
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 264: Control Physical and Logical Access to Assets (CISSP Domain 5.1)
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
Looking to strengthen your organization's defenses against unauthorized access? This episode dives deep into CISSP Domain 5.1, exploring the critical components of physical and logical access controls that protect your most valuable assets.
We begin with a startling discussion about China's "Maciantool" - sophisticated software secretly deployed at security checkpoints to extract SMS messages, GPS data, and images from travelers' phones. You'll learn practical strategies for protecting executive devices during international travel, including recommendations for burner phones and proper security protocols at checkpoints.
The foundation of effective access control starts with proper identity proofing and registration processes. We examine how to match verification rigor with resource sensitivity and explore the four authentication factors: something you know (passwords), something you have (tokens), something you are (biometrics), and something you do (keystroke patterns). Understanding how multi-factor authentication leverages these factors is essential for building robust security layers.
From preventative controls that stop unauthorized actions before they occur to detective measures that identify incidents after the fact, we break down each access control type with real-world examples. You'll discover how physical barriers like fences and man traps work alongside compensating controls when primary measures aren't feasible, plus strategies for implementing corrective actions after security breaches occur.
The principle of least privilege emerges as a central theme throughout our discussion - granting users only the minimum access necessary prevents credential creep while maintaining operational efficiency. We also emphasize the critical importance of documentation, regular testing, and effective communication channels for all access control measures.
Visit CISSP Cyber Training for free resources including practice questions, study plans, and additional podcasts. Ready to advance your cybersecurity career? Check out our mentoring programs designed to help you maximize both job fulfillment and income potential.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2: Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is, yes, Domain 5. We're going to be talking about Domain 5.1, Control Physical and Logical Access to Assets, and if you're new to CISSP Cyber Training, this is what we do. On Mondays, we actually go over the domain, we have training about the specific domain, and then on Thursdays we will go over some CISSP questions related to the domain or maybe a deep dive into specific questions in general. So that's the overall goal with this today. So that's the plan.
Speaker 2: But before we do and before we get started, I wanted to go over one article that I saw today that kind of strikes close to home. So I don't know if you all know, I have been in China multiple times. I've got three Chinese children that we adopted, as well as my job in a previous life brought me to China quite a bit. So I have been to China a few times. Obviously, there's people that go there all the time, but I've been there enough to know a little bit about the culture and a little bit about dealing with security in China. And, yes, this is an article that talks about it from the Hacker News about China's Maciantool (I don't even, I probably just totally butchered that name) secretly extracts SMS, GPS and images from confiscated phones. Now, this is something that you deal with when you go through security within China. You do have the risk that you give them potentially access to your data and actually to your devices that go through their electronic scanning methods, and I've seen it in the past where they've taken my laptop, taken my phone, and they have walked off to a separate room and they've done something with it. And this is one of the areas that we always recommended, as a security leader, to our senior leaders that are going to China. There were some things that we put in place to help them mitigate some of this risk, and the ultimate goal is you're trying to help mitigate it and minimize the risk to your CEOs, your CFOs, the people of influence within your organization.
Speaker 2: There are some things you need to do, but a little bit about this tool before we kind of get into that. This tool has the capability to look at different types of messages, right, so your GPS data, your SMS, your contact information, your various email messages as well. Now, it is basically designed very similar to Cellebrite and a lot of these other types of tools out there that will then basically suck in all the data that you have on your phones, and they will potentially use it for investigations. Now, Cellebrite and those other ones are designed for a lot of forensics investigations. They get a cell phone, they'll plug those in, they use them for trying to get the information off of them. But the bottom line is this will happen at your check-in, usually going into China. If they feel that you are somebody they want to look at, they'll take your phone and they'll try to access the phone itself specifically. Now, this thing actually works around putting some level of software on the device itself, and by doing that, it is able to get very permissive access to the phone.
Speaker 2: Now, one of the things you need to keep in mind is, one, obviously you need to have it locked prior to going in there, but I would highly recommend that you have it even turned off. Now I've had them ask me to turn it on. They've never asked me to actually unlock it, but they have asked me to turn it on when it was turned off, and that includes both my laptop and my phone. It's kind of rare. It did happen, though, from the times that I've been there, maybe twice that it actually happened, where they did ask me to turn it on.
Speaker 2: But it does have the ability to get information off of this phone, and so therefore, you need to understand: is that something you really want to do? Now, it doesn't, at this point, have the ability to bypass it if it is locked. There are tools out there that can do this, but right now, this one does not have the ability to do that, from what I've been able to dig up. So the bottom line is, one, have a PIN on your phone. Two, you need to have it turned off and not turned on, and definitely not have it unlocked when you're going through security. It does require physical access to the phone, obviously, and it does install the app on there. So there's a lot of different aspects to it.
Speaker 2: The point I wanted to bring up around this tool (and you can go check it out online) is the fact that it does have the ability to get into your phone, and you can expect to see it used in various security places in countries where they are actively looking at data, and the Chinese government just had a recent article that came out that if you are saying anything (and this isn't anything new) against the government, especially from an online presence, it can get very challenging for you. So I highly recommend you take this, get a chance, take a look at this article. I also recommend that you get into understanding these different types of forensics tools that can be used, one, because it can help you with your company, because I've had various individuals that have used company phones and have used them in ways that were not appropriate, and we've had to do forensics analysis on their phones, and I've had to outsource it to a third party to do this. We didn't have it at the time in-house, plus legal counsel didn't necessarily want it in-house, and in the process of doing that, you have to have the ability to chat with them and understand what are they doing to these phones. So there's a whole process that would go along with this, but something just to keep in mind: if you are a security professional looking for how do you take care of your people and also how do you take care of your company, you need to understand how these phone forensics tools work.
Speaker 2: And again, if you're going into China or into countries that are similar to China that maybe are not as privacy friendly, you need to make sure that you enhance and you also provide some documentation to your leaders on what they should do when going into the country, and that would include burner phones, burner laptops, different types of capabilities, and again, I would recommend that you put together a training for them. Do not assume that these folks understand this; you provide what you need to the leaders and let them know what they should be doing when they go in country. That worked out very, very well for me. It also is one of those things where, if you're trying to move up in the company, it gets you good face time with the bosses. But I would get, more than once, a senior executive texting me in the middle of the night going, hey, they're wanting this at the check-in for security. What should I do? And it's better to get ahead of that before they're actually trying to get a hold of you in the middle of the night when it's daytime over there and you're trying to sleep. So I highly recommend you go check out this article and then get a plan in place related to forensics and mobile phones.
Speaker 2: Okay, so let's get started in what we're going to talk about today. Okay, so today's training is going to be over Domain 5, 5.1, Control Physical and Logical Access to Assets. That is a mouthful. Sorry, I struggled with that one. Well, before we get started, I wanted to cover a couple of quick things. This is Domain 5, so if you are studying for your CISSP, you know about 13% of your CISSP questions come from Domain 5. So we'll be getting into the various aspects. Understanding what you need to do to pass the CISSP is an important part, and about 13%, which is a pretty good amount, is going to be coming from Domain 5.
Speaker 2: Before we get started, I want to talk about what you can find at CISSP Cyber Training. I've got a bunch of free resources available to you. I've got weekly podcasts. I've got a three to five month study plan. I've got 360 questions that are available, a blog, YouTube, audio and video content all available on CISSP Cyber Training. But on top of that, I have a bunch of paid resources that will help take you to the next level, from a deep dive into your CISSP down to mentoring and career goal setting. All of that is available. And then, if you need some consulting, that too is available as well at CISSP Cyber Training, so there's a lot of great content available if you go to CISSP Cyber Training and check it out.
Speaker 2: Okay, so let's get started in what we're going to talk about. So the first thing we're going to talk about is registration, proofing, and identity establishment. So when you're dealing with registration around access, this will require a user and entity to be able to provide the initial information you need to be able to be registered, and this includes proofing, which is identity verification. Now, this is an important part of any sort of method that you have to identify and to understand and control access, and this step is to confirm the claimed identity of the individual. Now, this may range from a lot of different things, from knowledge-based questions to document verification, to biometrics or in-person checks. I've dealt with this specifically when working with employees, and you would have to come in with your birth certificate or a driver's license, something that had to verify who you were, and this can be done in many, many different ways.
Speaker 2: Now, the establishment of the identity is an important part because, without that, it doesn't link the unique identifier to the verified individual. So that way, you know Sean Gerber is who Sean Gerber says he is, and I had to do this. When you start with a company, you have to verify who you are. Once that is done, then that's when they begin the whole onboarding process. Now why does this matter? It's the foundation of secure access controls and it does help prevent unauthorized access.
Speaker 2: In a previous life, I was able to create access in various networks without anybody even knowing what I was doing, and that was relatively easy in the past. Now it's gotten more complicated as enterprises have gotten better with access control, in that there is actually a governed process by which you can access or add a person to a network, and it has to have certain checks and balances to ensure that that can be done. The days of just going in and creating a new account are becoming less and less frequent, that you have the ability to do that, and it does enable accountability, which is an important part. And we talk about a lot of things in security; governance is one of the strongest ones that we have to really deal with, because technical controls are relatively easy to implement. It's the governance, it's the processes that are behind it, that are such a crucial part of any sort of security program.
Speaker 2: Now there's some key considerations that you need to understand: proofing rigor should match the resource sensitivity. What does that mean? It means that if you have a very sensitive position within an organization, there should be maybe potentially many different forms of identification that you may require. If it isn't such an important position, maybe it is only one level of identification that would help you with that. So it really just kind of depends upon the role. Now, I would say, in many corporations they don't have time to be dealing with those different types of things, so they'll give everybody the same amount, and I think that's probably the logical place to go with this. However, as someone gets access to more sensitive data, there's other levels or other checks and balances that are put in place to help mitigate potential wrongdoing that could occur.
Speaker 2: Now we get into authentication factors. Authentication factors are very different, right? So you have to verify the claimed identity of this person. Are you who you say you are? Are you that person? I don't know. Could you be an AI-generated person? All I can tell you is that some of the things I'm seeing now with AI, obviously you can see some of the issues when you run it. I just saw a video of Trump and Epstein, and someone just put this together and, political stuff aside, the interesting part of it all is that it was pretty darn good, and the fact is that it can bring all of this to life with just some basically command line access to it. So it's pretty amazing.
Speaker 2: And now they actually have the audio aspects, where people have been compromised from just trying to. They've been scammed for money because they will use individuals' voices to scam people out of cash. So it is becoming a bigger and bigger issue. So therefore, you need to really, more than ever, understand: are you who you say you are? So an authentication factor is "something you" dot dot dot, and what is that? Something you know, you have, you are, and you do, and what does that mean? So something you know, that would be a password, a PIN, some level of security questionnaire. This would be all memory based, and that is something you know. Something you have would be a smart card, a token, a one-time password type device, mobile codes. All of those things are based on possessions, having them in your hands, having your grubby little fingers on them. That is something you have. And then something you are, that would be your fingerprints, facial, iris, voice recognition, any sort of biometrics that are there. All of that is something that you are, and then something you do. This would be keystrokes, gesture patterns, and that would be action-based, and so maybe you have a certain way that you type in a password and that would then pick up on that. So the ultimate goal is that it's using these multiple different things about you to determine is Sean who he says he is, or is it not Sean? Is it his wife or is it a computer?
Speaker 2: Multi-factor authentication. We've talked about this a lot on CISSP Cyber Training, and this is the use of two different factors for stronger security, and this is passwords as well as one-time passwords. Multi-factor authentication is an important part of any security mechanism and you should consider it if you haven't already. Why is this key? Obviously, it enforces access controls, protects resources and enables accountability, ensuring that the person who is logging in is actually who they say they are. Now, access control types. What are some of these different types that are available? These are designed to measure and manage and potentially restrict resource access. You have preventative. Now, this will stop unauthorized actions before they occur. This could be something such as a lock, a lock to a room, a firewall, any strong authentication or security policies as well. You have detective, which identifies and records incidents after they occur. This could be security cameras, intrusion detection systems, audit logs, you name it. Those are the detective side of the house.
Speaker 2: The physical would be your tangible security measures to protect physical assets: fences, guards, locks, man traps. This is something that you'd use in trying to limit access to specific facilities. I've been through many fences and guards and man traps, and there are ways that we get around all of them, but they're also put in place to help restrict or limit your access, because if you have a fence, you get around the fence, then you have a guard that's waiting for you, then you have to work through that, and then you have different man traps you gotta work through. It gets to be very challenging and problematic, and so, therefore, you go, well, if there's all these different layers of protection, it's pretty hard to get in without someone seeing you. So then you have to figure a way around that, which is definitely doable, but it does make things a little bit more challenging.
Speaker 2: Compensating: these are alternative controls when primary ones are not feasible. This would be encryption instead of strict physical access controls, and one of the things that you want to consider is, do you have compensating controls for your data sitting outside of your organization? That could be physical access, where you also have encryption in place, but the data center in which this information is stored has limited access to who can gain access to it. There's been multiple data centers that you can't just walk in and say, hey, I want to go look at my data. No, I mean not that you'd actually see it, but you can't just go do that. You have to actually have a very strong, drawn-out plan and you have to work with legal and many other people to be able to gain access to many of these data centers. You just can't go walk in there and say, hey, I want to go look at something. So there's all these different compensating controls that are put in place and different access control types. Continuing on with the access control types.
Speaker 2: This one we're looking at is corrective. This remedies the incident impact and restores the system. So this would be patching, backups, incident response procedures. All of those would be a corrective control. Administrative control types would be your policies, procedures, guidelines, all of those aspects that are designed to help protect or govern your security practices. Security awareness training would be an example, doing background checks, the provisioning process for different access or even for devices themselves. So this would be the administrative piece of this. Logical and technical.
Speaker 2: This is where hardware and software mechanisms are used to control access to digital resources. Do you have an access control list in place? Do you have encryption? Do you have passwords? Is there any sort of biometrics to gain access to the information that's sitting on these systems? One of the things, if you had laptops, people turn in laptops. There was a process by which you would store these laptops away for decommissioning, wiping, erasure, whatever that is, but you don't just let them sit on desks. You actually had a process in which you put them in a locked room.
Speaker 2: So, again, logical and technical pieces around that. Then deterrent. This discourages individuals from attempting unauthorized access. Man traps are one example, right, but it's also policies. Maybe it's an acceptable use policy, where it could tell the employees that if you use the tools or the different devices in an inappropriate manner, you could lose access to the information that you have. You could lose your job, you could have, say, or face civil sort of penalties. There's all kinds of things that can happen with acceptable use policies, and again, that would be a deterrent saying, if you do this, there could be a price to pay.
Speaker 2: So why do they matter? What's the important part about all this? They enable a layered security approach, such as defense in depth, and they help you select appropriate controls for the specific risks. And the bottom line is they help support a comprehensive security implementation and program that you have within your organization. So access controls are really, really important. Some key considerations related to preventative access controls: effectiveness. The controls must be robust enough to prevent the types of attacks the systems are likely to face. This includes both external and internal threats, and sometimes it's easier to determine the external threat than it is the internal threat, and that would be your folks that are working for you, or it could be, I mean, as simple as someone working as a janitor. I've gotten into many physical locations by posing as a janitor working in an area or working as the IT consultant, because I can speak that language, and then, therefore, people really want to have their internet go fast and they all have internet connectivity issues. So, as you show up as the IT guy saying, hey, by the way, I can help you with your speed, let me look at what you've got going on, they tend to let you in pretty quickly.
Speaker 2: Usability. Controls should provide security without unduly hindering legitimate users' productivity or access. That is one of the challenges. You really have to balance the security around usability. If you just go out there and try to implement all these security controls and you're causing impact to your employees and to them creating profit, that can be prohibitive and very painful for you. The cost of implementing and maintaining controls should be justified by the value of the asset being protected and the potential losses from a security incident. Again, a risk assessment can help you determine what is the appropriate level of investment you should consider. A layered approach is always an important part, and this would be defense in depth. Now, these preventative controls can be the most effective when they are layered with other types of controls, such as detective, corrective and so forth. It does provide a level of redundancy that helps ensure, if one fails, you've got a backup, and then you should review and update these on a constant basis, at least annually. I would look at all of your controls and determine how they are in place, address any potential new threats, vulnerabilities or any technologies that might be coming. AI is one of the examples where that new technology could actually upend many of the security things you have in place.
Speaker 2: Detective access controls. Okay, these measure and detect and record unauthorized activity. Now, the purpose of them obviously would be to identify any sort of security incidents you may have, monitor system activity and then provide some level of evidence if they ever had to go to a court system because of the situation. Now, some examples around this would be your IDS, your intrusion detection, your SIEM (obviously that's your ArcSight, it's your Splunk), audit logs, security cameras, motion detectors. Honeypots are a good example of something that might be sitting in your network that would provide some sort of evidentiary aspects, and then regular security audits. These are the detective aspects that you may have to deal with for your organization.
Speaker 2: Now, some key considerations around the detective side: the effectiveness, or the ability to reliably detect the various types of attacks, both internal and external. Again, you need to have minimal impact on the performance of your organization, and all these controls really need to do that. You don't want them to impact your people and your processes. But you need to really weigh out the cost-benefit analysis of putting these in place. Does it justify the expense for the implementation? And here's the key kicker: the maintenance in relation to these systems, because it isn't just set it and forget it. You have to maintain these systems, both from a technical standpoint, from a licensing standpoint, and then from a process standpoint. You have to have that as well. Layered approaches as well. They are dealing with preventive, corrective, and they need to be all layered in. And then again, finally, you need to regularly review and look at these systems.
Speaker 2: Physical access controls. Obviously, we talked about fences, locks, security guards. These protect the physical assets and ensure personal security and safety. One thing to consider is, if you are putting in cameras in your location, you make sure that you don't just put in the little bubbles that show, hey, I've got a camera behind this bubble. You need to make sure there's a camera behind it and you need to make sure that it's recording. Using those to just kind of scare people isn't really useful, and most people realize that cameras aren't on 24 by 7, and so many people can go and do what they want to do and they're not too concerned about it. Plus, with as many people that have phones and have cameras on phones. I just saw today that there were, out in California, some people driving very nice cars who were robbing places, businesses, stealing the information, stealing their products out of these businesses and getting in their cars and then driving off, and they're being videoed on camera by gobs of people with cameras. So you know, it's one of those things where there's a camera everywhere.
Speaker 2: If you're going to put these cameras at your locations, you need to make sure that they actually work and that they're recording to something. At a minimum, they're on a constant recording loop, and they just go over and over and over again, so you can at least go back and look at them. I've been caught many times, and seen putting things in place in data centers, because someone was actually watching the cameras after the fact, which is good, because if you didn't watch the cameras you wouldn't know that I put that USB drive within your server, and at least going back and looking at your video, you would go, oh, here goes Sean. Why is he in here? Oh, what did he do there? Why did he do that? And you now know where I put my USB stick, so important part.
Speaker 2: So we talked about lighting. Uh, we didn't talk about lighting, but man traps, surveillance systems. Uh, lighting's an important part. Obviously, light the world up, the more light you can, to expose any sort of potential perimeter aspects you have. With fences, fences are easy to circumnavigate, especially if there are dead spots where they're not lit up. It's pretty easy to see some person crawling over a fence when it's lit up like it's the middle of the day, but it's not as easy to see someone crawling over a fence when you've got dark spots and it's black as night. So, yeah, that's an important part of any security, physical security within a location.
Speaker 2: The ultimate goal again is deterrence. When you're dealing with physical, you've got visible controls to discourage unauthorized access. You have prevention, where physical barriers block entry. You have systems in place to identify any sort of security breaches, and then you have procedures and personnel, from a response standpoint, that are ready to address any incidents that do pop up. So now we move into compensating access controls. So these are basically alternative controls used when the primary controls are not feasible or effective, and the bottom line is that you have a control, and for some reason it isn't working, or maybe it's too cost prohibitive to put that primary control in. You may put in a compensating control. In this case we have compensating access controls.
Speaker 2: Now, the purpose of this is to provide a similar level of security. Again, the key word there is "similar." When the intended control cannot be implemented, it's gonna be implemented. It's going to be similar. It may not be as good as the original control, but it's just something that you may have to put in, and you may have to deal with the risk associated with that. So some examples around this would be the use of strong encryption when your granular access controls are not potentially possible. Implementing security awareness training as a substitute for missing physical security measures, and this may be where you have a thing set up, where they go and you see that they have not been following the man trap rules that you have in place, and so now they have remedial security awareness training they have to accomplish. So those are just different types of controls you could put in place. A detective control, such as continuous monitoring, when a preventative control, like automated patch systems potentially, is unavailable. So again, those are just some different examples around compensating access controls.
Speaker 2:Now some key considerations when talking about and dealing with this: the equivalence, right. So the compensating control should provide a level of security that is equivalent, ideally, to the primary control. It isn't always the case, but you want to get it at least as close as you can, on par with the original control. A risk assessment: this is where a decision is made to use a compensating control because you did a thorough risk assessment. So you'll do a risk assessment. You'll see there's an issue. You may go, you know, the regular control I can't use, so I will use a compensating control, and that would be a result of a risk assessment that may have happened.
Speaker 2:Documentation: the compensating control and the reasons for its use should be clearly documented, obviously. So one of the issues I've seen in the past, and it happens a lot, is the fact that someone will put in a compensating control but they won't document that they actually did it and they won't document what it's actually compensating for. So you come in there and you're like, well, I'm assuming they did it for this reason, but I'm not really sure. So the documentation is just as important as actually implementing the tool itself. You also want to have some level of regular review. You want to go over these controls at least, if possible, on an annual basis, if not once every two years at a minimum, but ideally you want to have this on a routine basis that you're looking at these. Highly regulated entities will have a specification that they will have to do this within a certain period of time, so keep that in mind. Regular reviews are very important.
Speaker 2:Now, corrective access controls: these are actions to repair damage or restore systems and then potentially mitigate an incident's impact after a breach or after some sort of incident in relationship to that. Now, the purpose of this obviously is to limit damage, right, and restore the systems. You want to make sure that you put this in place. These corrective actions have been done to limit what occurred, or potentially have it occur in the future, and then to prevent it from reoccurring potentially again. Now, some examples around this would be system recovery: you have backup systems, you have systems that are being rebuilt. Incident response: you have plan activation, root cause analysis. Those are some examples around corrective actions or access controls that you'd put in place from those. Patching and updates, removal and quarantine, remediation, reconfiguration, all those are big factors as far as what are some corrective actions you would put in place. So, again, you want to make sure that it's designed to repair any damage that's there, restore any systems and mitigate any potential impact now and in the future.
Speaker 2:Some key considerations when you're looking at corrective access controls: Timeliness. Rapid response is key, and it's crucial, one, to limit the damage and also to reduce your recovery time. The other thing is that if you're not restoring this in a timely manner, it will reflect badly upon you at the end of all this if you're just basically taking a very lackadaisical attitude towards it. Depending upon lawsuits that may come, that could also have a direct impact. So the faster you do it, the better off you are. Now, effectiveness: corrective actions must fully address the root cause to prevent repeated incidents. You must go back and double check, and this would come down to root cause analysis that will occur.
Speaker 2:You want to make sure that you have a really good, detailed response and disaster recovery plan, and this is the planning piece. A lot of times, people will say, yeah, I've got a recovery plan. Yeah, we're always dealing with incidents. But if you don't have a good response plan, and if you don't test it and go through it through various exercises, you are really truly setting yourself up for disaster when, and if, not really if, when it does happen to you and your organization. So planning is everything, and I know the comment is bad planning leads to bad results, but there's other words you can use. The bottom line is you have to plan, and if you don't plan, you plan to fail. Now, testing: you need to have regular testing of the corrective measures that you have in place. And this comes back to what I mentioned before, some level of automation, some level of testing. It's important to have exercises. Then you're testing your incident response process, to include disaster recovery drills and so forth.
Speaker 2:Again, back to documentation. Everything comes back to documentation. You must document what you're doing. Now, it can go to the extreme, and you can document every little detail and it gets to the point where it's very wasteful. That can happen and, depending upon the organization you're in, you may still have to do it, even if it is wasteful. But documenting what you're doing, documenting the plan to respond to this, all of these areas are extremely important, and then you need to store this documentation so that individuals can get access to it. You don't put it in a location where no one really even knows it exists or no one has access to it. Communication: clear communication channels for reporting incidents and coordinating response are an important factor as well, and this comes down to having all this predefined, pre-established, ready to go in the event that there is an incident or something that has to occur. You at least have been talking about it, you understand the situation and you can address it very quickly.
Speaker 2:Administrative access controls. Now, these are policies and procedures and guidelines that govern the resources themselves. These controls are focused on people and processes rather than the technology, and we talk about this a lot. There's people, processes and technology. This is focusing on the first two, people and processes. The technology, like I've said before and especially during all of this, is that the technology can be done very quickly and, in many cases, can be done very easily. It's the people and the process part, and the process especially is a big factor, that are typically not done very well, and because of that, then you have all kinds of issues that you have to struggle with as you are moving forward with whatever plan you're putting forward. Now, to establish rules and responsibilities for managing access,
Speaker 2:you need to set this up and you need to utilize a framework with both the technical and physical controls in sync. Now the question is, what framework do I use? Well, there's various frameworks you can use. And bottom line, what is a framework? It's an outline, it's a plan, it's something that you can follow that will get you going down the right direction.
Speaker 2:Now, what are some examples of this? We've got security policies, obviously high level statements around the organization's security objectives, their access control requirements and so forth. This could be your acceptable use, password policies, data classification policies; it's the high level verbiage of what your company does. Security awareness training: these are designed to educate employees about security risks, their responsibilities about protecting the organization. This is all kinds of topics, to include phishing, social engineering, data handling, you name it. But there's various levels of security awareness training that you need to provide to your people. Background checks: investigating the backgrounds of employees, determining if they're trustworthy, which we've kind of gone over.
Speaker 2:Separation of duties, or you'll see this as an acronym of SOD. Separation of duties is very critical, especially in critical business functions where you can deal with fraud, errors or abuse of power, where they have a lot of influence in these areas. This is where separation of duties needs to be implemented and well documented. Access provisioning and deprovisioning: again, having a good plan to provision equipment but then also to deprovision it. And the reason I say that is because if you don't have a good plan, then next thing you know a lot of these assets, let's just say you have laptops, they will go missing because there's not a good way to have accountability and you don't have a good deprovisioning platform and process in place.
Speaker 2:Now some key considerations at administrative access controls: you've got policy enforcement. They have to be effectively communicated, implemented and enforced, and that is a key factor. Don't just give them lip service. You have to actually enforce the policies that you put in place. If you don't enforce them, don't have them, and that's a bad idea. Right, you've got to have them, so you need to enforce them. Training: you need to educate your users around the responsibilities they have within their organization, and it needs to be ongoing, relevant and tailored to specific roles, and the key on this is that it has to be relevant also. I come back to that because I've seen so many different types of training that have been put on that are years old and they don't ever dust them off, because somebody came in, developed a good training program, that person came and left, and now they just use that program even though it's probably 10 years old and needs to be totally gutted or totally refreshed.
Speaker 2:One of the two, least privilege: granting users only the minimum level of access necessary to perform their job functions. As we know, people will use and abuse their function within their company, so you need to give them the minimum level to get the job done, no more than what's required. Now, that can be a very squishy area. And then we also talk about credential creep, where someone will be in a role and they'll move on to a new role and they'll take the credentials they had before onto this new role. And next thing you know, you've got this super user that's been with a company 30 years and they can do everything, which is a bad idea. But bottom line is you need to understand least privilege. Documentation. Oh wait, you've seen this again, right? Document it all. This includes auditing, compliance, incident response. All of these things need to be audited.
Speaker 2:At CISSP Cyber Training, we're building out a program to have a lot of these things. It can be available to you in a template form. It's just great. So if you are a security professional and you're looking for something, again, these are training materials. They're not legally binding by any stretch, but they're something that you could use and then tweak to what you and your legal department may want. So those are some things that we're developing within CISSP Cyber Training.
Speaker 2:Okay, so that is all I have for you today at CISSP Cyber Training. Head over there, go check it out. There's some great content for you, great packages there available for you at CISSP Cyber Training. I guarantee you you will enjoy it. There's a lot of good free stuff. There's also some really good packages.
Speaker 2:If you need some one-on-one help with the CISSP, or the fact is, you know what, you just need some career guidance. You can go right now and spend a bunch of money on some guy that maybe will try to teach you something and maybe had a great career and had a job and made good money. I'll tell you right now, I started from being an aviator all the way up to being an assessor of a very large multinational company. From anywhere from security architecture, I've hired security analysts, I led a SOC, I've led red teams. I can help you. Go check out my mentoring program. That's going to be available to you. It's going to be awesome and I really truly guarantee it's going to be a great way for you to help grow your career.
Speaker 2:Understand maybe what are some of the steps you can take to actually enhance your career and make it better, to maximize both your fulfillment of the job and also maximize your income, because, again, as you move up in the ranks within the security world, your income usually goes up quite substantially in some cases. So it's an important part. Go check it out at CISSP Cyber Training. Thank you guys so much for joining me today, and we will catch you all on the flip side, see ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube; just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.