CCT 114: Security Assessments and Audits - Unveiling Bulletproof Strategies for Cyber Defense (D6)

Are your organization's cybersecurity measures battle-tested against real threats? Let's unravel the complex tapestry of security assessments and audits together. As your host, Sean Gerber, I bring my red team experience to the forefront, dissecting the various layers of security evaluations that go far beyond simple box-ticking exercises. In this week's CISSP Cyber Training Podcast, we focus on the importance of rigorous, unbiased evaluations, not only to adhere to industry standards but also to solidify your company's defenses and uphold the trust of your clientele. Discover how internal, external, and third-party assessments each play a pivotal role in an organization's security strategy.

Ever wondered how an external perspective can transform your organization's security posture? I'll navigate you through designing a bulletproof assessment strategy, emphasizing the necessity of a methodical approach to spotlight and prioritize vulnerabilities. The episode peels back the curtain on various techniques and methodologies—from vulnerability scanning to security auditing—each vital in safeguarding your company's assets. By meticulously planning and documenting the assessment process, we ensure that every security measure aligns seamlessly with the overarching goals of your organization, and I'll show you precisely how to achieve that synergy.

Closing out, we tackle the crucial distinctions between security assessments and audits, and why audits are not simply reports gathering dust but are influential documents that command the attention of senior leadership. This episode not only primes you for the CISSP exam but also equips you with actionable insights necessary for making informed decisions post-audit. As a guiding light for your cybersecurity journey, I also highlight the treasure trove of resources available at CISSPcybertraining.com to bolster your exam preparation and practical knowledge. Stay sharp and join me for a deep dive into the world of security assessments and auditing, where every detail matters.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, I'm Sean Gerber, with CISSP Cyber Training, and I hope you all are having a super blessed day today. Today is a great opportunity. We get to talk about some really fun stuff as it relates to security assessments and auditing. Yeah, it's pretty cool. Well, as we talk about CISSP, you're going to deal a lot with security assessments and the various aspects around those. Coming from a previous life that I lived in, you know being working as a red teamer I would do security assessments quite routinely on military installations around the globe, and these assessments would be very protracted in some cases. They also could be very in-depth, and we're going to talk about if you have a business. When you go work for a business as a CISSP, you're going to probably want to either commit some sort of resources towards a security assessment or you may hire somebody to do that for you. So we're going to kind of talk about what would you expect to do as it relates to a security assessment and tests and how that ties into the CISSP exam, because they kind of go hand in hand. The one great thing about the CISSP is, whatever you study for you will end up doing in some form or fashion as it relates to your job, when you get it completed or when you move on to one of those roles. So it transposes very, very well. So we're just going to begin this conversation on how to do audits and security assessments Now, before we do, obviously I will put a shameful plug out there for CISSP cyber training. You need to come out and check out what we've got available for you Some great, great opportunities as it relates to products for you to be able to pass your CISSP exam. So go to CISSP cyber training. Or if you want to just get some free CISSP questions to study and to have a good handle on that, you can go to free CISSP questionscom and you can just get CISSP questions for free. It's up to you. So, as we get started in this, we're going to talk about the audit strategies as it relates to validation, testing and audit and how it's important for you to complete a security assessment. Now, one thing you have to understand this is out of domain six, of the security assessment and testing aspects, and it's a crucial part of the overall CISSP certification because it really helps understand the effectiveness of security controls while understanding if your overall security posture fits for your organization. Now, it does cover a wide range of assessments and testing activities and I will tell you that you will do those. It depends on the company you go work for, but it can be scanning, penetration testing, auditing. You may do one of those, you may do all of those. I would say the scanning piece is probably something you'll see a lot more of, but when it comes to penetration testing, you may or may not do much of that, depending upon the company. Now you may have regulatory requirements that force you to do penetration testing, but that may be something that you may not deal with in the future a whole lot. But you're going to want to make sure that you understand the security measures that are associated with your controls you have, as well as the vulnerabilities that might be available to you because of these systems. So what is the importance of dealing with auditing and testing and assessing. So when you do set up some sort of assessments you want to understand this does play a very strong role in what you do on the effectiveness and the reliability of these assessments and testing processes. So it's important that you have this in place because it does help understand how your overall security posture is set up. Now these strategies will provide you with structured and systematic approach. So, again, it's basically structured means that it's a framework and then a systematic approach is basically how it goes through, step by step by step, to ensure that your security controls are basically are tested, you identify any vulnerabilities you also potentially have any vulnerabilities and weaknesses and then validate the posture of your company. Now, by implementing these strategies, you will identify various vulnerabilities that may happen which could be exploited by potential malicious actors. So you want to make sure that you do these assessments because it will highlight some potential challenges you may have. You also want to evaluate the effectiveness of the controls that you have in place. This includes policies, standards and any sort of regulatory requirement that may be imposed upon you by a company or by an outside regulator that requires you to have some sort of a security assessment completed, especially in the financial industry, you are required to have various levels of security assessments. If you are ISO certified, you may. You will be required to have a security assessment done. Now, penetration tests it leaves it kind of open on if you want to do a penetration test or not, unless it calls it out specifically. But you, depending on the position you're in and depending upon the area of business you're in, you may want to do a penetration test which will focus on a specific area. The other thing around security assessments is that it helps you determine due diligence and established trust with your customers. What does that really mean? Well, when you do these assessments, it makes people, especially if you're like a third party so say, for instance, I'm with my company and I hire a third party to do some sort of work for me. If they do security assessments, even though I may not have a regulatory requirement that forces them to do that, by them completing a security assessment gives me peace of mind that they actually somebody from the outside has looked at their organization. So it does give you some level of trust and helps alleviate potential concerns you may have. Now you have internal, external and third party assessments. Now what? An internal assessment is? Basically the something that is done within your organization could be done by your IT department, could be done by your compliance, could be a combination of both. I've done internal assessments for many, many, many years and those assessments do they highlight with IT, but they also will bring in other parties to help. I've had legal with me, I've had compliance with me, and what they'll do is they will look at one part, I will look at another. We then come together at the end and then have a plan on how we want to address these issues that we determine. The thing is that around those is, they help you understand the policy, standards and regulatory requirements that are there, and then they help you come up with an overall game plan to look for the weaknesses and to address any of those weaknesses with mitigating factors or potentially just to accept the risk. So that does happen, you will. There's been plenty of times where I have found issues with something Now and then I go to the group and what will ends up happening is is we will then accept that risk. We won't necessarily put a control in place due to the fact that it may be too expensive to actually put in the control. So or it may be the situation where that, that system that we did an assessment on is end of life and going away. So therefore, there's no reason to put the money into it at that point. But again, they do help provide a lot of insights. So your internal assessments are probably the one thing that you will do the most of, just because of the easiest to do Now. That being said, they're also you know where all the dead bodies are at. You know where there's problems, whereas you bring in a third party and they start looking at your environment. Now they can find areas that you may have been blind to because you were focused on the things that you knew were wrong and the things that you knew were broken. So there's external assessments. These assessments basically involve an independent third party, such as an external auditor, which could be Ernst and Young, could be Deloitte, could be somebody else, or potentially consultants that you may hire specifically to help you with this assessment. Now, these external assessments provide you an unbiased and objective evaluation of your security posture. They're because they don't have any skin in the game. They do not have to talk to the CIO or the CEO. Therefore, they're going to come in and give you an unvarnished version of what they see, and it does help you gain better external validation. What does that mean? So if you have an external party that's requiring you to have some sort of assessment, it does help validate that. Yes, I had a third party come in. I paid for the third party. They did the assessment. This is what they found. Therefore, you know I will now address those and then those requirements are then met. Regulatory requirements usually use an external assessment at some point. I've done internal assessments on when there's especially during COVID, when there wasn't a lot of ability to do external assessments, but for the most part, that is what they bring to the table. A third party assessment is basically conducted by entities that specialize in security assessment and testing services. So you have external assessor assessors, which may not be maybe a contractor that you hire. That doesn't cover all of the spaces, but then you have a third party assessment where you may be bringing somebody specifically to do a penetration test of your environment. This what happens in these situations is they leverage expertise and specialized knowledge of external security professionals. So they are very specific, very targeted in what they're looking for and therefore they provide a comprehensive evaluation of your overall security controls, identify vulnerabilities and then engage in some sort of recommendation providing that to you. Now, the one thing is that, in many cases, these third party assessments will help meet industry best practices and demonstrate commitment to security clients and their partners. So you really have three, right, you have the internal assessments, you have an external assessment and you have a third party assessment. Okay, so how do you do an assessment and the test that goes with it? So you need to design these basic plan or the strategy around completing an assessment and the test itself. So you need to first thing. There's really basically three areas that you need to consider One assessment, objectives and goals. You need to define the purpose and the scope of the security assessment and the test. This means you have to articulate the goals and objectives that you want to accomplish in this assessment. One of those goals could be assessing vulnerabilities, or it could be the effectiveness of the controls, or it could be just to meet the compliance and regulatory requirements that are associated with it. So you need to define the purpose and the scope of the security assessment itself. Then you need to define what are the assets, systems and processes to be looked at, so you may have a situation where you know what we're not going to focus on AWS, we are going to focus only on on premises, servers that are sitting in X location, maybe to keep the scope small. You need to also understand when you figure out that scope, you need to look at your overall inventory of assets. Now this would include hardware, software, data, any of those pieces to it, because that list of assets will be provided to the, the assessors. You determine the criticality and the sensitivity of these assets and then prioritize those specific efforts based depending upon what you want to actually have accomplished. So again, understanding what you're trying to go after, understanding the assets and then the criticality around these assets, the methodology of this one of the things you want to consider is you determine the correct, the right assessment plan when you go forward this. This plan needs to align with the identified objectives and your goals. So how are you going to attack this? What are you going to do to go after these areas? Now, you may want to consider industry best practices, such as OWASP, which is the Open Web Application Security Project, if you're going to be doing any sort of web application testing. But bottom line is you want to have some sort of best practice. It could be NIST, it could be some other, it could be ISO 270001, if you want to go down that path, most likely you're probably going to stick. If you're in the US, you'll stick with NIST or with OWASP is a really good one for web apps but you'll want to pick something that will help guide you in looking for the vulnerabilities. Now you need to consider the following methodologies when that are used in assessments and testing. So, again, we have vulnerability scanning, we have penetration testing, we have security auditing and we have risk assessments. So the vulnerability scanning again, these are automated tools used to identify known vulnerabilities within the systems. In a previous life I used to be able to I'd have a vulnerability scanner that I would sit in a network and I would run that scanner in a very slow, methodical way not to tip off people that were actually there and also to be able to get this much information from that network as I possibly could. When I do a penetration test, I'm actually simulating these real world attacks, coming specifically at the vulnerability you know focused on a specific vulnerability. So, as an example, I would go after web servers quite routinely and I would try to run exploits against these web servers, but I also would try to look for misconfigurations that would allow me access into the company's network. We talked about auditing already and why it's focused on, specifically on the security policies, and then we assessments. Basically, these help identify the risks that are associated with these various systems. Now the next step you need to do is look at a testing plan and documentation. Now you need to have a test plan because if you try to go out there and just start throwing scanners on, you're not going to get out what you really want to achieve in this overall event. You need to be able to have some level of plan around this. So the objectives, the scope and the timeline of each assessment. So you need to have a plan of what objectives you're looking for, what is the size of the scope and then how fast are you wanting to get this accomplished. This would include the methodologies, the tools and the techniques that you're planning on using on this overall test. You also want to define who has the responsibilities to do. What Do you have a person who's going to? I'll give you an example how this would typically roll out. If you're doing a normal vulnerability type scan, if you're doing the scan well, there's people that know about it, then that's a different approach than if you do ones where people do not know about it. If you have someone that leads the overall exercise, if the organization can know about the scanning, then that person is the conduit, the face of this overall scan, and they're the ones that are talking to any senior leaders or anybody else about what is actually occurring. If there's one that's going on behind the scenes and nobody knows about it, you now have an individual who is listening, watching, waiting for people to start screaming because of the scan, or maybe, if they determine there's somebody on the network, they think and they go, start looking for the scan. This is the face of this overall scanning plan. You then have individuals who are actually going out and doing the overall scans themselves. This could be an automated process or this could be very manual, depending upon if you're bringing in an organization to help you. So you need to document the testing procedures, tools and techniques. You need to capture step by step instructions on how you're going to do these various assessment techniques. Now this comes into documenting the tools, the software, that are used during the assessment. It also helps describe, for evaluation effectiveness is, the controls and the vulnerabilities that are there as well. You also want to have forms, templates, anything else that's in place to help you with these findings and to help world through or understand the overall risks to the organization. Okay, so what are some validation strategies for security assessments and testing? So the objectives will help understand the accuracy and the effectiveness of the overall testing process, and you need to ensure that these assessment methodologies are reliable and capable of identifying the weakness. So, basically, what it comes down to is, if you use a scanner that is looking for a specific weakness, it needs to have the ability to do that. If you try to, as an example of using a scanner, that maybe it is designed specifically to look for user accounts and our user accounts have elevated privileges, but if you use it for a different capability than that, you may not get the same results that you may want. So therefore, you need to use the right tool for the right job. You need to really understand, though, these assessment results. They do reflect the overall security posture of the system. So what does that mean? It means if you scan the system and this system says there's all kinds of vulnerabilities with it, but it is sitting buried within your network and maybe there's firewalls in front of it. Maybe all you did was scan that one system. You didn't scan anything else. All you scanned was it and you found all these issues. But if you don't take into account the other varying security controls that are there, it's not a really good test, because what ends up happening is is yeah, that system that you're you scanned is bad, right, it's broken, it's not going to work or it's going to cause you all kinds of issues. However, to get to it, you basically have to go around the moon and back just to get to it. That's not a really good, adequate test. Yeah, you said the baby that you're testing, the system that you're looking at, is ugly, it's not good. But to get to that baby I say proverbially that system, to get to it, it's almost impossible to do so. So, therefore, you need to really understand the effectiveness of the assessment. You also need to talk about industry standards and regulatory requirements. You need to align to what those are. So we talked about ISO 27001, nist, the National Institute of Standards and Technologies, the CIS benchmarks. You also need to consider payment card industries. So PCI, dss, gdpr. You need to understand the various regulatory requirements out there that you have to comply with and follow. They are coming out routinely. There was a new one that hit Europe just the other day. That one is based around equipment that needs to be properly assessed and ensure that it meets criteria. But the Chinese have them, I know they've. I've seen more of them in the coming out in the United States individually, in the states themselves. So there's more of these regulations that are coming out and they again a regulation doesn't just come out. It takes a long time for these regulatory requirements to actually be validated and be approved by whatever governing body has them. However, if they come out that quick or because they're coming out relative, they're always in the pipeline. There's always one after another after another. It seems like they're coming out very quickly, but in reality they've been in the queue for some time. What that means is you need to pay attention to all these regulations that are coming, that are in the queue, that are coming forward, so that you can help provide a better protection for your company. Quality assurance this, basically, is measures, the standardization of the procedures and the guidelines that you use to conduct security assessments and testing. You want to implement quality control mechanisms. This helps with the integrity and the reliability of the test. So if you don't have a quality control that the test is a fair and solid test, that can cause you problems. You really want to conduct regular quality reviews to ensure the consistency and accuracy of the assessments, and you want to make sure that you use competent assessors to help you through this process Again, people that know what they're doing. Getting a scanner and just hitting the button and having it run is one thing, but to actually you need people that understand the output and the response that's coming from the system, the, the what do you call it? The tool itself, to try to understand how. What exactly am I getting out of that? You also want to encourage people to get certifications and training in this space, especially if you have a requirement, a regulatory requirement, that forces you to have this done. Getting those certifications can be very valuable One. It can help if, from an external party standpoint, if people are requiring you to get some sort of assessment and you have internal auditors that are certified, this will help with alleviate some of the concerns they may have. So it's important that you consider those actual certifications within your company. Now, what are some testing strategies for security assessments that you can kind of look at. Now there's basically three buckets as well. You've got test execution, test data and the environment, and then documentation and reporting. So execution is basically you're following through with the assessment that's occurring. You've identified all the systems, the networks and the applications that are associated with it. One thing to also consider are the processes. So when you deal with AWS or you deal with cloud types environments, there are lots of processes that are going that are running. Just basically, the processes in the past were being run by a computer, but now they're being run by code. So therefore, if you are going to assess a system, especially a cloud system, you need to understand all of the processes that are running in that environment. So, again, you need to really truly understand what are the activities that you're going to be going after and then you need to understand what tools are you going to use to specifically go after these systems. Now, this could include simulating. Or you do want to simulate a real world attack, or do you just want to do a scan of the network? Could it just be a standard TCP IP scan where you're actually going out and scanning and trying to connect to devices? Are you doing an authenticated scan or are your scans unauthenticated? You'll want to decide which way are you wanting to go with that. What is the plan for this specific assessment? You also need to create realistic test data and the overall environments. Now, what does that mean? It means that you may have a situation where are you going to test? In the business network itself. So are you just going to put your scanner, plug it into a port and start scanning, or are you going to pull this system aside in a controlled room and scan it specifically for the vulnerabilities that are in it? Now, depending upon what you're looking for, each of those has their own need. So, as an example, if I know, I have a critical piece of equipment. In the military we used to do this. You would have a one piece of equipment that is a critical piece. Whatever that might be, we would specifically target that specific device and how do I try to break into it? That would be a very single off set off way of testing that system. But in many cases, especially as you're dealing with, as you all going to become a CISSP and working at a company, you will probably scan your entire internal network. Now, depending on the size of your internal network. You may just only scan certain subnets or certain virtual lands V lands that are set up, but you will determine which is the best for you, which is the best course of action for your company. Now, when you're scanning, you do want to ensure that there's confidentiality of the test data. So you're going to get information back. You're going to find out information about IP addresses. Well, depending upon the situation, those IP addresses might be considered a privacy type data. So you're going to want to work with your compliance folks to ensure that whatever scanning you're doing within your network, they are aligned with what the outcome happens. They're also aligned with the data itself where it's going to be stored, who's going to have access to it. Because you want to ensure that that data is protected. Because it's very possible, highly likely, that you're also going to pull up in this scan usernames. You may pull up email addresses. Typically you don't bring in data like if someone's got a Word document that has their all their kids's birthdays on it. You typically don't bring that into the scans. However, it is possible. So you want to make sure you don't just go out and start turning on the scanner at your network, within your business. You want to make sure your compliance and legal and HR are all involved and at least aware of what you're trying to accomplish. You need to also properly document these types of activities. Again, what are the tools that are employed? When did you start scanning? What are the areas, the subnets, what are the network segmentations that you looked at? What are the actual devices you scan? You want to have all of that documented. You also want to be able to have observations. We had a running board that was there when we were doing a scan and if something came up, we would annotate that in the notes section. So you want to have that commentary going. You want to ensure that whatever you're testing, you're actually keeping a good log and a good record of what all of that is. So you want to also make sure that when it's done, you clearly communicate the severity, the impact and the consequences by finding these specific vulnerabilities or weaknesses. Now you're going to want to couch this. You don't want to be one that comes in and says you have all of these problems, you guys are a mess, everything's falling apart. You don't want to have that, but you do want to be able to communicate to them, in a way, to the people that asked you to do this or it may be the people that are the senior leaders in your organization. What actually was discovered, what is the overall risk and how are you planning on mitigating it, or potentially not even mitigating it? So the point is, you want to make sure that you properly set the expectations of what you have found and how is the severity around it, because it can cause a lot of drama if you don't do this correctly. Now, last thing we're going to talk about is audit strategies when you're dealing with this. So we talked about the various, the assessments. Now we're going to talk about audits. Now, when you're talking with an audit again, you have an internal, external and a third party audit. These all focus on the same type of thing. That the thing is with an internal audit. Typically, what ends up happening is is it's focused on the same type of activities as an assessment. However, what it's done now is you actually have formal documentation that you are providing, and this formal documentation may be put into a system that is tracking these audits. So, if I did, I've done security assessments on networks and on systems, the documents provided, the documents given to the CIO. The CIO, then I give them recommendations on how to fix the problem. They then go out and start making changes and then they move on. They take the document, they file it away in some cabinet somewhere and that's it. With an audit, you provide a document. Same concept, overall process is pretty much identical. Now it may have, you may have a situation where the audit may have requirements or scope, that's in a very specific niche that wants you to go in this specific area, focused on this specific product. But what will happen is is now you create an audit report. This audit report typically is tracked. It has visibility beyond just the CIO. It will go up in many cases to your most senior leadership within your company and it may get put into a system that is tracking these types of events. So there are various document management systems out there. But like, as an example, if you had an incident at your facility and let's say you have a manufacturing facility and there was an issue, maybe one of the plant blew up, right, I don't know just trying to come up with some sort of scenario that something bad potentially happened they will. They will go and do a root cause analysis of that area. When that, whatever the findings are of that root cause analysis of that incident that occurred, they will then take that information and put it into a, a document management solution that will keep record of that. So if they ever are audited, if there's ever litigation against them, they have all of this information documented, recorded and kept in one central spot. Same concept with an audit for a cyber type of activities. If you are requested to do an audit, you will complete the internal audit. You will then give them the documentation. The documentation will be entered into this document management solution and then they will have they'll determine on the findings if they want to go remediate these problems. Now, sometimes that audit document will be shared, potentially with regulators, could be shared with legal counsel, depending upon if maybe you're being sued. So it becomes more of a more authorized or more approved document than an assessment and the audit usually takes the overall process to the next level. So, again, you want to make sure that if you have this audit in place or you're doing an audit, you follow very specific criteria and guidelines by which you handle this. External audits same concept as an external assessment. They have a third party that will come in. You may contract with your with a local resource had this happen numerous times, where our facility will contract with a local resource in the area to come in and do an external audit, and then they focus on one area, one specific aspect, they provide them a document, and then they will do something with that. Typically, auditors are more trained than an assessor. I will send out individuals within my company to go do assessments, and they may not have any sort of formal training other than what we've provided them, and they will assess what's there. An auditor will have very formal, very specific training, in which they use that training to help them do a complete and a set, a successful assessment or audit of that environment. So they will use standards, like we've talked about NIST 27,001 and various benchmarks that are out there, and then you will either take their recommendations and use them or not. Now we talk about discoverable, so when we get into the cyberspace, everything is legal. We have to deal a lot of legal stuff when you're dealing with audits. Audits and assessments can be discoverable, which means they can be presented to a court, and they can be used for your defense or for, potentially, for prosecution. The one thing will happen, though, is if you go into a courtroom and you are being sued and they are looking at did you do a proper job with the assessments? The audit and assessment will carry different weight. Now, again, I'm not a lawyer. I don't play in the B1 on TV. I don't play one on TV. I am. This is not legal advice, but it's such an imagination. This is just experience of what I've occurred is that the audit will carry more weight as an evidence than an assessment, because understanding the assessment is looking more broad brush, whereas the audit had very specific needs, very specific requirements going into it. Then, lastly, you've got your third party auditors. These are the folks who are E and Ys, your Deloitte's and so forth, and they are contracted to come in and do an audit and to provide you results. Typically, these are done and they are very expensive. They are not cheap. If you do a third party audit within your company, in many cases they're done because of external requirements based on a regulatory, or maybe a vendor is requiring you to have an audit. Most companies will not pay for an audit, especially by a third party, just because they want to have a third party audit them. The cost can be hundreds of thousands of dollars to have this done. Therefore, it's important that if you do get these auditors to come in and do something on you, you take the information they provide you and you actually do actionable actions against it, because the amount of cost that goes into having a third party come in and do an assessment or do an audit of you is huge. It costs a lot of money. That's just one thing you'd kind of want to consider. Okay, that is all I have for today. Again, go out to CISSPcybertrainingcom. Check out what's there and available to you. We talked about audit strategies, assessments today and this is out of domain six. You can go to CISSPcybertraining and you can get all eight domains, plus CISSP questions, plus study tools. The CISSP blueprint is available for you that will walk you through step by step what you need to do to study for the CISSP. One thing I did not have when I was studying for the CISSP exam I'll tell you right now. I've got folks that are doing it and they love the blueprint. They're actually so thankful that the blueprint is there because it's giving them those step by step instructions. Lastly, all my podcasts, all the training I've done, is available at CISSPcybertraining. You can have all of that available to you to help you pass the CISSP exam? I didn't have that, didn't even have anything close to that. Don't do what I did and just try to cram the book and try to regurgitate it. It will not work for the CISSP exam. You need to know this information. Go to CISSPcybertrainingcom and you can get everything you need to be successful to pass the CISSP the first time. Have a great day, everyone. We will catch you on the flip side, see you.