RCR 050: Engineering Processes (D3) - CISSP Study and Training!

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 3 (Engineering Secure Design) of the CISSP Exam:

• CISSP Articles – How to Start Looking for a Infosec Job
• CISSP Training –  Managing Engineering Processes
• CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at:  https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• https://www.isc2.org/Training/Self-Study-Resources
• Peerlyst
• https://www.peerlyst.com/posts/how-to-start-looking-for-an-infosec-job-my-list-of-tips-evgeny-belenky-1?utm_source=linkedin&utm_medium=Application_Share&utm_content=peerlyst_post&utm_campaign=peerlyst_shared_post
• TechTarget
• https://searchsecurity.techtarget.com/quiz/Security-Engineering-CISSP-Domain-3-practice-quiz?q0=0&q1=2&q2=2&q3=1&q4=1&q5=0&q6=0&q7=1&q8=1&q9=1&x=58&y=6

 TRANSCRIPT:

  welcome to reduce cyber risk podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host for this action-packed informative podcast join me each week is I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam he'll welcome to reduce cyber risk podcast this is Sean Gerber again at calling out to you and hope everybody's doing well this beautiful week we have a wonderful Thanksgiving holiday coming up here in the United States and so everything is getting prepared for that it's a great time to be if you like food it's an awesome time and tryst truly crave it's great yet turkeys you got ham you got everything you can possibly think of on this Thanksgiving holiday season and for us it's just a great time the hope everybody's been doing well this past him direct communication between two devices within the same line of England I've been working with my wife and her business with now better that down for the the season so that's been a good thing and I'm able to spend a little more time on reduce Cyrus podcast and creating some great content around the cissp and a so as we know the one thing that we're trying to get into more as well as if you out there self studying for the cissp it can be a bit of a challenge to do that and I have just been paying attention to some people that were in the Wichita Area that have been studying for that exam and it's been kind of interesting talking to them they they've been having some study groups I've been trying to get that that going for quite some time now and it had some good success but at the end of it it really comes down to is trying to self study for this thing can be a challenge. we put all this together so did they spot guess we're going to be getting to a couple things and SUV have already know we kind of Blossom cissp articles that are on the web as well as providing some cissp training that I provide through the course where that you can find at Sean Gerber that's s h o n gerber.com you can go ahead Google that you'll find it real quickly but there's also the training that I provide there as well and then finally some cissp exam will be available to you the question exam questions are there as well so that stuff that you can do to study for for the exam and about cissp is that 50% is knowledge of 50% is based on how you take the exam questions and I will also say though that the interesting part around that is if you taking I memorized study for this thing it was how many questions can I crammed in how fast can I do in a kind of regurgitated as quickly as I possibly can and then that's changed a lot over time but at the end of it the questions that they provide in the test banks will not be there probably are some that will go word-for-word but at the end of its icy Square puts out questions that you can use that books have questions you can use and you just got to ask yourself let me make a similar but they're not going to make them the same understand the content is really a great way for you to actually be able to get do well on this test and at the end of it when you pass the test you want the cissp certification do you want the ability to get a job and see what I have to know this information you can't just go in and take a test and dump it and go at my kids do that quite frequently they would they would take a test and then they would just dump it and then you'd ask that same question not too long later and they would go what are you talking about so it's kind of interesting because they say they don't live the long-term consequences for all right let's get into our first Usher first, going to have it on this podcast and what it is we're looking for the basically around who's how to start looking for an infosec which is information security job that's going to be the article that we're going to go into today and it will not tell you I was also as we go into this that you can go to Sean gerber.com and you can get some the free videos that I have available out there for you at Sean gerber.com and there's basically the main one through four is but the cissp videos of full length videos that I use for teaching you can get a plethora of those through domains 1 through 4 I got a select select number of those videos out there available but if you going to sign up for my email list you'll be able to get 11 videos free just for signing up so I highly recommend you go out there and you do that as I was also on Billy other fairies free content that will be available out there podcast the lynx's podcasts are all there as well and as so there's a lot of different aspects you can do by just going to the website if you want you also can buy my the Fulda maze 1 through 8 video train that's available at stronger or not, you can get all of that there is a really good Black Black Friday price in here in the United States we have Black Friday and that's coming up in on Friday you can pick up all of that content right there for you added it's awesome to have a really reduced price could be the bicyclist 50% off of my more normal pricing you're going to see there at Shawn gerber.com okay so let's roll right into the cissp Articles this comes from Pierre last.com and they have some articles out there about what should you do when you're looking for an infosec job how should you handle it and so here's some key nuggets from this article if they had put out and you can put your have the link up in my click on that link and go to them directly and one of the key to these are some big bullets but I'll add some contacts to this as well they talk about don't be afraid to ask questions the other one thing I've done numerous interviews of people because I'm pretty old I've been around for quite a while and and so when I first did interviews I want thing I was concerned about it as the interviewee is what should I ask questions so asking questions is very important at a little bit of a caveat to that you need to be very careful about not asking too many questions so it's it's kind of one of those things where if you get asked I'm just using this as an arbitrary number you can ask three questions or four questions then you ask maybe one question I say more like to be asked if they ask for or five questions that you asked once about 20% and so you need to ask some question but they also need to be ones that I've been Fallout not like where's the bathroom understanding if the job is going to be 4 benefits of benefits question would be good one question around Bennett but the other questions need to be focused around the security piece of this and how would you utilize security within their environment and ask them key questions based on a roll what is the role of the effusive security architect role you know what is can you explain it more about your Enterprise and the role of a security architect within your Enterprise and then that have them say some stuff around that but again you need to make sure you ask the right questions to the right pertinent people we also need a you need to specify the list of positions you're looking to move into and which ones do you want to go so if you are you have your resume already applied for a role and say a security analyst role within a security Operation Center you need to be understanding those are the positions that are available provide technical details about yourself and what you're trying to achieve and and that this comes out your gold what are you trying to be with your goals your your bio how are you wanting to get there what did you start how did you end there against their employer is trying to pick out a an aspect about you that they can decide how you know what I want to hire this person try not to be too pushy and it's wasn't running socks about when asking people for help so that means when you're talking to people that are helping you get the roll don't don't try to push on anyone hey where am I at what's going on how to how do I do those kind of things you don't need to be pushing on the people however you need to be able to to ask questions that's a fine balance of people skills as a really good book that I recommend it's super-thin doesn't cost much it's like on Amazon for like 2 to 3 US Dollars it's called skill with people and it's Les Giblin and it's a really good book on how to deal with people if you're an it you probably struggle with this and sometimes a lot it people do it's a really good book in a highly recommend you go out and buy it but you must really first look at what are the companies out there that are looking for interns not all companies are looking for interns in the security space so that's kind of important area to be there also you need to connect with various groups on social networks and engage there now keep the key piece around that is if you are a social networking person be very careful what you post online because of getting people are watching what you do and if you post some buffoonery out there of online the interesting part is that never goes away as a security professional you should know this that the one you put post something out there it will always be there forever it will never go away I've done this is well and been in contact with the berries recruiters it's a way that you can be basically having guidance around that night also would recommend that one way to help win with recruiters is to provide value for them if you can look at ways that you can help them and and help them find new people that's always positive to sit in the recruiters are helping you to find a roll now as there are over two million jobs that it's always good to have a recruiter on your side because they will help you kind of fish through or are funnel through some of the stuff that may be a good fit for your role that your your background or others that might not be a good fit if it's relevant again looking what's the opportunities aren't you need to polish up your English skills it's always a plus and I would highly recommend that you do this and I've got a daughter who is speaks English as a second language and the one thing that I have talked to her on over and over is her speak English English skills and in the United States or in it doesn't really matter what role you're working with the common language typically used is English so if you have salad English skills and you can make those better that is wonderful to also also put it in perspective I said also some twice put in perspective as well one thing to consider is that you need to in this role security roles they are influencing roles they are roles that will you talk to two different companies you talk to leadership and so therefore you need to be able to to provide influence on leadership around what needs to occur well if your English skills are not very good and pretty hard to go and provide influence so that's why we recommend that you did some level of increase knowledge around the English skill is it totally required no not at all only going to work in the Chinese market and you really don't want to go anywhere else your English skills may not be as important so you work with contractors and you work with vendors and so having a good English skills would be helpful in that space as well something to consider Tulsa had also down there was that you should utilize grammarly basically it's when you're dealing with writing content and you want to have the ability for it to to tell it's with The Grommet chromatically correct use grammarly to do that now I will say grammarly is pretty close it does a pretty good job however it's not perfect so don't rely totally on grammarly also as you are understanding how grandma is doing things you you need to understand as well what is the sentence structure look like so my daughter she's really good at leading off prepositions now she's Chinese so that I'm so funny what I was grabbing a kid I could never understand why the please would leave off prepositions well in their language they don't have that and it's so I didn't get it when I was younger and I thought you didn't get it till I'd adopt a child from China and now has she speaks I see her leave out those key at prepositions and adjectives that she just doesn't do it she doesn't do a very good job with it so it's important that as you were studying grammarly and that you if it's helping you with your sentence structure that you understand why you're doing that and pay attention to it because if you do it will go very well for you it really well tweak your message when contacting people based on that you went to work best so far for you and is always good to have someone that's personally within a company to help you because again they are if they can help walk your resume in it's way easier for you to get a job or at least get an interview then if you just start blasting people with emails and that just doesn't work honestly it may work but you may not get what you may not want what you get and that's really what it what could happen to you so make sure that you build personal relationships and if you haven't figured it out yet in the world of security personal relationships are everything and that is how everything is built here and so if you build those good relationships the good roles will come to you and the not-so-good rolls will move on or at least you'll have a heads up on what role is good and what one is not good these job boards there's various ones that Peerless talks about ones they've had indeed GoDaddy GoDaddy monster.com dice.com is another one that is for more technical people and if that's those are important places to go freelance fiber as well how you treat your job search basically as your current job so it's like again I mean I have I have seven children so it I see things on a daily basis that most people do with and you just like really I had a daughter come in today she's 18 she made the comment to my wife as she was going downstairs they're having a bit of a challenge and basically did the scales from Uganda and you didn't didn't didn't have anything and Which Wich in the United States because you don't need all the stuff that you get United States and so this girl who came from Uganda walks down the stairs and she goes after having a little bit of a tiff with my wife and says you started this so that is an interesting world so if you have children out there you know what yeah they're they're great at 8 there funnel there you little and they're fun with their middle and then then when they get older and out so much fun anymore so it's interesting time and that your bills you had don't have children I think I think twice about doing that wait a little while before you do it that's for sure so getting those are those are important things to consider when you're looking at a job country did we have the cyber that are within your military if you can join their military I would recommend that one of you is patriotism towards your country but to they teach you also the skills you will never ever get anywhere else is very hard to get those skills and then basically three is joint various local security organizations to help you with introductions to people with getting some technical knowledge around these different aspects are going on so those are great ways to get started and then if you go to college and local University in your area that could also help you with depending upon what kind of security program they have in place but again you get that it's not just a technical pieces that you have to focus on is the soft skills as well so those are very important that you get the right books you said the right techniques and you get to soft skills you need to be successful in security hour cissp training okay before we get started we're going to one little friendly little plug for Sean gerber.com you can go out there right now get your cissp videos to help you with your self studying for the cissp exam that would be extremely helpful for you I believe me when I took the test I didn't have these and I wish I would have you can go to Sean gerber.com and you can find these videos out there from The Maze 1 through 8 on our Black Friday special you can get those for 50% off pretty amazing you get those right now by going to Sean gerber.com not once and of this is how you implement in manage engineering processes using secure design so overview the security is considered basically all stages of system development so when you're looking at engineering processes and you're trying to bind design a secure environment you need to have security considered at all stages of the system development and I say this because I do a personal basis daily in my job I am always dealing with security in the various stages from the beginning of the applications creation all the way to the completion and it could be the application built itself specifically for a specific process or it could be a already pre-built application that a vendor providing a for you cuz I asked these vendors that bring us Pro your product your security people do they are they understanding the secure development lifecycle and is our secure software development life cycle which is typically called SS DLC sometimes you'll see it acronym as just as DLC for software development life cycle and security is considered one aspect underneath that but that's it should be considered it basically in all areas of system development and following the following are throughout there are really some key items that you need to be aware of as you're dealing with secure design night of object and subject and object is a resource used by a subject so as an example and object would be a computer system that would be an object a subject would be basically the process requesting access could be with almond RPA a robot process algorithm or could possibly be an individual it could be a service account could be anything that is reaching an amusing that object or that could pewter system that wireless router that whatever that might be okay so those are objects and subject now the other key Point around the security is based around Trust and the subjects and insult as a user to say a service account as a user and you in this kind of scenario Nina R&D computer system is the object these two must have a trust between the two discount and the R&D computer system the manipulate this could be manipulated by attackers in the fact that attackers would come out and they would go after that R&D computer hoping to get access to it and a good example of this would be it was a while back where they are radians had a centrifuges that were hacked using I think stuxnet and in so that's those accounts that acted activated and worked on those centrifuges they had their user access until there was a service account or individual user credentials were compromised those are user accounts so that R&D computer system would be hacked by these attackers so these trust though our Inn place not to trust didn't exist within the attackers wouldn't get anything so that's why it's important that a trust to set up between these objects and the subjects open systems you hear terms about this but a closed system is designed to work with a bit in a very narrow range so we'd have to be clean the military we have a closed environment Network and you what you would do is that they would it would not be connected to anything else you couldn't do anything other than what's inside that system so that systems able to hook to the F-22 fighter then what would happen is that system would be connected to it but it would not be connected to any net internet any other network shares nothing it would be a closed system and its really defined by the manufacturer so many defense contractors will develop closed system so that they don't get hacked the problem with this just to keep in mind is that they take a lot more overhead to ensure that they are protected these clothes systems do manufacturers put things in place but they don't always put the level of security in there as well they are not little significantly secure however it's just you need to plan for this you need to make sure that you have people that can manage these systems now open systems he's our agreed-upon on an industry-standard so there's an industry-standard set up around these particular environment these are open systems and they're much easier to integrate with other systems well more options into the network there less secure and this would be a computer current computer system that you would run into which fall into these open systems and in typical networking and typical computer systems are open systems nose closed and open source code not closed source code is proprietary code to set up specifically for your environment you may have a lab back to the lab environment or you built up just a basic application and maybe working as I've seen this in like Visual Basic 6 Rights was really old but that application work specifically for whatever you wanted to do that would be proprietary code these can be designed for both open and closed systems but what ends up happening is they're not always updated because they rely on the manufacturer for those if there a homegrown system like I just mentioned with the VB6 you do run into where they will get exploited by people and tell these people exploit them and they never really updated because one person just made this out of convenience made this application and it works and it doesn't get it provides what they want but it's never updated so therefore overtime create a vulnerability there's good companies around space b Microsoft Boeing everywhere I hear Wichita Kansas we got to end of it we have Foothills Group which is not a company that does software development for all kinds of contractors you name it there they're all over the place integrity and availability not your study cissp CIA is extremely important and there's various techniques by software developers to do this and then basically you can do any of the following that we're talking about here can be used outside of software development as well but software development is the primary place with this kind of begins now Consignment is a restricted user you process taxes and actions to a program so blue it happens as you restrict user to or the process to a specific program or a specific action was in the program now it does allow the process to read right for specific locations and that would be just your confining the capability of what it can and cannot do not a Sandbox also provide some level of confinement you want that applications to run in the sandbox and this is where you place these restrictions on where they can operate and they must meet our operating areas with a higher sense of security this is a zygote example I could have for you is only a specified systems can operate against a specified database you get very narrow down what they can and cannot do they also have any systems outside the scope will not be allowed for those are kind of the examples that are in place I use it all the time especially when dealing with higher proprietary systems you want to make sure that they are only these ones can talk to certain other ones that didn't make sense all these ones that's not that's starting to sound like my daughter subset so only a can talk to me it can't talk to see but I can only talk to be those are kind of important areas to put in place now we get into bounds Bounder Define process is a given specific authority to operate and there can be many or there can be few I recommend less is more you would like to keep it a little case that doesn't make kippah full capability within the entire system up and down the stack or do you want the user to have that capability those are key things you need to put in place to restrict that kind of use as an example you have a malware utilizes errors when in setting bios and basically deals the colonel and manipulates the colonel you see this routinely insecurity space that the user accounts are getting locked out pretty well so now what are they doing they're going after the system or the user the colonel accounts to try to manipulate the overall system themselves now process isolation ensure that only affects Pacific Haitians these you mean to make sure you isolate the processes of the only areas within memory are affected as if it's really part of a stable system and what'll happen with hackers if they're trying to do a denial-of-service attack they will go and mess with these processes and if they can cause them to be unstable while then it causes of system did not work and unrealistically you don't have to Nuke the system to make it not a functional you just have to create instability in it and it will that will do a huge factor in as well as an example of cut paste copy you would allow those to transition between the two are you can have macros to run outside to find parameters all of those pieces can be available mechanic keep in mind HD what controls are there is also what you need to put in place different controls to limit the access to authorized objects these ruler place to limit your access for example file access you may have only may have a lot of people have read only what you may only want a few that can modify so again those are the type of controls you would put in place to restrict access to an environment that is mandatory discretionary access controls go back to limit access to object by subject so the object are limited in and so they're only certain subjects can talk to these objects which we talked to the start of the beginning of this section on the podcast round and those what these Max and XR for a Mac is a subject cannot Define the object that can be accessed by the user so basically you're saying is that the subject can't find what I was going to go after you have to Define that for a Mac mandatory access control and so those are already set for that user ID back is flexibility with access can be accessed by the user around to decide what he want he or she wants to have access to descriptionari it's more it's did you see it's more available for you to do be able to do what you need to do and so and identify user may be granted greater access that would be an example of a DAC and and that in that space would be depends on the situation you may want the user to be able to do that so those are kind of different access controls Mac and DAC and you'll see these kind of call these questions are all these terms in various formats within the cissp exam alright so let's move on to the cissp exam questions and then we've got three questions for you today going to go through and find out which ones do you think fit the mold from techtarget techtarget hats out there and I like what techtarget brings from some different cissp exam questions they pull some of these specifically from is c squared so the first one what are the various sdlc development model covered in the cissp exam what is today but they are covered in the exam and if you are dealing with development you will have to deal with these in some form or shape or another personalized waterfall hey waterfall v-shaped iterative agile spiral and big bang at least of the different methodologies on how you do development work so that if you dealt with development these are all relatively you know these but if you have never done with development which when I first took my cissp I've never dealt with it at all it was very interesting and now I do it a lot so that write to Waterfall v-shaped iterative agile spiral and Big Bang waterfall was a b waterfall x-shaped Toby shape x-shaped repetitive agile spiral and Big Bang waterfall y-shaped repetitive agile spiral and Big Bang Okay so all that again if you're taking the cissp exam pick out the ones that kind of stand out which ones you've if you don't know then guess so this case here I it is a waterfall waterfall v-shaped iterative agile spiral and Big Bang so that is the first question attack is this so you have aggregation is a estate tack she is a state Machine model D is a method author author I cannot say authorization authentication code I can't even say it it's really sad so aggregation State attacks State Machine model and message authentication code some things that may be similar in the case of state of taxes State machine models do you know the difference between the two if you don't know what those two seem to stand out is that they're trying to say the same question twice maybe it's one of those and it is its state attacks All rights this involves removal of characteristics from an identity in order to easily represent in a central properties alright so this comes out to a algorithm abstraction C diffusion substitution 2 involves removal of characteristics from an entity in order to easily represent its essential properties rights of taking characteristics away to what does it look like so algorithm attraction effusion substitution and it is obstruction so you're in removing the characteristics from an entity to try to pull pieces out in fracking pieces out to understand the essential properties of that case let's abstraction core of an OS and one of its main functions is to provide access to system resources which includes the systems hardware and processes for the Corbin OS and one of its main functions is to provide access to system resources which includes the systems hardware and processes a system kernel State attack C extraction D firmware directions to those don't make any sense right is there tax that doesn't make any sense you can narrow it down tattoo system kernel is the answer a all right so that's all I've got today for reduced Severus podcast you can you can check out this podcast as well as many other podcast on Sean gerber.com s s h o n e s my parents I love them to death Sean on guess it's just Sharon Gerber like the baby food tonight or the toilet Sean gerber.com you can go out there and check me out with got some great things for you along with this podcast as well as my free videos from domain 1 through 4 all right I hope you have a wonderful wonderful day and we will catch you on the flip side for joining me today on my podcast I would greatly appreciate the feedback also check out my cissp videos that you can find out on YouTube just search for Shawn s h o n Gerber like the baby food toilet or whatever you choose and then you will find a plethora of content to help you pass the cissp exam the first time Leslie head over to Sean gerber.com and look at the Cornucopia all my email subscribers thanks again for listening