RCR 039: Conducting Security Audits - CISSP Study and Training!

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following:

• CISSP / Cybersecurity Integration
  • What is Security Assessment / Testing
• CISSP Training
  • Conducting or Facilitating Security Audits
• CISSP Exam Question
  • Conducting a Penetration Test

TRANSCRIPT:

reduce cyber risk podcast June 10th 2019 episode how to reduce a bruise podcast where we provide you the tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host of this action-packed informative podcast join me each week is I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam real Sean Gerber again from reduce cyber risk and I hope you all had a wonderful week this past week I apologize I had to take a little bit of a break from reduce evereska had to go to China for some business work and outside of that though it was been a it was a great QuikTrip it was out and back in no time at all but now I'm back and able to finish this up and actually worked out really well Wells on the airplane I got a few things kind of knocked out as I was going to deal with fighting with reduce arborist going forward and one of the things that we're going to do is I'm focusing this specifically broadcast we're going to be focused specifically on a domain within the cissp training restraining we're going to be focused on domain sixth we should be a security assessment and testing so we're at that would be basically talked about cyber Integrations have a straightener graichen cissp training specifically and then an exam question that's how we break it up at reduce cyber risk until the first one about tussock cyber security integration is going to be on what is a security assessment / testing what what exactly is that and I've got the article that got from what I found out online it kind of go through that little bit and I think it's from infosec industry if I'm not mistaken and then where the Fiat cissp training specifically on conducting or facilitating security audit and then the last part about the exam question is going to be about conducting a penetration tester and others I'm all done each one of these in different forms of Fashions and so we're going to kind of go over each of these with the cissp test requires some real world examples are round how this could you can make this work for you and the company you decide to go I work for if you're not already working for them cissp cyber security integration pieces institute.com and security assessment testing and it was an article that they had put out and it basically came down to what exactly is security assessment and testing they had an ad my little input maize on Amazon AWS and run station in the cloud that way so that each of those have a little bit different vulnerabilities and different risk to them it's going to have to understand what are those risks Associated it could be the simple fact of it is now you've got a SAS solution that may be storing your data and so the risk is one accidental loss and I could it be from the company themselves could it be from a hacker get in your account I don't know it also could be if it's the S3 bucket situation could it be the fact that you don't have multi-factor set up on that device so then there's an account issue where you would have to to focus on who's accessing the data and then it can you verify do you have logs for this data so that would be some of the situations you might want to consider all SAS Solutions have to do this so anything that is a software-as-a-service solution sitting the cloud must follow the specific criteria this specific policy that we're also that anything that is Buda lizing as three or Amazon AWS has to follow this criteria so by doing that you're setting yourself up to be where you're going to be evaluate yourself against your policy and and how that's being updated then you need to go through the documents and review those and determine what works best and ended are they make sense for individuals does it actually have some teeth behind it is it I'd like to call the kiss test where it would keep it simple stupid because you really want the ability to keep this policy as simple as possible you do not want make a complex an overly burdensome because if you do what's going to happen is nobody's going to last listen to it and pay any attention to it and therefore what's the point it's just a piece of paper and it has nothing behind it the purpose of the policy is not to beat people over the head with a stick is to give them guidance and direction in the event that you're not there and that they can understand that cuz guess what you're not going to always be there to get the bigger job make them bigger money but doesn't really matter at some point you're not going to be there so you need to have these policies in place to help with that the risk identification and this will help pull out what are the risks that are associated with your sass solution or your Amazon solution so you need me to pull those out and that's how the identification will occur as you do an assessment it also will be with data analysis you'll understand where is the date of going who has access to the data is a day that protected while it's in transit while sitting at rest all of that is a key aspect and I've talked about this before and reduce cyber risk that if you if you focus on is all about the data where is the date of going is a date of protected why is it protected all of those key aspects that will go a long way and set yourself up for success as a relates to protecting your systems are you also need looking for a porch or briefings in this can provide this for you because at the end of it you want the ability to give out check out some level of report that you can provide to senior leadership on how things are going as their assessment done because it will happen is as you come up with this plan most likely there's somebody somebody else is going to have the same type of solution or situation come up for them and they're going to know if you have it all written out and documented it's real easy especially someone comes and says he can fix it can you check it out this out and if they go check out the repository see if it's in there and it's in there it makes things a whole lot easier and streamline those are some point point to think about from Key steps is removing for a pharmacy is espionage understanding part of this you need to focus on what are the international legal issues that focus on doing a security assessment security assessments can be very tricky and you need to understand what are the legal implications of doing 1/2 if they don't have any legal implications what are the nuances to the legal aspect in which you're going to be doing this assessment to so so freaking example if you're going against the European Union what what are gdpr requirements verses in the United States they're very different and because they're different then you need to focus on while it's pretty hard to have a finding on something that is extremely different than what your current company or country is so those are important aspects for you to know do you need to do to dig this information up can you just use it on the scan do you have to do interviews what what are the things to find out the different phone bill is that may exist and practically Implement forensic procedures dude can you go through what does it take till that you're in a dig out this information can you use forensic type activities to do that what are the threats and vulnerabilities that are associated with that again this comes back and knowing what is your risk what is the threat to this data into these systems and it governance That Couldn't need to be in place for managing these systems so I say you have a solution do you have the third-party governance model in place to deal with these third-party Solutions can you do security testing techniques there's different aspects around this so doing a specific assessment of in focus of this you have ethical hacking which is your white hat hacking now that also can kind of come into the testing around penetration testing but these are people that are specifically focused on testing the system and what are the vulnerabilities with it they call them white hat just because that's they're doing it from my research standpoint now you're dealing from penetration testing this is where they find out alone vulnerability and this is where the ethical hacker my do this alone vulnerability and they will then exploit that that hole that place and that's a penetration test to see how deep they can go they typically do not expose multiple vulnerabilities and looking for one maybe two vulnerabilities that they can exploit put on the system before it breaks and understand the actual load to do security techniques that you can use as you're doing some level of security assessments and testing okay so when you're preparing to for security testing you need to study the architecture and understand the requirements the objectives and the goals of what you're trying to accomplish as it relates to doing this security testing you need to understand the security company security compliance plan because again you may have a situation where you don't want to do this specific testing because it could have violate your security your company's compliance you want to analyze the architecture understand where do you want to go in at what do you want to do what do you want to actually physically test cuz you can't text everything so do you want to just what subset do you want to actually do an analysis analyzation on and do a test on I need to classify the security testing approach and it comes down to it what risk vulnerabilities are you trying to mitigate manage and then create a threat profile or model threat model to be able to go in and say they had this was based on this attacker this is how we went and did this is how we went and attacked this environment prepare for test plan for a threat understand what are the threats out there and what is your test plan around those utilize tools for testing and this comes down to do you use a Metasploit do you use it to standard vulnerability scanner are the tools just basically a question the answer will you will go through and ask questions specifically of the individual who owns the system or you do an evaluation of the of the product themselves and it finally over pair report for that will look at the overall testing environment piece of heart going to get ready for your security assessment okay so that is what we have set up for cybersecurity integration again that was from infosec Institute pretty good plan and that's all that that will help you out if you're preparing for some level of security assessment testing all right let's roll into the training I'm going to do a little where they called advertisement for myself go check out at udemy.com you can check out the all the cissp training that I have in place I put these out at udemy obviously going to give you some great pricing independent Paul when you buy but you can get all domains 1 through 8 on you to me and if you D uniform Delta Echo Mike yankee.com udemy.com and look for Shawn with s h o n d s that's s h great but yeah. Not a big fan of my name but if you check out my name because it is unique you will find the training guys that are out there for you for the cissp can I get domains 1 through 8 with some see at with some exam questions you also to check me how to reduce cyber risk as well as some other stuff that's out there as well as available for you all right the cissp domains 6 security assessment and testing the topic everfocus the objectives going to be a conduct or facilitate security audits okay so you're looking to complete a cyber security audit basically people just making the stay where am I going to look at focus on specifically an Insider Potential Threat you need to kind of consider which one are you going to look at this view from a vulnerability identification you need to understand what are the vulnerabilities that you're aware of and then that way you'll helsel help if you're doing a scan will you be able to confirm his vulnerabilities exist on that scan do you have these vulnerabilities mitigated by controls are there things in place that you know these vulnerabilities do exist and there's no way around it however you do have controls in place one thing I thought was interesting was reading an article about S3 and or I can say a story about Docker and Amazons Docker they have a really good article around these older applications use XP 2003 and throwing them in a Docker container and I think that's really good idea 50 Cent's can live forever but those are good mitigating controls that you potentially could put in place to help offset some of the risk that's associated especially in that situation with old operating systems find the controls and then that comes back to the vulnerabilities are mitigated by the current controls if not then you need to look at what controls can you put in place to mitigate the potential risks you determine the impact severity this would be assuming the vulnerabilities been exploded if it has how do you limit what is going to be exposed as if you have a s a solution that if did people get access to it they get access to this one account they get nothing however if they get the admins account they how can have everything well case of what additional controls can you put in place on the admin account determine the risk level on the likelihood of An Occurrence or / at what is it would be the impact do you have all of this stuff in place in this if someone gets access to this one system it's the end of the world it so know where we going to do but what is a real likelihood they going to do that well except for on once a month and it's doesn't have very good controls but it's always turned off and it's verify that it's turned off script that runs on an hourly basis okay right there yeah the system itself is a vulnerability however the controls and plays are pretty substantial that someone who only has a very small window to be able to manipulate it and get access to it address the highest risk item now it also could be that you have some high-risk out of that will take a lot of work to fix and then you have a bunch of medium and low items that can be fixed immediately we need to ask yourself the high-risk ones are definitely one you want to focus on but if you can knock out the low and medium-risk in just a very short time that does reduce your overall risk and those are something to consider as you're looking at reducing the risk for your company okay so you conducted facilitate there's different types of wants to think about so this is internal won the Fergus first objective where to focus on here and this with exercising determined for trains cyber resources you need to provide an evaluation of current control and or processes in this building the accountability for the organization so by doing this internal audit you are providing an increased level of visibility and oversight into your system and it does it help I'm sure that was getting accomplish what needs to accomplish is getting done and internal audit will typically work the CEO the CIO or the board that is reports to your company that you're coming reports to in many cases these are Financial there's a regulatory requirements around this and Avengers may be requiring specific audit so I've seen an ISO 27001 for example we have a company that has a very large partner and is very large partner requires 27001 certification or List it does require Audits and on a routine basis require a third-party order external audit which will talk about the minute but bottom line is you need to have some level of audit and he's be documented with a report and that some of the requirements that they have so you need to understand what are the requirements do you have to have an external entity do this do you have to, to begin with internal resources ATT more your compliance team who does this need to be in this Define pretty well as you are looking to move forward in the space another key aspects is this needs to be understand if it's planned annually if it's practical if you can do that anally that'd be great but you may or may not depends upon the requirements right up the requirements state that this has to be done annually then can you get away with it once every two years or so trim plan for it so it doesn't just preparations you need to have your it your legal your Human Resources all of them need to be involved as you're moving forward scope will determine your duration in this could be the system facility the group locations all of that will be determined by the scope that you were trying to to do this assessment on so used to going to be one facility in a remote location is it going to be everything globally is it going to be just a closet in a specific room that I will hold all of your super-secret stuff those are all the things that you need to come and understand what how are you going to do it either right to audit clause in this could be in contractual agreements if you have with third-party you have the right to audit them especially if they are holding your data but you need to build that into the contract or is the srw that you have with them statement of work so those all those key aspects need to be considered as you are building out this for your company it's external and third parties are too kind of a little bit just in the internal aspect external parties are to provide an independent Assurance of what exactly is occurring outside Auditors will be used for many times has external entities needs to be your P&G pwg PW TWC price Waterhouse Cooper Cooper's they could be other third parties at maybe are smaller mom and pop shops but you you can have those third parties involved as well and they need to be contracted this needs to be set up as a process specifies specifically what you're trying to accomplish with them and they need to also give you some level of understanding of what their auditing you to it could be ISO 27001 it could be missed any one of those was fine based on what the Auditors are saying but you need to understand what are they actually auditing to they may have some specific subject matter experts that they're going to bring in to help with this but or they're going to may even augment some of your internal staff as they do it so you can understand I expect this is going to happen more and more in many other aspects of cybersecurity especially as more breaches occur within the global environment now you need to understand if your cyber security program maturity model for framers we talked about your ISO 27 miss or your cybersecurity framework any one of those will work depending upon what you're going to be evaluated to so again you and somebody else your roadmaps how does the audit fit within your multi-year roadmap do you have to do an annually like I mentioned before or can you do it every two to three years and then from there it will catnip what's the size and the scope of the audit every two to three years and governance models also will become a photo focus on how are you governing how people access the the processes that I can, TTP to techniques tactics techniques and procedures how are you going to deal with that and how did they they monitor those so those are the different governance models at and how they become a focus alright let's move on Jim questions domain 6 when completing a penetration test of your organization who needs to be involved in the discussion and decision oh no no no alright those we talked about this is when you who needs to be involved and why do they need to be involved and this is going to focus on those that specific question indeed so I've got four specific answers they may not only right that may be right that maybe one maybe two don't know we'll see but there's four basic and answers to that one question who is the evolved a no-one informing people that the penetration test will occur will taint the results resulting in Waist definitely everyone is important that people don't feel duped that is the test was designed to I don't feel like they've been kind of pushed what the test was there just to kind of play stump the dummy or Hey where's the idiot that that's not the point right so I guess everyone see Key Personnel is important Focus only on the on telling the decision-makers influencers I eat CEO Seattle could be a couple in there but that's just an idea as it relates to the penetration test nabob peace and the answer is keep resetting a personal number number what are see it important to focus on only telling the decision-makers and influencers now I say that as a CEO CIO legal public affairs compliance penetration test I say that just talked to them first they may want everybody to know about it it will taint the results if you let everybody know depending upon how much time Italy time you've given them come up where someone is giving them a lot of time to let them know and it ends up being a situation where than they going to start making changes so it affects the audit a bit if you tell him right before you do it that's one thing but it's not a bad idea to tell people especially the key people that are involved and if you're going to be targeting a specific system like so you have a website that you're going to be doing a pen test on it's important to let it no potentially if if they're going to react to that or if you have a good instant response plan in place where they report to the CIO and then the CIO can handle that result as well so if they do to check your your website's being attacked and the response plan says contacts thank you continue importing the right people are involved in the decision-making process as a pentest can have significant impact on an organization and can cause disruption within a company again that's why you won't do with key personnel that's the explanation now here's a scenario can't talk about it briefly but you got e-commerce site and you have specific compliance requirements for penetration test now you you set up a contract with a third-party and you completed penetration test without any notice okay now that's you just could be the situation that comes up the penetration team has instructions to exploit any and all vulnerabilities they discover okay how's it going to play out well the other was all the penetration tester web front-end the database provides data to all visitors to your eCommerce site cuz I think it's downsize to some of this blue people from all over the globe of the world right to get everybody from small-town Iowa Kansas where they might be too Australia to China to Europe where you name it well please is reported to newspaper it gets a release to the papers and now you just have been involved with a data breach what did you do is compliance about what you do I don't know what is lawsuits are filed on behalf of the affected persons and then just things go south very quickly this is is that if you make sure that everybody's involved before you go and launch this thing now compliance can go and work their ankle public affairs can work their ankles everybody's an alignment that you're doing the right scope in the right way of doing it then you mitigate any issues that come up as a person says I'm follow lawsuit will this is compliance we got approval from the work consoles we got blah blah blah blah blah all that stuff is done then when the shoe falls the ball drops it's not a big deal because guess what it's all been worked through compliance and everybody else the legal and all leaders are involved that's why you want to do it cuz it can go south real quick and in today's Twitter verse play can go sideways before you even know it before even showing to work it's gone sideways comparative that you do have the right people involved when you do a penetration test xiacy Square training study guide and isaca.org and also the info youtube.com you will see in the show notes as well hope you all had a wonderful day check me out a reduce cyber risk hope things are going wonderful for this wonderful week and we'll catch you on the flip side so much for joining me today on my podcast if you like what you heard please leave a review and iTunes is I would greatly appreciate your feedback also check out my cissp videos search for Sean at SHI Gerber and you'll find out who the author of content to help you pass the cissp exam lastly head over to reduce cyber risk and look at the Cornucopia of free cissp materials available do all my email subscribers thanks again for listening