard drive for example doesn't mean that it can't be recovered through forensic means so we want to make sure that when we're destroying data we are destroying data so it is not readable or recoverable all right so service level agreements will definitely come up when we're we're talking about uh when we're covering subjects like disaster recovery and service level agreements stipulate performance
359:00 - 359:30 expectations like maximum downtimes or availability numbers you know the how many nines we're putting out there these are generally going to be used with vendors now can a service level agreement exist between entities within an organization they can generally speaking between departments or business units in an organization you will have what they call olas or operational operations level uh type agreements so secure provisioning which came up in
359:30 - 360:00 the official exam outline so secure provisioning of resources ensures that resources are deployed in a secure manner out of the box and they're maintained in a secure manner throughout their lifecycle so for example when we think about uh secure provisioning we deploy a pc from a secure image we have a gold image if it's a virtual machine we have a vm template if it's an application that runs in docker for example we'll have a container image that's been properly scanned to ensure
360:00 - 360:30 that it is exactly as we we think it to be and doesn't contain any any malicious uh code or applications uh virtual assets so so you know the world is is you know compute and network are virtualized especially when we get to the cloud but virtual assets can include virtual machines they can include virtual desktop infrastructure so vdi has gotten bigger over the years and and in 2020 it really this this industry really
360:30 - 361:00 blew up even more with with work from home increasing uh software-defined networks fall into the category of virtual assets uh virtual storage area networks hypervisors are i think the number one thing we think of when we're talking about uh virtual assets but both uh you know because the hypervisor gives us just another target right if you can if you can compromise the host you can potentially compromise all of the virtual assets that ride on that host
361:00 - 361:30 the virtual networks the virtual machines etc so both your hypervisors and your virtual machines have to be patched right to keep them up to date but you've got compute network and storage there that are all virtualized in some respect all right so continuing down this road of virtual assets we can potentially have security issues around our cloud-based assets so storing data in the cloud in theory increases the risk so we have
361:30 - 362:00 to take steps there to make sure that we're protecting the data depending on its value and and certainly if we're storing data in the cloud they're going to be security recommendations from that cloud provider to make sure that that we're using the service the cloud service in the way it's intended but what you'll also find in cloud storage is shadow i.t can be a problem we find that our users are potentially using
362:00 - 362:30 uh cloud storage apps that we didn't intend so if you're a microsoft shop you're probably using onedrive in sharepoint but you may find with a little looking that your employees are also using dropbox or box and that's what a cloud access security broker or casby uh can really help you with is is flushing out uh unsanctioned apps in your environment that potentially increase our risk further because they're outside of our radar so we talked about
362:30 - 363:00 the the casby uh a domain or two back and when you're leasing cloud-based services you do want to know who is responsible for maintenance and security because the cloud represents what we call a shared responsibility model i'm going to give you a clear diagram of this in about 30 seconds so stick with me and it's the cloud service provider that really gives us uh the least amount of maintenance and it gives us uh security in the the is model
363:00 - 363:30 so it gives us least amount of maintenance but it also gives us security not not least maintenance and lease security it's it's least maintenance and good security in that is model but let's talk about responsibility right so when you have a hypervisor and you're running virtual machines in your data center it's yours right you're responsible from the wire up physical layer to application layer now when we move into the cloud when we're looking at is or infrastructure as a service these are virtual machines you'll notice that the cloud service provider the csp
363:30 - 364:00 has some responsibility there right they're handling the infrastructure for you they're handling the hypervisor the networking the storage the servers as we move into platform as a service you'll see here that the csp is taking on even more responsibility now they're handling the the runtime the middleware the os so so there are many cloud-based uh database platforms for example where you're you can deploy databases uh potentially have your own
364:00 - 364:30 database server but you're not responsible for a lot of that stack right you're you're really focused on your data and your apps at that point and if we go all the way to sas something like office 365 for example you are a consumer of a service so you are really truly just the customer in that that case configuring the services you'd like and all of the responsibility is on the csp but you see as we move across the model they're the responsibility of the the csp the shared responsibility is
364:30 - 365:00 shifted from your organization to uh that cloud service provider so let's talk about configuration and change management so so these are important on their own but they also factor when we're thinking about incidents and outages because good configuration and change management can prevent incidents and outages because it improves they improve our security and the consistency of our configuration so configuration management ensures that
365:00 - 365:30 all of our systems are configured in a similar fashion that those configurations are known and they are documented in fact there's a practice called baselining that ensures our systems are deployed with a common baseline starting point imaging is a common baselining method and and really uh using policy-based configuration of your security is another way to establish consistency in configuration when we use a policy that is automatically deploy applied
365:30 - 366:00 as we deploy new resources we we have confidence that our configuration is consistent uh throughout but that baselining process uh you know start can can start with imaging it can move into to policy based configuration and in configuration management this is a process where we also have to to have uh you know some continuous scanning or periodic scanning to make sure that we don't have shift and drift in our configuration that our configuration remains consistent
366:00 - 366:30 uh that we don't have a gap in access controls that have allowed people to manually change our configurations in a way that we're not aware of or okay with and change management can go hand in hand with this because change management will help reduce our outages or weakness weakened security from those authorized changes right when we have a change management process in place we're going to always make sure that
366:30 - 367:00 those changes have been you know documented discussed tested and they're they're authorized right so versioning uh uses a labeling or a numbering system to track changes in updated versions of software uh these these can be really helpful in the change management process because we know what version we're on if we have a change that rolls out and we need to roll back we know exactly what version of the environment we're going back to but the key here is that this this process requires changes to be requested approved
367:00 - 367:30 tested and documented right and this can also really work as a deterrent control because anyone thinking about making unauthorized changes will be aware of your change management policy and will know that they're breaking the rules if they go outside this this process of request approval testing and documentation the exam may test your knowledge of the patch management process or update management you may sometimes hear it
367:30 - 368:00 called which ensures that our systems are kept up to date with current security patches and the process generally involves evaluating testing approving and then deploying those patches in larger companies you'll see the evaluation test and approval process is fairly well structured and formalized in small to medium businesses oftentimes we'll see this is less formal and in the the smallest businesses many times we'll see that windows for example is
368:00 - 368:30 simply allowed to automatically deploy those patches on its own and then of course after the fact we need to verify the deployment of approved patches to these systems that's where your vulnerability scanner can help and for major patch deployments patches that perhaps involve new functionality for example will want to make sure this is intertwined with their change in configuration management and in larger organizations you'll see the patch management process tied into change
368:30 - 369:00 management so the it organization knows when this is happening and it is a fact that orgs without patch management will experience outages at some point from known issues that could have been prevented had they simply kept their security patches up to date so just to visualize that patch management program as it was articulated there we evaluate patches test the patches approve the patches
369:00 - 369:30 deploy the patches and then verify the patches are deployed now the verification we can do with a vulnerability scanner certainly if you are using a third party or even a microsoft enterprise patch management system generally there will be a report there that can help you verify but a vulnerability scanner is an external source of truth that i think is worth employing on a recurring basis like monthly for example i mentioned vulnerability management was
369:30 - 370:00 going to come up there are three concepts we want to talk about here so vulnerability management includes routine vulnerability scans and periodic vulnerability assessments so so typically when you're getting a penetration test any quote for a pen test is typically going to come with a vulnerability scan as well because they'll use the output of the vulnerability scan to identify targets uh that they can then uh you know go into us do some poking and
370:00 - 370:30 prodding to see if they can breach in the the penetration test and not to say that's the only time you can do that many organizations are the you know the most secure organizations in my opinion are going to be performing their own vulnerability scans on a routine basis which will flush out issues in other processes like patch management as i mentioned vulnerability scanners are the you know the the technical component that can detect those security vulnerabilities and and weaknesses the absence of patches
370:30 - 371:00 or weak passwords and surface that back to us many companies out there uh that produce vulnerability scanners uh you know tenable is a great scanner qualis is another vendor uh that comes up in this space but many out there i'm not recommending either of those i'm just kind of calling out that you have a lot of options out there in the space vulnerability assessments go beyond that technical scan that technical scan is just a piece of software scanning a list of hosts or ip addresses
371:00 - 371:30 the the assessment extends beyond that scan and can include reviews and audits to detect vulnerabilities it uh generally speaking will include a person then applying specialized knowledge to uh to take that one step further the exam focuses on incident response in a seven step process you'll need to memorize these steps in order here is the memory device i use to remember those steps drm rrl the first letter of each of those
371:30 - 372:00 steps drum roll not spelled exactly right but it certainly sounds the same when you look at it right so drum roll is how i commit those seven steps to to memory and if we break those out so we have detection uh which might include our monitoring tools intrusion prevention firewall users notification to management of the help desk we have response triage is it really an incident
372:00 - 372:30 you know here we have a decision to declare yes this is an incident uh mitigation so this is our our first containment effort or step uh this is where we create our our our response team reporting to relevant stakeholders customers vendors law enforcement recovery returning to normal operations then in the remediation step we're addressing root cause and then lessons learned where we talk talk through what
372:30 - 373:00 happened this helps prevent recurrence and improves our incident response process so the those seven steps if i just laid them out here again i want to just call out some key details that you want to commit to memory for the exam okay so limiting damage happens in the response phase that's where we initially respond to the incident mitigation is where we contain that incident we contain the scope reporting and recovery
373:00 - 373:30 are management decisions incidentally so just park that in the back of your mind and then remediation is where root cause analysis is addressed if you have questions that come up on the details beyond the seven steps these are the four areas that i think you'll see questions on so you may just want to commit these to mind you will be expected to know denial of service attacks
373:30 - 374:00 so denial of service attacks prevent a system from responding to legitimate requests for service service it essentially uh chokes the resources of a system or in some way blocks it from properly uh responding and and you often we hear about distributed denial of service attacks where we have ho you know many hosts we have have bots out there zombies you know compromise systems around the world that are used to to really provide a heavy
374:00 - 374:30 um a heavy load in denying services so some common denial of service attacks you have the the sin flood attack which disrupts the the tcp three-way handshake that's the key piece i want to give you sort of a key aspect of each of these attacks so when you see them on the exam you can pick out the right one another common dos attack is a smurf attack which employs an amplification network to send many response packets to a victim and
374:30 - 375:00 now you're asking what the heck is an amplification network uh it's essentially a network of host computers that permits broadcast messages so you're generally speaking they're going to be under control of the bad guy the bad actor that is trying to perform that attack so the smurf attack is is actually uh one of a number of attacks that fall into a category called amplification attacks uh the ping of death attack which is characterized by the fact that it sends oversized ping packets to the victim
375:00 - 375:30 causing causing a freeze crash or a reboot in a system so you'll find that newer attacks are sometimes even variations on older methods you know when security tooling and processes advance sometimes they are able to stop those those legacy attacks cold and that's where the the other bad actors will will improvise or evolve themselves and and tweak those attacks to create a new
375:30 - 376:00 variation that then again uh does the job for them so bot botnets controllers bot herders uh your represent significant threats due to the sheer number of computers that can launch attacks you know it's difficult for um many businesses certainly small and medium businesses that are that are hosting their own services to deal with attacks at a certain level of scale that's that's actually one of the uh the key
376:00 - 376:30 one element of key value of a cloud platform as your your major cloud providers out there are going to have some built-in protection for you against some of these attacks at scales but uh at scale but a botnet is a collection of compromised computing devices there are a lot of times they're called bots or you might hear them called zombies the bot herder is simply a criminal who remotely controls those zombies they have what we call command and control access so they're they're basically
376:30 - 377:00 sending orders uh to to those those bots to the zombies and they often use the the botnet to launch attacks on other systems this is where you know a distributed denial of service attack would come come from or where they might send out you know spam or phishing emails uh a honeypot now we talked about a honeypot in uh in a in a previous uh lesson i want to touch on this from a slightly different perspective just to layer in some additional info for you here so a honeypot is is a system that
377:00 - 377:30 has pseudo flaws and it has fake data to lure intruders the key there is that it lures and distracts the attackers we talked about uh the importance of not actually allowing somebody to uh entrapping somebody to commit an act we're giving them fake data right we don't give them real data to to download to commit an actual crime because that then hurts our chances in the legal process because we have entrapped so we're luring and distracting and as long as the attackers
377:30 - 378:00 are in the honeypot they're not in the live network and our admins can observe right and and some some of your intrusion detection systems will have the ability to transfer attackers into a a padded cell after detection okay and here's another one of those what the heck moments here what what the heck is a padded cell it's a hardened honey pot um like honey pots padded cells are going to be well instrumented they're going to offer unique opportunities for a would-be
378:00 - 378:30 victim you know organization to monitor the activities of an attacker but think of a padded cell as a hardened honey pot at its simplest so blocking malicious code there are multiple approaches here generally used together you know the best the best security strategy is what we call a layered defense sometimes called defense in depth so there are many approaches to blocking malicious code a simple one using anti-malware software anti-virus software sometimes
378:30 - 379:00 called with up-to-date definitions installed on every system at the boundary of a network and you'll have anti-malware sort of protection on your email servers or in your email service if you're using something that's cloud-based and anti-malware software particularly on your clients nowadays well in email too they they generally speaking have a fair bit of intelligence there's some ai and machine learning that are helping to identify unique threats never before seen threats
379:00 - 379:30 identifying suspicious uh potentially malicious behavior you don't you don't see anti-malware software anymore that's working on the old model of just definitions uh policy so enforcing basic security principles like lease privilege for example preventing regular users from installing potentially malicious software i'm a big fan of making sure that my users are not running as local administrator on on their workstations
379:30 - 380:00 for example as one example and we'll use policy based enforcement for example to make sure that users can not only not install software but for example they can't load chrome browser extensions that we don't authorize because there are hundreds of chrome browser extensions out there that are that are compromised in that marketplace in some way or susceptible at least education so educating users through security awareness training about the risks and methods attackers commonly use
380:00 - 380:30 to spread viruses so we're teaching them about phishing we're teaching them about social engineering this is a great recurring activity a lot of organizations do this quarterly and it doesn't have to be a lengthy session you know half an hour once a quarter can greatly improve your uh your your organization scores on your fishing simulations so penetration tests uh start by discovering vulnerabilities and then mimicking an attack to identify what
380:30 - 381:00 vulnerabilities can be exploited so i mentioned that vulnerability scans typically come as a line item on on many penetration tests that's because the vulnerability scan reveals the weak spots and then the the smart penetration tester can come in and do some research on those those potential targets to see if they can be exploited penetration tests should not be done without the express consent and knowledge of your management i i've seen an
381:00 - 381:30 organization that was actually impacted when an engineer got a call and during the day he was getting a pitch from a salesperson about this great vulnerability scan that would reveal weaknesses on their website and uh with that organization they found that they were under what they thought was an attack and it was actually because this engineer said hey yeah give us a scan and let us know and i'll take that to management you know thinking he might be the hero to sell some new software and it actually caused an outage so you
381:30 - 382:00 never authorize or or perform your own pen test without notifying management and that's you know one of those things you want to know for the the exam because it can result in damage so we want to make sure that we're working with with isolated systems or if we're having pen tests you know performed on our production systems we do it at a time of minimal activity we schedule that we inform users and customers so if a system is unavailable it's not a surprise to anyone
382:00 - 382:30 there are three varieties of penetration tests you should be aware of and they are black box white box and gray box testing so with black box testing the pen tester has zero zero knowledge essentially uh with white box testing i kind of call this an open book test you sit down with your penetration test vendor you tell them all about your environment and and you know maybe all the way down to you know the operating systems that are running on these systems so they can really give it their
382:30 - 383:00 best shot to get through your layered uh defense your your defense in depth all your layers of security those protections you put in place and there's a middle ground there where you can provide partial knowledge and and let them have at that too but when you know when an organization is getting uh great scores on the black box testing that's when it's a good idea to move into gray box or white box testing give that give the penetration tester an open book and let's you know let them do their worst and see if they can find some
383:00 - 383:30 weaknesses that we can firm up and and further improve our security posture so let's talk about intrusion detection versus intrusion prevention we've talked about intrusion detection systems and intrusion prevention systems previously i want to go at it from a slightly different angle here so you'll be ready for anything that hits you on the exam so an intrusion detection system can respond by passively logging malicious behavior that it sees it can
383:30 - 384:00 send notifications or it can actively change the environment an intrusion prevention system is typically placed in line with the traffic it includes the ability to block malicious traffic before it reaches the target so in that respect if you look at those two realities the the ips is more proactive because it can it can block malicious traffic before it reaches the target where the ids is letting us know that something potentially happened and then
384:00 - 384:30 potentially correcting that condition but it's more reactive right and and you'll find that there's there are flavors of these so they're flavors of intrusion detection uh there's host based intrusion detection which can monitor activity on a single system and the only one of the drawbacks here is that an attacker can discover that you're running these and and disable them and some of your operating systems for example will have you have some sort of native uh intrusion detection that's host base
384:30 - 385:00 that you can turn on and if the attacker sees what operating system you're running or they have you know a preset scan where they look for the various uh you know intrusion detection systems out there they can potentially find it and disable it that's where a network based uh ids comes in so network-based intrusion detection can monitor that activity on the network and it's not as visible to attackers and and i like to run both of these at the same time that is
385:00 - 385:30 possible you do of course want to do some some testing to make sure you're not doing any any negative damage because you're uh you're you want to make sure you're detecting real malicious activity and not getting false positives from your business applications right many environments i see running host-based and network-based together in harmony for the exam you will also want to know the difference between espionage and sabotage so espionage
385:30 - 386:00 is a threat from an external source so when a competitor tries to steal information for an example now they may use an internal employee to get the job done but it's an external threat sabotage on the other hand is an insider threat so malicious insiders can perform sabotage against an organization if they become disgruntled so you might that might manifest itself in the form of mass file deletion or somebody shutting down a bunch of
386:00 - 386:30 systems in the middle of the day we've seen in the news you know a handful of you know cases of of uh you know fabulously horrible sabotage where somebody carries out a not so clever uh malicious activity that results in damage to an organization and typically results in damage to the disgruntled employee who tries to carry it out so zero day exploits so a zero day exploit is an attack that uses a vulnerability that's either
386:30 - 387:00 unknown to anyone uh but the attack or or maybe only known to a limited group of people but for which there there is you know generally not yet a patch because it's it's zero day it's just just being revealed to the world so basic security practices can still often prevent zero day exploits from from being fully utilized to you know compromise our organization that's where a layered defense comes into play you know if we have a
387:00 - 387:30 zero day exploit on windows for example if we have a layered defense so our attack would be attacker can't get a foothold on that system can't get an employee to download a phishing email they can't exploit that zero day exploit so so basic security practices are often the the best defense against any any sort of zero day attack so i promised you log files was going to come up in this domain and here we are
387:30 - 388:00 so data is recorded in databases for example in different types of log files and it's not just databases cloud services for example any any cloud provider out there microsoft amazon google they're going to have logging that logs for example authentication attempts going to have logs around activities provisioning and de-provisioning activities the applications you're running will have logs firewalls have logs proxy servers
388:00 - 388:30 have logs windows and linux host have logs those those are just a few of many you do want to make sure that you're protecting your logs by centrally storing them somewhere making sure you're using permissions to restrict access because we don't want that that log to be modified in any way archived archived logs if we centrally store and protect them we can ensure that they cannot be modified if we're
388:30 - 389:00 archiving logs over to to to some storage medium for example we would want to make sure that there is some sort of read-only bit there to prevent modification that that storage is immutable that the the record stands and may not be modified because certainly when we move into into investigation mode and particularly where law enforcement is concerned and the legal process is concerned the integrity of that that audit trail is going to be very important
389:00 - 389:30 so monitoring is a form of auditing that focuses on active review of our log file data so this can be used to hold subjects accountable for their actions and it's also used to monitor system performance but but certainly by monitoring our logs we can we can find negative activity it's going to hold subjects accountable but if we're looking at example for a looking at a sign in log so our authentication
389:30 - 390:00 history we can find uh not only subjects potentially doing things that we're not uh that we've not authorized but you can potentially surface attacks from there right so if we have an identity that's compromised if you see that an employee in in toledo is is logging on from tunisia no offense to tunisia you know we know we have a problem right and and tools like intrusion detection systems or or security information event
390:00 - 390:30 management systems which is a centralized uh solution can automate monitoring and do some real-time analysis around these events so so we don't have to do a lot of manual investigation there systems out there that will do the heavy lifting for us and surface that uh questionable activity even sometimes automatically creating an incident for us and doing some scanning to help proactively find the scope and then we focus on uh moving the uh the
390:30 - 391:00 event forward from there so the value of audit trails i mentioned audit trails just a minute ago so these are the records that are created uh by recording information about events into into databases or log files so so if we look at a a server for example we're going to see events recorded around authentication around access around any action we take on a an application or a file on that system you know the same is true in the cloud we'll have what we call
391:00 - 391:30 both data plane and control plane logs up there that tell us about uh of events at different levels you know provisioning events deprovisioning events and then actions uh down within our resources we can use these audit trails to reconstruct an event to extract information about an incident we can use this to prove uh culpability in an event we can prove that somebody you know done it or or didn't do it
391:30 - 392:00 right and this is really a passive form of detective security control but but audit trails are essential evidence in prosecution of criminals so we have to make sure we have that we're collecting enough data so so when you're collecting data you need to make sure you're collecting data at a a level of verbosity that gives you an audit trail in fact windows is the easiest example i can give you here when you're when you're monitoring windows
392:00 - 392:30 many tools out there will ask you what level of monitoring you want to do and there's there's a level somewhere in the middle sometimes called common and it's flagged as this is the minimum level you can you can authorize that gives you the audit trail and if you drop below that then we have a problem right because we're missing uh potentially events that would factor into this audit trail so when you when you pair back your logging always have the audit trail in the back of your mind because when the chips are down when you have an incident when you
392:30 - 393:00 have a breach when there's criminal activity involved this audit trail is going to be important sampling so let's talk about flavors of sampling so sampling is the process of extracting elements from a large body of data to create a a meaningful representation or a summary of the whole so there's a process called statistical sampling that uses mathematical functions to extract meaningful information from a large volume of data so that's typically going to give us a more accurate representation if it's
393:00 - 393:30 done right than just a manual sampling and then there's clipping which is is a non-statistical sampling that records only events that exceed a specific threshold so there may be scenarios where where we only care about events that are over a certain threshold that are only focused perhaps on on a certain level of security clearance for example so so know the difference between sampling statistical sampling and clipping there's your high level difference that i've highlighted for you
393:30 - 394:00 and then maintaining accountability so so accountability for our individual subjects um happens through through auditing for example so a log records user activities and those users can be held accountable for their logged actions so so we talked about subjects and objects when we talked about security models a few domains back so remember the user is typically the subject so users and systems can access objects which are those resources
394:00 - 394:30 that we're we're concerned about this you know account maintaining accountability directly promotes good user behavior compliance with our security policy because it represents a deterrent control and in effect because folks know that the organization is watching and they are monitoring for compliance with the organization's security policy so security audits and reviews may come up on the exam
394:30 - 395:00 so security audits and reviews help ensure that management programs are both effective and actually being followed they're commonly associated with account management practices to prevent violations around lease privilege or need to know principles that we we covered earlier but they can also be used to oversee many programs and processes like patch management vulnerability management change management configuration management so having that that audit process in place so we can go
395:00 - 395:30 back and periodically check to make sure that our our management programs are not only effective but they're actually being implemented as they are documented you know common example we see folks get lazy with with change management or with uh with incident management and somebody will you know slip a change in without without proper documentation or you know a user for example calling somebody or chatting with a help
395:30 - 396:00 desk rep to get help on a problem without logging a ticket in in the help desk system as an incident or a a service request frequency of audits so so what is auditing i suppose it's probably good we start here so so auditing as a methodology is a methodical examination of an environment to ensure compliance with our regulations to detect any abnormalities unauthorized activities outright crimes
396:00 - 396:30 anything outside the scope of our security uh policy and it serves as a primary type of what we call a detective control and the frequency of the audit is based on risk and the degree of risk affects how often that audit is performed so the frequency is is how often it's performed and when risk is higher the frequency of audit will be greater we will we will audit more frequently
396:30 - 397:00 for those higher risk activities involving uh our most valuable assets or processes that that relate to our most valuable assets so secure it environments rely very heavily on auditing and regulations require we talked in a previous domain about internal and external audits so so secure it environments will will carry out their own internal audits frequently
397:00 - 397:30 and that helps them prepare for those external audits they really have their eyes on what is that external entity uh going to be auditing for and particularly for organizations that are subject to specific types of compliance uh you know the stakes are very high in those internal audits you know if you're uh if your organization uh is is beholden to say pci dss which relates to handling a credit card data for example internal audits to make sure you're compliant will be exceedingly important
397:30 - 398:00 so auditing and do care so security audits and and effectiveness reviews are key elements in in displaying what we call do care so without them senior management would would likely be held accountable and liable for any asset losses that occur so so what does do care well do care by definition means that our leadership are acting with common sense prudent management and responsible action that
398:00 - 398:30 they are not being negligent so in a supplemental session in the near future i'm going to talk about how we can decipher questions on the exam to get to the right answer more often and do care is an element we want to be able to recognize within the questions when it comes to do care i i say quite simply actions speak louder than words so we'll we'll touch on on deciphering that in questions in a
398:30 - 399:00 future session so let's talk about controlling access to audit reports so we carry out these audits they're going to be documented in a report and audit reports often contain sensitive information they're going to include the purpose of the audit the scope of the audit what what infrastructure applications you know assets did we look at and what was discovered or revealed by this audit and this can include uh your problems uh you know the standards were working under the the causes
399:00 - 399:30 of the deficiencies and our recommendations so this can be really revealing to uh a malicious entity if this falls into the wrong hands the uh the stakes and the and the potential damage can be great and really only people with sufficient privilege should have access so for example um our senior security administrators would have access to the full detail generally speaking because they're going to to have some response they have expertise in the area and they're going to have some responsibility in
399:30 - 400:00 remediating at that fine grain level of detail potentially senior management on the other hand doesn't need all of the nitty gritty detail right they need the high level summary where where are we as an organization they need to to meet their requirement for due care so they need to understand how are we doing as an organization in this area and if there's something to be remediated they can say hey we didn't do well here make it so and that closes the loop with with management but controlling access to audit reports
400:00 - 400:30 something you'll need to be aware of for the exam so let's talk about access reviews and user entitlements so an access review we've talked about this uh in we've talked about auditing so an access review is something of an audit that ensures that object access and account management practices support our security policy so this goes hand in hand with with user entitlement audits uh which ensure that the principle of least privilege is
400:30 - 401:00 followed and it often focuses on privileged accounts in fact in in some of your your cloud platforms they'll have a a privileged identity feature that will include an access review feature that you can schedule that can kick off and you know managers can can then be asked to perform the review and check the box to just say yes we still ne these individuals all still need this access some of these uh platforms will even include a self
401:00 - 401:30 review capability where an individual with with privileged access can proactively say hey i know you know that project is over i no longer need that access and they can give that access back or ask that it be removed so uh access review and and user entitlement kind of go hand in hand in my mind but but understand access review and user entitlement and you should be in good shape there so auditing your access controls is
401:30 - 402:00 something that needs to happen regularly really continuously in my opinion you want to be watching your your logon success and failure events this will surface attacks you know in the event of of you know mass uh logon failures you can find those malicious entities that are out there trying to to breach uh to compromise identities uh log on successes can reveal anomalous logon events logons that are happening in strange circumstances from unknown
402:00 - 402:30 devices unknown previously unseen locations for example we can we can look for uh anomalous resource or object access if we're thinking about subjects and objects as we talked about in in the security model the the resource the object access could be something that's spotted for example we see a mass file upload data exfiltration that's going to set off an alarm bell right intrusion detection systems and really a
402:30 - 403:00 lot of some of the modern security suites out there the security stacks that come from some of the big players can monitor these logs and and feed data into a central system that that has you know context of the different activities happening at your perimeter in email on your endpoints and identify those attacks and and notify administrators and those those suites uh you know those platforms are often automated auto reporting they're supported by ai they simply require you
403:00 - 403:30 to buy the right licenses and toggle the right switches to turn the features on deploy the agents etc but but in in modern times there's a lot of of intelligence and machine learning and ai even behind uh some of that detection and notification so let's talk about computer crime now when when crime and laws come up on the cissp exam they're largely going to be in the context of the united states though the big exception being gdpr
403:30 - 404:00 um so so some of my my comments around crime are really in the context of the the u.s system so a crime or a violation of a law or regulation is is something directed against or that directly involves a computer that is a computer crime so simple enough uh computer crimes are classified as one of the following six types so we have military and intelligence attacks business attacks
404:00 - 404:30 financial attacks terrorist attacks grudge attacks and thrill attacks these are almost entirely self-explanatory when you when you read them here right um there's a bit of a bit of additional reading here in the official study guide if you want to dig down um you know there's six degrees of kevin bacon and there are six categories of computer crime if you don't know what i'm talking about with six degrees of kevin bacon when you have nothing else to do go look that up and
404:30 - 405:00 you're certainly never going to forget at this point that i've tied these two things together and there are six types six categories of computer crime that you need to be familiar with e-discovery or electronic discovery so organizations that are expecting a lawsuit have a duty to preserve digital evidence and a process that's called e-discovery so that process would include activities like information identification and governance
405:00 - 405:30 preservation and collection of relevant data processing uh review and analysis of that data many times the the collection process is search driven or maybe it's tied to a specific subject you know the the subject remember being a user or a system uh when we get to process review and analysis even more often times human analysis and then uh production and presentation of that that evidence you have an organization is hit with a lawsuit
405:30 - 406:00 they will be asked to produce evidence that meets certain criteria and they would carry out these activities uh identifying the information preserving it collecting it reviewing it to make sure they have all the relevant data uh that meet the uh the legal request that typically comes from the court and then producing that information and a lot of times this involves the use of tagging classification target specific custodians so the custodian of
406:00 - 406:30 data would be the the person responsible for that data sometimes the person who who created that data generally speaking gathering information for investigation so so together sufficient information from equipment software and and data from from equipment that requires a couple of things it requires possession so we have to have possession of the equipment the software the data so we can analyze it to use it as evidence
406:30 - 407:00 and we have to acquire that evidence without modifying it or allowing anyone else to modify it uh in in the in line and without modification is super important in the legal process so law enforcement establishes a chain of evidence a chain of custody to document all who handle evidence so so where that evidence was from its original point of existence to its presence in front of a judge in a
407:00 - 407:30 courtroom is carefully tracked and accounted for so one can prove that it was not in the hands of some unknown or unauthorized party where it was potentially modified so alternatives to confiscating evidence so confiscation is is a an act an aggressive act of of going in through some legal means to to confiscate to collect evidence so we can
407:30 - 408:00 work on voluntary surrender so we can ask the person who owns the evidence to voluntarily surrender it for investigation we can use we can use the subpoena process uh where we where the the courts can compel a subject to surrender the uh the evidence we can use a search warrant uh which is most useful when you need to uh confiscate evidence uh without giving a subject an opportunity to alter it so when is it
408:00 - 408:30 when you want to collect a hard drive from a bad actor a search warrant is a great way to show up with with law enforcement and confiscate that evidence without giving advance notice to that that party so because you're going to discover some incidents after they've occurred you're potentially going to lose valuable evidence unless you ensure that
408:30 - 409:00 critical log files are retained for a reasonable period of time and you can retain your log files and your system status in place or you can do that in an archive uh and and how long is a reasonable period of time depends on the uh the sensitivity of the data the value of the assets to which they apply any regulatory requirements that may mandate a period of of data retention
409:00 - 409:30 data retention should really be defined in your security policies and defined uh individually for different uh you know data classifications or and different assets based on their their value their sensitivity their applicability in in certain regulatory uh requirements that your organization may face but data retention should be defined in your security policy so there's no question about this and when that time comes that you know an
409:30 - 410:00 incident has occurred maybe you don't learn about it for days or months or even years later you haven't lost that evidence because you put the appropriate retention in place so let's talk about evidence so in a word evidence is your proof in a a criminal proceeding when we're talking about crime so there are quite a few different types of evidence the best evidence is original secondary evidence
410:00 - 410:30 would be a copy direct evidence proves or disproves an act based on the five senses most often meaning something that was was seen and or heard in the first person you have conclusive evidence so incontrovertible meaning it just can't be disproven we have you know the act on a camera we we see it in
410:30 - 411:00 in live action so there's no question uh what was carried out circumstantial evidence on the other hand where the action maybe wasn't seen directly but it can be inferred from other information this often comes up in financial crimes for example corroborative corroborative evidence corroborative evidence that's a a lot of syllables there supporting evidence uh that cannot stand on its own it has to
411:00 - 411:30 have other other evidence alongside to be useful um opinions there are expert opinions and non-expert opinions so you'll see expert witnesses in court there to support you know one party or the other's opinions or their assertions by providing their expert opinion on a topic there's hearsay which is evidence not based on firsthand knowledge so so it wasn't um
411:30 - 412:00 wasn't uh seen or heard it's not provable through a first party's five senses but you know maybe somebody else some some intermediary heard something and can provide some some information around the event but your evidence has to be relevant complete sufficient and it has to come has to be reliable it has to come from reliable sources there has to be a chain of custody
412:00 - 412:30 so let's talk about evidence admissibility and taking all of this with the understanding that i am not a lawyer right i am giving you cissp driven information and a lot of time watching crime dramas on television uh so types of evidence that may be used in a criminal or civil trial so so according to the official guide here there's real evidence that consists of actual objects that can be brought into a courtroom there's uh documentary evidence which consists of
412:30 - 413:00 written documents that can provide insight into the facts there's testimonial evidence which consists of verbal or written statements made by witnesses so be familiar with these three for the exam for sure so requirements for evidence to be admissible in a court of law so so the evidence has to be relevant to a facted issue in the case it has to be material to the case they it's also stated that the evidence
413:00 - 413:30 must be competent or legally collected now you've heard the word competent when talking about someone being competent in a particular skill so let's talk about what that means in the world of evidence evidence is considered competent if it complies with what we call traditional notions of reliability so that the court that the court is satisfied that the the source and the handling and the type of evidence all fit into the
413:30 - 414:00 the traditional notions of what is considered reliable and dependable evidence so let's talk about collecting evidence so so when do we need to collect evidence well really as soon as you discover an incident you want to collect evidence and as much information about the incident as as possible because we can use that in a subsequent legal action or potentially in finding the attacker's identity and evidence can also assist us in determining the extent of damage so when we tackle this sooner rather than
414:00 - 414:30 later there's less less information to go through often this goes hand in hand of course with with that audit trail and logging and data retention there but but collecting sooner rather than later is going to improve our chances of success and where people are involved will find individuals memories will be fresher and their recall better when we're talking to them shortly after an incident as opposed to months later so you'll need to know the common types of natural disasters that may threaten
414:30 - 415:00 an organization those will include earthquakes floods storms tsunamis you know tidal waves volcanic eruptions and what what your organization is exposed to is largely dependent on your physical location if you live on the coast uh hurricanes or typhoons may be common if you're in the pacific rim volcanic eruptions if you're exposed to earthquakes earthquakes also are a source of tsunami so an earthquake
415:00 - 415:30 can cause a tidal wave so those kind of go hand in hand man-made disasters you want to be familiar with as well for the exam these could include explosions electrical fires terrorist acts power outages other utility failures and you remember in an earlier domain we talked about you know dealing with fire as one example so let's talk about disaster recovery so you will be expected to be familiar with the different types of recovery sites so let's start with hot warm and cold sites
415:30 - 416:00 so a cold recovery site a recovery cold site essentially is just a data center space it's power and network connectivity that's ready and waiting when you need it to recover your engineering team is going to move your hardware into the data center and get you back up and running so that's going to be a lower cost it's going to be higher effort to recover because you really have an empty room waiting for you to move equipment and there your infrastructure in there to get things running again so recovery time will will also be
416:00 - 416:30 longer so a warm site uh what we call a preventative you know warm site allows you to pre-install your hardware pre-configure your bandwidth needs when when you have that disaster all you have to do is load your software and your data to restore your business systems it's going to be a bit less effort it's going to be a little more expensive so the cost and effort are somewhere in the medium range if i'm i'm comparing this relative to cold and hot sites so the proactive hot site allows you to keep servers and
416:30 - 417:00 a live backup site running and really you're replicating your production environment in that data center so recovery means uh you can you can immediately cut over in case of a disastrous primary site so a hot sites you know typically going to be a must for mission critical site that's going to be more expensive the effort to recover is going to be less uh your failover is going to be uh quicker so going down that road recovery sites and those three recovery sites hot worm cold we're really thinking about
417:00 - 417:30 you know what i described there sounded like infrastructure right so talking about types of recovery sites there's a the concept of a service bureau this is a a company that leases computer time service bureaus own large server farms and often fields of workstations so they can uh i see service bureaus in helping get you know end users back online and running you know these may be on-site or remote you could have employees go to a service bureau they could just remote into a system that's configured to do what you needed to do
417:30 - 418:00 um mobile sites these are you know a non-mainstream alternative to traditional recovery sites they typically consist of self-contained trailers or other easily relocated units and and you know strategy involving multiple sites is just what it sounds like and it may mix and match some combination of the aforementioned options but having multiple sites that you could recover depending on the the nature of and the scope of the uh the disaster
418:00 - 418:30 so rpo and rto these are acronyms you will want to be very familiar with you'll want to know the difference so so rpo is a the recovery point objective this is the age of the files that have to be recovered from from backup storage for normal operations to resume if the system or network goes down and the recovery time objective is the duration of time and a service level within which a business process has to be restored after a disaster to avoid unacceptable
418:30 - 419:00 consequences so rpo and rto these tend to go hand in hand but be familiar with the definition of each mutual assistance agreement so these are are fairly rare in my experience so so just the pros and cons here so a mutual assistance agreement is where entities agree to provide assistance to one another before during and after an emergency uh event to facilitate rapid uh
419:00 - 419:30 mobilization of personnel equipment supplies uh you'll see this happen between you know government agencies at various levels this can happen between commercial organizations as well uh and and this can be mutually beneficial because it can provide an inexpensive alternative to disaster recovery sites where maybe organizations agree to provide some sort of failover capability for one another um you know it does come with some some negatives you know certainly it's it's less expensive the risk you know of organizations participating
419:30 - 420:00 in an mma is that your partners may be shut down by the same disaster and mmas can raise confidentiality concerns um why are these not so common well they're not commonly used for one reason because they're difficult to enforce certainly the risks make them less common but they're difficult to enforce as well if one side lets the other down then it comes down to courts and paperwork and that doesn't help anyone so you see here the four main steps of
420:00 - 420:30 business continuity planning straight from the official study guide you'll be expected to be familiar with these steps so you want to memorize the steps know the goal of business continuity planning as well which is the uh quick calm and efficient response in an emergency to enhance a company's ability to recover from a disruptive event promptly and of course this goes hand in hand with disaster recovery and and you'll see business impact analysis mentioned
420:30 - 421:00 in the official study guide but really really not a lot of detail around there so focus on dr focus on uh some of the basics around business continuity planning you should be good to go there so a few bcp definitions that are definitely worth knowing for the exam so there's the uh the business continuity plans that's the overall organizational plan for how to continue the business right there's the continuity of operations
421:00 - 421:30 plan the plan for continuing to do business until the i.t infrastructure can be restored there's the disaster recovery plan the plan for how we recover from an i.t disaster and having that infrastructure back in operation so continuing down this list business resumption plan the plan to move from the disaster recovery site back to your business environment or back to normal operations meantime between failures so a time determination
421:30 - 422:00 for how long a piece of it infrastructure will continue to work before it fails and then the mean time to repair a time determination for how long it will take to get a piece of hardware software repaired and back online and then finally max tolerable downtime this is the amount of time we can be without an asset you know having it unavailable before we have to declare disaster and initiate our disaster recovery plan
422:00 - 422:30 so i i gave you the kind of core dictionary definition of business continuity planning but let's talk through the core goals of disaster recovery and bcp so minimizing the effects of a disaster essentially by improving responsiveness of our employees in different situations easing confusion by providing written procedures and participation in drills and helping folks make logical decisions
422:30 - 423:00 during a crisis so just the act of practice and documentation and repetition ensures that folks are trained in what they need to do so there is less thinking under extreme stress so it improves our organization's response because we've we've documented it we understand our priorities we know what we're to do because we can simply look at the plan and move forward in a variety of different situations
423:00 - 423:30 there are five types of disaster recovery plan tests you want to be familiar with and and you know i just mentioned repetition and practice are important right so you have five five tests you'll want to be familiar with i'll call them out and then we'll discuss them there's the read through test there's the structured walk-through there's the simulation test the parallel test and the full interruption test so let's talk through each of these briefly so the read-through test you you
423:30 - 424:00 distribute copies of the disaster recovery plans for review there's the structured walkthrough where the members of the disaster recovery team get into a big conference room and they role play in a disaster scenario usually the exact scenario is only known to the test moderator who presents the details to the team at the meeting some folks will call this a tabletop exercise because we're around a big conference table and we have the plans in our hands and we're talking through a scenario
424:00 - 424:30 but the the moderator will know the scenario the team members will refer to the document and discuss appropriate responses to that particular type of disaster so this is a first step in ensuring that the plan is uh appropriate and actionable and complete because we can answer you know what is that appropriate step in a variety of circumstances now what do these two have in common well so far uh everything we're talking about these are all talk right we're not we're not testing anything we are talking through we're reviewing a plan talking through
424:30 - 425:00 scenarios now we move into a simulation test this is uh similar to a structured walkthrough that we just talked about except in this case some of the response measures are then tested generally on non-business critical functions and then there's a parallel test which involves relocating personnel to the alternate recovery site and implementing site activation procedures the employees relocated perform their disaster recovery responsibilities just as they
425:00 - 425:30 would for an actual disaster and then there is the full interruption test which is like parallel tests but it involves actually shutting down operations at the primary site and shifting them to the recovery site so these are the five types of plans and you will you will find that organizations generally speaking require that they validate these plans in inaction at least annually some some more often i find folks that leverage the cloud for their backup site are able
425:30 - 426:00 to test these a little more aggressively sometimes twice a year or even more but but these three uh recovery plan tests these all involve some form of doing right from from something fairly non-invasive to you know that full interruption test which is uh very thorough and and you're very complete so a couple of related terms there's a recovery team which is used to get business critical functions running at the alternate site there's the salvage
426:00 - 426:30 team which is used to return the primary site to normal processing conditions so if you see any talk around recovery versus restore the recovery team as the name indicates is responsible for recovery and then the salvage team is your restore group and the official guide calls out some backup strategies you should be familiar with particularly around databases they mention uh electronic vaulting so transferring database backups to a remote site is part of a bulk transfer
426:30 - 427:00 remote journaling which is transmitting only the the journal of the transaction logs to the off-site facility a lot of your database platforms will have a replication capability that can do do some of these there's remote mirroring where a live database server is maintained at the backup site this is going to be the most advanced database backup solution it tends to be the most expensive it's going to require some expertise in configuring the the mirroring or replication that gets that live copy over there
427:00 - 427:30 and i'm going to mention categories of disruption i'm not sure you'll see this on the exam i know i spotted this in the uh the the common body of knowledge for cissp at some point but i had this in my study notes so the three main categories of disruption you have non-disaster which is a disruption in service from a device malfunction or a user error a disaster where an entire facility is unusable for a day or longer a catastrophe which is a major disruption that destroys the facility
427:30 - 428:00 altogether and that requires a short-term and a long-term solution i'm not sure you'll see these on the exam i wanted to throw these out there just in case i think they're pretty easy to remember and that does it for domain 7. and rounding out our core domains domain 8 software development security so we'll start with what's new in domain 8 and we do see some additions here in
428:00 - 428:30 the syllabus in 8.2 identify and apply security controls and software development ecosystems so we see in their program languages libraries tool sets integrated development environment runtime code repositories uh continuous integration and continuous delivery often abbreviated as ci cd uh security orchestration automation and response we covered soar
428:30 - 429:00 uh back in in domain three because i wanted to talk to you about soar with uh with sem at the same time because those two components are delivered together so consider soar sore the sore box checked off and then software configuration management so we need to talk about all of these new topics in an existing subdomain effectively so code repositories this is where your source code and your related artifacts like your libraries are stored so how do you handle source code securely is is
429:00 - 429:30 the question you really want to be able to answer don't commit sensitive information to your code repository we're not going to store secrets on disk right we want to protect access to our source code repository so we need to have role-based access control we need to have authentication and authorization in place sign your work you know code code signing is a form of you know integrity keep your development tools your ide
429:30 - 430:00 your development environment up to date so that might be visual studio visual studio code is the the most common ide today maybe you're old school and you're using notepad plus plus whatever you're using to write your code your ide keep it up to date most code repositories in the world today use git which is the most widely used modern version control system was actually invented git was invented by linus torvalds the inventor of linux
430:00 - 430:30 um but but that's integrated development environment and that's all i'm going to mention about it there so the main thing you need to know from a security perspective about your ide is keep it up to date keep it patched uh code libraries which i mentioned a moment ago for for some important core functions code libraries can actually improve application security and reduce risk versus writing a function from scratch so for example certain languages can be prone to certain kinds of attack so so c is as
430:30 - 431:00 an example um you know they use safe memory allocation and string manipulation libraries to reduce the risk of buffer overflow attacks um other good uses for a lot good examples of where a library could fit in and you know improve our security libraries that help us with encryption or handling secrets or bulk data transfer you know utility functions that are very important that somebody else has probably already written more effectively and completely than we could
431:00 - 431:30 so when we get to talking about code scanning i'll mention runtime so let's just talk about what runtime is exactly so runtime describes the period of time during which a software program is actually running so this is where dynamic application security testing evaluates the security of an application while it's it's actually running assessing software security at runtime is is oftentimes the only option for purchase software because you don't have access to the source code
431:30 - 432:00 but but when you have access to the source code both source code and runtime scanning doing both of these is a best practice you want to you want to scan your code and look for for vulnerabilities poorly written code code that may be uh prone to buffer overflows for example uh or or injection you know we see forms that that don't have proper input validation that means they may be uh and you know prime for for injection attacks for containers when we're thinking about docker and
432:00 - 432:30 kubernetes uh you know scanning our container images at build time is important because many times in the in the the container world your container is is built your container image is built on base images that come from the open source world so you want to make sure there's no malware all the way down uh through the layers of your uh your container image and you want to have a solution to scan the runtime environment to make sure your containerized application is secure and
432:30 - 433:00 proper isolation is in place i don't think you need to know quite to that level of detail but but what i wanted to impress upon you here is when it comes to code if you have access to the score the source code you want scanning there you want to also scan uh runtime we'll talk about how that happens together and then for containers i just wanted to mention similar reality we need to scan our images at build time and at run time so so cicd you're going to hear this phrase a lot in the world of devops and
433:00 - 433:30 devsecops this is continuous integration and continuous delivery sometimes continuous integration and continuous deployment the d may be expressed differently depending on who you're talking to all means the same thing so securing our delivery pipeline ci cd is how we deliver uh frequent uh and and effective application releases you know multiple releases a day for example uh so to secure that
433:30 - 434:00 pipeline that that release pipeline we call it we need to implement identity and access management including mfa we need to make sure we're restricting who can get into our pipeline to to see and edit that configuration so authentication and authorization we need to store secrets securely and scan our code to make sure we don't have hard-coded secrets you don't want hard-coded secrets in your code you don't want to store them on disk implement role-based access control least privilege access into the
434:00 - 434:30 environment so so you may have a small number of people that have the ability to reconfigure your delivery pipeline and you have others that can come in and maybe run your pipeline and others that can maybe only read the pipeline um automating vulnerability scanning in your pipeline is an excellent idea and most of your your platforms that provide cicd a platform for ci cd many of these these platforms have some
434:30 - 435:00 sort of automated vulnerability scanning capability either natively or through a third party that you can plug into the pipeline to scan at the appropriate time so you can scan your source code etc and release versioning will improve recoverability and and also tracking issues if you have a well-established versioning system for your software i don't believe on an exam like the cissp you're going to be tasked to to talk about effective versioning in detail but just know that release versioning
435:00 - 435:30 will improve recoverability because you'll you'll be able to track issues against different versions of your software uh and this can help you uh you know track current issues but also spot to spot uh regression bugs so bugs that you know resurface that you know are maybe present in an earlier version and written out and somehow creep back uh so let's talk about configuration management so so configuration management tracks the way systems are set up both for for hardware
435:30 - 436:00 and software and os and application settings software configuration management is a phrase you might hear you might also hear it expressed as security configuration management focus on the configuration management piece okay so baselining is an important component of configuration management it's a set effectively a snapshot of an application or a system with an application on it at a given point in time you should also create artifact also create artifacts that might be used to help understand the system
436:00 - 436:30 configuration this can be documentation this can be a diagram and and within configuration management you have system level versioning component level versioning to establish uh you know the the software uh hardware and configuration versions of a system so you you know what you're running on today and you can roll you know roll forward and roll back you know should you have uh problems in a release
436:30 - 437:00 so uh applications depend on compute resources and software components so so your configuration management is going to uh to cross that boundary between hardware and software they both need this capability and you need it in an integrated sense to to to basically track the configuration across an entire system so on a web server for example you know i want to know you know what version of different
437:00 - 437:30 frameworks i'm running what version of uh of uh you know java what jvm am i running you know if i'm running the.net framework what version is that what version of my web server do i have there the os the patch levels etc all of that can be important uh because your software will have a certain dependency so let's talk about code scanning so there's static application security testing so this is analyzing computer software performed without actually executing
437:30 - 438:00 programs so the tester basically has access to the underlying framework the design the implementation so the key characteristic of static application security testing is it requires source code dynamic application security testing on the other hand involves actually executing the application the tester doesn't necessarily have any knowledge of the technologies or frameworks the application is built on and no source code is required an
438:00 - 438:30 important distinction it's often said that static testing tests the application from the inside out and dynamic testing is considered outside in testing and that does it for what's new in domain eight so i'd like to take a look at the syllabus and talk about everything that's not new that i think is important for you to be prepared for on the exam so an 8.1 understand and integrate security in the software development life cycle 8.2 we just covered a lot of
438:30 - 439:00 what's new here which was security controls in development environments 8.3 is assessing the effectiveness of software security 8.4 assessing the security impact of acquired software and 8.5 defining and applying secure coding guidelines and standards there's going to be a lot of process memorization for you in 8.5 so let's start
439:00 - 439:30 with relational database management systems rdbms is the acronym you need to know the basic architecture of relational databases so relational databases contain tables sometimes called relations these a table will contain a number of fields and each attribute corresponds to a column in the table and and i'll talk you through these and then i'm going to show you an example which will lock this in for you so rows
439:30 - 440:00 are essentially data records so one row of data is a record so if it was a database of employees i would be a record you would be a record that would be a row and r and rows are sometimes called record sometimes called tuples typically you're going to hear tables and rows when you're talking to people speaking in plain language but it's a record and then a column uh is a set of data values of a particular type so a column in a
440:00 - 440:30 in a record for example a first name would be a column last name would be a column job title would be a column these are sometimes called fields or attributes and continuing down this row set with with databases i mentioned there's a table right so this is the table right here that's the table so it consists of the the rows and the columns so there's a row that shouldn't surprise you there and
440:30 - 441:00 you'll notice that there's a a company id column there that's that's probably a key a primary key we'll talk about keys in just a moment and then there's a column so let's talk about keys in the context of relational databases so you have the concept of a candidate key so a candidate key is composed of any set of attributes that can uniquely identify any record in a table so no two records in the same table will ever contain the same value for all attributes that
441:00 - 441:30 compose that key so for example first name and last name in an employee database would be pretty good until you have a second employee with the same name as the first person at the moment there are two john smiths that's no longer a good key that's where another column like employee id could come in very handy to uniquely identify any record in that table there can be one or more candidate keys per table now the primary key is selected from the set of
441:30 - 442:00 candidate keys there's only one of these per table it's set by the designer so it's chosen at design time and then there are foreign keys i'll need to show you just a quick example of this foreign keys are used to enforce relationships between two tables in a relational database it enforces what's known as referential integrity so it ensures that if one table contains a foreign key it corresponds to a still existing primary key so what do i mean by that
442:00 - 442:30 let's just have a look so i have here uh the picture of an e-commerce application and this application is one that allows customers to give gifts to one another so we can have customers giving gifts but also receiving gifts so in the the customer table on the left you'll see that we have a customer id right that is the primary key of that table as noted by the pk
442:30 - 443:00 and over in the gift table you'll notice there are two foreign keys one of those is customer id the other is receiver id so there are two relationships between this table there is the idea that a customer is the giver of the gift and also the idea that a customer may be the receiver of the gift so there is a primary key foreign key relationship there between customer id and then over in the gift
443:00 - 443:30 table either customer id or receiver id since that can go in either direction as giver or receiver so if i were to so bottom line if i were to try to delete a customer id the database of the relational database management system should stop me because there is a relationship between these tables i shouldn't be able to delete that record that contains that primary key that is referenced over in that other table where that foreign key relationship
443:30 - 444:00 exists so it enforces referential integrity it's also going to prevent changes to the design of the database in a way that would break that referential integrity so also we'll want to talk about common relational database management threats the two called out in in the exam essentials are the aggregation attack and the inference attack so let's take a look at each of these
444:00 - 444:30 the aggregation attack is based on the individual's ability to create sensitive information by combining non-sensitive data from separate sources so a common example here is a records clerk in the military processing a transfer request for a specific sergeant for example so sergeant smith's transfer request from base a to base b is not sensitive but if that records clerk has access to transfer requests across all the bases if they can use their aggregate access
444:30 - 445:00 in databases to establish say troop numbers located at each base around the world those troop levels would comprise very sensitive information so need to know and least privilege can prevent aggregation attacks and then we have the inference attack which is based on the individual's ability to deduce or assume sensitive information from observing non-sensitive pieces of information
445:00 - 445:30 so for example let's say the accounting clerk in our company has access to salary data but they don't understand which salary data maps to any individual employee now if that accounting clerk can see the salary data from march and they know that only one person was hired in march and they then see the salary data in april they could potentially deduce the salary of that single individual person hired during that period of time so they are deducing
445:30 - 446:00 that information so to prevent an inference attack blurring data meaning providing only data that has been rounded to the nearest level figure like a hundred thousand or a million can help with that database partitioning can help that sort of of attack but the difference here is aggregation attacks are based more on math and inference attacks are based more on human deduction so that's how i'd keep those two separate in your mind for the exam and a
446:00 - 446:30 few other attacks that affect rdbms systems that we've talked about previously include sql injection time a check time of use back door and denial of service to name a few now you'll also be expected to be familiar with the various types of storage and their relative cost and performance on the exam and by relative cost and performance i mean less expensive more expensive faster slower volatile non-volatile etc so so not actual numbers or costs just relative uh
446:30 - 447:00 or comparative costs so there's primary memory which is your ram that's available directly to the the cpu uh volatile ram and we'll talk about volatile and non-volatile in a moment but this is directly available to a system cpu this is going to be the most high performance storage available and operations happening in memory uh are generally speaking always faster than operations that involve writing data out to a disk or storage of some
447:00 - 447:30 sort so secondary storage can consist of of less expensive non-volatile storage available for for long-term use this would be any sort of tape disk hard drive magnetic or optical media cd dvd there's virtual memory now this is interesting if you're not familiar with with virtual memory and operating systems this allows a system to simulate additional primary memory resources through the use of secondary storage so
447:30 - 448:00 for example on a windows system you'll have a setting in the operating system that defines virtual memory by default and if a system is low on on real memory on ram it can make hard disk space available for direct cpu addressing so it creates a memory space on disk so to speak so it can flush data out of real memory to the disk so it can then work in memory how virtual memory works exactly is not
448:00 - 448:30 super important but understand that virtual memory is when a system low on ram makes a disk available for direct cpu addressing moving on here virtual storage this allows a system to simulate secondary storage through the use of primary storage so we said primary storage was ram right that was the the fastest most high performance
448:30 - 449:00 uh now if we're using if we're simulating secondary storage through the use of primary storage we said secondary storage was your non your non-volatile media right so what happens in this case is what we call a ram disk is a great example so it provides a very fast file system for apps but no recovery capability because it's simulating a disk it's it's simulating disk storage
449:00 - 449:30 in memory but it allows us to perform a a file system type operation very quickly it just doesn't have recovery capability because it's sitting in volatile media it's sitting in ram random access storage just allows the operating system to request the contents from any point within the media so ram and hard drives are random access storage now sequential access storage on the other hand requires scanning through
449:30 - 450:00 the entire media from the beginning to reach a specific address a great example of this is magnetic tape backup tapes perfect example of this old-school uh magnetic storage i mentioned volatile and non-volatile so let's just sort that out right quick so volatile storage loses its contents when power is removed from the resource ram that we talked about primary storage the most common example when the system goes down the contents of ram
450:00 - 450:30 are gone because it is volatile storage which means that non-volatile storage by comparison uh does not depend upon the presence of power to maintain its content so certainly magnetic optimal and optical media and non-volatile ram uh would be a couple of of many examples now really any storage you can imagine that uh doesn't lose its contents when it's not connected to power uh that's a good
450:30 - 451:00 example of non-volatile storage so machine learning and neural networks you you'll be expected to have some fundamental knowledge here of of a few uh terms so let's start with expert systems so expert systems consists of two main components there's a knowledge base that contains a series of if then type rules and an inference engine that uses that information to draw conclusions about other data
451:00 - 451:30 but essentially you have the knowledge base that contains you know vast numbers of records of information and then you have the inference engine that evaluates that knowledge to draw conclusions the machine learning techniques that attempt to algorithmically discover knowledge from data sets so using machine learning algorithms and then neural networks so neural networks simulate
451:30 - 452:00 function of the human mind they also require extensive training on a particular problem before they can offer solutions i think those will be the two most uh distinct characteristics of a neural network so know these three for the exam systems development we're really talking about software development here so there's agile which uh places emphasis on the needs of a customer and quickly developing and
452:00 - 452:30 iterating uh in our solution so basically rapidly creating new iterations or new versions of the uh the eventual uh software product so agile is designed to be exactly that agile very responsive to customer needs now waterfall on the other hand describes a sequential development process that results in development of a finished product so waterfall is less
452:30 - 453:00 less responsive i feel like agile and waterfall represent sort of opposing strategies if you if you ask me to pick what's the opposite of agile in terms of software development models i would pick waterfall and we'll we'll look at waterfall agree in greater depth in just a moment and then there's spiral which uses several iterations of the waterfall model to produce a number of fully specified prototypes so spiral really
453:00 - 453:30 addresses some of the problems that we see with with waterfall in fact let's just have a look at those right now so we'll start with agile so agile's a model for software development that's based on four principles individuals and interactions over processes and tools working software over comprehensive documentation customer collaboration over contract negotiation and responding to change over following
453:30 - 454:00 a plan so the idea here is that we can produce a result that is more effective it's it's closer to what the customer wants it gets us to the finish line faster because we can pivot very quickly based on changes in requirements or changing changes in our understanding as we we build the product and and go through new experiences for example user experience testing may tell us that we need to pivot and and change the way
454:00 - 454:30 we're building software and agile is intended to be very responsive in that respect so know those four principles individuals and interactions over processes and tool working software over documentation collaboration over over contracts and responding to change over following the plan agile was actually first described in the manifesto for agile software development that was released back in 2001 and i really started seeing agile back in
454:30 - 455:00 the the early 2000s 2007 and beyond all right the waterfall model is a seven stage process that allows a return to the previous stage for corrections and to make sure that for the cissp exam you look at the seven step waterfall model that is defined defined in the book you will find versions of waterfall that out on the internet that tell you there are only six steps but you see it
455:00 - 455:30 goes from system requirements to software requirements to design to coding and debugging to testing and operations and maintenance so so the waterfall sort of visualized for you there but waterfall i mentioned also allows a return to the previous phase from each phase so each phase can only go back one one phase for correction so so it's by design less flexible
455:30 - 456:00 less agile if you will than agile pun intended and then there's the spiral model so the spiral model is a software development life cycle model that allows for multiple iterations of a waterfall style process so it's known as a a meta model or a model of models each loop of the spiral you see on the right there results in the development of a new system prototype a new iteration if you will
456:00 - 456:30 so it provides a solution to the major criticism of the waterfall model it allows developers to return to the planning stages as demands change so in a word it adds that for that property of of iterative it makes it more flexible so it allows us to leverage you know a waterfall style process in a more customer focused responsive way and allows us to iterate quickly through our through our our product designs
456:30 - 457:00 so software development maturity models these help software organizations improve maturity and quality of their software processes by implementing an evolutionary path from ad hoc development chaotic processes where everybody is kind of on their own they're not really following any sort of organized process or plan and moving to a state of more mature disciplined software processes so for the cissp exam you will want to be
457:00 - 457:30 familiar with the software capability maturity model the sw-cmm and the ideal models so software capability maturity model it's a five-step model for measuring software development organizations so level one is no plan level two is implementation of a repeatable process a
457:30 - 458:00 basic life cycle management it's called level three is defined where we have a documented software development process level four is managed this is where we now have quantitative measures meaning we can reliably measure performance to gain a detailed understanding of results and where improvements can be made and then optimized a continuous development process with feedback loops
458:00 - 458:30 this is the top of the mountain i like to think of this in the world of devops i would call this continuous integration continuous deployment continuous release it's sometimes called but cicd so so this is where we have a high level of maturity and we can release software often and reliably and then the ideal model is a model for development that implements many of the the software capability maturity model
458:30 - 459:00 so there's initiating where our business reasons are outlined support and infrastructure for for the initiative are put in place we have diagnosing where engine engineers analyze the current state of the organization and make recommendation we have establishing where the organization takes those recommendations and they develop plans to achieve those changes acting putting the plan into action and learning so the organization continuously analyzes their efforts
459:00 - 459:30 and proposes new actions to drive better results but notice that for each stage there that's your acronym ideal initiating diagnosing establishing acting and learning i think that's probably all the uh the the memory aids you need to uh to remember ideal this was one of those that since it was based on uh based on an acronym i didn't actually create a memory device to try to remember it i just remember
459:30 - 460:00 the and it's a very logical process right so let's talk about change in configuration management in the context of software development so there's request control which require provides an organized framework so users can request modifications and and managers can look at those ch those requests and basically perform a cost benefit analysis they can prioritize these tasks prioritize the development backlog is the request reasonable is it affordable is it something many other customers
460:00 - 460:30 want for example there's change control this is used by developers to uh to recreate the uh the situation encountered and to analyze the changes to remedy the situation and then there's release control so once the the changes are finalized they can be approved for release through the release control procedure so it should also include acceptance testing to ensure that the
460:30 - 461:00 alterations are were actually understood they were developed as as intended as requested and they are functional so changes in this case really mean code changes that result in functionality changes in the uh the software next up is software testing so we have to test software thoroughly before we distribute that software and the programming team generally speaking should develop special data sets that allow us to exercise all the
461:00 - 461:30 paths of of software navigation in an application to the fullest extent uh that that's feasible and some tests may be automated and others may be manual so user experience testing for example that's typically going to be a manual test where a real person performs tests according to a plan and reports back their experience they perform a task they look at the actual result versus the expected result for example and many other types of tests
461:30 - 462:00 may be automated for example if i want to to test to see if fields in a web form are susceptible to buffer overflow i basically need a way to to replay you know input of a bunch of different values from from a special data set to make sure that my application never throws an error that it always responds as i expect so that's something i could likely automate unlike user experience testing
462:00 - 462:30 virus propagation techniques this is something that may come up on the exam and there are four main propagation techniques you want to be familiar with the first is file infection which infects different types of executable files and trigger when the operating system attempts to execute them so on a windows system for example that's going to be dot exe and com files generally speaking there's a service injection attack and
462:30 - 463:00 service injection uh escapes detection by injecting themselves into trusted runtime processes in the os so on windows for example that could be servicehost.exe winlogon or explorer.exe boot sector infection which essentially just infects the legitimate boot sector and it's loaded into memory during the operating system load process so when you boot the system up or reboot the system and then there's macro infection which spread through code and macros like
463:00 - 463:30 visual basic for apps in microsoft office docs antivirus software so antivirus software comes in in a couple of different flavors so uh many in years past use signature-based detection algorithms to look for telltale patterns of known viruses and and many still use this it is critical that signatures are updated frequently for example on the windows platform is the best example i know to give you we'll see multiple updates daily
463:30 - 464:00 now modern antivirus increasingly operate using behavior-based detection too monitoring target systems for unusual activity and either blocking it or flagging it even if it doesn't match a known malware signature and and modern anti-driver modern anti-virus often relies on some ai driven or machine learning driven intelligence and some modern antivirus software will have you know a cloud connection where it can
464:00 - 464:30 send off samples to to get some input from a cloud-based system that can perform some additional analysis and given that in the modern age you know many uh threats are seen once and never again they're unique behavior-based detection is an absolute requirement so the the the study guide mentions that it's increasingly common everybody's doing this i'll just tell you right now
464:30 - 465:00 so techniques to compromise password security you want to be familiar with all of these so we have password crackers which are designed to basically take credential data stolen in a breach and extract passwords from it and the methods password crackers will use will vary widely dictionary attacks these use a large dictionary file with thousands of words and it basically runs an encryption function against all the words to obtain their encrypted their hashed equivalents
465:00 - 465:30 um but it's using existing words where whereas a brute force attack is when the attacker tries to attempt all possible combinations of a password to gain access to an account so so actually a dictionary attack is a type of brute force attack where the attacker instead of trying to try all possible combinations they try passwords from a dictionary file social engineering attacks these consist
465:30 - 466:00 of simply calling the user and asking for their password or more often posing as a technical support representative or other authority figure who needs information immediately you even see these carried out over the phone where someone will call and say that they are from microsoft support and they need your password or they're from apple support and you need to give them a password and you need to pay them some amount of money to help you
466:00 - 466:30 these are attacks that sometimes feel very realistic i do remember once i was actually traveling internationally and i was on my way back home and someone called me while i was in an airport lounge and said hey i'm on the phone with apple support they're asking me to buy these gift cards to to pay them for support because there's there's a breach on my ipad completely social engineering attack you know the that that sort of demand is
466:30 - 467:00 never going to come from microsoft or apple or any legitimate company and i was thankfully for them able to to advise them and to stop that so social engineering is as powerful a way to stop social engineering is through security awareness training number one countermeasure root kit rootkit is a piece of software freely available on the internet it's used as a second step by attackers to exploit known vulnerabilities to enable attackers to elevate or escalate their privilege to gain greater
467:00 - 467:30 privilege on the system once they have established residence so let's touch on application attacks which are used by attackers to go after poorly written software to exploit poorly written software the most common you'll likely hear about is the buffer overflow where a developer does not validate user input to ensure that it's of an appropriate size this is really common in web forms and if the form doesn't validate the input
467:30 - 468:00 the user can potentially input data that is too large and it can overflow the memory buffer causing an error a buffer overflow air there's a back door this is an undocumented command sequence or sequences that allow individuals with knowledge of the back door to bypass normal access restrictions often used during development and debugging and in the worst cases you know unintentionally or even intentionally left there after
468:00 - 468:30 development and debugging there's time a check to time of use attacks which is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request so it's a timing issue and rootkit which is escalation of privilege so rootkits are freely available on the internet and they're intended to exploit known vulnerabilities in various
468:30 - 469:00 operating systems enabling attackers to elevate privilege so you'd see this in an escalation of privilege attack scenario web application vulnerabilities there are two very common web app vulnerabilities you want to be aware of and and you'll find that there are vulnerabilities that compromise front-end and front-end you know web interfaces or web systems and back-end databases and sometimes they're using the front-end
469:00 - 469:30 to compromise or access the back end so there is the cross-site scripting which is a type of injection attack in which malicious scripts are injected into and or otherwise benign and trusted websites so these occur when an attacker uses a web application to send malicious code to a different end user they occur when web apps contain reflected input you know for example i put my name into a field on a
469:30 - 470:00 form i hit submit and it says hello pete sql injection attack so these use unexpected input into a web application into a front end to gain unauthorized access to an underlying database there are quite a few different ways i've seen sql injection attacks play out i saw one of these in real time a few years ago where a pen tester was able to put unexpected input into a web form and it caused the database because it
470:00 - 470:30 caused the the code to return information from the database you'd never want exposed next up are reconnaissance techniques so these are techniques used by attackers who are preparing to attack a network so this is data collection and learning ahead of the attack so iprobes automated tools basically pinging each ip address in a range so performing a ping sweep and then systems that respond to the ping
470:30 - 471:00 request are basically logged for further analysis in the next step so then you'll commonly see a port scan which will look for open or listening ports on a system so for example port 80 and 443 would be indicative of a web server port 445 tcp 445 would be a file server so looking for server supporting critical operations are going and services are going to be prime targets and then you have vulnerability scanners that can be
471:00 - 471:30 used to scan for specific vulnerabilities in a system so a few popular tools out there include nessus openvas qualis core impact quite a few vulnerability scanners on the market today i don't think you'll be you know tested on your knowledge of vulnerability scanner brands but i wanted to throw a few out there which incidentally are also mentioned in the book i believe in the the official study guide by the by so protection rings may come up
471:30 - 472:00 these are used to protect data and functionality from fault you'll hear about these in operating system so for example ring zero is is kernel mode ring one and two would be device drivers ring three or applications and then within the system there are special call gates between the rings that are defined to allow the outer rings to to gain access to the inner rings through
472:00 - 472:30 pre-defined mechanisms rather than just arbitrary access the software development life cycle you want to be familiar with the five phases of the software development life cycle so phase one requirements analysis phase two design phase three implementation phase four testing and phase five evolution i have for you here a memory device to help you
472:30 - 473:00 lock these five phases in to your mind real developers ideas take effort so i came up with this memory device because i wanted something that was relevant to the subject at hand which is software development but also uh followed the first letter of each of the phases of the software development life cycle so requirements design implementation testing and evolution real developers ideas take
473:00 - 473:30 effort if you want a memory device there you have it concentric circle security so you if you've spent any time in cyber security you were familiar with concentric circle security although you've probably never heard it referred to as concentric circle security that is a very theoretical phrase that that doesn't come up in the real world very often so this security model
473:30 - 474:00 consists of several mutually independent security applications processes or services that operate toward a single common goal so it avoids a monolithic security stance by having multiple independent applications tools and processes working together to provide better security so basically every individual security mechanism has a flaw or a work around and we have to bear that in mind and by combining uh intelligent combinations of of
474:00 - 474:30 counter measures into what we call a layered defense we can provide significant resistance to persistent attempts to compromise our network this is called a layered defense you'll also hear this referred to as defense in depth so you want to be familiar with concentric circle security but tie this to layered defense defense and depth and avoiding a monolithic
474:30 - 475:00 security stance and finally uh the security impact of acquired software so four categories here there's operating system attack so attackers are always looking for vulnerabilities in an operating system uh buffer overflows other bugs uh systems that simply haven't been patched in a long period of time or patch for specific vulnerabilities their application level attacks we've talked about a few of these uh sql injection cross-site scripting denial of service
475:00 - 475:30 hijacking phishing which is an email-based uh application level attack uh their shrink wrap code attack so these are exploiting holes in unpatched or poorly configured software you buy and install a lot of times software you buy and install will uh you know contain sample scripts or code and those will be exploited if if an attacker can find them then finally misconfiguration attacks which target poorly configured services or devices or one that's left
475:30 - 476:00 in a default configuration a wi-fi router left in the default settings is a fabulous example i can remember back in the day you know netgear routers came with a very simple admin username and password and it was really common that folks would buy that netgear router take it home and not change a thing in a business environment when we see those defaults left in place that usually indicates a process problem at home that's a much different story
476:00 - 476:30 and that's it for domain8 and congratulations you've reached the end of this cissp exam gram course i hope you got value out of this video i hope you're getting value out of the series if you have questions at any point leave me a comment below the video come find me on linkedin and let's have a chat i wish you the best of luck on your exam and until next time take care and stay safe