RCR 044: Learning Access Lifecycle (CISSP Domain 5)

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 5 (Identity and Access Management) of the CISSP Exam:

• CISSP / Cybersecurity Integration – Identity Governance
• CISSP Training –  Manage the identity and access provisioning lifecycle (Domain 5)
• CISSP Exam Question – Username-Password / Preventative Controls

BTW - Get access to all my CISSP Training Courses here at:  http://reducecyberrisk.com/cissp-training/

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• • https://www.isc2.org/Training/Self-Study-Resources
• Quizlet
• • https://quizlet.com/87472460/official-isc-cissp-domain-1-security-and-risk-management-flash-cards/
• Infosec Institute
• • https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/identity-and-access-management/#gref
• Wikipedia
• • https://en.wikipedia.org/wiki/Identity_Governance_Framework

TRANSCRIPT:

what colors do cyber risk podcast July 17th 2019 episode 44 5 identity and management welcome to the reduce cyber risk podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host of this action-packed informative podcast join me each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam hey all this is Sean Gerber again from reduce cyber risk and we are in this wonderful state of Kansas in the United States and things are great we just got done with our July Fourth weekend here in the United States has actually been a little while but I kind of want to talk about that love it and had a great time over the July Fourth weekend I had some time with the family and my kids just I love them they drive me crazy understand that yes teenagers are a lot of fun and it in my case snow tomorrow I've got to just graduated high school and then United States it's a big event so what's going off to college so we be prepping for college here before long and then I've got another one who's going to be joining us probably we're going to be a starting up a business my wife is and so therefore with that with between her business and the kids coming to scout college and between I have three others and still in school one more senior it is a busy busy day and we've been since we have will be basically have four or five seven children total enough that five of them are four of them have been adopted and so we are we're very fortunate and also is at a lot of challenges that are a lot of fun to kind of work through and I say fun in air quotes so yeah but other than that I cannot complain at all I want to talk about cissp cybersecurity integration was going to be identity governance again this is over domain 5c an access provisioning lifecycle cissp exam question will be usernames and passwords and preventative controls all right before we get started just want to put on a plug out there for the cissp training courses you can get these yes you can you can get these in your hands or in your eyeballs in your eyeballs you can I go to youtube.com as a udemy. Com depends who you talk to some people call it udemy but it called different ways but you can go to youtube.com or you go to reduce sybaris.com cissp Dash training in that will point you in the right direction for the different domains again we have there's eight different domains you can get those at your leisure and you get access to all of the cissp training that I put out along with exam questions you can get those as well and I also put out exam questions during the week and you can get access to that just by going to reduce cyber risk and becoming part of my email team and you get all that as well exam questions information available to you at your fingertips let's get going on into our training okay cissp and cybersecurity integration the infosec that came from infosec in is the reference in the link so I'll be in the back the final part of the presentation and also in the show notes as well so I'll be there and available for you object of 5.3 cissp Manatee identity and access provisioning life cycle and the topic today will be identity governance again this is an article from infosec Institute now managing identity and access provisioning lifecycle this is crucial to have effective control over your logical environment and we talked about different environments and you have your your basic the physical environment in your logical environment which is the aspects around that the technical pieces right that all falls within the logical aspect of your specific environment and these include operational documentation maintenance monitoring reporting access rules roles and maintenance will get in those are Big Ten Dollar Words a lot of smart really smart people they are usually Big Ten Dollar Words and I struggle with ten-dollar words but we'll try to make them simple cuz that's the whole purpose cissp training Made Simple the operational documentation maintenance this helps develop structure provides oversight and how to implement the local access control so basically it comes down to if you want to put in Access Control and these are logic write these are all logical controls what you have to have this documentation around your operational things that you put in place so you have your you're basically RIT functions within you had your operational functions that work within your organization that makes the operations the daily day things go and so you need to have this documentation in place and then this but it does though is this maintenance aspect is kind of like an assessment piece of this where you go back in and you'll provide oversight on how to do this and at least give you followed a policy that can fall under different areas as well but it's it's a basically how it flows into the operational pieces what is a governance model that helps to ensure compliance and we talked about this quite a bit in the fact that you need to have some governance model in this and we talked about compliance we don't talk about The Big C compliance back with a little C compliance this would be your when you talk in The Big C compliance that means you have regulatory requirements at 4 shoot two to do these different aspects with your company to ensure that you meet their compliant of the government regulations that may be out there in this stilsby state local regulations it could be other aspects to the little see is that you follow the process that you provide you put in place to comply with the aspects that you're wanting to to accomplish and it also the whole purpose of right is to have some governments around how to help you get that done wines with policies and standards now you're just making sure that you meet and you follow through with what you say you're going to do with the policies and standards you have in place that provides guidance through executive dashboards and reports so if you can hit get a executive dashboard and it could be as simple as you have a spreadsheet that's got little green and little red and little orange green yellow red stop light pink some way of measuring how are you doing what are you doing how are you doing it and are you moving forward or are you falling backwards fall backwards on a full Volvo word Texas rules roles and entitlement maintenance SPS basically deals with exception management and you have definition of the rules and how you're going to follow these different rules for the role so do you have how do you bring things on how do you take things off how do you provide provision Indy provision individuals their devices all that all falls under the access rules and roles and it basically is the life cycle from beginning to end how do you start it how do you end it how to decommission it and if you have that in place I mean honestly that's a big deal if you can get your access that whole life cycle piece going and put in place and start off simple that does a lot for your company to ensure that it is secure it is Keke Palmer's operational Readiness advisory now this begins with various stages of Ronnie requirement so once was a good fine and you have your design your test and you're doing all the operational I'm bored and you do this is where this begins right so it's how do you begin to get ready to go and and that's the whole purpose of I'm getting ready for my operational side I need some assistance I need to know what I'm going to do all right let's go and this provides advisory a consultation to the development of these various system so it's to help you with are you ready to go and give you some some guidance around that and change management also around the aspects of change management and this is the process of managing to change around your identities and how do your people how do they get permission but then what is the process process for managing the change with those identities so Bill who has access to the Ollie's plowshares how do you manage his chainsaw rebuild I still in the same area but we need to reduce the level that he has access to so how do we manage that he also it's how do you do with a communication piece of this at this built into it going to be automated and ideally in today's world you can automate so much of this and it can be done if you'd like SharePoint or something along those lines that it can be automated with that like that infopass not the right word flow flows it the product that use now with SharePoint online you can provide this change management advisory peas to people and that could be really simple can be set up in a simple format that will give you what you need so again that this change management advisory Communications now you're dealing with identity operate this includes access review hoarding and this is access request fulfillment in the other aspects of around this and its function is focus specifically on your day-to-day Access Control request this is your provisioning your Administration all that maintaining maintaining of the life cycle is associated with it enforcement of logical access controls another key component of your identity operations and then again this is the day today stop operations your day-to-day get dirty in the weeds kind of thing and then so that's the whole purpose of that ambulated ID access request approvals and so forth do you have these rules and play basically deal with your identification and also anybody who may request access to your specific systems again this is all responsible for the day-to-day Ops and it basically allows you to provide the capability of bringing people on take people off the operations function that's what they took all about out there is that continue to have governments operations and you need to have some way to deal with a life cycle that's that's how it all works those three pieces will go take you a long way okay so that is the discussion around from infosec Institute okay and we're going to move on into the cissp training again talk about 5.3 managing identity and access provisioning lifecycle domain 5 this is going to be a supplemental that part Derby talking about today and the rest of this podcast second account review and then count revocation which is basically the D provisioning or the turning it off of the account again I will I will tell you I apologize sometimes these these Big Ten Dollar Words and so therefore they that use big words but then I'll go to some easy one like yeah you just how to turn it off I will struggle and if you're at work on your cissp with the cyber-security career here's one thing to keep in mind as you're moving forward and this gentleman is to offend anybody at all that's not the intent but it's a lot of times words out there and they will say big monsters words in the thought and hope that it makes them look way smarter than they potentially maybe our I'm saying that they're not I'm just saying that a lot more people will use Big Ten Dollar Words and I am totally confused going what the Dickens are you saying I can understand that because it's all I have from another standpoint and and so therefore sometimes I use a big word and I'll say it out there and then I'll try to bring it down just a little bit because honestly I get confused then I'm confused I only assumed that maybe only about 10% of you all are confused just because you all are probably way smarter than me so just I challenge you to look for the Big Ten Dollar Words and then try to make those simple because here's the point if you're going to be a Cisco or if you're going to be someone that's going to provide influence for your bored or whomever that in your cybersecurity field you need to know how to do this you need to know how to break down the ten-dollar word and put it in terms that the for a third grade level not because you're dealing with third graders cuz that's not the case so that's one that's one of the things to think about as a cybersecurity professionals do not treat people like their third graders do not okay cuz I'll tell you right now most people in the world are there people that are way smarter than all of us right but if you can talk to people at a level that is easily understood and that's why I say the third grade level because if you can talk in the third grade level two people that's easily understood by most and so therefore if you're talking to your CFO your CEO or any other sea levels and you know the board whoever that might be they're going to want you to talk at that lower-level not because they're stupid nor they don't know what the heck they're talkin about is because it's a language that everybody can understand when you get these Big Ten Dollar words that are out there your $10 worth in cybersecurity is very different than the cfo's $10 worth in financial terms and so therefore it's important that you bring it to a level where everybody can understand damn right we been a little bit aggressive this is just keep it simple silly alright so we can provisioning account review an account revocation or de-provisioning or turning it off provisioning so some key points about this is Grace the new account with privileges it's important that you keep it as simple as possible do not overcomplicate this and I am guilty of all those of making it way more complicated than it needs to be thinking and it's kind of comes out of the development space where you create this complicated thing thinking you're an ad features in later on you never really do and all these features ever do from a development standpoint is caused risk so you need to keep it simple as possible follow specifically defined processes and procedures if you don't have the processes and procedures Define then Define them and then follow them but keep them simple and then you can move on you can grow on to these simple procedures as time goes on I need to have a way to confirm the identity of the individual would be photo ID HR security clearances whatever it might be you need to have that confirmation of their identity and place this concludes all users contractors employees and so forth. Sometimes it may be as simple fact that identity of it but you need to keep the process as simple as possible hu that's doing HR and doing a provisioning and everything because you are the person that's that's going to be doing that then obviously you've got a lot to do but that game keep it simple as possible I keep the same process compliance issues to consider as you have PIR person identifiable information then you need to adequately protect that that it also could be a personal identifiable health information is you're dealing with those him questions as well do you need is a cybersecurity professionals especially study for cissp you need to understand those key points about this the China the birth name that's another good issue is that in China privacy aspects what is the birth name of the individual I like in my daughter's name was Kelly of her name lock up my son so he is was a molecule so that was a Chinese name I called him Jax Jax Jax Gerber rice that's his name and therefore his middle name we called now I just butt in China it was I just realized I do it somewhere around there anyway that's the whole purpose around him and so those are different aspects that you got it could be aware of everyone's compliance issues employees contractors that you need to have waited for them to sign documents as well how do you confirm that so if they have abused DocuSign or some other document signing technology that would be extremely valuable by your ongoing maintenance around this piece is your Aunt need to audit the accounts you need to provide and and the access to these accounts need to have the ability to do that the process for promotion and departures employee employee transfers you need to keep all of those the same did the holy process of anything that enters roll or leaves are all you need to keep that actually the same as well also get laser employee transfers ongoing maintenance HD Live account review some other key points to keep in mind as these need to be reviewed periodically do not rely on the fact that these are just going to set them and forget them kind of thing Network credentials get added in never go away previous lives many many times where I would actually go into a zoo in the steam hacking world I would go into an account or into a environment I would see if there was a count that have been there for seven eight years and the past a question was this person still here in the person hadn't accounted menus and 7/8 years and then know that person's left but they count was still at their act and active it wasn't even the point where it was turned off it was still active that set up and you also need to ensure that the policies are in place to address audit that we talked about all that they could be audit or they could be an assessment audit typically a formal type of thing is done usually by a third-party or at a minimum an outside resource either within your company that is specifically designed to do audits or it's actually a third party that that maybe you have a sister company or could be a company like e&y Orson young or delete one of them to do an audit on you you need to have scripts you have script to run warts on your account sell hence no activity login for 30-plus days excetera excetera you can have those in place and so those are ways you can look at you different accounts and how to review those there's excessive privileges you need to know as far as that goes to do this what is the need to have and how do you manage that do they have an S supposed to do the role do they not have the necessary Privileges and you have a process in place how to add them privileges in easy format I'll be honest if you can do this then you really set yourself up well I will say that many of us struggle in this space just because it is there so many things to do and these are one of the things that gets left behind and it really needs to be one that really needs to be the top priority how much are creepy creepy do they have how much they're creeping it's how many privileges do they have so if you have a and then you move into a row now you have privilege b-but you now because you moved the new role you have privilege A&B and then we moved to New really got problems a b and c that's privileged that's a little bit artist will help address this as well they need to consider the principle of least privilege what do you need to have to get the job done do you need it all will know okay so in the case of myself I have typically if you're cyber-security person you should not have admin rights you just shouldn't especially if you're dealing with if you do because you are the only person left then that's one thing but then you also need to make sure that you do not use your admin rights obviously for surfing the web and doing those things in my role they they've asked me if it would do you want Edmund rice I do not see any need for me to have admin rights the simple fact of it is one I'll just mess things up to from his targeting stamp when I'm probably targeted a little bit more than some people so therefore I don't want to be an increased exposure so I don't have that stuff and I just rely on other people to do that so again the principle of least privilege account revocation so someone with pool happens if these people never go away and then they're on your books at forever and there's a bonus question in there for that forever so that's you need to have a process to address the departures this morning holy cow I'm ready to go HR is use the ones that are most connected with account revocation they know who is coming and who's going and so HR needs to have the ability to to basically clean this up there's an account removal process and his account or removed immediately after leaving so once person leaves the area than the accounts are shut down and they move away are you remove access is disabled for a. Of 30 days and then you delete the account after those 30 days so don't those kind of processing you to have that automated where once person leaves account is removed immediately after leaving so I was put into a standby mode for a minimum and then you remove access that should be disabled for a. Of 30 days so access is denied you hold on to that and my test people will hold on to these accounts specifically for a reason that they may be documented they need to get access to and so therefore it's important that you look at those document you have your supervised visors look at the documents with those credentials 4th. Of 30 days you then go ahead and you can pull out that information without once that's done and you have that setup and the credentials are revoked then at that point in time you can delete them after another three-day so base it's a 90-day process do they leave their the counselor the access is removed is disabled do that for 30 days once that is done then you go ahead and delete accounts after 30 days sometimes you may set it up will you may leave access for this thing for a period of a week maybe but the problem is when you leave access account still active I've already seen situations where an individual has made back door for themselves they've logged in from a remote capability and what ended up happening is still active and they all kinds of Mayhem and destruction not granted it was a really stupid idea cuz he end up going to jail for something like that but at the end of the day accounts access immediately after leaving mother additional precautions you can have is audit IT personnel with elevated permissions that is a big deal so I T guess what they touch almost everything and having them with elevated permissions guard permissions is usually not a good idea and you need to audit those people to make sure they're doing the right thing cuz they all do have gone prevent for permissions and so therefore when I said they all many of them do and especially starting with domain admins and so forth at them to make sure that they're doing what they say they're not surfing the web with their domain admin employees your R&D in your senior leaders those are also ones you need to audit just because they are typically targeted from a cybersecurity standpoint Packers will go after these senior leaders sometimes they do offer because they have a little bit more information that they wouldn't normal people like myself wouldn't have so they go after them R&D is because they have electric proper knowledge that they may go after them as well so consider Security leaders they will go after them as well because many times they have the list of vulnerabilities that are out there so as a working or cissp and you need to make sure that you are connected with cissp training we had set up for this podcast we're now going to roll cissp exam questions domain 5 MSP exam all right in this question we're going to get into usernames passwords when looking at user logs the purpose of the username and password provides the following which one is it a identification B authentication C accountability D authorization you name it ensures that the correct identification is used when accessing the account so you won't understand that it's important that you have these correct username when they're accessing is and as you're dealing with logs also important to ensure that the username is connected because what ends up happening is if you don't ever username is pretty hard to give me chocolate non-repudiation hit $10 word basically to make something a sentence a little bit more simple but you want to be able to prove it there hacker actually do what they said they were did username or you don't know what was the account that actually worked at so it's important that you have a username available and these logs to ensure that you can track it all back to the right username or the right device alright this question preventive access controls which one of the following is a preventative Access Control type a CCTV see Mandarin d none of the above the Bose is it preventive preventative access c-man traps are considered a preventative access control that will limit individuals from a specific facility CCTV is there an available so that if you want to be and usually a CCTV honestly there's nobody really a most Mini cases 24 x 7 viewing of CCTV does not exist so therefore it's important that you understand that's usually egg control its after-the-fact a background check again is done beforehand and usually is before the first enters the area and then a man-trap is really designed as a preventative for a facility so if you're not familiar indoor close behind you and then it's validating identity it allows you in if it does not stand here until Security Forces come and get you 14 if you carry your buddy in carrying your buddy into a into a facility and your back do they have pressure plates going okay this guy weighs 450 lb he's really either really big or there's two people so that's something else that they keep in mind so that those are getting those are preventive Access Control type is the Man Trap podcast it was like The Institute and Wikipedia all right again if you happen to see if I haven't told you yet I'll tell you again check out my training at udemy.com that's udemy for your cissp training udemy.com or you can check it out at reduce Severus. Com cissp Dash training and you can get all of your cissp needs and a very good price with you to me extremely extremely inexpensive for with utilizing you know me and you can get your pricing there at that location again cissp training domains 1 through 8 is available for you and I hope you all enjoyed this podcast I always enjoy giving thanks so much for joining me today on my podcast if you like what you heard please leave a review and iTunes is I would greatly appreciate your feedback also check out my YouTube just search for Shawn s h o n cissp exam look at the Cornucopia of free cissp materials available do all my email subscribers thanks again for listening