RCR 018: CISSP Introductions

Dec 25, 2018

Subscribe: iTunes | Google Play | Stitcher Radio | RSS

Description:

Shon Gerber from ReduceCyberRisk.com reveals each week the steps and information you need to best protect your business and reduce your company's cyber risk. Shon provides cybersecurity training for individuals working on their CISSP as well as ways to better secure your business's daily activities.

In this show, Shon will take the time to introduce himself and the Reduce Cyber Risk website. RCR will strive to provide you the cybersecurity training you need to educate yourself on cybersecurity matters.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskRed...

Transcript:

Welcome to the Reduce Cyber Risk podcast, where we give you the tools you need to meet your cybersecurity regulatory requirements while helping secure your business and keep the evil hacker horde at bay, your business, and reduce your company's cyber risk. How to get going. Welcome, this is Shon Gerber, Reduce Cyber Risk, on this episode, 12-10-2018, where we're going over a lot of really cool stuff today. We'll get into the Australian encryption challenges that go with that. Second is the Marriott breach that may or may not affect you, and some things are coming out of that. California IoT, Internet of Things, and their law that just passed recently. The business tips around Amazon VPNs, VPC security groups, and finally we're going to do some security training on the CISSP and its introduction.

Security snapshot: kind of talk about the Australian encryption bill that came out about last week sometime. The main thing that came out of this is that what they're wanting, what they're going to do, is the Australian government is requiring that application developers create basically a backdoor into their encryption scheme that are in their applications. The interesting part about this is, now, they've wanted to do this for years, is that an individual or a country can say for law enforcement purposes, what we want to do is we want to allow them to get access in case the terrorists are going to plan something. So they want to basically put a shim into the encryption piece of applications, so this is going to affect your Googles, your Facebook, everybody, right, that deals with Australia. So then the question to ask yourself: what, you've got to put the shim in there for your stuff or somebody else? And this is just a bad idea. The simple fact of it is, does anybody think that the criminals are going to go, "I guess they got us, now we're done, no big deal, right, I guess they're just going to catch us"? That is not going to happen. No way is that going to happen. So what will happen is that these criminals will find new ways around it, and they'll just, they are very smart. Not real good on what they're planning, what their future plans are, but they're very, very smart people, not all of them but many of them are. And so the Australian encryption bill is actually going to be a detriment to security, and everybody I've talked to, and the people that are coming back about it, everybody just shudders at what a mistake this is. And when it comes down to it, really, it is legislators who really do not understand what they're doing, and/or they're getting pressure from their constituents that they had to do something, so this looks like a good solution. It's just a bad, really bad idea.

The Marriott breach. Termites during this breach, and that's a bad thing, right. Things we're kind of starting to see is they're going to do the obligatory, now here, here's your free credit reporting. It depends, right now in China, but they're all over the globe. The fact of it is that they're going to get to a point where they go, well, yeah, we did it, we give your obligatory security stuff, and, oh, by the way, look, there's a rabbit over there, and then they just keep on moving on, and they're still going to make money. The interesting part about all of this is just that these breaches continue to happen, evil, or 500 million accounts, and pick up the pieces, and affect their bottom line. I've heard rumblings from other people talking about that breaches that used to be, like the Target's, that have the HVAC, that heating, ventilation, air-conditioning company that breached the Target, US-based company, and they said it would, that would affect them and what's going on in their environment. I don't think it really did. And so the interesting part of it is that these breaches continue to occur, and they're going to cost, I should say that it costs a lot of money, but at the end of the day other companies that have been breached, they're doing all right. So it will be interesting to see what the breaches in the future do and how this affects everything.

The California IoT bill. What is that, what is the Internet of Things bill, and what do they require? What California's requiring is they're trying to get away from having the ability where these companies that come up with your smart light bulb, and people are just throwing some sort of wireless device inside a light bulb saying, okay, great, I'm hooked up to your home, no security around it at all. It is that, well, if we come up with some level of standard for these different IoT devices, it'll force manufacturers to do that. I commend them for doing it; it needed to happen; it's a smart idea. The challenge will be how does that play out long-term. So it was really going to force the United States, there's a conversation about they're going to have to do something, 'cause right now the United States, you've got EU GDPR, you've got China with the Chinese Cyber Law, and then you've got the United States, which is still proving to be, hmm, and that just proves that I'm not there. Basically going to come down to their notice, they've got multiple bills out there that are focused on cybersecurity, but nothing around this, so it'll be interesting to see what the US government does and picks up the plan, because there are some other bills that are out there, around in Ohio, around IT security for businesses, that they don't, it's the Safe Harbor, which basically says that if you are a business and you try to follow the security frameworks that are specified out there, cybersecurity framework, you will be protected in the event of a lawsuit. But again, you've got states in the United States, individual states, that are coming up with their own security plans versus what the United States does. It's on the US government to address that issue.

All right, so we're rolling up to some business tips to hear a small and medium-sized business. I try to put these things out there for your business to just kind of give you a little insight into what is available as it relates to security and your companies. So, Amazon virtual private cloud, or Amazon VPC, a little virtual environment that exists within Amazon, and in there there is an object called security groups, and the security groups are basically a firewall. But the interesting part about this is that currently, if you have a business and you want to put in a firewall, they're usually hardware-based, or if they're software-based they're individual, they're kind of stuck in there, they're at their individual application. What security groups allow is that you can put firewalls anywhere, and it allows inbound and outbound traffic specifically to your company until you set up rules just like you would with a standard firewall, and then that will allow traffic to come and go. There are limits; they don't let you have 3,000 different firewalls, nor would I recommend that. I've seen networks that have multiple segregations, multiple firewalls, and they've got virtual, VLANs, virtual local area network firewalls, super complicated, a situation that may be necessary; however, I would beg to differ that it adds a lot of complexity to the point where it gets hard to manage. However, they need to have some rules in place to manage the traffic coming and going into your network, and the security groups will do that.

You do have a limited number, but they have, so you can specify specific rules for the VPC, inbound/outbound rules; you can specify what exactly you want. Now, if you for whatever reason do not put in security rules, you want to go with the default, you just drop one in, a security group, and in the same place it is set up specifically to allow outbound traffic only. It will not allow any inbound traffic. So the guy, like myself, with a third-grade education, business out there, I'm going to go drop a security group in place, set one up, and I'm good to go, and I forget about it, right, 'cause I got too distracted by the butterflies flying across the room, and then I get off on something else. That happens to me, butterflies. But yeah, what it is is that when you set up the security groups, if you just put one in place and forget about it, what it does, it's set up so that you will only allow outbound traffic. Now, the question on that, though, the bad thing is, if you get a phishing email and you're using your Amazon VPC and you click on the link, it will allow an outbound connection; it will allow connection between the two. Challenges though, you've got to make sure that you set up your security group the right way and have only specific rules that are allowed into your network. There are tutorials out there that you can do, there's training out there how to do it, but the security groups are a great tool to protect your company. The other thing is that your security groups can talk to each other. So you have your VPC, which is a big cloud, and you get a couple of security groups in place; well, what'll happen is, you want them to talk to each other. By default they don't, right, but you can set up rules so that they actually can, so it allows interconnections between different entities within the cloud. Great idea, awesome idea, incredible. The challenge is though, you just got to make sure that you know what you're doing, because you can actually open up more risk to your company than you anticipated. Associated with network interfaces, so each network, each network interface that you have set up within your VPC, you can associate a security group with it, which is a great idea. So now you've got all these networks that are potentially coming into your cloud; you can set up a specific network instance. A great way to limit traffic and monitor, manage traffic that's coming in and out. All right, that is the Amazon virtual private cloud security groups.

Training on how to best protect your business, find the right people for your company, and if you're a security person, the right training to help move you on your way. Wild example, I've got CISSP training. I'm a CISSP myself, and what we want to provide is a level of, what can you expect from your, on the CISSP. None of your business? That's okay, this training will be awesome for you, in the fact that it will give you some knowledge and some language on what your security person is actually telling you, because all I know is that when people talk to me about finance, all I hear is "won't won't won't won't won't won't," like, what are you saying? I don't understand what NPV is, net present value, what the heck does that mean? So the point of that is that if you don't know the language and you don't understand what they're saying, it's really hard to communicate and ensure that your business is secure for you, especially if you're looking for security folks or you're trying to figure out how to navigate the security cyberspace, right? All right, so (ISC)², the International Information Systems Security Certification Consortium, say that ten times and your tongue will fall out. They are the governing body that actually provide CISSP training, okay, and they also will certify CISSPs. CISSP is a Certified Information Systems Security Professional, and it is the big daddy dog certification for security folk, and it's like up there, right, takes forever to get, super expensive, but once you get it you become Superman of the security world. Ah, no, not really, but you think you are, and that's good, but you're not. CISSP since 29th 2009, and yeah, the point where I talked about private clouds and security groups, in the, yeah, that didn't exist a few years ago, so this world is constantly changing. Anyway, back to what we were saying.

The mission of the (ISC)² is to maintain the Common Body of Knowledge, it's the CBK, and provide certification for information security folk. That's what the purpose is, right. They produce security training, all of those aspects, and you can go, they give you accreditation stuff for CPEs, continued education training, and so all of those things are available through (ISC)², and they support various certifications, from CISSP, SSCP, so on and so forth, alphabet soup, ABCDEFG, all kinds of certifications they support. Now what do I talk about: there are eight security domains that are tied specifically to the CISSP, and those are security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security testing and assessment, security operations, and software development security. Each of these are the main behind the CISSP, and so therefore that's how they bucket it. Now, because that's how they bucket it, what they also do is that's how the testing will come into play as it relates to the CISSP. Do you listen to all of those big words? They're like penny marbles in your mouth and you're trying to say them; it's like, what in the world is this? But believe me, I've been doing this for a few years, and the fact of the matter is that out of 90% of stuff in here I have touched it, and not just kind of, gone through all of these areas pretty intensely from all the roles that I've had in the security space. So if you get the CISSP and you cover all these places, you really, arguably, have a pretty good, strong background in security. What we want to do now: the whole purpose of the CISSP is a mile wide and an inch deep; in some areas you might be like 3,000 feet, but it's like a mile wide.

All right, so pre-qualifications: practicing security professional. What the heck does that mean? What it comes down to is that if you are a security admin on your data center, whatever it might be, you're a security professional, because you should be incorporating security into your network. If you're not, and you say, I'm not, 'cause I'm not doing it, but I might have been on the data center, shame on you, okay, 'cause bottom line is security is not just one dude to do that job; it is everybody's responsibility, and it's up to it, because right now close to two million security people, there are going to be job openings within the next 2020-something, like, bottom line, they ain't going to fill all those, there's no way. So you have to understand security before you can take the test. You've got it, or before you become a CISSP, you have to have full-time paid work experience, and that has to be salary or commission, within at least two of the eight domains. So what does that mean? I mean, eight domains of security, I've been making some money over those, okay, they got me doing it for a living. Or the big caveat, or quotes, all that, you have four years' experience with recent IT, so information technology or information security degree from a college. The purpose of this is, they've called it their Associates program, but it's because there are so few people to get this that have a security background, they're wanting to get people in early. So in a case like me, I had to have five years of experience, but bottom line is that you have to have experience in these colleges, but it gets at least people started on that way. You can take the test early, but you're not a CISSP until after you complete the program. Right, it's five years to complete it; it's six years to complete a five-year program, but once you're done with that and you've taken the test, then at that point in time you can become a CISSP. And then finally, you have to have an endorsement from a sitting, an active CISSP. All right, so you can't just go take the test; you have to have somebody endorse you, okay.

So they do CAT training, testing, and what does that mean? It's called CAT, and it's set up so that each of those eight buckets that we talked about, that 15% is the first one, security and risk management. That thing is like forever long, as far as training goes; it takes forever to put it together; it's like a hundred-some slides, but everything, so those that kind of training, 15% of it is what you're weighted on for security and risk management. Asset security isn't as big, and it's about 10%, but if you look at the spectrum, it's from 10 to 15% is what you're looking at from a CISSP, the testing, so the tests are pretty much broken up throughout the whole thing. Now the thing with CAT is that if for some reason you do not do well, so say you're in, since you're taking the test and it realizes, hey, Shon, he's got his third-grade education, he doesn't know what the heck he's talking about, bada boom, bada bang, you're out. You start answering questions wrong, you're done, game over, no more, touché, they take your 1200 bucks and you're on your way. So I highly recommend that you study for this thing, but it is actually adaptive; it's figuring out if you actually know what you're talking about or if you don't. So I highly rate this; it's different than when I took it. So in the old days, an old crotchety guy like myself would go, we had it rough, harder, because I could just get away with questions and then kind of narrow it down. This, you've got to know your stuff; you can't just go memorize questions. So when you're taking the test, when you're taking the questions, your exam tips: it's using multiple choice, okay, it's usually four options-ish, right around there, and some are very straightforward, some are not straightforward; some of them are like, please choose the best, the best or most, most bad, correct option of the question, and I hated, I hated those. Do you like the least wrong, the least correct? It's not as subjective as you think it is. So then what you've got to do, what you've got to go through there, and you're taking your test: one, take your time; two, be prepared, better be prepared; three, take it back to one, take your time. And when you go through number three, when you go through each of those questions, make sure you kind of narrow down, so of the four, which two of the four are like, these ain't going to work, no question about it. Don't understand them, if you still don't know, then what you should do is move on to the next question. But bottom line is, though, just be prepared to sit for this thing, as it is a bugger. It's a bugger, no question about it. I felt the first time, I did self-study, didn't go to boot camp or anything like that, didn't have any extra training; however, I would recommend you can get some training. If you're going to spend the money on the boot camps, they're around $78,000; I highly recommend that if you can afford that money, go to it. If not, get some video training on what you should study for and how you should break that out. Chinese Wilsonville to get some of that. Mine is, be prepared for it; do not go in there thinking you could shoot from the hip, that you're going to pass this thing. Now maybe, again, all of you guys out there that have got master's degrees and are PhDs and are super smart, maybe you can. So again, just got to be prepared for this test, because it's a boy. CISSP training.

So we went on what's going on in the security world, some business tips on virtual private cloud, and then finally some training on the CISSP and how to prepare for the exam. You can get some references out there; you go to isc2.org, and they have some self-study books that are available to you, and there's also some links that will be in the show notes as well. All right, hope you had a great day, enjoy the wonderful weather wherever you're at, and we'll catch you on the flip side. See you.
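The security-group segment above makes two points a defender should check for: a group that has been left with inbound rules open to the whole internet, and groups that reference each other (which is how security groups "talk to each other"). This added audit script is not from the podcast or from AWS; it reads the JSON shape that `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`) returns and runs offline against a constructed sample whose group ids are placeholders.

```python
"""Audit AWS security-group rules for world-open inbound access and
for group-to-group references. Added example, not the podcast's code.
Consumes the describe-security-groups JSON shape; sample data below
is constructed and its group ids (sg-new, sg-web, sg-db) are placeholders."""
from typing import Dict, List

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _port_label(perm: Dict) -> str:
    """Render a permission's protocol/port range in a readable form."""
    if perm.get("IpProtocol") == "-1":          # AWS uses -1 for "all traffic"
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    rng = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{perm['IpProtocol']}/{rng}"


def open_ingress(groups: List[Dict]) -> List[str]:
    """Return 'sg-id: proto/port' entries for inbound rules open to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):        # inbound rules only
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if ANY_V4 in cidrs or ANY_V6 in cidrs:
                findings.append(f"{sg['GroupId']}: {_port_label(perm)}")
    return findings


def sg_references(groups: List[Dict]) -> Dict[str, List[str]]:
    """Map each group to the other groups it accepts inbound traffic from."""
    refs = {}
    for sg in groups:
        sources = []
        for perm in sg.get("IpPermissions", []):
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        refs[sg["GroupId"]] = sorted(set(sources))
    return refs


# Constructed sample: a freshly created group (no inbound rules, allow-all
# egress, the "outbound only" default the episode describes), a web tier open
# on 443 and SSH to the world, and a db tier reachable only from the web group.
SAMPLE = [
    {"GroupId": "sg-new", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]

if __name__ == "__main__":
    for line in open_ingress(SAMPLE):
        print("world-reachable inbound:", line)
    print("group references:", sg_references(SAMPLE))
```

Feed it the real output with `aws ec2 describe-security-groups --output json` and pass the `SecurityGroups` list to both functions; the SSH-to-the-world finding is the kind of rule the episode warns about forgetting.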
