CISSP Cyber Training Podcast - CISSP Training Program

CCT 266: Collect Security Process Data (CISSP Domain 6.3)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 266


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv


A shocking cybersecurity case recently hit the headlines—a 50-year-old IT contractor sentenced to over 8 years in prison for acting as a mule for North Korean hackers. What makes this story particularly alarming? Companies were unknowingly shipping laptops directly to her, providing legitimate access credentials that she then shared with foreign adversaries. This case serves as a powerful reminder of why third-party risk management isn't just a compliance exercise but a critical security function.

Diving into CISSP Domain 6.3, we explore the fundamental security processes that could prevent such compromises. User account lifecycle management forms the backbone of organizational security, from proper identity verification during onboarding to the principle of least privilege and role-based access controls. We examine the critical differences between disabling and deleting accounts during deprovisioning, and why service accounts deserve special attention as high-value targets for attackers.

Security assessments and audits provide the verification mechanisms needed to ensure your controls are both properly designed and effectively operating. Understanding the distinction between vulnerability assessments, penetration tests, and formal audits helps you build a comprehensive evaluation strategy. We clarify the differences between SOC Type 1 and Type 2 reports when evaluating service providers, and explain why metrics must be measurable, actionable, relevant, timely, and attributional (SMARTA) to drive meaningful security improvements.

Perhaps most critically, we address backup verification strategies—because discovering your backups are corrupted during a recovery situation is a career-limiting event. Through practical guidance on security training approaches, enforcement mechanisms, and measurement techniques, this episode provides both CISSP candidates and practicing security professionals with actionable insights to strengthen their security programs. Ready to transform your security posture? Listen now, then visit CISSPCyberTraining.com for more resources to accelerate your cybersecurity journey.


Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go cybersecurity knowledge.

Speaker 2:

All right, let's get started. Hey y'all, it's Shon Gerber with CISSP Cyber Training, and today is CISSP Monday. We are going to be going over Domain 6, 6.3, related to the CISSP, and I was pretty excited about all of that, and we'll get into that here in just a minute, but before we do, I saw an article that I thought you all might be interested in, and it ties in very close to what we do with the CISSP. So there is a young lady, she's 50, and I say young because that's about my age, right. So she's a young lady that has been in a lot of trouble and she was sentenced to 102 months for pleading guilty to multiple felonies, including wire fraud, aggravated identity theft and conspiracy to launder monetary instruments. What does all this mean? Well, basically, she was an IT mule for the North Koreans, and in the purpose of doing this, she would then get compensated and the North Koreans would gain access to various systems.

Speaker 2:

Now the North Koreans have done this for many, many years now, and they utilize the money they gain from this, which is typically extortion, through some sort of ransomware attacks. They have done this to tech, aerospace, media, you name it, pretty much everybody, and the reason they're doing it is because they can't get enough IT resources specifically for what they're looking for. So they will outsource this, and this comes down to a really strong third-party risk. You have to have a good plan for this. And the point that comes into is that this person would get laptops. So you get a company, so company X, and they decide that they need some IT resources. So what do they do? They send a laptop to this person, and this person now has access to their network, and obviously they're using VPNs and various other multi-factor authentications to gain access, which is great, awesome, right. However, they're sending it to a lady that is acting as a mule for the North Koreans, and so now she's allowing the North Koreans direct access into your network. Not a good option, no, that's pretty bad, and so, therefore, it can cause all kinds of challenges. Now, in her situation, she had to pay back $284,000 plus $180,000 in restitution, so that's on top of the fact that she's going to prison for some time, and then that also doesn't count any civil penalties that someone comes after her with. So her life, at least from a financial standpoint and from a having-freedom standpoint, is toast for a while.

Speaker 2:

So the point comes into, though, is you, as a security professional, need to really truly understand who you're hiring, especially from a third-party standpoint. Now you need to understand remote work vulnerabilities, and if someone is getting a laptop, how are you monitoring their access? So it isn't just giving them a laptop and then saying, well, I can turn them on, turn them off. You need to have your security operations center, really truly understand the risk here and have monitoring in place for it. You need to understand laptop abuse and what people are capable of doing. They will abuse it. If you've got it, they'll abuse it, guaranteed. And then what is your compliance risk?

Speaker 2:

Now, this is a big one, actually, and this is kind of a little bit of a hidden, subtle thing. In the past, I had to work with IT external people, and one of the big concerns we had was sanctioned entities, and if you're not familiar with what that is, it's basically a country that you can't do business with, and the North Koreans are one of them. Iranians, I think. The Syrians are another group. There's a whole bunch of these sanctioned entities that you cannot work with, and some you can work with in little bits, others you can't work with at all, but bottom line is they are sanctioned and the federal government takes this very, very seriously.

Speaker 2:

So let's say, for instance, you are a company and you send this laptop to Ms Christina Chapman and she decides to allow the North Koreans into your network. Well, on top of the fact that she just did that, you now are working with a sanctioned entity. Not good, not good at all. So it's something you need to really truly consider and understand how this could impact your company. There's lots of tentacles on this whole thing, big-time tentacles. So you need to truly have a good plan if you are outsourcing any of your capabilities and your technical resources to someone that you do not know, and this comes down to third-party risk. You go to nextpeak.net, our team. We can help you with third-party risk. Actually, we've got a proposal we're creating right now that specifically helps companies with their third-party risk. It's a big deal, dudes, dudettes.

Speaker 1:

I mean it?

Speaker 2:

really truly is. I'm just trying to emphasize the fact that this is bad stuff. Bad juju, all right. So, that being said, that's enough about our Ms Christina Chapman and her naughty affairs that she's been doing. Let's move into what we're going to talk about today.

Speaker 2:

But before we get started, one thing I wanted to bring forward is go to CISSP Cyber Training and get access to all of my content. There's a lot of great stuff out there, both free and some paid content. If you are looking for free stuff to be able to pass the CISSP, go to CISSP Cyber Training. I've got all kinds of stuff that's available to you that's on a free basis. If you're looking for more of a deep dive and getting more hands-on and some time specifically with me as a mentorship and also helping you with the test, you can also see some of the paid products that are there. And if you are looking for mentorship and career guidance in cybersecurity, there's another program that's specifically there for you as well. So go to cisspcybertraining.com right now and go check it out. You can also listen to this podcast on cisspcybertraining.com, so it's all there, available at your fingertips. Okay, so today we're gonna be talking about Domain 6, 6.3, collect security process data, technical and administrative. So we're going to be getting into this and as we go into this content, you're going to notice there's probably some overlap of things that you have heard in the past. And that is okay, because the good part about all of the CISSP training is we go over this content in detail. We want you to be successful in also understanding the cybersecurity aspects of everything you are doing. And also this is just kind of how it flows. It flows and it follows the CISSP (ISC)² manual and therefore that's what we are doing. So, account management: we're going to get into user account lifecycle management. Now there's a couple different options and we just kind of talked about this. Onboarding, people provisioning or onboarding. You need to do some level of identity verification. This will help your organization confirm the person that you are hiring, any new user, that they are who they say they are and they have access to the systems and the data.
This is a critical first step and we've talked about this kind of in the news part of this podcast ahead of time, but it's also a critical piece of this entire factor. Also, the least privilege principle: granting users only the minimum necessary access rights required for their job.

Speaker 2:

We talk about this in the fact that you can, you should only give them what they need, but when they move to a new role, which they eventually will, you remove access. I was working as a contractor. My contract ended. What did they do? They removed my access, which is great. It's a wonderful thing that they did, because you don't want someone like myself. Well, actually, I'm okay, but other people, you do not want them to have access to your network. Role-based access controls, or RBAC.

Speaker 2:

You need to make sure that you assign permissions to these users within the organization based on what their role is, and this is an important part. If you don't have RBAC within your company, you need to truly understand how do you get it and enable it with your company. And then each identifier is unique. Again, they should have a distinct identifier. So Shon Gerber should be Gerber S, or SH Gerber. They should have a unique identifier that's tied specifically to me and it allows them to have traceable capability when they're looking through the log files.

Speaker 2:

Now, what is the maintenance and ongoing user account lifecycle piece of this? You need to regularly review access rights of people, especially if they are on for a significant amount of time. So if they're going to be in your organization and they're going to be there for a while, you need to go through at least once a year and have this realigned. This can also be tied to how they're doing their user training at the end of the year, but you need to make sure that you regularly look at their access rights. Privilege escalation monitoring: this is where your security operations center will be looking for attempts for, or successful instances where, someone might be using their credentials to escalate their privileges, and that's a bad thing. So you need to keep tabs on that. It can be very subtle and they can be hiding in the weeds, but it's an important part that you need to remember and have your people look out for.

Speaker 2:

Password management. Again, this is something where you need to make sure that you have solid password management in place and it's not just you flip it on and you're good. You actually are going back and making sure and finding out which accounts are not tied to this password management policy that you may have in place. You will typically find that there are some accounts that you can't enforce the password complexity with because of the fact of the position they're in and how long they've been with your company, what they affect and so forth. You need to make sure you check all of that out.

Speaker 2:

Account suspension for inactivity or policy violations: this is another thing your security operations team should be monitoring. What happens if the account is locked out? Because, one, maybe your policy is set up so that if they log in from outside the United States, like North Korea, then it flags it, or is it just the fact that they haven't used it in quite some time? So you need to truly understand this. And if you understand it and maybe you don't have it in place, then you need to consider how do I enable it within my company and my organization. Deprovisioning: so you need to ensure you have timely removal of access upon termination and role changes. This would be immediately revoking or adjusting your rights again when they leave the organization. How is that set up? Happened to me just recently. Like I mentioned before, my rights were removed as soon as my contract was up. Very good, very good concept of what they have. Very good aspects of protecting the organization. Account disablement or deletion.

Speaker 2:

You need to have a process for, one, making them inactive but also retaining the history. I've seen this happen time and again, where companies will delete these accounts but they don't keep them for history's sake, and what then happens is if the account for some reason had access, maybe it was an IT individual who allowed remote access back into the organization, they don't know who this person is. So keeping those accounts for a period of time is an important part and in reality, for these purposes, it's relatively small flat files that don't take up a lot of space. You need to have an audit trail specifically for the deprovisioning activities as well. You need to decide which ones are going to be deprovisioned and then understand where are they being, or who did it, did they do it and when did this actually occur. So there needs to be a process around that. And then again, disabling versus deletion. What should you do? Should you delete them? You may have legal or regulatory requirements that may force you not to delete them, so you need to understand that too, as you're going into looking at this for your organization.

Speaker 2:

Now, service accounts: this is one that I have talked about time and again that are very critical for your organization, that you need to understand. And this comes down to is these service accounts are allowed to run services within your company on behalf of you and they're not tied, typically, to an individual and they do carry elevated privileges in many cases. So these are usually a very big target for outside entities to try to target. So you need to make sure that you have a good handle of the service accounts within your company. Are you cleaning them up? Do they have password requirements, policy requirements, that are set up specifically for them, or can they manage the same ones you have within your company? Those are important parts. You need to understand the risk behind these service accounts because many of them have access to things that you probably don't necessarily want them to have access to, but were stood up that way at the beginning and now they have continued to have those credentials over time. So you need to have some really good management practices tied to this. This is strong passwords, dedicated accounts. Key one is regular review and you need to go through and look at those. I went through service accounts before that hadn't been touched in years and you know what, if you don't have good logging and monitoring and you have these service accounts and they haven't been touched, guess what? The bad guys and girls are operating in these all the time, and because these accounts typically are operating in a 24 by 7 world, guess what? They're going to have access to your network 24 by 7. And so when they're in North Korea doing what they're doing, you won't even know it.

Speaker 2:

Privileged accounts: again, we talk about those where these are accounts that have elevated access to critical systems and data, such as admin accounts, root accounts or any sort of account specifically for security tools. Security tools is a big one and again, you need to watch the watchers because the security tools have elevated privileges to be able to gain the information they need. So therefore, what should be happening? Those accounts should be watched. Enhanced controls around your PAM solutions, your Privileged Access Management solutions, this is your password managers. Those are really very important for organizations and we've talked about this in the past; they are expensive. So if you deploy a PAM solution within your organization, you need to make sure that you set it up correctly and you are monitoring its activities on a routine basis. So this is very strong security measures. With your PAM solution, I would highly recommend that you rotate credentials going into it. You have multi-factor and I would recommend strict session recording. Again, it will add expense because you're going to have, one, the vendor licensing expense, but two, the storage requirements behind it. But it gives you an audit trail of what's going on and you know what, you may have regulators that will want to see it. So you better just do it and consider it.

Speaker 2:

Segregation of duties and privileged functions. Again, SOD is typically how it's seen. You may see that in the CISSP where it says SOD, that's separation of duties. This is where you're dividing critical tasks among multiple people and it's important for you to understand SOD. If you're in the financial industry, that is a very big factor and people watch that very closely. The goal is not to have one single person who has complete control over sensitive processes. But it can happen outside of the financial industry as well. When I was working in manufacturing, with any sort of money mover, they would have segregation of duties and there would be at least two, if not three, people that would approve any sort of money transfers. And we talk about that from a business email compromise, a BEC. This is something that happens a lot, where people are impersonating a CEO or someone along those lines to then authorize the access of money transferring. So, again, segregation of duties: important part of account management. Management review and approval. So, as a security professional, and you all are moving up in the world as security professionals, you at some point will be getting approvals to do whatever you're going to be doing within your company. And I would highly recommend that, if you don't have that now, you work with your senior leaders to get some level of management review and approval put within your company. Now, this ensures alignment with business objectives.

Speaker 2:

Risk appetite: that's a big factor. What is your risk appetite for your company? What is the risk appetite? And this is an important part that you have to understand and visit with your senior leadership to truly understand. What are they willing to accept for risk? What are they not willing to accept for risk? There is inherent risk, which we've talked about in the past, and then there's risk that they may want to mitigate. They may want to accept. Those are areas that they're going to have to work through and you will work with them on this.

Speaker 2:

Accountability of the security posture. Senior management is ultimately responsible for the security and they're the ones that should be reviewing the mechanisms. Do not let them pass the buck to you and if you are senior management, do not pass the buck to someone that's your junior. It doesn't hurt if they're looking into this information, but when it's all said and done, it's up to you to be able to open it up, look at it and decide how do you want to proceed. You need to review the processes. This is regular security posture reviews. This would be assessments of your organization's overall security status to include vulnerabilities, threats, control effectiveness, and then review the policies, standards and procedures. You need to make sure you go over those and make sure they match up with what is going on within your company. So often policies and standards specifically will not get even looked at. They get built and then they don't get touched, and a lot of times you don't anticipate you're going to touch them, probably once every one to two years, but they don't get even looked at. Procedures, even in those cases, they don't get looked at as well. Well, they'll get made to meet a regulatory requirement, but then what ends up happening is they forget about it and they put it on the shelf, and then they come back to it in two or three years when a regulatory finding has come up. So, again, you need to review those frequently. Incident response plan review and testing: make sure you have effective IR plans for your organization.

Speaker 2:

And then you need to look at any audit findings, review and remediate them. Now, if you're going to remediate any findings that you have from audit, you need to make sure you track those and that you have a history of those. It isn't just audit saying, hey, here's a finding, go fix it. You need to go fix it. You need to well understand the problem, go fix it. Once it's fixed, you need to get audit back together with you. You then walk through all the findings with audit, you document all of that and then you store that in a central repository in some location, and that could be, one, a spreadsheet, or it could be a GRC-type tool that you have and you're storing this. Again, you need to track all this information. One, it's important for the company. Two, as an employee of the company, people will come and people will go. Having this stored in one central location, with how you came to this point, is extremely important for future people coming on to understand what actually occurred and what happened and how they fixed the problem.

Speaker 2:

Approval mechanisms: you need to have a formal sign-off for any security initiatives and changes. This is an important part. I mean, I keep saying that they're all important, but what it comes down to is you need to have someone sign off. It isn't just Shon, who's the leader of the security operations center, saying, okay, we're good, let's go. No, you actually have to have the CISO do that. You need to have maybe the CIO do that. You need to ensure that there's some sort of formal sign-off on any initiatives and changes. Authorization for access to sensitive data: if anybody gains access to this data, there is an authorization process in place that is being followed. And then there's an approval for risk acceptance decisions. If something needs to be accepted, who is approving it? It isn't just Shon, the security operations guy, saying it's okay, let's go, because my risk tolerance is very different than the CEO's risk tolerance or the CIO or the CFO, any of those C-suite folks. Their risk tolerance is different than mine in the SOC. And I will just, it's true, unless you're a small company and you are the SOC manager and the CEO. Well then, yeah, okay, you probably understand it, but if you are a medium-sized company or any large company, the risk tolerance is very different between organizations or between parts of your company. So, again, a formal risk decision process needs to be in place and there needs to be approval of it.

Speaker 2:

Now, security assessments and audits. If you're doing a security assessment, there's various types of assessments that are out there. There's a vulnerability assessment, a pen test, security control assessments and risk assessments. These are types that you will typically see. Now, vulnerability assessment: obviously they're looking for and quantifying and prioritizing any vulnerabilities within the systems and they're going after those and fixing those. A pentest is simulating, obviously, a real-world attack to identify anything that's exploitable within your company. You may have regulatory requirements that force you to do a pentest. You have a security control assessment. Now, this is where you evaluate the design and operating effectiveness of specific security controls against a set of frameworks or criteria, i.e., ISO 27001, the NIST Cybersecurity Framework: do you have controls in place to manage the risk to your organization? And then a specific risk assessment: this is where you're analyzing and evaluating risks and you're determining the likelihood and impact of any potential threats that may occur. So those are the typical ones you'll deal with. They may have variants and flavors of others. But realistically, those are some various types of security assessments you and your organization may deal with.

Speaker 2:

Now, a security audit: this is a formal, independent examination of your organization. Now, it could be that it's specifically from an independent. It might be someone outside of IT, it might be finance. Someone from finance is actually looking into your organization. Or it could be a third party that is totally outside of your company, such as Nextpeak is a good example of that. We may come in and do a third-party assessment or third-party audit of your organization and again, they will have determined if there's compliance with any sort of criteria tied to laws, regulations, internal policies and so forth.

Speaker 2:

Now they're typically performed by independent auditors, both internal and external, like we kind of mentioned, and they do follow a structured methodology. The goal is, if it's structured, it's repeatable, it's duplicatable and when there's questions, which there will be, you can answer these questions in an effective manner. Its focus is compliance, effectiveness of controls over time and adherence to policies and specific procedures. Now the key difference here is assessments will often focus on identifying weaknesses and risks, while audits will focus on compliance and verifying the controls are in place. Again, audits typically have a more formal, structured and independent nature. So you just have to kind of determine which one do you need, an assessment or an audit? A lot of times I would actually do an assessment of my own stuff, but then I would give it to a third party to do an audit of what I was doing as a CISO. Now, again, you just have to decide what is best for you and your company, the size of your company. A lot of factors go into it. Size, knowledge of folks, cost, how much money do you have? A lot of that will go into your overall assessment plan. Integration with management review: findings from both assessments and audits are critical inputs for management to understand. It also helps a lot when you're going to bring on new security tools and new security programs. Having audit findings does help you with that overall plan.

Speaker 2:

Type 1 and Type 2 reports: these are Service Organization Control reports. So we're just going to briefly go over what is the difference between a Type 1 and a Type 2. A Type 1 report is the controls that are set up at a point in time and assessing their design. It does not include the opinion on the operating effectiveness of these specific controls. So today, how are the controls in place? How are they doing? Based on their design, what does that look like? But it doesn't contain the operating effectiveness, if they're any good. A Type 2 focuses on a period of time, typically six to 12 months, and provides an opinion on both the design and the operating effectiveness of how they're doing. Type 1, not operating effectiveness. Type 2, operating effectiveness. So you have design for both and then design and operating effectiveness for both. Type 2 report: this is typically a more valuable report, and so when someone says I've been certified in SOC Type 2, that would be more important than if it was certified Type 1. Just so, kind of important part for you to understand. But this is when you're dealing with third-party vendors. They will come and say I have this report, I have this done. You just need to decide is this something that's valuable to you and your company or not?

Speaker 2:

Key performance indicators, KPIs, and key risk indicators, KRIs. So what is a KPI? This measures the security program's effectiveness and its overall performance. These are quantifiable metrics that show how the program is doing to achieve its goals, and this would include such as patching compliance rates, those kind of things. KRIs: they indicate potential future risk or emerging risk, hence the R, risk, and these are early warnings of increasing risk exposure. Again, this would be the number of unpatched critical vulnerabilities over time, or the number of failed login attempts over time. This would be what they consider a KRI. Now, do you develop and implement these? This is in alignment with your organization's risk appetite and your security objectives. Now this basically comes down to is what is your organization willing to accept from a risk point of view, and then, from a security standpoint, what are you willing to control? The interesting part in all this is, if you're in the manufacturing space, this is maybe not quite as profound as if you're in the financial space. That being said, though, that's probably changing as we get more regulations in each of these areas. Data sources and collection methods.

Speaker 2:

Identifying the data for these indicators will come from basically various locations: scanners, SIEMs, HR records, all of those different places where the data can come from. The thresholds and alerting mechanisms: these are tied specifically around what you have in your SOC. They could be, what is this breach? What is this time setup? When is it specifically going to be in violation of that? This is what prompts an immediate investigation or a specific action. Those are all defined within your KPIs and your KRIs. Dashboards and reporting for various stakeholders.

Speaker 2:

When you're dealing with those, you want something that's in a digestible format for different audiences. Obviously you want something that's technical. I just got done with one of the contracts we did that was more for the board, and how does the board look at this information? You periodically assess whether the chosen indicators are still relevant and effective, again modifying them as the threat landscape or as the business objectives do change, so again. So a KRI, an example would be the number of unpatched critical vulnerabilities. A KPI would be patching compliance rate across all the systems. Just something to kind of put in perspective when you're looking at KRIs and KPIs.

Speaker 2:

So, as we look at KPIs and KRIs, one of the things you want to consider is metrics, right? So what's the importance of metrics? You want to truly have some level of metrics there to help provide you concrete numbers and data points describing your current state of security, and it also helps return or provide some level of understanding for senior leaders on your return on security investment, your ROSI. It does help justify your budgets. It helps fire your spend for the next year. Now, again, the metrics need to be quantifiable. They need to be something that is actually actionable, versus just a bunch of numbers that are thrown out there. I've seen metrics that were just basically grabbed out of thin air and come up with just to have, air quotes, metrics in place. But you need to really have a lot of good thought around which metrics you plan on using. They need to be providing data-driven insights and help you make strategic decisions, and they are an important part.

Speaker 2:

Vulnerabilities are a big factor in this, and then you need to identify threats or trends and areas for improvement where there might be some weaknesses, and then pinpoint areas where security controls may be needed as well. Types of metrics: you have your operational metrics. These ensure the efficiency and effectiveness of your day-to-day activities, such as how many security incidents and the number of security alerts are generated per day. I've seen a lot of it. They've had a number of generated security events per day. You've got to really ask yourself, though, in that information, what is that benefiting? I don't know how beneficial that is, but that's one that I've seen a lot of. Technical metrics: these would focus on security technical controls like vulnerability scan results, such as critical vulnerabilities or the percentage of sensitive data that is encrypted. You need to build a story. A story and a narrative is an important part. And then management metrics: these relate to the governance and oversight of the security program, including security budget utilization, closure rates, audit findings and so forth. Well, these are the areas that they would be most worried about and most concerned about from a management standpoint.

Speaker 2:

Now, what are the characteristics of good metrics? This is the key. This is strong. This is an important part. They need to be measurable, actionable, relevant, timely and attributional. Okay, so this is the SMARTA method, right? You need to basically ensure that the metrics are measurable, actionable, relevant, timely and attributional. So they should be quantifiable specifically, and they should provide specific actions to take once you understand what they are. There should be consistent collection and reporting. You need to make sure that you're uniform in what you do. Just gathering a metric for one point in time is not nearly as important or effective as if you're gathering metrics over a period of 12 months. Now you can actually get trends and understand what's actually going on. Contextual interpretation: this is understanding the raw numbers. That may not tell you everything, and so that's understanding the story, the full story. This is how does this all work together? How are they connected? How are the metrics for one system tied to giving you some more information on another system? So metrics are really strong. People don't do them, though. They like to avoid them because they're kind of hard and they can be very squishy. But especially if you don't take the time to really try to come up with a good plan, they can be very challenging.

Speaker 2:

Backup verification data. The importance of backup data: this is where you have data availability and integrity. This is an important part, and where critical data is accessible when needing it and that it is not corrupted or tampered with. What does that mean? If you're doing backups, you don't want the security or the ransomware guy to be infiltrating your backups, so now that they are tainted and you have issues. You want to make sure that they have the integrity and that they are available anytime you need them, because when you have a situation that pops up and you have data loss or corruption, you are going to need them and you don't want to run into the issue that you don't have them.

Speaker 2:

Backup strategies: you want different types of backups. This could be full, incremental, differential, and we have a whole section in the CISSP training around backups. Which ones should you do? How should you consider them? Understanding different methods for copying data, from a complete copy to just incremental copies, from the one that was maybe last night, you need to understand which ones are most important for you. And then how do you store them and how do you recover them? The storage is a big factor because it costs money to store these things, and recovery time is important. If you have it all stored off-site in the cloud, can you recover in a timely manner? And you may go, well, yeah, I can, but if everybody is affected by the same type of incident, your recovery times could be dramatically impacted.

Speaker 2:

Storage locations: again, off-site, on-site, cloud. Where do you want to put them? How do you have them set up in the event that there's a localized disaster or a regional disaster? I've seen it. A regional disaster would include Amazon AWS going down, and that would be regional because it affects a lot of different companies. Retention policies: defining how long backup copies will be kept, based on any sort of regulatory requirement that might be out there. So do you have those policies defined? Are you following those policies? What do they look like for your backups in your company?

Speaker 2:

So, verification and testing. You have regular verification of backup integrity. This would include checksums and data validations. Now you have cryptographic hashes, which would be your checksum. Is it set up where the backups are not corrupted? If the checksums don't match, you've got a problem. If they do match, life is good. So you need to have and consider different types of validation methods specifically for your company and what tools you are using. You need to do periodic restoration testing. This is an important part. Knock, you know, ring the doorbell. I have seen it time and again where people will go and just put stuff into backups, hit return, backup's good, everything's fine, and then when they go to recover, the backup's corrupted, they've got issues, or they don't know how to even do the backup because they never tried it and never tested it. So you need to understand, if you're doing backups, both from a partial or a full backup based on the environment, you ensure the recovery process works as expected and meets your RTO and RPO objectives that you have defined for your organization.

Speaker 2:

Documentation of backup and restoration procedures. Again, documentation is an important part. You can't just go, yeah, I'll figure it out when it happens. No, you don't want to do that. You want to have clear, up-to-date instructions on how this works. At a minimum, you need to at least have updated links on where you can go get this information. But keep in mind, if you are down and you have a DDoS attack and something in your organization, say you have no internet access, how do you get access to the information? If it's a regional outage, how do you get access to the information? You need to think about this. It's all important because it may seem like a lot of busy work at times, but in reality, the time that you need it, you went through all this work. It will pay off in spades. You will be the hero if you have this defined when it does happen, and I'm not going to say if, because it will. It may not happen on your watch, but it will happen. Offsite storage verification: again, offsite backups are indeed stored securely and accessible for recovery when needed. This is working with your third-party backup provider and asking them a lot of questions and maybe even going and visiting them. Had to go do that once. It was interesting because I wanted to verify they actually were doing what they said they were doing.

Speaker 2:

Training and awareness. Now, the importance of security training and awareness. This is the human element as a critical control. Now, this is recognizing that people are your weakest link and how do you help them. Now, they can also be your strongest one, right, as well, but you want to make sure they are well-trained and aware employees and are vitally understanding the defenses. I used to have it set up where I would tell my employees, and I'd tell employees of the company, you are the sensor, you are the first line of defense. One, you could be just basically opening the gate and letting people in, or you can go, I'm the guy at the gate guard and I'm not letting you anywhere near it. It's up to you, and employees are an important part of this. So you need to reduce the human error and susceptibility to social engineering. And now it's even worse. Now, with audio, yes, AI and the ability to fake the person's voice, they're seeing a huge rash of that. I know that the individual who invented ChatGPT is saying this is a big deal and, yeah, it's going to be a huge deal. So you better teach your people how to manage this. It's really easy to fall victim to this. I've seen it time and again, and they're only getting better.

Speaker 2:

Foster a security-conscious culture. Again, trust no one. I know it's a bad thing to think of, but you trust your spouse. Well, maybe, I don't know, it depends, but trust no one. TNO. You need to trust but verify, from Ronald Reagan. You need to make sure that you just don't go willy-nilly into something.

Speaker 2:

I had this happen to me. I trusted that, with my business, our one shaved ice, the people were paying me accordingly, what they're supposed to, and I hadn't been checking my invoices. When I looked at my invoices, I checked them and I went, wait a minute, and, sure enough, it was not quite right. So now I need to make some changes. So again, trust but verify. Do not assume and do not think that people have your best interests in mind. In this case, they had my best interests in mind, but I made the mistake of not truly following through. So again, think through all things.

Speaker 2:

Awareness programs: these are your target audience identification. Again, all employees or specific roles? Do you want to go after everybody? In the case of us in the past, I would have specific training for specific people, but then I had broad-brush training for all employees, again focusing on the specific risk. I had IP loss risk of specific employees. So they got beat over the head with lots of training, lots of training, and I also watched them like a hawk. So you need to make sure that you have that set up specifically for you. Delivery methods: this would be phishing simulations, posters, newsletters, microlearning. How do you have this available to them? There could be multiple ways. You could have exercises done; regular communications and short, focused learning modules are very valuable as well. You need to have content and reporting procedures in place. This would be essential topics such as your policies, which you would walk them through, the prevalent cyber threats, and then also how to report suspicious activities. All of these need to be taught to your employees regularly.

Speaker 2:

And enforcement: if, for some reason, people don't follow, what do you do? You beat them over the head with a wet noodle, or you maybe potentially give them warning that they're going to be fired. That is a possibility. I've seen it happen. We had our CFO go, if people do this, I want them fired. Okay, well, all right, let's look at that. If it's going to be routine, yes, but you've got to have that policy set out and you've got to let people know that. Yes, if you're going to be a buffoon, you will be fired. If you don't do that, well then they're going to go, you didn't tell me if I could be a buffoon. I could be a buffoon all I want. And you're saying that now I'm going to be fired? No, I won't. And so, yes, that can be very bad as well.

Speaker 2:

Developers, incident responders, privileged users: they should have specific training for them. This could be secure coding practices for developers, incident handling procedures for responders. Also, hands-on exercises and simulations. This would be practical exercises such as realistic simulations allowing employees to apply their knowledge and develop skills in a controlled environment. You also would want a way to effectively measure the training. How is it working? Is it effective for them? Are they learning a lot? And this can be done through quizzes, performance metrics, again, metrics again, they're showing up, and then observing changes in employee behavior. All of that can help you determine the effectiveness of your training for your company.

Speaker 2:

Okay, that's all I have for you today. Go to CISSP Cyber Training. Check out all this information. I got lots, a plethora of content available for you. You will love it, I guarantee it. There's lots of free stuff.

Speaker 2:

If you're studying for your CISSP and you want to know the details around how to get your CISSP done, not just take a test and pass, then CISSP Cyber Training is for you. If you are looking for your cybersecurity career and you don't know what to do, CISSP Cyber Training is there for you. We are specifically focusing around small and medium businesses, but we do help large corporations as well. If you are an IT professional that is basically a little bit longer in the tooth, like myself, and you're trying to figure out how to help your career and grow it, CISSP Cyber Training is there for you as well. It's a one-stop shop that'll help you with your CISSP and your cyber goals to help you grow your career and help you have success in your next adventure.

Speaker 2:

All right, thanks so much for joining today, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.