Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.
In this episode, Shon will talk about the following items that are included within Domain 6 (Security Assessment and Testing) of the CISSP Exam.
BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/
Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/
welcome to reduce cyber risk podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host for this action-packed informative podcasts each week is I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam strategies Dwayne sex he's doing great this wonderful weekend as we got as we are rolling I should say it's a short week it's supposed to be scheduled to be released around the first of the year and I'll after the Christmas holidays here in the United States and this is a really interesting episode around a security assessment and testing I know we've done this in the past working with the military and they let many times get a little confusing as far as how people look at assessments and understanding the overall picture of how it works is kind of in my mind is very important a recent cyber-attack that hit New Orleans and I just kind of going through the the email or I can set up the website of Romulus and it's been seeing CNBC but they're basically New Orleans shuts off computer after a cyberattack following to Big incidents in Louisiana this year and it looks like they had a ransomware attack on their infrastructure and cause them to bring basically shoot down our kick-off the the Nola alerting which is the amount for when they have an event that occurs within New Orleans where there is a like the case of the past floods this is like a type of program that goes out that kicks off and so they basically had a widespread cyber attacks across Louisiana on the past couple or the past month for sure but recently as well so I think it's kind of interesting how the fact that at least cyberattacks are really getting companies and in many cases of seeing these smaller in small cities especially but even large cities now with New Orleans there's a real strong risk of cyber attacks that are hitting these these municipalities and he's different locations and a lot of this comes down to is one because you guys are setting for the cissp so you want to become a professional in the security space there's lots of opportunities here but is also the fact that maybe people don't totally understand I see it personally where you may do scans if you're going to talk about hear of a installation or of a network but then you come to find out that the management does not want to do much with it they're used to having they cost when they are they don't want this anymore money and there's a lot of cases of old outdated equipment that will be sitting at these locations and people don't want to take spend the resources or the time to upgrade them what ends up happening to leave themselves vulnerable as much similar to what is occurred in New Orleans so I think it's very interesting at that the cool part about it is the fact that if you are sure there's a cool part of here in New Orleans but if you're a cissp are working towards your cissp the world is a great opportunity for you. about what CNBC said around it and one of the tweets that had its is a nola ready as their tweet so they're working with Cypress key resources from the FBI Secret Service and the National Guard which actually because taking over a big substantial part of the cybersecurity space if I will just recommend this if you are wanting to get into the security world I highly recommend you get into the the National Guard as a release of the Cyber stuff cuz I can teach you all the skills you need to know and yes you can make money at 2 so that's a plug for the garden the attacks followed outages experience elsewhere in the states in November and July so they've had those well School District governor's office as well as Medicare systems in Department of Motor Vehicles. That's not shocker DMV and I will say Wichita Kansas DMV but these are different attacks have been hitting me systems and is similar to what they used in this one was a 23 Texas towns had a coordinated attack as well in August so you're going to start seeing this they're going to try to be fleecing these small municipalities now it's not just in the United States globally I see the news on that but if you are listening to podcast from somewhere else on the planet then either high is probably happening in your area of the world as well so that's just something I threw out there real quick show me the podcast that get into news and how does it affect people but at the end of the day that is interesting piece if you're trying to work on your cissp definitely shows that you need to keep doing it and get her done so lots of opportunities okay so this is going to main security assessment and testing and we got a couple articles room to talk about here that have been that come from one of their actions say what are called specifically is coming from infosec Institute. Com and they've got a link will be in my show notes around there's a basically a Refresh on security assessment and testing and I'll go over the article and what can I use some real world examples to and all that's kind of affected me in the past this article again like I said is from infosec Institute security assessment and testing basically bring this down is that your secure are a provide a holistic view of your organization security tools and their effectiveness and I will say that is true it is important that you provide through the security assessment to give you an understanding of how vulnerable you potentially are the other aspect that goes into this you may run these security assessments but you have to do something with the results as well so just running an assessment and having this document it sits on a shelf doesn't really do a whole lot of good so you need to make sure when you do these that you do have a mitigation strategy in place or that you're going to develop one for that two subcategories Access Control test and security assessments the access control test obviously their rights based on the roll sell the Articles Focus pretty much comes down to access control test and Compass a number of processes and methods that assess how strong organizations access control systems are and again we kind of talked about this and future and past podcast where they do these these control test will determine how much of a gaping hole you may have and so therefore you need to run things such as vulnerability scanning penetration testing and various security audit and the interesting part pentesting that's where I came from and then pentesting vulnerability scanning I see a lot of value is almost more value in the security audits because as we're getting more and more dependent upon the cloud and there's these other software-as-a-service infrastructure-as-a-service platform-as-a-service different methods out there for people to use is becoming more and more prevalent that I have to be able to go back and audit was actually occurring within my organization pentest will focus on some key areas it Network infrastructure what applications facilities and wireless configurations just to name a few and that this is so true because I've done all of those but the key run pentest is that you have to look at a very specific niche and look for areas that might be affecting various systems an example around the inside one would be as if you have in the military to get a specific weapon system that needed to have a pen test done against it you would focus specifically on that weapon system you wouldn't focus on the overall infrastructure Tris to get to at you would focus on that system as a whole now you would also look at dependencies does it need to be networked network-connected if it did then that would be a dependency that you have to work through you basically these are commonly called a white hat hacker and they're probing for vulnerabilities basically using secure tools that are for stools that they will gain access to your environment would be open or closed doors are closed but bottom line is that you bought it or you may have a scanning tools that you may use within your organization that you created methodology for pentesting planning this I've seen this on the cissp questions and so it's typical you I would suspect you would see this in the planning reconnaissance scanning access assess vulnerabilities exploiting and Reporting and it's pretty pretty true to that point so when you're dealing with vulnerability testing these are when they test a network or system against known vulnerabilities so for example and it says I've got certain RPC vulnerability maybe they will run against that Google tools are open bass arness's use nessus in the past that there was well then look for any open vulnerabilities that you may have then it's a vulnerability I'm going through and I'm looking for ways to get in when it comes down to vulnerability testing I'm doing that as well but I'm also documenting very substantially where are the vulnerabilities that I see them and then providing a report at the end to whoever had signed us up to go do it it does help with understanding a level risk and threats and that does allow you to prioritize them for mediation that's those I like to look at vulnerability testing is a wide swath whereas pentesting is very much specific great targetbase right there to a point to laser focus best security audits are often the result of organization having to comply with regulations that. Guineas are HIPAA pci-dss with your payment card industry data standards those those typical you have to follow a security audit however what I like to do is I'll do a security audit / assessment of my company and different areas and aspects within my company and these are these are evaluated gets published Frameworks so you have your Frameworks of iso 27001 the cybersecurity framework could be assessed against our audit against Auditors will actually utilize those Frameworks they may come up with their own proprietary framework which basically Blends various others and puts them all together in one assessment d security assessments are a full approach that understand the effectiveness of you access control so there's a security audit security assessments and the audit is typically done by a third party or a external resource to a third party could be somebody within your company I guess it's more of a party and then you have your outside security resource that would be doing that as could be doing it as odd as well assessment is typically done by yourself anime assessment I don't get the same Law of Attraction as I do want to say it's an audit of semantics but it does make a difference when dealing with leadership this is policies procedures and other administrative controls will come into scope as you're looking at security assessment the big thing I've noticed on all of these is change management is a huge Endeavor you really need to have that understood especially as you're looking at doing these assessments week seems to fall down on a routine basis is how are the house of change management occurring within the e-street organizations the software testing I do this with my developers that work for me again it's increasingly a big part of this and reason is because now you're dealing with you you in the past used to have developers Network on I'm saying this really old but you work on bb6 and you'd have your certain development that you would do and you run tests against it and you would come up with your plan will now the decoding is becoming so prevalent that you can talk on citizen developers you're getting low code kind of solutions where it's basically you drop and drag for different functionality important part of it security that you need to consider some level of software testing and it's important that you understand the software development life cycle when you do that because I never sent that's why they talk about it in the cissp get into a little bit more but it's so important that you get into some apartment and you understand how to make your more secure as an example Troy hunt has some really good stuff out there with pluralsight on how to hack yourself and as a developer what are some of the key things you need to consider when trying to basically improve your system that you're you're developing for now and you're talkin software development there static Dynamic analysis reviews there's lots of different areas that you can do to do to complete software testing for your application now you're getting into static and dynamic testing static code testing involves reviewing the code while while it isn't running and you're looking for any areas errors that it might be in syntax and now this is static code not typically with that is that can be challenging just because of the simple fact is that sometimes the lines of code is just immense on how many lines of code you have so it might be really hard for that to actually happen now if you have a good testing strategy that can be automated then automated testing is really pretty important especially as we get into these more complex applications that are running and now you'd into Dynamic testing on top of that so you tip play The Run both of them they work well together a static and dynamic environment you just need to have very tight controls or I should say guard guard rails on your static especially if you have a development team working for you just because they can spend a lot of time doing static analysis where they'd be better off create making sure they have an automated testing strategy in place for their for their code cuz it was out at its it's really important to have it in there without of their spending a lot of time they don't need to Harper sent but it is a really good solution to help you knock out the big rocks within your orders within your testing strategy it can look for errors and also help you with performance base lines and it is extremely useful if you have any development presents and all that we've been building this out for our organization and I'm pretty pleasantly surprised on how it's going to play out for testing levels. This is testing almost perfect perspectives and this can also be Falls of the final at user acceptance testing which typically called you a tea that you went to do software testing levels sometimes they'll integrated with as an example different iPads different iPhone different Android devices and also go through all of that as far as when they're looking at the various testing strategies around it and consider is regression testing this is so after you put something out there you'd then can complete a regression testing other software after new updates and modifications are patches have been applied and so that's if you have an issue where this patches this not do well with the update you would do that regression testing prior to actually pushing it into production once it's all done then that's the user acceptance testing Whitaker and that's when they would sign off on on houses all play out in their organization coat and that software the last one is I've got his fuzzing is fuzzing a boss basically Airfield data and this typically has happened in the past would put and they have an input stream so you have an input field and you could actually run code within that input field or fuzzy will help you determine if that's if you can actually do that or not and so if you're using just an input field allows any type of code to be put into that field then you potentially could run code while if actually input form so that makes any sense so so I say Sean Gerber and you got it or not shy girl say you got a name your name field you had a address field you got up whatever field you want to put out there meals you set up the input type that it will allow any code to run in that start any length of code to be able to run our put in that input field so you if you limit if you don't limit how much characters can you put in there that's a bad thing if you also limit if you don't set the character type that needs to be put in there so like for example only text can be put in there nothing else other than a text comment you have to limit those those fields and if you don't do that then you can cause it to run some sort of code on that server that's considered fuzzing and that's basically so many random Airfield data into software to help make it crash and then you're just trying to see what it can to do the maximum high levels of input applications or to hang it and that's they're just trying to do that to see if they can find what is the error code that kicks back on that it does that code give me some guidance on where what is the mapping of that server then it to or tells me maybe fingerprints the operating system so now I can go and I can attack that specific operating system with maybe a vulnerability that I'm not aware of art that I know of but I'm not aware I wasn't aware of the operating system and how that work so those are just interesting areas get into each of these areas but that's callable overview in this comes from infosec Institute. Com Minister refresh security assessment and testing he's really good for you to understand from a cissp stamp the key aspects around we talked about pentesting vulnerability management software development life cycle do you really need to understand these big terms and how they work and I know cissp added that in and recent additions the software development piece of this because it is becoming a bigger issue that most people Security Professionals are all right so that's really all I have for the infosec Institute now let's roll into the cissp training this focus on the IC squared training manual and its domain 6.1 design and validate assessment test and audit strategies will be very similar to what you see with what we just talked about right here domain 6.1 this is a security considered at all stages of development and you really need to talk to do consider security and this is probably one of the biggest challenges I've had with my development team is getting into understand Security in many cases the development teams they are designed to get code out they want to get it out and get it fast they working in Sprints to get that completed and they don't need to spend time on security focused on getting that right they just want to get the stuff out the door so that the following are going to be some key security items for secure design environment the first one where is objects and subjects objects are resources used by a subject so is an example of what an object would be would be a computer system a subject is a user or process requesting access to an individual or an RPA which is a robot process algorithm and if you're not familiar with rpas it's like a Gucci macro it's designed to run these these Al Gore over and over and over again to provide an output and then it says it's taking away take away individual roles that would do that in the past that would just be a data input person it's now take away that that capability that these people did however right, let's be honest putting in data is just like mine Emily painful so the purposes are object and subject so the object is a computer system like the subject would be an individual or RPA robotic process algorithm objects now we're getting a security assessment and testing the effectively effect new Earth businesses and so are we talked about before there's test there's assessments and audit typically audit is done by a third-party assessments are done internally and a test can be done internally as well or even by Third parties as well but they're more narrow in scope so those are the three primary security component test assessments and audits security testing we talked about penetration testing with me using nessus and Target one specific area or they can do manual scans as well one thing I did learn one doing penetration testing do you want to avoid as much as possible is scanning because one thing if you're scanning within a network and you're trying to hack that net work they will typically have some level of alerting around skins that are going on within a within a network and so scans a good way to tip your hat to say hey attention to the fact they need to do something to navigate that risk now as far as the talk about design and validate a strategy around this there may be regulatory requirements that force you to do this many times of financial companies will record will report require this as well so if you have a an assessment that must be done many cases those are financial institutions or in the healthcare institutions that require some level of scanning or of audit strategy around cybersecurity there might be some business requirements that's just say for example you have your pudding your most impressionist 13 herbs and letters and spices are going to stick those Rascals in a area that you may not be feel like it's the most secure you would probably want to do some level of a strategy around that or you just met consider as regulatory business or just wanting to know what's going on those aren't that's typical strategy around security testing and that the end review the findings with senior leadership to ensure that they understand it and they will help you fix the problems now's your deal with security assessment again you need to detail review of the security the application or other environments should be included as well these can be tools that could be included in this as well you also need to understand the threat environment and that would be current and future wrist you need to provide some level of what is the threat and why are you there what is the purpose of doing these cans and so what is the risk of your company it could be the simple fact that so your Healthcare company and you are worried about any sort of data breach our privacy data breach customers medical records to be exposed so therefore that is the focus of my threat is to make sure of my assessment is to make sure that those that those documents are not exposed to the world now if you you may have a situation where you go I don't really care so much important but it is all about the person's data now if you got a company that the financial about that company and the personal data is a factor but it is not as big as my financials then that's what you would focus on as well dealing with looking at this you too can you decide if it's going to be internal or external is he I definitely recommend a risk-based approach because it is very time-consuming as very expensive so if you're going to do this make sure that you have a plan on how you're going to mitigate this before you need started make sure that your leadership is onboard you have a plan to mitigate these drat the issues if and when they do come up which they will you also have the money available to do these things because the last thing I want to do is go through an assessment spend the money on it and then at the end of the day there's no money that get anything's fixed so you want to make sure you have that in place before you even get started can do this Thurs key aspects around this is that there's outside auditing firms I can do this and they're typically considered not bias from an assessment point of view and I will say I've had a recent audit that was done not too long ago by a third party and I will say that they the audit was good they they ask me some questions that they needed to ask but I also think that they were probably a little too vanilla and some of that cases so you got to kind of way out these and how much do you are you doing it as a checkbox or are you doing to actually learn something if you doing is it a checkbox just that I had to do it to meet these regulatory requirements okay well that's a different outcome than if you actually want to fix some of the challenges that are there so it's something to consider around that when you're talking bodies they will typically contract with a third-party and they will contract with this third-party outside of you I've had it in a case where as a security person the legal folks are they just contracted with the audit firm didn't even tell me about it I just want to get it and then that third-party would come talk to me and go through our audit of our information that's a big for you got eny Deloitte to PWC and KPMG it's got going to be cheap not by a long shot expensive but they have a good product and they are very thorough and what they do just be prepared for the price tag now what you doing security audits these are similar techniques of testing and assessments the they are typically internally tests and assessments are and like I said I usually call them assessments but I will call him on it's just depending upon the situation of the individual that could again August lot more traction and they get people to stand up and take notice that when we talked about it they don't get mad at me saying well you said it's an audit was really not an audit well they really want to fix the problem so I will kind of play around with those words a little bit turn all your external and you have third-party as well so something that I've done in the past around this is that I would do a an assessment then I would I want to do is have a third party that we have a service provider company I work with that will do the audits for us so then I'll have that third-party of that service provider do audits for us and it's not the typical NY type on it but it's because me a good understanding where I'm at and it uses a risk-based approach depending on if I had a requirement of requirement let's just say That's which is a chemical facility anti-terrorism standards if I had a requirement a third party to do that audit but what the goal is that I do my assessments internally so that I can Shore up my defenses so that when the audit comes in the findings hopefully would be minimal and not very large that's only you want to avoid is getting really looking foolish because you did not do what you need to do to secure your on fire now we talked about auditing standards in the previous part of the podcast that you can use control objectives for information and related Technologies kobetz and understanding that's out there ISO 27001 cybersecurity framework each of these standards they each of these have a a cybersecurity framework in the in reality they do set up these specific Frameworks what they're looking for is very close in nature however I will say the 27001 because it is something you get certified in typically there is much more higher level of granularity is very deep it's very precise way more precise than the cybersecurity is very to the point where it tells you what are some key things you need to be aware of so again it that's good I just depends on the on the network I should say depends on the environment and that you're in and whether or not that level of framework is something you want to use or not typically when your deal with 27001 it's an international standard and so that's why they set that up until that if you're a company that follows 27001 and those standards you can use that as your certification so when you go to a dollar companies and yes I'm ISO 27001 certified they can go out that makes it a lot easier and then they know you've already put controls in place to mitigate that risk and if you have to maintain that certification then even better that's just something else that you have to keep until the company is working with you will go that's good warm fuzzies that you have got everything taken care that's the standard there's also different mapping tools out there as well that you can use that will Pacific ISO Standard Pacific framework so like for example if you are a HIPAA person and you want to use the watch the sun that's not a good one let's go you're just a regular manufacturing company and you want to use ISO 27001 does not require but you want to use that and you also are interested in the cybersecurity framework there's mapping tools out there that will show where they overlap and if they overlap which ones would be best for you and then you can kind of pic well okay I want the 27001 but boys really granular I don't want to get that level of detail but the cybersecurity framework is good and less space I'll use that however is real ISO 27001 is really good in this area so I'm going to take that and if you have that mapping it'll help with your ever audited to go this is why I did what I did and this mapping help me understand it and the Auditors will take that they understand what you're doing the key doing that you got a plan in place to mitigate the issue and that you're not just saying yep I did my assessment did you hang with it no I just did my assessment so those are the different aspects around security assessments that is all I have for the cissp training again this comes out i c squared this is out of their test manual and this the kind of things that you would get directly on your cissp exam pretty cool that you can get all this crap free stuff can you get all these things that Sean gerber.com again you get up throughout their these hellacious plug for Sean gerber.com is s h o n Gerber like the baby food. Com and the cool part about all that is if you go to Sean gerber.com I have some free videos out there on demand on my domain training around Des Moines one through four and then I'll be sending you some extra stuff as well over coming weeks just for signing up for my email list you'll get access to that house and we'll be having all these questions are be posted and the podcast are posted so you can go back over and over again and look at these various questions and how you want to study for cissp exam so I was looking at 8 Bara Bara Bara why I can strip his name but it's basically badawi first time at 6 months to stay for the first time and another four months follow up past my cissp about 10 months I personally don't think you did it we need to take you that long in today's world in some cases because there's so many resources out there available to you the key around the cissp exam though is just understanding the objective because the questions are going to be totally the bottom just going to trick you and in so you going to have to understand what life is penetration testing we just talked about if you understand this stuff then when the questions come up. Be kind of tricky once they're going to struggle with a little bit however the key point is that you'll be able to get through questions much quicker if you understand the content right now you're not just guessing on test questions which I've done the past exam questions and he's come from techtarget and he's our domain 6 quiz vulnerabilities and begin to Links from the show. So you can go click on that link and check out what they put together okay question 1 abstract episodes of interaction between and its environment okay so abstract episodes of interaction between a system and its environment misuse case web proxy use cases negative testing EXO abstract episodes interaction between systems and its environment miscues case be web proxies c use cases D- testing NES ruse use cases so basically use cases are situations that occur and there between a system in a bar when you hear people talk about a use case and it's just the way of situations scenario and how things happened and that is? a list of the most widespread in critical errors that can lead to Serious vulnerabilities in software information security continuous monitoring iscm cwe San Jose your software errors C automated vulnerability scanners the real user monitoring rum rum okay so list of the most widespread and critical errors that can lead to the serious vulnerabilities in software Memorial scanners real user monitoring rum an answer is a information security continuous monitoring does have a list of the most widespread and critical errors that can lead to vulnerabilities within your software question 3 this criteria require sufficient test cases for each program statement to be executed at least once however it's a Chima is insufficient to provide confidence in a software product Behavior okay a statement coverage be dataflow coverage see condition coverage d-pad coverage this criteria require sufficient test cases for each group or east program statement to be executed at least once however it's a Chima is insufficient to provide confidence in a software product Behavior criteria for test cases in each program statement to be executed at least once all right so this is they're talking about like criteria and how would that work with his test case is a statement coverage dataflow coverage see the condition coverage D is a pass coverage didn't talk about dataflows he probably could throw out there if you don't know, didn't talk about app a specifically so that could be potentially throat out there did talk about criteria that it would be and you have a little bit but how is written down or how it is brought up in this is around test cases so the answer is a statement coverage tell everyone you have to go to work through but on that I hope you all enjoy this is the other podcast I have to have a wonderful week this week again check me out at the Sean gerber.com got some great stuff for you there free videos one through four also Billy got some other free content that'll be coming to you as well my videos are out there that would made one through eight have a full training Suite is available to you before purchase you can go check that out and with that you get a lot of input directly from me is when you're studying for your cissp exam I've also going to be taking some stuff that he hopped put put out there as well that really good is in a relates to how you can help study for your cissp exam going forward thanks so much for joining me today on my podcast also check out my cissp videos that you can find out on YouTube just search for Shawn s h o n Gerber like the baby food toilet or whatever you choose and then you will find a plethora of content to help you pass the cissp exam the first time lastly head over to Sean gerber.com and look at the Cornucopia free cissp materials available to email subscribers
Join our mailing list to receive the latest news and updates from our team. You'r information will not be shared.