CISSP Cyber Training Podcast - CISSP Training Program

CCT 261: CISSP Rapid Review Exam Prep - Domain 1 - Part II

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 261


Microsoft recently released 137 security patches, with 14 critical vulnerabilities that could allow attackers to seize control of Windows systems with minimal user interaction. Among these, the Windows authentication negotiation flaw rated at 9.8 severity poses a significant threat to all current Windows versions. For security professionals, this underscores the crucial importance of effective patch management strategies—balancing timely updates against thorough testing procedures.

When approaching CISSP certification, understanding different investigation types provides essential context for security operations. Administrative investigations address potential policy violations and inappropriate resource usage, while criminal investigations gather evidence when laws are broken. Civil investigations resolve disputes between parties, regulatory investigations examine compliance with industry mandates, and standards investigations assess adherence to best practices like ISO 27001. Each investigation type requires distinct approaches and yields different outcomes, from disciplinary actions to legal proceedings.

The security documentation hierarchy—policies stating high-level objectives, standards specifying mandatory requirements, procedures providing step-by-step instructions, and guidelines offering flexible recommendations—creates a comprehensive framework for organizational security. However, these documents must use clear, accessible language that employees can understand and apply, not just legal jargon that looks impressive but goes unread.

Business continuity planning begins with a thorough Business Impact Analysis that identifies critical functions and establishes recovery objectives. This foundational work must involve stakeholders from across the organization to ensure operational reality aligns with security requirements. Similarly, personnel security extends beyond employee screening to include robust onboarding, transfer, and termination procedures—with equivalent controls for third-party relationships.

Risk management concepts form the core of security operations, from identifying threats and vulnerabilities to selecting appropriate controls. Understanding the distinction between preventative, detective, corrective, deterrent, and compensating controls enables security professionals to build comprehensive protection strategies. Combined with threat modeling methodologies like STRIDE and PASTA, these concepts create the framework for proactive security postures.

Ready to deepen your CISSP knowledge? Visit CISSP Cyber Training for both free resources and comprehensive paid training options that will help you pass your exam the first time while building practical security expertise.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:

Hey all, Shon Gerber with CISSP Cyber Training and this is part two of the CISSP Rapid Review exam prep. But before we get started, I wanted to bring up an article that I've just read from Krebs on Security around the security updates. Okay, this is from Krebs on Security and this is around Microsoft's Patch Tuesday, and you know, obviously, Patch Tuesday. You might be going, what's Patch Tuesday? Why is it that important? But there's an interesting part about this, and usually Krebs is pretty sharp. I mean, he's not pretty, he's a very sharp guy, and if he picks up on something then it's usually something that you should probably take some notice of. But the interesting part that he brought up in this article is there's 137 vulnerabilities across Windows OS and the supporting software specifically that are in this. But the interesting part of that is there are 14 flaws that basically came up as critical ratings, which means they could be exploited to seize control over any sort of vulnerable Windows PC that's out there, and these are remote code execution vulnerabilities specifically. So obviously, this is why we talk about it. Your patch management is an extremely important part of any organization, and we talk about that at the CISSP, that you need to understand the assets within your organization as well as understanding which ones should be patched. Right now there isn't any active exploitation that's occurring, but because they've released these exploits, I should say released these different critical flaws that are out there, you can know that there's going to be some exploits against them coming very, very quickly.

Speaker 2:

One of the aspects they thought was around SQL Server. They're very concerned about the data that could be absorbed or, I should say, taken out of a SQL Server. As we all know, SQL Server databases are used primarily in a lot of different places around various Windows systems that are potentially front-facing systems, and now they're worried that potentially all that data, from a supply chain standpoint, could be exfiltrated and used. One of the things I thought was interesting is that it didn't take much user interaction to be able to take control of these systems. So it wasn't like in the past where the user would have to do many different steps. They didn't get into the details, other than to say that it did not take much user interaction to make that happen.

Speaker 2:

So there's various ones that are out there. There's a couple of them that are on a Windows authentication negotiation, which is a critical rating of 9.8. This is all Windows Plus systems and current Windows Server versions. This is a more likely one, they say, to be weaponized, and that's CVE-2025-47981, but that is an interesting part. There's also those four critical vulnerabilities within Windows Office, as well as Windows Defender and their Configuration Manager. So a lot of different pieces that are there, but, bottom line, there's 137 patches, 14 criticals that were there as well.

Speaker 2:

So obviously you need to patch, right. But I would say, in the company that I used to work with, we used to go through our patches and it would be multiple steps. You would do a patch, or you would do testing. You then run it to the canary group. You then would push it out to a smaller subset of people and then you would patch. And that was a huge process to bring on any patches, and it could be upwards of two, three weeks, possibly even a month, before that update is actually pushed out. I highly recommend that if you have Windows, which the majority of companies out there utilize Windows for their basic user interfaces, that you set it up on automatic update.

Speaker 2:

Now the problem is with the SQL Server aspects. It is the ones that are no longer in support, the 2012 version. And if those are exposed, they are going to be vulnerable to this exploit, and so you can assume that people do not upgrade their SQL Servers very, very often because of the cost that goes with them. The licensing itself is extremely expensive, so sometimes those might not get updated. You need to really, truly understand the assets within your organization. You need to understand how they could be affected by situations such as this and then develop a plan in which you can deploy a new system and therefore be able to mitigate some of this risk. I can't stress this enough. Your patch management, or vulnerability management, is an extremely critical part of any organization, obviously, especially the front-facing servers, but all systems within your organization. And I know you hear about it. It's not sexy, it's not fun, it's not something people really, truly want to do, but it's something you really must consider, especially with your security career. All right. So that's all we're going to talk about on this. Let's move on to what we're going to talk about today.

Speaker 2:

Okay, so, as we know, this is part two of the CISSP Rapid Review, but before we get started on that, I want to just again put a plug out there for CISSP Cyber Training. Head on over to CISSP Cyber Training. There's a lot of great stuff and a lot of free content available for you out there. This is just part of it. The ultimate goal is to provide as much free content as I can for you, but on the flip side is to have some content that's available to you, if you want to go deeper into the CISSP, at a price point that you can manage. The ultimate goal is to help you pass the CISSP right the first time, but on the flip side of that is also to provide you the skills you need to enhance your cybersecurity career and help you grow and become a better practitioner of the security trade as you go forward in your career in security. All right, so let's get started.

Speaker 2:

So we have administrative investigations: company resources, potential policy breaches that may have happened. Are employees installing software they should not, or are they non-compliant with the data handling? Are they transferring data from Europe to the United States without the proper rules, and are they talking to the right people, the data owners or the chief privacy officers in each of these locations? The outcome can be disciplinary action, policy updates and, potentially, training. The disciplinary action also could be termination as well. So you have to have a good plan in place to understand how you're going to implement administrative investigations. If you roll into the criminal investigations:

Speaker 2:

This is to determine if a crime has been committed and to gather the evidence for prosecution, involving law enforcement in this and ensuring that you have proper due diligence around your overall protection of the data. Especially during your investigation, you're going to need to make sure that the chain of custody factors have been played into this. This could include hacking, fraud, data theft, any sort of industrial espionage. All of those aspects can be pulled into a criminal investigation. It could be your employees, it could be somebody that's not your employees. So you need to really consider having a plan on how you're going to manage this going forward. If you go to a company and they don't have a plan, then you can come in and say, hey, what would you think about doing this? Now, the outcome again: arrest, prosecution and potential convictions can all be a part of the criminal investigations.

Speaker 2:

Now we're dealing with civil investigations. These resolve disputes between parties, determining liability for damages and typically leading to specific lawsuits. Some examples around this could be contractual disputes, intellectual property infringement, negligence leading to data breaches or wrongful termination. Those are all civil investigations, and sometimes a criminal investigation that does not pan out can turn around and they can just come and sue you from a civil standpoint. So you need to. I've been in both of these, criminal and civil investigations, and I've had one of my CEOs go, well, let's just have them lawyer up and we've got deep pockets. They don't, especially when it came to intellectual property. So you need to make sure that you have a good plan on how you're going to deal with IP protection for a company. The outcome could be monetary damages, injunctions or other civil remedies that can happen due to the civil investigations.

Speaker 2:

Regulatory investigations. These determine whether organizations have violated specific laws or regulations governing their industry or operations, and these can be conducted by government agencies: HIPAA violations in healthcare, you have GLBA or NYDFS. Those are also ones that could potentially be investigated, and each of these comes with fines, penalties, mandated changes in practices. Potentially, different types of findings will then cause you to spend more money. Again, loss of license, operating authority and so forth. So regulatory investigations are done by the regulatory bodies.

Speaker 2:

Industry standards investigations. These assess the organization's adherence to non-mandatory but widely accepted industry best practices and standards. I will say I have not seen a lot of these, but they do exist, and depending on the organization or the vertical you're in, you could be dealing with that. So non-compliance with PCI DSS, though PCI DSS has regulatory-like enforcement, which it does, there may not be as many outcomes that come of this. You may lose your certification. Depending upon, like, let's say, for example, you're ISO 27001 certified and you find out that you're not meeting the requirements for ISO, you could lose that certification. Now it's not as simple as I just get the certification. Getting an ISO 27001 cert is extremely expensive and time consuming, so you don't want to just lose that, right? It's an important part of your overall business strategy.

Speaker 2:

So it's imperative that you do understand what you're trying to accomplish with these. Domain 1.7, policies, standards, procedures and guidelines. So these are to develop security documentation. Policies: you need to have high-level statements defining your security objectives and the rules, the what and the why. So we're going to get into each of these just a little bit. Standards: these are mandatory requirements for specific technologies, configurations or methods that support policies. They basically give you the how, and you have the standard in place of what you should do, and these are really important to have. I can't stress these enough. Working as a consultant, I'm seeing this in various organizations that don't have this. Procedures:

Speaker 2:

These are detailed, step-by-step instructions for performing tasks in compliance with policies and standards, and step by step they walk you through. They can be considered playbooks, and they walk you through step by step on how to deal with compliance and the various policies and standards you may have in place. Your guidelines: these are recommended best practices or general advice, offering flexibility in the implementation, or suggestions, right? These guidelines kind of give you a plan on what you should do. You don't have to necessarily follow those, but they're recommended to do so. These help ensure that you have alignment with your business strategy, your risk assessments, your legal and regulatory requirements as well. So the ultimate goal of the policies, standards and procedures is that they're all there specifically to help move you down the path to ensure that your organization is maintaining alignment with your overall strategy.

Speaker 2:

And then documenting security documentation. This is where you maintain a centralized, accessible, version-controlled repository of all your security documentation. This is where you use clear, concise and unambiguous language when you're dealing with your documents. I have been in so many different situations looking at documents that I'm like, oh my goodness, they use these big $10 words and you don't understand half of it. It's legal language, and so if you understand it, that's great, but you've got to give it the third grade test. If a third grader can read it, probably more like high school, if a high school person can read it and understand it, then it's good, but if they can't understand it and read it, then it's not good. Don't make these documents sound so legally important, and then you put these things out there and nobody actually ever reads them because no one can even understand them.

Speaker 2:

Establish a formal review and approval process involving relevant stakeholders, such as your legal, compliance and senior management. You need to make sure that they all understand what is the documentation that you're putting in place. So now that you've documented, you need to implement the security documentation. This is where you communicate the documents effectively through training and awareness programs for all your people. They need to understand what is actually important and what is not, and what the purpose is around these policies. What is the purpose around these standards? Again, I can't stress this enough. Working on this right now, where folks just don't want to teach their people what this policy and standard is for. It becomes a checklist mentality of going, I've got a policy, check, I've got a policy, check, I've got a standard, check. They're not training their people and that's not effective.

Speaker 2:

Integrate security requirements from the documents into daily ops and your business processes. You need to make sure that they're integrated in your daily things and what you do. Enforce compliance through monitoring, auditing and disciplinary action if necessary for violations. Hopefully it doesn't go to that point, but yes, that's a possibility. Regularly review and update the documentation based on changes in threats, technology and the regulations that are going on. So you need to keep abreast of everything going on within the security space, so if something does change, you are better prepared for it.

Speaker 2:

Domain 1.8, business continuity requirements. Okay, so we're going to do a couple of things with business continuity. One is a business impact analysis. Now, the purpose of this is to help prioritize critical business functions, processes and systems. I've seen it time and again where I've done a BIA and come to find out that there's a computer sitting in a closet at a really different location that runs your entire company. Yeah, I've seen it. Done it. It's crazy. It quantifies and qualifies the potential financial, operational and reputational aspects of this, and it helps to avoid the consequences of a disruption.

Speaker 2:

Now, it will take a lot of resources to do a BIA, and this is in personnel, technology and data. So you're going to need to plan for this, and you need to make sure you have financial resources available to it and, mainly, the people to do it. To do it right, it's going to take some time. Some key outcomes are going to be establishing your recovery time objectives, your RTOs, and your recovery point objectives as well, and that's going to come out of your BIA. Now you need to develop and document the scope and the plan. So you need to clearly define the business units, the processes and the systems. This is important, that you work with your business units to understand this. If your business units do not have a plan already, then help educate them on this. They will understand the systems. They will also understand the data. Now you may have to tell them where the data is stored, but you need to understand from them what is the most important data that needs to be included in your BIA. This gives a focus on the manageability of it and it does provide you some guidance around what you should do.

Speaker 2:

Now, stakeholder identification. This involves key personnel from the business units, IT, legal, compliance and risk management units in the BIA process. You need to get them involved from the beginning, and the methodology includes outlining the approach for conducting a BIA. This includes interviews, workshops, surveys, data analysis. All of those aspects would be a part of the BIA. Have you done interviews? Have you done workshops? Documentation: formalize all findings, assumptions and identified impacts. There'd be any dependencies, such as RTOs and RPOs. All of those aspects need to be documented and in a central repository where you have them stored. The other thing is, this document will be the foundational artifact for developing your BC and your disaster recovery plans, and you really need to do that, and it's very important. Now, if you just get started and you go, well, I'm just going to try to do one thing and do a BC for a specific application, that's fine, but you really need to look at an overall business impact to really understand what is the most critical within your company. Okay, personnel security policies and procedures.

Speaker 2:

Now, part of the aspects of the CISSP is you need to understand how this works from an HR standpoint, but also from a cybersecurity point of view. So, candidate screening and hiring: you need to be able to conduct background checks, understand the criminal history, education verification, reference checks and so forth. One of the areas that I have seen, not personally, is around education verification. Now, with the advancement of AI and the ability for people to make resumes that look and sound pretty amazing, understanding the education of people that you have or that you're actually trying to hire is an important part of all of this. One of the things that kind of is strong because of this is the fact that you have sensitivities of the various roles that you're trying to put people into, and so, therefore, you need to do a background check on these individuals, both from an education standpoint and from a criminal history standpoint. You also need to verify the qualifications and experience to ensure they have the competence. Now you guys are all taking the CISSP, so there are some steps in place to ensure that you have the right education or, mainly, the right experience, before you can even take the test. Well, you can take the test, but before you actually get the certificate. And so the thing that comes out of that is that you also, as a cybersecurity professional, may want to see certifications that people may have, if that is something that you're actually looking for to help someone with the role. Now you also want to implement the screening process to identify potential insider risks that may be there before you actually get started.

Speaker 2:

I've had a situation where we were hiring individuals that were in a very sensitive area. We had hired an intelligence company, and this intelligence company did background checks, a deep dive into their overall associations, and it was very, very good, helped us out amazingly. There's a company called Strider, very good at doing that kind of stuff. So you may want to implement a third party to help you. Now, employment agreements and policies. You'd want security clauses in these policies, in these agreements, to ensure that, one, you have NDAs in place; two, they have acceptable use policies within your company; security awareness policies or mandates, you may want those within your organization as well. And so this is where the employment agreements and policies come into play in this section of Domain 1.9. You need to have clear policies on data handling, intellectual property and acceptable use. It's very important that you work with your legal team to make sure that you have the right language in there. Now, the language may already be set up within your IP protection people or within your legal teams. They may not think about the cyber aspects, so it's important that you inject yourself into the conversation to try to get that conversation going further. They may want to make some changes to their documents based on feedback that you can provide them.

Speaker 2:

Onboarding, transfer and termination process. This is where you securely provision access based on the principle of least privilege, which basically means it's the least amount that they can have access to, and you provide mandatory security awareness training and distribute the security policies that are out there, make that available for people. So that's where the onboarding, transfer and termination process begins. Now the transfer is where you review and adjust privileges when the employee changes roles or departments. I've seen this time and again where a person will move from one role to another role and they take their credentials with them, which is what we call credential creep, and they end up moving into this new role with a lot of capability that they should not have. Termination: you should ensure you have a swift and comprehensive checklist that helps to get people on and off the organization. Ideally you'd want this automated, but you remove all physical and logical access that they may have, recover company assets, that's laptops, phones and so forth, and then conduct exit interviews to ensure you gather feedback and reinforce the security obligations that you are expecting of them, such as NDAs, those types of aspects. So it's important that you have a good onboarding, transfer and termination process within your company, and this is the part where the CISSP helps you with that and kind of gives you guidance on what you should do.

Speaker 2:

Vendor, consultant and contractor agreements and controls. Again, beginning of 1.9. So you need to extend the personnel security principles that you're planning with employees to your third-party engagements, and this means that for any third party that's coming on, you have robust contracts. You have legal agreements that are set up with these third parties to help you, or to ensure that they are protecting your information just as much as you're having your employees protect this information. So the same type of aspects that you would provide to an employee, you need to provide those to a contractor as well. Now you need to implement continuous monitoring and oversight of your third-party access and ensure that they are being watched just as much, if not more so, than your employees. I've had plenty of contractors try to move data outside of my organization without people knowing about it, and so contractors can be a definite win. They can help your company a lot, because I am one, but they also can be a risk to your organization.

Speaker 2:

Now, compliance policy requirements. You need to also ensure that your policies are meeting the various compliance aspects related to regulatory pieces, such as HIPAA, GLBA, GDPR, PCI DSS, and so in the test, they're going to ask you questions related to these different areas. Do you understand them? Do you understand that you should do them? One of the big aspects you need to keep in mind is, when it comes to regulatory pieces, they're non-negotiable. Now I will say, depending upon the regulatory aspect and the language of the regulatory point, there may be some wiggle room on what you can and cannot do, or what you should and should not do, but that's where you work with your legal team to ensure you have the right plan in place. You want to document compliance measures and conduct regular audits, and ensure that those are completed on a regular, at least annual, basis.

Speaker 2:

Privacy policy requirements. The CISSP wants you to integrate privacy considerations into personnel security practices, especially concerning background checks and monitoring of activities. So you need to make sure that your employees have a document that has been signed about privacy and the fact that you are going to be monitoring their activities. It's important that they get this, that they understand what they're actually signing as well. I've had a situation where the employee was complaining that they don't want to be monitored. However, in the onboarding process and their employee contract, it specifically called out that they would be monitored on a daily basis. It didn't go into the details of how they're being monitored, it just said they're being monitored. The language was pretty open-ended. Now you want to ensure compliance with employee privacy laws and internal privacy policies when handling employee personal information. So, again, all of these pieces are going to be part of the overall CISSP training package that they want for Domain 1.9.

Speaker 2:

Now, risk management concepts. This is Domain 1.10. This is where you identify threats and vulnerabilities. Okay, so what is a threat? It identifies potential dangers that could exploit vulnerabilities, such as malware, natural disasters, insider malice, folks that maybe aren't really happy with your organization. That is a potential threat. The vulnerability, obviously, is the weakness in the system, process or controls that could be exploited by the threats themselves. So you need to make sure that you have a good plan to address your vulnerabilities. These could be anything from unpatched software to not having strong passwords, misconfigurations. I'm working on a policy right now about misconfigurations, or about, I should say, configurations. So again, this is where the CISSP wants you to understand these key concepts. Risk assessments and analysis:

Speaker 2:

The purpose of a risk assessment is to determine the likelihood of a threat exploiting a vulnerability and the potential impact of this event occurring. Now you have two different types of analysis. You have qualitative and you have quantitative analysis. The qualitative analysis, and this gets goofed up a lot by people, including myself. I've made mistakes around this, I say one and mean the other. The qualitative analysis is the subjective assessment. This is where you're getting into high, medium or low, based on your expert judgment. Now I will say I went to an organization and they had high, high-medium, low-medium, medium, low, low. That was way too many choices. Don't do that. Keep it simple: high, medium and low. If there's a critical, then maybe get rid of the low. But bottom line is, keep it very simple. Quantitative analysis: this is where you have objective, numeric... I can't even speak. It's basically numbers. A numbers assessment involving calculations such as your ALE, your single loss expectancy, your annual rate of occurrence. All of those are detailed with numbers. That is your quantitative analysis. That's just basically numbers, quantities. Qualitative is more of a quality thought process around it. How do I feel that it's going to be? I've had to do qualitative assessments on, does this company feel they're going to actually be able to meet the demands of this requirement?

Speaker 2:

Now, risk response. There are different types of risk response, and the first one we're going to get into is avoidance. This is eliminating the risk by ceasing the activity that causes it. Stop it. That's what you're basically doing, avoiding it. You're getting rid of it, or you're not getting rid of it, you're just stopping the activities. Transference is where you're shifting the risk to another party, such as insurance or outsourcing it. This risk is going on to someone other than yourself and your organization.

Speaker 2:

Mitigation. Mitigation is where you're implementing controls to reduce the likelihood or potential impact of the risk. Now, one thing you also will understand is that, as you're going to the board and you're dealing with different folks, mitigation does not mean the complete ending of the risk. It just means that you are mitigating it. It may still be there, and you may be able to get rid of it to zero, but in most cases it's still there. It's just dramatically reduced due to the controls that you are putting in place.

Speaker 2:

Acceptance. This is where you're acknowledging the risk and deciding not to take any action, often due to low likelihood or impact, or a cost-benefit analysis. You're basically accepting the risk. You see there's a problem, but you know what, due to whatever reason, you are not going to do anything more to it. So that is acceptance under risk response, all part of what you need to know for Domain 1.10.

Speaker 2:

Continuing with 1.10, you have countermeasure selection and implementation. This is selecting appropriate security controls based on the risk assessment findings. This would be cost effectiveness, alignment with organizational goals, all of those pieces: selecting the appropriate security control and then implementing the countermeasures effectively to reduce the identified risks. So this is your countermeasure selection and implementation. This is all part of your risk management concepts, basically. And then applicable types of controls. You have different types of controls; you have five different types. You have your preventive, your detective, corrective, deterrent and compensating.

Speaker 2:

So what is a preventive control? This is a control to stop incidents from occurring, such as your firewalls, authentication, all of those different types of aspects that are set up for you to prevent this from occurring within your company. Detective: these are designed to identify incidents once they occur. So your IDSs, your audit logs, and potentially, if you have physical security, your security cameras; those are the detective parts of the controls. Then you have corrective: these controls are designed to fix issues after the incident occurs. You may have an incident response plan that you have to execute to fix the issues. You have backups or patches. All of those as well are important parts that you would use to correct the issue. Deterrent: these controls are designed to discourage attackers, such as having mantraps, security guards, visible warnings saying there's a problem. All of those are deterrents to try to stop people. Razor wire, concertina wire, all those are aspects to help deter people from gaining access to your facility or to your data.

Speaker 2:

Compensating. These are controls that are designed to provide an alternative when a primary control cannot be met. So what happens if you have a control that can't be met? You would then incorporate a compensating control, something that would help mitigate part of the issue. Say, for instance, you have to deploy, I'm trying to think, some sort of password change. Right, and you're deploying MFA, for example. Let's just say you have to deploy MFA to your organization and you still are relying on passwords. Well, what would you do? Well, you could change your passwords or force everybody to do a password change, and maybe before you had only an eight-character password and now you're forcing people to do 15 characters. That would be a compensating control until your MFA is in place. So just things you need to think about that you would put in the interim until that actual control can be utilized.

Speaker 2:

Control assessments. You have security and privacy control assessments. This is where you regularly evaluate the effectiveness of the implemented security controls in achieving their intended objectives. You'll assess the controls specifically for privacy compliance and then ensure that you have PII covered. And again, these are control assessments that you would do, or that you would work with your compliance and security teams to help you do. These happen a lot in the financial industry; you will do an RCSA, and this RCSA is a control, security assessment, and the ultimate goal is that you would put those in place to try to determine, okay, where are we at, what do we need to do, and are there any aspects that we need to cover right at this moment?

Speaker 2:

Continuing on to Domain 1.10, you have monitoring and measuring. This is where you continuously monitor the effectiveness of controls and the overall risk posture through metrics, what they call KPIs, which are your key performance indicators. You have KPIs and you have KRIs; your KRIs are key risk indicators. Now, you monitor the effectiveness of it. What it comes right down to is that this is a metrics program. You really want to have metrics within your company, because it's really hard to know what you have going on if you're not actually measuring it. Then, once you get this completed, you would report: you'd communicate your current risk posture, your control effectiveness and your significant risk changes to the relevant stakeholders. This could be your CISO. Who would that be? That is an important part of the reporting piece of this. So, one, you track it. You determine what you're tracking. You then provide a report to help show how you're doing with this overall plan. Continuous improvement: this is where you regularly review the entire risk management process, incorporating lessons learned and adapting to evolving threats and your organizational changes.

Speaker 2:

Utilize models such as risk maturity models to assess and advance the organization's risk management capabilities. The ultimate point of this is you're just looking back over it over time and you're looking at the maturity of your organization and you're reevaluating it. I see this time and again, where people will go and put something in place but they won't go back and reevaluate the maturity of their company and what they're actually trying to accomplish. Risk frameworks: these are where you adopt and utilize established risk management frameworks that are there specifically for you to be able to provide a repeatable and comprehensive approach. Now, some of these are paid, some of these are not, but you have NIST, you have your Risk Management Framework that's there. You have your ISO 31000. You have FAIR. Those are other ones; FAIR will cost you some money to help you with risk as well, but there are different types of programs that you can use to help guide you down this overall risk plan. Domain 1.11.

Speaker 2:

Threat modeling concepts and methodologies. So you need to understand threat modeling concepts. Because why? Well, one, as a CISSP, you've got to be able to pass the test and they're going to ask you questions, and two, a lot of the stuff you're dealing with is a threat you need to model. What is the threat actually going to go against in my company? Who are these people and what would they be looking for? So it breaks down into four areas. You have your purpose.

Speaker 2:

This is where you identify potential threats and vulnerabilities early in the development lifecycle to address them proactively. Basically, you want to figure out who they are and start getting on it. Goals: to understand what can go wrong. Specifically, if these people or things were to get access to my organization, what can go wrong? What could they get access to? And you need to focus on the applied systems and applications, the scope of what they can gain access to as well. So if it's an external-facing system and they can't get anywhere other than the external side, well, now you know that's your scope; that's what you're limited to. But what could they do? They could deface these web servers. That could be a problem. Then the benefits: reduce the cost by addressing security issues early. So the point of it is, if you get hacked and now you have to bring in an incident response team, it's very expensive. So by understanding all of these aspects in place, you can then potentially come forward with telling the board, or whoever provides the funds for you, that by doing these things we will reduce our risk by X. So again, this improves communication between teams and enhances overall security posture.

Speaker 2:

So that's understanding threat modeling as it relates to Domain 1.11. Some common threat modeling methodologies: we're going to go through just a few of these, and we go through these in the CISSP Cyber Training course, where we have STRIDE. This is where you have spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. These are the different types of threats, and it's just a mnemonic that's used to help you with those. So STRIDE. DREAD: DREAD is damage potential, reproducibility (it can be reproduced, that word), exploitability, affected users and discoverability. This is a quantitative or qualitative risk ranking model used to prioritize the identified threats. And then PASTA: this is the Process for Attack Simulation and Threat Analysis. So it's a seven-step plan or risk methodology that will integrate the objectives and the technical requirements, and it will help you understand what would be a potential attack scenario and simulation that they would come after you with. Trike: it's a methodology that focuses on defensible perimeters. And then VAST: this is Visual, Agile, and Simple Threat. It's a scalable methodology that's used to help agile and DevOps teams. I've worked with VAST a little bit in the past. It works very, very well, and especially when you're dealing with a DevSecOps environment, it works really, really well.

Speaker 2:

Now, as we continue on with Domain 1.11, you have key steps in threat modeling. So you have basically five different steps that you're going to have to deal with when you're focused on this. You decompose the application or system. You need to understand the architecture of the system, understand its components, where does the data go? And then you're decomposing this to find out what are some of the flaws. You're going to find out a little bit more about that system. I had to do this with a device that is in our ERC environment, and it was focused on data flows outside of the United States, so I had to focus on how to get that: where does that data go, who is touching that data, how is that data managed, and so forth.

Speaker 2:

You identify the threats. You brainstorm potential threats using methodologies like STRIDE, and then you also determine and document vulnerabilities within this discovery. And the point of it is that you document these vulnerabilities, and you then will go and put an action plan together to help understand these weaknesses and then go and implement a plan. You determine and document the countermeasures: what are some potential security controls that you can put in place to mitigate the risks? And then you validate and verify: you ensure that the threats are adequately addressed and the countermeasures are effective. So again, that's your threat modeling plan. You decompose the application and understand it, identify the threats that could come after it, determine and document the vulnerabilities against it, then determine the countermeasures to protect it, and then validate and verify that it's actually what it is. So those are the different steps related to threat modeling.

Speaker 2:

Moving on to Domain 1.12, risks associated with hardware, software and services. Hardware: this is associated with risks from embedded malicious components, counterfeit devices, tampering during transit, insecure firmware. All of those fall within the hardware piece of this. Now, one thing to keep in mind: I had counterfeit equipment in Europe I had to work through, and this happens especially with organizations that will go out and purchase the equipment on their own. You run into malicious, and, I should say, counterfeit devices, so be prepared for that. Have a plan. Software encompasses vulnerabilities in third-party code, malicious dependencies, insecure libraries and supply chain attacks. So those are the different risks that are associated with software. And then also with your services. This includes cloud and your managed service providers. This would be vendor security posture, data residency, access controls, incident response capabilities. All of those fall within the services that an organization may provide you, and so you need to understand the risks with that. One would be around incident response. If there's a situation that occurs where you have to call your incident response team and they are unavailable, how do you handle that? And maybe you have to pay so that they become more available, I don't know. Something you're going to have to consider. Third-party assessments and monitoring: when you're dealing with supply chain risk, it's due diligence.

Speaker 2:

You need to conduct thorough security assessments before engaging the third party. Unfortunately, sometimes it happens where the third party is already getting ready to be signed on the contract and now they're going, we need this risk assessment done. That makes things very awkward. Very awkward and very uncomfortable. Contractual agreements: you need to ensure that you've gone through the contractual agreements with them. This includes defining audit rights, incident notification processes and data protection clauses. So, again, third-party assessments and contractual agreements are important factors; you need to get involved with them early. And then ongoing monitoring: you need to monitor your third parties. Most of these different types of regulatory requirements require something along those lines. NYDFS does require third parties to be monitored, and there are various frameworks that I would highly recommend for financial institutions, including CRI, which helps give you the guidance on what you need to do as it relates to monitoring folks. But ongoing monitoring, again, is where you monitor your third parties' security posture, performance and compliance throughout the entire contract lifecycle. This may involve regular security reviews, vulnerability scans, all these types of aspects that could apply to your third parties, and I highly recommend that you do this.

Speaker 2:

Focus on your third parties. They are one of the biggest risks to your organization. Continuing with 1.12, you have minimum security requirements. Now, this is an important part. Like I say, oh, this is an important part, right? But for your CISSP, this is an important part. Around minimum security requirements, you need to establish and enforce a baseline of mandatory security controls that all third-party providers must meet. Okay, important factor: you need to do this now. If you're a security person, I'd highly recommend it. If you're taking your CISSP, I highly recommend it. You need to make sure that you have a good plan for this. Again, this is commensurate with the risk that they pose. If they don't pose a whole lot of risk, well then maybe it isn't such a big deal. I would actually figure out what your minimum baseline security posture is for your organization, and then focus that on everybody, and then work from there. If somebody has access to your most sensitive crown jewels, then you layer on different types of requirements for them, and then you build that into your contracts. These requirements should cover areas like access management, data encryption, patch management, incident response, all those pieces. Again, you need to set minimum security requirements and call that out within your policies and your standards.

Speaker 2:

Service level requirements: these are your SLRs and your service level agreements. You'll need to know those for the test. You need to define clear security-related performance expectations and metrics within your contracts. If they are an MSP for you, you need to have clear expectations around resiliency, backup and recovery. This would include recovery time objectives, recovery point objectives. You need to have incident response notification timelines. All of those would need to be built into your service level agreements or service level requirements, based on the contractual language you have. What does that mean? Does it mean you don't have RPOs and RTOs that may be different for your third parties than you would for internal? Yeah, you may, and that's fine, because maybe they are a full SaaS provider and you're expecting RTOs and RPOs at a higher level. But you need to make sure that if you have a higher standard for your RTOs and RPOs internally, you don't have loose standards for your third parties. You need to have as strong, if not greater, for your third parties.

Speaker 2:

Now 1.13, the last melon. This is the last subsection of Domain 1's Rapid Review: security awareness, education and training. This is an important part, and a lot of times it is lost, but it's a very, very important part, and it's one of those where, if you work this with your people, it's going to go a long way and it will help you amazingly over time. But this does take time. So, methods and techniques for presenting awareness and training. One, social engineering awareness: you need to educate your employees on social engineering tactics. I was Jennifer, and I used to go after pilots. And no, I did not change my gender; I just was that online, and I would do that online towards these pilots, and guess what? They gave me all kinds of stuff.

Speaker 2:

Social engineering, yes. Social engineering tactics are an important part. Teach your people how to identify and report them, and conduct simulated phishing campaigns. That's what you need to do. Always do those phishing simulations. Again, you need to send simulated phishing emails to employees because, why? That's one of the main ways the bad guys and girls can get into your organization, and the employees test their vigilance, and you identify vulnerable individuals and then fire them. No, try not to fire them right away, but you may want to give them some counseling before you fire them. Security Champions Program: this is where you train enthusiastic employees from various departments to act as local security advocates. This works really well, actually. I had this program operating within my company, and you have some really strong people that really enjoy security and they are big advocates, and those facilities were the strongest because of them, and it was a very, very good program. Gamification: incorporate game-like elements, leaderboards, badges, challenges and all that stuff, to motivate people to make sure that they don't click on the wrong links. Works well.

Speaker 2:

It can come with a cost, so you just need to be aware of that. Interactive modules and videos: engaging, short, relevant e-learning modules and videos that focus on practical security behaviors. I would say the stuff that you can buy is really good, but what also works well is when you, as a security professional, are talking to people directly. Even if you put little videos together, those things go a long way, because they see actual people like you. Regular communication: utilize various channels, such as internal newsletters, posters, intranet announcements, team meetings, anything like that, as communication that goes out from the security team. That's an important part. That way, people know that you are engaged and you are involved, and they like that. That's an important part of any security awareness training program.

Speaker 2:

Continuing on, we have periodic content reviews. You need to update your content. So update training content to reflect current threats, because they do change, new technologies, obviously AI, and then changes in your organizational policies due to a new CISO or whomever is now running the show. So you need to make sure that you have content reviews on a routine basis. You ensure the content remains relevant and engaging to the audience. It's not just boring. I will tell you that some of you might be listening to this and you're falling asleep. I'm sorry. But some of you might be listening to this going, oh, this is awesome, and so therefore you need to try to keep it engaging. One of the guys that listens to my podcast on a routine basis sent me a note saying, yeah, as I'm feeding my child at 2 am, I'm listening to you, and I'm like, oh dear Lord, I feel bad for your child, because you'll probably fall asleep as you're feeding your child.

Speaker 2:

Program effectiveness evaluations. Because I did that a lot. Yeah, when I was feeding my kids, I was asleep when I did it. Oh, sorry. I digress. Program effectiveness evaluations. Metrics: measure the success of the program through various metrics, such as reducing the phishing click rate, as well as through security quizzes, decreased incidents, specific security policy violations and the number of reported activities.

Speaker 2:

The metrics help amazingly with all of these different aspects, but if you're not tracking it, you're not measuring it, and it's really hard to do much about it. Feedback: you need to collect feedback from employees on the training and the training content as well. They'll be your best source to tell you whether it's good or not, and you need to try to get that information from them as quickly as you possibly can. Adjustments: use evaluation results to refine your methods, your content and your frequency, ensuring the program continuously improves and meets the objectives that you have set out. Again, it's important for you not just to put out the training, but for you to actually go review it and then look at the effectiveness of the training, and then pivot if it's not being effective.

Speaker 2:

Thank you again for joining me today. Again, you can go to CISSP Cyber Training and get access to all of my free resources, from podcasts to study plans to questions to my blog. All of that is at CISSP Cyber Training. Or, if you really truly want to get into the details of it and have it walk you through step by step, including the book itself, you can go to my paid site, where there are 36 hours of all my CISSP content. There are CISSP questions, deep dive topics, you name it. It's all available to you on the paid site as well. Whatever works for you, free resources, paid resources, it doesn't matter, head on over to CISSP Cyber Training and I can get you everything you need. All right, have a wonderful day and we will catch you all on the flip side. See ya.