CCT 009: Implement Secure Communications (CISSP Domain 4)
Feb 21, 2023
Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity.
In this episode, Shon will talk about the following items that are included within Domain 4 (Communication and Network Security) of the CISSP Exam:
· CISSP / Cybersecurity Integration – Data Communications
· CISSP Training – Implement Secure Communication Channels
· CISSP Exam Question – Point to Point / OSI Layers
BTW - Get access to all my Training Courses here at: https://www.cisspcybertraining.com
Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
CISSPCyberTraining.com - https://www.cisspcybertraining.com/
Facebook - https://www.facebook.com/CyberRiskReduced/
LINKS:
- ISC2 Training Study Guide
- Quizlet
- Infosec Institute
- Wikipedia
Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free.
[00:00:00] Welcome to the Reduced Cyber Risk and CISSP training podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam.
And grow your cybersecurity knowledge. Alright, let's get started. Let's go. Hey y'all. Is Shon Gerberg again with our new cyber risk. I hope you're all having a wonderful day today. It's a great day in Wichita, Kansas. The heartland of America, basically smack dab in the middle of the United States. So yeah, it's pretty flat here.
It's pretty hot here, but it's July 8th. Hey, we just wanted to go over, we're gonna be talking about in our sci. Si. CISSP, cybersecurity integration data communications. And then in our CISSP training, we're gonna get into implement secure communication channels. And then in our exam question, we're gonna get to point to point.
It's not from like point A to point B, it's a [00:01:00] different kind of point to point. And then the OSI layers. All right. Before we get started, I want to just throw out a plug there for my CISSP training that you can find on udemy.com. You can check it out there at, uh, Shon, s h o n Gerber, and I have CSS P training.
CISSP Certification Training. You can find specifically on Udemy, or you can go to reduce cyber risk dot. Com at cis slash CISSP dash training and it'll take you to the Udemy links as well. So check it out. It's got a lot of great information. You're gonna have there. All the domain stuff that you're gonna have for, as it relates to the C I SS P exam to properly prepare you for that exam.
It's a great way to augment your training and as you well know, Udemy has some great deals as it relates to training, especially, uh, for what I got. So. Some really good things. Uh, also all my CSS P training, the various domains will be updated on a weekly basis. Now, some domains may be updated one week and then another domain the next week, [00:02:00] but they all, all of my training is updated on a weekly basis.
So some great things that are coming out there as far as the CISSP to help you be successful and pass the exam. Okay, so the CISSP integration, this is from the InfoSec Institute, and we're gonna focus on objective 4.3, which is implementing secure communication channels according to design. And the topic will be specifically data communications.
Now as you're dealing with different communication protocols, we're gonna, you're gonna hear some different terms and it's important to understand what these terms mean. You'll hear these terms thrown out like SSL and TLS and all of that, not tlc, which is Tender Loving Care. It's different. It's Transport Layer Security.
Yes, security. Now the SSL is Secure Socket Layer, and what this is, is it's a standard security technology to create an encrypted link. It what it does, it ensures that data is. PA that data is [00:03:00] passed, remains private. It remains specifically re private to individuals, and it does not go out to anybody else.
And that's the whole purpose of it, right, is to have the SSL to protect your data and to ensure that it is private from other people looking over and stealing your information. It is also considered an industry standard to protect online transactions. Now, SSL has been moved on. It was, it's still considered a, a industry standard.
However, the new version of. SSL is what we call tls, uh, which is transport layer Security, and they have TLS version two as well as one of the key points that are out there, but it's, it is the newest version of encryption of TLS is, and it utilizes symmetric crypto cryptography. Basically, there's two layers.
There's a TLS record and a TLS handshake. And though those are the aspects around the security, but so you'll hear a lot of the synonymous. Where you see third grade education, the S S L secure socket, layers being used [00:04:00] synonymously with T L s, but everybody has moved on. In most cases. If you are dealing with the next level of security is around t L s, and it's the next area.
I said that twice. I know that's kind of not really cool, but anyway, did I did? Just did all right. Then there's another product out there called Swipe, which is your swipe IP security protocol, and this little s, little W capital ip and then E. You gotta love how they make these fun little things. Swipe. It provides confidentiality, integrity, and authentication of network traffic.
It does not, however, handle policy and key management it that has. Can handle outside of the specific swipe protocol. So that is those just specifically swipe encapsulates each IP datagram okay. To be secured within inside the swipe packet. So basically the IP datagram, which you'll we talk about in the different levels of the OSI model and so forth.
The IP datagram will be secured inside the overall swipe packet, [00:05:00] and that's where it encapsulates it and wraps it up in a pretty little boat. But that is the swipe IP security protocol. Set is a secure electronic transaction, and what this is, it communicates a, it's a communication protocol standard for securing credit card transactions.
Set is a secure electronic transaction and it's a communication protocol standard for securing credit card transactions. And so that's what you'll see typically within when you're using credit cards. Now as in the United States, many other countries have just got back from China. They don't really use credit cards.
They use their product called WeChat and or Alipay. And it's the same concept, but it has to be tied to a bank account specifically within China. And but. It's what they utilize, at least in the United States for secure electronic transactions. It has a set of security protocol calls and it's set user provides electronic wallet or digital cert that basically puts you who you are and if, if that's kind of how the whole [00:06:00] PL basically ties you to the individuals through that digital cert.
Digital certificates and signatures are amongst the purchasers, the merchant and the purchaser's bank, and it's just kind of how they, the, the digital signature works between them all. But that is utilizing the term or the, the protocol security protocol of set secure electronic transaction. Then there's pap, which is the password authentication protocol.
Now this is a password based authentication protocol used by point to point protocol or P P P through Triple P. You heard pip, P P P. It's considered a weak authentication scheme and it's not one that typically is used as much, uh, but it's still is used. It's just not. You wouldn't want to use it for your main authentication or your main type of authentication scheme that you're working with in your organization.
It does transmit unencrypted passwords over the network, so hence uh, that's kind of why it's not utilized as much. There are some others, which is the extensible authentication protocol, which is eap. You have your secure remote. [00:07:00] Procedure call, which is S dash rpc, and then chap, which is your challenge, handshake authentication protocol.
Now, as far as the CISSP is concerned, I remember seeing all of these, you'll, you'll come to some level of understanding around all three of these pieces, uh, or all of these various levels, authentication protocols, and security protocols. They are on the C I SS P exam, T now very, some may not be on it, some will be on it, but you do, they do cover these.
In different aspects on the CISSP exam, so be prepared for that, um, and understand how they are used. The key point around this, again, in the exam is that you will see they utilize these in ways that are kind of designed to trick up a little bit, and they'll utilize the pap aspect and they'll say, password authentication protocol is used with set.
And you go, oh, yeah, yeah, P p P or no wait, p a p wait. Set. Oh no. And you'll make a mistake. So the goal is, is to understand all these protocols and how they all [00:08:00] work together. Okay? So that is what I have for the CISSP integration, and that, again was from in FO SEC Institute. Let's roll on to the CISSP training.
Okay. And the CISSP training. We are gonna focus on objective four three, implement secure communication channels according to design. Okay, voice. Voice over. Digital is quickly becoming the standard from teams to Skype, to you name it, voice is becoming the standard over the digital platform, but this, the old business of private branch exchanges or PBXs is going away, and that's your typical phone routing switch switches that are out there.
Those are all going away to a. Product called VoIP, which is by far more flexible and secure in, in most cases. I mean flexible in the fact that sometimes Skype doesn't work so well. But VoIP is a T C P I P network connection, and it's configured to be simple to the more complex, depending upon what level of encryption and where that is [00:09:00] protected at.
Now, standard phone conversations does have encryption built into it. These, these do occur. However, depending upon if you want to have secure voice, like in the case of the military, there's different. Levels of infrastructure that needs to be put in place to ensure that the communication channel can be clear from somebody over eavesdropping and con and collecting the information.
Now, there are some problems associated with VoIP. Uh, caller ID can be spoofed. That is a possibility, and they are a susceptible. To denial of service attacks. Hence, the reason is they're on an IP network. So if they're on an IP network, they can be denied of service. They can basically be, they can flood gates with, of the network connections with nothing but garbage, and therefore your VoIP connection will go down.
Man in the middle is issues can occur with VoIP and the traffic is not, that is not encrypted, can be deciphered. So you can listen to these informa, these conversations if, if it's not encrypted. Now, in many [00:10:00] cases this stuff is encrypted, but there are situations, there are protocols where it may not be.
So therefore you need to be aware that VoIP is like anything else. Now, if you do standard PBX, where it's right over the wire, Those can be listened to as well, but they are not susceptible to denial of service attacks unless you take out a switching environment, then yes, then your voice, you're basically your, your hurt the line, the phone line goes down.
That's it. It goes by. Bye. Goodbye. Next is PBX fraud. What does that mean? Well, basically in the past it used to be where they would, it would take advantage of long distance phone calls and they would call this freakers. And now I say that because it's still you. I reason may have it in the CSPs cuz it's still a valid attack and you deal, there's.
There still are lines out there that you can utilize from a freaking standpoint, but it basically was designed to gain unauthorized access to phone systems and they would rack up toll charges for other peoples that would try to be utilized, you know, your international phone calls or whatever. They would then rack up phone call [00:11:00] charges for them.
This is becoming less and less of a problem because of cell phones and those, that capability, but it still does exist that to limit this, you would have logical or technical controls. On the network specifically to keep this and this would roll into administrative controls that you need to have in place.
You want to have also avoid securing these old, or you don't want to avoid securing these older systems. You wanna look at what are some of the ways you can secure them and protect them from these type of. Attacks from a PBX fraud attack. So don't just say, well, they're old, so nobody's gonna mess with 'em.
I'm not gonna worry about it. That's really a bad idea. In today's world where everything's interconnected more and more than ever, you can be vulnerable to any type of attack that may be out there. So again, PBX fraud is still existent. It still does exist and people still do it, but it is come down quite substantially from the previous days of like Mitnick and all of them.
Multimedia collaboration. What this is, is working on projects from a distance. So [00:12:00] now if you are anybody in the cybersecurity space or in it, you realize, you know what? There's all kinds of collaboration that occurs through multimedia uses from you. Incorporate email, video, VoIP, you name it. It's all there from a multimedia standpoint and everybody.
Does it. So therefore you must consider all of these VO security cha, all of these channels to secure, which becomes a very daunting task As a cybersecurity professional. You will see that this is a problem and it's something we struggle with on a daily basis. These remote meeting concepts and capabilities, these are all something that you'll have to go through.
And as you understand that from a multimedia standpoint, it is everywhere. Now at remote meetings, this allows for interacting with remote parties, which kind of comes into the collaboration space, and it's important that you'd be able to do this in today's world because guess what? Everybody shares it and everybody's working remotely and they're working from this.
I can't think of that big $10 word, but from. Remotely geographic, remotely separated locations. Yeah, there was a probably a really [00:13:00] cool $10 word that would work well there, but yeah, I couldn't think of it. Now there's some key cons, security considerations as you're dealing with this. Strong authentication activities are logged and monitored and open and encrypted transmissions.
So those are key aspects you need to be aware of as you're dealing with remote meetings and, and also understanding who's listening in and if there's somebody logs into your remote meeting that you don't know who it is. You might wanna boot 'em out and until you can figure out who they are, because guess what, a lot of people drop in.
I used to do that. We would drop in on phone calls, conference calls, but see us before Skype where they'd have a phone number pop up and so therefore they wouldn't know who we are. We would just log in and listen. Instant messaging. What this does is this allows for real-time chatting, right? So this is the ability for you to have real-time chatting through a digital media platform.
And everybody, everybody does instant messaging in some form or another. It could be from your, when you're on Facebook, it could be in various aspects, but allows you to have. Instant communication back and forth through a texting environment. Now it [00:14:00] is possible to do file transfer through instant messaging.
And so from a security professional, you need to be aware of that and if, can you send voices, can you send pictures, can you do, all of those aspects can be put and they're all done in potential UN in security environments. Then social security numbers or. Pii, personal identifiable information over texting is a bad idea.
Typically, there's some key security considerations that you need to keep in mind. That's careful communications on what you put in a text, cuz guess what? If you put in a text, it's gonna come out. They always do. They never ever not come out. They always do. You also need to have records management cuz these records, they go everywhere and you will run into them.
They will, they, they get legs and they move. So understand the records aspect around this. Also, you need to limit your encryption as it relates to. Or it has limited encryption, I should say. The, the aspect of text messaging, some, some text messaging dependent upon the application you use does have a little bit of encryption involved with it [00:15:00] or does have encryption.
But in most cases these do not. They, the only encryption they have is the encryption through. The telephone network, the CDMA network. In most cases, there are no encryption from a texting standpoint. Many are public services such as slacks, Hangouts, et cetera. And so when you send this out, your text, it's going to the cloud, which everybody goes to a server, which everybody potentially could have access to, at least at a minimum, the administrators have access to it, so there is no privacy.
There's very limited to no privacy when it comes to texting, Snapchat, all of those, those things do get legs. And move. So as a cybersecurity professional, it's important for you to make sure that you teach people that this is a situation and working on your CISSP especially, you need to understand how that all plays into the overall game.
Securing the email. Uh, you need to address this with your security policy. There's some acceptable policies for email that you need to put in place, and as you're looking to secure your [00:16:00] email, there are ways to do this through P K I, which is your public key infrastructure. You can get digital signatures on your email, which will help protect it.
You also can have access controls. Do you allow all. Owa like, is your Outlook web access, you know, you basically your online capability to your email, do you have multifactor in place on your email that's available online? And so those are key considerations. And also, as you're dealing with privacy around email, it's important to consider how do you protect your company's email as it relates to gdpr.
So it's important that you have that in place as well. So you as a cybersecurity professional working on your CISSP, you need to understand and be. Cognizant of these different aspects around privacy and, and what you should do as far as dealing with the email. Also, understand as security person, you should not have access to email.
You should ha or people's emails. You should have that all run through your legal and compliance teams if you have them. If not, and you are the person, then you definitely need to run that through legal before you do anything along those lines. [00:17:00] As your backup and records management, keeping emails until the apocalypse is just a bad idea.
So you need to consider getting, purging those emails when it's appropriate. Do not keep that stuff again, from legal considerations. It's important to understand that you, you don't need all that forever. Now, if your company ha puts it on legal hold where you have to maintain it, well then obviously you have to keep those emails for whatever reason.
But for the most part, you, you need to make sure that you don't keep any more data than you absolutely have to because it. Because storage is so cheap, everybody keeps everything. It opens you up for a lot of different issues, especially legal and LI litigation issues. So just kind of keep that in the back of your cranium.
As we're looking at other email security solutions, you need to understand the secure multipurpose internet mail, extensions, s mime, and privacy enhanced mail, which is another term which is pem, and then your pretty good privacy, which is pgp, which you'll see with from an encryption standpoint for your email, works typically from most of those providers that provide you some level [00:18:00] of email protection.
PGP is typically used for the third party types, and SME is used. For the more like your outlooks and so forth, and then you have your sender policy framework, which is the F S P F. Those are again, other email security solutions that you need to be aware of for the CISSP. Okay. CISSP exam.
Questions domain four. All right, so in this question we're gonna be talking about 0.2, point what layer formats, packets from network layer for transmission and is commonly used point to point protocol. And the integrated services digital network, I S D N session layer. That's a data link layer. That's B application layer.
That's C network layer. That's d. And the, and the winner is B. The data link layer is responsible for [00:19:00] formatting packets from the network layer to be used in the transmission of data. So yes, as the data link layer, that is one that puts 'em all together when you're dealing with the OSI model, the seven layer burrito and puts it all together to get it shipped out the door.
All right, so now this question's about the OSI model. What layer, which will you almost last one about OSI model two, but what is the layer three of the OSI? Model A, transport layer B data, link layer C, physical layer, or D, the network layer. And the answer is D. The network layer is the layer three of the OSI model situated between the data link, which is layer two.
Okay, so you, if you can see the video got layer two oh, actually layer two is down here, layer two, and then you have layer three, which is the data link layer. And then you have transport layer, which is above that. Okay? That is the different models of the OSI seven liter [00:20:00] layer. BOTO layer three of the OSI model is the network layer.
All right. All right. That's all we've got for reduced Cyber Risk Podcast today, and we are gonna be moving on to, Hey, I'll see the next podcast coming out next week, but the links today with ISE Square Training Study Guide, Quizlet InfoSec Institute, and Wikipedia. All right. I hope you enjoyed this podcast.
Also, remember that there's training available for [email protected] slash cissp training, or you can check out my videos on udemy.com, which you'll get a great deal by going to udemy.com and you'll get updates from what's happening with. In the CISSP on a weekly basis. All right. Have a great and wonderful week.
We'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my cis. P videos that are on YouTube. Lastly, head over to [00:21:00] Reduce Cyber Risk and look at the cornucopia of free CIS s p materials available to all my email subscribers.
Thanks again for listening. See ya.
Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube. Just head to my channel C S S P Cyber Training and you will find a plethora of content to help you pass the cssp exam the first time.
Lastly, head to cissp cyber training.com and look for the free stuff that is only available to our email subscribers. Thanks again for liste
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!
