RCR 045: Security Control Testing (CISSP Domain 6)
Jul 15, 2019
Description:
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.
In this episode, Shon will talk about the following items that are included within Domain 6 (Security Assessment and Testing) of the CISSP Exam:
- CISSP / Cybersecurity Integration – Disaster Recovery and Business Continuity
- CISSP Training – Conduct security control testing (Domain 6)
- CISSP Exam Question – CVSS / Scanning Tools
BTW - Get access to all my CISSP Training Courses here at: http://reducecyberrisk.com/cissp-training/
Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
ReduceCyberRisk.com - https://reducecyberrisk.com/
Facebook - https://www.facebook.com/CyberRiskReduced/
LINKS:
- ISC2 Training Study Guide
- Quizlet
- Disaster Recovery Journal
- Person IT Certification
- OWASP
TRANSCRIPT:
welcome to the reduce cyber risk podcast July 24th 2019 episode 46 security assessment and testing welcome to reduce cyber risk podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host of this action-packed informative podcast join me each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam real Sean Gerber again introduced cyber-risk. Com in a wonderful day in Kansas I have today and life is good can't complain at all and when do the listening about your complaints they just want to hear it all the good things in your life in most cases people are saying how you doing I'm doing good how about you I'm good but in reality their lies you stink so know what I'm doing good then the last hope everybody's things going well for everybody else out there in the world and Things Are hear from a cybersecurity couldn't get any better there's actually it's interesting you're studying for cissp I use you well know it's actually a great opportunity to get your cissp there's so many jobs that are coming open it's just blows my mind and put in many cases you have to have a cissp to even be able to play in the space so therefore it's a good thing that you're you're working on your cissp and the fact that you are trying to enhance your cybersecurity career so let's it's good today today we're going to talk about disaster recovery and business continuity in their cissp integration the cissp training is going to be conducting security control testing is not part of domain 6 and the cissp exam questions are going to be around CVSs common vulnerabilities and then the scanning tools that are associated so again those look cissp questions also doesn't listen to podcast you'll be hearing I go over domain or exam questions as well on a weekly basis that are just going to more to brief and to-the-point in the whole point of it is though is there just have a snippet of what I offer on my udemy courses that you can get yourself if you want the cissp training that you can go and study and then also use it to augment your cissp studying go to youtube.com you can check those out there at Dad look for Sean Shoshone yeah I love it's great Sean Gerber at udemy.com or you can go to my side ever do cyber risk. Com cissp training and you can actually have access to the training and gold but it's still take you to you to me where you can purchase that that training as well so it's awesome stuff I guarantee it is a great training I've done is like probably close to what I think is Ron 19 hours of training that you can get specifically to help you with the cissp it's the different domains are there and honestly is bargain-basement pricing that you will get at you to me and it's not as if they get a they get a little bit out of it I get a little bit out of it but at the end of the day you get a lot out of it and that's the ultimate purpose behind and the cissp training so alright tell as you well know working on your cissp and study in this face specially for cyber security professional Disaster Recovery is a key part of how you protect your data and ensuring that it is properly protected and available for people and then this comes down to the CIA triangle as it relates to availability having a disaster recovery plan is a great first step to having a availability of the data testing on a disaster recovery business canoe plans they should occur you should have these and you should do these and Huntington place and this comes down to you should have a security assessment and testing that are set up to determine which Disaster Recovery are what systems need a disaster recovery plan and which ones need business continuity plans and so the total of the background from a disaster recovery point of view in the event of a disaster you have to have the ability bring critical systems back up at a certain. Of time within a within a few minutes from my we can you typically call this an RPO which is recovery Point objective to your recovery time objective which is part of the disaster peace and in so therefore you need to have that in place where you'll have to do an assessment and understand what does that look like from a standpoint of data recovery and so you should you can should consider that also consider security control testing as well and your Disaster Recovery plan now from a business continuity you need to operate no matter what in the business it has to be operational has to be ready to go and so that would fall under the business continuity and that is a individual point system is that recovery is kind of them or larger broad-brush systems that you would deal with you also need to understand one of the security processes for data collection as a relates to your disaster recovery and business continuity plans and these come into new equipment that Evan place like new acquisitions so if you don't have done a really good job of assessing whether these are critical systems or not or whether they should have a good Disaster Recovery plan that can limit your effectiveness of your Dr plan so the fact based cleanse into this you have a system and you said you have a Dr plan for the system and its system a well system be rolls into town and you get rid of system a butt system a hadedas Dr plan in place you not have system be okay he's gone he's here what what ends up happening it well disaster occurs when we didn't have a Dr plant setup forces to be and so therefore it's imperative that the effectiveness is like I don't know what to do. those are bad things that run into especially when things go south so therefore it's important that any new equipment you bring and you re-evaluate the requirements and the criticality of that equipment Austell staff changes when people sessions at change how does this affect your organization so you have your main Dr person within your company and that person has the keeper of all the knowledge they are the big brain that operates the the the situation and if you've seen Wizard of Oz they are the Puppet Master there the man behind the curtain or woman behind the curtain and so therefore you need to understand well is that the right at a person's gone now what we do I don't know so the point of it is that your staff changes you need to prepare for that as well and have a plan in place to deal with the issues of individuals leaving your organization especially if they deal with the r Dr plant affecting us another thing that fight a factor that reduces your Dr plant Effectiveness is Shifting processing priorities a Datacenter vs Cloud processing and I say Datacenter obviously and the clouds are one of the saying they're synonymous it's just is your data center on front on-prem in your environment that you control or is it in the cloud and somebody else controls it or is it your Cloud again these are all different things that you need to consider when you're dealing with Dr plan Effectiveness and so often people with my great things to the cloud not thinking that well by doing that I do I incur some issues with my Dr plan I'm active application complexity Automation and solutions which is software-as-a-service Solutions do they add complexity and you need to understand if you're adding this new system is in place to automatically pushes stuff to the cloud need to BTR have a good solution in place to deal with it maybe don't know so there's a different aspect you need to consider as you're dealing with application complexity and then legislation challenges are changes that happens routinely and if that happens how do you deal with it recently there just been some with the Chinese Cyber Law. They had some requests for comment that was supposed to be done by the end of June so that has been completed and now we're waiting on what is a final ruling on some of these things from the Chinese government again legislation changes even though they are slow to to operate in some of these changes but they have dramatic impact effects when they do make these changes so changes in laws and all countries could have a dramatic effect on how you do business or if you are in country and you're trying to come United States to start date of laws may change to as time goes on audit preparation you need to prepare the team to meet any regulatory requirements that you may have and this includes yours ensuring you inspect your expectations are set that the team will not enforce the procedures so you need to make sure that they understand what does it takes if you do not enforce these procedures how does that affect you what how does a deal with what you going to do about it and do you have I'd wait a document in the event that someone did not follow these procedures like that into words that people can use I'm outside resources can provide a little or a lot of technical assistance depending upon you if you want that or not from an audit preparation standpoint that would be your Ian wise your Delights and so forth they can help you with this from a preparation one of you or they cannot just kind of comes down to what you want them to accomplish for you okay that is what the training I had from The infosec Institute security integration Andover Disaster Recovery section 6.3 so now we're going to roll into the cissp training and that is objective 6.2 conduct security control testing domain 6 now we're at talk about vulnerability assessments there's a physical assessment of a segment that doesn't really work out a really good word what does that word mean as physical aspects of an assessment and these are scanning tools penetration tests are big keep physical aspects around in the assessment and if if you just heard a growing it's from my dog sorry my dogs in here and he's not happy that he's actually having to listen to cybersecurity stop assessment findings mitigation so these are all the different things you need to be aware of as you're doing an assessment probability assessment from those tools to the penetration test and so forth standards for vulnerabilities in these can be all over the map as far as our standards for these vulnerabilities and you just need to be aware of those not some examples around this article cve those CDs in this case the example I have is a CD 2018 1 2 3 4 5 what that is is that say nomenclature they have for the common vulnerabilities exposures and these are what governments have come up with it these are some of the vulnerabilities that are out there and this is the exposure to that not talks about a description of the vulnerability it talks about references and how it got to that exposure to a CVV number these will typically go by the year 2018 or two three four five six seven eight nine 10 11 and they will then talk about the vulnerability of one of the issues and you can you reference when you scan for vulnerabilities and lot of times of scanner will actually reach out and that utilizes a database the cve database to say well hey XYZ vulnerability is tied to cve-2018 1 or 2 3 4 5 and then it'll talk about talk about that little bit there's also a common vulnerabilities scoring system and and that's another once we get CDs yet CVSs this is the principal character of the vulnerability what is it and it also ranks it on a scoring of the CVSs is from 0 to 10 being the most secure or most secure problems it's the apocalypse things are coming down asteroids from heaven and a plague of locusts and all those things is when you hit to range tent when it's range 0 what's like why bother even wasting my time so those are the different CVS numbers that they have but they that's how they rank them with all so many others as well that kind of talk about this but you're seeing your CVSs are typically the most used evaluation of systems Apple and networks these automatic evaluations of these systems you will automatically go out there and look at them now sometimes it needs to have it authenticated scan and what that means is it may need credentials to actually do a full scan of what it needs to so it may as an example of vulnerability scanner may just do a fingerprint of it may only get it the operating system name and make it a version of it it also may not get the most accurate information if it doesn't have it authenticated scan but something to consider if you're doing these scandals in your environment is doesn't have to be authenticated to ensure that is done properly and typically set for a routine basis you need to set these up so that they're done on a monthly basis and in many cases cases 8 the scans only good as the operator I seen it where the person will match the easy button and smash the button is scanner sometimes reports that kick out of these things are like 8 gazillion pages long and it just is not so it's important that you have a good operator who understands the scanning piece of this and there will be need to be some level of interpretation as a relates to the scanning and and how what does what's actually occurring within the environment and how does that affect you so vulnerability scans again there they're typically you done on a routine basis but you you need to make sure that whoever does it is and I like to say if you have someone is doing vulnerability scans for you if it's resource they need to own their product to be able to provide you good results if it's a third-party this mean the scans for you do the regulatory requirements they need to give you a good product and they need to be able to talk to it not just say here here's your report and have a nice day checkbox complete they they need to be able to do a good product and give you a give you a good product and do the job now from a network scan standpoint there are four main types you have network discovery Network vulnerability web application and database vulnerability scans the network discovery scanner this is basically a different range of techniques around this and he's just looking for open systems that are open and potentially vulnerable and ports that go to them so you can have tons of systems that are out there but if the ports are all closed and you can't get access to it that's a good thing but in many cases that's not the case in many cases when you scan a system you'll find out that there's jobs of Port open which would allow potential attackers to get into your environment little many companies typically do not have good knowledge around what other assets on their environment and so network discovery scans are important now something to keep in mind with network discovery scans is that if you have older Legacy systems the news legis the new network discovery scans that we have today are very they can be a bit issues with a with the environments that they're too much making make things tip over because they're just so strong so there's very skinny option that you need to consider as you're doing it when you're putting these out there just know that if you have old Legacy systems and you're running a scanner you could run into issues so it's better to start small and work your way out now there's TCP syn scanning TCP connect scanning scanning and then Christmas Kenny and obviously the TCP syn you're looking for a sin and that will tell you that basically to live if it you're trying to do a connection electric connect to the device and then an actual will go ahead and knowledge that it's even listening on a specific Port your Christmas canning basically means you you send the scan and it lights up like a Christmas tree that's not good but different kind of options that are available for you with a network discovery scam Billy scan this is a much deeper than a discovery peace and is looking for known vulnerabilities play Senor cvec VSS items will be looking for those vulnerabilities and it Compares a discovery of the data to what's within the database so if it finds out that there's issues with it it will go and say that there's a problem with it and it'll tell you these this basic compares the discovery to the data within the database itself specifically an author unauthorized scans typically are are not as good so therefore an author I scanned gives you a lot more detail when you're dealing with a network volubility skin you just got to determine if you can put the credentials in place to do that now if you have to have certain level of credentials for that that are elevated now you need to protect those in a way that it doesn't incur more risk within your company is that will help you do this there's nessus Metasploit rapid7 these are all scanners that you can will provide you that level of detail you just have to decide whether you want to use free or you want to use paid versions The paid versions obviously can get very expensive but they give you a lot more detail no more granular I just the free version will give you something but you got to ask what do you need now if you just trying to do some basic maintenance and trying to understand your risk-free scanners work out well if you're dealing from a standpoint if you got exposure on the web and you have regulatory requirements compliance requirements you may want to invest in something different just because they typically are updated better with the database they also will give you a better support those kind of things we got to decide what works best for you as you're dealing with network vulnerability scans for your organization web vulnerability scanning this skins for vulnerable web applications that are on the internet It's usually the first line that is attacked is the rest of them that got to get within your network the webs are out there and force the webs that was the web the web vulnerabilities are your internet facing websites are typically the first line of attack because it's out there available for people to go against and in many cases he provide valuable data on even how you do your nomenclature within your network so if they can get easier as I can leverage an attack against that that server it can give him valuable information of how your network is configured and so therefore if that's the case if they do get inside your network through a phishing attack of some of their kind it can cause issues right they got more intelligence about your network the other thing is that if you get your web server and it gets attacked and they can get access to it it can cause reputational impact important that you know what your lab environment your crush environment look like from a web point of view now if you have a third-party that's doing this for you so you have a marketing company that's doing your your web applications and do are doing your front end for your website you need to make sure they have a good security program in place and I wouldn't do an assessment of them to make sure they're managing at appropriately false positive can and do occur you will get false positives with your scanning engine so just keep that in mind it's going to happen so you might chase a rabbit that doesn't exist it's very possible and yes it will happen so therefore it's good to have multiple ideas and using good scanners will help you with this but I have seen really good highly-paid scanners are highly expensive scanners do give me all kinds of false positive so tell you again having a good operator that knows what they're doing will help you dramatically in this a wife has a list of scanning tools that are available for you as well that you can lies for your vulnerability scanning database vulnerability scanning this typically contain some of the most sensitive data within your organization is within a database and so usually their internal memory and that that's typically what's kind of buried in the bowels of the Beast and also because of that its internal would also ends up happening is sometimes you don't even know they exist so very Cloud providers are changing this thought process because now we are getting more databases in the cloud but you need to consider where these databases reside in many cases they are tied to various web applications car that's all I have for the cissp training today as we were late to vulnerability scanning so we're going on now roll right into the cissp exam questions this is for domain 6 okay this question we are going to be talking about CVSs so when looking at, vulnerability scoring system CVSs 1 of all abilities write 10 what does that mean it's most open for patching it's most severe Locust plagues big asteroids coming from Heaven not hemorrhoids but asteroids coming from Heaven yes that is the most severe right 10 that's bad okay score of 10 is most severe is bat he's so what tool is commonly used as a scan engine to find vulnerabilities within environment nessus BN map see Ping golf club DNS and the answer is a nessus is Cal you look for vulnerabilities within a network to determine if an exploit can be used against the system necesitas abused nessus it's a big monster tool works like a champ give you all kinds of gods of information but if you don't know what you looking at it's just like looking at Greek and honestly if people way smarter than me that I understand that super well but nessa's is commonly used to look for vulnerabilities and ping is not a set of golf clubs that is a set of golf clubs but not for cybersecurity like to play golf goodonya all right this is the link We Hazlet and IRC Square training study guide Quizlet Disaster Recovery Journal person it certification and owasp all right that's all I have for today's reduce cyber risk again if you want to check get some awesome training Go to youtube.com and check out Sean Gerber and cissp certifications you can get some great training their domain 1 through 8 or you can go to reduce cyrus.com cissp training and you gain will get access to all of my domains that again is all available for purchase you can check the all that out it's great is very inexpensive because compared to what you're going to pay for going to a boot camp awesome opportunity for you to if your self studying or even getting ready to go to a boot camp it'll set you up immensely for prior to going to that boot camp so highly recommended it will just it'll save you time believe me I'm a guy who failed the first time and past the second time and having some of this training would have been instrumental in the passing it the first time we will talk to you next week catch you on the flip side thanks so much for joining me today on my podcast if you like what you heard please leave a review and iTunes is I would greatly appreciate your feedback also check out my cissp videos that are on YouTube just search for Shawn s h o n and you'll find out the exam Lashley head over to reduce cyber risk and look at the Cornucopia of free cissp materials available to all my email subscribers thanks again for listening
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!
