RCR 043: Secure Communication (CISSP Domain 4)

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 4 (Communication and Network Security) of the CISSP Exam:

• CISSP / Cybersecurity Integration – Data Communications
• CISSP Training –  Implement Secure Communication Channels
• CISSP Exam Question – Point to Point / OSI Layers

BTW - Get access to all my CISSP Training Courses here at:  http://reducecyberrisk.com/cissp-training/

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• • https://www.isc2.org/Training/Self-Study-Resources
• Quizlet
• • https://quizlet.com/87472460/official-isc-cissp-domain-1-security-and-risk-management-flash-cards/
• Infosec Institute
• • https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/communications-and-network-security/secure-communications-channels/#gref

• Wikipedia
• • https://en.wikipedia.org/wiki/Trusted_computing_base
  • https://en.wikipedia.org/wiki/SwIPe_(protocol)
  • https://en.wikipedia.org/wiki/Transport_Layer_Security
  • https://en.wikipedia.org/wiki/Secure_Electronic_Transaction

TRANSCRIPT:

  welcome to reduce Cyrus podcast July 8th 2019 episode 43 domain for communication and network security reduce cyber risk podcast where we provide you the training tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host for this action-packed informative podcast each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam real Shawn Gilligan with her new Cyber risk I hope you're all having a wonderful day today it's a great day in Wichita Kansas the heartland of America basically smack dab in the middle of the United States so yeah it's pretty flat here it's pretty hot here July 8th acai acai cissp cyber security integration data Communications and then on our cissp training where to get into Implement secure communication channels and then in our exam question where you at the point-to-point it's not from Lake point A to point B two different kind of point-to-point and then the OSI layers therefore my cissp training that you can find on youtube.com Deshawn s h o n Gerber and I have cissp training cissp certification training you can find specifically on you to me or you can go to reduce our risk. Com at Sea is cissp training and you will take you to the you to be legs as well so check it out it's a lot of great information during to have their all the domain stuff that you're going to have for as a relates to the cissp exam to properly prepare you for that exam to great way to augment your training and as you well know udemy has some great deals as a relates to training especially as for what I got some really good thing I also all my training the various domains will be updated on a weekly basis okay so the cissp integration this is from The infosec Institute and we're going to focus on objective 4.3 which is implementing secure communication channels according to design and the topic will be specifically data Communications now you deal with different communication protocols we're going to urinate hear some different terms and it's important to understand what these terms mean you'll hear these terms thrown out like SSL and TLS and all of that. TLC which is tender loving care it's different is transport layer security security Now the SSL is secure socket layer Knology to create an encrypted link it what does it ensure that data is Pat that the date has passed remained private it made specifically for private to individuals and it does not go out to anybody else and that's the whole purpose of it right is to have the SSL to protect your data and to ensure that it is private from other people looking over and stealing your information it is also considered an industry-standard to protect online transactions now SSL has been moved on it was it still considered a industry-standard however the new version of SSL is what we called TLS I was just transport layer security and they have TLS version 2 as well as one of the key points that are out there but it's it is the newest version of encryption TLS is and it utilizes symmetric crypto cryptography basically there's two layers is a TLS record and a TLS handshake and those of the aspect around the security SSL secure socket layer is being used synonymously with TLs but everybody has moved on in most cases if you are dealing with the next level of security is around TLS and it's the next area twice really cool anyway did I did now they're called swipe which is your Swype IP security protocol and it's little s Little W Capitol IP and then E I love how they make these fun little things swipe it provides confidentiality integrity and authentication of network traffic it does not however handle policy and Key Management that handle outside of the specific swipe protocol so that is those you specifically swipe encapsulate each IP datagram okay to be secured with inside the swipe packet so basically the IP datagram which we talked about in the different levels of the OSI model and so forth the IP datagram will be secured inside the overall swipe packet and that's word encapsulate sit and wraps it up in a pretty little bow the swipe IP security protocol set is it secure electronic transaction and what this is it communicate to secure acacian protocol standard for securing credit card transactions set is a secure electronic transaction and it's a communication protocol standard for securing credit card transactions and so that's what you'll see typically within when you're using credit cards now as the United States many other countries are just got back from China they don't really use credit cards they use their product called WeChat and or hourly pay and it's the same concept but they it has to be tied to a bank account specifically with in China and but it's what they utilize at least the United States for secure electronic transactions it has a set of security protocols and its set user provides electronic wallet or digital cert that basically puts you who you are and it's if that's kind of how the whole basically ties you to the individuals through signatures are amongst the purchasers the merchant and the purchasers bank and it's just kind of how they do the digital signature work between them all but that is utilizing the term are the the protocol security protocol of set secure electronic transaction then there's Pat which is the password Authentication Protocol as a password based Authentication Protocol used by protocol are PPP for triple p it's considered a week authentication scheme and it's not one that typically is used as much but it still has use it's just not you wouldn't want to either if your main authentication are your main type of authentication skin that you're working within your organization it does transmit unencrypted passwords over the network so it's kind of why it's not utilize as much are there are some others which is the extensible Authentication Protocol which is EAP you have your secure remote procedure call which is RPC and then chap which is your challenge handshake Authentication Protocol as far as he is concerned I remember seeing all of these days you will come to some level of understanding around all three of these pieces are all these various levels authentication protocols and security protocols they are on the cissp exam guarantee some may not be on it some will be on it but you do they do cover these different aspect on the cissp exam so be prepared for that and understand how they are used the key Point around this again in the exam is that you will see they utilize easy ways that are kind of designed to trick you up a little bit and I'll utilize the pap aspect in this a password Authentication Protocol VIP weight and you'll make mistakes so the goal is to understand all these protocols and how they all work together that is what I have for the CIS immigration and that again was from infosec Institute let's roll onto this year training okay in the cissp training we are going to focus on objective 4.3 Implement secure communication channels according to design okay voice voice over digital is quickly becoming the standard from teams to Skype to you-name-it voice is becoming the standard over the digital platform but this the old business of private Branch exchange Azure PBX is going away and that's your typical phone routing switch switches that are out there those are all going away to a product called voice which is by far more flexible and secure in most cases but VoIP is a TCP IP network connection and it's configured to be simple to the more complex depending upon what level of encryption and where that is protected at now it's Tanner phone conversations does have encryption built into it these do occur however you depending upon if you want to have secure voice like in the case of the military there's different levels of infrastructure that need to be put in place to ensure that the communication channel can be clear from somebody over either dropping and couldn't and collecting information now there are some problems associated with and they are susceptible to dead denial-of-service attacks man-in-the-middle issues can occur with VoIP and the traffic is not that is not encrypted can be deciphered so you can listen to these information this conversation's too if if is not encrypted not many cases of stuff is encrypted but there are situations are protocols where it may not be so therefore you need to be aware that voice is like anything else not you do standard pbxware it's right over the wire those can be listened to as well but they are not as susceptible to denial-of-service attacks unless you take out a switching environment than your voice the phone line goes down with it next is PBX fraud what does that mean well basically in the past that used to be where they would it would take advantage of long-distance phone calls and they would call this Freaker's and now I say that because it's still only have in the cissp is cuz it's still a valid attack and you do there still are lines out there that you can utilize from a freaking stamp point but it basically was designed to gain unauthorized access to phone systems and they would rack up toll charges for other people's that would try to be utilizing is your international phone calls or whatever they would then Rock up phone call charges for them is becoming less and less of a problem because of cell phones and those that capability but it's still does exist that to limit that you would have logical or technical control on a network specifically to keep this and this would roll into administrative controls that you need to have in place you want to also avoid securing these Elite are you don't want to avoid securing these older system you want to look look at what are some of the ways you can secure them and protect them from these type of attacks from a PBX fraud attack so don't just say whether old so nobody's going to mess with them I'm not going to worry about it that's really a bad idea in today's world where everything is interconnected more and more than ever you can be vulnerable to any type of attack that may be out there so again PBS fraud is still existing it still does exist and people still do it but it is come down quite substantially from the previous day's of like making all of them multimedia collaboration with this is is working on projects from a distance you are anybody in the cybersecurity space or in it you realize you know what there's all kinds of collaboration that occurs through multimedia uses from you incorporate to email video VoIP you name it it's all there from a multimedia standpoint and everybody does it so therefore you must will consider all of these voice Security check all of these channel to secure which becomes a very daunting task as a cybersecurity professional you will see that this is a problem and it's something we start with on a daily basis these remote meeting Concepts and capabilities of these are all something that you'll have to go through and as you understand that from a multimedia standpoint it is everywhere not remotely this allows for interacting with remote parties which kind of space and it's important that you be able to do this in today's world working remotely and they're working from this but from remotely Geographic remotely separated locations the other was a probably a really cool $10 word that would work well there but yeah I can think of it considerations as you're dealing with this drama with indication log monitored and open an encrypted Transmissions so those are key aspects you need to be aware of as you're doing with remote meetings and and also understanding who's listening in and if there's somebody logs into your remote meeting that you don't know who it is you might want to boot him out until you can figure out who they are because guess what lot of people drop in I used to do that we would drop in on phone calls conference calls but see us before Skype where they have the phone number of pop up and so therefore they wouldn't know who we are we would just log in and listen instant messaging what this does this allows for real-time chatting right a digital media platform and everybody some form or another it could be from your when you're on Facebook could be in various aspects but allows you to have instant communication back and forth through texting environment now it is possible to do file transfer through instant messaging and so from a security professional you need to be aware of that and it can you send voices can you send pictures can you do all of those aspects can be put in there all done in potentials on the security environment sending Social Security numbers or pii personally identifiable information over texting is a bad idea typically there's some key security considerations that you need to keep in mind as careful Communications on what you put in a text cuz guess what come out they always do and never ever not come out they always do you also need to have records management cuz these records they go everywhere and you will run into them they will they they get legs and they move so understand the records aspect around this also you need to limit your encryption as it relates to or it has limited encryption I should say the the aspect of text messaging someone text messaging depend upon the application you use does have a little bit of encryption involved with it or does have encryption but in most cases these do not they the only encryption they have is encryption through the telephone Network the CDMA network in most cases there are no encryption from a texting standpoint versus such as slacks Hangouts excetera and so when you send this out your text it's going to the cloud which everybody goes to a server which everybody potentially could have access to at least at a minimum the administrators have access to it so there is no privacy is very limited to new privacy when it comes to texting Snapchat all of those those things do get legs and move so if cybersecurity professionals important for you to make sure that you teach people that this is a situation and working on your cissp especially you need to understand how that all plays into the overall game email do you need to address this with your so Chelsea there's some acceptable policies for email that you need to put in place and as you're looking to secure your email there are ways to do this through pki it was your public key infrastructure you can get digital signatures on your email which will help protect it be all so I can have access controls do you allow owa like is your Outlook web access your online capability to your email do you have multi-factor and place on your email that's all available online until those are key considerations and also is your deal with privacy around email it's important to consider how do you protect your company's email as it relates to gdpr so it's important that you have that in place as well do you need to cut understand and be cognizant of these different around privacy and and what you should do as far as dealing with the email also understand a security person you should not have access to email you should people's emails you should have that all run through your legal and compliance teams if you have them if not and you are the person that you definitely need to run that through legal before you do anything along those lines how is your back up and Records management keeping emails until the Apocalypse when it's appropriate do not keep that stuff again from legal considerations it's important to understand that you don't need all that forever now if your company that puts it on legal hold where you have to maintain it will then obviously have to keep those whatever reason but for the most part you need to make sure that you don't keep any more data than you actually have to because because stores are so cheap everybody keeps everything it opens you up for a lot of different issues especially legal and litigation issues so just kind of keep that in the back of your cranium is looking at other email Security Solutions you need to understand the secure multi-purpose internet mail extensions s mime and privacy enhanced male which is another term which is pem and then you're pretty good privacy which is pgp which you'll see wasn't a Christian standpoint for your email we're typically for most of those providers that provide you some level of email protection pgp is typically used for the third party types and says my name is used for the more like your outlook's and so forth and then you have your sender policy framework which is the F SPF again other email Security Solutions that you need to be aware of for the cissp does PE exam questions domain 4 my toe in this question where we talked about point-to-point formats packets from Network layer for transmission and is commonly used protocol and the integrated Services digital Network ISDN session layer as a data link layer application layer Network layer that's d and the winner is be the data link layer is responsible for formatting packets from the network layer to be used in the transmission of data so yes as the data link layer that is one that puts them all together and when you're dealing with the OSI model 7-Layer Burrito and puts it all together to get it shipped out the door this questions about the OSI model what layer which Royals last month about those I model 2 what is layer 3 of The OSI model transport layer NES RISD the network layer is the layer 3 of The OSI model video. Lair to choose down her or two and then you have layer 3 which is the data link layer and then you have transport layer which is above that that is the different models of the OSI 7-Layer Burrito layer 3 of The OSI model is the network layer all right all right that's all we've got for reduce our risk podcast today and we are going to be moving on to hell podcast coming out next week but the other links today what is c squared training study guide Quizlet I hope you enjoy this podcast also remember that there's training available for you at reduce cyber-risk. Com / cissp training or you can check out my videos on YouTube, but you'll get a great deal by going to you to me., you'll get updates from what's happening within the cissp on a weekly basis all right have a great and wonderful week will catch you on the flip side thanks so much for joining me today on my podcast but I would greatly appreciate your feedback also check out my cissp videos that are on YouTube just search for Sean as Shon Gerber and you'll find content to help you pass the cissp exam last copia of free cissp materials available do all my email subscribe thanks again for listening