CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CISSP Cyber Training Podcast - CISSP Training Program
CCT 234: Mastering Security Control Testing (CISSP Domain 6.2)
Digital signatures are coming to AI models as cybersecurity evolves to meet emerging threats. Google's collaboration with NVIDIA and HiddenLayer demonstrates how traditional security controls must adapt to protect machine learning systems vulnerable to new forms of tampering and exploitation. This essential evolution mirrors the broader need for robust security validation across all systems.
Security control testing forms the foundation of effective cybersecurity governance. Without proper validation, organizations operate on blind faith that their protections actually work. In this deep dive into Domain 6.2 of the CISSP, Sean Gerber breaks down the critical differences between assessments, testing, and audits while exploring practical approaches to vulnerability scanning, penetration testing, and log analysis.
Vulnerability assessments serve as your first line of defense by systematically identifying weaknesses across networks, hosts, applications, and wireless infrastructure. The Common Vulnerability Scoring System helps prioritize remediation efforts, but understanding your architecture remains crucial - a low-scoring vulnerability in a critical system might pose more risk than a high-scoring one in an isolated environment. Meanwhile, penetration testing takes validation further by simulating real-world attacks through carefully structured phases from reconnaissance to exploitation.
As organizations increasingly embrace APIs, ML models, and complex software architectures, security testing must evolve beyond traditional boundaries. Code reviews, interface testing, and compliance checks ensure that security is built into systems from the ground up rather than bolted on afterward. The shift toward "security left" integration aims to catch vulnerabilities earlier in the development lifecycle, reducing both costs and risks.
Ready to master security control testing and prepare for your CISSP certification? Visit CISSPCyberTraining.com to access comprehensive study materials and a step-by-step blueprint designed to help you understand not just the exam content, but the practical application of cybersecurity principles in real-world scenarios.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go cybersecurity knowledge.
Speaker 2:All right, let's get started. Good morning everybody. It's Sean Gerber with CISSP, cyber Trading, and hope you all are having a beautifully blessed day today. Today is Monday. Yes, we're excited about Monday because why? Well, spring is quickly upon us and, yes, we're coming out of the frozen tundra that we've had this past winter. So, yeah, I'm very excited about that. But more than that, we are going to be talking about domain 6.2, which is we're conducting security control testing for the CISSP. So this again, isc squared CISSP.
Speaker 2:Now, before we get into that, I wanted to just quick article that I saw in the news and this is related to Google. I know, as we've talked about in the past, I've kind of get a little bit deeper into AI and ML as it relates to what I do on the consulting side of the house and just kind of wanted to get to really understand it a bit better. And as it comes down to security right, one of the big factors we have to consider around ML and AI is how is that going to be impacted with the changes? Because we're seeing this change over and over and I was reading an article just kind of prepping for today that Microsoft is pretty much all bought in on AI and ML as the future of the company is. The company just turned 50, I guess this week or last week sometime. You know it's getting older, right? I remember when Microsoft first came out and that just shows how old I am. But the point of it is is that it's changing its paradigm and it's hanging its hat on the AI and ML revolution. Now, in this article that came out from Google, it's basically Google's open source security team, their GOS team. They're working with NVIDIA and also HiddenLayer under their overall foundation and the goal is to create better security related to AI and ML. And so this is an important factor for you all, as you guys are studying for your CISSP and you become security professionals.
Speaker 2:Ai and ML if Microsoft is going all in, you're seeing it in Google you all are going to have to know it in some sense and you're going to have to know a deeper level of it than just kind of hey, it's out there and I just kind of understand it. So the article is really cool. It talks about how the evolution of the LLMs are moving around and how they're growing, and that there is a big concern related to the tampering of these models, right. So these models that are out there, that have got all this information in them and they're really concerned about them being exploited, especially related to the supply chain, the processes, the unspectable weights and then also the times and the arbitrary code that might be injected upon them, and you know, there's a lot of different things that can happen to an ML. You have data poisoning. You have Trump not Trump, no, not Trump. You have prompt injection, prompt leaking and prompt evasion. Those are just things, just a few of the things that can happen in the ML supply chain, and so it's an important part for you to understand how do we deal with this.
Speaker 2:Well, their focus is going to be around digital signature. This article, specifically, is around digital signatures and adding them to the overall ML AI environment. The goal of this, obviously, we talked about in CISSP, cyber Training for many years now is that digital signatures are an important part. It's a cryptographic function that helps just put that signature, that that key, to say that this data is legit, this data is solid, and when those keys get compromised, obviously that can cause all kinds of pandemonium and chaos. But the goal, though, is is that they are going to have some level of signature based into these AI ML products. So you know the actual information that you're getting and it helps you avoid that. You know if something's been tampered with at all, specifically with a model, if there's any new code been added to it or any possible issues that may run with that. Now they've created a model signing library and this is specifically set up to handle large-scale ML models. So, as we know, in many cases we're starting small but as this overall capability grows larger and larger over time, these models are going to be extremely big and they already are large, right, but they're going to get even bigger as time goes on. So it supports signing models that are represented in directory trees, obviously, and then it provides command-line utilities for signing and verifying your model signatures as well.
Speaker 2:So it's a really good article about how these signatures can potentially be added to your ML environment. It walks you through. The article does around the different types of injection aspects. There's a white paper they have on AI supply chain integrity. All of those things are in here. It's a really good article. It kind of goes from fruit to nuts and everything that you could possibly see as it relates to dealing with digital signatures and the AI ML environment. So I highly recommend you go read it. Again, it's on Google security blog. The name of it is Taming the Wild West of ML Practical Model Signing with Sigstore. Again, this is something that I think is really important for you all to kind of start understanding and getting a good grasp of how this works within your environments.
Speaker 2:Okay so let's get started about what we're going to talk about today. Okay, so we're going to be talking about domain six, conducting security control testing, and again, this is all tied back to the CISSP, the ISC squared manual. If you go to CISSP Cyber Training, you can get access to all this content that's out there. You get access to my free content as well, as you can get access to all of the videos, all of the audio, everything that I've put together related to the ISC squared CISSP, and you can get access to my blueprint. My blueprint is amazing, and I'm not just saying that because I made it, I'm just kind of sort of, but no, it's actually going to step you through, step by step by step, what you need to do to study for the CISSP and help you get prepared for it. It's going to give you everything you need to know day one, day two, day three, day four. And it's going to help you with that overall process, because, just going out and I got overwhelmed with the CISSP because it was just so much content, and then trying to understand it all, I go through and I give you a step-by-step process by even the videos, the content, the books, everything is all there laid out for you specifically so you can go to CISSP Cyber Training, purchase one of the products that I have and that will give it to you immediately, so you won't even have to wait for it.
Speaker 2:All right, so let's get into what we're going to talk about. So again, domain 6.2. One of the things around this is that we're of 6.2 is to validate the security controls that are correctly implemented when you're functioning and functioning as you planned on. And again this kind of comes back to the, the article we talked about with the before we came into the old training is it's imperative that you have these security controls in place. You also understand how you're going to validate the overall security, if it's through digital signatures or other form or method, and this helps to ensure that your system is secure, compliant and resilient to emerging threats, and I think that's one of the biggest factors people need to understand as security goes on. It's about resiliency, and I'm talking with some clients and they get the whole security piece and they've done it for years. They got it. The part that they're missing in some cases is the resilience behind. It is that in today's world, it's incredibly challenging to try to operate when a piece of ransomware that gets put into your environment can basically disrupt your operations and cause you millions and millions of dollars on a daily, if not minute-by-minute basis, depending upon what kind of business you are operating in.
Speaker 2:All right, so when we're dealing with security control testing, there's different types of security testing. We have security assessments, security testing, security audits. Now, these are some various types that are out there. Your assessments are typically a high level evaluation determine whether your policies and everything else your controls you have in place are already there and they meet your company's risk tolerance profile. So I did personal assessments. I bring in third parties to help me do assessments, but they are just a high level evaluation. Hey, is the stuff there that's supposed to be there?
Speaker 2:Security testing is when you do a technical assessment, specific on specific controls. You may bring in a pen tester, you may bring in just a maybe even just a third party, but they are looking at specific security controls through a technical means and they're going to determine if that is sufficient for your organization. And I look at authentication, encryption, access enforcement. All of those pieces are part of the overall security testing mantra. And then security audits. These are formal reviews performed by maybe your second and third line defense if you're in the I should say, third line defense, if you're in a banking industry, and they are there to help you understand. Is that set up specifically to protect your organization? Are you in compliance with internal and external regulations and standards? Are you meeting those? So again, this is a big deal, right, and a lot of companies, especially smaller companies, don't necessarily have some of the bandwidth to do all this, but they should consider.
Speaker 2:If you don't have the ability to bring in auditors I mean, say you're not a highly regulated environment, you don't need auditors per se you should by all means be doing an assessment and testing of your environment Because of the simple fact is that at any point in time, especially if you're doing government contracts, you can be audited and you don't want to be in a situation where an auditor comes in and says you got to shut down because you're not doing these right things. So assessments and testing at a minimum are really important, especially if you do not have some sort of formal auditing procedures in place or auditor that has to come visit you guys. So one of the things about vulnerability assessments this is a systematic process to identify and categorize weaknesses in systems or networks before they're exploited. It's understanding what's going on in your environment before you have a problem. Right Now.
Speaker 2:These can be done in different ways. You have network-based, where you're basically looking for any sort of open ports, weak protocols across the network perimeter or internal segments, and that is something that should be done on a routine basis monthly, if not more sooner than that. And that's you're looking for any sort of issues that you may have within your organization. Host-based this is where you're looking at the device itself your mobile devices, your laptops, your servers, your desktops if those even exist anymore, all of those pieces you need to make sure that you are doing configuration, software, patch, status, all is being updated and managed. And then you have your application base. This is where you're testing any application that is tied into your organization. This. You're looking for flaws such as sql injection, cross-site scripting, insecure apis. All of that is based on the vulnerabilities that you may find within your network. So you have your network based, host based, application based and then, if you have time and if you have the, or maybe depending on if you have a large wireless environment, wireless assessments, and I will say in many cases these get put to the back burner and they probably shouldn't be, because a lot of shadow it occurs because of wireless that's out there. I've personally had it many times where I've had remote facilities. People would bring in hotspots and use them and this evaluates the wireless footprint for rogue access points, weak encryption and then potentially any sort of broadcast leaks that are out there. So you have network host application wireless. Okay, those are some of the key factors that are occurring.
Speaker 2:Now some common tools. I'll kind of get into some of those, but there's you have Nessus, openus, openvas. You have some other ones that are out there available now when you're dealing with vulnerabilities. These are commonly tied to your common vulnerability scoring system was your cvss, and this is the principal character of the vulnerability right and they have a range. It goes from 0 to 10, 10 being the most secure, and they produce a standardized numerical score based on the severity of the overall risk. If you have a CVSS score of 9.8, that's bad. If you have one of 2.3, that's not too much to worry about. Now, granted, every vulnerability is something that could lead to something else. So a 2.8 could lead to a 9.9 or a 10. But in reality you have to weigh. There's so many vulnerabilities that can occur within an organization. You have to weigh which ones are you going to fix and which ones are you going to go after. And most people do a whack-a-mole where they go after the CVSS of 10 or nines. But in reality you just have to really understand the architecture of your environment to know could that lower risk lead to a much higher one in the future?
Speaker 2:Vulnerability scans these are automated valuation systems. They basically are looking for the applications, different types of connectivity in your environment, and then you set those, like we mentioned, on a routine basis. You can set them on monthly, you can set them on weekly. It just really comes down to what your company wants to do. You've got network discovery, network vulnerabilities, web applications and database vulnerabilities. All of those can be set up specifically based within your organization. Again, the application may be a database one your web application may be, you know. Figure out if it's externally facing or if it's internally facing. That will also determine understanding your architecture. What kind of effort do you put into it. If you have a critical application that has high vulnerabilities on it, that's externally facing, that's sitting out in your DMZ, that would be a much bigger problem than if it's sitting inside your network and everybody sees it but it's still behind your outer layers of protection within your organization. Now a network discovery scan. Now these are different types of activities that will occur with this. But again, you're looking for open systems and ports.
Speaker 2:I will say most companies, a lot of companies, have very little knowledge around their network assets and the reason is is people will stand them up without them really even having a true understanding of what's being stood up. So many companies do not understand this. Now, the ones that have one highly regulated or have high financial risks associated, they have taken a much more aggressive approach to this. But if they don't have those aspects where they obviously, if they go down, they will lose money, but if they don't have a regulatory requirement forcing them to have some of this information, money, but if they don't have a regulatory requirement forcing them to have some of this information. A lot of times it is. It's not sexy, nobody wants to do it. So what do they do? They move on to the next thing. And bad guys and girls know this and they, because of that, they target these systems ensuring that they can get a long-term foothold within your environment.
Speaker 2:Now there's various types of scanning options available. You got tcp sin scanning. You got connect scanning. You got ax scanning and you got CONNECT scanning. You got AXE scanning and you got Christmas scanning, which I like because it just everything lights up like a Christmas tree. But you have different types of scanning options that you have. If you're going to be doing scanning within your environment, highly recommend you one you understand the IP addresses that you're scanning. Do not, if you do not know those, do not just go out and start kicking the scanner on to understand that what a scanner can do to your network and how it can affect it. And then three make sure people are aware that you are actually doing this, because it can cause all kinds of pandemonium and chaos and people can go we're being hacked and you're actually doing it to yourself and people freak out. So you got to make sure that your everything your t's are crossed and your i's are dotted before you do start doing any sort of scanning options.
Speaker 2:Now, web vulnerability scanning this scans for vulnerable web applications on the Internet. It's usually the first line that is attacked, right, everything that's out there that's facing everybody is usually the first thing people go after. This can provide a lot of data. We would usually go after these systems. Lot of data, we would usually go after these systems, and just because they weren't vulnerable, I could get a lot of information from just sending queries to these different systems and getting information back. They are, in many ways, the keys to enter into your business. That's the front, first line of defense, and if you for some reason don't have a way in from these external facing ones, they can create a huge reputational damage to your organization if they're hacked, defaced, shut down. Especially, a lot of third parties will use these externally facing applications. This is where data is coming and going. If you go and you hack them and then all of a sudden you realize that it was a server that your third party agreements would go back and forth with, then you now could have a big reputational hit and it could have some sort of financial impact to you as well. So you need to truly understand your environment, and this is where a good security architect understands architecture and what is set up within their network. You develop processes for scanning sites this is lab production and then you consider false positives that you can and do occur during this entire scanning process. There's a link to the OWASP scanning tool list, but bottom line is that your vulnerability scanning web scanning is an important part of any sort of organization, whether you have a web presence or not. A lot of times, if an organization says I don't have a web presence, but they actually do and they don't realize it, those are the really dangerous ones, because now there's no visibility into what's actually occurring in their network.
Speaker 2:Database scanning again. This is typically where it will contain some of the most sensitive data to your organization. So this is again application scanning, knowing the application that you're working with. It's usually internal most databases are and then it's tied to many different types of web applications. Now, as everything is moving to a software-as-a-service type platform, you now have a lot of this information is out in the cloud. So you really truly need to understand what you need to do within your company and how does this work?
Speaker 2:Now, some different tools available. We've got Nessus, openvos and Qualys. Nessus is a highly used vulnerability scanner. It does look for a lot of different misconfigurations. I've used it. It works really well. It is expensive, it's not cheap, but it does look for missing patches, vulnerabilities and across a wide range of different systems. You have your OpenVAS vulnerability scanner. It's basically designed to look for basic and advanced vulnerability detection. And then you have Qualys and it's more of a paid product and it does the same type of thing. Both all of them have done really well. I've used most of them. I've used Qualys and Nessus personally and they do work well. The key thing is again you get all this information. It's great, but if you don't have a way to disseminate it, it can be extremely overwhelming.
Speaker 2:Now there's some different types of security testing techniques. You have pen testing, and we talked about this briefly earlier. But what is a pen test, right? Well, this is a controlled exploitation of a system's vulnerabilities and typically it's used to target one or two small areas. You don't pen test your entire network. You focus on an area that you go after. You have black box, white box and gray box testing. Your black box basically simulates an external attacker with no internal knowledge of the organization. They just come in. They're like Korea coming in trying to get as much information as they possibly can. Your white box testing this will simulate an internal threat actor with full access to documentation and source code. And then your gray box. This combines elements of both to simulate and semi-formal insider risk threat. So the ultimate goal, though, is that you have these different types of testing capabilities set up within your organization.
Speaker 2:Now the different types of testing phases. You have your for a pen test. You have your planning, which is basically, as you begin, what are you going to do? What is the scope or the rules of engagement? Then you're going to do your reconnaissance. This is gathering intelligence using passive and active methods, and that's where you're trying to get as much information as you possibly can to help you make your attack successful. If you don't do a good job in reconnaissance, you can come across like a person walking into a room with a pot and pan and a pair of wooden spoons and just banging on stuff. People will see you coming. So reconnaissance is an important part of what you're trying to gather for all this information, and then scanning and enumeration. This will identify live hosts, services, potential entry points. All of this will be done through your scanning and enumeration pieces, and then exploitation was where you actively leverage discoverable vulnerabilities to gain unauthorized access to an organization. This is where you exploit it. You've got to be careful with exploitation, though, because when you do it again, you could very quickly become the person with the pot and pan and the wooden spoon banging on the pots and pans.
Speaker 2:Post-exploitation this is where you assess the impact, maintain access and then you exfiltrate any sort of simulated data that you want. Again, this is where you have a really good conversation with who you're working with. You never I repeat, never bring out data out of an organization that, if you have not communicated with somebody on what that is, in many cases you will pre-position data. So that way, at the end of this engagement, when you're just getting ready to do the simulated data shipment out, this is your own data that you had pre-positioned there. That just to show hey, if I ship this data out, what would happen to your system? Can you see me moving the data out? I highly recommend that you never, never, never use customer data when you're simulating data exfiltration. Don't do it. Just don't Avoid that at all costs, because of the fact is it's then, once the data leaves, it opens up a whole can of worms one whether or not the data was important or not doesn't matter, it's the fact that it's company data, so don't ever do that.
Speaker 2:Post exploitation this is where you assess the impact, maintain access and exfiltrate we talked about that and then reporting you provided actionable insights and what they can do to protect themselves and how to fix it. So there's's a lot of different things you can do, especially when it relates to pen testing. Now, some of the penetration tools you can use it's Metasploit, burp Suite, Kali Linux and then Cobalt Strike. You've seen Cobalt Strike and Metasploit be used both by the good guys and by the not so good guys and girls. The Metasploit framework I used that One of the buddies that I was started in hacking with was one of the key people that stood up metasploit at the time and it was one of the three or four that actually did it, and it simulates real world attacks, it tests defenses and it does perform post-exploitation strikes. Now the cobalt strike you've heard been used a lot in one for red team as user, but also it being used by the bad guys using it for their purposes as well. So there's a lot of different tools that you can use.
Speaker 2:Again, we talk about with yoda use your powers for good, not evil. Actually, I don't know if yoda actually quoted that, but I use it. So use your powers for good, not for evil. It's an important part of the security testing plan. Now, log reviews. What is the purpose of log reviews? Well, these are like the most boring thing on the planet and nobody likes to do them. So I would highly recommend, if you can come up with an AIML plan around log reviews, which I know a lot of security companies are doing. It's an important factor and I think it would make you a lot of money.
Speaker 2:The reason I say that is is because log reviews are a very important part of looking and detecting any suspicious activity, which includes policy violations, operational anomalies you name it right. But you need an automated format to be able to do this, because it's extremely tedious and it's painful and if you're doing it manually, oh my goodness, it is no fun. And as a human, what do I do? I make mistakes and there's a high likelihood that I will look over something, because your eyes just basically roll in the back of your head. You don't see anything after a while. They all look the same. Firewall logs and all these different types of logs can be extremely painful. That's also why you have SIMs, right? Sims will help you with that and they will help aggregate some of that data for you. But at the end of the day, log reviews are an important part of what you do and these would include from firewalls, operating systems, your IPSs, idss, databases, authentication servers all that stuff creates logs, depending upon the organization you're in and the regulatory requirements you have.
Speaker 2:Some logs you may have to keep for quite an extended period of time. Some logs you may not. Organizations that are not as regularly regulatory-ly that's a bad one, that's probably not even a word, but they're ones that don't have that requirement. They will keep logs for a period of time, mainly to deal with if they can look for something. But because log retention on data is so expensive, because it's so much data, you have to keep it. A lot of people just don't keep it for very long. They'll keep it for maybe seven days, maybe two weeks. Some critical applications they may keep it up to three months. It just depends. But log data is something you really have to have a good strategy and then implement that strategy on your plan.
Speaker 2:So some best practices around this is using a centralized sim, obviously, to correlate and analyze your events, ensure your logs are time synced with your network time protocols to maintain that they have the accuracy they need, and thenure your logs are time synced with your network time protocols to maintain that they have the accuracy they need and then review your logs for any failed login attempts and so forth. But again, you're going to I recommend some sort of automation behind this. But the logs you want to generate a report to give you an idea of what has actually occurred within your company. Now, when you're dealing with logs, you want to have there's automated or manual processes that to help store or to store the off logs, the logs that you're not using anymore. Now, logging policies they can be pushed through your GPO and your Windows Group Policy Objects can help you with that. So that's the GPO. It's just basically the different automation that sets up to pull those logs and put them into locations automation that sets up to pull those logs and put them into locations. Again, we talked about having network time protocols and then also you need to evaluate and look for any alerting mechanisms that you may have.
Speaker 2:So now some dealing with synthetic transactions. What is a synthetic transaction? Now, this is an automated or scripted activity that simulates typical user activity within an application or service. I did this a lot with my web developers. We would have a simulator that would then have people go through the different clicks that they would do. How does it work? What are the areas that causes breaks? It's a similar kind of concept, but it's used to proactively monitor performance, availability and any SLAs service levels agreements that you may have in this situation. So, as an example, monitoring a shopping cart checkout process every five minutes to ensure that the system is reliable, to ensure that it's working right. It's doing what it's supposed to be doing. They also have this occurs now on the flip side, where they monitor your shopping cart to see if you haven't moved in a little while of going hey, did you forget about your cart? Your cart's still stuff out there in your cart. You want it, you can buy it. It's there waiting for you and you're like, oh yeah, I forgot Click. And then you're like why did I buy that? So that's the advanced text, the synthetic transactions Code review and testing.
Speaker 2:So you have static code analysis. This is where it scans the code for vulnerabilities without executing on it, looking for flaws such as insecure APIs or buffer overflows. This is where it's just scanning the code, looking for any issues in the code. Specifically, you have dynamic code analysis. This is where it executes the code in a test environment. Usually, this test environment is within your CICD pipeline and it will then look for any issues as it's running this code. Now it's not actually physically running the code outside of this test environment, but it's inside the environment and it's looking for issues in memory. It's looking for any race conditions you know. Basically, it's trying to take off and run. Any of those aspects is looking within the dynamic code analysis.
Speaker 2:You have a manual code review. This is where humans will take a look at it, and this is in the past has been an important part of all sort of software development in their entire life cycle. The goal is to get as much automation as you possibly can. I would have eyes on the code when and if I had specific areas that I felt that I was taking customer data that could have a high regulatory requirement or it could cause some sort of legal issue with me requirement or it could cause some sort of legal issue with me, then I would have my do a manual code review specifically on those pieces of code that were tied to those aspects. Again, you're looking for application logic and security critical functions for any flaws that may be missed during the automation process. So again, you got to determine whether or not that's something you want to deal with or not. Some of the tools obviously for this is you got SonarCube, fortify, vericode, appscan from IBM. All of those are available to you. There's different types that you have. I've used Fortify and AppScan a bit. It's not one of those that I've used a lot and so I would highly recommend you do an evaluation for you and your organization based on your specific needs. But again, those are all pieces that you want to have part of your CICD pipeline Misuse case testing.
Speaker 2:This is where it tests to simulate attacker's behavior by focusing on how the system could be intentionally misused. So what could I put in? You have a line of code that goes into your text box and you're going to add potentially some sort of JavaScript to that text box, to that line, and then you're going to see what happens if I do that, if I do, it's that and I'm just drawing a blank. But it's basically a line mismatch where you're putting code into that want to see what comes out and what does it burp out at you? Does it run? Does it just doesn't know what to do? So it basically gives you up all kinds of stuff or does it just go invalid? Invalid, uh, and that's the part where you're gonna. That can happen with misuse case testing. Um, it does help you define, identify design flaws, privilege, escalation opportunities or logic abuse. That is not considered as normal use casting, use case testing, um, any sort of any way that you're having a log on credentials great place. So, again, if you have limitations on where you can test, again, there's so many places you can test in this environment. If you have places that are limited on where you can do, focus on the areas that would create the most damage to your organization. One is credential input output. If you're having sort of database queries, any area that would potentially return sensitive information, give out sensitive information, allow access to your organization or query data or put data in something that could potentially deal with the confidentiality and more or less the integrity of the data itself Test coverage analysis.
Speaker 2:The goal of this, though, is how much of the code base or system functionality is actually covered by the testing efforts, so you're trying to determine whether or not all the logical paths and statements have been tested. You're kind of trying to figure out where is this code covered, from zero to hero. Is it all there? Are there any security requirements that have been given to you through the agreements that you may have, that have to have some sort of corresponding test with them as well? So you need to look at where's the code, is it all covered? Or, two, is there any requirements that I specifically have to cover because of this situation? And the ultimate goal of this is to help identify any blind spots in the testing that could potentially harbor undetected vulnerabilities. And, again, you have to determine if you have a large testing shop, if you have a very large coding shop, how will all of these things work together and it's important that you have a good, strong SDLC plan and how you're going to deal with all the code in your environment.
Speaker 2:The next one is interface testing. This is where you validate secure and reliable communications between components such as APIs, user faces and then, obviously, back-end servers. That's where you're looking at. Between the two interfaces. How are they communicating? I'll beat this drum again, over and over again Interface testing with APIs is a crucial factor and it's really that way.
Speaker 2:You need to set this up at the beginning because you're going to be having, in many cases, api connections with third parties. You are transferring, in a lot of ways, sensitive data between these two parties. You need to have a strong API policy and a security plan when dealing with APIs, because APIs are so easy to connect and so easy to integrate within your organization that they real quickly can go from having a good control of something to having little to no control. You need to verify validation and session controls and error handling of these interfaces. You need to make sure there's no security controls or no security credentials that are inside these interfaces. Apis is a really good example of this, where folks are actually sharing stored credentials between APIs. So again, you need to test for insecure exposure to this data that's going through there and, again, highly recommend that you talk to somebody within your architecture team and make sure you have this pretty much buttoned up.
Speaker 2:So some of the tools are Postman, soapui and Fiddler. Again, these are different types of ways to help you track and deal with the different types of aspects. Postman, I know there's another one that I use and I can't think of it. I'm drawing a blank on it, but this one here is used for RESTful APIs, looking for security headers and input validation pieces to it SOAP UI, rest APIs, and it's supporting regression and functional testing. And then there's, obviously Fiddler that deals with HTTP and HTTPS. So, again, go check them out, see which ones work best for you and your company.
Speaker 2:So you have breach attack simulations. This is where there's a continuous and automated testing to look at your defenses, acting like a real world emulation. So it's like a pen test on an automated factor. So it's Hal is acting as the pen tester and they're bashing on the front door of your building, of your network, and it simulates malware, phishing, lateral movements, data exfiltration activities. All of those pieces are all built into this BAS and again, it is a automated piece of equipment or software that will do this for you. It is a automated piece of equipment or software that will do this for you. It evaluates effectiveness and detection response capabilities in real time. And so you put the BAS, you let it run and then it's evaluating how do your people respond to its activities.
Speaker 2:I've never used one, to be honest I might be a little bit old in this regard of saying it's a bit scary of letting something like this run automated on your network. It's a bit scary of letting something like this run automated on your network. I say you do this maybe potentially in a simulated environment where maybe you have a section that's off network that you're practicing on this, just to get your SOC teams up to speed on how to respond. I would say putting it on your production network would be, in my mind, to be a bit risky, but I've never used it, so maybe it works like a champ and it will never ever give you any problems. Again, I kind of lean towards. I like to accept some risk in some cases, but in other cases I'm very risk averse and putting anything on my business network that I don't have a true handle on it makes me very risk averse, because I've seen things happen where it causes so much chaos and pandemonium that the years of building up trust within your organization can be exploded and destroyed within seconds putting something like this out there. So just something to consider.
Speaker 2:So some different tools AttackIQ, safebreach and Simulate. These are all different types of BAS tools. Attackiq is focused on the MITRE ATT&CK framework, safe Breach is proactively validates organization's defense and looking for gaps. And then BAS, like simulate, is across your email gateways, web gateways and then obviously looking for any sort of lateral movement within your environment. Again, if you've used it, that is awesome. I'd love to hear from you all if there's someone that's used it and really liked it or had some issues with it, because I've never actually used it myself.
Speaker 2:Now, compliance checks. What is this? This is where you are verifying that your organization is relevant with the security policies, frameworks and the regulations, so you may have a new policy that you put in place. How does this compliance check? Are you following your password policies? Do you put a framework in that you're utilizing? I will use an example of in the financial industry. It's CRI, which is your Cyber Security Risk Institute, has their own framework. It's tied to NIST. Are you following that? Are you following CRI? Are you following NIST? Does your company comply with that? And then, are there any regulations that you need to be worried about? This is related to GDPR, chinese cyber law, nydfs, whatever that might be.
Speaker 2:Are you following those compliance aspects around it. So you have different types. You have a system check system configuration, which looks at the CIAS benchmarks and your STIGs that are out there and it's making sure, hey, are you meeting those baselines. Then there's a regulatory compliance aspects which is looking for, like we mentioned earlier, pci, dss, hipaa, gdpr and so forth. A lot of the tools that you can use will have some level of a compliance add-on. You can see the tools with Nessus and OpenScap. I don't know how to say that other than that's what it is and I've seen in both Nessus we have a compliance module that you can use and then it will help you determine are you meeting some of the requirements around that? Again, it's designed to help guide you in this very convoluted and confusing manner. In some respects, it supports audit readiness and reduces the risk of regulatory penalties, because that you're doing it Now.
Speaker 2:Reporting and remediation there's a reporting remediation aspects. You need to interpret the various test results you get and then how do you report these to people? How do you let them know what you're going to do? Now? This is a risk-based prioritization. I highly recommend that you understand the risk profile for your organization. If you don't know what they are risk averse to and they are risk acceptance to.
Speaker 2:You need to really truly understand that, because any sort of result that you give back to them needs to be tied to risk to your company. If you have a company that doesn't have any external facing stuff and your risk comes back and it comes back and says you're good, well, they're going to go, oh, see, we're good, we're awesome. You say, well, yeah, we only have one server and that one server is patched and we don't do anything with it and it doesn't touch the inside. So you're giving some sort of reporting of going, hey, we're awesome, well, yeah, you're awesome, but you really don't have any that much risk. If you have a full web environment and you're JP Morgan and you have all kinds of stuff that's shared back and forth Bank of America, yeah, your external web facing is much bigger risk than it would be if you were a manufacturing company. So you got to understand those results and make sure that people understand the risk that they're actually seeing.
Speaker 2:So you need to categorize the issues as low, medium and high are critical to streamline the remediation planning. You need to collaborate with development and IT teams to implement patches, reconfigure systems and then deploy compensated controls, document timelines, owners and verification steps for each action. And then you need to have some sort of technical reports and executive summaries as well on all of these factors. So it's an important part of what you do is to provide this reporting and remediation piece. Now there'll be security reporting. You have technical reports and you have executive summaries. So when you're dealing with these different types of reports, again, understand your audience. Knowing who your audience is is an important part on any of these reports. You don't want to be giving something extremely technical to the CEO and expect he or she is actually going to understand what the heck you're talking about. So you need to understand your audience before you provide these executive summaries and then make the information valuable.
Speaker 2:Don't just hit, mash a button and say, oh look, there's my report, it means nothing. You need to be able to filter through that information, if anything, if you give the report, have a summary at the beginning of saying this is what you need to be worried about or concerned about, or this is what the good spot that we're in. Again, you have to be involved. Don't just mash a button and say the report is done. You have to have engagement with that Continuous testing approach.
Speaker 2:This is where you integrate the automated security tests into your CICD pipelines to ensure that they're detecting them early in the development lifecycle and then that you can one make those changes ahead of time. Now, depending upon how you are doing your development if it's waterfall, agile, whatever that might be spiral, you need to then build that into your overall development lifecycle. That way, shift left security. This will help catch flaws before they enter production. I hear this term used a lot and what it really just comes down to is you detect it before it hits production and that you can then get those things in place before the things that the security aspects that hit production are limited and minimized. So you're just shifting the security piece, because in the past it used to be you develop, develop, develop, develop. You have this product, then you put security on it and they go. Oh well, there's issues. Now I've got to go back to the development piece.
Speaker 2:This is where building security at the beginning moving it left is an important part in the security of your overall organization. And then security testing lifecycle. This is applying security testing at all stages of the development. This includes the design, development and post-development stages, includes threat modeling, static code analysis and use of static and dynamic code analysis, early detection like again moving it left, and then at the end conducting pen tests, reviews and compliance scans to validate the production and readiness of your overall plan. So, again, there's a security testing piece that goes with that. It's an important part and I think it's in domain eight. We get into the various levels of SDLC, but it's an important piece that you do, that you understand for your organization, especially when you're integrating security into your company.
Speaker 2:Again, we've talked about this stuff over and over again, but, as you're studying for the CISSP, these are things that the CISSP is trying to inherently put into you through the questions that it asks, trying to have you think through these different topics. And that's why it's important that, as a CISSP, you have so many years of experience, because their goal is that you've been exposed to many of these different pieces. That is why this podcast is, in real honesty, it's very valuable, because you're getting exposure from folks that have had this kind of experience for years and years and years, and now, when you go take the CISSP, you get an understanding of their thought process with the questions that are being asked to you. Okay, that is all I have for you today at CISSP Cyber Training. Hope you guys are enjoying it.
Speaker 2:Going out to CISSP Cyber Training, check out the content that's out there. I got some really good free stuff for you. Also have some paid stuff as well. Again, it does not cost much for the bronze tier that I have to study for the CISSP. If you're serious about getting the CISSP, look at my bronze tier. It is relatively inexpensive. It gives you everything you need to be successful and pass the test. Again, you've got to study it. It's not going to be automatic, but if you're willing to put the work in to study for the CISSP and think about it, just think about this for a second the amount that it costs for the CISSP bronze package right now Right now I'm running it for very inexpensive. I think it's like a hundred dollars for the bronze package. If you go in at the bronze package at a hundred dollars and you figure out how many hours you're going to spend on studying for the CISSP over a period of time, it's pennies, pennies on the dollar that you're spending to help you get you to step up on the CISSP exam.
Speaker 2:Don't short circuit this. It isn't just about getting a certification. It's about understanding the content so that when you go for the interview and they ask you questions, you can actually answer the questions and understand what the heck they're saying. Again, this isn't about getting a certification. It isn't about somebody out there online saying, hey, you can make six figures in three months by being in cybersecurity. That's BS. I'm sorry, that is bull. You can't just go do that. You've got to understand the content. That's in here for you to be successful. But if you understand the content, you understand the background. You then can be communitatively understanding when you're talking to somebody about what you're trying to accomplish.
Speaker 2:So an important part go to CISSP Cyber Training. Check out the bronze package. I guarantee you it is amazing. It'll give you what you need to help you pass the CISSP. If you need any consulting work, go on out to reducecyberriskcom and check out my website. I'm working with a company called NextPeak and others as we provide consulting services to the masses. Okay, I hope you have a great day and we will catch you all on the flip side, see ya.
