Trigona RaaS - CISSP 3.7 Crypto - Board Translation Framework (Segment 3)
May 04, 2026
CISSP Cyber Training Resources
CISSP Domain 8.4: Assessing the Security Impact of Acquired Software — What Every Exam Candidate Must Know
Assessing the security impact of acquired software is a core testable concept in CISSP Domain 8 (Software Development Security), covering COTS, open source, third-party custom, and managed services — SaaS, IaaS, and PaaS. Understanding how the exam expects you to evaluate each software type, and what controls apply to each, is the difference between answering these questions with confidence and second-guessing yourself under pressure. This guide covers every software category, the risks the exam associates with each, and the manager-level thinking you need to select the best answer.
What Does CISSP Domain 8.4 Require You to Know About COTS Software?
Commercial off-the-shelf (COTS) software is pre-packaged, proprietary software built for mass distribution with minimal customization — Microsoft, Oracle, and industrial control system (ICS) platforms are common examples. For the exam, the defining security characteristic of COTS is that you have no access to the source code, which creates a full trust dependency on the vendor.
COTS security concerns the exam tests:
- No source code visibility — you cannot independently verify the absence of embedded vulnerabilities or backdoors
- Full dependency on the vendor's patching schedule — your exposure window is controlled by someone else
- Risk of undisclosed third-party library dependencies inside the product
COTS assessment strategies to know:
- Evaluate vendor reputation, market share, and third-party certifications — ISO 27001 is the primary certification to cite on the exam
- Review patch frequency and update cadence — irregular patching is a red flag in exam scenarios
- Confirm black-box testing and vulnerability assessments are documented within the vendor's certification program
- Review EULAs (End User License Agreements) for compliance obligations and permitted use constraints
Exam answer tip: When a CISSP question asks what the primary risk of COTS software is, the correct answer points to lack of source code visibility and vendor-controlled patching — not cost or customization limitations.
How Does the CISSP Exam Distinguish Open Source Software Security Risks?
Open source software has source code freely available to review, modify, and distribute, developed and maintained by communities or individual contributors. The exam tests whether you recognize that "freely available" does not mean "inherently safe."
Open source security risks:
- Unmaintained or abandoned projects — no active maintainer means no patches when vulnerabilities emerge
- Malicious code injection by contributors, especially through low-volume or one-time commit accounts
- Lack of formal support and accountability when incidents occur
Open source assessment strategies:
- Code reviews: static analysis, community vetting, and commit history — infrequent or single contributors warrant deeper scrutiny
- Dependency analysis: identify all libraries in use; confirm they are current and free of known vulnerabilities
- National Vulnerability Database (NVD) checks: integrate NVD lookups into your CI/CD pipeline for automated vulnerability detection
- Patch and update policy: confirm who owns patching responsibility and the release cadence
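The four open source assessment strategies above come together in a single CI stage. As an added example (not code from the original article or from any project it names), here is a small Python check that parses a pinned dependency manifest, matches each pin against an NVD-style feed, and flags dependencies whose maintenance signals (no release in two years, a single maintainer) match the "unmaintained or abandoned project" risk. Everything embedded is constructed for the example: the package names are fictitious, the CVE ids are `CVE-0000-000x` placeholders rather than real records, and the release dates and maintainer counts are made up; a real pipeline would fetch the feed from the NVD API and the project metadata from the package index.

```python
"""Added example, not from the original article or any project: a CI stage
that checks a dependency manifest against an NVD-style feed and flags projects
that look abandoned (stale releases, single maintainer).

Assumptions, all constructed for this example: the manifest is "name==version"
lines; the feed is a hand-written subset of the NVD JSON shape with placeholder
CVE ids and fictitious product names; release dates and maintainer counts are
made up. A real pipeline would fetch these from the NVD API and the package
index instead of embedding them."""

import json
from datetime import date

# Constructed manifest in pip "requirements" style (fictitious packages).
MANIFEST = """\
# constructed sample manifest
example-http==2.19.0
tinypad==0.3.1
example-json==1.2.0
"""

# Constructed NVD-like feed; CVE ids are placeholders, not real records.
NVD_FEED = json.loads("""
[
 {"cve": "CVE-0000-0001", "product": "example-http",
  "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.20.0", "cvss": 7.5},
 {"cve": "CVE-0000-0002", "product": "example-json",
  "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.1.0", "cvss": 9.8}
]
""")

# Constructed project health metadata (last release date, maintainer count).
PROJECT_META = {
    "example-http": {"last_release": date(2025, 11, 1), "maintainers": 5},
    "tinypad": {"last_release": date(2021, 3, 2), "maintainers": 1},
    "example-json": {"last_release": date(2025, 6, 1), "maintainers": 2},
}

STALE_AFTER_DAYS = 730  # assumption: two years without a release is "abandoned"
FAIL_AT_CVSS = 7.0      # assumption: block the pipeline on high/critical findings


def parse_version(text):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return {name: version} from 'name==version' lines; skips comments/blanks."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps


def is_affected(entry, version):
    """NVD ranges are [start, end) when given as including/excluding bounds."""
    low = parse_version(entry["versionStartIncluding"])
    high = parse_version(entry["versionEndExcluding"])
    return low <= parse_version(version) < high


def find_vulnerabilities(deps, feed):
    """Match every feed entry against the pinned version of its product."""
    findings = []
    for entry in feed:
        version = deps.get(entry["product"])
        if version is not None and is_affected(entry, version):
            findings.append((entry["product"], version, entry["cve"], entry["cvss"]))
    return findings


def find_stale(deps, meta, today):
    """Flag dependencies with no recent release or a single maintainer."""
    stale = []
    for name in deps:
        info = meta.get(name)
        if info is None:
            stale.append((name, "no project metadata available"))
            continue
        reasons = []
        age_days = (today - info["last_release"]).days
        if age_days > STALE_AFTER_DAYS:
            reasons.append(f"no release for {age_days} days")
        if info["maintainers"] <= 1:
            reasons.append("single maintainer")
        if reasons:
            stale.append((name, "; ".join(reasons)))
    return stale


def assess(manifest=MANIFEST, feed=NVD_FEED, meta=PROJECT_META,
           today=date(2026, 5, 4)):
    """Run both checks and decide whether the pipeline stage passes."""
    deps = parse_manifest(manifest)
    vulns = find_vulnerabilities(deps, feed)
    stale = find_stale(deps, meta, today)
    gate_passed = not any(cvss >= FAIL_AT_CVSS for _, _, _, cvss in vulns)
    return {"vulnerabilities": vulns, "stale": stale, "gate_passed": gate_passed}


if __name__ == "__main__":
    print(json.dumps(assess(), indent=2))
```

Run as a script it prints the findings; wired into a pipeline, `gate_passed` is what decides whether the build proceeds. The stale-project check is deliberately separate from the CVE check: a dependency with no known CVE but no maintainer is still the "no patches when vulnerabilities emerge" risk the article describes, and it should appear in the report even when the CVSS gate passes.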
What Does CISSP Expect You to Know About Third-Party Custom Software Risks?
Third-party custom software is developed by an external vendor specifically to meet your organization's requirements. It sits between COTS (no customization, no source visibility) and open source (full visibility, community support) — you may or may not have access to the source code, and you are fully dependent on that vendor for updates.
Third-party software security concerns:
- Limited visibility into the vendor's development environment and security practices
- Potential for weak supply chain security in the vendor's own development process
- Dependency on vendor-provided patches and updates, which may be inconsistent
Assessment strategies:
- Conduct a vendor risk assessment: certifications, past breaches, and incident history
- Require contractual SLAs with security clauses and indemnification provisions for breaches
- Demand evidence of penetration testing, code audits, and application security testing — vague claims of "security vetting" without documentation are a red flag on the exam
- Verify that monitoring and logging are in place for all integrations that touch your systems or data
What Does CISSP Expect You to Know About SaaS, IaaS, and PaaS Security?
Managed services introduce a shared responsibility model — the provider is responsible for certain security controls, and you are responsible for others. Knowing exactly where that line falls is one of the most frequently tested concepts in Domain 8.
Software as a Service (SaaS)
SaaS delivers end-user applications hosted and managed entirely by the provider. Key exam risks include limited configuration control, potential insider threats on the provider side, and ambiguity over who can access your data environment — including whether the provider retains privileged administrative access.
- Review the provider's data protection policies, encryption standards, and incident response protocols
- Determine whether you can restrict provider administrative access to your environment
Infrastructure as a Service (IaaS)
IaaS delivers compute, storage, and networking (AWS, Azure). The provider secures the physical infrastructure and hypervisor layer; you secure everything above it.
- Clarify the shared responsibility model in writing — exam scenarios will test where provider responsibility ends
- Assess hypervisor vulnerabilities and the provider's patch cadence for underlying infrastructure
- Evaluate API security: insecure API configurations are a primary IaaS attack vector
- Look for SOC 2, ISO 27017, and relevant certifications as evidence of security maturity
Platform as a Service (PaaS)
PaaS provides a platform for developing, running, and managing applications. Risk comes from third-party add-ons, insecure integrations, and the provider's own developer security practices.
- Verify the provider's developer security training and secure coding standards
- Review integration monitoring and how the provider handles security for hosted application components
Exam answer tip: In IaaS, the customer is responsible for security above the hypervisor. In SaaS, the provider handles nearly everything except data classification and access management. The exam will test whether you can correctly assign responsibility at each layer.
What Is the Difference Between a Cursory Software Evaluation and a Full Security Assessment?
A cursory evaluation uses binary analysis tools and automated scanning to check for known security flaws. These tools are useful but limited — they lack full application context, and relying on them exclusively creates a false sense of security, a phrase the CISSP exam uses deliberately.
A complete security assessment adds:
- Public documentation review: development processes, vulnerability response procedures, and secure configuration guides
- Verification that vendors are working toward ISO/IEC 27034 (application security) or IEC 62443 (industrial control system security)
- Manual code review where access is available
- Penetration testing and application security testing with documented findings
Exam answer tip: When the exam asks how to move beyond a cursory evaluation, the correct answer references formal documentation of the development process and standards-based certification — not additional scanning tools.
What Cross-Cutting Risk Practices Apply to All Acquired Software Types?
Regardless of software category, these practices apply across the board and are testable in Domain 8:
- Risk assessment: Identify potential threats, rate impact and likelihood, and factor in deployment context — internet-facing software carries far higher risk than internal back-office tools.
- Threat modeling: Map attack vectors and mitigation strategies with special attention to integration points — where software connects to other systems.
- Compliance and regulatory alignment: Validate that software supports HIPAA, GDPR, or PCI DSS obligations. Self-issued certifications carry no assurance value — look for third-party-validated certs.
- Incident response planning: Establish vendor coordination agreements before go-live, particularly for ICS environments where downtime has operational consequences.
What Does the Software Evaluation Process Look Like on the CISSP Exam?
The exam expects you to know the structured evaluation sequence:
- Initial screening — functional fit: Confirm the software meets your business and technical requirements before investing in security assessment.
- Vendor/source validation: Assess reputation, market presence, customer reviews, and community health (for open source). Low project maturity or a single-contributor base are risk indicators.
- Security assessment: Code review (where accessible), vulnerability scanning with tools such as Nessus or Qualys, NVD lookups, penetration testing, and data handling/encryption review.
- Compliance and licensing review: Validate regulatory alignment, confirm licensing terms and intellectual property implications, and involve your legal team on any significant acquisition.
- Integration and compatibility testing: Deploy in a sandbox or test environment before production. Establish both a deployment plan and a rollback procedure — though fix-forward is preferred when change control cycles are lengthy.
What Are the Best Practices for Long-Term Software Security Management?
- Formal software acquisition policy: Document the process for COTS, open source, and third-party software. Train procurement and technical teams — a policy no one knows about is no policy at all.
- Software inventory with risk ratings: An undocumented software asset is an unmanaged liability. Licensing exposure alone makes this worth doing.
- Continuous monitoring: Establish behavioral baselines and alert on deviations. UEBA (User and Entity Behavior Analytics) and EDR (Endpoint Detection and Response) tools are applicable here.
- Automated or scheduled patching: For open source, create CI/CD pipeline triggers or calendar reminders if automated patching is unavailable.
- Documentation and evaluation records: Record why each piece of software was selected, what assessments were performed, and all licensing and compliance verification. This is essential during audits and incident investigations.
- Approved software repository: Build and maintain a vetted list of approved software for organizational use to accelerate future procurement and enforce consistent security standards.
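The continuous-monitoring item above ("establish behavioral baselines and alert on deviations") is the one practice in this list that is easiest to show as code. As an added example (not from the original article or any vendor's product), the Python below builds a per-application baseline of outbound transfer volume from a week of log lines and then scores a new day's lines against it, which is exactly the check you would want around a newly acquired integration that is allowed to move data out of the environment. The log format, the sample values and the detection rule (alert above the mean plus three standard deviations, with a floor of twice the mean so a near-constant series does not alert on noise) are all constructed for the example; a real deployment would read the records from a SIEM or EDR export.

```python
"""Added example, not from the original article or any vendor's tooling:
build a per-application behavioural baseline from outbound-transfer log lines
and alert on deviations.

Assumptions, all constructed for this example: the log line format, the
sample values, and the detection rule (alert above mean + 3 standard
deviations, with a floor of 2x the mean so near-constant series do not alert
on tiny noise). A real deployment would read these from a SIEM or EDR export."""

import re
import statistics
from collections import defaultdict

# Constructed log format: ISO timestamp, application tag, host, bytes sent.
LOG_RE = re.compile(r"^(\S+) app=(\S+) host=(\S+) bytes_out=(\d+)$")

# Constructed baseline window: seven days of normal nightly transfers.
BASELINE_LOG = """\
2026-04-27T02:00:00Z app=vendor-sync host=srv-01 bytes_out=1200000
2026-04-28T02:00:00Z app=vendor-sync host=srv-01 bytes_out=1150000
2026-04-29T02:00:00Z app=vendor-sync host=srv-01 bytes_out=1250000
2026-04-30T02:00:00Z app=vendor-sync host=srv-01 bytes_out=1180000
2026-05-01T02:00:00Z app=vendor-sync host=srv-01 bytes_out=1220000
2026-05-02T02:00:00Z app=vendor-sync host=srv-01 bytes_out=1190000
2026-05-03T02:00:00Z app=vendor-sync host=srv-01 bytes_out=1210000
2026-04-27T03:00:00Z app=backup-agent host=srv-02 bytes_out=5000000
2026-04-28T03:00:00Z app=backup-agent host=srv-02 bytes_out=5200000
2026-04-29T03:00:00Z app=backup-agent host=srv-02 bytes_out=4900000
2026-04-30T03:00:00Z app=backup-agent host=srv-02 bytes_out=5100000
2026-05-01T03:00:00Z app=backup-agent host=srv-02 bytes_out=5000000
2026-05-02T03:00:00Z app=backup-agent host=srv-02 bytes_out=5050000
2026-05-03T03:00:00Z app=backup-agent host=srv-02 bytes_out=4950000
"""

# Constructed evaluation window: one normal night, two deviations, and a
# malformed line that the parser should skip rather than crash on.
EVAL_LOG = """\
2026-05-04T02:00:00Z app=vendor-sync host=srv-01 bytes_out=1230000
2026-05-04T02:15:00Z app=vendor-sync host=srv-01 bytes_out=9800000
2026-05-04T03:00:00Z app=backup-agent host=srv-02 bytes_out=5100000
2026-05-04T03:05:00Z app=new-tool host=ws-17 bytes_out=300000
this line is not in the expected format
"""


def parse_lines(text):
    """Parse log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        ts, app, host, n = match.groups()
        records.append({"ts": ts, "app": app, "host": host, "bytes": int(n)})
    return records


def build_baseline(records):
    """Per application: mean, population stdev, and the alert threshold."""
    per_app = defaultdict(list)
    for rec in records:
        per_app[rec["app"]].append(rec["bytes"])
    baseline = {}
    for app, values in per_app.items():
        mean = statistics.mean(values)
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        threshold = max(mean + 3 * stdev, 2 * mean)  # floor of 2x mean
        baseline[app] = {"mean": mean, "stdev": stdev, "threshold": threshold}
    return baseline


def detect(records, baseline):
    """Alert on volume above threshold, and on applications with no baseline."""
    alerts = []
    for rec in records:
        base = baseline.get(rec["app"])
        if base is None:
            alerts.append((rec["ts"], rec["app"], rec["host"], rec["bytes"],
                           "no baseline for this application"))
        elif rec["bytes"] > base["threshold"]:
            ratio = rec["bytes"] / base["mean"]
            alerts.append((rec["ts"], rec["app"], rec["host"], rec["bytes"],
                           f"{ratio:.1f}x baseline mean"))
    return alerts


def run_example():
    """Baseline on the constructed week, then score the constructed day."""
    baseline = build_baseline(parse_lines(BASELINE_LOG))
    return detect(parse_lines(EVAL_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

Two design choices matter here. An application that has never been seen before is itself an alert, because an unknown process moving data out is the inventory gap the "software inventory with risk ratings" item warns about. And the threshold floor keeps a very stable series (low standard deviation) from paging on a harmless 5% bump, so the alerts that do fire are worth an analyst's time.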
Key Exam Takeaways — Domain 8.4
- COTS risk = no source code visibility + vendor-controlled patching. Assess via certifications, patch cadence, and EULA review.
- Open source risk = abandoned projects, malicious contributor commits, and unsupported dependencies. Govern with code reviews and NVD integration.
- Third-party custom software requires contractual SLAs with security clauses and documented proof of testing — not just vendor claims.
- Shared responsibility model: IaaS customer owns security above the hypervisor; SaaS customer owns data classification and access management.
- Cursory tool evaluations are insufficient on their own — supplement with documentation review and standards-based certification (ISO/IEC 27034, IEC 62443).
- Self-issued certifications carry zero assurance value — require third-party-validated certs (ISO 27001, SOC 2, PCI DSS QSA).
- Fix-forward is preferred over rollback when change control cycles are lengthy — but always have a documented rollback plan.
FAQ — CISSP Domain 8.4 Acquired Software Security
What is the biggest security risk of COTS software according to CISSP Domain 8?
The primary risk is lack of source code visibility — you cannot independently verify the software is free of embedded vulnerabilities or backdoors. You are also entirely dependent on the vendor's patch schedule, meaning the vendor's update cadence directly determines how long you remain exposed after a vulnerability is discovered.
How does CISSP define the shared responsibility model for cloud services?
The cloud provider secures the underlying infrastructure (physical hardware, hypervisors, networking), while the customer secures everything built on top — configurations, data, access controls, and application security. The exact division varies by service model: IaaS shifts more responsibility to the customer than SaaS does.
What standards should a CISSP candidate know for software security assessment?
The two most testable are ISO/IEC 27034, which provides a framework for application security controls across the software development lifecycle, and IEC 62443, which addresses security for industrial automation and control systems. ISO 27001 is relevant for vendor organizational security; SOC 2 and ISO 27017 apply to cloud service providers.
Why is threat modeling important when evaluating acquired software for the CISSP exam?
Threat modeling maps potential attack vectors before software is deployed, allowing security teams to identify where the software connects to other systems, what data it accesses, and what mitigation controls are needed at each integration point. For the exam, threat modeling represents the proactive, manager-level approach to risk — as opposed to reactive technical troubleshooting.
What should I do if a vendor claims security certification but cannot provide documentation?
A self-issued or undocumented certification carries no assurance value. Look for third-party-validated certifications (ISO 27001, SOC 2, PCI DSS QSA assessment) and request the actual certification documents or audit reports. On the exam, a vendor who cannot demonstrate their security program in practice is treated as a risk indicator that warrants escalation or rejection.
Ready to Pass the CISSP the First Time?
Head over to CISSPCyberTraining.com for free and premium study resources built specifically for candidates at every stage of preparation — 360 free practice questions, self-study essentials videos, and full courseware covering all eight CISSP domains. The material builds both exam readiness and real-world security judgment, so you're not just passing a test.
Start Studying at CISSPCyberTraining.com →

SPEAKER_00 0:00 Welcome to the CISSP Cybertraining Podcast. We provide you training and tools you need to pass the CISSP exam first time. Hi, my name is Sean Gerber, and I'm your host of action for the podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cyber security in the money. Alright.

Chapters:
- New CISSP Sprint Cohort Offer
- Trigona Ransomware And Data Exfiltration
- Symmetric Encryption Strengths And Weaknesses
- Asymmetric Encryption For Confidentiality
- Digital Signatures And Non Repudiation
- CISSP Crypto Exam Trap Questions
- Elliptic Curve Crypto Key Advantages
- Quantum Computing Threat And PQC
- Crypto Attack Types And DRM
- Board Briefing Framework Overview
- Part One State Risk Clearly
- Part Two Tie Risk To Business
- Part Three Make A Clear Ask
- Build And Use Loss Cases
- Pro Tips For Executive Buy In
- Better Board Language Examples
- Final Takeaways And Closing

SPEAKER_01 0:26 Good morning, everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be getting into some great aspects today related to aspects you see in the world today of CISSP and cybersecurity. We're going to be talking about the news. We got a little bit of an article there about Trigona. We're going to be getting into the domain 3.7 of the CISSP, and we're going to go into our board briefing framework as the board cybersecurity series as well. So there's got a lot going on today in today's episode. So it's pretty exciting. But before we do, I just actually want to take a couple minutes real quick before we get started on something that I'm doing that I wanted to get your opinion on it. So I've basically I failed the CISSP the first time, right? You guys we've talked about this all the time. There's a lot of issues that go into this. 
And I've also, a lot of my students have mentioned made comments to me of they've they've got programs out there that are helping them with the CISSP. They love the podcast, they love the content that's available, but they still struggle with taking the CISSP exam. So what, and then I also there's you all know that there's boot camps out there. There's really significant boot camps that you can go and spend six days, 10 grand,$15,000, whatever that is, and you can be successful potentially and pass the exam and move on. Right. But they're super expensive and not everybody can do that. So I've come with a solution and I wanted to get your guys' opinion, and I think it's going to be hitting here soon. Uh my goal is July 7th. I am going to launch my first ever CISSP sprint. Now, what is it? It's an eight-week live cohort that is specifically set up for folks that are cybersecurity professionals who are serious about getting this done. And they have weekly live sessions with me on a personalized study plan to get you ready for your CISSP at the end of that eight weeks. So that's a small group of peers who will hold each other accountable. And then when exam day comes, you're going to be ready. I'm only going to have 15 spots available. That's it. And it's going to start July 7th. Now I'm going to have an early bird price of$497 for this. And the typical price is going to be$597. I'm saying this now just as a as I'm putting taking a few seconds to talk about it just because I want to let you know that it's an exciting thing that's going to be hitting here very, very soon. And I I feel very confident that what's going to happen is it's going to give you that boot camp experience, right? In a little bit more toned-down way. And but it's going to still be a self-study aspect. You're going to have to study and you're going to come with expectations. But on the flip side of that, you're going to be ready to go. 
And so that you can pass the CISSP exam in that eight-week period. So again, keep your eyes peeled for it. I think it's going to be awesome. I truly believe you're going to love it. Um, and I have already got some feedback from people thinking this is an awesome idea. So excited about what's going on. And but well, let's get into what we're going to talk about today. So today's news, we're going to be getting to Trigona Ransomware. This adopts a custom tool to steal data and evade detection. So Trigona is a remote, or basically ransomware as a service operation tied to the Huntus Cybercrime Group. I don't know how these guys come up with their names, but they do. Uh, they're active since basically 2022, and they've seen some activity here March of 26 by Symantec. So what this works, and they're saying this is the big shift, and I will argue a little bit with the drama and the semantics or the theatrics a little bit in this, in the fact that in the past, many companies, I say companies, but they really are companies, many of these groups will use tools that are already available to them. Uh, one of these is Rclone and MegaSync. This is what they call out in the article that are used to sync between cloud environments, and it's a way for you to be able to manage and move uh data around within your organization. Um, the thing is that's a difference in this, is many of the attackers are using these types of products. And so the alert systems are kicking off going, why are you using Rclone? Why are you using MegaSync? And so these folks built their own exfiltration utility called uploader client.exe. Okay, so what does this mean? Well, this isn't new. I'm just gonna be out there. This is not new and it's not like revolutionary because we did this back in the 20, 20 years ago when I was a in the red team uh commander. Now, the point difference is that we would have for us to be able to create our own tools, it was very laborious. 
It took a lot of work, it was very time consuming. And so what ended up happening is you have to have a test environment, you have to have all kinds of tools and everything else ready to set up, and in many cases, it doesn't work very well. So it takes a lot of back and forth. So when you but use these tools that are already in place, such as Rclone and MegaSync, then they have already gone through all that hard development work for you. So they you know they work. The downside is that the good guys know that the bad guys use these things, so they flag for those types of situations. So these guys created this uploader client.exe. And how does it work? Well, it basically uses five parallel connections per file to saturate bandwidth, and it rotates these TCP connections at basically 2,000 megabits intervals to avoid triggering network monitoring alerts. So they know what the DLP aspects are going to be, and they're doing this to keep it on the down low. They focus on sensitive files like invoices, high-value PDFs, and they use their key to secure the data as it's being filtered out. And in many cases, you know that if you're using a SSL or you're using any sort of encryption on the outbound connection, uh, there are not many companies that will actually do full-time packet inspection of these connections. So if it's encrypted, they are nobody's looking at it in most cases. So this is an important part. Now I say that why did I say that that it's the fact is that this isn't anything new. It's not. We did very similar concepts. However, now with their, we didn't have to worry about the 2,000 megabit intervals because no one was really looking at it at the time. But today, obviously, if you have DLP rules in place, this is a great way for you to kind of help with that. The downside is again, they're still getting data out. It's this cat and mouse game that you're going to be playing. 
So, what they the attackers do is they will disable security software using H Sword or PC Hunter, and then they will look via some vulnerable kernel drivers, and then they gain remote access through AnyDesk. And they steal their credentials with uh Mimikatz or with NirSoft. So the point comes into is you're going to have to, they it's a very complicated attack that they're using here. This is something for someone that is actually well schooled in how to use these types of penetration testing tools as well as the red teaming aspects around it, and from an ethical hacking standpoint, or non-ethical hacking, I should say. So the point is that you need to just be aware of how they are doing these aspects. So, custom tooling that these folks are using is a great stealth advantage that they have. However, once it's discovered, then you can make signatures for it. It's that cat and mouse game we get into, you know, it's just a it's an interesting concept. So, some different types of how does this connect with the CISSP? Obviously, security operations is the primary aspects with this. And at this attack will hit on all the key pillars evading network monitoring, disabling endpoints, credential theft. These are all aspects that you need to be aware of for your CISSP. And it also touches on domain one, which is why your remote or your uh ransomware as a service model. It basically means a threat isn't just one actor, it's scalable and its overall ecosystem is an important part. So you really need to account for a commoditized ransomware when you're looking at all your different threat models in your BIAs. So these are all important parts. So as you're thinking about this concept and you're thinking about these attackers, think about how these tie into the CISSP as well. Uh so again, domain seven, domain one, key factors in this aspect. Okay, so let's move into what we're gonna talk about today. 
Domain three, 3.7, cryptographic methods, symmetric, asymmetric, and elliptic curve. So we're gonna get into some different types of cryptographic methods that are associated with the CISSP. And obviously, there's many different aspects that are rolling that you're seeing on a daily basis. And this is also a very dense type of content. So we're gonna get into it's kind of high level to understand what are some key terms you need to be aware of for the CISSP. Cryptographic methods, symmetric, asymmetric, and elliptic curve. So we're modern crypto is computationally complex and is extremely complex, especially any sort of crypto that is worth its salt. It just truly is. And the key aspects around this all relate to the CIA, your confidentiality, integrity, and availability. There are three types of algorithms typically used. You have symmetric, asymmetric, and hashing algorithms. Now, the cryptographic keys, these rely on secrecy of at least one of the keys. You have to keep one of the keys at least secret. And the key length is an important part of any part of this equation. The shorter the key length, the less uh strength it has, and odds are high, it will be crackable. So we'll give an example around this would be data encryption standard DES. Uh so DES, the typical key length in the past when I first got started was around 56 bits. Um, this was definitely crackable. Okay, they can get this not a problem. However, the standard now is 128 is the minimum. Now, I would say even minimum of 128 is one of those that is bouncing off the bottom of the pool. You need to be in the 256 aspects related to any sort of cryptographic function, and I think that's what's recommended from MIT as well as NIST. So it's all the aspects come into is cryptographic keys. The shorter the key, you have a bigger problem. The longer the key, the bigger the key, you have a much more secure environment. 
Um, the downside is the shorter the key, the faster the crypto the algorithm can run, the larger the key, it takes a bit longer, and which can be problematic in some situations, depending upon how it is used. So the symmetric key algorithm, this is a shared secret. Both parties have a copy of this shared secret. So basically, each person has this. Both one A and B have a copy of this shared secret. The sender encrypts, this receiver decrypts. When they have this shared secret, that's how it works. You will encrypt it. If I'm sending it to you, I send it to you. Because we both have this shared secret, you now are able to decrypt it. If I did send it to somebody else and I didn't send it to you, because we have the shared secret, you could, but they could not. So it's really great for doing bulk encryption, large amounts of encryption. Works very well for that. Uh, but there are some downsides with it. So, some of the weaknesses. So, when you're dealing with symmetric algorithms, some of the weaknesses that are in this is key distribution. You need a secure method is needed to transfer the keys. So you need a way to be able to move the keys back and forth in a way that's secure and it cannot get intercepted. It does not implement non-repudiation. Now, non-repudiation means you cannot deny having done something in this. It's the ability to prove that a specific person performed a specific action and they can't later claim, oh, it wasn't me, it was somebody else. So it does not implement non-repudiation. So sharing keys, they can be lost on the one who's involved, and the keys not tied to a specific individual. So, like Sean doesn't get this specific key, it could be anyone. So the algorithm is not scalable. Sharing with large groups is not useful. Um, and so there can be a bit of a challenge when you're dealing with that aspect of symmetric keys. Key regeneration keys must be reconstituted often, and all the keys must be discarded. 
So, again, it's great for point-in-time aspects. It's really good for if you're working with a specific individual and you want to just go or a specific group and you want to go with them, uh, but it is not the best for ensuring long-term management of your overall in crypto. Okay, so let's look at how these this actually works. So the goal is to send a message to only the recipient can read. We don't want it to have everybody like we did before with Symmetric. We want to focus specifically around what is the aspects of what they want to read. We want them to read only our message. So, step one, the sender gets the recipient's public key. Now, this is publicly available. You will get access to everybody's public key, as well as you have this far as part of the PKI infrastructure. You will then get this public key. The sender will encrypt the data, the information with the public key. So that's what locks the message, that's what puts it in place. You can't do anything with it. Then the encrypted message travels, is sent to the network to where they want it to go, and then the recipient will decrypt it with their private key. So the public key is available. You do not want to share your private key with anybody because that is for you specifically. But because it's tied to your public key, it now, when it comes across the wire, you can actually decrypt the message. Now you can only decrypt it coming from this individual. You can't decrypt it from anybody else. So this is how it comes in, and only you can open it. So confidentiality is achieved again, only when the recipient can read the specific message. So you encrypt with the recipient's public key, decrypt with the recipient's private key. So key thing to keep in mind and remember for the exam. Now, cryptographic other methods, you got digital signatures, and we're gonna get into those in just a second. These ensure the message non-repudiation. 
So a message digest is created, and this is using a hashing algorithm, and it's encrypted with the sender's private key. So the senders, their private key, they're gonna send it, they're gonna hash it, and then what's gonna happen is the recipient will decrypt it with the sender's public key. So it's the thing in reverse, basically, but what it comes down to is now they decrypt it and they can verify that the message coming from the sender is legit. It hasn't been tampered with, there's no man in the middle, everything worked out great. So again, one public, private, public, and private key pair for everybody. Same key pairs are used to communicate with all the specific users. Okay, use case two. The sender hashes the message. This is the fingerprint that Chris created. They encrypt this hash with the sender's private key. This includes this basically incorporates what they call their digital signature. They send the message plus the signature with it. The recipient verifies with the sender's public key that it is correct. And this, if the hashes match, it's authentic, right? So the ultimate goal though is integrity plus non-repudiation. The sender cannot deny sending the message. So the key part in all this is sign with the sender's private key, verify with the sender's public key. Okay, so asymmetric key algorithms, some of the strengths related to asymmetrics. It's easier uh user removal. Again, you can write key revocation makes you removal of users extremely easy. Key regeneration for private key only, it's all you have you are dealing with is a private keys are needed to be regenerated. It makes it much more simple. And if they are compromised, it's not as big a deal. Simple key distribution, again, just making the public key available makes it much more useful for everybody to be able to share encrypted information. And then it just uh the simple communication asymmetric keys do not require pre-existing relationships with people to share the keys with. 
So asymmetric, go all the way. Here are some CISSP exam traps. Which key encrypts for confidentiality? Always the recipient's public key, not the sender's. Which key creates digital signatures? Always the sender's private key, not the recipient's. So again, confidentiality, recipient. Digital signature, sender. Keep those in mind. Does asymmetric encryption provide non-repudiation? Does asymmetric encryption provide non-repudiation? Only when it's used for digital signatures. That's when it provides the non-repudiation aspect. Encryption alone will not provide non-repudiation. It basically means that if you can't deny that it came from you, it only provides confidentiality, encryption does. But even you pair it with digital signatures, then it provides non-repudiation. Trap four, what does a hash provide alone? Integrity only. A hash with no signature just tells you the message wasn't changed. It doesn't tell you who specifically sent it. So again, the hash is integrity only. If you just have the hash, okay, if there's no digital signature with it. Okay, cryptographic methods dealing with elliptic curve algorithm. So the key points here is this is an approach to public key crypto. It's an algebraic structure of elliptic curves, and it's key to key agreements, digital signatures, and pseudo-random generators. So the benefit of the ECC is basically its smaller key size, equal security with larger RSA-based systems. So as an example, yet your 256 EC is comparable to a 3072 RSA public key. So the elliptic curve is a very strong cipher. The NSA classify with 384 keys. I think no, that's gone up to 1,084 at this point. Um then NSA is addressing crypto changes due to quantum computing. They're trying to figure out how to deal with that and work through those different quantum computing. What is it? So it's an advanced field combining computer science and quantum mechanics. It removes the traditional ones and zeros that we deal with, more or less the on and off. 
And it uses qubits instead of bits, which basically enables multidimensional computational models through superposition and deals with entanglement. Now, I would not even be the person to lie to you and tell you that I understand what all that means. I don't, right? Those are key terms that I saw on the web. And I do know that Einstein had talked about entanglement in some aspects, but realistically, that's about the depth that I know. All I know is that instead of it being very linear, it's now going to be multidimensional, which, if you're computing on a multidimensional aspect versus a standard plane, you can only imagine that it will only go up from a speed standpoint.

So where does it stand today? The quantum computing industry reached its inflection point this year or last year, going from theoretical to potentially a commercial reality. Now, there's a company called IonQ, and with Ansys, they ran a medical device simulation that outperformed classical high performance computing by at least 12%. So this is a big factor for a lot of people. It's still far from achieving fault-free general purpose quantum computing, it's not there yet. There are some key challenges that do remain. However, this is starting to make the transition, starting to move in a direction that is going to be commercially viable. So, what are they expecting for '26? It's now feasible that within the next five years there is going to be something that's going to be very strong from a computing standpoint. And I would tell you that now that we have the various LLMs that are involved, and in some of the cases specifically, we'll just use Mythos as an example for Claude, I think this is going to probably speed up even faster just because of all the capabilities that it does provide. So again, IBM targets fault-tolerant quantum computing by 2029. And that is their best current estimate: practical cryptography-relevant quantum computing should be in by '29 to '31.
So it's going to be a very interesting world we see. I mean, we're talking in '26, we're halfway into it almost. You're going to be in a situation where in the next three to four to five years, it's going to be incredibly cool to see what happens, but it also could be incredibly scary.

So, why does this matter for security? Obviously, urgency is increasing. Quantum computers may solve problems impossible for standard computers, such as breaking current encryption, which has always been something they've been concerned about. And NIST, working with MIT, has come out with some cryptographic standards. They came out in '24. Adversaries are already harvesting encrypted data today with the intent to decrypt it. And when you're talking about the Chinese, they do that all over the place. Now, I would say that I'm sure the United States is doing the same thing, as well as many other adversaries are doing it at some point in time. So organizations must begin transitioning to post-quantum crypto (PQC) now, as quantum-accelerated decryption becomes a legitimate planning risk rather than the distant future. So you gotta start planning for making your crypto quantum resistant. That's the ultimate goal. So we kind of talked about this a little bit, but quantum is gonna be a great thing in the future. It's also gonna be very interesting to see where it plays out.

So there are various methods of crypto attacks. We're gonna briefly touch on some of these. You have analytic attacks; these are algebraic attempts to reduce the complexity of the algorithm. They're basically going after the algorithm specifically. You have implementation attacks. These are weaknesses in the crypto of the system. They're attacking these where, let's just say, someone came up with their own crypto idea. That would be what they would go after.
Statistical attacks, these focus on statistical errors in the crypto itself. And then brute force attacks are dealing with rainbow tables. Now, those brute force attacks have been probably less and less something that people use, but they still are a valuable tool that many people use. I remember in the old days, we would daisy chain computers together to do rainbow tables, and they worked, they worked really good. And then there are also network systems that are daisy chained together, so there are lots of great ways that you can actually do different types of attacks depending upon the situation that you're looking for.

Digital rights management. Now, this utilizes encryption for copyright protection. Now there have been many debates around DRM, and there was DRM used many years ago by Sony in a way that they were actually using it to track people, in a way like malware. So they put DRM on their software and then they ended up getting sued because the software was doing other things besides just protecting the music. So there's music, movies, different types of pieces of activities that are available for people. Now you have a subscription. Once you lose access to that subscription, then they revoke access to the information that's there. So I mean, if you download music off of iTunes, the moment that you quit paying, they revoke access. Now, even though the file may still be sitting on your system, you don't have access to it because they remove the access. Movies, again, there were always in the past significant piracy issues when it came to movies. The protections really have been negated a lot, especially by hackers. So now that we've moved to streaming and much more content-based versus actual physical systems, it's become a much easier factor to protect it.
Now, that doesn't mean it's not being stolen and then trying to be resold by individuals, but the world is changing. It's morphed a lot just over the past 15 years. Ebooks, video games, and documents, all of those aspects will have DRM associated with them in some form or fashion. Okay, so that's all I've got related to the CISSP. Let's move into our next topic.

All right, so this is segment three of the board briefing framework. This is a repeatable structure for every executive presentation you need to do. So again, this is focused on if you want to be a CISO or a senior leader: how do you deal with the board? How do you ensure that the board gets the information they need to get so that you can get what you need to protect your company? Why do most board briefings fail? Okay, well, a lot of briefings that I've seen in the past, both from when I was in the military and from dealing with boards and other senior leaders, these are some key things that come out of it. One, no structure. Security leaders will tend to ramble through technical details without a clear idea of what you're trying to accomplish. I've seen it. They just kind of talk, they get diarrhea of the mouth and they keep on going. There is no specific ask. They inform the board, but never lead to a decision or a resource request. What are they looking for? What are you asking for? There's no specific request to the board for their help. There's no foresight. They report what has happened instead of what is coming and how they're preparing. So you come in and say, these are the things we're seeing. This is what we're doing to prepare for this situation, and this is how you should be anticipating what you should be expecting in the near future. There's no ownership. They present risk without demonstrating that they've really evaluated it. So they basically say, we have a problem, but they're also saying, I haven't looked at it, and I don't really know what I'm looking at.
The fix is simple. It's a repeatable, three-part structure usable for any board briefing you may have. So what does it deal with? Part one, what happened and what is the risk? So you're going to want to go in with plain language, no acronyms, no jargon; you have about 90 seconds to frame the situation. Use them precisely. When I was working at Koch Industries, we always had people ask the question: if Charles Koch catches you on the elevator, and he works there all the time, I don't know if he still does, but he was working there all the time, you would see him routinely. If he got you on the elevator and said, "Hey, what kind of value are you producing today?" You had a 30-second elevator pitch to tell him how you're doing. Same concept. You got about 90 seconds, right? You don't have a whole lot of time. You got a minute and a half because board meetings are usually very full, and you just got to say what you need to say and get to the point of it. I've briefed four-star generals, and it's the same concept, right? You have 90 seconds to frame the situation and tell them what's going on.

So part two is, what does it mean for their business? Financial impact, operational impact, or reputational impact. How are these affecting the business? If you cannot connect the risk to the business consequences, you haven't done your homework. So again, you've got to be prepared for this. And it's an important part of understanding what the business needs and how you can provide that value for the business. Part three is what we are doing and what we need. Come with recommendations, come with a clear ask, and tie your request to measurable outcomes. Be a leader, not a reporter. And you'll see some more as we get into this.

So part one, state the situation in one or two sentences maximum. No technical background is required. You don't need to give them a whole laundry list of what happened.
You see these different types of Geico commercials or the Progressive commercials. You know, some of these guys, they just kind of talk and talk and talk. You don't want that. You're gonna get right to the point. Use the "so what" test. So if the CFO couldn't explain it to a colleague, you need to rephrase it. If they go, "So what, what does this mean to me?" If they're saying that to you, they may not say it to you, but they're probably thinking it. So you need to make sure that whatever you say, it can be explained by somebody else in the third person. Avoid passive voice. "We discovered" is stronger than "it was identified that," right? With "we discovered" we had active involvement in it, versus "it was identified."

So here are some examples of some strong framing you can have when you're dealing with the board. "Last quarter we experienced three targeted attacks on executive credentials. None were successful." "A critical vendor in our supply chain was breached. Here is our exposure." I don't like the word breached. You're also gonna have to get them used to the word event or incident. I say breached in this situation just because I want you to understand that, when we talk about this, we want to move away from breached as much as we possibly can and move into the event and incident aspect. But you want to then tell them what your exposure is to the situation.

Part two in practice, right? Our business impact. So from a financial standpoint, you need to quantify the potential or actual dollar exposure that you had. From an operational standpoint, you need to tell them what systems, processes, or revenue streams were or are affected. Now, with this situation, you are gonna work highly with the different operational leaders in that organization. So whatever you come up with, they better be briefed before you go to the board. There's a good nugget right there, big nugget.
Make sure that your operational folks get access to this briefing before you go to the board. Nobody, I repeat, nobody likes to have their dirty laundry aired in front of the bosses that are out there before they're aware of it. Make sure everybody's aligned with what you're going to the board with. Reputational: customer trust, regulatory disclosure, or brand risk. You need to make sure that they're connected with those if there are any potential issues. Then, from a competitive standpoint, does this affect our market position or contractual obligations? There are contractual obligations that you may not be aware of, and you will have to work with legal on this. Again, doing your homework. If you use this framework, it will help you dramatically in visiting with your legal teams to ensure that you have what you need specifically. And then always answer what we would lose if this happened and what we have already protected. So those are key aspects related to the business impact. Always answer what we would lose if this happened and what we have already protected. What is already in place and what is protected around it?

Part three, the ask. Never leave the board briefing without a clear ask or recommendation. And you need to format it like this: I need X to achieve Y by date, whatever that date is. You need to make sure to tell them that. Dates are important. You need to have hard dates in place so that you know that you can actually act upon them. Tie resource requests to outcomes, not activities. What is the outcome you're gonna get out of this? And then offer options when possible, preferred path plus the alternative. So this is our preferred path. This is the alternative that we're gonna go down. So again, what are the options that are available to them? And then anticipate objections. Come prepared with, basically, your return on investment case already built. I can't stress this enough.
Come prepared with everything you need to be able to give them the answers to the questions they have. If you do that, your odds are high you're going to get what you're looking for. So an example is: "I'm requesting $450,000 for endpoint detection. This closes our largest exposure and protects $6 million of at-risk revenue." Now, I will tell you, if you drop these numbers, they're gonna ask questions: how did you come up with that? You better be prepared to come up with the solution. And here's another big nugget, okay? If you worked with your operational folks to come up with these numbers and everybody's aligned, the odds are the board's gonna go, "Got it. Okay, makes sense, totally get it. Good." And then they move on. Again, communication is the key here, and working with other parties.

So, loss case presentations. What is a loss case? A specific scenario tied to your business model, not a generic threat. So: "A ransomware event shuts down an order system for 48 hours, costing $3.2 million in revenue." That's a loss case. If that happens, this is what would happen. This is how much we would lose. This is what's going to occur. Walking them through those situations will be extremely valuable to them. So, how do you build this? You work with your finance and ops teams to put dollar values on downtime, data loss, and recovery. I've done this. It's incredibly important. It takes a lot of work, but it is super valuable. And it also helps you build a baseline when it comes to losses. So make this scenario vivid and specific. Now, how to present one? You present two to three loss cases per quarter. And it may not need to be that many. It may just depend on the time frame you have. Maybe you're only meeting with your board once a quarter. Maybe then you just do one to maybe two loss cases per quarter. So you just got to decide how that works best. So, which ones have controls in place and which ones represent open risks requiring board decisions?
Now, if you go through this process and you realize, okay, I've got all those covered, well, then it comes back to going, how do we tweak this and modify it? But this is the initial piece getting going. So why this works: boards govern by risk tolerance. Loss cases give them something to govern. They can then approve spending, accept risk, or transfer the risk. They make the decisions on this, but you give them really good nuggets to make these decisions. Now, the key is, don't just make an assumption where we say, well, we'll be down for 48 hours. Like I've mentioned before, you may not be down for 48 hours. You may be down for three weeks. So what does that look like? And I would give them bracketed ranges. Best case scenario, worst case scenario. You need to give them all of those aspects.

So some pro tips. What separates good from great, right? Show your foresight. You're answering ahead. So what risks are you tracking that could disrupt us in the next 12 months? If you already have that in place, if they ask, you're showing that you're ahead of the game. Prevention over detection. Boards have learned that detection after the breach or incident equals no impact reduction. Show what you have stopped. Know your audience: align with your CFO, your COO, general counsel, all of those people before you walk in the door. I'm telling you this: you have to work with these people to understand the overall risk. Bring the language they use: revenue continuity, customer commitments, operational resilience, not CVEs or CVSS, which we've mentioned before. And then partner across the C-suite. CISOs who are isolated from their peers create board-visible gaps in execution. You work with your peers. You have to be visible and you have to be engaged with your peers. So here's a quote from the Tucson Boardroom Reality Report.
"In '26, successful cybersecurity leadership is defined not only by the strength of its technical controls, but by the ability to clearly articulate, govern, and defend risk decisions at the board level." And that's a no-brainer there, guys. That one most definitely is the case.

So framework actions, basically putting this into a scenario, right? We've mentioned this again, but I'm gonna kind of drive this home. This is the what-not-to-say: "We've completed an annual pen test. There are 47 findings, 12 critical. Remediation progress is set up per our standard SLA." They have no idea what that means, right? So instead you can say: "Our pen test revealed we have three scenarios that could disrupt payments for 48 hours, causing a $4 million exposure. I'm requesting $300,000 to close them by Q3." Ah, it's actionable. It's got a question in it. Yeah, we can do that. That's good. Another one is: "We detected unauthorized access to financial systems. Investigation is ongoing, no data confirmed exfiltrated." That's what you shouldn't say, right? The one that you should say is: "An attacker accessed our financial system for six hours." That's usually really bad, and when that happens, you're like, oh my gosh. "No funds moved, controls worked. Here's what we're hardening to prevent future occurrences." The board will be very happy with you if you do that. Now, I will tell you that in this situation, the CEO, the CIO, and all of them involved will be clamoring to figure out what we need to do to fix this problem.

So, some key takeaways for you to deal with here. Use a three-part structure every time: what happened, business impact, and what do we need? Build a loss case scenario tied to your specific business model, not generic threats. Always come with a clear ask tied to measurable business outcomes. Show foresight, answering what's coming before the board has to ask for it.
And then prevention metrics carry more weight than detection metrics. Again, prevention is the key. Detection is after the fact. You want to make sure you have a good plan ahead of time before you even get there. Thanks so much for joining me today. I hope you guys enjoyed this. I hope you have a great day. And you know what? We are excited to see how the future goes, but we'll catch you on the flip side. See ya.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!