CCT 314: AI Threats And Identify, Analyze, and Prioritize Business Continuity (CISSP Domain 1.8) - Part 1

Good morning, everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be going over domain one of the CISSP exam. And today we're going to be getting into identifying, analyzing, prioritizing, yes, lots of words, to business continuity requirements. So BC is an important part of any organization, and we're going to be going over that today. But before we do, I have an article I wanted to share with you regarding AI. Okay, this article comes out of CSO magazine, and it's regarded to top cyber threats to your AI systems and infrastructure. This actually is a really great article to kind of walk through some of the various relationship aspects of AI and some of the areas that people are dealing with related to it. I know there's a lot of risks with AI, and as I saw this, I was like, oh, this is good because it actually brings in a really great point of all the different types of activities that could occur within your organization, or should say, attackers could do to your company through AI. So I'm just going to quickly kind of summarize all the different ones that they had in here, and then we'll kind of go from there. And this is where attackers will corrupt and manipulate the training data that it's set up specifically for the AI model itself. And so therefore it will learn incorrectly. So that you want to make sure that you have a good plan for ensuring that if you have internal LLMs within your organization, what are you doing to ensure that that data is not manipulated in any form or fashion? The other one is model poisoning. And this is where the model itself is tampered with, not just the data. So you actually have to have physical access to the model to be able to do much anything with it, but they're able to modify the data that the model itself. This would introduce vulnerabilities affecting potentially the inference or inference. That's it. I can't speak$10 word. Inference and decisions. So if you affect the model, now it's going to be making decisions and inferring different things in ways that is not what it was set up to do. Another one is tool poisoning, which is a newer form of attack where the tools are used in AI pipelines to contain malicious instructions. This can enable stealthy data exfiltration or potentially unauthorized actions through the trusted AI tool. We've been seeing some articles that have been coming out related to tool poisoning as well. And this is an area that I feel is probably going to become a bigger factor in the future, especially as you're dealing with the various types of tools that will be people will be integrating within their organizations. Another one is prompt injection. This is where hackers will embed harmful instructions inside the otherwise normal looking prompts. So again, they would have just like we've done with SQL injections, the same kind of concept, but it's using their overall controls within the over command line command line type activities. It'll trick the AI, obviously, into bypassing your safeguards, exposing data, and acting in potentially harmful ways. So that would be the prompt injection. Then we move on down to adversarial inputs. This is where that's basically they alter the inputs designed to fool the AI into incorrect outputs. This is an interesting one. I don't really know if I've heard much about this, but it basically will create some sort of noise that's involved in this. And it could be subtle, really hard to detect, but the article says it's effective. I have not seen anything about this myself. So it's kind of interesting. Model theft extraction. Now I can see this one, especially if you're dealing with intellectual property, being a big factor. And this is where the attackers will query a model repeatedly to potentially reverse engineer the model itself. So again, you've got to consider if you're having stuff that is going to be intellectually property within your organization and you're using LLMs. I would highly suggest and encourage that you utilize these LLMs within your organization and do not use one that is an internet-facing type LLM. There's a lot of terms and conditions that do cause problems with that. So it's better to bring all that stuff in-house. So I kind of think about that one as well. The model inversion, this is where a specialized extraction attack is aiming to reveal the training data. Model inversion, this is a specialized extraction attack that's specifically designed to reveal the training data that's set up for that model itself. This would potentially expose sensitive information of the model of and what it was actually trained on. So it's going after the information that made the model what it is today. And therefore, it would be any specialized information that you may have would potentially be exposed in that situation. Supply chain risk, this is where they depend on third-party components and open source models and as well as APIs. And this is vulnerabilities with those dependencies can become attack vectors as well. And we know this all too well. The third-party risk is a big, huge factor with most organizations. Uh, very, very, very few people do not have some level of third-party involvement. And that supply chain risk is that. The last one is jailbreaking. This is where techniques to get AI models to ignore the restrictions that have been placed upon them. This is where you'll trick them into bypassing guardrails and performing harmful actions or revealing sensitive specific responses. Uh, this I feel is probably where everybody keeps moving towards is how do I break that thing and how do I end up utilizing this, the information that's in it and in ways that it's outside of what it's been programmed and pre-positioned to do. So that is jailbreaking. Again, these are nine different AI threats that are set up on CISO or CISO, on CSO magazine. Uh go check it out. Again, it's a really great article around this, and it talks about all these different places, all these different AI risks in one spot. Uh, it's called Top Cyber Threats to Your AI Systems and Infrastructure. Okay, so before we get into what we're going to talk about today, I wanted to quick do a quick shout-out and uh again plug for CISSP Cyber Training. Please head on over to CISSP Cyber Training. This podcast is available because of CISSP Cyber Training. We put this together so that you guys have the information you need to pass the CISSP exam the first time, as well as gain a lot of great information that will help you in your CISSP career going forward. So I highly recommend head on over there. There's lots of packages. I got free stuff available to you up to the good lore. It is there. There's 360 some odd questions plus another hundred and some. So there's like 500 free questions that you can get just for being a member of CISSP Cyber Training. Just getting the free stuff. There's like 500 questions. There's also a quick study plan that you have. If that you want more of a hands-on approach, I have different packages available based on your needs and your desires to get your CISSP done in 2026. Again, do not delay, get it done because if you can get this thing done, it can have so much more impact on influence, income. All of those pieces can be a huge part of this if you get your CISSP completed. So go check it out. CISSP Cybertraining.com. Okay, this is over domain one, 1.8. Identify, analyze, and prioritize business continuity requirements. Now, if you've paid any attention to CISSP Cyber Training and any of the content that I've been putting out, having a great business continuity plan and developing resiliency for your organization is imperative. It really truly is. And we talk about this. This is again one chapter in the book. It's like chapter three, I think, as of the when I did this video. But the bottom line is, and that may change in the future, but realistically, it's a it's a crucial, critical part of any sort of cybersecurity program is your business continuity management. So, business continuity management, the purpose of it is to ensure continuation of critical business functions during and after a disruptive event. So obviously, you want it to be able to maintain what it's doing during this event, but you also want it to maintain it after the event has occurred. This is an important part, and this will protect life, especially where I was used to work. We had systems that if they something went bad, they'll melt your face off. I mean, they're bad. And if things blew up, lots of people die. So the point was it'll protect life, assets, brand, brand is a huge factor, legal standing, and stakeholder confidence. And business continuity management is a key component of this. Many companies struggle with this. And big companies get it. Small and medium-sized businesses do struggle a lot with BCM, and they need to really think hard about doing it. Uh, my other product uh site that I have is Reduce Cyber Risk. You'll see content out there around business continuity and as well of disaster recovery and so forth. So BCM versus BCP versus DRP. Those are the three acronyms, the trifecta. What are they? Well, BCM is governance and lifecycle management of continuing capabilities. Yeah, continuity.$10 words, they kill me. So governance and life cycle management of continuity capabilities. So keeping it, the lights on, keeping it going. The BCP is your business processes to maintain the continuity, people and processes. So your plan is how to keep it rolling. Your business processes are the continuity to make this happening, and then DRP is your disaster recovery plan. This is where the technology recovery, this is your systems, networks, and data. A lot of times DR and BC get confused and they get intertwined. They are not. Now they're all a part of the business continuity planning, but keep in mind business continuity is for the business. Disaster recovery is for specific systems that are technologically stacked within your organization. So it's a big difference between the two, and you need to make sure that on the CISSP exam, they're gonna ask you those specific things as well. So business-driven priorities over technology-driven decisions. You need to make sure that you are connected with their your business program people around this. And this in your CISSPs, this is gonna be a big factor as well, is understanding that what is business-driven priorities over technologically driven decisions. And then also understand executive accountability and governance alignment are an important part in all of this. You have to have accountability and you have to have a governance plan to deal with your business continuity. Now, scope and planning, you need to define your BCM scope. Business units, locations, processes, and technologies must be included in this. This would be internal versus third-party dependencies, such as vendors, SaaS providers, or MSPs. So you need to define the scope specifically around it. Now, I will tell you that it's easy to go and say, we're just gonna do it all for everything. I would not recommend that initially. Now, you may build upon it and have that, but you need to really consider: are you gonna just focus on your critical systems? Are you gonna focus on the entire company? Are you gonna focus on your third parties? But it comes down to some key concepts. Criticality is imperative and is extremely important for you to consider. Assumptions and constraints, you need to understand your funding. How much money do you have for this? Your staffing, because it is a staffing hog. It takes a lot. Um, and then recovery capabilities and regulatory constraints around it. Well, the regulatory constraints may be that you have to have something in place. You may have to have a physical location depending upon what regulatory requirements you have. And that will add a lot more complexity and a lot more costs. So it's a big animal, and I would not recommend biting the entire animal at one time. That'd be hard, biting an animal. I wouldn't do that. That would really be kind of gross. But that being aside, you want to eat the elephant, the proverbial elephant, one little bite at a time, start small. Planning horizon, this should be short-term disruptions versus long-term outages. You need to understand, okay, if I have a short-term disruption, what's my business continuity plan for something short-term? Long-term is a malware incident involving such as something such as ransomware. That is an important part. A short-term disruption would most likely be the stray backhoe that comes in and takes out your fiber channel. That's relatively short because that can be worked around pretty quickly. So you need to kind of consider the different types of plans that you have related to short-term or long-term outages. Alignment. You need to have make sure that your enterprise risk management team, your ERM, is involved in everything that you do. They will help with the organizational mission, strategic objectives, and the risk appetite for the company. Your risk team is a vital key of any sort of business continuity planning and activities. So you need to work with them. If you do not have an ERM team, then you need to work with your senior leaders to determine who is best within your organization that understands the risk to your company and then work with them. So again, it's you need to determine your scope and overall how do you plan and move forward with this? Organizational review. This is where you have business structure analysis. This is the core versus the supporting functions. And this is also centralized versus distributed ops. How are you going to operate? So, what is the core pieces of your organization? What are the supporting functions around that? What make all of your pieces in your company work together as a whole? And then are your ops going to be centralized within your one company, or are you going to have them distributed out amongst various pieces? So, as an example of this, it would be uh if we had our my old business, if we had a headquarters building, if that went away, we had a plan to be able to operate in distributed ops environment. Each of the locations could operate by themselves if they needed to, and with the central hub being gone. But then we would pick up and move to one of those distributed locations and operate out of it based on the fact that we could have all the infrastructure we need to make that happen. Some critical stakeholders. You have executive leadership, business unit owners, legal HR compliance, and the facilities themselves. So your executive leadership goes without saying they need to be involved in everything that you're doing. Business unit owners, they're the faces, they're the people that understand their business the best. So you want to make sure they're involved. And then obviously your legal HR compliance, these are all the folks who keep you out of trouble. IT keeps everything connected. And your facilities people, if you have facilities where people are at, they're gonna need to be involved as well. So these are all critical people that are gonna be in part of any sort of BC planning that occurs, any sort of BC development that occurs. Defend dependency mapping, you should have upstream and downstream process dependencies. So this is the part where I heard this in this when I was a CISO at a local at a large company and they said upstream, downstream. You gotta understand that the the supply chain piece of this, who gets your product, okay? Uh who do you get raw materials from to make your product? These are upstream, downstream type of cap capabilities that happen within your organization. You need to understand what are some of the dependencies on that. If your facility needs a downstream type of activity to make it work, then you need to, or like say for distribution, you need to make sure that that that distribution company is good to go. Something upstream, such as raw materials, if the raw materials are not available to you to be able to make, now you end up running into a dependency issue there. That if if your logistical company is gone down, you can't get product to that company or to your manufacturing facility, you now are in a situation where the information or the product itself that you created cannot be distributed. So you need to really understand your upstream and downstream dependencies that you have. You also need to really dig into your single points of failure, and this can occur through different ways, but doing tabletops is a great way to figure out where you might have a single point of failure within your company. And this happened with me. I did a tabletop, went through the entire process from business continuity planning, and then got to a critical point, and I asked a question about a server. And I said, Where's that server located? Who owns that server? Where has it been updated? And the question came back was, uh yeah, that's sitting in a closet someplace. I said, Well, if that thing went down, how would that affect your overall plan? And then there's lots of little talking and scurrying, and then they go, uh, yeah, we would be shut down. So one server had the ability to shut the entire facility down. Those are key points of failure you need to really truly understand within your company. BCP team selection. This is where you have a governance structure, is you have executive sponsorship in some form or fashion. They need to have them involved because the executives are the ones that are going to ensure that this is done in the form they're going to be responsible for it. So they're going to help be that face for this organization and what's going to occur. Your program owner is the person who's responsible. This is the individual who's going to be leading this and making sure that it is getting done on a complete manner. He or she is ultimately responsible to the executive sponsor who has overall accountability in this situation. So some of the key team roles that you're going to work that will be part of your BCP selection. Business unit representatives, IT and infrastructure leads, facilities and physical security, legal compliance, communications, and PR. These are all key team roles in the business continuity planning teams. And you need to define all of these individuals. They might have maybe wearing multiple hats. For example, your legal and compliance might be the same person. It could be two different people, it could be the same person. Communications and PR might be the same person, could be two people. So those are just kinds of things you'll have to work through depending upon the size of your organization. Now the role characteristics associated with this is that there needs to be decision-making authority, business process expertise, and availability during a crisis. You don't pick, if you're going to have a crisis, you need to make sure that everybody is either in the same region, relatively time speaking. So everybody's in the United States, knowing full well that there's time zones between them, but everybody's in the United States. Why would that be important? Because of the fact that if an incident happens at two o'clock in the afternoon, you can muster everybody together and go. Whereas two o'clock in the afternoon in Europe is maybe 11 o'clock at night. So that could be a huge factor in setting up these people. Now, that doesn't mean you don't pick these people if they're in different time zones or different regions. You just need to make sure that everybody's aligned with what could occur in the event that there's a business outage. This is the 3 a.m. phone call kind of thing in the middle of the night where things start getting going. So just kind of keep that in the back of your mind as you're building this out. Business process expertise is really important. They can't be just the face of the company. They have to understand how it is are the business processes that make their business run. What makes the product run? They need to understand that. It's an imperative piece of this. And I've had it times and again where people have come into my BCP and they don't understand their product, they don't understand the processes, so I have to kick them out and bring somebody else in. Succession plan and alternates for all the critical roles. You need to make sure you have a plan and a backup plan and a backup to the backup. I personally believe me on this. The person that is critical to your organization is in an airplane flying across the Pacific on their way to Mumbai. Had it happen. And you have if you don't have a plan, then everything falls apart. So have a plan on what your goals are around that specifically. Resource requirements, you have human resources, you have minimum staffing levels, uh specialized skill sets, and then you have cross-training requirements as well. So you HR needs to be able to give you what you need to make those things happen. Now, if they don't have the cross-training requirements defined, you need to help build HR build these out. There's technological resources that are associated with it as well, systems, applications, and then the overall network connectivity in conjunction with all of that. Facilities such as primary alternate remote work locations need to be defined and well developed. You need to determine are you going to have an alternate work location? In the event that there is a problem. So again, these are all resource requirements that you're going to have to come to and think about before you actually get to the point where you have to flip the trigger, flip the switch, and kick over and on your BCP environment. Resource requirements around this, you have third-party resources and financial resources. If you're going to be having a BCP plan, you need to make sure who are your third parties that are involved. And this includes your vendors, your cloud providers, and also your utilities. Make sure they understand what's going on. You need to work with them and have good plans on that. So example would be power. Do you have a power in these locations when you need it? So we talked about having backup sites specifically set up for your business continuity. Now you have backup locations for disaster recovery, right? And you have to have power requirements to build up all these servers and to run this war room in an off-site location. That is a DR plan. However, you still need to work with your DR plan slash your business continuity plan to ensure that those utilities are ready to go when you need them. Are you going to have to have contracts in place? Will you have to pay a retainer to keep the power in a semi-ready state? Those are all things that you're going to have to work through related to your business continuity plan. You also need to make sure that your vendors are aligned with what you're trying to accomplish. Does your licensing allow you to do what you're wanting to do? That's a big gotcha. Many people make assumptions around licensing, and in most cases, it's never an issue. However, this situation, it possibly can become a problem if you don't have a good plan around it. Financial resources, your emergency funding authority, and also insurance considerations, all of those need to be considered in this situation. If your cyber insurance does it cover business continuity planning, does it allow to pay out in the event that you have to use business continuity planning or use it business continuity in some form? All of those pieces need to be aware. Emergency funding is also critical. And I say, I mean, I keep saying all these are critical, but they are because with the emergency funding, if it's nothing worse than you say we're kicking off our plan, and then you go and you go, how are we going to pay for X? And you have no way to pay for X. That's just not a really good place to be. So you want to make sure that you have a really good structure and schedule set up for that specifically. Legal and regulatory requirements, there are regulatory drivers that make all of this happen. Financial services, healthcare, and critical infrastructure have specific regulatory requirements that these business continuity plans have to be done. You also come down to, I know there's even CMMC for the military, they are requiring you have some level of business continuity set up in regards to, especially if it's a critical piece of equipment for them to be able to operate. Data retention and availability requirements, these are also an important factor within the regulatory aspects. And then of that, you need to make sure your contractual obligations are set up and in place, such as your SLAs, your service levels agreements, customer commitments, and vendor agreements. Do you have the contracts in place to make sure that this business continuity venture can begin? And that if you need to kick it off, you can. Documentation expectations, evidence of testing, approvals, and updates are required, especially when you're dealing with legal requirements. They will want you to do an annual, in most cases, situation where you'll want to do a BCP test. And they want to know did you test your entire system? Did you test one part of it? What did you do? What were the approvals? Where's the documentation? All of those pieces are an important part in the overall BCP plan. That's all I have for you today. This is the end for part one. We're going to be having part two, will be next week. So come back and check that out. Uh, but also on Thursday, plan on getting some CISSP deep dive questions as well. So, again, this is part one. We finished it up. Uh, expect part two of this conversation next week on Monday. All right, have a great day, y'all. We'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora or a conopopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.