Shon Gerber from ShonGerber.com provides the information and knowledge you need to prepare for and pass the CISSP exam, along with the tools you need to enhance your cybersecurity career. Shon draws on his expansive knowledge and his years of training people in cybersecurity to provide superior training.
In this episode, Shon talks about the following items, which fall within Domain 1 (Security and Risk Management) of the CISSP exam:
- The 2018 CISSP exam changes (Certification Exam Outline, domain renames, the CAT format)
- Section 1.4: Cybercrime and data breaches
- Categories of law: criminal, civil and administrative
- US cybercrime legislation: the CFAA, NIIPA (1996), FISMA (2002), the Federal Information Security Modernization Act (2014) and the CISA Act (2018)
- NIST SP 800-53, SP 800-171 and the NIST Cybersecurity Framework
- State-level cybersecurity legislation
- A few practice exam questions
BTW - Get access to all my CISSP Training Courses here at: http://shongerber.com/
Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
ReduceCyberRisk.com - https://reducecyberrisk.com/
Facebook - https://www.facebook.com/CyberRiskReduced/
Reduce Cyber Risk Podcast, August 19th, 2019, Episode 48: Domain 1, Security and Risk Management.

Welcome to the Reduce Cyber Risk Podcast, where we provide you the training and tools you need to pass the CISSP exam while enhancing your cybersecurity career. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Each week I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the CISSP exam.

Hey all, Shon Gerber again with Reduce Cyber Risk. I hope you all are doing wonderful this week. I know I am. I'm actually quite exhausted. My wife decided to start up a business, and I've been working that the past couple of weeks, and it has been a bit of a drain. But other than that, life is good. We're doing shaved ice. If you're not from around the United States, maybe you don't have that in your part of the world. It's an awesome opportunity, and it keeps my wife and myself very, very busy. So that was a blast; some things lined up for her. But other than that, things are great, and I couldn't ask for anything better as far as how things are going in my life.

So, in the news: some 18 gazillion billion accounts have been breached, and they actually recommend that you go see if your account was one of those lucky ones that have been breached. I haven't had a chance to even look, but if it's like a billion, oh yeah, they've probably all been breached, they've all been compromised. So you probably want to go and check that out. My recommendation on all of this is: make sure that you, as a CISSP and as a security professional, promote the use of password vaults. They're very important, and along those lines, they do allow you to add complexity to your passwords. So I highly recommend that you utilize those and promote them in some form or fashion. However, as you do that, it is important that you talk to people about password management, to make sure that they don't just copy and replace and put them in a vault. Because it's great and all, but if they're all the same password, that doesn't help you a lot. So make sure that you talk to the people you are in contact with about putting their passwords and sensitive information into a password vault, and also make sure that they understand what they're doing. I've seen it so much. Just last week someone made the comment to me that, because he doesn't really do much with his passwords, he uses the same password. And I'm just like, holy cow. And this is just a guy I talked to at a golf tournament. Replacing that with something that is much more solid and secure means we have to help teach people how to manage those. So just keep that in the back of your mind.

I've got some great topics today in our CISSP training as it relates to Domain 1, Security and Risk Management. We'll also be talking about the CISSP exam changes. Now, these are from 2018, so it's a little bit dated as far as what it was before in the past, but I still think it's important for you to understand where we came from as it relates to the CISSP exam. Then we're going to talk about Domain 1, and it's going to be Section 1.4, cybercrime and data breaches. This is going to be kind of apropos as it relates to dealing with the various breaches that have occurred in recent days. Actually, I saw one just recently, as of the recording of this podcast: there are over twenty local municipalities in the state of Texas (which, if you are aware where Texas is, is a monster state in the United States; it is huge) that have been hit with ransomware attacks, and they feel it was based on a targeted approach. Honestly, it didn't surprise me in the least bit, because, working with these municipalities and small state and local governments, what ends up happening is they don't have cybersecurity professionals to help them protect their environment. So it's kind of a scary thing for these places. And if they're hitting the United States, they're going to be hitting other countries too, and they probably already have; it's just not hitting the newswire that I see. So it is something to consider as you are listening and studying for the CISSP: there is a great opportunity for you to help make some change and help people protect their environments. We'll also be going over the CISSP exam changes.

I say all that now to put in a plug, a shameless plug, for ShonGerber.com. Yes, my parents, I love them and they are wonderful, but they spelled my name in a goofy way. I guess it's great for being found on the internet, but yeah. Go to Shon, S-H-O-N, Gerber.com, and you can check me out there. We have some great stuff for you. I'm migrating away from ReduceCyberRisk.com, as far as my website, to my actual name. As I'm putting out more information that relates to the CISSP exam, it's just a better flow. We will always keep Reduce Cyber Risk and the Reduce Cyber Risk Podcast, but we're moving the website to ShonGerber.com. There will be sample videos out there from various CISSP domains that you can check out, and there's also going to be a membership area that you can go into and study. But the bottom line is, it's someplace for you to study, learn, and get prepared for the CISSP exam, as that's the most important thing we want to try to help you with as it relates to the CISSP.

So what are we going to talk about today? The reference is going to be Global Knowledge. This site put out, basically, an overview where all the domains are listed, and they put out some information on the overall process of taking the CISSP exam. Again, there are some great study tips in this post, and we'll link that post in the show notes. But let's go ahead and get started and cover some key topics that they mention about the 2018 CISSP exam changes.

Okay, so looking at the different considerations around the 2018 CISSP exam: there are some interesting things that occurred in the last test revision, like last year's, when this all occurred. They do these changes on the CISSP exam about every two years, so the next revision should be expected sometime next year. That's what they're saying; we'll see if that actually comes to fruition or not. It may, I don't know, but right now it would be 2020. The revisions that occurred in this one weren't a step change; what they did change was the testing process. The revisions were small, but the testing process was new and different. What they did do is they made it a little bit harder, and they actually allowed more questions around each domain, all eight of the domains. In the past it didn't have an equal distribution around the eight domains, and now they did work pretty hard to do that. If you go to (ISC)², where you can check out the CISSP exam as far as what their objectives are and so forth, the key aspect around that is they break it into a percentage, and anywhere from 13% to 15% of the test questions will come from each of the domains. So the point around that is that it's pretty equally distributed through the domains, which makes it, I should say not much easier to take the test, but a much better testing solution, so you're not focused all on Domain 3, which is a monster, whereas Domain 4 is pretty light. They actually ask a lot of questions around all the domains. So if you're studying for the test you can't really skip one and say, well, I'm just going to skip Domain 4 because there's not much in it. That's not true; it'll get you on that.

Some of the main topic changes: the Certification Exam Outline, which you can go check out, was formerly called the Candidate Information Bulletin, or CIB, and is now called the Certification Exam Outline. There are also some domain name changes that did occur. What used to be called Security Engineering is now Security Architecture and Engineering. Working as a CISSP and as a CISO for a large company, architecture is extremely important, as I deal with that on a daily basis: when you're dealing with the engineering pieces of it, how is it all engineered with the security models or the security operations center, versus how you're dealing with the architecture? They also added the acronym IAM for Identity and Access Management. Typically, because I use IAM a lot, in many cases they don't spell out the full Identity and Access Management just because it is so long; what they do is put the acronym IAM in place. So that's kind of an interesting piece of that.

Now I will tell you this as far as the exam goes: the ultimate goal of the exam is to trick you. I mean, that's what it is, to make sure you understand exactly what the heck you're reading and that you actually know what you're taking from a test standpoint. So what I can see as a possible scenario on the test (if you've taken it you've probably seen this already) is that they will use IAM, but then they may switch it around and, instead of seeing IAM, use "identity and acceleration management," I don't know, hoping that you're thinking, hey, IAM is this, while the actual acronym in the test question is different, to make sure that you're actually picking out the right answer, not just the one that you're glomming onto because you see it and go "got it." So make sure you read all of the question and you go through it word by word, because they will trick you on these things and focus you on an area that actually doesn't exist. But again, this is only cosmetic; it really didn't change any of the content other than the fact that they added IAM as an acronym. There are some new topics that came into play, and how does that affect us? Those are important for you, as a person studying to be a CISSP, to understand: the legal requirements around it. Honestly, it does seem daunting at times because you've got to know so much, but that is the fun about the job: there are always opportunities for you to learn and grow, so that's the cool part about that.

Section 1.4.1 is cybercrime and data breaches. I'll go into the details around these, as we know we're dealing with these on a daily basis, so they're kind of talking about the different topics around those aspects. I have a friend that just got on as a forensics person on the East Coast, and this individual is now going to be working with the state and local agencies on areas around children, which is really a tough one, because of what you've got to see with some of these poor kids and what they have to go through. But it's a great opportunity for her, in that she's able to get her foot in the door into the cybersecurity world. A lot of times, in trying to find jobs online or out there in the world, there are plenty of jobs available. The hardest part, in many cases, is breaking into that first job, just trying to find a way to get into that world, because once you get into it, the migration to where you need to go can happen much quicker, because there are so many opportunities. But getting that first job can be tough, so you need to keep that in mind and keep an open mind around how you can break into that role. We'll talk a little bit about what you should do from a resume standpoint and understanding how you should interview. Go to my site, ShonGerber.com; I've got some things around hiring, so if you are a cybersecurity professional and you're looking to get a job, there are some great tidbits in there about what you should look for, how you should answer questions, and basically how you set up a resume.

Now, the CISSP exam's focus on the CBT model: they retained the question count around 250 questions, which is what they had back in 2015, and as they migrated to 2018 they converted to adaptive testing, which is the CISSP Computer Adaptive Testing, otherwise known as CAT. The questions then changed from 250 to 150 questions. So you've got it easy, right? Going from 250, which is what I had to take; it was like 8 million questions, it was a lot, and you used the bubble sheet. But now it's 150, so great, awesome. But here's the thing: unless you really understand this stuff, if you don't have it, then these 150 questions give you less opportunity to screw up. So the questions are 150 questions, and of the first 100 questions, 75 of them are graded and count towards your score. As you move forward in this, what it basically tells you is that when you get to question 100, if you've done poorly on those first 75 questions, once you get to question 100 you're done, baby. You are done, no more. If, by the time you get to that point, they have 95% confidence that it's looking like you'll pass the test, or not, then there's question 101, 102, and so forth until they feel like you passed or not. I'll say what you want to do is do not skip a question. It is so much better to guess than it is to skip a question, because once you skip it you can't go back to it, and then what ends up happening is that will grade upon you and cause you some grief.

The purpose of it, though, was to decrease the fraud. There were tester impersonations that were occurring, and there was stealing of test bank questions, and I'm like, you've got to be kidding me. I guess it's naive of me that I didn't think this would be happening, but people were actually doing it, because the requirement for a CISSP is so high. The challenge is that it just really hurts the whole overall group, because now you'll get these people that have basically lied to take the test, to pass the test, just so that they can get the job. What's going to happen is you're actually hurting yourself, and you're hurting the organization that you're going to work for, because what taking a test amounts to isn't really what's important. But what it does prove is the fact that the people that do that don't have integrity to begin with. So it will cause some challenges, and I do not recommend it. Don't be like that; at least you need to study for the test.

Other exam tips they brought out: there's the same level of depth and complexity that you saw on previous tests, and (ISC)² states that the CISSP CAT, which is the adaptive testing, is the same as the previous exam. It's just adaptive, so rather than waste your time, and (ISC)²'s time too, if you just didn't study, it'll get you out the door and be done with it. So that's the interesting part about that. Now, in the past people would say that you can skip domains, like, again, Domain 4 doesn't have many questions so you can skip it and move on. Don't do that. You want to make sure you take all the test and you study for all of the test. It's imperative that you understand this information, because one, it's the right thing to do and you can then pass the test, but it's also going to help you out daily. Even if I didn't understand what the heck it meant, at least I knew, from looking at it and reading the information, where I could go back and reference it during my daily activities.

So basically, as you do the math around all this, there are right now over 125,000 CISSP jobs that are open worldwide, and they do have some of the highest salary ranges. From a CISSP standpoint it's not the highest range, but they are substantial compared with what you'll see for a standard security analyst and so forth. They're widely recognized as what is needed for cybersecurity experts to move on to the next phase. So I highly recommend that you get your CISSP, and if you listen to this podcast you probably are studying for it, but it's imperative that you do it the right way so that you can pass the test the first time and move on.

Now let's move on to the CISSP training. We're talking about 1.4, cybercrime and data breaches, and this is part of Domain 1. Now, as you're studying for the CISSP, there are some different aspects around categories of law, and law is an important part, because as a CISSP you'll be dealing with the law on a routine basis, from regulations that occur around the globe to just the fact that some knucklehead decides to steal stuff and now you have to go deal with the whole incident response and then go through a whole investigation of the situation. So you will deal with law routinely.

The first one I'll get into is criminal law. The purpose of criminal law is to preserve the peace and keep society safe, and this comes right down to murder, assault, robbery, arson, all of those. These are based on how the US has set up its laws, and it may be different in the country that you are in, but in reality they're not too far off, because people are people and people do crimes. As far as the test is concerned, these are the main things that the (ISC)² test is going to focus on. Penalties will vary, from as little as community service, which means working in your community to pick up trash, to the death penalty. That's quite the range of things. Now, computer crime is included in this; you'll see a lot of this where people will take pictures and utilize electronic media, especially as it relates to children, and that will get you in a world of hurt real quick. One, it ain't right, and two, it's going to send you to prison with people that don't like people that are like you. So therefore it's imperative that you do find this stuff out, you hunt it down, and you basically put these people behind bars. So that's the purpose of criminal law.

Civil law is the bulk of the body of law; that's where most of the laws come from. Civil law deals with things that occur within your environment, such as speeding tickets, not paying a permit or fine (except for administrative law), but there are different things out there today designed to provide order to society. If you didn't have speeding tickets, or if you didn't have, like the one I got a while back where I failed to stop at a stop sign and just basically rolled through it, if that was the case then everybody would be doing it, and society would start falling apart. Civil law follows the same process as criminal law, but the difference is what they call enforcement: the fact that law enforcement is not used in civil law. You'll see it in many cases. Let's just say I'm a bad guy and I go and hit somebody with my car and kill them, okay? That would fall under criminal law, and I'd get nailed for doing that, right? That would be bad. Then what would happen is, once that's done, the family of the person that I ended up hurting or killing would come after me in a civil lawsuit, a civil law case, as opposed to criminal law. The purpose of that would be fines and other ways that they would take my money or other aspects of my assets and so forth, but the government plays an administrative arbitrator role in civil law.

Administrative law is the power of the executive branch of the government and the different agencies that are involved, and it can basically be a wide range of acts around that, from basic regulatory requirements to enforcement, like in the case of United States immigration; that would be administrative law. So those are the different aspects that are in place: your criminal, civil, and administrative law. I'm not giving a course on legal aspects, but it really is imperative that you do have some legal counsel involved in all matters of protecting your network, as it relates to the CISSP. So what I would recommend is get to know your legal counsel; it will be important. Now, your legal person may not understand why they'd want to get to know the security guy, but as you educate them, they'll learn real quick that, yeah, it's probably a good idea. Your legal counsel will be your best friend in many cases.

Cybercrime and data breaches. Now, computer crime is basically expanding into many aspects and many areas of life, and as we deal with more of these networks that are in the IoT space, the Internet of Things, it's going to be more and more prevalent within your environment. Many of these old laws are finally starting to be updated, and in some cases states are actually implementing new laws to deal with this increased cybersecurity risk that they see. But again, the old laws especially do not always pertain to the new world. There is the old telegraph law in the United States; the whole purpose of that was because that was what they dealt with, and the technology change was relatively slow as it relates to telecommunications. Now telecommunications is changing at a breakneck speed, so therefore the laws just aren't keeping up. So keep that in the back of your mind.

Now, the Computer Fraud and Abuse Act, called the CFAA, was the first major piece of cybercrime legislation that was put out, and it was part of the Comprehensive Crime Control Act, or the CCCA. It was designed not to infringe on states' rights. Now, in the United States, states' rights are very important; the United States is a conglomeration of multiple states, and the states all connect together pretty tightly into the federal government. Some key examples around this are access to classified and financial information, modifying medical records, trafficking in computer passwords, and causing malicious damage to federal computer systems. All of this was part of the CCCA, and the Computer Fraud and Abuse Act was part of this CCCA. Amendments have occurred since then that outlaw the creation of malicious code. So if you create code and you do that in a poor way, in a way that is meant to be used to hurt people or things, that will get you nailed under the CFAA. Also any computer affecting interstate commerce, so electronic wire transfers between states: once you start messing with that and affecting that, you will get nailed. Here's a lesson to keep in mind that you need to just understand as a CISSP: you start messing with people's personal data and people's money, people are going to jail, and they are not going to mess around if they catch you. Again, that's a big thing.

I was telling a friend of mine (we were talking about BECs, which are business email compromises, and how easy these are becoming) that a guy could make a gazillion dollars doing fraudulent activities using BECs, and you think about that and go, what? One, it isn't right, it's not morally right, you shouldn't be doing it; two, I really like my ability to have freedom, where I can move around, and if you go do stuff like that, yeah, you're going to be stuck in a little tiny country that has no extradition to the United States, and you'll be breaking big rocks into little rocks, whatever money you could potentially make. But it's crazy how much money these are affecting people. The FBI just put out that business email compromises in 2018 accounted for $1.2 billion in theft. That's huge, and they're expecting this year it's going to be over three times that amount, so it's just crazy.

Next is the National Information Infrastructure Protection Act, NIIPA, of 1996. Now, this is an amendment to the CFAA, and it was designed to broaden the international commerce aspects of it, and it was also to affect the national infrastructure, which would be the critical infrastructure of the United States. It was designed to deal with that: it treats intentional and accidental damage to critical infrastructure as a felony. Now, that's the interesting part around that: the accidental damage. They're going to have to build a case around why it would be a felony and why you get nailed for it, but at the end of the day the goal is trying to put a big enough hammer on this that if you do something through neglect, and you know that, accidentally, you didn't do something you should have done, you left the port open and it was hacked, they're going to come after you and they're going to force you. You don't get to say no; you could be dealing with a felony situation just because you didn't do your job the right way. So that's an important aspect for people to keep under consideration.

The Federal Information Security Management Act, FISMA: this also requires government agencies to have a security program in place, and you'll be hearing this. That's part of the reason why people have glommed onto the CISSP: having a security program in place, and this will provide guidelines for you around that. If you are studying for the CISSP and you are looking to put a security program in place, NIST, the National Institute of Standards and Technology, does have guidelines to help you with that. I will tell you from that standpoint, if you follow that verbatim, you will have a kick-butt program. It will be amazing. It just depends, right? So if you get into an organization that really has never had cybersecurity, and now you are the person, the male or the female, that's going to make this happen, what ends up happening is you're going to come back with all these great recommendations from this, and they're going to go, "talk to the hand, we don't want you to do that," because they've never dealt with it before. You're going to have to build relationships and build a base layer, a tribe, somebody that's going to follow you, that's going to understand your security posture and what you're trying to accomplish. So it's imperative that you do that. Don't just come out, and I'll tell you, guys and gals, do not, when you become a CISSP, start throwing around all this security program stuff at people. You need to work people into it, because if you don't you will burn a lot of bridges and people will not want to work with you. So that's a little tidbit of information. FISMA covers periodic risk assessments, policies and procedures based on risk assessments, subordinate plans for providing those, and then security awareness training. So it provides the outline, the shell, of what you need to keep in mind as you are moving down this area.

The Federal Information Security Modernization Act of 2014: okay, so this one modernized the federal government's cybersecurity posture, and it gets confused with the 2002 FISMA, which required federal agencies to develop, document, and implement an information security program. So it's enhancing what they've learned over the years and has brought cybersecurity to a higher level of attention, and how the government is going to act on that. The thing that it focuses on is a risk-based policy for cost-effective security, and that's what you're going to look at. OMB provides reviews of money spent, and it replaced FISMA in 2014. They also centralized federal cybersecurity with the Department of Homeland Security. Defense-related cybersecurity issues now report to the Secretary of Defense, and intelligence-related cybersecurity deals with the DNI, which is the Director of National Intelligence. And now, in 2018, President Trump signed the Cybersecurity and Infrastructure Security Agency Act, that's CISA, and it's designed to build a national capacity to defend against cyberattacks. It is a big deal, it really is, as far as how cyber is getting more and more involved within the government and within state and local agencies and business. It's designed to design cyber tools for federal agencies, along with incident response services to go with those as well. The bottom line is it's to help fix some of the issues after this fast-paced, breakneck speed of growth that's occurring. It's also to protect critical infrastructure, and you'll deal with that as you move your career on with your CISSP. You will deal with critical infrastructure in some form, shape, or another. It may not be the infrastructure for your country or where your local area is, but when you deal with businesses they do have their own level of critical infrastructure. The company I work with right now deals pretty strongly with the chemical industry, and whether or not that is considered an industry that is part of it, at the end of the day you're going to have to deal with the federal regulations.

Then NIST has standards and publications on this. There is NIST SP 800-53, controls for federal information systems and organizations, and you have SP 800-171, which is protecting unclassified information in non-federal information systems and organizations. The bottom line is that most systems out there are unclassified. Classified networks are classified; yours is unclassified. But it's a great way for you to understand how you should protect your environment, because it's unclassified. Now, if you have intellectual property, you may consider that a top secret recipe, your 11 herbs and spices that make your business run; that is maybe something you want to consider as a classified network and then add levels of security to that. Then there is the NIST Cybersecurity Framework that's available for you to use as a guideline and a template to understand what you need to do from a cybersecurity standpoint.

Now, there's one last little caveat I want to add to this: cybersecurity legislation and how it's affecting the different states. The purpose of this is improving government security practices, and that's one of the pieces of legislation that's in play still. Now, states in the United States at least (it could be your province where you're at around the globe) are ending up putting individual practices in place in those various states. In the United States I've seen it in South Carolina, California, and Massachusetts, because the federal government can put some things in, but the local governments, as their own governmental agencies, need to have something in place to protect them as well. So that's improving government security practices and working on public disclosure of sensitive cybersecurity information. That's the CISSP half for today.

So let's roll into just a few exam questions. First one: what is the Federal Information Security Modernization Act of 2014 responsible for accomplishing? A, modernizing the federal government's cybersecurity; B, part of the Cybersecurity and Infrastructure Security Act; C, combat cybercrime and create cybersecurity incident response processes; or D, amended the CFAA. The answer is A, modernizing the federal government's cybersecurity.

Alright, next question: what are the categories of law, in the United States and on the CISSP exam? A, civil and administrative; B, civil, administrative, and criminal; C, local, civil, and criminal. The answer is B, civil, administrative, and criminal.

Those are a few questions. Alright, that's all I have for today's podcast. I hope you guys had a wonderful time, and I hope you have a great week this coming week. Check me out again at ShonGerber.com, that's Shon, S-H-O-N, Gerber, like the baby food or the knife, Gerber.com, and check me out. You'll get some great, wonderful stuff out there. The ultimate goal is not to create some membership site that you come to and pay monthly just to hang out; it's to help you pass the CISSP the first time. So I've got some great free stuff out there for you to give you a taste of what I can give you, and then we can have a dialogue. That's the ultimate goal: to give you some level of understanding and a dialogue around how I can help you with your CISSP, and then also, once you pass the test, that's the first step, to help you then also become a cybersecurity professional that can help people in protecting their environments, because I can see what's happening with the state and local agencies. Catch you on the flip side.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes; I greatly appreciate the feedback. Also check out my CISSP videos that you can find on YouTube; just search for Shon, S-H-O-N, Gerber, like the baby food or the knife, and you will find a plethora of content to help you pass the CISSP exam the first time. Lastly, head over to ShonGerber.com and look at the cornucopia of content for my email subscribers. Thanks again for listening.