Session 3: 2023 FRSecure CISSP Mentor Program — Asset Security and Security Architecture
00:00:00
Yo. If not faster, go on live.

00:00:17
All right, well, welcome everyone to class three of the FRSecure CISSP Mentor Program. Tonight's going to be a bit of a doozy. We'll be covering domains: finishing out the second half of domain one, as well as getting all the way through domain two and about a third of domain three. So bear with me here while I get the last little bit of technical details figured out on my end to get my camera on, and then we'll get right on into this. Hopefully everyone had a chance to catch up on the study. And a quick bit of housekeeping here: make sure to check in on the Discord. Do not share any materials that are copyrighted in nature or considered to be protected. We want to respect the authors that allow us to use the content, as well as be consistent with the law. And again, I apologize, I have many screens, and doing camera just makes for an extra one. So hopefully we got some study in and everybody's able to get into the Discord. All right, well, let's get on into tonight's class.

00:01:36
So, quick housekeeping reminder, just again the online chat, and we want to make sure we're good there. Use the slides, forwarding along here. Of course, a little bit of technical difficulty. Of course it's my class where we have that; this is par for the course. There we go, looks like we're back on track. And then Ron is with us as well. I am not able to see the Zoom chat, so Ron, I can see the Discord. If you give me a thumbs up in the instructors that we are good to go live streaming and we can see the screen, I'd appreciate it.
00:02:14
All right, so moving on. Tonight we're going to cover quite a bit of information. I'm going to try to move through this at a reasonable pace without overwhelming you, but feel free to check in and check out as you need to as we get into the longer portion tonight. And I do encourage everybody to go back and watch this on 2x or 3x, depending on how much information you can take. So we're going to talk about policies, business continuity, personnel, third-party supply chain controls, risk management, security awareness, and a whole host of other topics. So before we get too far into that, nice to meet you all. I am your instructor tonight, Ryan Cloutier here. I am the President of SecurityStudio, and if I can get the camera to turn on for a second, I'd be happy to show you guys what I look like. Let's see if that works.

00:03:11
All right, well, hopefully you can see me. Hi, good to meet all of you. Like I said, President of SecurityStudio. I'm also a virtual Chief Information Security Officer. Serving the underserved is my passion area; I really do like to help those that are most in need. It's really a passion of mine. Speaking human about tech is my superpower, so I'm able to translate a lot of this technical jargon and mumbo jumbo into things that are accessible for the regular everyday person. I co-hosted a couple of different podcasts, one that you might find entertaining, the Security Shit Show, and also did one for SecurityStudio known as the Security Simplified podcast. I am an infosec missionary, so I am a helper and a protector at heart. It's why I volunteer my time to the mentor program. I really believe that we as infosec practitioners have an obligation to go beyond the keyboard and actually provide a protector-level mindset to the work that we do, because ultimately, at the end of the day, we are protecting humans from harm, even though we might do that via risk management and a keyboard. Authored a variety of things, advisor to many. See if we get this trucking along.

00:04:36
Very passionate about your success. So tonight I'm going to give you a couple of pro tips that I used during my journey to getting the CISSP, and tips that I still use today for keeping current with the onslaught of never-ending information. And if you work in infosec long enough, you will come to realize it's not as much what you know now, but as much as you can learn for the next new thing that just came out. Got a soft spot for those who help. On the non-computer side, I am a very analog human. I blacksmith as a hobby. I'm very into Legos, love building Legos; you might see a few of those over my shoulder. But I'm an analog human trying to live a digital life. I'm a believer in Christ, a follower. Jesus is my CEO first and foremost, and then Evan is second to that. I'm a husband, I'm a father, continuous learner, and as many friends have told me, I'm probably the Energizer Bunny in human disguise. You can find me on LinkedIn, you can find me at securitystudio.com or a variety of spots on the internet.
00:05:39
So with that, let's get into the important parts of tonight. See if we can make this work. So some study tips for you guys. Really, you want to study in small amounts. Now, I say that a bit tongue-in-cheek because tonight we're going to be doing anything but, but really, studying in that small 20 to 30 minute kind of chunk and then giving yourself time to digest the information is, I found for myself at least, the best way to retain information. I encourage you to use flash cards and practice test applications. I think the more familiar you are with the topic, and the more you take advantage of those maybe five or ten minute opportunities to study, the more successful you're going to be. Myself, I used the flashcard app. I spent on average probably, I don't know, an hour a day spread out over five and ten minute intervals, just practicing the flash cards, and I found that I actually retained the information a lot better. You're going to want to take a nap after tonight, or really any heavy topic. Our friend Ron has the distinct privilege of teaching you security models next week, and that is a pretty heavyweight topic. I know I always need a nap afterwards. Write things down. There's different parts of your brain; some of us are visual learners, some are auditory learners, some, you know, memorization, example, hands-on, whatever that is, but generally speaking most of us are going to retain information better if we write things down and we repeat them back and say them out loud.

00:07:12
Engage with the Discord, and don't be afraid to exercise and get some fresh air in between study sessions. And even tonight I'll probably work about a five minute break in, for all of our sanity and probably my need to address biologic functions. All right, so moving forward, we're gonna get going. I want to give a big shout out to Brad Nigh for teaching last week. And just in the interest of managing many cameras, I am going to turn mine off here, but I'm still with you, so pretend that you're looking at me. All right, so every week we're going to go through this stuff. It's going to move really quick. Chances are you're probably gonna forget what happened the previous week. I know I forgot what happened even a half an hour ago. Everybody should be finding some time during any break periods or in between classes, as much as reasonable, to get in some study time and just check in with each other and with your mentors in the Discord.

00:08:12
So feel free to answer these questions in the YouTube chat or in the Discord chat, but how many of you have had a chance to actually read through the entirety of domain one and got started on domain two? And then any questions that you may have that have come up since last week?
00:08:30
So, most common questions so far have really been around the Discord channel. Not everybody's in there yet; I think some folks are still maybe missing the invite. If you have not received the invite, please send an email to CISSP Mentor at frsecure.com, and they'll be happy to get you a fresh invite. Session links: I know we've had some issues with the learning platform. I believe we are working through that, and the instructor deck for tonight will be uploaded at the end of this class. Please do also note in the YouTube chat or in the Discord if I'm moving too quickly, need to slow down, or need to speed up. I doubt the latter will be true. So before we get into this, let's talk about, hey, dumb dad joke. So borrowing from our great instructor friend Brad Nigh, I like to do dad jokes as well. So why do skeletons never take any risks? Because they have no guts. Ah, it's terrible, but it's fun.

00:09:29
So here we go, refresher: the definition of information security. And this is our definition, this is the definition for the mentor program. You may have a slightly different definition, but this is the one we go to. So our definition is that information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical, and technical controls. Most organizations overemphasize technical controls; we find that to be the case, and more often than not the most effective control is an administrative control.

00:10:07
All right, just a warning, for those of you that didn't get the heads up in Discord: this is going to be a very long class tonight. There's going to be a lot to memorize. I'm not going to read every word; I am going to glaze over some things. It is expected that you study and that you get to the knowledge level needed in any topic I might glaze over. We have 250 slides to get through tonight. Again, if you need to drop, family obligations, you just can't take in one more bit of information, don't feel bad, please do feel free to do that and follow up with the recording. You have to read the book; most of the content I'm going to cover tonight you're going to need to memorize in order to successfully pass the test.
00:10:48
So, picking up where we left off, just as a good segue and reintroducing the topic before we move on: organizational policies should reflect compliance requirements, okay, and organizational policies should be effective and enforceable. All too often we go into organizations and we find that they have very robust policies that are idealistic in nature, but that the organization itself is unable to actually enforce those policies. If a policy is unenforceable, it is by its very nature ineffective. If a policy is so cumbersome that no one wants to follow it, it is ineffective. So the best advice I can give you when designing policy is to keep it simple, keep it actionable, make it effective and enforceable. You can always add to it later.

00:11:40
So some common security policy and related documents. Again, not going to go through this whole grid on the right-hand side, but the idea is that you have some mandatory policy. Any policy should be very clear on its purpose, its scope, the responsibilities of the policy, any compliance to adhere to the policy. And then we have different types of policies, so we have a program policy, an issue-specific policy, and a system-specific policy. So for example, at a program policy you might say that the privacy program requires certain individuals to be named, or responsibilities and roles. And then at a detailed level, at issue-specific policy, you might have a policy regarding privacy for data classification or what to do in the event of a privacy violation. And then one level down from that you could have a system-specific policy that says systems that contain data subject to privacy compliance must have the following settings configured a certain way, so for example how you would configure an Active Directory group policy or firewall for that particular system.

00:12:51
Not everybody has to know what the details of the policies are. Everyone should know where to find policies, but the policy is specific to the individual or group that the policy applies to. Those individuals do need to know the details, but not everyone else. Here's some examples around procedures. So procedures could be mandatory, generally are going to be mandatory, and can provide that step-by-step guidance. So how do I set up a new system, or how do I configure an Active Directory group, might be something we find in procedures, or how to onboard or off-board a vendor or employee. Standards are going to be, again, mandatory, and they're going to describe a specific use of a technology. So for example, in Windows 11 the standard for accounting computers is going to be these particular settings, or it could be we have a standard that says these are the versions of laptops and software that we use in our environment. Guidelines, they're going to be a little bit looser; they're going to be more recommendation-based and discretionary. Think of them more as advice and advisory. And then baselines or benchmarks, again probably more discretionary, and they're going to provide you a uniform method of implementing a standard.

00:14:19
So back to kind of how do you do the thing. Now what's interesting is these words have very specific meanings and you need to know what they are, but you will find that different industries have different understandings of these words. For example, in K-12, policy is something they consider to be at a school board level, and what we would describe in infosec as a policy they actually consider more along the lines of a guideline. So know that these words do have meanings. You need to know the meanings as they exist, and for the exam you need to know if they are mandatory or discretionary. So it's important to know the difference as to whether they are mandatory or discretionary; that does and has been on the exam.

00:15:05
All right, so here's a little bit of a different look at this, kind of that pyramid hierarchy, for those of you that are visual learners. So you can see that the policy is kind of the why and the when, the standards are going to be the what, the procedures the who and the how, and the guidelines are kind of an FYI, and then baselines really are your minimum level, okay, bare bones. All right, everybody with me so far?
00:15:32
So now we're going to dive in, picking up where we left off last week. We're going to get into the business continuity planning overview and process. So business continuity is a key part of disaster recovery planning, but they are very different. They are very different; they're completely separate, actually. Continuity is about how I'm going to maintain operations in the midst of a disaster, and disaster recovery is what am I going to do to recover from the disaster. A quick example from the physical world is, in a hurricane, continuity planning would be making sure I have food, water, and my windows have been properly protected with plywood. My continuity plan for the hurricane is I'm going to hunker down and I'm going to have adequate supplies and battery backups and all that, and I'm going to weather the storm. Where disaster recovery, for example, could be, in the same analogy, clearing the trees and debris from my yard and repairing my roof and restoring my home back to a regular non-hurricane status.

00:16:41
So the idea of business continuity is how do we keep the business operating before, throughout, and to a certain degree just after the disaster has been experienced. The focus of the continuity plan is going to be on the business as a whole. So this is everything; this is shipping and receiving. This isn't just technology; it's up to and including how are we going to feed people, where are we going to house people, do we have phone lines and adequate transportation for them. All of these things could fall within a continuity plan. A continuity plan is going to provide you that long-term strategy, so it is intended to be kind of a long-term strategy plan, and it's going to take care of your people, process, as well as systems and data.

00:17:30
So there's some terms and definitions within a continuity plan that we need to know. One of them is the business continuity plan. What is it? Well, it's a long-term plan to ensure the continuity of business operations. Now there's a continuity of operations plan, or a COOP, which is a plan to maintain operations during a disaster. So there's business operations, and then there's just standard operations. So for example, you could maintain operations of a manufacturing production line but have your sales team disabled, right? Your sales team's not able to do their job; they're not part of this operations plan, they're part of the business continuity plan. Depending on how your organization has implemented it, you could have an operations plan that is separate from the continuity plan, or they could be one and the same.

00:18:21
Disaster is going to be any disruptive event that interrupts normal system operations. So I like to think of a disaster as many things that kind of interrupt normal operations. A personal disaster for me would be choosing the food truck that I've never eaten at before, and maybe later that day my normal system operations are interrupted. I'm going to have a disaster recovery plan; this is going to be my short-term plan to recover from the disruptive event, and we'll cover more of that in chapter seven. But this is what am I going to do to get back to normal operations.

00:18:57
In order to properly identify, analyze, and prioritize the business continuity, I'm going to need to know some things. There's some more terms and definitions, but one of the things I'm going to need to know is what is a critical business function. While we want to think that every function of the business is critical to its operations, the reality is it is not. There's a lot of things we can get by without, but there are some things that we absolutely have to have, and those things would be critical business functions. So we have to figure out within the business what that is for that business; they will vary depending on the nature of the business.

00:19:33
We're gonna do a business impact analysis. So this is us analyzing the impact of an interruption over time. So if we have a disruption, what is the impact of that over time? Maybe in the first five minutes it's not that big of a deal, but if it goes on for two weeks, it's something that's very negatively impacting the business. Which leads us to some other metrics that are important to know, which is maximum tolerable downtime. So this is the total length that any critical business function can be unavailable. Basically, at the end of that maximum tolerable downtime we are now ceasing to be able to be a business. We have reached a point of criticality where it's so bad that it's kind of shut down shop and move on to something else. So everything we do in planning is to address before that time hits. So we do all of our recovery strategies and everything around a timetable that is less than the maximum tolerable downtime.

00:20:36
We have the maximum acceptable outage, or the MAO, and this is the total length of time that any particular critical business function can be unavailable. So for example, we might have all other parts of the business working fine, but if our sales organization is down, there's a certain amount of time where they need to be back up and running, and so that time is going to be that maximum acceptable outage.

00:21:01
We're going to also have our recovery time objective. So this is the maximum time to restoration of minimum service expectations. Now this is not a complete recovery; this is an important distinction to make. This is a minimum amount of service restoration, just enough to start to begin to get by, and this needs to be less than the MTD. So as we learned before, that maximum tolerable downtime, kind of that hard stop number; our recovery time objective must be less than that. Recovery time objective is when we would like to be back on our feet enough that we can start to begin normal operations, but there's still a window there where we're still restoring to normal operations.

00:21:48
We have a recovery point objective. This is how much data are we comfortable losing over a given time period. So for example, if the system made a backup five minutes ago and the system fails, we've had a five minute loss of data. If the backup was made last night and the system fails now, we could have a 24 hour plus loss of data. We need to understand for every data source within the business, and the overall business, what is that recovery point objective. And you can have different RPOs on different data sets; not every data set will have the same RPO, not every system. Not testable, but a couple acronyms to know is OMG, so that's the feeling you're going to have as you execute the business continuity plan, and FML will be what you shout out loud if you forgot to print out your business continuity plan. And you will find that I try to keep things a little bit light. Another acronym to know, HELP, right? So acronym soup; if this is new to you, get used to it. This is it in security through and through. We love our acronyms, so memorize them and know them well.

00:23:06
All right, moving on. So let's look at a visual here. So I made reference earlier to kind of when a backup was made. So if we look here, we like to call this the boom event. This is the disaster, the little starburst-looking thing. Anything that happens between the backup and the disaster is considered data loss, so this is our RPO window that we want to plan for. Anything after the disaster and prior to the expected recovery is the downtime, so this is our recovery time objective; we want to try to get back up by here. And then the maximum tolerable downtime is where significant harm begins to happen to the business or the process. So this is our last stop, last chance to get things back up on their feet before we start to experience real consequences.
00:23:59
so in order to begin this journey of
00:24:02
planning a continuity plan we must first
00:24:05
conduct a business impact analysis so
00:24:07
this is a formal method for
00:24:10
um how the disruption of any particular
00:24:14
cyst to any particular system could
00:24:17
impact the organization this could
00:24:19
include non-cyber related events this
00:24:22
could be a you know natural disaster a
00:24:24
tornado comes through you know how are
00:24:26
we going to deal with the loss of that
00:24:28
system and the causes of that could be
00:24:31
several different things we're going to
00:24:33
and run an analysis we're going to
00:24:35
identify and prioritize critical I.T
00:24:37
systems and their supporting components
00:24:41
the results of the business impact
00:24:44
analysis will allow the business
00:24:46
continuity planning and Disaster
00:24:48
Recovery planning project managers
00:24:51
to fully characterize the I.T
00:24:53
contingency requirements and priorities
00:24:58
so uh I can assure you you need
00:25:01
management support for any of these
00:25:03
activities uh you're going to be asking
00:25:05
people for their time you're going to be
00:25:07
asking people
00:25:08
uh drive you a lot of detail so in order
00:25:10
to to justify that managerial support is
00:25:14
absolutely needed uh and they must agree
00:25:16
to any plan that you uh create they must
00:25:20
support this the action items in the
00:25:23
plan uh so they can't just say yeah we
00:25:25
support the plan uh but they don't know
00:25:27
what's in it they actually have to
00:25:28
support at a detail level uh the plan is
00:25:31
going to refer to specific roles and
00:25:33
titles uh and those folks need to be
00:25:35
aware of their role in this plan and
00:25:38
must agree to it they have to have
00:25:40
enough power and authority to speak on
00:25:43
behalf of the organization as a whole
00:25:45
and they need to be able to interact
00:25:47
with outside media now these may be
00:25:49
different folks within your plan or one
00:25:51
person but bottom line you've got to
00:25:53
have it
00:25:54
they management has to be part of it and
00:25:57
they have to be high enough up in the
00:25:59
organization to be able to commit
00:26:00
resources AKA they have to have budget
00:26:03
Authority
00:26:05
you're going to develop and document and
00:26:07
scope the plan so what you're going to
00:26:10
do here is you're gonna you're gonna lay
00:26:12
out in great detail what assets are
00:26:15
protected by the plan uh which emergency
00:26:17
events will the plan be able to address
00:26:21
so you know severe weather cyber event
00:26:23
fire
00:26:25
um
00:26:26
Rogue pack of puppies running through
00:26:28
the data center whatever it may be
00:26:30
you're going to look at what is in and
00:26:32
out of scope for the plan and then after
00:26:35
the sea level signs off on it and you
00:26:38
get input from the rest of the
00:26:39
organization then you can get to the
00:26:41
detail level of the specific objectives
00:26:44
and deliverables
00:26:46
so objectives are generally uh created
00:26:49
as if then statements for example if
00:26:53
there's a hurricane then the employee
00:26:55
the organization will enact you know
00:26:57
plan hurricane uh they will then
00:26:59
activate the physical relocation and
00:27:01
employee safety plan
00:27:03
um for example here plan H is unique
00:27:19
any subplan so if you have a parent plan
00:27:22
you need to have all the children plans
00:27:25
as part of that as well an objective
00:27:28
here would be to create the plan have it
00:27:30
reviewed by all members of the
00:27:32
organization by a defined date and then
00:27:35
the objective will have several
00:27:37
deliverables required to complete to
00:27:40
fully create and vet the plan for
00:27:42
example documents are drafted you've had
00:27:44
some meetings around it maybe conducted
00:27:46
a tabletop exercise uh so on and so
00:27:49
forth
00:27:51
executive management must ensure that
00:27:54
support is given uh so they they
00:27:56
executive management is responsible for
00:27:59
initiating uh any support for the plan
00:28:02
they must support initiating it so hey
00:28:05
boss we think we need to activate the
00:28:07
plan uh you go with that yes I am all
00:28:10
right let's go uh they also need to
00:28:12
support the final approval of the plan
00:28:14
uh so any uh changes that are made to it
00:28:18
any any you know final additions but
00:28:21
once the plan is considered complete uh
00:28:23
management does need to sign off on that
00:28:25
and executive management must
00:28:26
demonstrate due care and due diligence uh
00:28:29
and be held liable under the applicable
00:28:32
laws and regulations uh that are called
00:28:34
out as part of that
00:28:37
so some of the example scope for a
00:28:40
continuity plan
00:28:41
is the critical business functions right
00:28:43
going through identifying what are they
00:28:45
the threats the vulnerabilities and the
00:28:48
risks uh posed to the business or to the
00:28:51
system uh data backups and Recovery you
00:28:54
know what does that plan look like uh
00:28:56
who are the Personnel that'll be
00:28:58
responsible uh for participating and
00:29:00
executing the continuity plan and the
00:29:03
communications of that plan and and
00:29:06
believe it or not uh actually testing
00:29:09
the plan uh this one that was added uh
00:29:12
while it's not in the book uh well maybe
00:29:15
it is now but either way test the plan
00:29:17
if it is in the book let me tell you
00:29:19
many many people don't test their plans
00:29:21
print your plan test your plan I don't
00:29:25
know if you'll be tested on that uh in
00:29:27
the cissp exam but you will be tested on
00:29:29
that if you ever actually need these
00:29:31
things in real life
00:29:34
all right so people uh people are a huge
00:29:37
part of this it's kind of the beginning
00:29:39
and end of the whole process number one
00:29:42
always without exception and this is
00:29:44
testable on the exam
00:29:46
human life and safety trumps everything
00:29:49
always without exception lock that away
00:29:52
in your brain now and remember it
00:29:54
forever it always starts with human
00:29:56
safety and then moves on from there uh
00:29:59
people are defined as any living human
00:30:01
being that may be affected by the event
00:30:04
so regardless of how an individual human
00:30:07
being may be described they are all part
00:30:11
of this is should they be affected by
00:30:13
the event you're going to need to
00:30:14
understand what notifications and
00:30:16
Communications you're using it is highly
00:30:18
advisable to use multiple methods of
00:30:20
communication what we would call
00:30:22
out-of-band or in-band Communications
00:30:24
for example if the Cyber criminals are
00:30:27
in your email business email compromise
00:30:30
and you're using that same email system
00:30:33
to communicate your strategies for
00:30:35
kicking the bad guys out that could be a
00:30:39
problem so you're going to want to use
00:30:40
alternative methods and multiple methods
00:30:43
you're going to need to be able to keep
00:30:45
people working a lot of times we forget
00:30:47
about feeding our humans we need to make
00:30:50
sure that we have places for them to
00:30:51
work food to eat equipment to do the
00:30:54
work on internet access we're going to
00:30:56
provide regular updates to leadership
00:30:58
and we may need to notify external
00:31:01
parties
00:31:02
so as we look at our processes uh and we
00:31:06
say Okay within the continuity processes
00:31:08
we have to ask ourselves what resources
00:31:10
do we need available so what is that
00:31:12
list of resources what kind of critical
00:31:14
supplies might we need for a given
00:31:16
scenario computers power internet
00:31:20
um hand carts to move things around
00:31:22
how are we going to maintain critical
00:31:24
operations so if we understand the
00:31:27
critical business functions we then
00:31:29
understand the critical operations that
00:31:31
support those functions we should be
00:31:33
able to figure out what they are and
00:31:35
then we look at creative ways to
00:31:37
maintain them pen and paper a lot of
00:31:39
times still very viable
00:31:41
we're going to need to coordinate
00:31:42
Logistics we're going to have to move
00:31:44
people and systems and things around so
00:31:46
somebody's going to need to
00:31:48
excuse me have to account for Logistics
00:31:50
we need to make sure that we have
00:31:52
continuously available resources people
00:31:54
will get tired people will get strained
00:31:57
and stressed you're going to need to
00:31:58
rotate humans if the event is going on
00:32:00
long enough so we need to be thoughtful
00:32:03
about that and bake that into our
00:32:05
continuity processes we'll talk more
00:32:07
about recovery sites in chapter seven uh
00:32:10
but they're they come in three main
00:32:11
flavors hot warm and cold hot is ready
00:32:15
to go warm takes a little time to get
00:32:17
ready to go and cold is going to take
00:32:20
the longest those also run in order of
00:32:23
cost hot being the most expensive and
00:32:25
cold being the least you're going to
00:32:28
need to test and update
00:32:29
during continuity uh make no assumptions
00:32:32
always test and always update and this
00:32:34
applies to the plans as well you need to
00:32:37
form a team to do the project planning
00:32:40
so the team should be comprised of
00:32:43
personnel that will actually have
00:32:44
responsibilities during an emergency
00:32:46
scenario should it have stakeholders
00:32:49
from across the organization and should
00:32:51
be focused on identifying who
00:32:53
needs to play What specific role during
00:32:55
a specific emergency and again these are
00:32:58
going to be scenario based plans so
00:33:00
hurricane versus cyber I will tell you
00:33:04
you can have both be true at the same
00:33:07
time there are instances where a severe
00:33:10
weather event coincided with a network
00:33:13
outage or a cyber event and you may need
00:33:16
to activate several simultaneously so
00:33:19
having your humans well versed in these
00:33:22
plans very important you're going to
00:33:23
need people from HR you're going to need
00:33:25
PR, IT, physical, line managers, really any
00:33:29
essential Personnel that's going to be
00:33:31
needed for the continuity of the
00:33:33
business functions
00:33:35
Tech is going to plan our Tech is going
00:33:38
to plan haha Tech is going to fail and
00:33:40
you need to plan for it
00:33:42
um everything ultimately will break
00:33:44
everything ultimately will break down uh
00:33:47
people process and Technology but
00:33:49
specifically technology is going to fail
00:33:52
you've got to have some kind of plan so
00:33:54
traditionally having backups whether
00:33:57
that's backup Hardware backup data you
00:33:59
know it's the number one way that we've
00:34:00
addressed this risk so backups are good
00:34:02
to have redundancy is good to have uh
00:34:05
your continuity plan needs to account
00:34:07
for redundant Services Power Water Telco
00:34:10
internet a lot of times we've got great
00:34:13
uh continuity strategies for the server
00:34:15
but we forgot about the underpinning
00:34:17
infrastructure we need multiple
00:34:19
locations for those backups uh on-prem
00:34:21
you know if a tornado comes through and
00:34:23
wipes out the office well there goes our
00:34:25
backups so we need on-prem we need Cloud
00:34:27
we need multiple secured redundant
00:34:29
locations
00:34:30
when you do account for external
00:34:32
disasters
00:34:34
um you know a bank goes under and ISP is
00:34:37
unavailable, SaaS provider is under attack
00:34:40
and not able to deliver Services how do
00:34:43
we account for those external disasters
00:34:45
and then again test and update and yes
00:34:48
the cloud the mystical magic Cloud can
00:34:51
go down does go down has gone down and
00:34:54
will go down again
00:34:56
plan for it
00:34:58
humans are going to be your biggest part
00:35:00
in information security folks need to
00:35:03
know what they're doing and why so
00:35:04
clearly Define uh roles and job
00:35:07
descriptions help simplify security
00:35:09
helps keep everybody on task uh we're
00:35:12
going to need process and procedures in
00:35:14
place for verifying backgrounds
00:35:16
we're going to look at things at like
00:35:17
education work history criminal record
00:35:19
credit records so on and so forth uh
00:35:22
references in social media
00:35:24
the higher the sensitivity of the
00:35:26
position the deeper and more
00:35:29
comprehensive the background
00:35:30
investigation could generally be for
00:35:33
example when hiring a Chief Financial
00:35:35
Officer you're probably going to want to
00:35:37
dig a little bit more into their
00:35:38
financial history than you would say a
00:35:41
shipping and receiving clerk uh you're
00:35:44
going to need very clear policies on the
00:35:46
use of social media and Business Systems
00:35:48
and I would even put in here ChatGPT
00:35:51
right any time we're interacting with
00:35:55
systems uh in a business capacity we
00:35:58
want very clearly defined policies about
00:36:00
the rules for engaging with those
00:36:03
systems we always want to verify before
00:36:05
granting access to sensitive data just
00:36:08
because someone says they need it does
00:36:10
not automatically mean they are allowed
00:36:12
to have it
00:36:15
generally employment Agreements are
00:36:17
going to be set up
00:36:18
and they're going to put in some
00:36:20
stipulations the employees going to
00:36:22
abide by most if not all of us have
00:36:24
signed some form of this and it includes
00:36:27
generally things like non-disclosure
00:36:28
non-compete, code of conduct,
00:36:31
conflict of interest disclosures
00:36:33
acceptable use employment policies
00:36:35
equipment use and remote worker uh
00:36:38
provisions
00:36:40
each stage of employment does have a
00:36:43
related security component so onboarding
00:36:46
onboarding is generally going to set
00:36:48
tone so this is your chance to get good
00:36:51
security habits going with that
00:36:53
individual even if maybe previously you
00:36:56
didn't have a good training in place
00:36:58
your next new hire is a great place to
00:37:01
start doing it different
00:37:03
you're going to have process for training
00:37:04
them on secure habits for the security
00:37:06
awareness this should not be my opinion
00:37:09
be an annual thing but an ongoing thing
00:37:11
you're going to have additional training
00:37:13
for employees who are higher or more
00:37:15
likely higher level in the organization
00:37:17
are more likely to be the target of an
00:37:19
attack uh so this is going to be your C
00:37:21
Level your financial people their uh
00:37:24
supporting admins uh process uh for
00:37:28
reporting security incidents now in my
00:37:29
personal opinion this is number one uh
00:37:32
the faster the staff can can let
00:37:34
somebody know that something's going on
00:37:36
or something's funny the higher the
00:37:38
likelihood that you can get ahead of it
00:37:40
and potentially contain it before it
00:37:43
spreads any wider so I I put a high
00:37:45
value on that you're going to need roles
00:37:48
and responsibilities for you know how an
00:37:51
employee secures their work area and
00:37:53
systems you're going to have data
00:37:55
classification awareness and monitoring
00:37:57
uh and you know a really helpful tip
00:38:00
here letting employees know their
00:38:02
actions actually make the difference
00:38:04
both good and bad it's surprising how
00:38:07
many employees don't know that their
00:38:10
actions digitally have a direct impact
00:38:12
on the business
00:38:14
uh we might transfer employees across
00:38:17
departments we may get a promotion we
00:38:19
may get a promotion demotion uh whatever
00:38:23
it is uh folks move around and we're
00:38:25
going to need a clearly defined process
00:38:27
for that transfer role for those of you
00:38:30
that have been in the business a while
00:38:31
you've probably seen this where
00:38:33
someone's bedded in a company for 10 15
00:38:35
years and they have access to everything
00:38:37
they've ever touched ever and that is a
00:38:40
direct result of not having a clearly
00:38:43
defined process for the transference of
00:38:46
that role you're going to want to
00:38:48
review employee access
00:38:50
you know is is this new role still
00:38:52
require previous access is there new
00:38:54
access we need to give you how do we
00:38:56
handle that transition there's going to
00:38:59
be a period of transition where you know
00:39:01
they may need to retain previous access
00:39:04
as part of an onboarding of their
00:39:06
replacement but we need to clearly
00:39:08
Define when that cut off is going to
00:39:10
occur we need to enforce least privilege
00:39:13
so this is only giving them access what
00:39:16
they need to at the absolute minimum in
00:39:19
order to do their job
00:39:21
we're going to need to account for
00:39:22
legacy needs you're going to find this
00:39:24
in smaller orgs more often but it does
00:39:27
exist in larger orgs as well and
00:39:29
sometimes Legacy systems aren't as
00:39:32
easily secured or maintained so we need
00:39:34
to understand what that is there's also
00:39:37
the temporary access filling in for
00:39:39
somebody when they're out sick or
00:39:41
covering for somebody when they're on an
00:39:43
extended leave so we need good process
00:39:45
around how we're going to handle that
00:39:49
uh we have uh termination and it comes
00:39:51
in two main flavors voluntary and
00:39:53
involuntary so voluntary is a planned
00:39:56
event and this is testable so know this
00:39:58
uh planned event generally it's going to
00:40:01
be about a two-week planned event
00:40:03
sometimes longer occasionally a little
00:40:06
bit shorter but it's a known event it's
00:40:08
an event we can plan for generally this
00:40:11
is someone leaving the organization
00:40:12
either due to retirement or moving on to
00:40:15
their next role in life either way it's
00:40:17
most certainly good terms and something
00:40:19
we know is coming in this case we can
00:40:22
follow a standard checklist
00:40:24
and just make sure we've recaptured any
00:40:26
equipment Badges and that we
00:40:29
de-provision any access they have
00:40:32
um involuntary separation on the other
00:40:34
hand is generally an unplanned event and
00:40:38
therefore threat must be assumed uh
00:40:40
folks that surprise come in to find out
00:40:43
they're no longer employed tend to react
00:40:45
poorly and we need to assume that that
00:40:49
threat is present and act accordingly an
00:40:52
unplanned separation or involuntary
00:40:54
separation is going to move very quickly
00:40:56
we need to be very tightly coordinated
00:40:59
with HR and management it's going to be
00:41:02
emotional for everyone including the
00:41:05
practitioner I I've personally lived
00:41:07
through having to disable accounts for
00:41:09
people that were friends I have
00:41:11
witnessed others have to do this it is
00:41:13
emotional respect that
00:41:15
plan for that it's going to suck for
00:41:17
everybody so the better we can Embrace
00:41:20
this as humans and and understand that
00:41:22
you know the job's got to get done but
00:41:24
also like we're not robots or Monsters
00:41:26
the easier it's going to be for
00:41:28
everybody and the more likely folks will
00:41:30
follow the process
00:41:31
uh whenever possible try to recover any
00:41:34
equipment again if it is an involuntary
00:41:37
separation you may need to potentially
00:41:39
run forensics depending on the nature of
00:41:42
what led up to that involuntary
00:41:44
separation uh remaining staff need to be
00:41:47
informed of this termination and the
00:41:49
loss of a of access
00:41:52
um the example here is you know don't
00:41:54
reset the password for Evan right
00:41:57
um but it's it's because uh if folks
00:42:00
don't know well then the sys admin who
00:42:03
has the ability to restore the account
00:42:04
might get an email that says oh hey I
00:42:06
got locked out of my account can you
00:42:08
reset that for me and they do so not
00:42:10
knowing that that particular employee uh
00:42:13
has been involuntarily separated and
00:42:15
should be considered an Insider threat
00:42:17
uh we want to have a process for
00:42:21
reporting attempted access so again not
00:42:24
not that we feel bad about the person
00:42:26
not that we're we're saying everyone
00:42:28
that is is like oh uh immediately turns
00:42:30
into a hostile threat but we have to
00:42:33
assume they can and act accordingly and
00:42:36
so an Insider threat program should be
00:42:38
established and adhered to and any
00:42:41
attempts by the terminated employee to
00:42:43
regain access or login attempts uh
00:42:46
picked up in in monitoring is something
00:42:49
that we need to be very aware of and
00:42:50
take appropriate action on
00:42:54
uh we are going to uh also enforce these
00:42:58
things upon our vendors our consultants
00:43:00
and our contractors we're going to do
00:43:02
this through the agreements we have in
00:43:04
place and the controls that we enforce
00:43:06
so vendors consultants and contractors
00:43:08
should be signing agreements uh that are
00:43:10
supportive of the security controls we
00:43:12
want to have in place this should
00:43:14
include non-disclosure agreements uh
00:43:16
policies that support monitoring and
00:43:18
access uh by third parties so
00:43:22
we want to keep a tight eye on that we
00:43:23
want to have policies that require
00:43:25
secure connections with third parties
00:43:27
all too often I I see that a third party
00:43:30
has wide open access to the firewall and
00:43:33
there's there's no requirement of
00:43:35
enforcing a secured connection so that
00:43:37
is something we want to look for we want
00:43:39
to make sure that we have all necessary
00:43:41
policies for enforcing any compliance
00:43:43
requirements uh this would be any
00:43:46
regulatory or legal uh issues we want to
00:43:50
have the same for any privacy
00:43:51
requirements so covering things such as
00:43:54
how data is collected what data is
00:43:56
collected and how it can be used also
00:43:59
how not to use it, store it, or maintain it
00:44:02
so we want to have those rules clearly
00:44:04
laid out
00:44:06
we are also going to want to have some
00:44:08
type of sign off by the employee vendor
00:44:11
contractor Etc that they acknowledge
00:44:14
understand and will comply with the
00:44:17
company policies and regulations uh and
00:44:20
this is a common practice so that was a
00:44:22
whole lot there to go through how about
00:44:24
another dad joke
00:44:27
what is the best way to catch a runaway
00:44:30
robot
00:44:32
use a botnet
00:44:35
all right are we tracking well on
00:44:38
Cadence and Pace if the instructor
00:44:41
helpers could let me know in the Discord
00:44:43
I'd appreciate and I'll keep rocking and
00:44:46
rolling risk management is going to give
00:44:48
us a structure for making our security
00:44:51
decisions so if we look at this Venn
00:44:53
diagram we can see that risk lives at
00:44:55
that sweet intersection of threat asset
00:44:58
and vulnerability where those three
00:45:01
intersect and overlap most evenly is
00:45:04
where risk is going to exist so let's
00:45:06
talk about those terms for a second
00:45:08
because information security is risk
00:45:11
management that's what we're doing here
00:45:14
um
00:45:15
and so let's talk about some of these
00:45:16
terms so risk is the exposure of someone
00:45:21
or something valued to Danger harm or
00:45:25
loss uh I walk through my living room at
00:45:28
late at night with the lights off and
00:45:30
the coffee table got moved I'm at risk
00:45:33
of stubbing a toe uh because I've got my
00:45:36
toe exposed to Danger right and if I hit
00:45:38
it hard enough I might even lose it
00:45:40
let's hope not but that is a risk an
00:45:43
inherent risk is the risk present before
00:45:45
any controls are applied so I didn't
00:45:48
move the coffee table some other family
00:45:49
member did I have an inherent risk of
00:45:51
hitting it uh residual risk is uh I
00:45:56
don't learn my lesson and I just go
00:45:58
swaggering through my living room in the
00:45:59
dark every night the residual risk is
00:46:01
that even if the coffee table is moved
00:46:03
there's still a level of risk that
00:46:05
remains so to say that in computer terms
00:46:07
you know risk is
00:46:09
I've got a machine that's uh got a
00:46:12
vulnerability and it's exposed to the
00:46:14
internet now the inherent risk is any
00:46:16
machine on the Internet is is
00:46:18
potentially a target for an attacker the
00:46:21
residual risk is is that that machine
00:46:24
after I've patched it and I've put it
00:46:26
behind a firewall and I've secured it as
00:46:29
much as I can uh is still technically
00:46:32
accessible via the Internet uh I have
00:46:35
that residual risk so it's risk I cannot
00:46:38
get rid of uh there is no such thing as
00:46:41
complete risk elimination it does not
00:46:43
exist there will always be some level of
00:46:47
residual risk
00:46:49
another unique term here to know is
00:46:51
threats so threat is the is a negative
00:46:54
event leading to a negative outcome so
00:46:57
fire natural disaster disgruntled
00:46:59
employee uh you know cyber criminal
00:47:02
trying to get some Ransom or my favorite
00:47:04
The Click happy employee right these are
00:47:07
all examples of threats
00:47:10
vulnerability or vulnerabilities will be
00:47:13
a weakness or a gap in a system that
00:47:16
might be exploited uh for example
00:47:18
unpatched software this is the number
00:47:20
one place vulnerabilities come from
00:47:23
number two place is weak access control
00:47:25
mechanisms having that default password
00:47:28
still in place or having you know my
00:47:31
password as your password or password
00:47:33
password one one two three four five
00:47:35
right weak Access Control
00:47:37
uh you could have a faulty fire
00:47:39
suppression system that could be a
00:47:41
vulnerability increasing uh the the
00:47:43
impact of fire should it occur you could
00:47:46
have a security unaware employee so an
00:47:49
employee is just is completely unaware
00:47:52
of of security in that case that could
00:47:54
be a vulnerability
00:47:57
all right assets asset is anything of
00:48:00
value okay an asset value can be valued
00:48:03
as as a quantitative uh so this is this
00:48:06
is a cost or market value or qualitative
00:48:10
the relative importance to you or your
00:48:12
organization I strongly encourage
00:48:15
everyone to take a qualitative approach
00:48:17
to asset valuation
00:48:19
if you look at the cost of the laptop as
00:48:21
just that a hard financial cost uh you
00:48:24
are probably not going to be able to
00:48:26
contextualize the True Value to the
00:48:29
business so uh you want to take a
00:48:31
quantitative approach but you also want
00:48:33
to take it qualitative and when talking
00:48:35
to leadership qualitative is generally
00:48:37
going to be the more meaningful number
00:48:40
uh here's a visual for you on kind of
00:48:43
what is an asset well an asset could be
00:48:45
Hardware software cloud data third
00:48:47
parties iot the list goes on again it's
00:48:50
anything uh the business considers to
00:48:53
have value
00:48:55
so humble brag uh this is the one time I
00:48:59
get to talk about security studio uh
00:49:01
security studio is a risk assessment
00:49:02
platform this is what we do we help to
00:49:05
take organizations through the risk
00:49:08
assessment process from identification
00:49:09
analysis evaluation and treatment all of
00:49:12
that and a bag of chips and our platform
00:49:15
so these are the phases that we go
00:49:18
through because you cannot eliminate
00:49:19
risk so Step One is what do I have what
00:49:21
go through the identification phase then
00:49:24
now that I've kind of figured out what
00:49:25
those risks are what do they really mean
00:49:28
to me so I start to do that analysis on
00:49:30
them I figure out kind of likelihoods
00:49:32
and impacts once I've understood that I
00:49:35
go through the evaluation process and
00:49:37
that is looking at okay if I have 10
00:49:41
risks but I can only maybe address some
00:49:45
of them or I don't have enough budget to
00:49:47
fully address all of them I start making
00:49:49
these decisions and then ultimately from
00:49:52
that I begin to apply the treatments do
00:49:55
I mitigate it do I that's you know
00:49:57
reduce the risk do I transfer the risk
00:50:00
push it back on a vendor or push it
00:50:02
back to an insurance do I accept the
00:50:04
risk there's nothing I can do about it
00:50:06
you know what are my what are my
00:50:08
treatments this is an example of what
00:50:10
the risk assessment looks like in the
00:50:13
studio platform this is how we do it no
00:50:16
matter how you do a risk assessment it
00:50:18
is the foundation of all security
00:50:20
programs and is the number one place
00:50:23
that I start after going through the
00:50:25
people right first I identify the humans
00:50:27
and the very next thing I do is start
00:50:29
looking at risks
00:50:32
so risk identification generally is
00:50:34
going to come in the form of asset
00:50:35
Discovery what do I have what Hardware
00:50:38
what software what networks what humans
00:50:40
what data I'm then going to do some kind
00:50:42
of valuation on that I'm going to do the
00:50:44
business value uh on that particular
00:50:47
asset looking for myself when I do it I
00:50:50
look at that total cost of ownership I
00:50:52
look at that overall true uh qualitative
00:50:55
uh business impact I'm going to do the
00:50:58
classification you know how sensitive is
00:51:01
this particular system and how critical
00:51:04
is a system to the business you know can
00:51:06
I can I live without it the better I do
00:51:08
my risk identification the easier my
00:51:11
continuity planning Disaster Recovery
00:51:14
planning really the easier my entire
00:51:17
risk management program becomes so I
00:51:21
want to do this this part really well
00:51:23
I'm going to look at any vulnerabilities
00:51:25
or threats that may exist to the asset
00:51:28
I'm going to do a vulnerability
00:51:30
assessment now
00:51:31
this is covered more in chapter six uh
00:51:34
the vulnerability assessment paired with
00:51:36
a threat analysis is really good
00:51:39
vulnerabilities alone though are not the
00:51:42
end-all be-all risk and we we frankly
00:51:44
have taken an overly technical approach
00:51:46
to risk uh which has left most
00:51:48
organizations more vulnerable than if
00:51:51
they would have taken a more holistic
00:51:52
approach so remember that vulnerability
00:51:54
assessment is very important but so is a
00:51:56
threat analysis the goal of risk
00:51:58
analysis is to evaluate How likely the
00:52:01
identified threats are to be able to
00:52:02
exploit the weaknesses or the
00:52:04
vulnerabilities right just because I
00:52:06
have a vulnerability if it's incredibly
00:52:09
hard to exploit it it might not
00:52:11
represent as impactful of a risk as
00:52:13
something else that is easier to exploit
00:52:17
um
00:52:18
that that maybe is is not as uh doesn't
00:52:21
rank as high in the vulnerability chart
00:52:23
so to make the evaluation we're looking
00:52:25
at two key factors the likelihood
00:52:27
probability the event is going to occur
00:52:29
and the impact so how bad would it be if
00:52:32
it occurred so risk is threat times
00:52:34
vulnerability otherwise known as
00:52:36
likelihood and impact
00:52:38
and another way to look at that is
00:52:39
threat times vulnerability times impact
00:52:42
right so I like to look at the the last
00:52:43
one and say risk is the threat the
00:52:46
vulnerability and the actual impact to
00:52:49
the business and as a reminder as always
00:52:52
human life trumps everything
00:52:55
so risk analysis can be qualitative
00:52:57
based on professional opinion high
00:52:59
medium low can be quantitative based on
00:53:02
actual values dollars a pure
00:53:05
quantitative analysis is is nearly
00:53:07
impossible there's just not enough data
00:53:10
um and there's there's just a lot of
00:53:12
subjectivity there uh you're going to
00:53:15
use a risk analysis Matrix which is a
00:53:17
quantitative risk analysis table uh and
00:53:20
on one side it's going to be likelihood
00:53:22
and the other impact so we'll take a
00:53:24
look at what that is so here you can see
00:53:26
the probability of a risk occurring on
00:53:29
the left-hand column there and on the
00:53:31
bottom columns you can see the impact if
00:53:33
it did
00:53:35
in my career very rarely have I ever
00:53:38
gotten out of the red
00:53:39
if you start getting into those yellows
00:53:41
you are doing really really well
00:53:43
realistically you're going to live in
00:53:46
the upper quadrant
00:53:48
um right here this is going to be kind
00:53:50
of where you spend the majority of your
00:53:52
life when it comes to managing risk if
00:53:58
we're down here in the yellows again
00:53:59
it's you know we're talking unlikely uh
00:54:02
rare occurrences lower impacts you'll
00:54:06
have enough here every day to keep you
00:54:08
busy for a whole career
00:54:11
all right more terms hopefully you guys
00:54:13
are enjoying the terminologies so
00:54:16
quantitative it's going to be based on
00:54:17
those real values and dollars and
00:54:19
remember earlier I said you have to
00:54:21
memorize this stuff these are all
00:54:23
testable terms
00:54:25
so go back re-listen to the video write
00:54:28
these things down on Post-it notes stick
00:54:30
them up in your bathroom whatever you
00:54:32
need to do but memorize these these
00:54:34
terms
00:54:35
quantitative is based on real value in
00:54:38
dollars and is pure qualitative is is
00:54:41
you know an analysis
00:54:43
um and there's just not enough not
00:54:44
enough data there asset value
00:54:47
so what is the fair market value for the
00:54:50
asset
00:54:51
your exposure Factor so that's the
00:54:54
percentage of asset loss during an
00:54:56
incident or threat occurrence
00:54:59
you've got your single loss expectancy
00:55:01
so that's how much I can expect to lose
00:55:04
in a singular event of this loss type
00:55:08
then I gotta look at my annual rate of
00:55:11
occurrence so how many times a year do I
00:55:14
think this thing might happen and then
00:55:16
that'll inform me on my annualized loss
00:55:18
expectancy so if you notice that the SLE
00:55:21
is taking the asset value and timesing
00:55:24
it by the exposure Factor
00:55:26
and then the annualized loss expectancy
00:55:29
or the ALE is looking at the SLE times
00:55:33
the annual rate of occurrence so how
00:55:36
much per single event times how many
00:55:38
events per year if the ALE exceeds the
00:55:42
TCO welcome to acronym soup total cost
00:55:45
of ownership uh then there's considered
00:55:48
to be a positive return on investment or
00:55:50
an ROI
00:55:52
or a ROSI, a return on security
00:55:54
investment
00:55:57
all right more terms and definitions to
00:55:59
memorize risk risk is the likelihood of
00:56:01
something bad happening and the impact
00:56:04
if it did
00:56:05
annualized loss expectancy is that single
00:56:09
loss due to a risk over a year
00:56:13
Safeguard or control is going to be the
00:56:15
measure that you've taken to reduce the
00:56:17
risk
00:56:18
total cost of ownership is the total
00:56:21
cost of the Safeguard or control and the
00:56:24
return on investment is money saved by
00:56:27
deploying a safeguard
00:56:30
so I like ROSI right return on security
00:56:33
investment
00:56:38
all right
00:56:39
send baby Yodas
00:56:42
all right unique term definition risk
00:56:44
tolerance also known as risk appetite
00:56:47
how much risk is the organization
00:56:49
willing to take on each organization is
00:56:52
free to choose how much risk it's okay
00:56:54
with risk tolerance is how we describe
00:56:57
that risk profile is also another way to
00:57:01
describe this so we have tolerance
00:57:03
profile and appetite is one you'll
00:57:05
commonly hear risk treatment is the best
00:57:08
way to address risk risk response
00:57:11
is the best way to address the risk so
00:57:13
again these are common terms terms you
00:57:15
need to know and because we're IT folks
00:57:18
we have three different ways to talk
00:57:20
about one thing so memorize them know
00:57:23
them tolerance and profile same how much
00:57:26
risk is the organization willing to take
00:57:28
on treatment response same what is the
00:57:31
best way to address the risk
00:57:33
all right so let's talk a little bit
00:57:35
about risk responses and treatments
00:57:37
there are only four risk acceptance
00:57:40
criteria uh there are only four sorry
00:57:42
four treatments any acceptance of risk
00:57:46
or risk acceptance criteria needs to be
00:57:49
documented risk decisions should always
00:57:52
be made by management and not by
00:57:54
information security it is not the CSO's
00:57:56
job to make risk decisions it is not the
00:57:59
network admin's job to make those
00:58:00
decisions it is Management's job
00:58:03
management can accept the risk they find
00:58:06
the risk to be acceptable they don't
00:58:08
need any additional controls or change
00:58:09
you can mitigate the risk it is found to
00:58:12
be unacceptable AKA too high and we need
00:58:15
to reduce it somehow the most common
00:58:18
risk treatment is to mitigate we can
00:58:22
transfer the risk if we can get away
00:58:23
with that give it to an insurance
00:58:25
company or a third party push it back to
00:58:28
a vendor or we can avoid the risk in the
00:58:30
first place so we can stop the thing
00:58:32
we're doing that caused the risk or if
00:58:35
we're being proactive we can prevent
00:58:37
introducing the risk to our environment
00:58:39
to begin with all right we're going to
00:58:42
have one or more countermeasures in any
00:58:45
risk mitigation strategy and the goal of
00:58:48
any risk mitigation is to reduce the
00:58:51
likelihood of an adverse event so we're
00:58:53
going to have Personnel related this is
00:58:55
going to be around hiring and the roles
00:58:57
awareness training people are the number
00:59:00
one security risk they are also the
00:59:02
number one security control
00:59:04
we're gonna have process related
00:59:06
mitigation so changes in policy changes
00:59:09
in procedure adjusting the workflows
00:59:12
separation of Duties introducing dual
00:59:14
controls we're going to have some kind
00:59:15
of process that helps us mitigate the
00:59:18
risk we're also then going to leverage
00:59:19
technology related a lot
00:59:22
of attention goes to technology related
00:59:24
mitigation so this could be data
00:59:26
encryption data loss prevention uh
00:59:29
configuration settings you know
00:59:31
hardening the software hardening the
00:59:33
operating system
00:59:34
it could be hardware YubiKeys
00:59:36
multi-factor change detection any number
00:59:39
of things
00:59:43
so when it comes to Personnel we've got
00:59:46
several security considerations uh as
00:59:49
Evan likes to say and I tend to agree
00:59:51
information security is not about
00:59:53
information or security it is all about
00:59:56
people so we've got uh different
01:00:00
awareness trainings that we can do we
01:00:02
have two different things right there's
01:00:04
teaching specific skills
01:00:06
and steps to take uh to do the job or
01:00:10
perform the function securely and then
01:00:13
there are generalized awareness hey
01:00:15
phishing's a thing don't click links uh
01:00:18
watch out for scams we've got background
01:00:21
checks again uh can
01:00:23
come in different levels there's the
01:00:26
standard everybody gets it background
01:00:27
check looking at you know criminal
01:00:29
history employment history uh credit
01:00:31
things like that and then there can be
01:00:34
more sensitive requirements depending on
01:00:36
the job role for those of you that work
01:00:39
in banking or have worked in Banks there
01:00:41
is an FBI verified fingerprint as part
01:00:45
of your background check because you
01:00:47
have what is considered a more sensitive
01:00:49
role and we're seeing an increasing
01:00:51
Trend in uh having higher level leaders
01:00:54
and specifically security folks also
01:00:57
have to go through more intensive
01:00:59
background checks you're going to need
01:01:01
processing and considerations around
01:01:03
termination uh so how are you doing your
01:01:05
exit interviews right revocation how are
01:01:08
you handling disciplinary processes
01:01:10
you're going to need to take into
01:01:12
consideration dealing with vendors
01:01:13
contractors third parties and any
01:01:16
offshoring or Outsourcing uh if people
01:01:20
didn't suffer when things go wrong
01:01:21
nobody would or should care and that is
01:01:26
why people are the most significant risk
01:01:29
so the better you engage your humans the
01:01:32
better the security program that you
01:01:33
will have all right security
01:01:35
Effectiveness is how effective the
01:01:38
controls or set of controls are that
01:01:40
were selected in addressing the specific
01:01:42
risk we want to look at these as
01:01:45
preventative detective or corrective
01:01:47
controls we'll talk more about that a
01:01:49
little bit later here we got to look at
01:01:51
the cost effectiveness of the control we
01:01:54
cannot spend more to protect the system
01:01:56
than the system is worth that's just bad
01:01:58
business and math uh bad math right we
01:02:02
want to make sure that what we're
01:02:04
doing to protect is in line with a value
01:02:07
statement so if we look here we can see
01:02:10
that the annual loss expectancy of a
01:02:13
ransomware event is 200 Grand the
01:02:16
countermeasure of having good secured
01:02:18
backups is 50 Grand so we've actually
01:02:20
added back to the organization 150,000
01:02:22
in value countermeasures are going to
01:02:25
generally have an ongoing cost so don't
01:02:28
look at the original price tag look at
01:02:31
the total cost of ownership
01:02:33
countermeasures need to be evaluated
01:02:36
for their impact on the organization
01:02:38
just because we can make something more
01:02:41
secure doesn't mean the users are going
01:02:43
to love it they might hate it it might
01:02:45
cause inconvenience for them that could
01:02:47
actually end up having a more
01:02:50
significant cost from the business's
01:02:52
perspective in how much it disrupts the
01:02:55
business so make sure that we do that if
01:02:58
the countermeasure is too difficult to
01:02:59
implement it actually increases the risk
01:03:02
people will find a way to work around it
01:03:04
if you make the process too cumbersome
01:03:06
they will just not follow it and they'll
01:03:08
find another way to get things done you
01:03:10
need to have a good understanding of the
01:03:12
culture and strategy so that when you
01:03:14
select the countermeasure you don't
01:03:16
have a negative operational impact no
01:03:19
matter what you do you're going to
01:03:20
increase friction because you're adding
01:03:23
steps or you're
01:03:25
changing the way something works and so
01:03:28
the better that you're aligned to that
01:03:29
culture and strategy the better your
01:03:32
countermeasure is to be successful in
01:03:34
its adoption and ultimately its overall
01:03:36
function
01:03:38
all right these are very testable things
01:03:40
uh so you may be given a scenario or
01:03:44
control description and you have to
01:03:46
match it to its provided category and
01:03:49
type so to make sure that you are clear
01:03:52
on the control type you have to
01:03:54
understand the context okay so controls
01:03:57
are administrative Technical and
01:04:01
physical these are the main categories
01:04:03
administrative again is people paperwork
01:04:06
process rules of the game right policy
01:04:09
procedure guidelines these things are
01:04:11
administrative technical controls are
01:04:13
going to be you know antivirus
01:04:16
anti-malware Group Policy settings uh
01:04:19
endpoint detection systems so on and so
01:04:22
forth physical controls are going to be
01:04:24
door locks and Lighting in the parking
01:04:26
lot and security cameras and security
01:04:28
guards and dogs and things and such okay
01:04:32
within those categories there are
01:04:35
different types there are preventative
01:04:37
controls detective corrective recovery
01:04:40
deterrent and compensating so let's dive
01:04:42
in preventative is going to be your
01:04:44
first line control so uh firewall
01:04:47
validation training a fence around the
01:04:50
building
01:04:51
um a really anxious Yorkshire dog a
01:04:55
Yorkie that just is barking at
01:04:57
everything that moves right it's a
01:04:59
preventative or I'm sorry the dog
01:05:00
example is actually a detective control
01:05:02
preventative control will be a sign that
01:05:04
says warning guard dog on site a
01:05:07
detective control it's going to be your
01:05:08
alarm your IDS an audit something that
01:05:12
identifies a negative event this is
01:05:14
where the Barking Dog example comes in a
01:05:17
corrective control is something that's
01:05:19
going to minimize and or repair any
01:05:21
damage traditionally this will be your
01:05:23
patching your config management you know
01:05:25
updating uh of policies recovery control
01:05:29
that's generally going to be backups
01:05:31
Disaster Recovery plans you know things
01:05:33
that'll get you back on your feet uh a
01:05:36
deterrent is you know going to be a
01:05:38
discouraging thing right we're going
01:05:40
to generally enforce that through some
01:05:41
kind of policy or physical measures so
01:05:43
that angry security guard uh with a gun
01:05:46
at the door is generally going to serve
01:05:48
as a deterrent to bad guys doing things
01:05:51
you know big big giant German Shepherd
01:05:53
like I have at my house uh is going to
01:05:56
be a deterrent to somebody
01:05:58
wanting to do bad things a compensating
01:06:01
control is put in place to satisfy a
01:06:03
security requirement that has been
01:06:05
deemed too difficult or impractical to
01:06:09
implement at the present time now this
01:06:12
is not a full mitigation of the risk
01:06:14
this is an encourage versus enforce so
01:06:17
it's I can't do fully what should be
01:06:21
done to truly address the risk due to
01:06:24
any number of reasons usually money or
01:06:27
complexity
01:06:28
you know negative impact to the business
01:06:30
but what I can do at least is this so
01:06:33
it's a compensating control or um
01:06:36
as I call it a um a compromise
01:06:40
control right I'm compensating I'm
01:06:42
trying to cover that
01:06:44
all right
01:06:46
another dad joke here
01:06:49
how uh we all know about Murphy's Law
01:06:52
anything that can go wrong will but have
01:06:56
you heard of Cole's law
01:07:00
it is thinly sliced cabbage
01:07:05
all right Trucking right along so more
01:07:09
control assessments uh different terms
01:07:12
terminology uh this remaining part of
01:07:16
this domain is very heavy on this uh we
01:07:18
want to examine so this is us
01:07:20
inspecting reviewing observing studying
01:07:23
or analyzing assessment objects
01:07:25
we're looking at the specifications the
01:07:27
mechanisms or the activities we're
01:07:29
really getting into these specifics that
01:07:32
make up that particular object we're
01:07:35
going to need to conduct interviews
01:07:36
we've got to talk to people we're going
01:07:37
to need to interview them for
01:07:40
clarity we're going to need to have them
01:07:41
provide us evidence
01:07:43
um you know hey you say you update the
01:07:45
firewall every six months can you show
01:07:47
me an example uh in the change record of
01:07:50
you doing that we're going to need to
01:07:52
test we actually have to see if our
01:07:54
security controls work I know it's a
01:07:56
crazy idea but we do have to do that we
01:07:59
do have to test our controls to ensure
01:08:01
they're functioning as designed we then
01:08:03
need to Monitor and measure so we're
01:08:05
going to periodically go in and we're
01:08:07
going to see how well is this control
01:08:09
working uh it may be working very well
01:08:12
it may be quite inefficient so we do
01:08:15
need to periodically look at the
01:08:17
effectiveness
01:08:19
we're going to need to
01:08:21
um report you know at the end of the day
01:08:24
we've done a lot of activities now we've
01:08:27
collected all this data we got
01:08:28
to report this stuff out to somebody so
01:08:30
we need to have a process for reporting
01:08:32
to leadership regulators and other
01:08:34
stakeholders if you are part of the
01:08:37
critical infrastructure
01:08:39
um
01:08:40
categories if you have an obligation to
01:08:43
the US government in any way shape or
01:08:44
form you have 72 hours to notify them of
01:08:47
a data breach once you have confirmed it
01:08:50
that's going to be a process you're
01:08:52
going to need to make sure that you can
01:08:53
report that in a timely fashion and
01:08:56
you'll see in the next line down
01:08:57
specific reporting requirements so that
01:08:59
would be one of them you may have
01:09:00
regulatory requirements or industry
01:09:02
specific you're going to need a
01:09:04
well-managed risk-based security program
01:09:06
and that means being able to report out
01:09:10
on internal audits external audits any
01:09:15
significant change to the organization's
01:09:17
risk posture any significant change to
01:09:20
the security or privacy controls in
01:09:22
place within the organization and any
01:09:24
suspected or confirmed security
01:09:26
incidents now here it says or breaches
01:09:29
Pro tip if you're not a lawyer don't
01:09:32
ever say the word breach
01:09:34
leave it for the legal Team all right uh
01:09:37
here we want to improve the efficacy of
01:09:40
the Security Management program and
01:09:42
we're going to seek to continuously
01:09:43
improve the ROI associated with security
01:09:46
so if it's in Orange it's probably
01:09:48
really important to know I would totally
01:09:51
memorize this this is testable so the
01:09:55
goal here is to improve the efficacy of
01:09:58
the security program while improving the
01:10:01
ROI so better security lower risk
01:10:03
ultimately lower dollars and or more
01:10:07
value returned for the dollar spent risk
01:10:11
maturity is going to be how we model and
01:10:14
assess this overall strength of the
01:10:15
program and it gives us the information we
01:10:18
need for the plans that we're going to
01:10:20
have to do to continuously improve so
01:10:22
where are we at in the maturity and can
01:10:24
we improve you could for example
01:10:26
implement a control around making sure
01:10:31
that
01:10:32
uh everybody has a unique login and then
01:10:35
as you mature that you could then maybe
01:10:37
add multi-factor and as you mature that
01:10:39
you could then maybe say no local admin
01:10:41
rights for uh people right so you could
01:10:45
have a control or a set of controls
01:10:48
within your program that can mature as
01:10:50
as you improve it
01:10:52
now uh using some type of predefined
01:10:55
scale is going to help you focus on a
01:10:57
specific behavior obviously I'm a big
01:10:59
fan of the S2 score because that's
01:11:01
SecurityStudio's uh predefined scale but
01:11:05
any score will do
01:11:06
um I do encourage you to look into a
01:11:09
standardized scoring model uh because uh
01:11:12
it's very difficult to measure one
01:11:14
against the other if you are using
01:11:17
different units of measurement
01:11:19
all right so we need to be consistent we
01:11:22
got to do things the same way so we're
01:11:24
going to talk about
01:11:26
um having you know measurable things
01:11:28
that we're doing right how are we
01:11:29
showing progress and goals we're going
01:11:31
to want to have some kind of
01:11:32
standardization in our risk management
01:11:34
program so that we could do meaningful
01:11:37
comparisons we're going to need it to be
01:11:39
comprehensive we got to cover the
01:11:41
minimum but be extensible out to other
01:11:43
things and we need it to be modular you
01:11:45
know things are going to change uh Chat
01:11:48
GPT comes out now you got all this AI
01:11:50
risk you got to worry about so if your
01:11:52
security program is too rigid to account
01:11:53
for that change it's going to be very
01:11:55
difficult to Pivot and adjust but if
01:11:57
it's modular then you should be able to
01:11:59
go in and make those changes but only
01:12:02
need to change what you have to
01:12:07
so let's talk about risk Frameworks for
01:12:10
a second
01:12:11
so risk Frameworks there are so many
01:12:13
Frameworks
01:12:15
um in my opinion most Frameworks are
01:12:17
fairly equal on the fundamentals and the
01:12:19
basics but there are many to know I am
01:12:23
going to move through this somewhat
01:12:24
quickly
01:12:25
um the big one here is the ISO so we're
01:12:28
going to talk about the international
01:12:29
standards organization you have the ISO
01:12:32
31000 series uh within that there are
01:12:36
eight principles there's the 31004
01:12:39
guidance on how to implement 31000
01:12:42
there's the 31000 series for addressing
01:12:45
General risk to information security and
01:12:47
practices within that those specifics
01:12:50
are within the ISO 27000 series
01:12:54
the ISO 27005 does not give you a
01:12:58
specific risk assessment practice but
01:13:00
does provide you inputs and outputs from
01:13:03
the risk assessment practice so if
01:13:06
you're an ISO organization you know
01:13:07
knowing this stuff really helpful
01:13:10
the main principles behind the ISO 31000
01:13:15
customized it's inclusive comprehensive
01:13:17
integrated Dynamic uses the best
01:13:19
available information the human and
01:13:21
cultural factors are brought into
01:13:24
play and it's set up for continual
01:13:26
Improvement
01:13:28
so I'm not going to read all this for
01:13:30
you we just covered that but this is
01:13:32
what's in the 2018 31000 edition
01:13:36
now the one that's probably more
01:13:38
commonly interacted with is the NIST uh
01:13:41
or the US National Institute of
01:13:43
Standards and technology and they have
01:13:45
the RMF or the risk management framework
01:13:48
uh so here you're going to categorize
01:13:50
those Information Systems you're going
01:13:52
to select those security controls you're
01:13:54
going to implement them you're then
01:13:56
going to assess them for their
01:13:57
effectiveness you're going to authorize
01:14:00
them and then monitor them so that is
01:14:04
RMF control objectives for information
01:14:07
related technology this one is for COBIT
01:14:10
and Risk IT it's another type of
01:14:13
framework
01:14:15
um ISACA developed this in the 90s
01:14:17
it's got governance of Enterprise and
01:14:19
IT it's comprised of five processes uh
01:14:22
yes the number of processes and things
01:14:24
like this do matter so please memorize
01:14:27
this stuff
01:14:28
um the management of Enterprise IT has
01:14:30
32 processes and it's closely aligned to
01:14:33
the ISO 20000 27001 ITIL PRINCE2
01:14:38
Sarbanes-Oxley and TOGAF
01:14:41
God bless us all right uh Risk IT
01:14:45
consists of three domains each with
01:14:47
three processes risk governance risk
01:14:49
evaluation and risk response it
01:14:51
identifies organizational
01:14:52
responsibilities it identifies
01:14:54
information flows between the processes
01:14:57
uh it processes Performance Management
01:14:59
activities and additional details on a
01:15:02
Risk IT can be found in the
01:15:04
practitioner's guide
01:15:06
so
01:15:08
no matter what framework we're talking
01:15:10
about we ultimately have to get down to
01:15:13
taking that risk and looking at its
01:15:15
impact in order to do that we have to be
01:15:17
able to start to model the threat uh and
01:15:20
threat modeling is how we describe the
01:15:22
technique that allows us to identify
01:15:24
potential threats so you know as we look
01:15:27
at those threats and those
01:15:28
vulnerabilities to try to figure out
01:15:30
what our risks are we have to be able to
01:15:32
model them so a threat is going to be
01:15:33
any vulnerability or the absence of
01:15:36
necessary security controls
01:15:38
so you could have a threat because you
01:15:41
have your uh firewall set to default
01:15:44
credentials and you allow remote access
01:15:46
right that could be a threat or it could
01:15:48
be that there's a patch missing um that
01:15:51
needs to be applied the attack surface
01:15:54
is the total area in which the attacker
01:15:57
could execute or compromise systems so
01:15:59
how you know uh how many computers are
01:16:02
exposed to the internet right it could
01:16:04
be the attack surface
01:16:06
um so we want to look at that the
01:16:08
physical example would be on a building
01:16:10
is you know how many entrances and exits
01:16:12
are there in the building uh is it made
01:16:14
of papier-mache or is it made of concrete
01:16:17
is it located you know directly next to
01:16:19
an exit ramp on a highway or is it you
01:16:22
know off in the distance so we have to
01:16:24
look at that attack surface
01:16:26
uh we're gonna look at some Concepts
01:16:29
like attacker-centric right so uh that's
01:16:33
the way that an attacker is going to
01:16:35
look at uh things so it's like
01:16:38
being in their mindset like an attacker
01:16:41
mindset uh we're gonna look at their
01:16:43
various characteristics skill sets and
01:16:46
motivations uh not all attackers uh
01:16:48
follow the same
01:16:50
um methodologies they can be motivated
01:16:52
by different things we're going to
01:16:54
profile them to their specific attack
01:16:56
and attack types uh we're going to want
01:16:58
to have this as part of a BCP and DR
01:17:00
planning process and it helps us to
01:17:03
understand how they operate so an
01:17:05
example here would be like an anti-money
01:17:06
laundering process so how does a money
01:17:09
launderer go about doing money
01:17:11
laundering and that's going to help us
01:17:13
get that viewpoint
01:17:16
so again attacker-centric we're gonna
01:17:19
look at you know identifying
01:17:20
the value of the asset to the organization
01:17:22
so you know which assets does the
01:17:25
attacker find uh attractive
01:17:28
um we're going to look at how the asset
01:17:30
is managed manipulated used and stored
01:17:32
we're going to look at how an attacker
01:17:35
might compromise the asset so this is
01:17:36
you know thinking like the bad guys if
01:17:38
you will uh we're going to look at you
01:17:41
know
01:17:42
um a lot of different
01:17:43
compliance regimes focus on that asset
01:17:45
protection uh so HIPAA GDPR PCI right so
01:17:49
we need to think about how that attacker
01:17:51
might compromise that asset that's also
01:17:53
part of our compliance uh and it also is
01:17:56
helpful in protecting other assets such
01:17:58
as intellectual property that might live
01:18:00
on that machine
01:18:03
then we have a software Centric kind of
01:18:06
view on this so uh this model is most
01:18:09
useful uh systems are going to be
01:18:11
represented as assets of interconnected
01:18:14
nature uh and we're going to have this
01:18:16
data flow diagram or component diagram
01:18:19
that helps us to understand what we're
01:18:21
looking at and how it communicates with
01:18:23
the other related systems diagrams can
01:18:26
then be evaluated for potential attacks
01:18:28
against each component uh think of this
01:18:30
as almost like a tabletop exercise if
01:18:32
you will
01:18:33
um and then you can determine whether a
01:18:35
security control exists uh if necessary
01:18:39
and if it does does it achieve the
01:18:42
intended effect of the control
01:18:46
all right so some different uh
01:18:48
methodologies so we're going to talk
01:18:50
about STRIDE
01:18:51
uh STRIDE stands for spoofing tampering
01:18:54
repudiation information disclosure
01:18:57
denial of service and elevation of
01:18:59
privilege so this is a threat modeling
01:19:01
methodology
01:19:03
so we're going to look to see if things
01:19:04
can be spoofed can they be tampered with
01:19:07
and or is repudiation able to be
01:19:10
performed uh what information if any
01:19:13
would be disclosed is it you know
01:19:15
vulnerable to a denial of service and
01:19:17
could escalation of privilege occur
01:19:20
then we have another one which is known
01:19:23
as PASTA or process for attack
01:19:26
simulation and threat analysis so here
01:19:29
we're going to Define some objectives
01:19:30
the technical scope we're going to do a
01:19:33
decomposition of the application
01:19:35
we're going to perform a threat analysis
01:19:37
on that a vulnerability analysis we're
01:19:39
then going to do an attack enumeration
01:19:41
and then ultimately perform a risk and
01:19:44
impact analysis on the outcomes
01:19:47
so we look at the NIST 800-154 this is a
01:19:51
guide to data Centric system threat
01:19:54
modeling
01:19:55
you're going to identify and
01:19:56
characterize the system and data of
01:19:58
Interest you're going to identify and
01:20:00
select the attack vectors that would be
01:20:02
included in the model you're going to
01:20:03
characterize the security controls for
01:20:05
mitigating the attack vectors and then
01:20:07
you're going to analyze the threat model
01:20:11
DREAD which is a mnemonic quantitative
01:20:14
risk rating stands for damage
01:20:16
reproducibility exploitability affected
01:20:19
users and discoverability and again
01:20:21
we're looking to model the threat of
01:20:24
what damage could occur how reproducible
01:20:27
is it how exploitable is it who and how
01:20:30
many would be affected who are affected
01:20:32
users and what is the discoverability of
01:20:35
the threat
01:20:36
uh we then have a few more we have
01:20:39
OCTAVE which is the operational critical
01:20:42
threat asset and vulnerability
01:20:44
evaluation
01:20:45
we have Trike
01:20:48
which focuses on threat modeling as a
01:20:50
risk management tool and then CORAS
01:20:53
which is construct a platform for risk
01:20:55
analysis of security critical systems
01:20:57
this is something coming out of the EU
01:21:00
and it focuses very heavily on UML
01:21:02
language
01:21:03
so
01:21:04
as we know from our friend Buzz
01:21:06
Lightyear Frameworks oh Lord there are
01:21:08
Frameworks everywhere
01:21:11
there is no right or wrong answer to
01:21:13
which framework to use
01:21:15
the one that fits your org best but
01:21:18
know them and be able to recite them
01:21:20
they will be on the exam
01:21:23
all right supply chain risk management
01:21:25
Concepts
01:21:26
most systems are going to be
01:21:28
interconnected and related they will
01:21:30
have dependencies
01:21:32
and a lot of times those dependencies
01:21:33
will exist in third parties and be
01:21:36
associated with vendors who could be
01:21:38
spread all over the planet you're going
01:21:40
to need to understand and evaluate the
01:21:42
entirety of your supply chain to ensure
01:21:44
that you have appropriate security
01:21:45
controls in place to manage the risk
01:21:48
you're going to ensure security controls
01:21:50
are aligned to any legal contractual
01:21:52
obligations as well as organizational
01:21:54
policies
01:21:55
and little asterisks here the cloud is
01:21:58
still your responsibility to secure you
01:22:01
may not be able to touch it directly but
01:22:03
you have direct ownership for it all
01:22:06
right supply chain risk management third
01:22:07
parties got to be assessed for risk you
01:22:09
need a risk management policy that
01:22:12
highlights governance monitoring and
01:22:15
controlling uh and third parties need to
01:22:18
be assessed against your security
01:22:20
requirements we cover this more in
01:22:22
chapter six
01:22:24
uh same thing here you need some
01:22:26
baselines and standards you
01:22:28
want to get down to a detail level here
01:22:30
that you understand uh what your supply
01:22:33
chain risk is
01:22:35
and if you have an MSR in place that you
01:22:38
are not below it uh or beneath any
01:22:42
external compliance requirement so you
01:22:44
always want to make sure that you and
01:22:46
your supply chain are consistent with
01:22:49
any MSRs legal agreements or contracts
01:22:53
um you're going to want to have some
01:22:55
kind of contractual uh agreement in
01:22:57
place with your vendors and make sure
01:22:59
that you have some kind of teeth
01:23:03
related to uptime availability security
01:23:06
requirements uh and that if the SLAs for
01:23:10
that are not met that you have some
01:23:12
generally financial compensation
01:23:15
coming your way or right to terminate
01:23:17
agreement
01:23:18
uh you're going to want to analyze it
01:23:20
for supply chain elements this includes
01:23:23
you know process people technology you
01:23:26
want to as much as possible practice
01:23:28
least access and therefore limit the
01:23:31
exposure you need to make sure that you
01:23:34
have an understanding of any provenance
01:23:37
of data elements tools and processing
01:23:39
that's occurring the information sharing
01:23:41
is only happening within these
01:23:43
strictly defined limits and that you are
01:23:46
doing risk management on the supply
01:23:48
chain itself
01:23:50
uh you're going to want to apply some of
01:23:52
these Concepts to protecting it and use
01:23:54
a defensive design for systems and
01:23:56
elements you're going to want to have a
01:23:58
continuous integrator review so always
01:24:00
be looking at these things uh you know
01:24:03
revisit your delivery mechanisms to see
01:24:04
if they can be strengthened uh and then
01:24:07
you know one that for a lot of folks
01:24:09
falls through the cracks is the disposal
01:24:11
and disposition activity so once
01:24:13
the system is done once a vendor
01:24:16
relationship is done uh the spin down is
01:24:18
equally important National Security
01:24:21
System directive 505 for supply chain
01:24:24
risk management is a great place to
01:24:26
learn more about what you can do
01:24:29
all right uh supply chain risk
01:24:32
management is not specific to cyber
01:24:34
security you can uh in the ISO 28000
01:24:38
series uh they have some great uh supply
01:24:41
chain risk management stuff uh here it
01:24:44
is good for organizations that are using
01:24:46
other ISO standards so if you're a 9001
01:24:49
27001 org and it does rely heavily on
01:24:52
the continuous Improvement model of plan
01:24:55
do check and act or PDCA
01:25:00
uh this one is the UK's National cyber
01:25:04
Security Centre
01:25:06
NCSC uh 12 principles divided into three
01:25:09
stages helps you to understand your
01:25:11
risks establish control check your
01:25:13
arrangements and continuous Improvement
01:25:15
hopefully you're picking up the theme
01:25:17
here all of these have some common
01:25:19
things that are described differently
01:25:22
but it really is what do you got what is
01:25:25
it doing who has it what are the rules
01:25:27
of the contracts of the policies
01:25:30
um another way to do this is to have a
01:25:34
security awareness uh training and some
01:25:36
of the techniques that work well for
01:25:37
that
01:25:38
so you want to train around social
01:25:40
engineering uh you want to identify some
01:25:42
security Champions heck even use some
01:25:45
social engineering in your training see
01:25:47
if you can get them to come along and
01:25:48
like it uh you can use gamification
01:25:51
these are helpful so social engineering
01:25:54
you know is generally exploiting a human
01:25:57
weakness and and a lot of times we talk
01:25:59
about it in a negative context but it
01:26:01
can also be used in a positive context
01:26:03
the main area that that gets most people
01:26:06
when it comes to awareness training is
01:26:08
going to be around that phishing uh
01:26:10
still the most common method business
01:26:12
email compromise why people believe Elon
01:26:15
bought them a free house is beyond me
01:26:17
but they do
01:26:19
vishing which is a voice-based phishing
01:26:22
scam
01:26:23
is growing in popularity especially now
01:26:25
with a lot of the AI deep fake
01:26:27
capability uh smishing which is an SMS
01:26:30
or text-based phishing
01:26:32
um still somewhat effective uh social
01:26:35
media the spirit animal survey if you
01:26:38
don't know if you're a unicorn or a
01:26:40
leprechaun uh I don't encourage you to
01:26:42
find out on Facebook most of those are
01:26:45
scams designed to figure out what your
01:26:47
password reset questions are
01:26:49
the other one is going to be
01:26:51
impersonation and this is growing uh in
01:26:54
popularity so using deep fakes AI
01:26:56
technology mimicking writing Styles
01:26:58
writing really authentic phishing emails
01:27:00
up to and including faking video
01:27:03
so we need to train our users on what to
01:27:04
look for and how to report it very
01:27:08
important how to report most users want
01:27:11
to do a better job they just don't know
01:27:13
where to go and when
01:27:14
a security Champion is going to act as
01:27:16
your liaison between security and the
01:27:18
rest of the company if you can find
01:27:20
someone in a department and get them on
01:27:21
your side this is going to give you the
01:27:24
super power of making an effective
01:27:26
awareness program because no longer is
01:27:28
it just the CSO, IT and security that is
01:27:31
advocating for good security practices
01:27:33
it is the business themselves they do
01:27:36
not work as part of the security team
01:27:38
and ideally you should have one per team
01:27:41
or Department if the organization is
01:27:43
large enough to support that
01:27:44
gamification is about using game type
01:27:47
techniques in a non-game application so
01:27:50
it's a way to bring some fun and
01:27:51
awareness to this topic tries to make it
01:27:53
more relatable and accessible and it
01:27:55
improves engagement
01:27:57
we have to review the content
01:28:13
any CISO should be involved in the
01:28:15
development of the training content
01:28:19
all right uh we need to do it and
01:28:22
collect it and run quizzes and have
01:28:24
metrics around it
01:28:27
all right domain one is done
01:28:31
all right so take a quick breath here
01:28:34
have a sip of some energy drink and then
01:28:36
we're going to dive into domain two
01:28:38
which is going to be about asset
01:28:40
security hopefully everybody is keeping
01:28:43
up and this is moving at a good pace for
01:28:45
you
01:28:48
all right so we're going to talk about
01:28:50
is identification classification of
01:28:52
assets
01:28:53
uh asset handling requirements provision
01:28:55
and inventory management roles data life
01:28:58
cycles and controls and more uh we will
01:29:01
get all the way through this domain uh
01:29:04
put your seatbelt on because it's going
01:29:05
to move quick
01:29:07
but before we get in another dad joke
01:29:09
what is the most what type of bear is
01:29:12
the most condescending
01:29:15
uh a pan-duh
01:29:18
that one we credit to Ron great joke I
01:29:22
want to make sure it stayed all right so
01:29:25
security and risk management we covered
01:29:27
domain one already so that should be
01:29:30
good uh review well we just did it so
01:29:34
hopefully you remember it and then we
01:29:36
did that and we're just gonna move
01:29:38
through this quickly I do encourage you
01:29:41
to go back and watch this
01:29:45
but I am just gonna keep us on track
01:29:49
all right so according to the cissp exam
01:29:54
asset security represents 10% of the exam
01:29:58
so this is a very important topic
01:30:01
okay there will be overlapping Concepts
01:30:04
between domains so you may hear about
01:30:06
things in this domain that you heard
01:30:07
about in domain one you may hear about
01:30:10
things in this domain that exist in
01:30:11
others wherever that happens it should
01:30:13
be called out so domain two around asset
01:30:17
security it's going to be about data
01:30:18
classification asset classification
01:30:20
ownership uh managing data and asset
01:30:24
retention so we'll get into all that as
01:30:26
we go uh here again
01:30:29
so a little little note here this is all
01:30:32
over the place and it's a bit out of
01:30:33
order unfortunately we did not author
01:30:36
the book uh and it's a bit bit here and
01:30:38
there so uh as a refresher CIA
01:30:43
confidentiality integrity and
01:30:45
availability also known as the
01:30:47
information security Triad so in order
01:30:50
to effectively protect assets and the
01:30:54
data and the humans that those
01:30:56
assets are related to we need to ensure
01:30:58
the confidentiality of those systems
01:31:00
data and humans we need to make sure the
01:31:03
Integrity is intact we have to be able
01:31:05
to count on that information as as
01:31:07
having
01:31:08
excuse me having accuracy and we need to
01:31:11
make sure that we can get to it when we
01:31:13
need to hence the availability
01:31:16
all right so uh some supplemental
01:31:18
references uh NIST provides a great
01:31:21
resource so the computer security
01:31:23
Resource Center uh the NIST Cyber
01:31:26
framework here uh um recover identify
01:31:29
protect detect respond definitely
01:31:31
familiarize yourself with that it will
01:31:34
come in handy Center for Internet
01:31:35
Security is another great resource
01:31:39
and they all share this in common
01:31:41
inventory and asset management
01:31:43
so if we look at this for example under
01:31:46
identify we have Asset Management number
01:31:50
one so what does this say in this language
01:31:53
well it says that the data Personnel
01:31:55
devices systems and facilities are able
01:31:59
to be managed consistent with the
01:32:01
relative importance to the
01:32:02
organizational objectives and risk
01:32:05
strategy in other words adequate
01:32:08
security controls to protect it as much
01:32:11
as the business values it these are the
01:32:14
subcategories so we want to make sure
01:32:16
that we know what systems we have so
01:32:18
physical devices and systems are
01:32:20
inventoried we want to know what software
01:32:22
we're using so the software platforms
01:32:24
and applications are inventoried we want
01:32:27
to know how these things are
01:32:28
communicating with each other and where
01:32:30
the data is Flowing so the
01:32:31
organizational communication and data
01:32:34
flows are mapped and then any external
01:32:37
information system we may be interacting
01:32:39
with to pull data or push data is also
01:32:43
cataloged
01:32:45
so again supplemental around the CIS uh
01:32:49
top 18 you'll notice here number one is
01:32:53
control of assets control of software
01:32:56
assets and data protection as we just
01:32:58
covered in the previous slide and number
01:33:01
18 is pen test so when somebody says
01:33:03
they're ready for a pen test I always
01:33:05
like to ask them if they have a complete
01:33:07
inventory of their assets first
01:33:10
all right some regulations uh Canada has
01:33:13
the Security of Information Act China
01:33:15
guarding State Secrets or stealing
01:33:17
Secrets or I don't know uh European
01:33:20
Union uh gdpr United Kingdom has the
01:33:23
Official Secrets Act NIST has the uh
01:33:26
Federal Information Processing Standard
01:33:27
199 uh we also have the NIST special
01:33:31
publication 800-60 and the National
01:33:35
security system
01:33:36
CNSS those are for National Security
01:33:40
Systems if you're interacting with those
01:33:42
you'll have plenty of guidelines to
01:33:45
follow uh Global privacy laws uh just
01:33:47
give you an idea where where we're at on
01:33:49
this so I pulled this map this is the
01:33:51
most up-to-date map
01:33:52
as you can see we still have quite a few
01:33:55
states that here in the US that don't
01:33:58
yet have this figured out and it is a
01:34:01
hodgepodge Across the Nation so uh keep
01:34:04
your eye on that my rule of thumb is if
01:34:06
I'm working for a National Organization
01:34:08
I will default to the most strict rule
01:34:10
set and that makes it easiest to stay
01:34:13
compliant
01:34:15
uh we're going to identify and classify
01:34:17
our information assets so mature
01:34:19
security program is going to have an
01:34:21
asset identification classification
01:34:22
process
01:34:24
um we're going to be able to locate and
01:34:25
categorize those assets and it's going
01:34:27
to help us to differentiate the security
01:34:29
approaches that we take for each of them
01:34:31
so again not all assets are equal in
01:34:34
value or important uh and so we want to
01:34:36
make sure that we're applying the
01:34:38
appropriate security control at the
01:34:40
appropriate cost so the what right
01:34:43
hardware software data data tends to be
01:34:46
the hardest uh only because it is the
01:34:49
most cumbersome uh and generally
01:34:51
involves many many many different
01:34:53
systems across many different
01:34:57
um organizations uh just a quick pop for
01:35:00
you guys if anyone needs to contact the
01:35:03
mentor program it is cissp Mentor at
01:35:07
frsecure.com I believe the instructors
01:35:10
will put it in the YouTube chat shortly
01:35:12
uh so the what hardware software data
01:35:17
the where where does this live physical
01:35:20
virtual uh you know in the cloud is is
01:35:23
unfortunately not a viable answer you
01:35:26
need to know where in the cloud and
01:35:28
who's Cloud you need to be able to
01:35:30
document where is the stuff that I need
01:35:33
a picture I need to be able to see uh
01:35:35
the network diagrams and the data maps
01:35:37
then I need to know who's responsible
01:35:39
right who actually owns this system who
01:35:42
can make decisions about it and the
01:35:44
answer is never IT
01:35:46
all right so before we get into Data
01:35:48
classification let's talk about data
01:35:50
life cycle and this is actually a really
01:35:52
important topic I won't spend too much
01:35:54
time on it but it is super critical
01:35:57
um I I find all too often too many
01:36:00
organizations especially public ones are
01:36:02
what I call data hoarders remember that
01:36:04
your cost of a data breach is directly
01:36:07
related to the number of Records you
01:36:10
have on hand so before we talk about
01:36:12
data we got to talk about what we do so
01:36:14
we collect it
01:36:15
all right we've gathered it for some
01:36:17
purpose or reason we then store it
01:36:19
hopefully securely and not in an
01:36:22
unprotected Amazon S3 bucket we then use
01:36:25
it for some purpose or another so we're
01:36:26
consuming this information we're making
01:36:28
decisions on this information a lot of
01:36:30
times that's going to require us to
01:36:31
share information uh we're then going to
01:36:34
retain it and retaining it is different
01:36:36
than storing it retaining is going to be
01:36:38
that archived
01:36:40
um
01:36:41
process right so so backups uh keeping
01:36:45
it for for legal purposes whatever that
01:36:47
may be and ideally once we've completed
01:36:49
that we destroy it at some point data
01:36:53
does cease to have validity and just
01:36:56
represents more risk and should be
01:36:58
disposed of
01:37:00
so a couple ways we go about doing
01:37:02
things is you know supplemental
01:37:05
reference here privacy framework is
01:37:06
going to help us to understand what
01:37:08
we're classifying
01:37:10
and you see here it's got the identify
01:37:12
the govern the control the communicate and
01:37:14
the protect
01:37:15
like with everything it starts with what
01:37:17
is what do I have so I got to identify
01:37:19
then I got to put some kind of rules
01:37:21
around it then I've got to enforce those
01:37:23
rules so identify govern the rules
01:37:25
control enforcing of those rules
01:37:28
communicating is the uh you know what
01:37:31
letting folks know what's going on you
01:37:33
know different awarenesses and then
01:37:35
protect is is ultimately you know
01:37:37
enforcing uh the full life cycle of
01:37:40
those rules and making sure they work so
01:37:42
we do have the need for data privacy uh
01:37:45
most organizations have some type of
01:37:48
privacy requirement or need uh it could
01:37:53
be intellectual property it could be
01:37:55
actually protecting individuals pii uh
01:37:58
generally it's going to come in three
01:37:59
types content-based which is the PII the
01:38:02
protected health information you know
01:38:04
financial data sensitive information
01:38:07
context based so your IP address and
01:38:10
what you're browsing on the internet and
01:38:12
what apps you have installed and things
01:38:14
like that and then user-based activities
01:38:16
tied specific to an individual
01:38:19
so personal information tends to be who
01:38:22
are you where are you and what are you
01:38:24
doing uh these are some examples here of
01:38:27
data elements that we would consider
01:38:29
personal information
01:38:31
and then we have to classify that so
01:38:34
even though it's it's you know
01:38:35
considered you know personal it may be
01:38:38
confidential it may be sensitive it
01:38:41
might be private proprietary or public
01:38:43
this also applies to data within
01:38:45
organizations that are not directly tied
01:38:47
to a human being so you might have
01:38:50
certain data about your business
01:38:51
processes you might have data about
01:38:53
these you know 11 herbs and spices in
01:38:56
your KFC whatever that is
01:38:58
um you will have different
01:39:00
classifications this is important
01:39:02
because the different classifications
01:39:04
will inform you on how valuable that
01:39:07
particular asset is and what security
01:39:09
controls or privacy controls you may
01:39:11
need to have in place ultimately you do
01:39:13
want a data classification policy
01:39:17
you also want to have a formal process
01:39:19
for Access approval again just because
01:39:21
you work for the company does not
01:39:23
automatically mean that you get access
01:39:24
to every bit of data so an access
01:39:27
request should be approved by the data
01:39:29
owner
01:39:30
and and we'll get into more of that
01:39:31
later but not the manager and not the
01:39:34
custodian but the actual owner of the
01:39:36
data uh they're going to approve the
01:39:38
individual or the subject and they're
01:39:40
going to give them access to certain
01:39:42
objects again just because you can
01:39:45
access some data doesn't mean you should
01:39:47
be able to access it all the subject
01:39:49
must understand the rules and
01:39:50
requirements for their access there will
01:39:52
be limitations on what they can do with
01:39:53
the information there will be
01:39:55
obligations that they need to adhere to
01:39:57
for the secure storage transfer and use
01:39:59
of that information best practice is
01:40:01
that all access requests require an
01:40:04
auditable
01:40:06
process and approval flow and that
01:40:09
repudiation is not able to happen so
01:40:13
what we're always looking for is
01:40:15
non-repudiation we want the ability to
01:40:17
say for certain that this person did
01:40:20
this thing to this data on this day in
01:40:23
this system if they can repudiate it
01:40:26
that means that we are not able to prove
01:40:28
that
01:40:30
so we're going to go through and we're
01:40:32
going to classify and categorize based
01:40:34
on our sensitivity labels we just
01:40:35
covered that we're going to categorize
01:40:37
it according to its information type and
01:40:40
we'll try to apply back to why we want
01:40:43
consistency try to apply similar
01:40:45
security controls to assets with similar
01:40:47
sensitivities okay we're going to look
01:40:50
at things like data hardware and media
01:40:53
for our asset types a removable USB
01:40:57
media is a asset type that might have
01:41:00
different type of sensitivity around it
01:41:03
because it is mobile so we want to look
01:41:06
at those things we're going to generally
01:41:08
try to group our assets based on their
01:41:10
relative level of sensitivity and impact
01:41:12
to the organization if those assets were
01:41:15
to be compromised
01:41:17
all right so for example here uh we have
01:41:21
you know the CIA of
01:41:25
the frsecure.com website so we're going
01:41:27
to look at some of the benefits and this
01:41:30
is covered on page 192.
01:41:32
so making an accurate asset inventory is
01:41:35
going to allow us to gain more insight
01:41:36
into the environment which will then
01:41:38
allow us to optimize things be able to
01:41:40
determine the best maintenance windows
01:41:42
improve security you can see that
01:41:44
there's all these additional benefits
01:41:47
you know identify those rogue assets
01:41:48
right this stuff matters ultimately it
01:41:51
helps us to stay compliant and achieve
01:41:53
our regulatory obligations but there's
01:41:55
actually a lot of really good benefits
01:41:57
to doing proper asset inventory and
01:42:00
asset security here's an example of what
01:42:02
an asset inventory could look like they
01:42:06
don't have to be overly complicated they
01:42:09
can be quite simple a lot of more mature
01:42:12
or larger scale organizations will
01:42:14
actually have a database for maintaining
01:42:16
this stuff but if you don't have
01:42:19
anything you can always get by with an
01:42:21
Excel sheet
01:42:23
so best practice is to know what you've
01:42:26
got and how you're going to keep it
01:42:28
secure right well that's relative to how
01:42:30
important it is uh as a reminder too if
01:42:33
you have any questions please put them
01:42:34
in the YouTube chat or Discord chat and
01:42:37
our lovely assistants and helper
01:42:39
instructors tonight we'll be able to
01:42:40
answer that for you
01:42:43
all right uh let's go through a quick
01:42:47
quiz here so what type of data is not
01:42:50
considered protected or private
01:42:52
information put your answer in the
01:42:54
YouTube chat now
01:43:05
all right public and and the dead
01:43:09
giveaway on this one was it was public
01:43:11
so it can't possibly be private because
01:43:13
it has the word public in the name
01:43:16
all right so uh how do we Mark and label
01:43:20
um interestingly enough uh we really
01:43:22
don't do a good job sometimes in
01:43:24
labeling and I have seen many times
01:43:26
where the backups uh were not properly
01:43:29
labeled for their importance so we had
01:43:32
an asset we tracked the asset but we
01:43:34
forgot to
01:43:39
back up had higher sensitivity
01:43:42
information on it than maybe another
01:43:43
backup
01:43:46
so what does that look like it looks
01:43:47
like this right this is uh an example
01:43:51
and if you notice here this is a
01:43:53
restricted use only so this is a clearly
01:43:55
labeled
01:43:56
uh piece of information it's an
01:43:59
information asset and we've clearly
01:44:01
labeled that it is for restricted use
01:44:03
only so we've properly labeled it and
01:44:06
ideally we have policies that guide us
01:44:09
on the appropriate handling of assets
01:44:12
that are labeled this type
01:44:15
uh we also have you know physical
01:44:17
security we have encryption in play you
01:44:21
know it is highly advisable to only
01:44:22
store what is needed
01:44:24
um and and to you know go to our backups
01:44:28
the other thing is uh just the lessons
01:44:30
learned from the trenches when you
01:44:33
do have to get rid of data remember it's
01:44:35
also in the backup so if you are dealing
01:44:37
with a data cleanup uh you may uh want
01:44:40
to make sure that that process accounts
01:44:42
for backups
01:44:43
all right so declassification you know
01:44:46
the process of modifying or assigning a
01:44:48
classification to a lower level of
01:44:50
sensitivity this is something very
01:44:52
common in the government uh especially
01:44:53
in the clandestine services uh where you
01:44:56
know things will be classified at a at a
01:44:58
you know don't share with anybody level
01:45:00
and then as uh those classifications
01:45:03
expire or uh you know
01:45:07
people leak it on the Internet or
01:45:09
whatever might be the case uh they tend
01:45:11
to modify it to a lower level of
01:45:13
sensitivity uh this is going to be used
01:45:15
throughout the data life cycle so if you
01:45:17
remember from a few slides ago you know
01:45:19
from creation through disposition we're
01:45:23
doing things with that data that we need
01:45:25
to always be looking at and enforcing
01:45:27
our classification but if we need to
01:45:29
lower its classification level we call
01:45:31
that declassifying now much more common
01:45:34
is de-identification
01:45:36
and you'll get this a lot of times from
01:45:39
folks that want to use data that may
01:45:42
have pii associated with it they want to
01:45:44
take a look at the other data elements
01:45:46
and so you gotta you de-identify the
01:45:49
personal identifiers so generally it's
01:45:52
going to mask or obfuscate encrypt or
01:45:54
tokenize these are different methods for
01:45:58
making the personal part of the data
01:46:01
it's no longer personal so here's here's
01:46:04
an example now de-identified data
01:46:08
still can be reconstructed however it if
01:46:12
done correctly that can be quite
01:46:15
difficult to do
01:46:16
but most folks don't do that very well
01:46:20
and so just know that just because it's
01:46:22
de-identified does not mean that it is
01:46:24
fully secured so here's another example
01:46:28
of masking so de-identification looks
01:46:31
like this where we've converted Alice to
01:46:34
some other identifier
01:46:36
and here is masking where we've simply
01:46:39
x'ed out some of the data points
01:46:42
data tokenization is substituting the
01:46:45
data with a random token this this tends
01:46:47
to be a more securable uh way of
01:46:51
de-identification but again if there's a
01:46:54
table that shows who got what token it
01:46:56
could be reconstructed uh in this case
01:46:59
we're using random numbers as a one-way
01:47:00
function in this case you cannot reverse
01:47:02
engineer or decipher this so this would
01:47:05
be for data sets that are de-identified
01:47:08
with never intending to go in the
01:47:11
reverse but if you do tend to go in the
01:47:13
reverse then you might want to use a
01:47:15
different method
01:47:18
here's an example of what tokenization
01:47:20
looks like
01:47:24
okay
01:47:25
and now we're on to the provisioning
01:47:29
of resources so we're going to talk
01:47:31
about information to asset ownership uh
01:47:33
recovered asset inventory and asset
01:47:36
change management configuration
01:47:38
management okay
01:47:40
so uh information asset ownership is
01:47:43
deciding the responsibility uh oversight
01:47:46
and guidelines for asset and data
01:47:48
management
01:47:49
uh a quote here from Dr. Eugene
01:47:52
Spafford's first principle of security
01:47:53
administration if you have
01:47:55
responsibility for security but have no
01:47:58
authority to set rules or punish
01:48:00
violators your role is to take the blame
01:48:02
when something goes wrong uh anyone
01:48:04
that's been a CSO can relate to this
01:48:07
very very closely as well as if you've
01:48:10
been on the receiving end of someone
01:48:12
else's terrible decision
01:48:15
so again we can give Ron credit for this
01:48:17
one kept it absolutely love it
01:48:19
all right so asset owner
01:48:21
responsibilities they're responsible for
01:48:23
any compliance and governance
01:48:25
requirements of the asset they're
01:48:27
responsible for the classification of
01:48:28
the asset maintaining its status within
01:48:31
the inventory uh they have oversight
01:48:34
over it this is important for zero trust
01:48:37
we'll get into that later they Define
01:48:39
what is the acceptable use of the asset
01:48:41
and they also Define any monitoring and
01:48:44
prioritizing of safeguards based on the
01:48:47
risk to the asset remember the business
01:48:49
makes the risk decisions not security or
01:48:53
I.T so it's lots of responsibilities
01:48:56
here and rarely is this formalized
01:48:58
however you could have a asset owner uh
01:49:02
responsibility policy and as part of
01:49:04
your acceptable use policy have a
01:49:07
reference to that asset owner
01:49:09
responsibility
01:49:11
most orgs don't do that but that's a
01:49:13
that's a good way to to get it in place
01:49:14
and have it enforceable uh you want to
01:49:17
have a current and complete inventory is
01:49:19
absolute bedrock if you don't know what
01:49:21
you have you cannot protect it right I
01:49:23
cannot protect what I cannot see uh so
01:49:26
it is very important to have that
01:49:27
visibility and inventory is how we get
01:49:29
it there are different tools that you
01:49:31
can use to create that inventory it
01:49:33
could be as simple as an Excel could be
01:49:35
some fancy piece of software but
01:49:37
ultimately it generates a system of
01:49:39
record so whatever that is uh that you
01:49:43
have you want to make sure the system of
01:49:45
record uh is intact and you can track
01:49:48
modifications to it so you saw this
01:49:50
slide before just to reinforce the who
01:49:53
where and the what's
01:49:55
uh some inventory tools that you can use
01:49:58
are Active Directory and LDAP you can use
01:50:00
vulnerability scanners uh you know
01:50:03
software licensing
01:50:04
data loss prevention Solutions you
01:50:07
definitely want to automate wherever you
01:50:08
can and I would say you know it's it's
01:50:11
strongly encouraged for you to also
01:50:14
check in with procurement many times I
01:50:17
found the most accurate asset inventory
01:50:20
is the bills I'm paying
01:50:22
all right so uh like all things there's
01:50:25
a life cycle to this so asset uh life
01:50:29
cycle you know we have a a strategy we
01:50:32
we plan for why we need the thing we
01:50:35
design the thing we need we procure it
01:50:37
or maybe we build it right we then
01:50:39
operate it uh we get it going and it's
01:50:42
working well we then maintain it for a
01:50:43
while maybe make some enhancements to it
01:50:45
and eventually we get rid of it so same
01:50:48
thing here uh all things will follow a
01:50:51
very similar life cycle
01:50:54
we want to use information technology
01:50:56
asset management or ITAM and this is
01:50:59
allowing us to effectively track the
01:51:01
tangible and intangible it assets if we
01:51:05
look to the ISO/IEC uh 19770 uh there's
01:51:10
some good guidance in that that assists
01:51:12
us with managing risks and the costs
01:51:14
associated with it Asset Management
01:51:17
next is configuration management this is
01:51:20
super important
01:51:21
um a lot of times
01:51:23
the difference between a ransom event
01:51:25
and not having a ransom event is how
01:51:28
well configuration management is being
01:51:30
maintained so this could be keeping
01:51:32
systems uh patched to a current
01:51:34
supported patch level this could be you
01:51:37
know having a actual firewall rules in
01:51:41
place this could be any number of things
01:51:43
but what you want to do is is as your
01:51:45
asset goes through its life cycle
01:51:47
you want to maintain those
01:51:48
configurations and you want to be as
01:51:50
consistent as possible across asset
01:51:52
types you're also going to baseline so
01:51:55
knowing what a system does out of the
01:51:57
box before you put it in the environment
01:51:59
can be incredibly helpful and as much as
01:52:02
you can automate this stuff then this
01:52:05
special publication 800-70 provides you a
01:52:07
checklist for this
01:52:09
and you can look there as well for the
01:52:12
security content automation protocol
01:52:16
more on this in domain seven
01:52:18
change management is is ensuring that
01:52:21
standardized processes are in place for
01:52:23
making any changes to the asset ideally
01:52:26
you want to have a standard change in an
01:52:29
emergency change and the standard change
01:52:31
you want to make sure that you're
01:52:32
looking at things like authorization
01:52:34
enforcement verification the same will
01:52:37
be true in an emergency change but
01:52:39
they'll probably be a lot less rigorous
01:52:40
whatever you do you want to make sure
01:52:42
you're documenting it so you could use a
01:52:44
change management database or CMDB
01:52:47
they go by many names a very popular one
01:52:51
is ServiceNow is a change management
01:52:53
database but you want to have a document
01:52:55
of that change this can help you in a
01:52:58
security context because in unplanned
01:53:01
undocumented change can then be treated
01:53:03
as a threat but if you have no change
01:53:06
management well is it the bad guys or is
01:53:09
it you know a system upgrade nobody
01:53:12
knows because they're not doing change
01:53:13
management so change management helps
01:53:15
you get your head around that
01:53:18
all right got a joke for you knock knock
01:53:22
who's there
01:53:23
No bell
01:53:24
No bell who? No bell, so I just knocked
01:53:29
all right data life cycle we've talked
01:53:32
about this a little bit now we're going
01:53:34
to talk about the roles of data so data
01:53:37
has roles
01:53:38
there are owners owners are the ultimate
01:53:41
they own the data they are the business
01:53:43
entity that ultimately has the highest
01:53:45
level of accountability for the data you
01:53:48
have controllers these individuals could
01:53:50
be folks that approve uh or deny uh
01:53:53
access uh they could be folks that are
01:53:56
part of moving that data around uh
01:53:58
controllers and custodians sometimes can
01:54:00
overlap custodians can be you know are
01:54:03
responsible for you know maintaining the
01:54:05
data and ensuring the data's integrity
01:54:07
and doing backups and restoration
01:54:09
requests things like that maintaining
01:54:11
the data systems uh you have processors
01:54:14
those are the folks that are are
01:54:15
actually you know processing the data
01:54:17
this could be a business intelligence
01:54:19
team that's putting it together
01:54:20
with other data sources to make a bigger
01:54:22
report something like that you have
01:54:24
users these are the folks that are
01:54:26
actually using the data and then
01:54:27
subjects and subjects are
01:54:29
what the data is actually about
01:54:32
so we have different processes
01:54:34
collection location maintenance
01:54:36
retention destruction remnants
01:54:39
remnants is data that is left
01:54:42
after cleanup
01:54:44
sometimes you'll delete data but you
01:54:46
won't get rid of all of it there'll be
01:54:49
like a reference key left behind
01:54:52
or fragments of data at times
01:54:54
depending on how your data model is
01:54:56
so secure data life cycle
01:55:00
you might skip from step one to
01:55:03
step six
01:55:04
because you never retained
01:55:06
it so you've got to understand
01:55:08
within your specific data element you
01:55:12
where you are within the life
01:55:14
cycle you may use data that
01:55:16
is then immediately destroyed
01:55:18
so you have to understand that
01:55:21
a data owner is going to be the
01:55:24
individual again saying
01:55:26
how data is going to be used why it's
01:55:28
going to be used they're going to be
01:55:30
the ones to make decisions about any
01:55:32
risk treatments they need to be
01:55:34
knowledgeable about where the
01:55:35
information is coming from how it's
01:55:37
moving through the environment how it's
01:55:39
being secured ultimately they set the
01:55:42
value and they communicate the
01:55:44
classification level for their data this
01:55:47
is part of the due care and due diligence
01:55:49
responsibility of the data owner
01:55:52
data controller I talked about
01:55:54
this again this is in the GDPR there
01:55:57
is a specific definition for this
01:56:00
here in the US a lot of times that's
01:56:03
going to overlap with the custodian
01:56:05
processor like I explained here's a
01:56:08
visual for that
01:56:09
so you can have sub processors that's
01:56:12
where it gets really interesting so your
01:56:14
third party gives to a third party who
01:56:15
goes to a third party so you need to
01:56:17
understand what's going
01:56:19
on there
01:56:21
users are going to be the consumers and then
01:56:23
subjects are the people and
01:56:26
again this is in GDPR this is
01:56:29
the actual human beings that
01:56:32
the data is about
01:56:37
all right data collection all right so
01:56:39
you only want to collect the minimum
01:56:43
amount of data possible to fulfill
01:56:46
the use of that information you
01:56:50
really want to limit that
01:56:52
here are the seven foundations of
01:56:54
privacy by Design I'm going to skip over
01:56:57
some of this a little quick in the
01:56:58
interest of time but again please
01:57:01
go back listen to this study this
01:57:04
read this in the book
01:57:06
some different use cases for it
01:57:09
we've got why are we using
01:57:11
the data where is the data located
01:57:14
these are the principles of privacy
01:57:15
how are we maintaining it how are we
01:57:18
retaining it and the key
01:57:20
part is to memorize the terms
01:57:23
and know that we have to
01:57:25
have this and I touched on this
01:57:27
earlier I'll touch on it again the less
01:57:29
data you have the less damaging the loss
01:57:32
of data or having a security breach will
01:57:34
be to the organization you've got to
01:57:37
destroy it you just do
01:57:39
all too often we just want to save
01:57:41
everything forever and we don't
01:57:44
one key caveat to call out here is that
01:57:46
caching can exist so even though you
01:57:49
think you've deleted it you could have a
01:57:51
full copy still residing in the cache so
01:57:53
make sure that it is completely
01:57:55
destroyed
01:57:57
a couple things if you are using a
01:58:00
data processing service to destroy data
01:58:02
you want to ensure that you get a
01:58:04
certificate of destruction from them
01:58:06
and then cloud service
01:58:08
providers it could be a little bit
01:58:10
difficult to fully ensure the
01:58:13
destruction of data so understand if
01:58:15
you're using a cloud provider how that
01:58:18
particular system is doing that and
01:58:20
check your contracts for terms
01:58:22
regarding that there are some
01:58:24
regulations and Frameworks around this
01:58:25
as far as the requirement of the
01:58:29
secure destruction of confidential
01:58:30
information
01:58:32
there are different methods to use
01:58:35
I'm a big fan of NIST 800-88 it has a
01:58:40
really good breakdown on what
01:58:43
the
01:58:45
steps are that you would take to
01:58:47
sanitize it to render it useless a chipper
01:58:51
shredder works really well
01:58:52
large pile of Tannerite also works
01:58:57
really well but ultimately you want to
01:58:59
you want to get it destroyed consistent
01:59:01
with the media type and data sensitivity
01:59:04
that you are
01:59:06
charged with following through on
01:59:10
all right so a quick example data owner
01:59:13
here again I'm going to skip to this a
01:59:16
little bit quick but has the proper
01:59:17
security label it's very important the
01:59:19
data owner's job
01:59:21
asset retention this starts to get
01:59:24
into records retention and record
01:59:26
retention best practice
01:59:29
there's many reasons for retaining data
01:59:31
there are certain data types that there
01:59:34
is a legal obligation to retain for a
01:59:36
particular period of time
01:59:39
you might want to have data for forensic
01:59:41
purposes you may need to have data to
01:59:45
support institutional memory
01:59:46
right we've worked on a project five
01:59:48
years ago we don't need to look at it
01:59:50
for two years we've had a big staff
01:59:52
turnover we now need that data so there
01:59:54
are many valid reasons to retain it but
01:59:57
whatever you do you want to make sure
01:59:58
that you have a data retention policy
02:00:01
that accounts for assigning an
02:00:04
individual to the oversight of that
02:00:06
program that you are managing that data
02:00:09
consistent with your policy and that as
02:00:11
much as possible you are aligned to the
02:00:14
least
02:00:16
amount of retention time as required by
02:00:19
your need or by your legal or regulatory
02:00:22
yeah I can't even think of the word
02:00:28
right now anyway don't forget about
02:00:30
your logs either logs do have data
02:00:34
logs are data logs do need to also be
02:00:37
adequately destroyed
02:00:39
you go through a process so if you're
02:00:42
in the EU dealing with GDPR then you
02:00:45
have to account for right to be
02:00:47
forgotten we do not have this
02:00:49
provision in the U.S. at this time
02:00:52
there may be other countries that
02:00:53
have a similar provision but
02:00:55
basically it's somebody can send
02:00:57
you a request that you remove their data
02:00:59
and you need to do that so make sure
02:01:01
that you have an appropriate policy that
02:01:04
accounts for that
02:01:06
in your
02:01:07
data retention policy you want to handle
02:01:10
and maintain if you don't need it get
02:01:13
rid of it
02:01:15
again this should all be covered
02:01:17
under your data protection retention
02:01:19
policy and procedures always consult
02:01:22
legal to make sure you are doing the
02:01:24
right things
02:01:25
all right data at rest in motion in
02:01:30
use common controls and competency
02:01:32
security controls everybody's still
02:01:34
keeping up with me I know we're right at
02:01:35
the eight o'clock Mark so if some of you
02:01:37
need to drop feel free we're about
02:01:42
oh we're probably about 40 minutes from
02:01:44
from done here if I can keep us going
02:01:46
all right so we have some different
02:01:50
standards some different protection
02:01:51
methods some scoping and tailoring
02:01:55
looks like Ron has volunteered to take
02:01:58
over domain three for me so I'll wrap up
02:02:01
domain two I will graciously take him up
02:02:03
on his offer
02:02:05
all right data security controls so we
02:02:07
have different control types we're going to
02:02:08
have different security controls based
02:02:11
on the classification of the asset and
02:02:13
the data State we're going to have
02:02:15
technical controls administrative and
02:02:17
physical and you see this theme
02:02:18
repeating over and over and over there's
02:02:20
administrative there's Technical and
02:02:22
there's physical
02:02:23
all right it all boils down to people
02:02:25
process and Technology right so we think
02:02:28
about these controls we have to look
02:02:31
at how different behaviors are shaped
02:02:34
right so the way that we use the
02:02:37
administrative control will shape the
02:02:38
behavior of the human the way that we
02:02:40
use a physical control will shape the
02:02:41
behavior of anything that's moving
02:02:43
around right so we can use these
02:02:45
different controls to control
02:02:48
the behaviors which ultimately helps us
02:02:51
with the risk so data is going to have
02:02:53
three main states it's going to be at
02:02:55
rest this is sitting in the database in
02:02:57
the data warehouse in a spreadsheet
02:02:59
backups mobile device in motion right
02:03:03
this is the data actually moving from
02:03:05
computer one to computer two it's going
02:03:07
to the website it's flowing to
02:03:09
the mobile device and then there's the
02:03:11
in use we're actually actively
02:03:12
interacting with the data it's a
02:03:14
non-persistent state generally it's
02:03:16
going to be in Ram or the CPU but we're
02:03:19
actually interacting with the data
02:03:22
so data at rest pretty easy
02:03:24
one here some good access controls
02:03:27
and encryption and we will get more into
02:03:29
encryption in domain three I have seen
02:03:31
the slides they are awesome so
02:03:35
disk encryption data encryption there are a
02:03:38
couple different ways to go about it
02:03:39
most systems today come with the trusted
02:03:42
platform module or the TPM you can
02:03:45
also now get self-encrypting drives or
02:03:48
you can actually do it at the file level
02:03:50
same thing here with data in transit
02:03:52
encryption is your friend right
02:03:54
encryption is making it to where the
02:03:55
data is not readily consumable and
02:03:58
therefore makes it difficult for the bad
02:04:00
guys to do anything with it in transit
02:04:04
we want to look at using like TLS or
02:04:07
HTTPS right a little lock in the
02:04:10
browser window you want to have VPNs
02:04:11
link encryption and encryption
02:04:15
encryption is our friend now data in
02:04:18
use is often overlooked this is what
02:04:21
we refer to as like using a memory
02:04:23
safe language or other things we have
02:04:26
to think about the data being accessible
02:04:28
AKA usable but also may need to put
02:04:34
different security controls around it
02:04:36
encryption probably not a viable
02:04:39
option since in order for the data to
02:04:41
be usable it has to be in an unencrypted
02:04:43
state
02:04:45
so we want to scope and tailor so
02:04:48
this again is us looking at
02:04:50
what controls are we going to apply and
02:04:52
why
02:04:53
to mitigate what risk for what exposure
02:04:56
and then we're going to tailor that
02:04:57
we're going to make sure that
02:04:59
just because NIST says do it this way or
02:05:01
just because somebody says the
02:05:03
framework suggests we do this or that we
02:05:05
need to look at what is actually fitting
02:05:08
within our organizational risk profile
02:05:11
okay it's a very important slide I
02:05:14
encourage you to memorize this one
02:05:17
we're going to use compensating
02:05:18
security controls so again compensating
02:05:20
control is when we cannot fully
02:05:23
Implement a security control for any
02:05:25
reason or another and we need to make do
02:05:28
with what we've got we will then
02:05:30
implement a compensating control
02:05:33
all right PCI has a very unique
02:05:35
definition for that and it must meet
02:05:38
the intent and rigor of the requirement
02:05:40
it has to be at a similar level of
02:05:43
defense of the original requirement or
02:05:45
it has to go above and beyond uh the
02:05:47
requirement so bottom line it has to be
02:05:50
commensurate with the additional risk
02:05:52
posed by not adhering so if I go with
02:05:55
a compensating control I get at least
02:05:59
a lower risk profile than if I did
02:06:01
nothing at all
02:06:03
some standards again NIST, UK,
02:06:06
DoD very common standards PCI HIPAA
02:06:11
GDPR these kind of are the
02:06:13
universals you've got FIPS
02:06:16
the ISO family again these
02:06:19
are
02:06:20
a lot of overlap
02:06:24
this is a detailed look at the Section 8
02:06:26
technical controls I will not read all
02:06:29
this out to you but know that it's there
02:06:31
you have digital rights management so
02:06:34
some of you maybe saw recently there was
02:06:37
a browser update for Firefox where if
02:06:39
you didn't install the additional
02:06:41
plug-in all of a sudden Netflix didn't
02:06:42
want to play because the digital rights
02:06:45
protection method did not get
02:06:48
deployed as part of that update so you
02:06:50
had to install an add-on but DRM is
02:06:53
going to allow you to access that
02:06:54
protected information and view it
02:06:57
without being able to copy it or save it
02:07:00
or share it with others
02:07:02
data loss prevention these are going to
02:07:04
be a series of Technologies a lot of
02:07:07
times
02:07:08
practices policies
02:07:10
procedures can go with this as well but
02:07:12
the idea is that you're trying to limit
02:07:14
the likelihood of losing data and most
02:07:17
often this is done through a technical
02:07:19
means file integrity monitoring network
02:07:22
firewall egress
02:07:25
monitoring so what's leaving
02:07:29
different software
02:07:31
products that can help with
02:07:33
this as well data leakage is another
02:07:35
term for data loss here's an example
02:07:38
policy based example of what this looks
02:07:40
like so there's a DLP
02:07:43
policy this could be something in your
02:07:46
firewall this could be something as a
02:07:48
extra piece of technology
02:07:52
right three core stages discovery and
02:07:55
classification monitoring and
02:07:56
enforcement again very common
02:07:59
recurring theme here what do I have
02:08:01
what's it doing can I enforce it three
02:08:03
stages of data so DLP at rest so data
02:08:07
stored we're looking to see that it's
02:08:08
not moving when it shouldn't data in
02:08:11
transit we're looking to see that it's only
02:08:13
moving where it should and data in use
02:08:15
we're looking to see that the host
02:08:17
device using the data is not leaking it
02:08:21
or sending it places it doesn't belong
02:08:24
cloud access security broker or CASB
02:08:27
this is a software application that sits
02:08:30
between the cloud and the cloud services
02:08:32
it's another form of DLP
02:08:35
if you will
02:08:36
it's actively monitoring to make sure
02:08:38
that only the authorized Cloud users are
02:08:40
accessing those cloud resources and
02:08:43
it provides you with visibility data
02:08:45
security threat protection and
02:08:47
compliance more specific example
02:08:50
forward proxy reverse proxy and API
02:08:53
based monitoring
02:08:56
we're also going to do integrity
02:08:57
checking I mentioned this earlier so FIM
02:08:59
or file integrity monitoring
02:09:02
basically it uses a hash file a hash key
02:09:05
and then if something happens to the
02:09:07
file it changes outside of the approved
02:09:10
change the expected change or the
02:09:13
change controlled change you're able to
02:09:16
detect that and that could be an
02:09:18
indicator of access that shouldn't be
02:09:21
happening or bad guys
02:09:24
messing around with things
02:09:26
you're going to do this in conjunction
02:09:27
with your change management procedures
02:09:30
this is not covered in the chapter
02:09:31
however this is a very very effective
02:09:34
control
02:09:36
all right
02:09:39
okay we're going through all that all
02:09:42
right look at that well because of Ron's
02:09:45
gracious offer to pick up at domain
02:09:47
three
02:09:49
we're going to call domain two done and
02:09:53
instead of me getting into the next
02:09:55
session now we're going to go
02:09:56
ahead and call it here Ron will pick
02:09:59
up what I left off with domain three
02:10:02
security architecture and engineering
02:10:04
I encourage everybody to interact on
02:10:07
Discord reach out to your
02:10:10
instructors quick reminders CISSP
02:10:12
Mentor
02:10:14
frsecure.com if you have any questions
02:10:16
or issues otherwise I'd like to thank
02:10:20
everyone for being here today and look
02:10:23
forward to seeing you in a few weeks and
02:10:26
sitting through on Wednesday with Ron
02:10:30
taking us through domain three
02:10:32
thank you everyone great job Ryan
02:10:38
oh thank you sir
02:10:40
see if I can stop the live stream
02:10:51
all right live stream ended

Description:

Domains 2 & 3: Asset Security and Security Architecture
