CISSP EXAM CRAM - DOMAIN 1 Security and Risk Management (RETIRED! NEW VERSION IN DESCRIPTION)

Captions
The CISSP is the premier security certification around the world, and it is now even recognized as the equivalent of a master's degree in the UK. Pretty fancy. Today we're going to dive into the first of eight lessons as I attempt to help you get further, faster in preparing for the CISSP exam. We have a lot of material to cover today, so let's get to it.

The CISSP exam consists of eight domains of knowledge around security, and today we're focused on Domain 1, which is Security and Risk Management. Do bear in mind that you have to pass each individual domain within the exam or it's an overall fail. Over the next few weeks I'll release a lesson for each of the eight domains, so essentially you'll have one lesson for each exam domain, plus I'll release five to ten shorter supplemental lessons on challenging topics or exam strategies. One of those already exists, and that's my strategy for hacking your CISSP exam prep, where I explain how I passed the CISSP on my first attempt with around 12 hours of dedicated study spread over a couple of weeks.

Frequently within this series you are going to hear me refer to the official CISSP exam study guide, because for less than 60 dollars US you get 1300 practice questions and 700 flash cards, great resources to go back and test your recall on important exam topics, and if you get the e-book version you have searchable key terms as well, so it makes a great resource to accelerate your preparation. You can buy it on amazon.com; I have a link in the video description to the best price I could find over there for the new book. On the topic of free things to help you prepare: if you haven't bought the study guide yet and you want to just check your knowledge, I do have a 50-question CISSP practice quiz available to you free, no login required, link in the description. Give it a shot and see where you fall today; if you want to assess your current state, here's your chance.

Is your frontline support struggling with too many Microsoft cloud portals? Now they can manage Office 365 users and devices directly from Microsoft Teams using Simon, the AI-powered chatbot for the Microsoft cloud. There's a link with more info in the video description.

So now let's get into lesson one, which is Domain 1, Security and Risk Management. I want to start by having a look at the exam outline with you. The outline we're looking at here is lifted straight from the official CISSP exam outline on the (ISC)² website, but I want to break down Domain 1 with you. I'll have a link to this document in the description of this video. Going through the skills measured, so to speak, for Domain 1: you need to understand and apply concepts related to confidentiality, integrity and availability, what we call the CIA triad; it's very important that you know this. Security governance principles; we'll talk about compliance. You need to understand legal and regulatory issues in a global context. What this section means, at the end of the day, is that you have a lot of memorization to do here. There are a lot of specific laws you'll want to be able to recall and to understand the gist of. They really cover the basics of legal and regulatory as it relates to information security; you won't get into the nitty-gritty of the laws, but there's going to be a lot of memorization that I'll help you with there. You need to promote, understand and adhere to professional ethics; (ISC)² has their own code of ethics that you will be expected to know well. You need to understand the difference between policy, standards, procedures and guidelines; we'll cover this so the differences are clear and you know where they fit in your strategy. Be expected to identify, analyze and prioritize business continuity requirements, so think preparing for disaster. Contributing to and enforcing security policies and procedures, and notice that it says personnel security policies and procedures, so there's a people management element to this.

Other than cryptography, you're going to find that many or even most of the topics in the CISSP come from a perspective of information security management. Certainly there are technical elements to all of these concepts, but outside of cryptography most of them have some of that management focus. You'll need to understand and apply risk management concepts as well as threat modeling concepts; 1.9 and 1.10 are huge, and they involve frameworks, so you're going to need to do some learning and memorization here. I find that nobody walks in just ready to hit those right off the bat. Apply risk-based management concepts to the supply chain; you see that word "apply" a lot, because there are many real-world questions that come into play in the CISSP. It's not just a theoretical exam, so all this knowledge isn't much use if you can't apply it in the real world. And then establishing and maintaining security awareness, education and training: most organizations today have regular security awareness sessions for their end users, but there are layers to education in the security space, and what you need for your users is obviously different from what you need for your analysts and your decision makers.

So just to recap some key areas that we need to focus on: understanding risk and the risk analysis process, and being able to apply that process; threat modeling concepts and processes and the frameworks that go with those two; compliance, legal, regulatory, privacy; professional ethics, you need to know that (ISC)² code by heart; security governance principles will definitely come into play; and then again security policy, standards, procedures and guidelines. We need to know the difference between these four, and you definitely need to understand what's suggested and what's mandatory. The CISSP will definitely test your ability to filter through all the details and to bring to the surface what is most important in selecting that best answer, and I'm going to try to help you everywhere I can by pointing out some of those key consideration points that will help you make the right decision on exam day.

So I mentioned you're going to need to know the CIA triad by heart. CIA stands for confidentiality, integrity and availability. You'll sometimes see this expressed visually in the form of a triangle, with confidentiality being the first, followed by integrity and availability. Confidentiality is about secrecy or privacy, and in the technology context that means access controls that help ensure only authorized subjects, be those people or services, can access objects, whether that object is data or a system. Integrity ensures that our data or system configurations are not modified without authorization; if a threat actor modifies data without authorization, we've now lost integrity, and that data is no longer true and reliable. And confidentiality and integrity don't matter if we don't have availability, so authorized requests for objects, those systems and that data, must be granted to subjects within a reasonable amount of time. The CIA triad is covered in chapter one of the official CISSP study guide. You'll want to know CIA very well for the exam; it's definitely going to come up.

I mentioned the CISSP code of ethics. I'm not going to read you the full code here, but at a high level it covers protecting society, the infrastructure and the commonwealth; acting in a manner that is honest, responsible and legal; providing competent service to others; and advancing and protecting the profession. The code of ethics itself is much longer than this, and you want to give the whole thing a quick read. Personally I find most of what's in there is common sense, but you'll want to have some familiarity with the terminology they use in case it comes up on a question.

So I want to shift gears and talk about security policy development. At the top tier, your security policy is the document that defines the scope of security that's needed by your organization, the assets that need to be protected and the extent we should go to in protecting them. But there are four levels of security policy development. It starts with the acceptable use policy, which is designed to assign roles within an organization and to tie responsibility to those roles. Then we have security baselines, which define a minimum level of security that every system in the organization needs to meet. Then we have security guidelines, which offer recommendations on how standards and baselines should be implemented, and these provide operational guidance for both our security professionals and our users. And then finally we have procedures, which are those detailed step-by-step documents that describe the exact actions that are necessary to implement a specific security mechanism, a control or a solution in protecting our data or infrastructure. A tidbit for the exam: when you're developing new safeguards you're establishing a new security baseline, which means that maintaining compliance with existing baselines is not a valid consideration point.

Now let's move on to risk management and risk analysis, and I want to start with risk categories. A category is a group of potential causes of risk. At a high level you have damage, which results in physical loss of an asset or an inability to access that asset. Then, when it comes to information, we have disclosure: disclosing critical information regardless of where or how it was disclosed, whether this was a malicious act on the part of a threat actor or unintentional on the part of a well-meaning user. And we have losses, which might be permanent or temporary and could include altered data or inaccessible data. Data altered without authorization affects integrity, if we think about it from a CIA perspective, and an attack like ransomware, for example, renders data inaccessible, and permanently inaccessible unless we can recover.

Then we have risk factors, and risk factors are something that increases risk or susceptibility to loss. In the realm of risk factors we have physical damage: natural disasters, power loss, vandalism. We have malfunctions, whether that's a failure of a system, a network, a peripheral or the HVAC system. We have attacks; these are purposeful acts of a threat actor, whether that's from the inside or the outside, like unauthorized disclosure for example. Continuing on risk factors, there are human errors; these are usually considered accidental incidents, where attacks are generally purposeful incidents. Then finally we have application errors, which would be failures of the application, including potentially the operating system.

Now, security planning may come up on the exam, and there are three types of plans you need to be familiar with. The first is the strategic plan. This is the long-term plan; it's fairly stable, it should generally include a risk assessment, and the strategic plan typically has a five-year horizon that you'll update annually. This helps to align the goals of the security function with the organization's mission and objectives. Next is the tactical plan. This is a mid-term plan, developed to provide a little more detail on the goals of the strategic plan, and it's typically going to have a horizon of about one year. The tactical plan gives us a little more flexibility; we can make some ad hoc adjustments here when circumstances dictate. The final plan of the three is the operational plan. This is a short-term, highly detailed plan that drills down on the strategic and the tactical plans, and by short term we're typically talking about monthly or quarterly. The operational plan will have budgetary figures, staffing assignments, scheduling and typically step-by-step implementation procedures.

So now let's talk about responses to risk. We have several ways we can respond to risk. The first is risk acceptance, and that means simply doing nothing: we accept the risk and the potential loss if the threat occurs. If the safeguards or countermeasures outweigh the potential loss in terms of their cost, then simply accepting a risk might make sense. The next option is risk mitigation, or sometimes you'll hear this called risk reduction. When we mitigate risk we implement a countermeasure and we accept the residual risk; that's the risk that's left over once our safeguards, our security controls, are in place. Risk assignment, also called risk transference, means we're transferring or assigning that risk to a third party, like in purchasing insurance against damage; outsourcing to companies with specific expertise is another way we commonly see risk assigned or transferred. Next is risk avoidance. When the cost of mitigating or accepting a risk is higher than the benefits of the service itself, then avoidance is a good idea. For example, I might decide to locate a business in Kansas instead of Florida to avoid hurricanes, if I decide that the cost of mitigating the risk of hurricane damage to my business is too great. Continuing down this road, risk deterrence is another potential response, and implementing deterrence to would-be violators of security and policy is a pretty common response in the real world. Deterrence would include things like implementing an audit policy to deter folks from malicious behavior, for example in the IT department; security cameras or security guards to deter unauthorized entry onto our premises; or even something as simple as warning signage. And then finally we have risk rejection, and I want to point out this is generally considered an unacceptable response. It's a possibility, but it's not acceptable. This means to simply reject or ignore the risk, to treat it as if it doesn't exist. Obviously it's never a good idea to bury our head in the sand, because problems don't just go away. But remember, handling risk is not a one-time process. This is an area you're going to have to revisit on a recurring basis to refresh your responses to risks and to determine if the nature of these risks has shifted in some way and requires changes on your part.

Let's talk about risk management frameworks now. The primary risk management framework referenced on the CISSP exam is the NIST 800-37 framework, and that's currently in revision 2. If you'd like to read it end to end, I'll have a link to 800-37 in its latest revision down in the description for this video. Now you'll also hear some other risk management frameworks mentioned, but I want to point something out here. The CISSP study guide says "consider the following risk management frameworks for use in the real world," and the key there is "for use in the real world." They mention OCTAVE and FAIR and TARA, and the fact that they say consider these for use in the real world, while mentioning that NIST 800-37 is the primary framework, tells me I'm not going to worry much about these; I'm going to focus on NIST 800-37.

Now, this NIST framework establishes a process with steps, and with any process in the CISSP you need to make sure you know these steps in order. It's depicted by some as a preparatory step followed by six main steps; I'm going to just give you the seven steps. Preparing to execute the risk management framework is that preparatory step, so if you ever see NIST 800-37 presented as six steps, it's because they leave "prepare" off. The second step is categorizing your information systems, and we're looking at the information processed, stored and transmitted by the system based on an analysis of the potential impact of loss. Next is selecting security controls: we need an initial set of controls for the system, and to tailor those controls to our reality to reduce risk to an acceptable level based on our risk assessment. In step four we implement security controls, and we describe or document how those controls are employed within our systems and our environment. Then we're going to assess those controls to determine if they're implemented correctly, if they're operating as we intended in our environment and, most importantly, whether they are producing the desired outcomes, that is, whether they are meeting our security and privacy requirements and expectations. Next we authorize the system, and by that I mean we authorize the system to operate in a normal environment, and at that point the organization is formally accepting the risk for the system. And because this is not a one-time event, your risk management is a process: step seven is monitoring our security controls, periodically assessing that our controls are effective, documenting any changes to the system and conducting risk assessments periodically as necessary.

Remember, I mentioned this is a process, and for any process in the CISSP we need to know those steps, and we want to know them in order. Some folks will use a mnemonic device, or a memory device, built from the first letters of these steps in the framework. For example, for these letters, P-C-S-I-A-A-M, I could use the mnemonic "People Can See I Am Always Monitoring." So at test time, if I'm a little foggy on NIST 800-37, I can at least get the first letter of each of these seven steps by remembering my mnemonic device: "People Can See I Am Always Monitoring." That was something we did very commonly with the OSI model back in the day, and we'll talk about that in a later domain in this series.

A few other things for the exam. Do remember, when you're talking about risk management and risk analysis, that not every risk can be mitigated; that's just a fact, and it's management's job to decide how that risk is handled. So when you hear me talk about thinking like a manager when you're taking the CISSP exam, remember it's the role of a security professional to be a risk advisor, to advise the decision maker, who is the manager. Also, when multiple priorities are present, always remember that human safety is the most important. I bring that up now, though it may not even come up as part of this domain, because it's an important point, so I wanted to mention it early on here, lest I forget: remember to prioritize human safety when you're presented with many options. And remember, when legal issues are involved, calling an attorney is a valid choice. It might not seem like a valid choice, because as technical folks we may want to solve every problem, but when we put our manager hat on, calling an attorney is a great example of risk transference, or assignment; we're outsourcing our problem to an expert.

Let's talk for a moment about types of risk. Residual, inherent and total are three types of risk. We have residual risk, which is the risk that remains even when all our conceivable safeguards are in place; that's the risk we can't get rid of, and at that point the risk management function has chosen to accept, rather than to mitigate or transfer or assign, that residual risk. Sometimes there's a bit of risk there we just can't shake, so we're accepting it. Then there's inherent risk: newly identified risk not yet addressed with risk management strategies. Another way of saying that is that inherent risk is risk that exists in the absence of controls. This is one that you don't really see in every CISSP text; I bring it up because I've seen it a time or two and it's worth mentioning. But total risk is the other one that you want to be very familiar with, and that's the amount of risk an organization would face if no safeguards were implemented. To say it another way, if we just look at those three types of risk: residual risk is what remains after controls are implemented, inherent risk is risk that exists before we've implemented our safeguards, and total risk would be the risk present without any safeguards. For the exam you really want to focus on residual risk and total risk; these are going to come up in a formula. This is the first time I've mentioned formulas, but formulas are very much a thing when we talk about risk analysis and management on the CISSP exam.

A few tidbits for the exam: be able to explain total risk, residual risk and the controls gap, which is the amount of risk that's reduced by implementing safeguards. We'll see the controls gap in a formula and talk about that a bit more a little later in this installment. To calculate total risk, know this formula: threats times vulnerabilities times asset value equals total risk. We'll look at some of these formulas later in this installment, because you will need to understand the several formulas as they relate to risk and how to use them to arrive at good decisions. We can also express risk itself as a formula, and risk can be defined as threat times vulnerability, so yes, your threat and vulnerability are expressed as numeric values, as probabilities. Stick with me to the end of the video; we'll see more formulas here and we'll look at a couple of examples to help you get the ball rolling, and if, when we're done, you'd like to see a video dedicated to nothing but the formulas that are going to come up for you on the CISSP exam, just leave me a comment and I can make that happen.

So I want to shift gears now from risk to risk analysis. There are two ways, at the highest level, to evaluate risk to our assets: qualitative risk analysis and quantitative risk analysis. Quantitative assigns a dollar value to evaluate the effectiveness of our countermeasures. Quantitative risk analysis really is the more labor-intensive of the two methodologies; it typically employs a lot of data collection and analysis using cost-benefit analysis, and it results in specific values, so what we're really doing is removing guesswork and opinions from the process. If I were to describe quantitative risk analysis in one word, it's objective. It typically requires a lot of information and effort, but at the end of the day it's going to assign a tangible dollar value so we can evaluate the effectiveness of our response to risk.

So let's look at the risk analysis steps involved in quantitative risk analysis; this is specific to quantitative risk analysis, and we're going to talk about qualitative in a moment. Step one is inventorying your assets and assigning a value. You might be asking yourself what that text out there in red is; I'm putting some terms and some acronyms out here because these are going to come up in formulas that we discuss later in this module, so these are going to be important, and you'll wind up revisiting this slide to think again through these steps and what the outputs of each step are. Step two, we're identifying threats: we're going to research our assets and produce a list of all the possible threats to each asset, and here we're going to calculate EF, which is the exposure factor, and the SLE, which is the single loss expectancy. We're going to get to what these mean in just a moment; I just want to set the stage for you so you know what some of these outputs are, and this will all come together when we talk about the formulas. Step three, you'll perform a threat analysis to calculate the likelihood of each threat being realized within a single calendar year; you're calculating the annualized rate of occurrence, and again, that acronym is going to show up in a formula here momentarily. Step four, we're going to estimate the potential loss by calculating the annualized loss expectancy, and the fact that the word "annual," the concept of yearly, is coming up here should tell you that this is an ongoing process. This is a recurring process we're going to revisit periodically within our organization; it's not a one-time exercise. Step five, we're going to research countermeasures for each threat, and then we're going to calculate changes to the annualized rate of occurrence, in other words how often this event is going to occur, and what our annualized loss expectancy is based on the countermeasures that we've applied. If we've done our job right, the annualized rate of occurrence and the annualized loss expectancy are going to be lower than when we started. In step six we're going to perform a cost-benefit analysis of each of our countermeasures for each threat for each asset, to determine in a very dollars-and-cents fashion if we've made good decisions in our selection of countermeasures.

So let's talk about qualitative risk analysis. Qualitative risk analysis uses a scoring system to rank threats and the effectiveness of our countermeasures relative to the system and the environment. It requires guesswork and estimation, and it definitely uses opinions; however, it does provide meaningful results. If I could summarize qualitative risk analysis in one word, it would be subjective, because it involves opinions, and while it's going to tend to be less accurate, it is a quick way we can make some estimations that we can then use to guide our efforts in the deeper quantitative risk analysis. A lot of times qualitative risk analysis can serve as the way we take a five-minute rough cut at the problems we're dealing with: I can rank impacts as low, medium, high, I can throw out some percentages to just get to a point where I know what I'm dealing with in terms of the probability and impact of the threats we're working with, of the risk we're trying to deal with. You should be familiar with the Delphi technique for the exam as well; in qualitative risk analysis this is basically anonymous feedback and response used to arrive at a consensus.

A couple of other considerations when it comes to risk analysis. There's loss potential, so what would be lost if the threat agent is successful in exploiting a vulnerability, and then delayed loss, which is the amount of loss that can occur over time, because the reality is you don't lose everything all at once in certain situations. For example, if an exploit takes down the firewall in front of your web farm and your web farm is unavailable, you lose money over time as customers can't reach your website; that's delayed loss. And I mentioned threat agents here: the threat agents are what cause the threats by exploiting vulnerabilities, and the vulnerabilities are the weaknesses in your assets, or in your safeguards for that matter.

So I promised you we would talk about those important formulas, and that time has come. We're going to talk about the relevant terms and the formulas that we use to calculate their results. We have exposure factor, single loss expectancy, annualized rate of occurrence, annualized loss expectancy and safeguard evaluation, and these all factor into some key formulas that are definitely going to show up on the CISSP exam. So let's dig into these terms and the formulas that go along with them.

We'll start with exposure factor, EF. This is the percentage of loss that an organization would experience if a specific asset were violated by a realized risk, so EF, or exposure factor, is expressed as a percentage. Single loss expectancy, or SLE, represents the cost associated with a single realized risk against a specific asset, so this gives us a one-time loss figure. The formula for single loss expectancy is the asset value times the exposure factor. The asset value is going to be a number, a dollar figure; the exposure factor will be a percentage, which is expressed as a decimal when we're doing the math. So let's look at a sample here. If I have an asset value of $100,000 and a tornado is estimated to do 30 percent damage to my asset, that's going to be 0.3, my exposure factor is 30 percent, and my single loss expectancy then would be $30,000, or the asset value times the exposure factor. OK, this is just the tip of the iceberg, so let's keep going here.

Annualized rate of occurrence, or ARO, is the expected frequency with which a specific threat or risk will occur within a single year. The annualized rate of occurrence is an important input for this next item, and that is annualized loss expectancy. This is the possible yearly cost of all instances of a specific realized threat against a specific asset. If we look at that in a formula, the annualized loss expectancy, the ALE, is the single loss expectancy times the annualized rate of occurrence. The SLE is the one-time loss, and then we take that times the annualized rate of occurrence. So if we have an SLE of $50,000 and we have an annualized rate of occurrence of, say, 0.5, because a particular threat only occurs once every two years, $50,000 times 0.5 is $25,000.

I've explained that simply there, but I started with an SLE we'd already calculated, so let me take you through an end-to-end example of annualized loss expectancy. We have an office building that's worth $200,000, we estimate that hurricane damage would be 50 percent of the value of this building, and hurricane probability is one every 10 years, so 10 percent, or 0.1. We have to start by calculating the single loss expectancy, and the single loss expectancy is the $200,000 building times the damage estimate of 50 percent, or 0.5, so our SLE is $100,000. Now we're going to take that SLE, and that factors into our ALE equation, so we'll carry that $100,000 into the next equation, and that is the single loss expectancy of $100,000 times the annualized rate of occurrence, or ARO. Our hurricane probability is one every 10 years, so the annualized rate of occurrence is 0.1. If the hurricane probability was one every single year, that would be 1, even, but one every 10 years means 0.1. So we take that $100,000 times 0.1, and our annualized loss expectancy is $10,000. What this tells us is that the safeguards we put in place had better not cost more than $10,000 a year, or we're spending more to protect this building than we're essentially going to save. That gives us the value of the safeguard; it gives you a dollars-and-cents answer.

While we're on that subject, let's talk about how the value of the safeguard is expressed. We call that safeguard evaluation. Good security controls will mitigate risk, they're transparent to users, they're difficult to bypass, but the last one here is that they're also cost effective. In our previous example we saw that the safeguard shouldn't cost us more than $10,000 a year, or we were spending too much relative to the reduction in loss. Safeguard evaluation has a formula: the annualized loss expectancy before the safeguard, minus the annualized loss expectancy after the safeguard, minus the annual cost of the safeguard, gives us the value of the safeguard. We're really trying to answer the question "is the safeguard cost effective?" If we're spending more to protect an asset than we're saving in ALE, then we don't have a cost-effective answer there. So there's your formula expressed a little more simply: ALE before the safeguard, minus ALE after the safeguard, minus the annual cost of the safeguard. Again, I hope these examples have been helpful. If you need more help with formulas, if we need to do a video with just the formulas, go down to the comments and drop me a note, let me know, and we can make it happen.

The amount of risk reduced by implementing safeguards is known as the controls gap, and to see the controls gap in a formula we can look at residual risk. Residual risk is total risk, the risk in the absence of controls, minus the controls gap; that gives us the remaining, or residual, risk. So if total risk is $100,000 and the controls gap is $50,000, our residual risk is then $50,000.
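The formulas above, worked in code. This is an added example, not code from the video or from the official study guide. It uses the lecture's own figures (the $100,000 tornado asset at 30 percent, the $200,000 hurricane building at 50 percent with an ARO of 0.1, and the $100,000 total risk with a $50,000 controls gap) and adds two constructed safeguard options, storm shutters and a hardened relocation, whose annual costs and post-safeguard exposure factors are assumptions made up for illustration. The point it shows beyond the lecture is how the safeguard-value formula turns the risk-response choice into arithmetic: a positive value argues for mitigation, a negative one for acceptance.

```python
"""Quantitative risk analysis formulas (CISSP Domain 1) worked in code.

Added example, not part of the original video or the official study guide.
Asset and threat figures come from the lecture; the safeguard options and
their costs/effects are constructed assumptions for illustration only.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction (30% -> 0.30); result rounded to cents."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is events per year (once per 10 years -> 0.1)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def total_risk(threats: float, vulnerabilities: float, asset_value: float) -> float:
    """Total risk = threats x vulnerabilities x asset value (risk with no safeguards)."""
    return round(threats * vulnerabilities * asset_value, 2)


def residual_risk(total: float, controls_gap: float) -> float:
    """Residual risk = total risk - controls gap (the risk left after safeguards)."""
    return round(total - controls_gap, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost of the safeguard.
    A positive result means the safeguard saves more per year than it costs."""
    return round(ale_before - ale_after - annual_cost, 2)


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and its assumed effect on EF and ARO."""
    name: str
    annual_cost: float
    new_exposure_factor: float  # EF expected once the safeguard is in place
    new_aro: float              # ARO expected once the safeguard is in place


def evaluate_safeguards(asset_value: float, exposure_factor: float, aro: float,
                        candidates: list) -> list:
    """Rank candidate safeguards by value (best first) and flag cost-effectiveness.
    Value > 0 supports mitigation; value <= 0 means accepting the risk costs less."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    results = []
    for sg in candidates:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, sg.new_exposure_factor), sg.new_aro)
        value = safeguard_value(ale_before, ale_after, sg.annual_cost)
        results.append({
            "safeguard": sg.name,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "value": value,
            "cost_effective": value > 0,
        })
    return sorted(results, key=lambda r: r["value"], reverse=True)


if __name__ == "__main__":
    # Lecture example: $200,000 building, hurricane EF 50%, one hurricane per 10 years.
    sle = single_loss_expectancy(200_000, 0.50)   # 100000.0
    ale = annualized_loss_expectancy(sle, 0.1)    # 10000.0, the yearly safeguard budget ceiling
    print(f"SLE = {sle:,.2f}  ALE = {ale:,.2f}")
    # Constructed safeguard options (assumptions, not from the lecture).
    options = [
        Safeguard("storm shutters", annual_cost=4_000, new_exposure_factor=0.20, new_aro=0.1),
        Safeguard("hardened relocation", annual_cost=9_000, new_exposure_factor=0.10, new_aro=0.1),
    ]
    for r in evaluate_safeguards(200_000, 0.50, 0.1, options):
        print(r)
```

Running it shows the shutters with a value of 2,000 (ALE drops from 10,000 to 4,000 for a 4,000 annual spend, so mitigation pays) and the relocation at -1,000 (ALE drops to 2,000 but the 9,000 cost exceeds the 8,000 saved, so acceptance or a cheaper control is the better answer). That is exactly the "is the safeguard cost effective?" question the lecture says the exam will ask.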
The CISSP exam will also test your knowledge of applying risk-based management concepts to the supply chain. Today most services are delivered through a chain of multiple entities; that is to say, one product, like a car for example, while it has a car company's label on it, likely includes components from multiple companies and certainly may be transported by multiple companies to the dealership. A secure supply chain includes vendors who are secure, reliable, trustworthy and reputable, and you need to evaluate the vendors in your supply chain to ensure that's true. When evaluating third parties in the chain you want to consider methodologies like on-site assessment (visiting an organization, interviewing personnel and observing their operating habits to ensure they are as safe as they claim to be); document exchange and review (investigating the means by which the organization exchanges data sets and documentation, as well as the formal processes by which it performs assessments and reviews); process and policy review (requesting copies of their security policies, processes or procedures); and finally you could opt for a third-party audit, having an independent auditor provide an unbiased review of the entity's security infrastructure. You want to dig into supply chain evaluation from a risk management perspective for the exam; you're going to be expected to have good knowledge there.

Let's talk about threat modeling. This is the security process where potential threats are identified, categorized and analyzed; the key phrase there is potential threats. Threat modeling can be proactive or reactive, but in either case the goal is to eradicate or reduce threats, and there are different approaches you can take. Common approaches include a focus on assets, which uses asset valuation results to identify threats to the most valuable assets. The model could focus on attackers, identifying potential attackers and identifying threats based on the attacker's goals. And a software company might consider potential threats against the software it develops, so a focus on software.

The exam essentials section in the official CISSP study guide mentions you should be familiar with a few different threat modeling methodologies, so let's talk about a couple of those briefly. First there's the STRIDE model, which comes from Microsoft. STRIDE is an acronym that stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege; it's essentially a threat categorization scheme. There is the PASTA model, which focuses on controls relative to asset value, so it's a risk-centric approach that aims to select and develop countermeasures in relation to the value of the assets you're protecting, a pretty good dollars-and-cents methodology, and there are seven steps or stages in PASTA, which are listed here. You're going to want to make sure you have familiarity with these methodologies, and remember, when you're dealing with any sort of multi-step or multi-phase process or methodology, understanding the order of the steps will be important, at least to memorize those, so there's going to be some memorization work on these items for sure. There's the VAST model, which is based on Agile project management and programming principles; VAST is also an acronym, Visual, Agile and Simple Threat. Then we have the Trike model, which also takes a risk-based approach and ultimately provides a method of performing a security audit. And there is the DREAD rating model, which scores each threat on Damage potential, Reproducibility, Exploitability, Affected users (how many users are likely to be affected by the attack, as a percentage) and Discoverability (how hard it is for the attacker to discover the weakness). These are all threat modeling methodologies that you're expected to know a bit about for the exam, so make sure you dig into DREAD and STRIDE and Trike and PASTA and VAST. So another step in threat
modeling, quite commonly, is diagramming potential attacks. Determining potential attack concepts is achieved through visualizing your infrastructure and identifying threats, or identifying potential vulnerabilities that may be exploited. Let me sketch out a simple example for you here and diagram some potential attacks. I have users that come through my perimeter, the user/web server boundary we'll call it, so they hit my web service here, and I have a database back here, a SQL Server, where we'll pull some data from a database. My user starts by logging in to the web service; at some point they may make a request that then causes that web service to go back and retrieve data from my SQL database. I'd imagine there's maybe even a different authentication process here, from a service principal or an entity down to that database, versus the user logging in manually here. And I can perceive different threats here because I'm visualizing. Right off the cuff, I can imagine that on a login form, brute-force password attacks and dictionary attacks might be common if attackers wanted to just guess at usernames and passwords, and if they were to register for our service, maybe they could get an idea of the username requirements and then just start, as I mentioned, a dictionary attack. Now if I think about a web service talking to a database, the first thing that always comes to mind is SQL injection, so as an attacker I could try to exploit maybe some poor value handling on a web form to perform a SQL injection attack. I'm out of space here, but I could go quite a bit further, as you can see; this gives you an idea of that diagramming process at a basic level.

Let's talk about reduction analysis in threat modeling. In reduction analysis I'm going to break a system down into its parts, which makes it much easier to identify the essential components of each element and take notice of where we might have vulnerabilities and likely points of attack.
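Before deconstructing the system, here is the SQL injection threat from the diagram made concrete, as an added example that is not code from the video: the "poor value handling on a web form" is a login handler that splices the form values straight into the query, shown next to the same query with bound parameters. The web service and SQL Server from the diagram are stood in for by an in-memory SQLite database with a constructed users table, so it runs offline; the usernames, passwords and the two attack payloads are constructed.

```python
"""SQL injection at the diagram's input point: a login form feeding a database.

Added example, not code from the video. An in-memory SQLite database with a
constructed users table stands in for the SQL Server; passwords are stored in
plaintext only to keep the demonstration short (a real system stores hashes).
"""
import sqlite3


def build_db():
    """Constructed sample data: two accounts, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The 'poor value handling': form values are formatted into the SQL text,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    query = ("SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Same query; the values travel as bound parameters and are never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Constructed payloads. The first comments out the password check with '--';
# the second turns the WHERE clause into (... AND password = '') OR '1'='1'.
COMMENT_OUT_PASSWORD = ("alice' --", "wrong")
ALWAYS_TRUE = ("x", "' OR '1'='1")

if __name__ == "__main__":
    db = build_db()
    for name, creds in [("comment-out", COMMENT_OUT_PASSWORD), ("always-true", ALWAYS_TRUE)]:
        print(name, "vulnerable:", login_vulnerable(db, *creds))
        print(name, "parameterized:", login_parameterized(db, *creds))
```

Run against the constructed table, the vulnerable handler logs the attacker in as the admin with the first payload and returns every account with the second, while the parameterized version returns no rows for either and still returns `alice`'s row for her real credentials. This is why the threat model should flag the web form as an input point: the fix lives at the code that builds the query, not in the database.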
To go through this, I could look at trust boundaries: any location where the level of trust or security changes. A trust boundary in your application, from, say, an access control perspective, would be where a specific role or privilege is required to access a resource or an operation; that would be a change in trust. Data flow paths: looking at the movement of data between locations and what exposures there are that might allow attackers the opportunity to capture or breach that data. Input points: locations where external input is received. In our diagramming example, a web form where we're logging in, or a web form where we're submitting a request that calls back to SQL, is going to be an area that would most likely be a possibility for attack, a likely target. Privileged operations: any activity that requires greater privileges than those of a standard user account; that's going to be a red flag area, an area we'll want to give special attention. Then finally, details about security stance and approach; essentially, that is our declaration of security policies, foundations and assumptions in a given scenario, for a service or infrastructure. After we go through that deconstruction and documentation process, we want to rank or rate the threats. We can use the DREAD methodology we just talked about, or a high/medium/low rating, for example.

I want to clarify a few things around security controls. Your security controls are the measures for countering or minimizing loss or unavailability of your assets, your services, your apps, etc. You'll hear the terms safeguards and countermeasures (we've used those quite a bit today) and they may seem to be used interchangeably; at the end of the day, the main difference between a safeguard and a countermeasure is that safeguards tend to be proactive and countermeasures tend to be reactive.
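Going back to the reduction analysis and the threat-ranking step just described, and to the STRIDE categories and DREAD factors from earlier, here they are worked as one small script over the user, web service and SQL database from the diagram. This is an added example, not code from the video: the elements, the flow properties, the rule set that turns trust-boundary crossings, unprotected flows, input points and privileged operations into STRIDE threats (my own simplification of STRIDE-per-element, not an official mapping) and the DREAD ratings are all constructed for illustration.

```python
"""Reduction analysis and threat ranking for the user -> web service -> SQL diagram.

Added example, not code from the video. The elements, flows, the STRIDE
rule set (my own simplification of Microsoft's STRIDE-per-element, not an
official mapping) and the DREAD ratings are constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    trust_level: int              # 0 = anonymous internet, higher = more trusted
    privileged_ops: tuple = ()    # operations needing more than a standard user's rights


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    external_input: bool = False  # input point: data that originates outside the system
    encrypted: bool = False       # protected in transit
    authenticated: bool = False   # the source proves its identity to the destination
    logged: bool = False          # an audit trail exists for this flow


@dataclass(frozen=True)
class Threat:
    category: str                 # one STRIDE category
    target: str
    description: str


def crosses_trust_boundary(flow, elements):
    """A trust boundary is any place the trust level changes between source and destination."""
    return elements[flow.src].trust_level != elements[flow.dst].trust_level


def enumerate_threats(elements, flows):
    """Reduction analysis: walk trust boundaries, data flow paths, input points, privileged ops."""
    threats = []
    for f in flows:
        target = f"{f.src}->{f.dst} [{f.data}]"
        if crosses_trust_boundary(f, elements):
            if not f.authenticated:
                threats.append(Threat("Spoofing", target,
                                      f"identity of {f.src} is unverified; credential guessing or replay"))
            if not f.encrypted:
                threats.append(Threat("Information disclosure", target,
                                      f"{f.data} crosses a trust boundary in the clear"))
        if f.external_input:
            threats.append(Threat("Tampering", target,
                                  f"{f.data} is external input; injection or malformed data into {f.dst}"))
            threats.append(Threat("Denial of service", target,
                                  f"{f.dst} can be flooded with {f.data}"))
        if not f.logged:
            threats.append(Threat("Repudiation", target, f"no audit trail for {f.data}"))
    for e in elements.values():
        for op in e.privileged_ops:
            threats.append(Threat("Elevation of privilege", e.name,
                                  f"'{op}' needs more than standard-user rights"))
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users_pct, discoverability):
    """DREAD: four factors rated 1-10, affected users as a percentage mapped to 1-10; mean of five."""
    affected = max(1, min(10, math.ceil(affected_users_pct / 10)))
    return round((damage + reproducibility + exploitability + affected + discoverability) / 5, 1)


def rank_threats(threats, ratings):
    """Attach DREAD scores, highest first. Threats without a rating stay in the backlog unscored."""
    scored = [(dread_score(*ratings[(t.category, t.target)]), t.category, t.target)
              for t in threats if (t.category, t.target) in ratings]
    return sorted(scored, reverse=True)


# Constructed model of the diagram from the lesson.
ELEMENTS = {e.name: e for e in [
    Element("user", trust_level=0),
    Element("web service", trust_level=1, privileged_ops=("admin dashboard",)),
    Element("sql database", trust_level=2),
]}
FLOWS = [
    Flow("user", "web service", "login credentials", external_input=True, encrypted=True, logged=True),
    Flow("user", "web service", "search request", external_input=True, encrypted=True, authenticated=True),
    # the query is built from the search request, so it is still external input reaching the database
    Flow("web service", "sql database", "sql query", external_input=True, authenticated=True),
]
# Constructed analyst ratings: (damage, reproducibility, exploitability, affected users %, discoverability).
RATINGS = {
    ("Tampering", "web service->sql database [sql query]"): (9, 10, 8, 100, 8),  # SQL injection
    ("Spoofing", "user->web service [login credentials]"): (6, 8, 6, 20, 10),    # password guessing
    ("Elevation of privilege", "web service"): (10, 4, 3, 100, 4),               # admin dashboard
}

if __name__ == "__main__":
    for t in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{t.category:<24} {t.target:<48} {t.description}")
    for score, cat, target in rank_threats(enumerate_threats(ELEMENTS, FLOWS), RATINGS):
        print(f"DREAD {score:4.1f}  {cat}: {target}")
```

On the constructed model the walk produces eleven candidate threats covering all six STRIDE categories, and the DREAD ranking puts SQL injection on the web-service-to-database flow first, ahead of password guessing on the login form and abuse of the admin dashboard. The point of writing the rules down is the one the lesson makes about reduction analysis: once the boundaries, flows and input points are recorded, the candidate threats fall out mechanically, and the analyst's judgment goes into the ratings.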
Let's talk about the categories of controls. There are three categories of security controls. There are technical (or logical, as they're sometimes called) controls, which involve the hardware or software mechanisms used to manage access. Then you have administrative controls, which are policies and procedures designed by the org's security policy or other regulations and requirements; administrative controls, for example, might include hiring practices, background checks, data classification and labeling, and security awareness and training methods. And then you have physical controls; the physical category is items you can physically touch, so there we're talking about guards, fences, motion detectors, locked doors, sealed windows, lights, laptop locks, etc. Be familiar with these control categories and be able to name off a few in each category, as I just did for you.

Next, let's dig into security control types. You have deterrent controls, which are deployed to discourage violation of security policies; deterrent controls could include audit policies, security awareness training, locks, fences and security badges. They're designed to discourage violation. Then we have preventative controls. These could be technical controls like firewalls or intrusion prevention systems, or a physical control like a fence, a gate or a mantrap. Technically there could be some overlap between deterrent controls and preventative controls; the main difference is that deterrent controls really rely on somebody making a decision not to do something, where preventative controls are designed to actively stop the unwanted behavior. We have detective controls, which are deployed to discover or detect unwanted activity. The defining characteristic of detective controls is that they really detect the activity after the fact, right, or they detect something in progress: motion detectors, CCTV cameras, audit trails, honeypots. You'll find some surprising elements listed as detective controls, like mandatory vacations, for example, or job rotation, because if you're rotating people across jobs or in and out on vacations, you're going to be able to establish some patterns that will allow you to detect behavior based on the presence or absence of certain individuals or circumstances. Then we have compensating controls, which provide options to other existing controls to aid in enforcement of the goal. For example, let's say your organization requires that personally identifiable information is encrypted in the database, and in fact it is encrypted in the database, but someone then discovers that the PII data is being transferred across the network in clear text. A compensating control would be, for example, an additional control to encrypt that data in transit to support the requirement. You want to make sure, for the exam, that you understand the key element that defines each control type and know a few examples off the top of your head, so you can pick those out should you see them in a question.

We're actually not done with control types, so let's keep going. We have corrective controls, which can range from antivirus that removes malicious files, to backup software that automatically restores missing files, to policy-based configuration management that returns a system to its desired configuration after a breach. Next up we have recovery controls, which are much like corrective controls but tend to have more advanced capabilities; good examples here would include server clustering, VM shadowing, hot sites, warm sites and alternate processing facilities. And finally we have directive controls, which are intended to confine or control the actions of the subject to force or encourage compliance with security policies; good examples of a directive control would be a security policy requirement, posted notifications and escape route exit signs, just to name a few. So again, make sure you understand the defining characteristic and you can rattle off a few examples before you walk into the exam. Now we're going to
talk legal and regulatory, which is an area of the CISSP exam that requires a lot of memorization; I'm going to try to help you focus that in. At a high level, the topics here include cyber crimes and data breaches, transborder data flow, licensing and intellectual property requirements (things like trademarks and patents; we'll talk about that in just a moment), privacy (very important, with quite a few laws related to privacy), and then import/export controls, which we'll cover also.

Let's start by talking about types of law. You have three types. You have criminal law, which is just what you think it is; it covers areas like assault, robbery, arson and murder. You have civil law, which covers more business disputes, contract disputes, real estate transactions, employment, estates, the high-dollar-lawsuit type of law. Then you have administrative law, which relates to government agencies; they have some leeway to enact administrative law that can cover important topics, or areas as mundane as requirements when procuring a phone for an office desk. The CISSP exam focuses on security-related generalities; you're not going to get into the nitty-gritty details of the law, but when a question comes up around health care related information, customer health care information, you'd need to know that HITECH and HIPAA are laws related to that topic, for example.

Let's talk about some of the laws that are likely to come up on the exam. The Computer Fraud and Abuse Act: I think the most significant thing about CFAA was that it was the first piece of US cyber-crime-specific legislation. You have the Federal Sentencing Guidelines, which are laid out to provide punishment guidelines to help federal judges interpret computer crime laws. The Federal Information Security Management Act, better known as FISMA, had some requirements around formal information security operations for the federal government. The Copyright Act and the Digital Millennium Copyright Act (say that three times fast) cover literary, musical and dramatic works, so that's really helpful for artists.

Let's talk intellectual property and licensing. You have trademarks, which cover words, slogans and logos used to identify a company and its products or services; if you want to protect your company name, you apply for a trademark. Patents protect the intellectual property rights of inventors, and trade secrets cover intellectual property that is absolutely critical to a business and must not be disclosed, for the health of that business. Then there are four types of licensing you should be familiar with: contractual, shrink-wrap, click-through and cloud services.

Let's talk encryption and privacy. Computer export controls: US companies can't export computer systems to Cuba, Iran, North Korea, Sudan and Syria, and there are also export controls on encryption, so there are regulations that restrict the export of encryption products outside the US to many countries. When it comes to privacy in the US, the basis for privacy rights is laid out in the Fourth Amendment of our Constitution. There are many laws related to privacy; I'm going to cover a few of those in just a moment. While the CISSP exam really focuses on the US market, generally speaking, privacy as it relates to the EU may come up, because many US companies have European customers and they're all going to be subject to GDPR, and that's most likely to be mentioned on the exam if something comes up around a foreign country. Now let's talk about other US privacy laws. When it comes to health care you have the Health Insurance Portability and Accountability Act, better known as HIPAA, and the Health Information Technology for Economic and Clinical Health Act, better known as HITECH. We have Gramm-Leach-Bliley, which applies to financial institutions; if you see a question on the exam related to law and financial institutions, I'd bet it's going to be Gramm-Leach-Bliley. The Children's Online Privacy Protection Act, better known as COPPA, and the Electronic Communications Privacy Act, or ECPA, which is one of two laws related to electronic communications that I might expect you'd see on the CISSP exam, the other being the Communications Assistance for Law Enforcement Act, CALEA; I think I'd be familiar with both of those as well. Notice that I've put the acronyms here. I find memorizing these acronyms makes everything easier, because memorizing all those words is a lot of work, but if I memorize HIPAA, when I see Health Insurance Portability and Accountability Act I can pick out the H-I-P-A-A, right? So memorizing those acronyms is going to make this a lot easier for you. And you notice how I talked about just the very basic focus of these laws; you're really going to be dealing with generalities, as I mentioned, and that's straight from the official CISSP exam prep guide and lines right up with my experience in taking this exam.

You're going to be expected to be familiar with the business continuity planning process and the issues that pertain to information security in BCP, around things like strategy development, processes, plan approval, plan implementation, and training and education. It's important you understand the steps of the process, but know that BCP topics are going to cover information-security-related angles; you're not expected to be a certified business continuity planner here by any means. I give you the same warning I give you for any process: when you're looking at a process, make sure you know the steps in order. Personally, I don't think you're going to see a lot about BCP on the exam; it'll be limited. You want to be familiar with education, so security awareness, education and training: the methods and techniques for different audiences, periodic content reviews, and evaluating your program's effectiveness. You can see a variety of questions here that talk about everything from simple user security awareness training to what's the deepest form of training, covering things like classroom training all the way to degree programs. But security awareness training is that topic that is ubiquitous when it comes to information security.

As you're preparing for the exam, again, I absolutely recommend you invest in the CISSP Official Study Guide; it has lots of questions, flash cards and searchable material. Domain one is covered in chapters one through four in the official CISSP study guide. You can get it on Amazon; I've got a link for you in the video description. It's just a shade less than sixty dollars US. And that is it for domain one. If you enjoyed part one, make sure to like, subscribe and hit the notification bell so you get a heads-up when lessons two through eight are published in the very near future. Until next time, take care, stay safe, and I'll see you in the next one.
Info
Channel: Inside Cloud and Security
Views: 89,416
Keywords: #CISSP #infosec #certification
Id: iArcmcGPp7k
Length: 60min 51sec (3651 seconds)
Published: Thu Jan 14 2021