CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 294: Config Management Essentials - CISSP Domain 7
A single Windows shortcut can open the door to espionage, and that is where we begin. We break down a recent LNK exploit campaign to show how hidden command-line arguments and DLL sideloading slip past busy teams, then pivot to the core defense most organizations underuse: disciplined configuration management. From baselines and version control to change boards and rapid rollback, we map the habits and tools that turn chaos into control.
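As an added example (mine, not code from the episode or the CSO article it discusses), here is a small Python triage script that parses the parts of a .LNK file that matter for this class of attack and flags the combination described above: a shortcut whose target is a command interpreter and whose command-line argument field carries a payload the user never sees. The shortcut samples are constructed inside the script. The whitespace-padding heuristic (treating a long run of spaces in the argument field as an attempt to push the real command out of the Properties dialog's view), the threshold of 64, and the interpreter and DLL-loader name lists are my assumptions rather than anything the episode states.

```python
"""Triage Windows shortcut (.LNK) files: parse the ShellLinkHeader and
StringData sections (layout per MS-SHLLINK) and flag shortcuts that launch a
command interpreter with a padded, hidden argument string.
Added example with constructed samples; not code from the episode."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
# LinkFlags bits that decide which optional structures follow the 76-byte header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7            # ShowCommand value that opens the window minimized
INTERPRETERS = ("cmd.exe", "powershell", "pwsh.exe", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32")   # assumption: names worth flagging
PADDING_THRESHOLD = 64            # assumption: a whitespace run this long is deliberate


def _read_string(data, offset, unicode):
    """StringData field: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    width = 2 if unicode else 1
    raw = data[offset:offset + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), offset + count * width


def parse_lnk(data):
    """Return LinkFlags, ShowCommand and the StringData strings of a shell link."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    offset = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # uint16 IDListSize, then the IDList
        (size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + size
    if flags & HAS_LINK_INFO:                # uint32 LinkInfoSize, inclusive of itself
        (size,) = struct.unpack_from("<I", data, offset)
        offset += size
    info = {"flags": flags, "show_command": show_command}
    unicode = bool(flags & IS_UNICODE)
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            info[name], offset = _read_string(data, offset, unicode)
    return info


def triage(info):
    """Return (code, detail) findings an analyst should look at, in a fixed order."""
    findings = []
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "")
    if any(name in target for name in INTERPRETERS):
        findings.append(("interpreter_target", target))
    runs = [len(r) for r in re.findall(r"\s{2,}", args)]
    if runs and max(runs) >= PADDING_THRESHOLD:
        findings.append(("padded_arguments",
                         f"{max(runs)} whitespace chars before: {args.strip()[-60:]}"))
    if any(x in args.lower() for x in ("rundll32", "regsvr32", ".dll")):
        findings.append(("dll_load", args.strip()))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append(("minimized_window", "ShowCommand=7"))
    return findings


def build_lnk(relative_path, arguments, show_command=1):
    """Build a minimal shell link: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)   # FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                                         # creation/access/write times
              + struct.pack("<IiIHHII", 0, 0, show_command, 0, 0, 0, 0))  # size, icon, show, hotkey, reserved

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples for the example; not artifacts from any real campaign
SAMPLE_MALICIOUS = build_lnk(
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    "/c " + " " * 900 + "start /b rundll32.exe update.dll,Run",
    show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk("..\\Notepad++\\notepad++.exe", "")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(parse_lnk(blob)))
```

Run it as a script to see the two verdicts, or point `parse_lnk` at the bytes of a quarantined shortcut pulled from a mail gateway. The parser deliberately stops after the StringData section; the ExtraData blocks that follow are not needed for this check.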
We walk through building secure, realistic baselines with the CIS Benchmarks and NIST SP 800-128, and why "simple and enforceable" beats "perfect and ignored." You'll hear how least privilege for configuration changes stops shadow tweaks, how EDR and application-layer firewalls catch command-and-control traffic, and how automation with Ansible, SCCM, and Terraform keeps fleets consistent. We spotlight the CMDB as a living source of truth, which is only valuable if you maintain ownership, automate updates, and report on drift so leadership and risk teams can act.
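As an added example (not the episode's own tooling), the drift report described above in Python: a small CIS-style baseline, three constructed host snapshots of the kind an agent or an Ansible facts run would capture, and a set of approved change records standing in for the CMDB. Every deviation is reported either as covered by an approved change or as a shadow change, worst severity first, and a fully-compliant-host count is produced for the leadership slide. The setting names, thresholds, severities and host names are all constructed for the example.

```python
"""Baseline drift check: compare captured host settings against a secure
baseline and separate drift covered by an approved change record from shadow
changes. Added example on constructed data; not the episode's own tooling."""
from dataclasses import dataclass

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Rule:
    key: str                 # setting name as captured from the host
    expected: object         # required value, numeric bound, or allowed set
    op: str = "eq"           # eq | max | min | in
    severity: str = "medium"

    def satisfied(self, actual):
        if actual is None:   # a setting that was not captured counts as drift
            return False
        if self.op == "eq":
            return actual == self.expected
        if self.op == "max":
            return actual <= self.expected
        if self.op == "min":
            return actual >= self.expected
        if self.op == "in":
            return actual in self.expected
        raise ValueError(f"unknown op {self.op!r}")


@dataclass
class Finding:
    host: str
    key: str
    actual: object
    expected: object
    severity: str
    approved: bool           # True when an approved change record covers this setting


# A small CIS-style baseline (constructed; thresholds and severities are assumptions)
BASELINE = [
    Rule("smb1_enabled", False, severity="high"),
    Rule("password_min_length", 14, "min"),
    Rule("lockout_threshold", 10, "max"),
    Rule("rdp_nla_required", True, severity="high"),
    Rule("edr_agent_state", {"running"}, "in", "critical"),
    Rule("local_admin_count", 2, "max"),
]


def check_host(host, snapshot, rules, approved_changes):
    """Evaluate one host snapshot; approved_changes maps host -> {setting keys}."""
    covered = approved_changes.get(host, set())
    return [Finding(host, r.key, snapshot.get(r.key), r.expected, r.severity, r.key in covered)
            for r in rules if not r.satisfied(snapshot.get(r.key))]


def drift_report(snapshots, rules, approved_changes):
    """Findings split into shadow (no change record) and approved, worst first."""
    findings = [f for host, snap in snapshots.items()
                for f in check_host(host, snap, rules, approved_changes)]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.key))
    return {"shadow": [f for f in findings if not f.approved],
            "approved": [f for f in findings if f.approved]}


def compliance(snapshots, rules):
    """(fully compliant hosts, total hosts): the metric for the leadership slide."""
    clean = sum(1 for host, snap in snapshots.items() if not check_host(host, snap, rules, {}))
    return clean, len(snapshots)


# Constructed host snapshots (what an agent or an Ansible facts run might return)
SNAPSHOTS = {
    "srv-ad-01": {"smb1_enabled": False, "password_min_length": 14, "lockout_threshold": 10,
                  "rdp_nla_required": True, "edr_agent_state": "running", "local_admin_count": 2},
    "srv-file-02": {"smb1_enabled": True, "password_min_length": 14, "lockout_threshold": 10,
                    "rdp_nla_required": True, "edr_agent_state": "running", "local_admin_count": 5},
    "ws-plant-07": {"smb1_enabled": False, "password_min_length": 8,   # lockout_threshold missing
                    "rdp_nla_required": False, "edr_agent_state": "stopped", "local_admin_count": 1},
}
# Approved change records pulled from the CMDB (constructed): SMB1 left on for a legacy scanner
APPROVED_CHANGES = {"srv-file-02": {"smb1_enabled"}}

if __name__ == "__main__":
    report = drift_report(SNAPSHOTS, BASELINE, APPROVED_CHANGES)
    for bucket, items in report.items():
        print(f"== {bucket} drift ({len(items)})")
        for f in items:
            print(f"  [{f.severity:8}] {f.host}: {f.key}={f.actual!r}, expected {f.expected!r}")
    clean, total = compliance(SNAPSHOTS, BASELINE)
    print(f"fully compliant hosts: {clean}/{total}")
```

The split matters: the approved bucket is the list of documented exceptions an auditor will ask about, while the shadow bucket is the list of changes nobody requested and the first thing the risk team should see. Wiring this to a real source means replacing the two constructed dictionaries with the output of your collection tool and a query against the CMDB's change records.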
Change governance becomes your stabilizer. A change control board aligns IT, security, operations, risk, and compliance before big moves, while an emergency change advisory board authorizes fast action for zero-days and incidents, subject to a strict post-implementation review. We break down the full change lifecycle (request, impact analysis, approval, staging, implementation, verification, CMDB update) and the common pitfalls to avoid, including undocumented changes, brittle rollback plans, and ignored post-change scan results. Expect practical guidance on when to auto-patch Windows, how to iterate quarterly without over-engineering, and which metrics prove progress.
If you’re aiming to master CISSP Domain 7 or just want fewer outages and faster recovery, this conversation gives you a clear blueprint to reduce attack surface and increase stability. If it helps, share it with a teammate, subscribe for more deep dives, and leave a quick review so we can keep improving for you.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast. We provide the training and tools you need for the CISSP exam. Hi, my name is Shon Gerber. Join me each week as I provide the information you need, and grow your cyber career along the way. Alright.
SPEAKER_01: Good morning everyone. It's Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is Monday, and Mondays are CISSP training, and we're going to be focused specifically around Domain 7 of the ISC2 CISSP exam. And this is 7.3, performing configuration management. So I'm pretty excited to get into configuration management, because I will tell you that a lot of people do not do it well. And when you don't do configuration management well, you really set yourself up for some challenges. And so as you're looking at studying for the CISSP exam, one of the big things you may hear is around how do you configure all this stuff? And so we're going to try to go into what it is and why it's important. But before we do, I wanted to go over an article that I saw today in CSO magazine. CSO magazine had an article that says "Chinese hackers target Western diplomats using hard-to-patch Windows shortcut flaw." Now, according to the article, and I've dealt with this before in the past, it's dealing with .LNK files. Now, a .LNK file, to kind of break it down, is more or less a shortcut, right? So you have an icon on your computer on the desktop, and it says Windows Internet Explorer or whatever it might be, and it has a path that targets an application. In the case of Internet Explorer, it would be the application Internet Explorer. You click on it, and then it runs. Well, the Chinese have been focusing on this, related to Mustang Panda, and this is targeting Western diplomats in Belgium, Hungary, Italy, the Netherlands, and Serbia. Now, these attackers are exploiting a .LNK vulnerability tracked as CVE-2025-9491. And there's also a ZDI-CAN version of that as well. Bottom line is they're spear-phishing folks in the EU, looking for different information that they can get.
And then in these emails that they're sending, there is a .LNK file that basically uses the Windows shortcut flaw, which then has hidden command-line instructions and executes code. So it basically pulls up, and it's hidden though, in the command line, your CMD line, and then it runs and executes code. Now, this includes DLLs that have got sideloading, there's decoy signed Canon software, and the deployment of a PlugX remote access trojan that's in there. So this could be bad, right? Like everything else that's out there, this is something that's specifically targeting these folks. Now, they obviously are going after these individuals using the LNK files because they feel that they can gain some access doing that. And it does highlight the fact that the actors are weaponizing these newly disclosed vulnerabilities for state-sponsored espionage activity. Now, when it comes to the LNK files, this has been around for quite some time, this actual vulnerability. And Microsoft has made the comment that they do not wish to update or patch this because it's something they can't do. And I thought that was kind of interesting, because it said in an article from Palo Alto that Windows just says this is not something we plan on doing at this point, and therefore you are out of luck. Now, this can be mitigated in a couple of different ways, right? There are different aspects to work through this challenge, but one of the things you want to do is put in place some very good application-level firewalls. And by doing this, they can be looking for different types of activities that are trying to occur. Now, this wouldn't change the fact that somebody could actually utilize the execution on the desktop, but it would notice any command and control that's going out.
If you have a good EDR platform in place, such as CrowdStrike and others, if you click on the link, that would then notify that it's actually trying to do this command line with command and control, and an alert would be generated as well. So they're targeting folks that maybe do not have good EDR capabilities in place. So therefore, if you are in these situations, you may want to look at what you actually deployed in your environment. So the ultimate thing you want to really do, obviously, is restrict or disable automatic resolution of LNK files. So a person has to actually click on it, double-click on it, to make it work, versus the automatic aspects of it. So if you can delay that or stop that deployment within your EDR solution, that would be a good place to be. You also want to monitor for any suspicious use, obviously, of any sort of signed binaries or unusual DLL loads. This is where an EDR platform, again, will be extremely helpful. And then focus on human risk reduction, obviously via phishing awareness and so forth. So you want to make sure that you're teaching your people how this happens. And a good little article you could put out: just put maybe the link to this article, send it to your folks, and just say, hey, if you think that this happens to you, we have the phishing report button, click on the phishing report button and go from there. So again, the Chinese are after you all the time. I mean, it's not just the Chinese, right? Everybody out there is always chasing these folks. In this case, it's not trying to spam or scam somebody, it's more with the eyes of trying to gain some level of espionage and gaining access to data. So let's move into what we're going to talk about today.
All right, before we get started, though, I wanted to let you know, head on over to CISSP Cyber Training and get access to all the incredible free content that's out there available for you. There is tons of information out there. I've got free questions, I've got YouTube podcasts you can go to, I've got exam prep, all that stuff is available to you, as well as, if you're looking for paid content, go there. There's a lot of great content that's there and it's paid and available to you as well. All of the aspects that you come into are all at CISSP Cyber Training. You can get everything you need to study for the CISSP exam. If you're not ready for the CISSP exam and maybe you still need some help, I have paid products that are available to you to help you walk through step by step everything you need to do for the CISSP. So it's a great place. Go check it out, CISSPCyberTraining.com. All right, Domain 7, 7.3, performing configuration management. So, configuration management. What is the purpose of this? It's to configure your system, yes, sort of. But what it is, it's a systematic process to identify, control, record, and verify changes to your IT systems. Now, as we all know, if you've dealt with IT for any length of time, you understand how complex it is. And it has gotten even more complex over time. Between AI, between various virtual machines, between Kubernetes, between all of those pieces, it is overwhelming what you have to know. And each of those has a configuration that is associated with it in many ways, right? From your PAM solution, which is your privileged access management solution, down to the virtual machines that you have in your organization. So there are so many knobs and buttons that you can push and turn to make your system work the way you want it to. So you really truly need to have a configuration management program developed and integrated for your company.
You just really must do it. And this is why ISC2 talks so much about this. So it ensures that there's integrity, availability, and accountability through the whole system lifecycle. And again, we've talked about the birth to the death of various systems. You want to make sure that you have that done. You also want to understand the relevance as it relates to security. It does prevent unauthorized or insecure changes, so someone doesn't just come in and make changes to different things. And then what does that cause? It causes outages, it causes downtime, it causes impact to your organization. So it is a big deal. And many organizations, as they are trying to roll out different parts to their company, cannot afford downtime of any sort. It also provides traceability and rollback capabilities. So you push this update, whatever it is, and it goes out, it updates all the systems, and then all of a sudden everything breaks. How do you deal with it? Well, how do you roll it back to where it was before? Because the worst thing you can do is put a patch out and then go, oh no, now what? And it doesn't roll back because you didn't have a good plan. That is what the goal of having a configuration management program is. It helps you in these situations. It supports audit compliance and incident response as well. So if you have a situation where you now have an incident within your company and you're bringing everybody together and you need to deploy a patch quickly or deploy some sort of fix quickly, you now have this process in place on how to bring everyone together to actually push it out and get it done as quickly as you possibly can. One of the aspects around configuration management is secure configuration management. So one of the core principles around this is maintaining secure baselines for systems and applications.
You should have a minimum security expectation set up for all of your systems, your servers, your virtual machines, all of your desktops, your laptops. There should be a baseline, a secure baseline that you have developed. Now, this baseline can be relatively easy. I mean, it doesn't have to be something super complex. And I would actually recommend that you don't make this complex. You want to make this so it deploys in a way that is secure, but if it's overly complex or verbose or management-heavy, then it can actually start breaking stuff as well. I mean, when things don't meet that criteria, you start having exceptions, and then you have a lot of exceptions. So you really want to avoid that as much as you possibly can. And you want to regularly validate the configurations against your security standards, such as the CIS Benchmarks and NIST 800-128. You want to make sure that those are out there for you to give you an idea of what good looks like. So you want to measure or validate those against those various frameworks. You want to apply least privilege and role-based access for any sort of configuration changes. So if there's going to be a configuration change in your enterprise, it shouldn't be the local admin that can do that. It should be somebody that actually has those rights and capabilities for your company. Now, the key activities you can consider: baseline establishment. This is where you document the secure configuration as a reference point. And then you will have various configuration audits that you can complete. This will help ensure consistency and detect unauthorized deviations within your company. Version control: you need to track and log every change made to these configurations, because obviously when these things happen, you may all of a sudden realize something's bad and you want to roll it back.
Well, if you're not controlling the version of the different changes, it could be devastating and you wouldn't know which way to go. So version control is important. And you see this a lot. We talk about this in the CISSP, but really it comes down to anything in IT. Attention to detail is imperative. You really truly need to understand that. And then you utilize some level of automation tools such as Ansible, Chef, or Puppet to help you enforce secure configurations at scale. Now, your organization may not have this at the beginning, and you may want to just start off small. But nonetheless, you want to have the ability to have some level of automation deployed, or to be able to deploy these different configurations to your company. So, what are the benefits that occur? It reduces the attack surface of your organization. So by making sure that there are updates that are happening, it does reduce the overall attack surface that someone can use, both internally and externally to your company. It also ensures operational stability. Now, if you're trying to make money, operational stability is important. It's extremely important. And your VP of operations will want to make sure that you understand this. So you are now saving the company money by ensuring that the company's operational capability stays up and moving and is stable. You also ensure rapid recovery from any sort of misconfigurations or compromise. So if you have a situation where there's a ransomware attack that occurs, and you now have to rapidly deploy new equipment, or I should say new software, then this change management process will help, whether it's hardware, software, or even any sort of process that you may have in place. It's going to help dramatically in that overall plan. Now, secure configuration: we talked a little bit about NIST 800-128. This is where you're dealing with security configuration management.
And they talk about software-based SCM solutions to help you basically reduce this attack surface through proactive and continuous monitoring. Now, these monitors will monitor the operating system, the applications, and the network devices to ensure that they are properly configured. And you'll see there's various software that can do this, and you want to make sure that this software fits into your overall program. Now, there are regulatory requirements which may require an SCM. Payment card industry, you have your PCI DSS, Sarbanes-Oxley, Monetary Authority of Singapore; these all require some level of SCM in your organization. So this automated tool is invaluable to them. Now, security configuration consists of four potential steps. Asset discovery: you've got to know what you have in your company. From software to hardware, you need to understand this. And we've beaten on this drum many a time within this podcast that asset discovery is an imperative part of what you're doing. You also need to define acceptable security configurations as baselines for each type of device. This ensures security baselines are met according to the internal policies that you have developed. So this all builds together: your policies, your configurations, all of these tie to one another. And manage devices also on a predefined frequency based on the security policy that you have created. So how often do you go and look at these systems? Do you look at them once every six months? Once a year? Once a quarter? You want to make sure that your security configurations have a baseline and then you are automatically going out and checking these baselines to ensure that everything is being configured as planned.
Now, one of the things you may come back and say is, well, everybody does this, or, you know, if I set this configuration, the security baseline, I don't need to worry about someone making changes. And I'll tell you, you are correct. However, how often I have seen where somebody who should not be able to configure something does, and they configure it to make it easy. And some of the worst people in this situation are the IT folks. Yes, they have the God-rights capabilities and they are trying to work a problem. And what do they do? They make changes to a system or server to get the problem fixed. And guess what? They don't go back and change back what they did, and they just go, oh, hey, it works. We're good. It works, so we're good. No worries there. Other things you need to consider when you're dealing with configuration management are operating systems, application support, policy flexibility, and scalability. You need to really truly understand all of these pieces around it. And this is why you cannot just create a configuration management program on a whim. You need to have a good plan. But I will tell you, your plan doesn't have to be perfect. It must just be done. And you need to create a plan that you can scale, but you also need to create a plan that you can build upon. So if all of a sudden you're going, well, hey, I've got to build this plan, so let's start, and you create this monstrosity of a plan that there's no way you're going to be able to follow, that is really not the right approach. You need to build out a configuration management plan that meets your needs at the basic level and then build upon it. That's where your iterative process will come into play, once every quarter, when you go back and you relook at it. So again, you need to plan it, plan it smart, plan it small initially, and then build it from there.
So when you're looking at some other aspects around this, you need to establish the baseline based on the system and the product structure, functions, and their attributes. So an example of this would be documenting the initial hardware and software configuration of a server. So again, back to attention to detail. Then you need to manage the changes to these systems to ensure stability and minimize your overall disruptions. So you need to know what changes are being made to what system. An example of this could be approving and implementing security patches for a specific application. So a spreadsheet, you know, many of you may have one; I know I've managed so much stuff with spreadsheets, it's just terrible. But a spreadsheet is a really good way to start. However, if your organization is of any size, a spreadsheet is going to get unmanageable real quickly. And this is where the software that you purchase to help you do this would be extremely important to you. You also want to have configuration status accounting. This is where you track and report on configuration items, also known as CIs. So maintaining an inventory of all network devices and their configurations is an incredible part of this, and you're going to have to do that. And I highly recommend you do that. Don't try not to do it. Okay, I think I've beaten that drum enough. Configuration verification and audit. This also ensures you are compliant with established baselines. And these are really good reports that you can pull to show auditors that yes, you have a program, yes, you are following it, and you have documentation associated with it. So configuration verification and audit: again, you want to make sure you have a paper trail to document all these things. And this is where you regularly audit user access permissions against the defined security policies you've created.
So as you're looking to do change management, there's a process, which we've talked about a little bit here, and what are some of the different key components of this process? Well, one is a change control board, the other one is an emergency change advisory board, and then finally you have the change request process as a whole. So let's break down each of those into how they actually work. All right, the change control board. Now, the purpose of this is a formal authority to evaluate, approve, or reject change requests. This consists of people from IT, security, operations, risk, compliance, many different aspects. And the purpose of this group of people is to get together and talk about the change. So let's just say, hypothetically, you're going to do an Active Directory change: you're going to put in a new Active Directory system, you want to do an update, and you're making this change within your company. And it's going to cause an outage. Well, operations is going to want to know about this. Compliance is going to want to know how this is going to affect the regulators. Security is going to want to know, okay, how vulnerable are we at this time? And IT is in the process of deploying it. And then risk is saying, if this doesn't work, what's going to happen to our organization? So all of those folks are involved to help you work through this overall plan. Now, it's imperative that everybody is aligned before you go forward with one of these changes. So you review the impact assessment of what occurred with, say, Active Directory: how is this going to impact your company, who's going to be affected. You want to ensure alignment with everybody, and that the security and the business policies are in place as well. And you want to document the decisions and maintain the audit trail associated with it. Again, attention to detail and documentation.
One is to help you roll back if there are issues. Two is, if you're hit by a bus, people know what actually occurred. And three, it comes down to whether some sort of regulatory requirement has been addressed and covered as well. You have security integration. This is where you evaluate the security implications of each proposed change, and then require vulnerability or risk assessments for significant changes. Now, you may not have a formal risk assessment for each of these changes. You may have something smaller, but you just determine that during this overall change control board. Now, an emergency change advisory board, this is just as it states. In an emergency, something bad has just happened. And this handles urgent, high-priority changes such as zero-day patching, incident mitigation, etc. So if something goes sideways and you're like, oh my gosh, we've got to do something, that's when you would kick in the emergency change advisory board. Typical change boards happen once a week. You would have the change board, talk about any updated changes that are occurring. Now, if your organization is smaller, your change board may be once every two weeks or maybe once a month. It just depends on how much change occurs within your organization. But the emergency change board is immediate. If something like this happens, we need to pull everybody together. And this is where incident response really works in well if you have a good, documented emergency change advisory board. Now, the characteristics of this are a smaller, agile team authorized for rapid decision-making, and it bypasses standard approval timelines, but requires a post-implementation review. So in the past, you may have had to have multiple people sign off on something. The emergency change board has the right to go and just push this out immediately without telling everybody.
Well, I should say, they'll tell people, but without actually requesting approval to do so. And so you want to have them have that capability. However, you also need to have the ability that they will create a post-implementation review process and documentation on what actually occurred. So, some of the best practices around this. You want to document justification for the emergency change. Obviously, you want to make sure who approved it and why you thought you needed to do it. You want to conduct retrospective analysis for compliance and lessons learned. And then you want to reintegrate your emergency changes into your formal change management documentation. So if there are any changes to your emergency process, you want to put that in your documentation that you have. Again, documentation around change management is very, very important. I can't stress it enough. I was always one that kind of liked to fly by the seat of my pants and shoot from the hip. Well, yeah, that doesn't work so well in IT. It can for a short time, and you're getting things done and you're the hero, but then when things start falling apart, you don't have the documentation to fall back on, and that's not a good place to be. Now, the change request process, how does this work? It's a multi-step process, and so we're going to start to walk through some of these. One, the change request submission occurs, and this is initiated by an authorized person within your organization, and this includes a description, the rationale, a risk assessment, and a backout plan. Now, if it's operations that's submitting this change request, they're obviously going to work with IT or security to come up with a good assessment and a good backup plan for this change.
You're going to review an impact analysis that's going to occur, and you're going to have a technical and security evaluation for any potential effects, and then consider any dependencies or downtime that may happen. Now, you also want to consider threat exposure. As an example, let's say you're taking down your DDoS provider for your front-facing websites, and now you no longer have any DDoS protection while this change is occurring. You want to make sure everybody's aligned with that and they understand the risks that are associated with it. It may be, you know what, we have a small window, we'll be down for about six hours, we don't see it as a problem, we're going to press forward. Or it could be, we're going to lose DDoS protection for 10 weeks because of, I don't know, some crazy idea. That would be a much different conversation than four to six hours. So you want to understand how that impacts you and how that impacts your company. The approval process: this will be reviewed by the change board, or by the emergency change board for specific activities. And this must be approved or denied based on risk, cost, and potential business impact. So you really want to have a good plan in place, and the approval process needs to be defined and written out. And everybody needs to understand the process. The next one is implementation and testing. You want to deploy this to staging/test environments first. This helps validate that the baseline and the security policies are being met. Now, sometimes it doesn't happen, right? For an emergency change request, that's not going to happen. You're just pushing the thing out. But if you can have staging or test environments first, that would be extremely useful. Now, that being said, I would highly recommend that you deploy your Microsoft patches automatically. Now, your organization may not have the ability to do that. Okay, that's one.
Two, you may not want to do that because of some other sort of application that it might break. That's fair. But I would recommend, if you are a Windows shop, to deploy these things automatically, just because it does reduce the risk to your company. And I've had situations where they've had to be rolled back, but in most cases the Windows patches are pretty good. And I would say that's one thing to take off your plate, if you automatically have these systems being updated. Now, that's if you have a new enough system that can have that happen. If you have old systems, well, it's time to upgrade, because you've got a lot of issues there. Originally, I was one that argued against that, because I'm like, well, things happen, right? And in the days of old, that was probably true. But in today's new world, with the way these systems are, I would highly recommend, if you can, automate your Windows updates. Now, documentation and audit: this is where you record changes, test results, and approvals. You'll update your CMDB, which is your configuration management database, to make sure what has actually occurred. This is the one where people fall flat on their face a lot, big time: these darn CMDBs are not updated appropriately. So you really want to do this; again, attention to detail. If you find somebody within your organization who is an attention-to-detail nerd, put them on this. They will love it, they will gobble it up, and they will do very, very well for you. So consider that. I really would. Your CMDB, they're supposed to be set up to be automatic, they're supposed to be set up to be configurable. So often these things are just outdated and are not useful.
So if you do have one and you do utilize it, which I strongly recommend, do keep it updated, and find your geeky nerd out there who loves that stuff and put them in charge of it, and then make them very happy and give them bonuses and all those fun things, because they will be saving your bacon in the future. Post-implementation review: this is where you confirm objectives were achieved without adverse impact. So make sure you have that objective set up. And then you also assess any residual risks or vulnerabilities that are introduced by implementing it. Did I do this? And now how's everything going? You should have routine external scans, and these routine external scans will help highlight any changes that may have increased some level of risk for your organization. Some tools and automation, right? Your configuration management database, which I recommended earlier, your CMDB. This maintains asset and configuration data, such as ServiceNow, BMC Remedy. All of these are different types. I know Microsoft has a CMDB as well. So they're out there. I just recommend, please keep them up to date. Automation tools to help enforce configuration baselines: you have Ansible, Terraform, SCCM; all of those are automation tools that work within your organization. Version control systems such as Git, Subversion, or code control, any sort of configuration tracking that's available, to ensure you have the right version control. Now, if you have a CMDB, ideally, and some automation tools, they would be keeping the version control for you. It just depends on what level of automation you have and what level of tools you have. You also want to monitor and report.
This helps detect drift from approved baselines, and it also helps in the event that somebody does stuff they shouldn't and puts out systems that don't meet your baseline, which they do from time to time. And so your senior leaders should also be getting a report on this. Now, would you send this up to your board? Probably not, but should your CIO see it? Yes. Should your CISO see it? Yes. So they should be understanding what the risk to your company is. Your risk team should also be asking for this. I built relationships with our risk team so they were asking for these audit reports on a routine basis. And it was just a bullet point that we had in slides that we sent to them, but they were tracking it because they understood the risk to your company can be substantial for not having a good configuration plan. We've kind of talked about some of these already, but some common security pitfalls related to change management are lack of change documentation or approval trail. Yep, that's one I see a lot. Unauthorized or shadow changes by IT, a lot. Yep, or by folks at, like, a location. So we've had manufacturing facilities where at the location there's usually someone who has godlike credentials because of some emergency that may occur. Yeah, somebody uses their credentials and starts putting stuff in. Yeah, that's your shadow changes. That's not good. Weak testing or rollback plans, those are things you may not have in place really well. Poor integration between your IT, DevOps, and security teams, that would be an issue, especially as it relates to changes. And then ignoring post-change vulnerability scans or audits. So basically, you do a vulnerability scan, you're like, well, we have a problem. Well, yeah, but that's not a big deal. And by the way, if I have to go back and change it, it's a lot of work, and I don't want to do that. And we just got it working. We spent six weeks getting this darn thing working. 
Ah, we don't really want to do that. So I sounded a lot of whining there, right? But that's what I've heard. Every one of those things I just said, I've heard it. And it took a lot of coaxing, a lot of influence. It also took talking to supervisors to say, I know you will do this and we're gonna get it right. And I'm sorry, but you'll be screaming your head off when things get hacked and you realize that the configuration was because of something that we could have fixed. That is just bad. So those are some common pitfalls that you run into related to change management. Okay, that's all I have for you today. Head on over to CISSP Cyber Training. Again, lots of free content, lots of great paid content. If you're looking for the CISSP and you want a free thing and you want to have the ability to kind of study for it and be prepared on a self-study basis, I might have some free stuff there that'll help you do that. If you truly want to have a step-by-step concierge-type process and you want to ensure that you're studying the right stuff, you want to look at the paid products as well. Again, you can do whatever you want. Self-study, I did it. And it wasn't pretty. I've created some things to help you self-study and make it much easier for yourself. But if you need that little help, you need some guidance, you need some mentorship, all of those are my paid products as well. So you can go to CISSP Cyber Training and head on over to that, and you'll be able to find out what I've got available for you. All right, thank you so, so very much for today, and I hope you all have a wonderful day. We will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. 
Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
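The monitor-and-report step the episode describes, comparing what hosts actually run against the approved baseline and the CMDB and flagging drift and shadow systems, as an added example that is not part of the podcast's material; the baseline settings, CMDB records, host names and observed states are all constructed for illustration.

```python
# Added example (not from the podcast): report configuration drift from an
# approved baseline and flag hosts missing from the CMDB (shadow systems).
# Baseline keys, CMDB records and observed states are constructed here.
from dataclasses import dataclass, field

# Hypothetical CIS-style approved baseline for Windows hosts.
BASELINE = {"smb_v1_enabled": False, "auto_update": True,
            "firewall_enabled": True, "min_tls_version": "1.2"}

# Constructed CMDB: host -> owner and last approved change ticket.
CMDB = {"web01": {"owner": "platform", "last_change": "CHG-0001"},
        "db01": {"owner": "data", "last_change": "CHG-0002"}}

# Constructed observed state, as an Ansible/SCCM inventory run might collect.
OBSERVED = {
    "web01": {"smb_v1_enabled": False, "auto_update": True,
              "firewall_enabled": True, "min_tls_version": "1.2"},
    "db01": {"smb_v1_enabled": True, "auto_update": False,
             "firewall_enabled": True, "min_tls_version": "1.2"},
    "lab07": {"smb_v1_enabled": True, "firewall_enabled": False,
              "min_tls_version": "1.0"},  # auto_update never reported
}


@dataclass
class DriftReport:
    # (host, setting, expected, actual) for each deviation; unregistered
    # holds hosts seen on the network but absent from the CMDB
    findings: list = field(default_factory=list)
    unregistered: list = field(default_factory=list)

    def drifted_hosts(self):
        return sorted({f[0] for f in self.findings})


def check_drift(baseline, cmdb, observed):
    """Compare each observed host against the baseline and the CMDB."""
    report = DriftReport()
    for host, state in sorted(observed.items()):
        if host not in cmdb:
            report.unregistered.append(host)
        for setting, expected in baseline.items():
            actual = state.get(setting)  # a missing setting counts as drift
            if actual != expected:
                report.findings.append((host, setting, expected, actual))
    return report


def summarize(report):
    """Per-host summary lines, the kind that go on a risk-team slide."""
    lines = [f"{h}: {len([f for f in report.findings if f[0] == h])} drifted setting(s)"
             for h in report.drifted_hosts()]
    return lines + [f"{h}: not in CMDB" for h in report.unregistered]
```

Feeding the report into a ticket or scan workflow is left to the surrounding tooling; the point is that an unregistered host and a missing setting both surface as findings rather than silently passing.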