
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 272: Confidentiality, Integrity, Availability, Authenticity, and Nonrepudiation (CISSP Domain 1.2)
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
The core principles of cybersecurity aren't just theoretical concepts—they're the practical foundation every security professional needs to master. In this deep-dive episode, Shon Gerber breaks down the critical components of Domain 1.2 of the CISSP exam, unpacking confidentiality, integrity, availability, authenticity, and non-repudiation in clear, actionable terms.
Starting with breaking news about Microsoft ending Windows 10 support on October 14th, Shon highlights the urgent security implications for organizations still running this widely embedded operating system. He emphasizes the importance of comprehensive inventory management—especially for IoT devices that may contain embedded Windows components—and the available extension options for critical systems.
The heart of the episode delivers a comprehensive exploration of the CIA triad. Shon walks through each element with real-world examples: confidentiality through encryption and access controls; integrity via change management and validation processes; and availability through redundant systems and business continuity planning. But he doesn't stop there. The discussion expands to cover the DAD triad (Disclosure, Alteration, Destruction), which helps identify security failures, and the AAA framework (Authentication, Authorization, Accounting), which provides essential security controls.
What makes this episode particularly valuable is Shon's practical advice drawn from 25 years of cybersecurity experience. He emphasizes the importance of defense-in-depth strategies, network segmentation, and prioritizing critical systems rather than attempting to fix everything at once—"eating the elephant one toenail at a time." His methodical approach helps listeners understand not just the concepts themselves, but how to implement them effectively in real-world environments.
Whether you're preparing for the CISSP exam or looking to strengthen your organization's security posture, this episode provides the foundational knowledge and practical strategies you need. Visit CISSP Cyber Training for free study materials, practice questions, and mentoring options to accelerate your cybersecurity career.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
Speaker 2: All right, let's get started. Hey, I'm Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today we're going to be getting into domain 1.2, and we're going to be getting into confidentiality, integrity, availability, authenticity and non-repudiation. So that's the goal for today. Again, you can get all this content at CISSP Cyber Training anytime you want. Just head on over there and get it. I hope you all are doing good, though. I mean, right now in Wichita, Kansas, it's a whopping 100 degrees, with a heat index of around 107. So, yeah, I'm enjoying life, and as you walk outside, you just start to melt. So it's good, it's awesome, but you're in a comfortable car or in your home listening to this video or listening to this audio. Hopefully, you are staying cool. So let's get started about what we're going to talk about today.
Speaker 2: So Microsoft is ending support of Windows 10. Yes, that is true. I remember when Windows 10 first came out, it was like, oh, this is awesome, especially from Windows 7. And now Windows 10 is going away, and the interesting part of this is it's going to be ending October 14th, I think, is the date which they have called out in this article, and this article came from Bleeping Computer. One of the things about this is that you can extend service, and we did this a lot in the enterprises, that we would extend service on critical apps, or I should say critical operating systems, for a period of time until an update would be available, or I should say a new version, and we could get it tested. And it's $30 for individuals and it's $61 right now and climbing for enterprises. So if you want to keep it up to date until October 13th of 2026, it basically gives you a two-year extension. You will have to get this done soon. Now, the interesting part in all of this is that Windows 10, similar to what happened with Windows 95, has been embedded in almost everything, because it was really a stable Windows version that came out after Windows 7, which wasn't so stable, and therefore it got embedded in a lot of different things.
Speaker 2: So if you are dealing with Windows 10 still and continuing to operate in it, you need to consider getting off of it as fast as you possibly can. So just kind of put this in the back of your mind. If you are managing an enterprise for somebody, if you're the security person for this, if you're the IT person for this, you better start thinking about it if you haven't already done it. Now, one thing that you may want to consider and really kind of dig into is IoT-type devices. Anybody that put in a Windows 10-type light version of the operating system within IoT, those you're going to have to keep an eye on, and you probably won't be updating them much at all, because a lot of those are in a sensor-type situation. But this is where we talk about a lot in the CISSP and in cybersecurity as a whole: you understand your inventory within your company, because if you don't know what your inventory is, this IoT device that's managing your fishbowl could end up leading to a compromise of a casino. We've heard that before. I wonder where. So it's something to consider that you just really need to make sure you understand all the devices that are going on with your network so that you can have a proper plan on how to deal with them. Again, all updates will no longer be available as of October 14th. You can get an extension for two years, but after that two-year bingo point, they turn into a pumpkin and can't be updated at all. So just keep that in the back of your mind, all right. All right, let's get into what we're going to talk about today.
Speaker 2: Okay, so this is domain 1.2: confidentiality, integrity, availability, authenticity and non-repudiation. So again, domain 1, this is a focus on the CISSP, Cyber Training, or actually on the CISSP, not Cyber Training, but CISSP, and this is domain 1.2 of the CISSP. You can gain all of this content available to you at CISSP Cyber Training. Go to it. You get a lot of free stuff. I've got a free bronze package. I guarantee you'll love it. It'll give you all kinds of free stuff. Just sign up for the package. That's what it is. Doesn't cost you a dime. It's free. It gets you on my email list. Any things that come out that's new, you will get updated on that, and that gives you my domain access, or it gives you access to a lot of the content that I've created. It also gives you access to my domain rapid reviews. It gives you access to other types of study materials. Basically, it's designed for anybody who wants to self-study but doesn't really want to pay for any additional products. It's a good program for that, and it'll help give you a good direction on what you need to do to self-study for the CISSP. If you want to have more detailed information, such as the videos that I'm showing here or other types of videos, you go and you can purchase my product that I have, as well as mentoring. I have that available. Go and check that out. Really, it's the best money you'll spend, especially if you're trying to take your CISSP and you're trying to expand your career in cybersecurity, because I've got like 25 years of doing this. I can help you in many different ways. So go check it out at CISSP Cyber Training.
Speaker 2: Okay, so domain 1, 1.2, let's get into it. So confidentiality: what are some key concepts around confidentiality? This is the secrecy of data that is not made available or disclosed to people, and you really want to limit the unauthorized individuals or entities from having access to it. Now, one of the key points on this as well is the processes, because you're going to run into, especially in today's world where you have LLMs connecting into networks, you have all kinds of webhooks going into networks, there are the processes as well that are occurring in the back end, and this can be very challenging, because you have to know where are these processes taking this data and what are they doing with it, and then are they maintaining the confidentiality of it. You are responsible for these processes, so you can't say you didn't have the ability to know it. If you don't know it, you got to find it out. So those are again unauthorized individuals, entities or processes, ensuring that things are confidential. Again, only the persons/entities/processes with authorized access. Unauthorized access would be a breach of confidentiality.
Speaker 2: So you have different types of how it's maintained, and one is through encryption. You have encryption at rest and encryption during transmission. Encryption at rest, this is where you have disk-type encryption. You may have it on your SSDs, you may have it on your thumb drives, you may have it in your phone itself. Right, those are all types of disk encryption that's available. You may have traditional hard drive disks where it's encrypted as well. Network connections: this is where the data is transferred from one location to another. Is that data encrypted through SSL, IPsec tunnels and so forth? Then how do you store the data? You have password storage vaults or some sort of managed key vaults that are available. This is where you would store passwords or key data that would be available to decrypt this encryption.
Speaker 2: There's a lot more countries now that are focused on the data encryption and they're trying to basically crack it, because they know more and more encryption is being involved with the type of data transfers that are occurring. I just saw an article by Russia wanting to do this, which is kind of surprising, because they should be doing this by now already. In the past, Russia has had a very specific place where keys are stored, and you cannot store your keys anywhere outside of where they can have access to them. I don't know if that's still the case anymore, but because data transfers are becoming so rampant, they also see the need to ensure that they can have control over the data traveling in and out of their countries. Access controls: this is where you have put access controls on folders, applications, any place where data is stored or transmitted, and so this is like if you have a location where you're doing file transfers for money, is that data being stored there? Are there access controls on those files? Are there access controls on those folders? Is there some level of protection that is then limiting the amount of data that's going out from that location as well? So again, confidentiality maintained. Now, where confidentiality can be compromised.
Speaker 2: This is where data is shipped in plain text or stored unprotected. This happens a lot, way more than it should, but this is something you, as a security professional, need to be aware of. Now, does that mean that if data is being shipped in plain text, that is bad? No, not necessarily. There may be situations due to risk to your company that you may go, you know what, it's not a big deal, I don't care. That being said, that means you have a really true, good understanding of all the data paths within your company. Where does the data go? Where does it leave? Where does it originate? Where does it terminate?
Speaker 2: If you have a really good understanding of all the data paths within your company, you can take a risk approach and say, you know what, I'm not going to encrypt that data. If you don't have that, you have to be buyer beware. You need to be thinking about this strongly to go, yeah, I don't know. So do you want to take the risk? Passwords being shared or stored in unprotected file structures. What's that? That's an Excel spreadsheet without a password on it. I would say that for sure. Or in emails or in memos. That would be a bad thing.
Speaker 2: Everyone who has access to a file, folder or structure without audit. What does that mean? It means, is there a file folder that everybody in your company can see, and is that really truly what you want them to do? In most cases that is probably not the case, because there's probably data in there. So let's just use an example: you have an employee, but you have a contractor. Do the contractors need to have access to that folder? I've been in many organizations where contractors have access to folders and data they should not have access to. So again, you need to understand the access to the file folder structure and all of that done without audit. And then employees are socially engineered; they click on links allowing for unauthorized access. That's where confidentiality can be compromised, once again.
Speaker 2: Other considerations around confidentiality: data sensitivity. How sensitive is the data to your organization or company? Is there intellectual property or critical business processes? And then operators' decision rights: what do they get to do with the data? Then this comes down to a really big part. We talk about it a lot in Domain 1, but we really talk about it throughout the entire CISSP training: who owns the data and who has a decision right specifically for that data? Is it IT? Is it the data owner? Is it the CEO? Is it somebody else? Is it legal? Who owns that data? And that is one of the key crux questions you need to ask when you're dealing with the protection of any data within your company and looking at it from an organizational standpoint: who owns it, who's responsible for it, who's a custodian of it, et cetera. Now some other considerations that you need to consider about confidentiality: data criticality. Does your business require data to remain confidential?
Speaker 2: Is it required to run your organization, or does it give out business-critical information that is specifically for your company? Data privacy: regulatory requirements for keeping data confidential. Are there any that you have to deal with and maintain? If there are, you need to know what these are and your leadership needs to know what these are. They will rely on you, as the security professional, to keep them out of trouble, but at the end of it, you need to understand it, and you, as a security professional, need to be briefing your senior leaders. What are the regulatory requirements? What are they now, and what do you see coming in the future? You can run into reputational damage for data loss if you are allowing people's private data to be leaked and expunged. That could cause all kinds of issues with your company. So again, data privacy is a big deal.
Speaker 2: Data system isolation: do these systems and the data need to remain isolated specifically to protect them? Do they need to be in their own protective bubble? Do they have to have their own reduced or, I should say, segregated network that's specifically for them? Is there any sort of regulatory or compliance requirement that's forcing you to put them in this bubble? That's a question you have to ask yourself. Data seclusion: storing the data in out-of-the-way locations. Is the data going in and out? How is it best secluded and maintained? And then using strict access controls to maintain the seclusion and keeping it whole.
Speaker 2: Data secrecy: the act of keeping something secret or preventing disclosure. You want to make sure all the data there is kept in a secret and protected environment, and it does help prevent disclosure from something happening. So that's what data secrecy is. So you got data criticality, data privacy, data isolation, data seclusion and data secrecy. Integrity. What are we doing to deal with integrity?
Speaker 2: Integrity is dependent upon the confidentiality of the data. Specifically, it maintains the assurances around accuracy and completeness of the data. Is it complete? Is it something where you're not having missing data, missing information? One thing, if you have data that is missing information, you become not really positive about it. Right? You think, okay, now if I'm missing data in this spot, am I missing it over here? And you lose confidence in the overall data integrity itself.
Speaker 2: This also includes the data integrity from the life cycle, from the birth of the data to the death of the data, and that means that there's times when you will go through and completely gut your... I mean, you'll go to many organizations and there is data glut, and what that means is they have been keeping data and hoarding data for years and years and years, and now they have all of this discoverable information that, one, could be very damaging to a company, especially if it's looked at through the eyes of a legal team, because they can twist it in all kinds of different directions. And then, two, the data is old, and if it is old, is it really valuable to your organization? So this maintaining the assurances around the integrity of it from the time you birthed it to the time you killed it is an important part that you have to consider, and really most companies do not do this, and they don't do it well unless they're highly regulated. And so, therefore, it's imperative that, if you're looking at this from a small company standpoint, you need to think about how do I do this, and how do I keep my data clean, and how do I get rid of the old data that's not needed anymore?
Speaker 2: Data cannot be modified or unauthorized in an undetected manner. When you're dealing with integrity, again, that's transmission and storage that keeps the bad guys and girls from going in and making changes to logs. It also builds the integrity and the confidence of the data itself. And then you need to ensure, or have a process to ensure, proper change of the data. So, if the data just needs to be changed, is there a process by which it's changed, it's modified, it's tweaked, and is that process duplicatable? Is it being managed? Is it being properly monitored? So those are all part of the integrity piece. Now, integrity maintained: security mechanisms are in place to ensure the data has not been compromised, like we talked about.
Speaker 2: You have encryption in transit and at rest. There's also proper access provided to the data via authentication. Do you have multi-factor? Do you keep authentication logs in each of those folders that have the ability to understand who had access to the data last? Keeping unauthorized people, i.e. contractors, away from the data is an important part. Audit and oversight trail: you have proper logging, monitoring and ensuring that only proper access to the systems is allowed.
Speaker 2: How does integrity get compromised? Well, when the data is transmitted or stored in unprotected containers or media without encryption. A person put a whole bunch of stuff out there on the web to share it in a Google Drive and didn't protect it. You know, that's the key one right there. Inadequate authentication methods that are in place. You're not allowing authentication, or you don't have a good one in place that is incorporating that within your organization, and now anybody can gain access to the information. Systems are not logged or monitored to ensure data integrity. Therefore, if you don't have logging in place, how do you know who has access? How do you know who got access, who doesn't have access anymore? That's your integrity compromised.
Speaker 2: And then other considerations around availability would be accurate. Is the data correct and precise? Is it specifically what you need? I would say I'm probably guilty of this more than ever. Is my data that goes in always what it's supposed to be? Is it the right numbers, is it the right information? And that isn't always the case, and so do you have mechanisms in place to ensure that the data that is placed into these files is correct and is precise? Accountability: the person who's responsible for the data. This would be the action or the result, which we talked about again earlier, is the fact that do you have the right people that own the data, that are the custodians for the data, that manage the data, and is that defined in their roles, responsibilities and potential expectations for their job?
Speaker 2: Other considerations around integrity would be non-repudiation. You cannot deny an action or event that has been performed or has occurred. This is what they consider non-repudiation. Certificates, transaction logs, etc. These are all non-repudiation aspects. That's the essential part around integrity, and if you doubt the data, then this whole thing kind of falls apart. So non-repudiation is a very important part of integrity. It needs to be complete, having everything you need as a result within the data. Is it all there, as you expect? There's nothing missing, no gaps? Again, responsibility: who has control of the data, and has that been well defined? And then the completeness: is all the data included? Does it have all the necessary pieces and parts needed to ensure that you feel confident the data has full integrity and is available to you?
Speaker 2: That moves us into availability. So availability, this is where authorized items are granted timely and uninterrupted access, and this is available for when it is needed. So high availability systems must remain available at all times, and that's an HA system. In many HA systems, you will have redundant systems to ensure high availability. Now, this includes efficient, uninterrupted access, which would be prevention of denial of service attacks operating. It could be a mass flood of data coming in through a SYN flood or something along those lines. It could be as simple as a backhoe chopping a line. That would be a denial of service. But it helps to understand that if you have backups in place, if you have redundant systems in place, this will ensure that you have availability. There's intentional and unintentional accidents, like I said about the backhoe, but all of that's where availability is an important part in thinking about.
Speaker 2: How do I maintain the data? Now, how is availability maintained? Power is maintained and kept available, right. So do you have UPSs? Do you have an uninterruptible power supply that's keeping the data center active and operational? Do you have highly available systems and devices? Is hardware in place to ensure the systems stay operational in the event of a failure? Are there policies and procedures that are defined specifically on how to deal with disaster recovery and business continuity? Are those policies in place, and is there a testing plan in place as well? And this is used to address any critical business systems out there. So, again, availability is an important part of your policies, procedures and your systems and the overall devices.
Speaker 2: Availability compromise. So this is where you have a denial of service causing an outage, which we talked about just a brief minute ago, dealing with SYN floods within the network. Do you have it from an internal denial of service, or is it an external attack from outside parties? Which one is it? This is where availability will ensure that you have these systems up and operational and available to you. There's critical systems that are available. Do you have power protection in place to help these critical systems? Have you defined what these critical systems are? Do you know what these critical systems are? Is your business aligned with that, that they are actually critical to your organization?
Speaker 2: Those are big key factors you really got to think about. I've dealt with that a lot, and that's something to consider. But again, critical systems focus. Focus on something like that. If you're going to be trying to protect your entire environment, focus on the critical ones first. Figure out what is critical and then go from there. Other considerations around availability: usability. How easy is it for you to use it, and can it be understood by the layperson? And what I mean by that: can it be understood by a third grader? I mean, ideally, as adults we go, well, we're smarter than a third grader. Well, a third grader is pretty smart, but if you can get to a third grade level when you're communicating with people, that is huge. That's really, really big. And then that means most people can understand exactly what's going on.
Speaker 2: Is the system easy to stand up, restart, reconfigure in the event of an incident? Do you have that planned out? Do you have the documentation to support that? Accessibility: how easy or hard is it to manage? Can individuals manage it relatively quickly, or does it take a lot of time to do that? Can others interact with the system, or is it extremely limited to only those who can manage the system? Accessibility, big factor. You give too much accessibility, well, you can have problems. You take too much away and don't give people access, you can have problems.
Speaker 2: There's that fine line between them. Timeliness: is it prompt, on time? Is it a reasonable time for recovery? Is it I can have it recovered within a day, within an hour, within minutes, or is it going to take me two weeks? You have to determine the timeliness of that availability. Is that important to your company? Maybe two weeks is fine, but on a critical system, probably not. Two weeks probably won't cut it. It's probably more like, yeah, you said you'd have it up in a day, but we want it in hours, especially after it happens. So can the system be restarted, reconfigured, reinitiated in a quick timeframe? Things you need to kind of think about.
Speaker 2: Security mechanisms outside of the CIA triad: you have your network and system layering. This is commonly called defense in depth, and I kind of talk about that here just a little bit further down in the slides too. This is a series of restrictions, limitations. As you travel farther down the stack, you have issues that you have to work through. This is the different layers of depth and the defenses that are tied with that. This includes logging and monitoring during each of these steps and then different authentications during the various steps as well. One example I have on here is industrial control systems. If you go to an industrial control system, you should have it segregated from your business network, which means if I jump on your business network from the internet, I should not have direct access to your industrial control systems that control your power, electricity, toilets, you know, whatever you want to call it. That would be a good way of layering your protections. If you have it all in one network, that's not really a good defense-in-depth thing. That's like a flat network open to the world.
Speaker 2: Obfuscation, this is hiding of the data. This prevents the data or information from being discovered and/or accessible. Intentionally hiding data within a network or infrastructure would be considered obfuscation. Now, that being said, we'll get into some more details around obfuscation, the benefits of it. I hear pros and cons with it. So it just kind of depends on your situation and where you're at with your company if you think obfuscation is a good example.
Speaker 2: But as an example, we have labeling. You have secret sauce, right? You label that "secret sauce," which I, as a hacker, would go after and go, ha-ha, secret sauce, let's go there and find out what's in that. Rename it to file 123456789x9267724, okay, whatever you want to. It doesn't transmit, right? The naming convention does not match. So you think, well, as a bad guy or girl, it's not a big deal, and that's true. That works really well.
Speaker 2: However, it does confuse the dickens out of people. Second, what it does is you have to refer to it at some point in some of your documentation. And so if you have a person who does OSINT, operational security intelligence, if you have someone that's actually doing OSINT and looking at your network and pulling down the data, pretty quickly they'll find an email that'll say 12345 is actually secret sauce. And so what do they do then? Do you change your algorithms and your scanning to look for 12345? So again, it does slow down people. It does. You can put triggers to make alerts in place that would say, hey, why is somebody scanning for 12345 or secret sauce? But bottom line is it has mixed reviews.
Speaker 2: The system is so buried, it's intentional, it can't be found. People do that. But again, I still struggle with that whole piece. One of the examples we had as well is a software programmer creates a program with a flaw and releases it, hoping it will not be exploited. Basically, they went through their entire development process, know there's a flaw in there, don't want to go back through it. So they're like, yeah, it's so buried in the code, no one will know it, just release it. And yeah, somebody will find it. They usually do, and at the most inopportune time.
Speaker 2: Okay, so what's another thing outside of the CIA triad? Encryption. This is one of the extremely important parts of any security program, and it can be applied to any file type and is extremely versatile. But it also is extremely challenging, right, depending on how you use it and how it's used within your company. There's a lot of unencrypt, decrypt, recrypt, yeah, all that fun stuff, storing the encryption keys. There's lots of moving parts when you're dealing with encryption, and so people tend to either not do it, or they tend to just kind of turn it on for some stuff, but for most stuff they don't. Because of this, they have poor encryption practices, and these can be extremely detrimental to an organization.
Speaker 2:It gives you a false sense of security, thinking ha ha, I'm good, but yet, oh, you're not. And so therefore you struggle, struggle, something bad happens and you're like, I thought you had security. I did, but they didn't use the file that had security. They used the file that didn't have security. Yeah, then your name is kind of mud and nobody's happy, and then things go badly for you. So you need to really consider this. I mean it, I'm stressing this stuff hard.
Speaker 2:You are probably a security professional going into an organization and you probably deal with a whole bunch of nastiness, like Medusa. It's got lots of heads. But you're going to have to work through it one step at a time, and I would recommend eating this elephant one little toenail at a time, because it's going to be a big challenge for you to try to do it all at once. You will fail. I'll just be blunt. You will fail if you try to do it all at once. Pick something, work on that, then, after that's complete, pick something else, work on that and then try to fight the fires in between.
Speaker 2:Okay, the DAD triad, right. So we're dealing with the DAD. Now what is the DAD? It's disclosure, alteration and destruction. Not the dad bod, but DAD: disclosure, alteration and destruction. So what is this? This represents failures of the security protection of the CIA triad. It's useful to recognize failures of mechanisms when you're dealing with the DAD. So the failures of the triad are DAD. Disclosure, right.
Speaker 2:You have disclosure of sensitive or confidential material that is accessed by unauthorized entities. That breaks confidentiality. Boom, baby. So this would be, like, what you see on a daily basis: so-and-so's data just got compromised. 18 gazillion passwords just got compromised. So-and-so's data is also now out in the wind. So that's disclosure.
Speaker 2:Alteration. This occurs when data is either maliciously or accidentally changed. I've seen this happen where bad guys and girls have gone in and changed the data specifically to try to get us off the scent, and afterwards we are chasing them. This also, I've seen employees do this because they're doing bad things that they shouldn't be and they're trying to hide what they're doing. So alteration, and then D, destruction. This occurs when resources are damaged or made inaccessible to users, a denial-of-service attack or a logic bomb, something like that. Seen that happen, where an IT employee decides to go, I'm going to make your life painful, and then they go, and they did it with that accent even, and what they end up doing is putting in a logic bomb, and once they leave the organization, after a certain date, it goes boom. And when it goes boom, everything goes away. Yeah, that causes all kinds of chaos and pandemonium for quite a while, and it's quite expensive. That person, though, is breaking big rocks into little rocks, so don't do it.
Speaker 2:I highly recommend it. Use your powers for good, not for evil. All right, now we have the dad bod. Now we're in the AAA, right, for old people. No, that's, I don't. Yeah, that's not. I think it's old people. No, that's AARP, that's for old people. AAA services.
Speaker 2:Okay, the key concepts around this are authentication, authorization and accounting. Now, there are five elements of the three A's. So, again, the three A's are authentication, authorization and accounting, but there are five elements to each of these, or to the overall three A's. One is identification. This is claiming to be an entity while attempting to access a secure area. This is understanding identification. Now, this starts the process for authentication, authorization and accountability, and that is what you need to tie together, people: when you're identifying something and they're attempting access, it's through identifying that you have the right person. Another element is authentication. This proves that you are the claimed entity, right, so it requires a person to provide additional information that matches the identity. Now, in some cases, if it's your phone, it could be your eyeballs, it could be your fingerprint, it could be a password, could be a CAC card, a lot of different things, right.
Speaker 2:Identification and authentication are commonly used together. They're considered in many ways kind of symbiotic, but without both you cannot access the system or the device. So it's an important part for you to be able to control what you gain access to. It also gives a good audit trail to find out: did you do something you shouldn't do as well?
Speaker 2:Now authorization, another one of the five elements, is defining the permissions, which would be allow, grant, deny. Those have to be defined well. Now I would say authorization is probably where we fall down quite a bit, because, rather than trying to figure out what Sean should have, I just say allow all, Sean can have it all, don't worry about it. It's one less thing I've got to deal with. They've got it all, and then that may be fine for the first four or five people, but then you have 500 and then you've got a problem. Once authenticated, then the authorization must ensue, and this ensures that the request, activity or access is granted to the individuals. The individual may have identity or authentication but potentially may not have authorization. And that does happen, where that person has the name, their ad, or the name, their password, but they are not authorized to gain access to the file or folder, so therefore they're blocked. So that's a good thing. The more you can integrate that within your multi-factor authentication schema, that is going to be great. There are lots of programs out there, like SailPoint and other types of activities, that can provide you a really good, seamless experience, but in most cases, most companies, it's Bill who's clicking allow, deny, allow, deny. And what does Bill do? He goes, I don't want to deny, it takes too much work. Allow, allow, allow, allow, and yes, then you have fun things.
Speaker 2:Another element is auditing, right? Oh yes, I know auditing is a dirty word, but it's important, right? So, recording of log events and activities related to the systems: is it being monitored, is it being logged, is it being watched? This is probably one of the areas that people definitely do not do much of. If they do, it's very limited. And this comes back to the critical aspects that I mentioned earlier. If you know the critical systems, those should be logged. Yes, indeed, and you should keep those logs for a period of time long enough to know that if you need to go back and look at them, you have the data that you can go look at. Don't make the log data good for like three days. That's on a critical system. That's not a good idea. That's a bad idea. You need to really have it longer, like 30 days, or probably 90 would be even better, because it usually takes anywhere from 90 days to six months to find a bad guy or girl in your network. So having log data on critical systems at least 90 days would probably be valuable. But that all costs money, and you've got to kind of determine what's it worth to you. Holding a person accountable for their actions is an important part of auditing.
Speaker 2:Yes, why are you accessing those file folders that say plush kitty videos? Those are only for the CEO, and yet you're watching them. Why is that? You need to hold people accountable. They're not allowed to watch those plush kitty videos. Additionally, is there a process for looking through unauthorized or abnormal activity? Again, you don't know until you start looking, and then, when you start looking, you go, oh, why is this? Now I will tell you that sometimes you may look at logs and go, oh, why is this? And then you chase a rabbit that doesn't exist and you waste a lot of time. So you've got to be very careful when you're looking at logs, because logs are not always perfect, and they can give you advice, or they can give you guidance or direction, that may not actually exist.
Speaker 2:Accounting. This is reviewing the log files and looking for complete compliance and violations. Again, bringing out the hammer and schwacking people over the head with it. Not physically, that's assault, just, I mean, talking to them. Right. Accountability must be maintained. And then, linking an individual to online activities is an important part. All of that's done through the accounting piece of this. So those are the five elements tied to the three A's. Now, key concepts: the security concept that data is authentic or genuine.
Speaker 2:Again, authenticity, it's an important part. This originates from the alleged source. Where did it come from? And this is very close in nature to integrity on the CIA triad: no change in transit or while it's being stored. This is the confidence in the validity of the transmission or the message or the message originator. Again, you want to make sure that whatever message or document you're using is authentic, it isn't a forgery and it hasn't been tampered with. So, again, it gives you a high level of confidence around it. I will say that with the PKI system that has been developed, you do get a really strong sense of integrity and authenticity, specifically when you're dealing with email messages. But if it's not deployed well, then you may start having questions about that.
Speaker 2:Non-repudiation, yes, this is where the subject, activity or person who caused the event cannot deny the event happened. Back to the point with the plush kitty videos: yes, it wasn't me, it was my dog that did it. Yeah, did your dog log in as gerber s? No. But so then it's you. So again, ensure the subject, activity or person who caused the event cannot deny the event occurred. This prevents people from claiming they have not sent the message, performed the actions, etc. This is made possible through identification, authentication, authorization, accountability and auditing. Non-repudiation: did you do that? And yes, I have employees that go, and they will. They bent my fin on one of my Kona trucks. Did anybody do it? No, it wasn't me, it wasn't me. But oh wait, the non-repudiation piece was you were working that day, and it wasn't bent the day before. So it is you, it's non-repudiation. But then they came and said no, it wasn't me, somebody else borrowed the truck. So, yeah, you've got to have non-repudiation. It's important.
Speaker 2:Established through digital certificates, session identifiers, transaction logs and access controls. Digital certs are really good. Again, they work really, really well. They also can be very challenging depending on how you have to deploy them. If you have an automated system, they deploy wonderfully. If you don't have an automated system, they suck. That's just, that's just, they're painful.
Speaker 2:Essential part of accountability, again, is an important part of non-repudiation. If you want to be accountable, have things accountable, you've got to be able to prove that the person, who, or systems that were accessing it are truly them. This is a really important part when you're dealing with service accounts, because now anybody potentially can have a service account. So if a service account is connecting to something and you know that it's connecting to it, you need to be able to understand who has access. And then, are we sure that that was the actual service account and it wasn't somebody posing as it, just utilizing the service account for something else? Protection mechanisms, that's where we finalize all this up.
Speaker 2:We kind of talked about this earlier, but one of the things I wanted to just kind of come back to is defense in depth, and this is where we talk about layered protections. This combines tools such as firewalls, intrusion detection, access controls. All of those are done for overlapping the safeguards as well, and this mitigates the risk through redundancy and diversity. So the redundancy and diversity will help mitigate this through the different layers that you have within your organizations, like a cake. If you have a multi-layered cake, you eat one part, you come to another, eat another part, come to another. It does reduce the likelihood of a successful attack if one layer is potentially breached. If you have a flat network where your business network and your industrial control network are on the same network, that is a one-layer cake. That's a sheet cake. No sheet cakes. You want multi-layered cakes. I'm getting hungry as I say this, but that's true. You want multi-layered cakes. An example would be a corporate network uses perimeter firewalls, then they have endpoints, then they have multi-factor to protect each of these sensitive data. If an attacker goes past a firewall and the MFA, there's still other mechanisms to catch them, and if you bypass an MFA, then you've got bigger problems as well.
Speaker 2:Abstraction and hiding data. Some things to think about there. This is where data hiding restricts access to sensitive data based on the role, and it also will help conceal the potential raw data that's there. It does enforce least privilege, and it's a core principle of protecting confidentiality when you're dealing with restrictions. It limits exposure of critical system components to unauthorized users. And I would say, if you have critical systems, putting them in separate networks is an important part. R&D networks, good example. If you have a research and development network, it should be in a separate, segregated network, and it should have protections going in and out of it to protect the data that's coming in and potentially leaving. You may not even have the data allowed to leave. Only data can come in, which would be a great way to help protect against any sort of data theft.
Speaker 2:But again, this, you know, like a hospital database is an example. Nurses will access a simplified interface, obviously showing the vitals, but they cannot get into the underlying tables and any of the content that's in there. They're unauthorized to do so. So that would be the abstraction piece or the data hiding piece of this. Again, you want to have a strong company that you'll go through and make sure that these protections are in place, and you, as a security professional, need to go and audit these. You need to verify that they are in place, that the nurses can't have access to the data, especially that they can't have any sort of write access to the data, and then encryption and security boundaries to fortify data protections. So you have security boundaries such as DMZs or process isolation that will segregate a trusted or untrusted network. So we've talked about this just briefly a little bit ago. It reduces the attack surface and supports risk reduction, maintains compliance with security policies by controlling data and system interactions, and the thing with that is you are going to run into countries that will require you to have segregations, and that you will maintain those segregations, and that you will document where those segregations are in place. So I highly suggest that if you are in any sort of regulatory environment, and in today's world, especially if you're dealing with defense contractors at all in the United States, you're regulated, whether you like it or not. So it's important that you have good security policies in place and that it's defined well with your employees. Now, an example of this would be a company's web server in a DMZ uses HTTPS with TLS 1.3, and then they use that for secure customer transactions, right, and from there you can't just gain access to the database. It's not front-facing at all, and this would protect against anybody from the outside gaining access to your web server and then gaining access to the underlying databases. You've got to make sure that you have protections in place for all these specific activities. So, again, an important part of the overall plan.
Speaker 2:Okay, here are the references for today's stuff. Thanks so much for joining me. This is all I have for you today. Head on over to CISSP Cyber Training and check out what I've got. I've got a bunch of free stuff, my bronze package. You'll love it. It's amazing. Check it out. All my free stuff is there. It's all in one spot for you. I just wanted to make it easy on you. You can get my blogs. You can get access to the videos, the rapid review questions. You can get access to my 365 questions that I provide for people who sign up on my email list. You gain all kinds of great stuff that's there just through the bronze package. If you want more details, you want this video, you want this in a curated format, look at what my other packages are, my silver, my gold. Those will provide you all this content to help you pass the CISSP the first time. That's the goal. We want to help you do that, as well as I'm here and available to you to mentor you, to give you the knowledge and guidance you need to help navigate this whole cybersecurity space. It's here for you, from resume prep to interview prep. All of those pieces are available at CISSP Cyber Training, so go check it out.
Speaker 2:All right, I hope you all had a beautifully blessed day today. Please stay warm. Actually, I shouldn't say stay cold, stay cool, stay cool. Go float around in a pool, if you've got one, but if you're listening to this and it's the winter, well then, go find someplace warm so that you can snuggle up. All right, have a wonderful day, and we'll catch you on the flip side. See you. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.