CCT 290: CISSP Rapid Review Exam Prep (D7) - #1

Oct 30, 2025
 

Headlines about a massive F5 Big-IP exposure aren’t noise—they’re a masterclass in why Security Operations must be disciplined, fast, and auditable. We open with what the F5 situation means for enterprise risk, patch urgency, and long-term persistence threats, then shift into a practical, exam-ready walkthrough of CISSP Domain 7. The goal: help you think like an operator and answer like a pro when pressure spikes.

We map investigations from preparation to presentation, showing how evidence collection, handling, and chain of custody turn raw logs into defensible findings. You’ll hear how live versus dead forensics trade-offs play out, which artifacts matter across endpoints, networks, and mobile, and why standardized procedures keep teams synchronized. From there, we connect visibility to action: IDS and IPS for detection and control, SIEM for correlation and retention, and egress monitoring to catch data theft and command-and-control that slip past perimeter thinking. Threat intelligence and UEBA add context and behavior baselines so you find the meaningful anomalies without drowning in alerts.
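As an added example (this is not code from the podcast or the show notes), the following Python sketch shows what "handling" and "chain of custody" look like in code: each evidence item is fingerprinted with SHA-256 at acquisition, and every custody event is linked to the previous one with an HMAC, so that an entry that is edited, dropped, or reordered after the fact is detectable. The HMAC key, the item identifier, and the sample log bytes are constructed for the example and are not from any real host.

```python
"""Evidence manifest with a tamper-evident chain of custody.

Added example: not code from the podcast. The HMAC key, item IDs, and sample
evidence bytes below are constructed for illustration; a real deployment keeps
the key in an HSM/KMS and writes the manifest to write-once storage.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Placeholder key for the example; rotate and protect it in production.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    """Content fingerprint taken at acquisition; recomputed later to prove integrity."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    action: str      # e.g. "acquired", "transferred", "verified"
    actor: str       # person or system performing the action
    timestamp: str   # ISO-8601 UTC from a synchronized clock
    prev: str        # link to the previous entry (the content hash for the first one)
    mac: str         # HMAC over this entry and prev; an edit or reorder breaks it


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source: str
    sha256: str
    size: int
    custody: List[CustodyEvent] = field(default_factory=list)

    def entry_mac(self, action: str, actor: str, timestamp: str, prev: str) -> str:
        msg = json.dumps([self.item_id, action, actor, timestamp, prev]).encode()
        return hmac.new(MANIFEST_KEY, msg, hashlib.sha256).hexdigest()

    def record(self, action: str, actor: str, timestamp: Optional[str] = None) -> CustodyEvent:
        """Append a custody event that is cryptographically linked to the previous one."""
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.custody[-1].mac if self.custody else self.sha256
        ev = CustodyEvent(action, actor, ts, prev, self.entry_mac(action, actor, ts, prev))
        self.custody.append(ev)
        return ev

    def verify_content(self, data: bytes) -> bool:
        """True if the bytes still match the fingerprint taken at acquisition."""
        return hmac.compare_digest(sha256_hex(data), self.sha256)

    def verify_chain(self) -> bool:
        """True if no custody entry was altered, dropped, or reordered."""
        prev = self.sha256
        for ev in self.custody:
            if ev.prev != prev:
                return False
            expected = self.entry_mac(ev.action, ev.actor, ev.timestamp, prev)
            if not hmac.compare_digest(expected, ev.mac):
                return False
            prev = ev.mac
        return True

    def manifest(self) -> str:
        """Serialized record handed to counsel alongside the evidence itself."""
        return json.dumps(asdict(self), indent=2)


def acquire(item_id: str, description: str, source: str, data: bytes,
            actor: str, timestamp: Optional[str] = None) -> EvidenceItem:
    """Fingerprint the evidence and open its chain of custody in one step."""
    item = EvidenceItem(item_id, description, source, sha256_hex(data), len(data))
    item.record("acquired", actor, timestamp)
    return item


# Constructed sample evidence: a few auth log lines, not from a real host.
SAMPLE_LOG = (
    b"Oct 30 02:14:07 web01 sshd[4211]: Failed password for root from 198.51.100.23 port 51022 ssh2\n"
    b"Oct 30 02:14:09 web01 sshd[4211]: Failed password for root from 198.51.100.23 port 51022 ssh2\n"
    b"Oct 30 02:14:12 web01 sshd[4219]: Accepted password for deploy from 198.51.100.23 port 51030 ssh2\n"
)

if __name__ == "__main__":
    item = acquire("EV-0001", "auth.log excerpt", "web01:/var/log/auth.log",
                   SAMPLE_LOG, "analyst.a", "2025-10-30T02:30:00+00:00")
    item.record("transferred", "legal.b", "2025-10-30T09:00:00+00:00")
    print(item.manifest())
    print("content ok:", item.verify_content(SAMPLE_LOG), "chain ok:", item.verify_chain())
```

The content hash answers "is this the same file we collected?"; the linked HMACs answer "has the custody record itself been touched?". Both checks are needed, because a manifest that only stores file hashes can be rewritten by anyone with write access to it.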

We also dig into the operational backbone that keeps environments stable: configuration management, security baselines, and automation to eliminate drift and reduce manual error. Then we anchor on foundational principles—least privilege, need-to-know, separation of duties, job rotation, and PAM—to limit blast radius when credentials or processes fail. Finally, we close with resource protection and media management: classification, encryption, verifiable backups, and secure disposal and transport, so your controls hold up under legal scrutiny and real-world adversaries.
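As an added example (not from the podcast), here is what "baseline" and "drift" mean in practice for one system type. The baseline is an illustrative sshd hardening standard chosen for the example, not taken from any particular organization; the sample configuration is constructed, with two settings drifted and one never set. The comparison generalizes to any key-value configuration, and the parser also accepts the lower-cased output of `sshd -T`, which dumps the effective configuration of a running daemon.

```python
"""Compare a running configuration against a security baseline and report drift.

Added example, not from the podcast. BASELINE is an illustrative sshd hardening
standard and SAMPLE_CONFIG is constructed; substitute your organization's real
baseline and the output of `sshd -T` on the host being checked.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# key -> (rule, expected). Rules:
#   "eq"  value must equal expected (case-insensitive)
#   "in"  value must be one of expected (case-insensitive)
#   "max" integer value must be <= expected
BASELINE: Dict[str, Tuple[str, Union[str, int, set]]] = {
    "PermitRootLogin":        ("eq", "no"),
    "PasswordAuthentication": ("eq", "no"),
    "PermitEmptyPasswords":   ("eq", "no"),
    "X11Forwarding":          ("eq", "no"),
    "MaxAuthTries":           ("max", 4),
    "LogLevel":               ("in", {"INFO", "VERBOSE"}),
}


@dataclass(frozen=True)
class Finding:
    key: str
    observed: Optional[str]   # None when the setting is absent
    expected: str
    reason: str               # "missing" or "mismatch"


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines (sshd_config or `sshd -T` output).

    Keys are lower-cased so both spellings compare equal. The first occurrence
    wins, matching sshd's first-match semantics; comments and blanks are skipped.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def describe(rule: str, expected) -> str:
    """Human-readable form of a baseline rule for the drift report."""
    if rule == "eq":
        return str(expected)
    if rule == "in":
        return "one of " + ", ".join(sorted(expected))
    if rule == "max":
        return "<= %d" % expected
    raise ValueError("unknown rule: %s" % rule)


def check_drift(config: Dict[str, str], baseline=BASELINE) -> List[Finding]:
    """Return one Finding per baseline setting that is absent or out of policy.

    An absent setting is reported even though the daemon default might happen to
    comply: the baseline requires it to be set explicitly so drift stays visible.
    """
    findings: List[Finding] = []
    for key, (rule, expected) in baseline.items():
        observed = config.get(key.lower())
        if observed is None:
            findings.append(Finding(key, None, describe(rule, expected), "missing"))
            continue
        if rule == "eq":
            ok = observed.lower() == str(expected).lower()
        elif rule == "in":
            ok = observed.upper() in {str(e).upper() for e in expected}
        elif rule == "max":
            ok = observed.isdigit() and int(observed) <= expected
        else:
            raise ValueError("unknown rule: %s" % rule)
        if not ok:
            findings.append(Finding(key, observed, describe(rule, expected), "mismatch"))
    return findings


# Constructed sample: two settings drifted, PasswordAuthentication never set.
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt, not from a real host
Port 22
PermitRootLogin yes
MaxAuthTries 10
LogLevel INFO
X11Forwarding no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for f in check_drift(parse_config(SAMPLE_CONFIG)):
        print("%-22s %-8s observed=%r expected=%s" % (f.key, f.reason, f.observed, f.expected))
```

Run on the sample, the report lists PermitRootLogin (mismatch), PasswordAuthentication (missing), and MaxAuthTries (mismatch); the remaining settings meet the baseline. Scheduling this comparison, rather than running it once at provisioning, is the part that turns a baseline into drift detection.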

Whether you’re tightening controls after the F5 news or sharpening focus for the CISSP, this guide to Domain 7 gives you a clear, actionable path. If this was helpful, follow the show, share it with a teammate, and leave a quick review—what Security Operations topic should we explore next?

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

TRANSCRIPT

SPEAKER_00:  

Welcome to the CISSP Cyber Training Podcast. We provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber. I'm your host of this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cyber career. Alright, let's get started.

SPEAKER_01:  

Good morning, everybody. It's Sean Gerber with CISSP Cyber Training, and I hope you all are having a wonderfully beautiful day today. Today is, yes, Monday, and we are going to be talking about different aspects around the CISSP. Typically we would go over a domain, but today we are going to be going over the rapid review for Domain 7, Security Operations. So that's the plan. But before we do, I wanted to highlight this article that I saw today. This was in BleepingComputer, and they had over 26,000 F5 BIG-IP instances exposed to remote attack. So what exactly is BIG-IP? If you haven't seen this, I assume that if you're a security professional, you've probably been alerted to this at some point in the past week. But this is a huge deal. And when it comes down to big areas, you always hear people saying, especially in the media today, that yes, everything is a big deal, and they make a humongous monster deal out of almost everything. But this is pretty big. And the reason I say that is because it's F5s, and F5s are pretty much ubiquitous in infrastructure and the protection of various enterprises throughout the country and throughout the globe. Now, BIG-IP is their software suite that is designed for security and management and all those different aspects around it. And so it's a pretty big deal if someone was to gain access to it. Well, the Shadowserver Foundation has identified over 26,000, or I shouldn't say 26,000, 266,000 F5 BIG-IP instances exposed to the internet. Now, being exposed to the internet does not mean that they are all vulnerable. However, when this came out, it was such a big deal because it leads to a long-term, persistent kind of connection to your network. So that's why the F5 is such a humongous monster deal.
So now supposedly there are about 142,000 of those in the United States. The rest are distributed across Europe and Asia. So this is pretty substantial for F5 as a whole. They need to be aware of it, and obviously they are aware of it, and they've been pushing out new patches to deal with this situation. So, what are the details around this? Well, F5 disclosed that nation-state hackers had infiltrated their systems, gaining access to portions of BIG-IP source code, as well as information on undisclosed, basically not yet publicly known, vulnerabilities. They say so far that there is no evidence that any of the stolen vulnerabilities have been used in attacks. Again, that's what they know, and this can all change very, very quickly. And they're not going to come out and tell you that they know of these vulnerabilities having been stolen until they feel confident that they have not been stolen. Or until they have been stolen, I should say. They've rotated their certificates, they've hardened access, and they're improving their monitoring as well. They've pushed out patches as much as they possibly can. And this is the part that just blows my mind: they've released patches addressing 44 vulnerabilities. 44. Not one or two or ten. We're talking 44. That's a large number of vulnerabilities. These are also the ones that have allegedly been stolen at this point. So CISA, the Cybersecurity and Infrastructure Security Agency, is quite concerned about this, especially since many of the customers that have F5s are US-based or very, very large organizations. So if it's compromised, basically what it comes down to is that attackers can access your internal networks for lateral movement, obviously. And then API key theft could occur, as well as persistent backdoor installation. So the end of that is pretty bad.
And I'll tell you, of all these big issues that occur within our environments, it's why this is very challenging. The one thing that I think is interesting is that between this, SolarWinds, and all these other aspects that have occurred within the various network infrastructure for the United States and for the globe, these nation states, whoever they may be, are putting themselves in a position where they can basically execute an attack if they feel it is necessary. I would do it if I was them, and I'm sure that the United States and other governments have done this to them as well. We can only assume it's this tit-for-tat kind of Cold War type activity. But if you do have F5s within your environment, you need to get those updated if you have not already done so. I would even recommend that if they are in critical positions within your network, you may want to consider ripping and replacing these systems as well. I know it's a huge expense and it takes time, and you have outages, and you have all of these different areas that go into it. But it's a huge deal. It's a big deal, and it's going to cause a lot of challenges for the F5 team going forward. It's really a bad thing. So I wanted to make sure that you all were connected with that. Again, this is off BleepingComputer. You can go to F5 specifically, and you can see K001154696, which is their security incident where they have put out information around it. So you can head on over to F5 and they can give you that information as well.

Okay, so let's get started on what we're going to talk about today. This is CISSP Rapid Review Exam Prep, and this is for Domain 7. So if you are connected with CISSP Cyber Training, you know that we are big into providing a lot of free content for you all.
That's the ultimate goal: to provide enough information you need to pass the CISSP the first time. But along with that, I wanted to provide you all a rapid review exam prep for the various domains within the CISSP. You can get all of these at CISSP Cyber Training; it's part of my free content that's out there. These are designed specifically to help you with the last final mile of exam prep. What that means is that you've already gone through a lot of the training, and hopefully you've gone through CISSP Cyber Training, but you've gone through a lot of the training, whatever you've found, and now you are ready for the final throes. This is a great way for you to understand what the things are you need to be aware of. And as we go through this rapid review exam prep, you realize, okay, do I have everything I need? And then you hear this and you go, wait, I missed that. Let's go back and look at that again. That's the purpose of the exam prep. Each of these preps is anywhere from 30 minutes to potentially an hour long, but they're designed specifically to help you with the overall exam.

So let's do a question breakdown per domain. If you look at the slide, and if you're listening to this on any of my other training, you'll know that Domain 7, Security Operations, is 13% of the questions. So 13% of overall questions are going to come from Security Operations. So what does that mean? It really just means that they're all about the same amount. If you look at the slide, Domain 1 is 15, Domain 2 is 10, and so on and so forth. Now, I will say that the majority of the content comes from Domain 1 and Domain 7 for the CISSP exam. I say the majority of the content; the questions are actually spread out, but a big chunk of the content that you will have to learn is in Domain 1 and Domain 7. Now, you can get all these free resources at CISSP Cyber Training.
I've got weekly podcasts, I've got a study plan, I've got over 360 study questions, as well as all the rapid review videos. I have blogs, YouTube content. It is all at CISSP Cyber Training. There's so much content out there, in some cases probably too much for you all to try to get at one time. But if you're trying to prep for the CISSP, it is everything you need to study for the exam. It really has it all. When I took the CISSP, I didn't have this. This is designed specifically for you. If you really want to get the deep dive, the boot camp type of experience, you want to go to the paid resources. There's over 50 hours of CISSP video content and 1,500 questions. I've got audio and video, all curated for you in a step-by-step format, as well as the deep dive topics, along with a 250-question final exam, all available for you in my paid resources. If you also need some sort of virtual CISO or IT leadership consulting, you can get this at CISSP Cyber Training or through some of my partners, such as NextPeak, Reduce Cyber Risk, and many others. So again, that is the question breakdown per domain.

So we're going to start off with Domain 7.1, and this is understanding and complying with investigations. Evidence collection and handling. What does that mean? Well, you're now in the middle of an investigation, collecting and handling information. What should you do? There's a process by which you need to do this to ensure that you complete it correctly. Collection is the process of acquiring potential evidence from various sources, i.e., logs, disk images, memory dumps, network captures, etc. This is where you collect all this information and you store it in a place that will be protected. Now, handling is maintaining the integrity and authenticity of the collected information through strict chain of custody procedures.
So you're going to want to have this defined. And again, I'm going to speak to you as if you are a security professional, which most of you are, but a security professional who needs to set this up within your organization. As I talk to you about real-world knowledge around this, it will make sense how you can answer these questions. So for the handling and the collection, you need to have a way to collect it: through logs, through a SIEM, through some sort of network packet capture capability. Then all that information is captured and put into a storage location, and it should be properly handled, so that if the legal team comes to you and says, can I have this information that you have, you have it available to them, and you know that the way you've stored it and protected it, no one could have tampered with the information. That reduces down to the number of people that can actually have access to the data. It should be dramatically limited. Who can actually put data in there should be limited, and who has read-write access to that information as well. Now, the preservation piece of this is ensuring that the evidence is stored securely and unchanged to be admissible in legal proceedings. So all of this is preserved. And when we talk about preservation, it isn't just for a week, two weeks, maybe ten weeks; it could be indefinitely, or most likely years. So you want to make sure that you have a good strategy around protecting and preserving this information for a significant amount of time.

Reporting and documentation. Reporting is where you're creating clear, concise, and accurate reports detailing the investigation's findings, methodologies, and conclusions. Now, in anything else that you do in the cyber world, or even anyplace else, it seems like there is some level of reporting or documentation that goes with it.
And this is where you meticulously record all the steps taken, the tools used, and the observations made during the investigation to ensure it's repeatable and auditable. The point of this is you collect this information, you take notes on it, you then store it in a location, and these notes that you've taken follow a specific format so that it's easy to read, easy to understand, and can be admissible in court as needed. So all of the documentation needs to be protected. You also need to make sure that you are working with your general counsel or legal counsel of some kind to ensure that this is protected, or at least that they're aware of it, and most likely if you're collecting information, they are aware. But you're going to want to make sure that they are aligned with your thought process in how you're actually storing this information and keeping it long term.

Now, investigative techniques. This is preparing, identifying, collecting, analyzing, and presenting. These are five different techniques that you're going to need to be aware of for the CISSP and for your long-term security future. Now, when you're preparing, you're establishing a forensics toolkit. Policies, that's a key term. You've got to have some level of policies involved, as well as trained personnel. You need to prepare for this ahead of time. Identification is where you're recognizing that an incident has occurred and you're identifying potential evidence sources. This is where you have the different types of evidence coming in. How are you going to identify it? How are you going to prep it? How are you going to have it ready? A good example, well, I don't know if it's good, but it's an example, is from the BTK killer. If you're not familiar with that, that was a mess that happened here in Wichita many, many years ago.
A friend of mine actually was part of the investigation that caught the individual who did that. In the process of doing that, they had a very meticulous way that they kept and stored all of the information, how they identified it, and then how they would present it to legal counsel. Collection is acquiring the evidence in a forensically sound manner. So, what does this mean? It means that you have processes and procedures on how to collect the information. You might be using regular network type tools to collect the information; however, you then have the process by which, when you collect it, you know what you do with that information and how you store it. That's an important part of all of this. And it's an auditable thing that you're going to want to make sure that you complete, because people will ask you how you collected it. If you have a documented process, they are much more likely to feel confident that they have a good case going forward. If you don't collect it that way, if it's just willy-nilly, yeah, I grabbed some PCAPs here and I did a little there, that will not go well with the lawyers and with legal counsel. Analysis: this is examining the collected evidence to reconstruct events, identify root causes, and determine the overall impact. Presentation is reporting your findings clearly and concisely to all the stakeholders, which could be leadership, could be legal counsel, could be the CEO. You don't really know who it's going to be. It could actually be outside counsel, depending upon whether you're working with an outside legal team on this as well. So, again, you've got preparation, identification, collection, analysis, and presentation. These are all the investigative techniques that the CISSP will ask you about, or I should say the ISC2 test will ask you about.

Digital forensics tools, tactics, and procedures. So, tools, tactics, and procedures.
Your tools are the software and hardware used for forensic analysis, i.e., disk imaging tools, memory analysis tools, network analyzers, specialized forensic workstations, etc. All of those pieces are there for you, and you're going to need to have tools available. If you do not have this, you want to outsource it to a third party who will do this for you. You may not want to keep, one, the manpower and, two, the expense of having these various software tools around. But if you don't have that, you'll again need to make sure that you have a third party on retainer that you can contact when you need it in the event of an incident. Tactics, these are the strategies employed during the investigation. This would be live versus dead forensics, timeline analysis, and artifact correlation. How are you connecting the dots? How are you putting things together? This may be where you're initially just collecting the information and you're not figuring out the tactics until you start going back and reanalyzing the information. But you also need to understand live versus dead forensics. What does this specifically mean? It means that if you are looking at a product that is taken off the network, it's not live on the network. They call it dead, but you can call it whatever you want. It's just not on the network, and that would be something where you wouldn't be seeing it live as it's streaming. Whereas if it is getting live updates and live PCAPs going on the network immediately and that is being stored, then that would be a live situation. And again, you have to decide what is the best solution for you. One thing I've run into putting in packet capture tools is that you have to be very careful with where the data is actually traversing the network. If it is going through certain areas, packet capture tools can be much more useful.
A lot of times people will put them on the perimeter, and they're not as useful there because, for one, there's just so much data, and two, not all the traffic is as narrowed down in those areas. It's just gobs of data. So you need to consider where you want to put listening devices. Procedures, these are standardized, repeatable steps for conducting forensic examinations to ensure consistency and validity. You want to ensure that you have procedures in place to manage this, and you want to make sure that they're available for people, your forensics team, so that they can ensure some level of consistency and validity.

Artifacts. This is computer artifacts, network artifacts, and mobile device artifacts. Computer artifacts are data remnants found on computers, i.e., file systems, metadata, registry entries, browser history, event logs, and memory contents as well. So it's all the things that are found on your specific computers. As we get into more of a virtual type environment, that changes a little bit, but you need to understand from a hardware standpoint where all this information is stored. Network artifacts, this is where data is captured from the network traffic, i.e., NetFlow, packet captures, firewall logs, DNS logs, etc. These are all the different types of places, like I mentioned with a PCAP, where you would store this information. And then your mobile device pieces. We all know about 70% of all of your internet traffic goes over mobile devices at some point. So you're going to want to make sure that you have mobile device protection in place and that you can collect data on these mobile devices. Now, with all of these, especially the mobile device piece, if you allow a bring-your-own-device type of solution in your environment, you're going to want to make sure you have legal counsel around what you can collect and what you cannot.
You want to have policies in place on what you can collect and what you cannot. This includes call logs, SMS, GPS, app data, images, and videos. All of that information needs to be properly stored and collected. And because of that situation, you need to make sure that the employees that are using these devices are aware of your policies. Now, they don't necessarily need to know what you're collecting, and I actually would not recommend that they know what you're collecting, but I would work with your legal counsel to come up with draft policies to ensure that they understand that their information is being collected and their activities are being collected in some form or fashion. So, again, mobile devices are a big factor. I highly recommend, if you do not have an MDM solution out there right now, especially if you're dealing with BYOD, that you have something in place. Now, again, it can get very hairy, very squirrely when dealing with this, but it can be done. I did it. It works well, and you just have to consider, okay, if these people do things wrong, can I collect or confiscate their devices? In some cases, yes. In some cases, that might be a bit more of a challenge. But it also could be just more of a veiled threat that actually isn't going to happen. So again, that's Domain 7.1.

Now, 7.2, conducting logging and monitoring activities. What is this? So, intrusion detection and prevention. We've mentioned that a lot in CISSP Cyber Training. There's a lot of this available, but what is it? You're basically collecting information from these IDS and IPS systems, and you're looking for any sort of malicious behavior that might be occurring. The IDS will identify and alert on suspicious activity, and the IPS will actively block or modify traffic in real time. So this is a big factor, right? You've got a problem, you've got malware in your environment, and it's doing bad stuff.
Well, your IPS can shut it down. It can take it out. Yes, but then it also could take out your business too, because it then creates an internal denial of service, which is not fun or good, but it might be necessary depending on how bad the situation is. But the intrusion detection and prevention systems are there; they're available for you. They can collect all kinds of data as a network type tap. And I would highly recommend them. I dealt with network taps off of these devices, and I would shunt the data; I would move the data to another tool to analyze it. So you can use these types of hardware tools for that capability. You may have to put in network taps in various locations as well, outside of these IDSs and IPSs, but they can work in a pinch to at least give you the information you need.

Security information and event management, SIEM. This is a centralized platform that aggregates, normalizes, and correlates security logs and event data. It's basically the brains where all the information goes into, and then it is analyzed by your analysts. So it's the SIEM, and you'll hear that term used a lot in my training and pretty much anywhere out on the web in any sort of content that you might see. This provides capabilities for alerting, reporting, dashboarding, and long-term storage of security events. All of that is available to you when you get a SIEM in your environment. Now, do you need to buy a SIEM? I will tell you, if you go and buy this yourself: one, it's expensive to just have it internally on your own. Two, you have to buy the people, or pay for the people to work for you, to manage the SIEM. That's expensive as well. And then you've got to have the ongoing tools and the log aggregation and storage, which is also expensive. So all of these things going together can get really, really pricey if you bring it internally.
If you outsource this to an external party, then it becomes a much more manageable process. It's still expensive, don't get me wrong, but it is a much easier process than having it internal, unless you need it internal for your organization. Continuous monitoring. This is the ongoing process of collecting, analyzing, and reporting security information to maintain a posture of awareness. So you want to make sure that you have all this information going into one central log source. Or, wow, one central, you say one. You're going to have lots of log sources that are going to be brought into one area, and that would typically be your SIEM. This includes monitoring systems, networks, applications, user behavior, and compliance status. All of these things would go into your SIEM or into your storage locations. Egress monitoring, this is the practice of monitoring and analyzing all outbound network traffic from internal networks. So it goes through your proxy in many cases. You may have this information leaving. You want to monitor what's going outbound because, what happens? The bad guys and girls will use the outbound connections to basically exfiltrate your data out to their location. So again, the mothership starts sucking data back from your company, and you will want to monitor your outbound egress. This focuses on detecting and preventing exfiltration, command and control communications, etc. So, again, all these are big factors when dealing in the egress monitoring space. Log management, this is the process of generating, collecting, storing, retaining, and disposing of security logs. So you want to have a good log management plan in place as well. And this log management aspect will be about what your policies are around the storage of log data.
Log data is typically extremely expensive, and you want to have a good plan on how you're going to, one, collect the log data, two, maintain it, and lastly, destroy it. Because you don't need logs forever. You just don't. Now, in some cases, when you're on legal hold, you may, but in most cases, you do not need the logs to last for a generation. So therefore, you need to have a good policy around this. Now, the key principles include centralization, time sync, normalization, and integrity. All of those fall into the log management process.

Threat intelligence. This is where threat feeds, threat hunting, and so forth all come in, and this is when you're dealing with your indicators of compromise. It's around contextual knowledge of existing and emerging threats, including their capabilities and the infrastructure they may have to be able to attack you. So understanding, if it's a nation-state threat, then how does that look? If it's just Billy Bob down the street, what does that look like? Is Billy Bob interested in my business? Maybe. Is Billy Bob interested in moonshine? He is. And if you are a moonshine distributor, then he might be interested in you. But if you are a nonprofit helping pregnant women in Africa, Billy Bob probably doesn't care a whole lot about you. So there are just different things about that. This involves automated threat feeds, your IOCs, and proactive threat hunting to detect advanced threats. So again, threat intelligence, big factor. I brought up the pregnant women in Africa because we are part of a nonprofit that helps women. It's called Mercy for Mamas. Highly recommended if you want to help them. Great place to go help. They actually provide supplies for women that are having children. And there are actually high rates of death of children in Africa just due to basic things. So it's a really good program. I highly recommend you go check it out. Mercy for Mamas.
All right, user and entity behavior analytics, UEBA. This is a security solution using machine learning to establish baselines of normal behavior for users and entities. This detects deviations from these baselines, flagging anomalous activities and indicating insider threats or compromised accounts. So again, UEBA is a big factor. I've dealt with this in various aspects of my career with the insider threat. UEBA is a great tool that can help you understand what some of your employees are doing and what they are doing incorrectly. Yes, UEBA is a big deal. I would highly recommend you roll that through your organization if you have not already. There are some great products out there that can help you.

Platform configuration management, or CM. This is a systematic process of managing and controlling changes to the configuration of hardware, software, firmware, documentation, and other assets. That's a mouthful. But the point of it is that you have to have a plan in place to deal with configurations within your network. This includes hardware, software, firmware, and the overall documentation as well. This ensures that systems are configured securely and consistently across your company. A good CM platform and process is imperative for your company. If you don't have this, you need to really look at deploying it. So CM, big deal. Provisioning, this is the process of setting up and configuring new systems, applications, and services according to predefined security baselines and organizational standards. Your organization should have a provisioning process in place so that if a new person comes into your organization, they then get a computer. How do they get the computer? How do they get provisioned access? How do they get provisioned the mouse? How do they get access to the various SharePoint libraries? So on and so forth.
There should be a setting up and configuring of new systems and accounts to help them with this. This involves installing operating systems, applications, agents, you name it. So there should be something where you just click a button and you go. Baselines, these are defined minimum security configurations and settings that all systems or specific types of systems must meet. And this serves as a secure starting point and a reference against which future configurations are compared to detect drift. Basically, the baseline is designed so that you say, these are my security baselines, and these are my normal maintenance baselines, and you meet these minimum security configurations for your systems, and therefore that's why when they get rolled out, they already have these set up, and you don't have to go in and manually do each one of them. These must be met in each situation. So, an example of this: I would have people that would bring in applications and they want to install applications within their network. I would say it has to meet this set of minimum security expectations before you can install this application in our network. I also would go to them ahead of time saying, before you even look at the application, you need to have it consider these minimum security applications. I've had it many times where a person has bought the application, come to me to install it, and I'm saying, sorry, you can't install that. And they're like, I just spent gazillions of dollars on this. Well, yeah, you should have asked. And by the way, here's this thing. And oh, by the way, we cannot put it on this network because it's just full of bad stuff. Yes. Then it becomes a very interesting conversation with them and usually the CEO. It's really great, it's an enjoyable time. But it serves as a secure starting point and a reference against which future configurations are compared to detect drift.
Automation, this is where you're utilizing tools and scripts to automatically provision, configure, and manage systems based on codified policies and baselines. It reduces human error, increases efficiency, and ensures consistency, allowing for the rapid deployment and remediation of anything that occurs. Yes, automation is a big factor. And realistically, you want to first get the baselines in, and you want to get some level of provisioning in. Once that's in and operational, you need to consider how you automate it as quickly as you possibly can. Automation is a huge factor in any sort of ongoing IT space. Now, applying the foundational security operation concepts, domain 7.4. Need to know and least privilege. Yes, you need to know this because it's need to know and least privilege. Now, need to know, this is where individuals are granted access only to the information or resources absolutely necessary to perform their duties. If you don't have the need to know this information, you shouldn't have access to it. The military works very well in this, but it should be considered in any organization that you are part of. Least privilege is where individuals are granted the minimum level of access permissions required to perform their job functions and no more. That is the overall least privilege. These principles work together to limit the potential impact of a compromised account or insider threats. I dealt with this a lot with the insider threat programs I would put in place. And this is about what does this person need to know within your company? And is this a situation where they are basically having the least amount of privileges they possibly can for their company? Separation of duties and responsibilities. Separation of duties is where you're dividing critical tasks or responsibilities among multiple individuals to prevent any single person from controlling an entire process that could lead to fraud, error, or misuse.
So the responsibilities around this are that you're trying to avoid someone who is, for example, the money mover, a person who can send money outside of your company to another organization. And if they can do that and send money to another organization, then they have the risk that they could just send it to themselves. So you usually have a second or potentially even a third person involved to do checks and balances to ensure that this money is sent to the right location and that someone isn't enriching themselves. Responsibilities, this is where you're clearly defining and assigning accountability. And the accountability needs to be what are some of the things that can happen to you if you fail your accountability for these various security tasks and controls, to specific individuals or teams. We had people that worked on the money side of the house and security, and that's all they did. But we had a job rotation policy that would move them out of that role, and someone else would go into that role specifically. And therefore, what ends up happening is now you can see if someone was moving money around. Now they don't know when they have to move out, they just know that they have to move out at some point. So it's designed to be very much spur of the moment. This reduces the risk of collusion and also ensures checks and balances. Privileged account management, or PAM. Yeah, this isn't the spray that you put on your pans. This is PAM, privileged account management. What is that? Well, that is when you're dealing with accounts such as your domain admins, your service accounts, and this is a comprehensive management of accounts that have elevated permissions across systems and applications, such as administrators and service accounts. This is where you'll store this stuff and put it into a product that can be used to protect it; CyberArk is a good example of that.
It involves securing, monitoring, and controlling access to these accounts through vaulting, session recording, and just-in-time access. So you've got your vaulting, where it's put in a vault and you have to check it in and check it out. Your sessions, when you're going in and pulling the accounts out, are being recorded, and then your just-in-time access, where it's being sent to your computer or sent to the system for you to gain access. And then once you're done doing what you need to do, then access is removed and the passwords are changed. That's your just-in-time piece of this. Now, job rotation, I mentioned this just briefly earlier. This is where you're periodically rotating employees through different job roles and/or responsibilities. It helps detect potential fraud or misuse by preventing any single individual from having prolonged, unchecked control over a critical process. It serves as a cross-training benefit and increases your organizational resilience as well. So this is job rotation. Highly recommend it in areas where you have a lot of people that have access to some significant information. Job rotation is a very good place to be. Service level agreements. This is where you have formal contracts or agreements that define the level of service expected from a vendor or internal department. Now, for security, SLAs often include metrics for uptime, response times for incidents, and patch application timelines. So you may have an SLA with an MSP. Whoa, that's some acronym soup. Your service level agreement and your managed service provider. They are the ones that you'll probably have these SLAs with. And you may have that set up where a certain amount of uptime is required for these systems. How fast do they respond in the event of an incident? Maybe they do, maybe they don't.
Do not assume that they are going to respond to an incident, because if you haven't built that into your SOW, then you probably don't have it. So you'll need to consider what that entails. It ensures external and internal service providers meet defined security and operational performance benchmarks. All of those pieces are a key factor in your service level agreement. Domain 7.5, apply resource protection. So we're gonna get into media management. This is the process of controlling, tracking, and securing all forms of information storage media, such as hard drives, SSDs, USBs, you name it, all those things. How are you gonna manage it? Track it and secure it. This ensures that data stored on media is protected from unauthorized access, modification, or destruction, and that the media is handled appropriately through its entire life cycle. So all of that is part of media management. And so therefore, it's imperative that you have a good plan on how you're going to do this, and you also have this documented so that you can ensure that you have the ability to maintain this information on an ongoing basis. And again, you want to have the destruction process, the modification process, all of that should be done throughout this entire life cycle for media management. You need to have a documented and well-thought-out plan of how you're going to roll with this. Media protection techniques, this includes classification and labeling. This media should be classified based on the sensitivity of the data it contains and clearly labeled to indicate its classification and handling requirements. Storage controls could be physical security, environmental controls. All of those are an important part when you're dealing with the overall storage of this data. So is this equipment. This could include locked cabinets, secure data centers, fire-resistant safes, etc.
And these environmental controls would be protecting the media from environmental hazards such as temperature, humidity, and magnetic fields. Access controls. This is implementing logical and physical access controls to ensure only unauthorized personnel can access or retrieve the media. This is an important part where you have these physical controls in place and only individuals that you have defined within your team can do this. Inventory and tracking, this is maintaining a detailed inventory of all media and tracking its movements. So media, especially depending on the size of it, has a tendency to move and has a tendency to walk away. So you need to have a way to track this information. Now, I will tell you that when you're dealing with USB sticks, that can be a challenge, right? Those things are very tiny. And I would highly recommend you don't use USB if you can avoid it. But if you have any sort of media that your employees are using, you may want to have some level of tracking involved, at least on the most valuable things within your company. What are some media protection techniques? So, encryption. Encrypting the data on media, i.e. full disk encryption, file-level encryption, to protect the data, especially on portable and off-site media. You want to have some level of encryption on these systems. Now, I used to have it where my folks would be taking intellectual property from one location to another. They would actually have to encrypt the data that's going there, and they had a very specific type of encryption capability that they would use. So you want to consider that. Backup and recovery, this is where you implement robust backup procedures for data on media, regularly testing the recovery process. So whatever you have from a backup standpoint, backing it up is one thing, but then recovering it is another.
You need to have the process in which you're going to then recover the information and be able to regenerate it after a backup has occurred. Don't just back up the information and then go, I'm good. You need to make sure that you have a recovery process and that you've actually tested and implemented your recovery process. I would recommend that you do that at least once a year within your company. Secure disposal and destruction. This is utilizing appropriate methods to securely erase or destroy media at the end of its life cycle, preventing overall data remnants. These methods vary by media type and data sensitivity, such as degaussing, shredding, pulverizing, incinerating, etc. etc. I use that a lot. Sorry. You guys are probably going, oh my gosh, here he goes at the et cetera thing again. Yeah, there's lots of stuff that can happen. Degaussing and shredding are fun. I enjoy doing that, but they do make your device pretty much useless at that point. So pulverizing is super cool. I've seen that. You just dump it into this big old tree chopper and it just pulverizes the dickens out of it. It's great. Transportation controls. If you are taking data off-site, do you have secure procedures for transporting media when you're going off-site or between locations? When folks were transporting our intellectual property, they had to have it in basically a briefcase of some kind, it had to be locked, and the keys were kept by an individual, not somebody else. So you had multiple things that were involved. We also had two-person control when it came to that, when we were taking the data off. Because our intellectual property is worth probably around five billion dollars. And so you don't want to, it's worth a lot of money. You don't want to lose it. So you have to have some level of transportation controls in place to avoid someone taking advantage of it. Okay, so that's all I have for you today.
This is part one. You can expect part two will be on Thursday. But again, if you have any questions at all, please feel free to reach out to me at CISSP Cyber Training. Head on over to CISSP Cyber Training. There's lots of free content that's available to you. It's awesome. I mean, the ultimate goal is to get you the CISSP so that you can pass it the first time. So head on over to CISSP Cyber Training and check out all the great stuff that we've got there. All right, thanks so much, and we'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
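The UEBA discussion in the Domain 7 walkthrough above describes establishing a per-user baseline of normal behavior and flagging deviations from it. The following is an added example, not code from the episode or from any UEBA product, that builds such a baseline from constructed login events (login hour and upload volume per user) and scores new events with a z-score threshold; an entity with no baseline at all is itself flagged, since a never-seen account is exactly the case UEBA cannot vouch for.

```python
# Added example: minimal UEBA-style baseline-and-deviation scoring.
# All events below are constructed sample data, not real logs.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal week": (user, login_hour, bytes_uploaded)
BASELINE_EVENTS = [
    ("alice", 9, 12_000), ("alice", 10, 15_000), ("alice", 8, 9_000),
    ("alice", 9, 11_000), ("alice", 11, 14_000),
    ("bob", 14, 40_000), ("bob", 13, 38_000), ("bob", 15, 42_000),
    ("bob", 14, 41_000), ("bob", 13, 39_000),
]


def build_baselines(events):
    """Per-user (mean, population stdev) for each behavioral feature."""
    per_user = defaultdict(lambda: {"hour": [], "bytes": []})
    for user, hour, nbytes in events:
        per_user[user]["hour"].append(hour)
        per_user[user]["bytes"].append(nbytes)
    return {
        user: {feat: (mean(vals), pstdev(vals)) for feat, vals in cols.items()}
        for user, cols in per_user.items()
    }


def zscore(value, mu, sigma):
    """Distance from the baseline mean in standard deviations.
    A zero-variance baseline treats any change as infinitely unusual."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return abs(value - mu) / sigma


def score_event(baselines, event, threshold=3.0):
    """Flag an event whose features sit more than `threshold` sigmas
    from the user's baseline, or whose user has no baseline at all."""
    user, hour, nbytes = event
    if user not in baselines:
        return {"user": user, "anomalous": True,
                "reason": "no baseline for entity"}
    b = baselines[user]
    z_hour = zscore(hour, *b["hour"])
    z_bytes = zscore(nbytes, *b["bytes"])
    reasons = []
    if z_hour > threshold:
        reasons.append(f"login hour z={z_hour:.1f}")
    if z_bytes > threshold:
        reasons.append(f"upload volume z={z_bytes:.1f}")
    return {"user": user, "anomalous": bool(reasons),
            "reason": "; ".join(reasons) or "within baseline"}


if __name__ == "__main__":
    bl = build_baselines(BASELINE_EVENTS)
    for ev in [("alice", 10, 13_000), ("alice", 3, 250_000), ("carol", 9, 1_000)]:
        print(score_event(bl, ev))
```

A real deployment would use far more features and a rolling window rather than a fixed training set, but the flagged 3 a.m. login with a large upload is the kind of deviation the episode describes as a compromised-account or insider signal.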
