CCT 074: Management of Identification and Authentication - Future Trends (CISSP Domain 5)

Sep 26, 2023
 

How prepared are you for a ransomware attack? Buckle up as we navigate through a thrilling ride into the world of cybersecurity, drawing lessons from the recent ransomware attacks on Caesar's Palace and MGM casinos. We'll walk you through the importance of having a robust disaster recovery and business continuity plan, as evidenced by these high-profile breaches. But that's not all - we're also diving into the future of identity and access management, touching on exciting trends like blockchain, AI, and IoT.

Ever wondered how single sign-on and multi-factor authentication could be your secret weapon against security threats like password reuse? We're going to shine a spotlight on these protective measures and explore global data privacy laws such as GDPR, HIPAA, and PCI DSS. With the recent ransomware attacks, we'll discuss the potential compliance implications and the critical role of internal and external audits in identifying security gaps.

Finally, we'll delve into the transformative potential of AI and machine learning in boosting security. From facial recognition to voice recognition and blockchain, we're going to peel back the layers of these cutting-edge technologies. We'll also offer you a sneak peek into the world of CISSP Cybertraining and how it can be your ticket to cybersecurity mastery. So, don't miss this opportunity to embolden your cybersecurity knowledge and stay ahead of the curve.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Content

Management of Identification and Authentication (Domain 5)

 

Introduction

      • Overview: Briefly introduce what identification and authentication mean in cybersecurity.
      • Importance: Highlight the crucial role identification and authentication play in security.
      • Objective: Explain what the episode will cover regarding management of identification and authentication.

 

The Basics of Identification and Authentication

      • Identification vs. Authentication: Clear definitions to distinguish between the two.
      • Common Methods: Usernames, passwords, biometrics, and smart cards as examples.
      • Business Case: Why robust identification and authentication systems are business-critical.

 

Multi-Factor Authentication (MFA)

      • What is MFA?: A brief explanation.
      • Types of Factors: Something you know, something you have, and something you are.
      • Implementation: How to roll out MFA in an organization.
      • Benefits and Drawbacks: Discuss the increased security but also the potential user friction.

 

Single Sign-On (SSO) and Federated Identity

      • Concept of SSO: Explain how SSO works and its benefits.
      • Federated Identity: Discuss the extension of SSO across enterprises.
      • Security Implications: The risks and how to mitigate them.
      • Use Cases: Industries or sectors where SSO and Federated Identity are particularly useful.

 

Regulatory Compliance

Overview of Regulatory Landscape

      • Global Regulations: Mention that laws and regulations can vary by country and industry.
      • Data Privacy Laws: Introduction to GDPR in the EU, CCPA in California, and others.

 

Specific Regulations Affecting Identification and Authentication

      • GDPR: Requirements for user consent and data minimization in identification processes.
      • HIPAA: Strict access controls required for healthcare information.
      • PCI DSS: Mandates for secure authentication methods in the payment card industry.

 

Compliance Audits

      • Internal vs. External Audits: Differences and why both are crucial.
      • Audit Frequency: Recommendation for how often audits should be conducted.
      • Record-Keeping: Importance of maintaining compliance records for potential audits.

 

Penalties and Legal Consequences

      • Financial Penalties: Discuss the scale of fines that non-compliance can bring.
      • Reputational Damage: The long-term damage to a brand due to non-compliance.

 

Future Trends

Biometrics

      • Types of Biometric Identification: Facial recognition, fingerprinting, iris scans, and voice recognition.
      • Security vs. Privacy: Debate around the high-security but potential privacy invasiveness.

Blockchain in Identification

      • Decentralized Identity: How blockchain can provide user-centric identity management.
      • Security Advantages: Blockchain's resistance to tampering.
      • Implementation Challenges: Complexity, resource-intensive nature, and lack of widespread understanding.

 

AI and Machine Learning

      • Behavioral Analytics: Using machine learning to monitor user behavior and detect anomalies.
      • Predictive Identification: AI algorithms that can predict unauthorized access attempts.
      • Ethical Considerations: Discuss potential bias in AI algorithms and data privacy concerns.
      • Examples:
        • Risk-Based Authentication
          • Dynamic Adjustment: AI algorithms assess the risk level of an access request based on various factors (location, device, etc.) and adjust authentication requirements accordingly.
          • Anomaly Detection: Machine learning models trained on historical data to recognize unusual access patterns or behaviors.
        • Behavioral Biometrics
          • Keystroke Dynamics: ML algorithms analyze the unique way a user types to provide an additional layer of authentication.
          • Gait Analysis: AI systems that can identify individuals based on how they walk, using sensors in smartphones.
        • Adaptive Multi-Factor Authentication (MFA)
          • Smart MFA: AI determines the best combination of MFA methods based on real-time risk assessment.
          • User Behavior: Machine learning models that adapt over time to a user's typical authentication methods.
        • Social Media Analytics for Identity Verification
          • Data Aggregation: AI algorithms gather and analyze publicly available social media data to verify identities.
          • Consistency Check: Algorithms look for inconsistencies in online profiles to flag potential identity fraud.
        • Natural Language Processing for Chatbot Security
          • Voice Recognition: Advanced voice recognition algorithms for secure authentication in customer service chatbots.
          • Semantic Analysis: NLP techniques to understand user intent and provide an extra layer of verification.
        • Facial Recognition Enhancements
          • Liveness Detection: AI algorithms designed to determine if a face presented is a live human or a photograph/video.
          • Emotion Analysis: Some systems are exploring reading facial emotions as an additional verification layer.
        • Phishing Detection
          • Email Analysis: Machine learning algorithms scan emails and attachments to detect phishing attempts that may compromise login credentials.
          • Real-time Alerts: Immediate notifications sent to users if suspicious activity is detected, asking for additional verification.
        • Geofencing and Location-based Security
          • Location Anomaly Detection: AI identifies when access requests are made from unusual geographic locations.
          • Dynamic Policies: Machine learning algorithms adjust security policies based on geolocation data.
        • Credential Stuffing Prevention
          • Pattern Recognition: Algorithms detect patterns consistent with automated bots attempting to breach accounts using stolen credentials.
          • Rate Limiting: ML models identify suspicious rapid login attempts and enforce rate limiting dynamically.
        • IoT Device Authentication
          • Anomaly Detection for Devices: ML algorithms track normal behavior for IoT devices and flag unusual activities, asking for re-authentication.
          • Device Trustworthiness Score: AI assigns a trust score to each IoT device based on its security posture and past behavior.
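The risk-based authentication, location anomaly and credential-stuffing bullets above describe scoring and rate limiting only in the abstract. The following is an added Python example (my own, not code from the podcast or CISSP Cyber Training) that scores a login against a user's baseline to pick allow / step-up MFA / deny, and flags a burst of failures from one IP across many usernames as a stuffing pattern. The weights, thresholds, field names and sample events are constructed assumptions.

```python
"""Adaptive authentication scorer plus credential-stuffing detector.

Added example, not from the podcast. All weights, thresholds, field names and
the sample events in run_demo() are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    """One authentication attempt, as an identity provider might log it (assumed fields)."""
    ts: datetime
    user: str
    ip: str
    device_id: str
    country: str
    success: bool


@dataclass
class UserProfile:
    """Baseline learned from a user's past successful logins."""
    known_devices: Set[str]
    usual_countries: Set[str]
    last_country: str
    last_seen: datetime


def risk_score(event: LoginEvent, profile: UserProfile) -> Tuple[int, List[str]]:
    """Score an access request against the user's baseline (0 = matches history)."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 40
        reasons.append("new_device")
    if event.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual_country")
    # Two different countries within an hour of each other is not plausible travel.
    if (event.country != profile.last_country
            and event.ts - profile.last_seen < timedelta(hours=1)):
        score += 50
        reasons.append("impossible_travel")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an authentication requirement (assumed thresholds)."""
    if score >= 80:
        return "deny"
    if score >= 30:
        return "step_up_mfa"  # require a second factor rather than rejecting outright
    return "allow"


class StuffingDetector:
    """Sliding-window failure counter keyed by source IP.

    Many failures from one IP spread over many distinct usernames is the pattern of
    replayed stolen credentials, as opposed to one user mistyping a password.
    """

    def __init__(self, window: timedelta = timedelta(minutes=5),
                 max_failures: int = 10, min_distinct_users: int = 5) -> None:
        self.window = window
        self.max_failures = max_failures
        self.min_distinct_users = min_distinct_users
        self.failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def observe(self, event: LoginEvent) -> Optional[str]:
        """Record a failure; return 'rate_limit' once the IP crosses both thresholds."""
        if event.success:
            return None
        q = self.failures[event.ip]
        q.append((event.ts, event.user))
        while q and event.ts - q[0][0] > self.window:  # expire failures outside the window
            q.popleft()
        distinct_users = {user for _, user in q}
        if len(q) >= self.max_failures and len(distinct_users) >= self.min_distinct_users:
            return "rate_limit"
        return None


def run_demo() -> Dict[str, object]:
    """Constructed sample: one legitimate user's logins and one stuffing burst."""
    t0 = datetime(2023, 9, 26, 9, 0, 0)
    alice = UserProfile({"laptop-1"}, {"US"}, "US", t0)
    # Known device, usual country, two hours later: no extra friction.
    ok = decide(risk_score(LoginEvent(t0 + timedelta(hours=2), "alice", "198.51.100.7",
                                      "laptop-1", "US", True), alice)[0])
    # Known device from a new country two days later: ask for a second factor.
    travel = decide(risk_score(LoginEvent(t0 + timedelta(days=2), "alice", "203.0.113.5",
                                          "laptop-1", "DE", True), alice)[0])
    # New phone abroad 20 minutes after a US login: new device + unusual country + travel.
    deny = decide(risk_score(LoginEvent(t0 + timedelta(minutes=20), "alice", "203.0.113.9",
                                        "phone-9", "RO", True), alice)[0])
    det = StuffingDetector()
    verdicts = [det.observe(LoginEvent(t0 + timedelta(seconds=3 * i), f"user{i}",
                                       "192.0.2.44", "bot", "US", False))
                for i in range(12)]
    return {"ok": ok, "step_up_case": travel, "deny_case": deny,
            "first_alert_at_attempt": verdicts.index("rate_limit") + 1}
```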

Transcript:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a great day today. Today is the day that we're going to be talking about domain five and we talk about identity and access management as it relates to the CISSP exam. But before we do, we are going to get into a couple of little nuances that occurred recently in the news that I think are probably appropriate to discuss. Obviously, if you're in the United States, you're probably aware of this, and if you're around the world, you probably are as well, but there were a couple of breaches recently, or incidents, I should say, that occurred with Caesar's Palace in the state of Las Vegas, Nevada, or the city of Las Vegas, Nevada, as well as now MGM casinos that are in that location as well. But I guess I was just going to talk real quickly about Caesar's and what I've heard about the MGM hack, and you think about it. It's like any other hack out there, right? Therefore, it's like Ocean's Eleven, where people hack into these systems and take money or whatever they're doing with it. Well, in the case of this, this is a ransomware attack that seems to have been perpetrated, at least from a Caesar's standpoint, by an outside third-party vendor that was able to get social engineered into their network, and it's interesting how this has turned out and the ransomware attack that did occur. It seems like Caesar's has paid the ransom as of the time of this podcast, and I know MGM was still on the fence deciding what they were going to do.
But just the note that I have here from Infosecurity, that right now Caesar's is about a $3 billion company, and so you're talking a lot of money. And, if you all haven't been aware, basically a ransomware event took their network, and in the process of taking their network, it did have access to their rooms. It had access to different types of personal data. It's one of those situations where there was a network that supports the overall Caesar's environment and it more or less took that down, but because of that, they also took down slot machines in that environment. They weren't able to get access to ATMs, so it brought their business to a standstill, and this is one of the things I have brought up time and again to senior leaders around the country and the folks that I deal with on a routine basis. It's not like the old days where you have an opportunity to just say, you know what, it probably won't happen to me. It's highly likely you will get hit at some point in time, and so it's very imperative that you do have a solid DRM, which is your disaster recovery and business continuity plan, set up for your company. It is not something you can mess around with and delay. You do need to have that, because even if you have that in place, there's no guarantee that something like this happens. You still will be down for a period of time. So it sounds like right now Caesar's has paid $15 million to the extortionists to prevent the data from going public. So I mean, you're talking a lot of money. That's one of the higher ransomware payments that I have seen, and the attackers pretty much knew what they had, so therefore they wanted top dollar for it. But the problem is that 15 million is just the beginning, because they're going to have to go through, ideally. I don't know if they're going to do this or not. This is me just making some suppositions, that they're going to have to go through and reinstall or redo a lot of these systems.
I mean completely gut them, like throw them away, bare metal restores. They're going to have to do so. That is just Caesar's alone. That's not even the MGM properties. So this is very quickly going to get into, my guesstimate is probably $100 million or more that this is going to end up costing them. So you're talking a lot of money when your company makes $3 billion a year and you're talking 15 million was just given out in ransomware payments. That is a huge amount, because the margins that these guys make, as much as people may think that the casinos and other businesses have really high margins, basically meaning they're making 20, 30, 40% on their money, on their investment, that is not the case. Now, casinos could be different. I don't know, from not living in that environment, but I would say that, like any other business out there, if you're making 7 to 15% on every transaction, you're considering yourself good. In the case of these guys, you know, who knows? But if you're not making, say, you're making 10% on $3 billion, you know what is that? $30 million is 10%. I know it's probably more than that. It's probably 300 million. 300 million is 10%. So $300 million is your margin of what you make. Well, you just gave away 15 million of that to an attacker. So it's a big deal. It's a really, really big deal, and I highly recommend that, if you are in the security space, you get your CISSP done, because the opportunities are going to continue to grow. But you do need to make sure that, whatever company you go work for, you do a really good job of helping them with their business continuity and disaster recovery planning. Okay, in this podcast we're going to be getting into the management of identification and authentication, and that, which really goes into also the future trends which deal with blockchain. They also deal with AI and the various aspects that you'll have to manage when it comes to IoT.
But before we do, we're gonna first start off with an introduction around what is MFA, one is identification and so forth. So when we're dealing with identification, authentication, you need to understand it's one of the key factors in maintaining cybersecurity. It's a thing that we use a lot, I mean within an organization, and if you have a good identification and authentication strategy for your business, then it really does take a lot of the headache away from what you're trying to accomplish from a cybersecurity standpoint, where you don't have this. If you don't have a good, solid authentication mechanism in place, it can become very painful and very problematic. The reason I say that is this comes down to automation. If you have the automation in place and you have good providers, third-party providers that provide a version of SSO or a multi-factor within your company, you dramatically reduce the amount of time you have to spend maintaining a system that will ensure that people are authenticated and identified within your company, and rightfully so. You know, just because you have a company and you're working in this company, everybody has to be authenticated and identified before you go and can get access to certain systems. Well, if you're going to have that, if you're a security practitioner and you go to a company that has a solid third-party product in place that provides multi-factor authentication or integrates with an SSO type product, then you are in a situation where you can work on other things, such as, we just mentioned, the disaster recovery and business continuity planning. You could do that and work on that, whereas if you don't have a good situation where you have third parties that are doing your multi-factor or your SSO, you're now going to have to focus your efforts and time on something like this and, realistically, you need to be able to work both.
So it's really important that you have a good identification mechanism in your company, and it does play a significant role within the security of your overall organization. So now what you need to understand is, what is the difference between identification and authentication? Now, when you're dealing with identification, that is something that defines who you are. So that can be done through biometrics, can be done in different ways, but it defines who is Sean Gerber versus who is my alter ego, Enrique Gerber, right? So, if you all don't know, I have an alter ego. His name is Enrique Antonio Gerber. You probably are asking why. Well, real quick digression: my name is Sean, spelled shon, and guess what? Many people screw it up when they try to spell it and I just really don't like it. I'm not a big fan of it. So when I was flying airplanes, people used to call me Gerbs, but now that I don't fly anymore, nobody calls me that term, so I can't really call myself Gerbs, so I have to. When I meet people that I don't know, just to have a laugh, they ask, what's your name? And I say Enrique and they give me a really funny look. And then when I tell them my middle name is Antonio, they really look at me funny, because I'm a Hispanic man with an Italian middle name and I look really white. So yeah, that's quite funny, quite entertaining. But that being said, you got to have something that will define who you are, somebody from Sean versus Enrique, and this can be done, obviously, through. You've got passwords, biometrics, smart cards. All of those things are ways that you can help identify people. It also can deal with, you know, do you have a smart card? If you all don't know what a smart card is, it's basically, in the military we had a smart card that had a chip in it, and that chip, all it has is a certificate that would verify who you say you are. If I go into certain jobs, they will have, there's the HID systems, but there it's.
It's an NFC, near field communication, card reader and you put it up to a little beep beep and it will beep and let you in. You know, those are smart cards. Those are different types of ways to define who you are. And now, does that mean that when you're dealing with a smart card, that's something you have, that's something you hold in your hand. Therefore, that allows you a certain level of access, allows you to get into a building, allows you to open up a room. But then maybe there are situations where that's something that you know, such as your password. You know that you have a password and you are utilizing that password and that's giving you access as well. There could be another thing where something that you are as well, where you have your biometrics as related to your eyeballs, you know, those are pieces that might be, you look at a retina scanner that tells them who you are. You know your username. That's something that you know. You know, like my name is Sean Gerber, it could be sean.gerber at XYZ.com. All of those things are important for you to try to understand and be able to communicate with your leaders on how to authenticate yourself to different mechanisms within your company. So it's important that you do that. Now, also, when it comes to business critical pieces, when your aspects of identification, authentication, if you have a business critical process that's running, you want to ensure that you have proper identification and authentication around it. Now let's look at an example of a system that is sitting within the business network. You may have to get access to this system. You may have to go through a turnstile, and to get access to that turnstile you have to use a smart card. So you get through the smart card, through the turnstile, into your office, and then to get into your office itself, maybe you have to have another smart card that allows a beep beep which allows you into your office.
You now get into your office. That's a barrier of security. You now sit down at your computer. You have to have a username. That username has to be associated, in many cases, not always, but most cases, with a password. You have to know both of those, a username and the password. Now that gets you in and logged into the system. Let's say, for example, you have a web application that logs into a server that has a web portal front end that you need to know some level of a username and password for again, and you need to have a multi-factor authentication, which would be like an app that's on your phone, such as PingID, or Okta has those, or Google Authenticator, Microsoft Authenticator, they all have those type of authenticators. You then can log in with that authenticator and now you get access to the application. So you see, there's multiple layers of defense in depth that you have to go through just to get access to this application. So this is great and that's what you want to have. Now, where this gets bypassed is if you have VPNs and you allow people to log in from a VPN from their home. And now, yeah, I mean now, you still could have the multi-factor enabled, right, which is good, hopefully you have that, but you just bypassed a whole bunch of levels of security by adding that VPN. So then, when you do something along those lines, you have to make sure that you have a good authentication mechanism for your virtual private network, your VPNs, or you have to have some other software that does that for you. So again, it's very important that you understand all of these methods to get access to your environment.
Now we talk about what is MFA, what is multi-factor authentication, and basically what it comes down to is another factor that you have outside of your typical username and password to give you access to an environment, and it typically comes into different areas: something you have, something you know, something you are, and there's a new one that you'll see, that I've seen people talk about with the CISSP. It's something you do. Right now, that something you do isn't nearly as effective as something you are or have. But there is that fourth dimension that I've heard about, something that you actually accomplish, something you do. Now, what you want to do is you want to roll out your multi-factor authentication to your organization and, like I had mentioned earlier, this could be done through third parties, such as Ping Identity's one or Microsoft Authenticator. You want to have a third party that will provide this multi-factor authentication. It could also be done through a token system. I know in the past, RSA tokens were set up and you would have this little key fob, and then this fob, you would actually have, what do you call it? Let me, like little numbers that you'd have to enter these numbers into your computer, very similar to the same concept you have with a multi-factor token that's on your phone, such as Ping or Google Authenticator. It's important to have this because it now forces that, if anybody's trying to gain access to these systems, they are now out of band. They now have to be able to get access to your phone to be able to use it. Now they can social engineer you, which is many of the attacks we talk about. As a cybersecurity professional, there are ways they can social engineer you into giving that information to them, but at the end of the day, you need to be able to roll this out to your organization now.
Single sign-on, what this is also called, what they call federated identity, and how this basically works is that you have one username, one password that you log into, and you enter that single sign-on and it then provides the credentials, basically the tokens, to allow you access to the various pieces within your organization. So if you have an application that is tied into SSO, I now have to just remember one username and one password, whereas if you don't have SSO integrated into your applications, you have to remember multiple usernames and multiple passwords. And for that to happen, when you have multiple of anything, what happens? Well, many times, people will then reuse those, and so if you're dealing with a bunch of employees that are trying to, you're providing them a service. If you do not provide them some level of SSO, they will reuse their usernames and passwords multiple times and, in many cases, their passwords will be very simple. So, if a hacker were to compromise one set of credentials, what is he or she going to do? They will compromise another set just because of the fact of password reuse and username reuse. So it's important to have some level of SSO through your organization, and the overall risk it helps mitigate is the fact that you don't have all these extra usernames and passwords that are being reused sitting out there on the web. Now, if you go to, Troy Hunt has got Have I Been Pwned, a really good place for you to be able to pull up and find out if your accounts, if your usernames and passwords, have been compromised. I will tell you that my wife, I love her to death, more than you can ever imagine. However, she loves to use the same username and password, so I have gone through.
When I see she adds them to our password vault, I go in and change those, and she isn't really happy with me, but the point comes into is you don't want those usernames and passwords to be reused, just because the fact is, you compromise one, you compromise many. Okay, so now we're going to talk about some regulatory compliance as it relates to multi-factor authentication and the aspects that go along with that. So, as you all know, regulatory requirements are happening at a breakneck speed. Now I say that, but they're breakneck, not like you're running in the Olympics, but they're breakneck when you're dealing with the overall laws that are out there, just because there's so much that's changing and the law is in place. The large regulatory and compliance requirements have been out there for a while, but what they do is they make tweaks to them, they make additions to them. So there's various global regulations that you're seeing, and there's also various data privacy laws that are coming out, both from the EU. There's the CCPA, which deals with California. There's also the China data privacy laws. There's lots of different data privacy laws that are coming on the books to protect their citizens. That's what countries do. When you're dealing with GDPR, we've talked about, through the CISSP Cyber Training, that the ultimate goal of GDPR is to provide user consent and data minimization, so you want to have some level of data anonymization, data minimization. There's different aspects that go into GDPR, such as data privacy impact assessments, so there's lots of nuances that go to the GDPR piece. Then, from a United States standpoint, there's HIPAA. These are access controls around healthcare information, and then you have PCI DSS, which affects many countries that accept credit cards, so this would be your Payment Card Industry Data Security Standard.
Now Caesar's and MGM are going to fall directly in the face of these PCI DSS standards, and for them to be hacked, it's highly likely that maybe something was compromised as it relates to how they followed the PCI DSS standards. So more to follow with that, and I anticipate it could potentially affect them dramatically. Basically, PCI DSS states that if you were to do things fraught in a way that would cause them to lose credit card information and or cash, they do reserve the right to basically turn off any access to credit cards. So it could be a huge hit. So they're going to end up paying. Caesar's has just paid 15 million to the ransom people. They're probably going to pay a monster fine to the credit card industry, just because they want to keep credit cards rolling into Caesar's, because they need people to bet money. So it's important that you have to do this. You need to have compliance audits as well. So we got internal and external audits, and the difference between, obviously, those are: the internal audits are usually done by folks within your organization. They can be done by people within your security team. They also can be done and accomplished by folks within compliance or your audit organization. At the end of the day, if you're going to do an internal audit, real quickly, you probably should get somebody that's outside your organization, that understands it to a point to be able to ask the right questions but is not in your overall chain of command or basically knows where all the dead bodies live, because the purpose is that you want someone from the outside to take a look at what you do, to find gaps and to find holes that you typically, one, maybe are hiding, which we don't want, or two, aren't even aware of. There's external audits. You'll go with third parties that will help you with these external audits, and I deal with these folks on a routine basis.
At least once a year I have an external auditor come in and deal with different auditing for my company, and I work with them directly on security matters. That's what you would do. You would deal with security audits, you would work directly with these folks and help them, provide them the information they need to help do a solid and legitimate audit. Now the external audits, they could be done by very competent and very expensive people such as Grant Thornton, Deloitte. Lots of different third parties can do audits. You will pay a significant amount of money for that. If you can get smaller audits, depending upon what you're needing to get audited for, they may be more niche and they may be just a set of contractors that can help you, but at the end of the day, somebody from the external side is going to cost you some money. Now, the audit frequency will be dependent upon what other requirements are tied to it. You may have a situation where your audit company comes out once a year and they will then audit how your authentication mechanisms are in place. They may come out once every six months, depending upon the industry that you are in. It's important also, when you're dealing with the audits, of maintaining and making your records for this. Now, what this comes out to is, when you're dealing with authentication, you may need to maintain your authentication logs for a period of time, and it's important that you work with your IT folks to come up with a good strategy and your audit folks to know what they're looking for. So, as an example, the audit team may say, do you have logs? And you have, say you have the logs for your authentication and for anybody that logs into your system, but what ends up happening is, say you only keep them for seven days.
Well, if an event happens or an incident occurs, if you only keep them for seven days, odds are highly likely that you will not know how they got into your organization. So you'll need to work with the auditors. Say you come up with a plan, I'm gonna keep this for, say, three months. You're gonna want to then express that to the auditors, and then they're gonna probably want to look at what you have kept to make sure that if you say you keep logs for 90 days, they're gonna verify that you keep logs for 90 days. So it's important that you bring them into the overall fray as you're talking about this, and they're gonna want to look at all of those different aspects of your company. So I already kind of talked about the penalties and the legal consequences that can come to this. But bottom line is this: just use MGM as an example, and Caesar's, they're gonna pay a lot. Just the 15 million that Caesar's paid is just the tip of the iceberg. They're gonna pay all kinds of damages. It's highly likely they're gonna end up going to court. They're gonna be paying money out of court costs, are gonna be paying arbitration expenses. They're gonna be paying all kinds of things. So this is gonna quickly expand. I'll use an example of Target. In the United States we have a supermarket, not supermarket, it's more like, it's like Walmart, but it's Target, and they were compromised by a third party, an industrial one, the HVAC system, and that third party, when it was all said and done, after I think the breach occurred, paying all the fines, reputational hit, the whole nine yards, it was a couple hundred million dollars is what it ended up costing them, if I'm not mistaken. So this is gonna be a humongous expense for Caesar's and for MGM, and the reputational damage I think is gonna be pretty substantial as well.
You know, how do you go and give your credit card to people, assuming that they're taking the adequate steps to maintain the protection of your credit card? Yeah, that's gonna take some time; it's gonna have some pain and suffering for a few people. So there are some things you're gonna have to work through, at least they're gonna have to work through, in regards to that. So let's talk about future trends of authentication and how that could potentially be a factor, especially as you're dealing with the security side of the house. So we talked about biometrics. Biometrics obviously deal with facial recognition, fingerprinting, iris scans and voice recognition. However, how is that going to work as we deal with the AI world? I will tell you that you can get online, and if someone can get enough of your voice, you can put it into these AI generators and it will generate your voice. I would say I've got enough podcasts out there right now that someone could come up and make a podcast just using my voice. That probably wouldn't be a good idea because people would fall asleep, but if you want to have something where maybe there's a commercial and you're trying to run with a person's voice in that commercial, you could use their voice and the AI will generate whatever you want them to do. So when you're dealing with voice recognition, that could be a very substantial thing you're gonna have to work through, especially as it relates to AI. So, as a security professional, you may want to ask yourself: do you want to use voice recognition for one of your mechanisms to validate who they potentially are? Another part comes into facial recognition, and we'll talk about that here in just a minute.
But if you have AI that can make faces of an individual that look somewhat like them, or maybe look just like them, right there you could end up in a situation where your facial recognition software may not be as efficient and effective. So, for folks that are providing these products and services to the general public, you, as a security professional, are going to have to ensure you do your due diligence around these, going, okay, will your software be able to detect AI-generated images? That'll be one of the questions you'd want to ask them, and then you'd want to have them demonstrate how it could do that. Another aspect, obviously, is voice recognition. Can it determine if it's someone's voice, and so forth? So it's important that you really understand, and this is why I say, in security, it's ever changing. There's no one out there that knows everything, and you, as a security practitioner, are going to have to be up on all these things. Now, does that mean you have to be an expert in them? No, but does that mean that you need to be able to converse and have a conversation based on the understanding of the foundational aspects of the technology? Yes, you are going to have to do that, and I will tell you that's probably one of my biggest challenges that I have. I struggle with it, especially being a really old guy like I am. You know, I've got my walker in the corner and I kind of have my geriatric calisthenics that I do. No, it's something that's a challenge, and it's a challenge no matter what your age, just to try to stay ahead of all of these different pieces. Now, another one is blockchain. How do you deal with the blockchain and identification? So, if you all haven't been looking at and understanding blockchain, right, that technology is taking bits and pieces of what you do, of the different information, and it's using this in a randomized type environment.
Well, if you can use the blockchain to help identify people in that format, that would be extremely valuable. The question is, when you talk to vendors, are they using the resources from multiple different sources, the resources from multiple systems, to put together the overall string to determine if it's you or not you? Those are important pieces that you're going to have to try to understand, and you're going to have to understand it as it relates to its resistance to potential tampering. So, when you're dealing with blockchain, right, you're dealing with multiple systems. I used to have a blockchain, what do you call it, a miner that I had in my basement that was running, right, and that miner would go and run for Bitcoin. It's using multiple resources to go and create whatever you want it to do, whether it's mining for different types of numbers that are going to be for creating this virtualized Bitcoin, or using that blockchain for other types of activities. You're going to have to understand how does that work. The second thing, when it comes to security around it, is that you want to understand blockchain because it is dispersed. In many cases it could be geographically dispersed, it could just be by system. It is very resistant to tampering. You'd have to have access to all of these systems and have access to the blockchain itself to be able to tamper with it. So you have to determine, when you're looking at the future trends, is that a technology that you want to integrate within your organization, with your company? I'll tell you that it's great, it's interesting, it's unique. I think there's definitely use cases for it. However, I don't know if it's really just there yet or if it ever will get there, but it's just kind of interesting to see how blockchain did.
It kind of got spurred up about four or five years ago; it had been out there obviously for a while before then, and now it's kind of got tapped down, especially with the generative AI aspects that are coming out. But again, it is complex, it's resource intensive, and it does lack a widespread understanding, which makes it a bit of a challenge. Now, as we get into AI and the machine learning piece of this, when you're dealing with AI and ML, obviously you want to have it monitor user behavior and detect anomalies. That would be one of the pieces that you'd want your machine learning capability to do, and again, it's to sort through all the gobs of information and be able to come up with a response that is what you're looking for specifically. Now, there's many different types of AI being used, and companies are trying to get on the AI bandwagon, especially from a security standpoint, because, as we all know, there is a massive shortage of security people. Well, if you can use AI to bridge that gap, that's a really valuable tool. But one thing you're going to have to understand when you utilize AI is, one, the tool that you're using, the language, the machine learning product: is that what's going to meet your need? How is it working in your environment? What are the different types of activity that it creates, what does it do? And then, are there any sort of privacy concerns that are associated with that piece of product that you're making? I was looking at an article just the other day about AI, and there was, I know right now, who is it, it's a repository, GitLab. GitLab has got out there where they feel that they have an AI to help you generate source code. They feel so confident that it will generate source code for you that they will go to bat for you if anybody sues you as it relates to infringement, right, copyright infringement.
So it's interesting to see where that's going. Well, they're building these AI algorithms into the different security tools to just help detect issues that they may have, and I'm seeing this now also in vulnerability scanners. They're putting some AI in it. Honestly, I don't know how that all completely works. I have a good understanding of how the generative AI piece of this works, but they're using these various models, they're creating this environment and they're pulling these feeds in to help it go. More or less, it's really an if-this-then-that type of thing, and it's working at light speed to be able to make that happen. Now, you have different types of authentication as it relates to AI, and I'll kind of break into a couple of those. So you have your risk-based authentication. This is where you have a dynamic AI, and these AI algorithms are used to assess the risk level of the access request. So basically, it's looking at where's the location, what is the device type, what are some other factors, you know, what is the time of day. All of those pieces can be fed into this AI to help reduce the risk of that person accessing this information. Then it also looks for any sort of discrepancies between those. So let's just say, for example, Sean always logs in at this time, at this date, he's always in this location, and so therefore it would make sense that Sean is logging in. But if Sean logs in at 2am from this location and he's logging in from a different country, then maybe that is not Sean. So it's important to understand that these machine learning models are looking at all these different aspects and these behaviors. Now, you have behavioral biometrics. These are where they get into keystroke dynamics. This is where your machine learning algorithms will look at different ways to understand how you are logging in.
So, for example, I don't know if you all saw in the news, there was a situation where they mentioned that ML could actually get your password based on you typing the keys on your keyboard. Same concept: it goes through enough permutations, it may figure that out. Now, it's going to have to have a microphone sitting by your keyboard for that to occur. But if, for some reason, the ML understands how you type in your keys, it can know that by how Sean does his certain typing of his "monkey butt" password. That's not my password, by the way. If he types in the password "monkey butt" and he does that in a certain way, it will know that that's the way Sean does it. So it's a different type of authentication just by how Sean will log in and enter "monkey butt" as a password. So, again, it can also detect, when you're dealing with other behavioral biometrics, how you walk, how you talk, how you use your phone. All of these things, these sensors, are watching all of this to determine, hey, are you actually Sean or are you the alter ego in RIK? And it's all designed for that. Now, when you have adaptive multi-factor, adaptive multi-factor is basically smart MFA, and it determines the best combination of multi-factor methods based on the real-time risk assessment that's going on, and it will learn what are the best authentication methods you should be using, based on the time and who you are and what your behavior is. I have never dealt with it. I saw this online and I was like, interesting, because I didn't even know that that was a capability. But that's what they're building out at this point, and you'll see more. With all of these, what you're going to see is they're all going to come to the market in various forms and formats and they're going to get implemented in various ways, but then the ones that really stick are the ones that are going to be adopted. The ones that don't will obviously go away, but you're going to have to understand them.
If somebody comes to you and asks a question around your social media identification, do you have a plan for that, and can you at least articulate that? And it's going to force you to go and read it, understand it, so that you can then, in turn, kind of come up with a point of view around it. Now, when you're dealing with social media analytics and identification, again, you've probably seen this. Facebook does a really good job of this, of looking at anything that's available on the social media to verify identities. You can get this through, obviously, Facebook and the other social media platforms. On Instagram, they have an SSO capability. So if you federate your identity where you log into Facebook, you use your Facebook credentials and it will verify. The validation of Sean on Facebook will then allow you to log into XYZ. But Facebook is also watching how you surf the web, so to verify that, okay, well, Sean's account got compromised, and Sean likes to go look at, I have no idea, people go, motorhomes. I like motorhomes, so Sean looks at motorhomes, but all of a sudden Sean's profile starts looking at crazy cat pictures that are hairless, that don't have any hair, and that doesn't seem right. So then it potentially could ask you, hey, is this you? Maybe we're flagging this as a potential compromise. So it's important: all these technologies are going to be getting more and more sophisticated because the hackers are constantly adjusting and moving as well. So it's important that you understand these pieces and these concepts. Now, natural language processing for chatbot security: when you're dealing with chatbots, you have advanced voice recognition algorithms that will look at secure authentication in these various customer chatbots, and they will look to understand what is the user's intent, to help you understand and add another layer of security.
The chatbots, I don't know if you know, like with my Cox, my cable company, right, I have Cox cable, they will ask you your username and authentication. The chatbot will then authenticate you to your account, but then it also asks for PIN numbers and starts asking for other pieces of information to help better authenticate you to your environment. And so those are pieces that you'll have to deal with. It's going to just go and enhance more through these chatbot types of security mechanisms. There's also facial recognition enhancements, right, we talked about that, and one of the key things is ensuring that your face is recognized, not your AI face, but your actual, no kidding face. I know Apple has put some level of AI built into your phone to ensure that you are the person you say you are. My wife and my daughter were able to actually bypass her phone a couple of times at the beginning because they both look very similar, and it allowed my daughter into my wife's phone. But now that has all changed. I know they've been adding more and more security mechanisms to help with that. Phishing detection: there's also machine learning algorithms that are out there to help you determine if there's email phishing. They scan emails, looking for and detecting any sort of attempt. Now I'm getting more and more of that spam stuff actually getting dumped into the spam filters because of this machine learning that's able to look through the emails and understand, is this a legitimate email or is this somebody trying to scam them? Again, this can get immediate notifications to your users if they have any sort of suspicious activity. So it's a really great tool for that. We talked about geofencing and location-based security, again based on your phone that's tracking you. And if it can base that on, hey, Sean, who carries his phone with him all the time, is in Wichita, Kansas, great, but why is Sean in Thailand?
That's not the case. Sean shouldn't be in Thailand. So therefore they will fence based on that. So there are various different pieces to this. One of the last two I'm going to kind of get into is credential stuffing prevention. This does help detect patterns consistent with automated bots that are trying to basically breach your accounts or compromise your accounts using stolen credentials. So if they go off to if-this-then-that and they see that your account's been compromised, and now they know they have a large subset of compromised credentials and they're trying to stuff those in there, they're more or less trying to run all of those against your account, then that would be a flag for the ML type activities, and they would say this is something that is not normal, and therefore they would flag your account and they would potentially lock it out as well. So again, the ML is designed to help really get rid of all of those pieces that a human was doing in the past but doing very inefficiently. That's where the machine learning will come into play. The last one is dealing with IoT device authentication. This is something that, as we've talked about with CISSP Cyber Training numerous times, when you get into the process side and you get into IoT, there are numerous ways to authenticate these systems, and many times they are not authenticated well at all because there's just so many of them, and when you get lots of sensors, it's really hard to authenticate to these various systems. So what ML will do is it will track normal behavior of these IoT devices and then flag any unusual activities and request reauthentication. So you could have that set up where your sensor is actually a temperature sensor and it is taking the temperature every day. All of a sudden this temperature sensor decides to start, I don't know, stealing data from something else or starts sending other data. That doesn't seem right.
This will actually request reauthentication, which more or less takes the system offline, which then forces a human to go out and look at the system to make sure it's correct. So again, it will also provide device trustworthiness. You can set a trust score based on the sensor itself, its posture and its past behavior. So there's a lot of different things you can do with authentication as it relates to the future trends that are coming down with AI and ML. All right, that's all I have for today. I hope you all have a wonderful day and you all enjoy your security studying. Hopefully you're all doing wonderfully well on that and you're studying hard. Go to CISSPcybertraining.com and you can go ahead and check out my website, and you can see where there's a lot of great stuff out there. Some of my students have mentioned time and again that they really like the blueprint and how helpful that is on their studying path. They will also go through the videos, and all the audio content is out there and available for them as well, along with hundreds, I think I'm getting close to about a thousand, CISSP questions that are available for you just as part of CISSP Cyber Training. Again, the ultimate goal is giving you the information you need to be successful so you can pass the CISSP the first time. All right, have a wonderful day and we will catch you on the flip side. See ya.
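The risk-based authentication and adaptive MFA decision described in the episode (location, device type, time of day, with "Sean at 2am from another country" as the anomaly), plus the credential stuffing check (one source running stolen credentials against many accounts), as an added Python example that is not from the podcast or from any vendor product. The user "sean", his baseline, the signal weights, the thresholds and the log entries are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Baseline:
    """Normal for one user, learned from past successful logins (constructed here)."""
    countries: set
    devices: set
    hours: range  # usual login hours, local time 0-23

@dataclass
class LoginEvent:
    user: str
    country: str
    device: str
    hour: int
    success: bool
    src_ip: str

# Constructed baseline for the transcript's "Sean": always the US, one laptop, daytime.
BASELINES = {"sean": Baseline({"US"}, {"laptop-7f3a"}, range(7, 19))}
# Hand-picked illustrative weights and thresholds, not taken from any product.
W_NEW_COUNTRY, W_NEW_DEVICE, W_OFF_HOURS = 50, 30, 20
BLOCK_AT, STEP_UP_AT = 70, 20

def risk_score(event, baseline):
    """Sum the signals the speaker lists: location, device type, time of day."""
    score = 0
    if event.country not in baseline.countries:
        score += W_NEW_COUNTRY
    if event.device not in baseline.devices:
        score += W_NEW_DEVICE
    if event.hour not in baseline.hours:
        score += W_OFF_HOURS
    return score

def decide(event, baselines=BASELINES):
    """Adaptive-MFA decision: ALLOW, STEP_UP (demand another factor) or BLOCK."""
    baseline = baselines.get(event.user)
    if baseline is None:
        return "STEP_UP"  # no history to compare against: always challenge
    score = risk_score(event, baseline)
    if score >= BLOCK_AT:
        return "BLOCK"
    if score >= STEP_UP_AT:
        return "STEP_UP"
    return "ALLOW"

def stuffing_sources(events, min_users=5):
    """Credential stuffing: one source IP failing logins across many different usernames."""
    failed_users = defaultdict(set)
    for e in events:
        if not e.success:
            failed_users[e.src_ip].add(e.user)
    return {ip for ip, users in failed_users.items() if len(users) >= min_users}

# Constructed sample log: Sean's normal day, "Sean" at 2am from Thailand, one ordinary
# typo, and a bot at documentation address 198.51.100.7 spraying stolen credentials.
SAMPLE_EVENTS = [
    LoginEvent("sean", "US", "laptop-7f3a", 10, True, "203.0.113.10"),
    LoginEvent("sean", "TH", "laptop-7f3a", 2, True, "203.0.113.99"),
    LoginEvent("sean", "US", "laptop-7f3a", 11, False, "203.0.113.10"),
] + [LoginEvent(u, "US", "curl", 3, False, "198.51.100.7")
     for u in ("sean", "amy", "bob", "cat", "dan", "eve")]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS[:2]:
        print(e.user, e.country, f"{e.hour:02d}:00", "->", decide(e))
    print("credential stuffing sources:", stuffing_sources(SAMPLE_EVENTS))
```

A new country alone only forces a step-up; it is the combination of new country and off-hours login that reaches the block threshold, which is the "2am from a different country" case in the episode.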

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
