CCT 158: Assess the Effectiveness of Software Security (CISSP Domain 8.3)
Jul 15, 2024
Ever wondered how a data breach could impact cloud security, or what measures you need to take to secure sensitive information? Join us in this episode of the CISSP Cyber Training Podcast as we break down the recent AT&T data breach and its implications on cloud environments like AWS and Snowflake. Discover how attackers gained access to critical phone records and network topology, and why staying up-to-date with cloud security is more critical than ever.
We also cover the intricacies of multi-level database security and concurrency fundamentals. Learn why separating data with varied classification levels—like top secret and secret—is essential for preventing unauthorized access and ensuring data integrity. We dive into the challenges of non-greenfield environments, offering practical migration and separation strategies. We also shed light on the benefits of NoSQL databases and how they compare to traditional SQL systems, focusing on their advantages for faster queries and simpler design.
Finally, we turn our attention to best practices for data management and risk mitigation. Explore the three major classes of NoSQL databases: key-value stores, document stores, and graph databases, and understand their unique advantages. We'll guide you through setting up robust logging and monitoring systems, and stress the importance of tamper-proofing logs and defining retention periods. Additionally, we discuss the vital role of stakeholder involvement in risk management and provide actionable strategies for identifying critical assets and mitigating risks effectively. Plus, learn how your participation in our cyber training supports the philanthropic mission of the Adoptus Foundation, helping families afford adoption. Join us for this informative episode packed with insights to elevate your cybersecurity expertise.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.
Speaker 2:
Good morning everybody. This is Sean Gerber with CISSP Cyber Training. Hope you all are having a wonderful day today. Today we're going to be talking about Domain 8.3, whereas we're moving down the domains and the various domains of the CISSP, today is 8.3. So this week we're going to be getting into Domain 8. It's wonderful news.
Speaker 2:
But before we get started, I kind of wanted to talk about this AT&T data breach, and I know we talked last time about another data breach and it seems like data breach du jour, which is something that normally typically happens. It seems like, from the overall standpoint, everybody's getting hacked. But, that being said, AT&T's phone records were recently hacked, and I saw it in the article. At first, when I saw this, I was like meh, okay, I mean it's like everybody else is getting hacked, right. But there were some interesting parts of this that I thought were very telling that we need to really keep in mind, especially as you're dealing with the cloud environment that you may have within your network as well. But what they announced is that from April 14th through April 25th, they had a hack that occurred and these attackers were able to gain access to a significant amount of information within AT&T, and so they're working with law enforcement at this point, obviously, to get this squared away. But this gentleman by the name of Jake Williams, who's R&D at cybersecurity consultancy Hunter Strategy, said yeah, this is really bad. Well, I didn't really understand what he meant by that. Is that somebody just trying to get their name on the news, or what exactly is that? Well, an interesting part about this was that they had access to their Snowflake accounts, and if you're not familiar with Snowflake, it's basically an online repository that is in Amazon AWS and it's where data is stored. Well, their Snowflake account had been accessed by these individuals and basically their customer account credentials and all of that was in this Snowflake account, really basically around Ticketmaster, Santander Bank, and then they had LendingTree's QuoteWizard. So all of these records were stored within this Snowflake account that was tied to AT&T, so they did have access to that.
Also an interesting part is that it had the information on how the various phone records are set up, which then gives the attacker better knowledge of, overall, what does the network look like. So it gave them a real good way to help them understand the topology and therefore other ways to attack the network. So it had some site information indicators, just tower data, approximate cell phone locations and so forth.
Speaker 2:
Now, so one question you're asking about all this is it may be meh, okay, what does that mean? It means a lot from a standpoint of gaining information to do a premeditated attack within an environment. So if I know I'm going to attack X, if I have a good understanding of what is the location of where they live, what is the location of the data they have, what kind of information do they have in there that would be pertinent to the attack, if you can build up a dossier on how you would go about committing or completing the attack and you're able to gain this information, to use some of that information to do that, that is a pretty big deal. So it's that pre-registration, the pre I don't know how you want to call it research to basically figure out more about your target. We would do this a lot in the hacking world, where I would go out and I would actually gather as much information as I could on a target before I would actually launch an attack, just because it gave me SA or situational awareness to where is their most vulnerable locations.
Speaker 2:
So in this case here, whoever these people are, have an opportunity to get some really good information around AT&T's network, as well as, obviously, some ways to make some extra cash with the different accounts and so forth that they have access to. So is it somebody that was just doesn't even know what they have? Well, if they don't know what they have, they probably do now, but in reality it could be someone that's most likely a external partner, such as the Russians, potentially Chinese or Iranians, that may be trying to gain access to this data to utilize it for a future operation. So it's hard to really say, but I guess that's the one big thing that they wanted to kind of bring up is the fact that it is a super big gold mine for attackers looking to conduct phishing attacks, looking to understand what kind of attacks they could do against these structures in the future. It has a lot of potential.
Speaker 2:
So this is why I kind of hinted about this in the past and I've talked about it off and on that you all have a great opportunity as a cybersecurity professional to really help protect the world from chaos and pandemonium. Not that it already has enough of it in it already. But, that being said, it's also important that you get smart on various aspects within your environment, to include, obviously, AWS, Azure, Google Cloud Platform, all of these, to understand what could you do from a security standpoint to help protect those environments. Now, I also made this comment time and time again: you do not have to know everything about everything. Right, you're not going to have to know all of this information immediately, but what you have to have, what's the most important thing that you have to have within security, is a hunger to learn and a hunger to be able to go out and gather as much information about a topic as you possibly can, use your experiences with security and your background to then formulate a hypothesis or a conclusion on what you should best do to protect this environment. No person has best knowledge on everything, and if there's someone out there that has best knowledge on almost everything, yeah, they're amazing and they're incredible, but they're also a unicorn and they very rarely do exist. You don't have to know everything, but you need to pick something and be extremely smart about what you're picking and then also understand that you can create something for you for the future. It's huge, it's amazing.
Speaker 2:
So that's one thing I wanted to talk about with the AT&T phone records data breach that just recently hit the streets. You can go find this out on Wired. It's out in other places as well, but I pulled mine off of Wired. Okay, so this is domain 8.3 of the CISSP. So what we're doing here making some little changes to how we're getting this information out to you. A lot of this is going into the courseware that I have and it's available to you at CISSP Cyber Training, and so we're just kind of going through that, making some updates to it as we go, and it is exciting stuff. Okay.
Speaker 2:
So 8.3, this is to assess the effectiveness of software security. So with software security, you have auditing and logging of changes. This is a big factor. We're going to get a little bit into auditing and some best practices around that, and then we're going to go into some various pieces tied to it. So, again, pulling this information out of ISC Squared's book and then adding my experience to it, we're going to break this down into things that you need to be aware of when you're taking this study for the test.
Speaker 2:
So, multi-level database security. What does this actually mean? In this slide we'll talk about multi-level database security and concurrency. So multi-level database security contains information with different classification levels in it. Okay, so you need to strive to keep the data as separate as possible when you're dealing with classification levels, especially depending upon the model that you're using, but let's just use top secret and secret for an example. You would not want the same level of classification to be on the same database, in the same tables. Now, can they be in the same database? Yes, they can, but you've got to have substantial access controls around that to be able to protect against the co-mingling of data.
Speaker 2:
Now, in most cases, rather than deal with the issue of having that potential co-mingling, especially when you're dealing with classified data such as top secret and secret, many of them will have separate devices that are tied to separate networks. But can it be done? Yes, there's ways to work around it, I believe. But at the end of the day, you want to make sure that your data is separate and segregated from each other and there's no co-mingling that can occur. Now, if you take a step down and you go into something that maybe isn't quite so draconian and so separate, if you get into business confidential, confidential and then potentially unclassified or just open original, depending upon how you guys label your data, or open to the general public is another one. What you'll want to do, then, is ensure again that that data is separate, if you can do that. If you can't, then that's where the labeling is a big factor, and the classification levels will help segregate the data as well. Again, mixing of data classifications can cause issues.
Speaker 2:
Now I say that and this is coming from a greenfield. You'll hear the term greenfield. That basically means a brand new instance. When you're starting up something from the brand new, segregating them into one is unclassified. Let's use classified and unclassified as an example. If you use one as classified and one as unclassified, segregating them is a great thing and if you can do that, amazing. However, that is not reality in most cases. In most cases, you are not starting with a green field approach, which means it's brand new. You probably get dropped into an environment where there's tons of commingled data between classified and unclassified that you're going to have to separate. So you're going to have to make sure that you set the policies that they will be from the time that you start. We are separating it. Everything going forward is separated, and then you take the approach of going now we need to migrate things away from this commingled environment to a separate environment that are both unclassified and classified. So again, multi-level database security keep them separate as much as you possibly can.
Speaker 2:
Co-concurrency, I can't say that word, concurrency, that's it. See, big $10 word, I'm struggling. Concurrency is applied to a single or multi-level databases and what it does is it utilizes a lock allowing only one user to make changes. So what does that mean? So that means that in many databases, most databases, you can be accessing a record in a table and then somebody else can be accessing a record in another table. But when you deal with concurrency, it allows for only you, one person, to make changes within that table and that database at a time. Once the change is complete, then the unlock will occur. The problem with that is that it will slow things down substantially. It does limit the amount of people that have access to it, which is great, but it does slow down productivity. Because of that, you want to make sure that you have either multiple databases available for people or you have the ability for a small subset of people. Maybe this is just a database for a small section and therefore when somebody is accessing it, that's a small group of people. You're not going to be running into delays from somebody accessing the database, so that's where concurrency comes into play. Open Database Connectivity, ODBC.
Speaker 2:
Okay, so what this basically does is it acts as a proxy between applications and it allows these applications to interact with the various databases. Now, I've witnessed a lot of it being used within legacy applications, mainly within your critical infrastructure, within your manufacturing spaces. ODBC connections will operate that way, especially when you're dealing with databases that are a bit old and antiquated. ODBC works well, but that is a proxy. It acts as a proxy between the various applications connecting to a database.
Speaker 2:
NoSQL is no longer a relational type database, is what it basically means, and it's a tabular relationship. It's got simple design and allows for faster queries. NoSQL is also, when you deal with SQL, if you ever had to have that challenge in your life, you will know that the licensing structure around SQL databases can be very, very problematic, very, very expensive, and so therefore, the NoSQL works really well for operating from a SQL side of the base. So I mean that's the key question there. So there's MySQL, there's NoSQL, there's SQL, but again, the key thing to keep in mind about NoSQL is that it's no longer a relational type database, it's a tabular relationship, okay, and it's a much simpler design.
Speaker 2:
Now, when you're dealing with auditing and logging changes, it's important for you to understand these different types of connections. Why? Because if you understand the connections to your environment when the terms come up, what does ODBC mean? You then now know that you can go connect, you can understand the logs that are tied to the ODBC connections and you understand they're dealing with applications, same with NoSQL. It's a tabular relationship, so therefore the logs will be different than what you would see in a normal SQL database. But bottom line with all of this is to understand the differences.
Speaker 2:
Now, when you're dealing with NoSQL, there's three major classes. It's key-value, document store and graph. So the key-value is the simplest and non-trivial data model and this can be used with RAM and your software devices, basically your SSDs. So this, your software storage devices, this is a key-value store. That's one of the major classes. Then you have document store. This offers APIs, which is your automated application process interfaces, and these are allowed to receive or retrieve documents based on what the contents are. We've talked about APIs and they're tied to a tag or a meta tag which will allow you to retrieve information, and they're designed to be a standard type connection allowing for the data to be transferred in a standard format and a standard way. Graph is designed for data representations in a graph format and it's a public transportation link, such as roadmaps, network topologies. All of those are designed with a graph format in mind. We've used graph a lot with the different types of network designs and also with piping designs, with some of the manufacturing facilities as well. So in MySQL there's three major classes: key-value store, document store and graph.
Speaker 2:
Now let's get into audit and logging changes best practices. So some audit and logging changes best practices. So first off is the bullet you see there is log everything you can within reason. Right, you want to be able to capture as many logs as you possibly can. Now the key thing that you're going to run into with log capture is the cost. If you try to capture everything you can, it's going to cost a fortune. So you're going to need to work through what is the most important thing you possibly can, that will give you the information you need. Now, logging everything is a challenge, it really is, but the reason I put that bullet out there is that you should consider this when intersecting or understanding the logs within your environment. This is application access, configuration changes, all of those different pieces of this. It's important that you do remember this and you look for logs as much as you possibly can, but, again, based on the risk.
Speaker 2:
You need to understand tamper-proofing logs. So how can you tamper-proof your logs from someone coming in and making changes to those logs? That will end up happening, where an attacker sees what they've done, they go in, they modify the logs, and they do that so that you don't have a record to go back and try to figure out what they actually did. Now this comes down to storing logs in a central or secure location that would prevent unauthorized alteration. You would utilize a thing called WORM, which is write once, read many, and this is for storage, or cryptographic hashing, obviously, to help ensure the overall integrity of those logs.
Speaker 2:
You want to define a log retention period and this is also important when you're dealing with the cost of these logs. You need to define what your retention period is. You also need to have that in a policy somewhere and then from there, if you have a defined policy retention period, that helps with your overall investigation timelines, compliance needs and so forth. What I've seen in this case is that you'll have compliance logs, or logs will be set up for, I'm just going to use an example, your firewalls, set for 14 days. You have logs set up for your applications. They're set for two days. You have logs set up for something else, so that's five days, and the problem is compliance may have a requirement around how long you need to keep these logs for.
Speaker 2:
You also need to know that if it's consistent, if you can consistently keep the same number of logs, then it makes your job easier, because when you go for an investigation and you realize, well, this one only has five days of logs and this one has 35 days of logs, it can change things. So you need to really define your log retention periods. You also need to understand user accountability, so implement strong user authentication and authorization controls with these logs as well. So these logs should record the user, who's made the change, the time and what was specifically modified, and they need to be to the point where, if they are being modified, there is that paper trail that follows that along. You need to have log monitoring and alerting, which is continuously monitoring the logs for suspicious activity. You set up alerts for any unauthorized access and that are changes to outside the baseline parameters or other anomalies, and so one example you may have like this is a company will implement a centralized logging system that captures all user activity on its web apps, so the log will record the user ID, timestamp, you name it, all of that stuff. These logs then are stored in a tamper-proof server for a year, right, and then from there they would be deleted after that. Now, if you deal with, potentially, with the legal hold situations, you may have to keep this data for a longer period of time. But, that being said, there are different ways you can set up your logging strategy to be effective for your organization.
Speaker 2:
Now we're going to get into risk analysis and mitigation. So in risk analysis and mitigation, you need to identify security risks within your development plan. You need to take time to complete the risk analysis of the software you're looking at. So if you're looking at various software within your environment, you need to try to have your folks do that. Understand what is the risk of this software being deployed. Is it reputational, financial or corporate theft risk that would be available to the adversary or someone insider that may want to take this information and use it for their own benefit? You then need to document the highest risk to your company. Now, if you're working with your developers, you and your developers will probably have the best knowledge around what you need to do as it relates to this overall data.
Speaker 2:
It's just important that you do understand this and these high risk items at first. You need to kind of try to go through what are they? So I'll give you an example Troy Hunt he's got the different website out there and I'm drawing a blank on it right now. Oh yeah, just go to Troy Hunt Okay, you've been pwned, I think it is, or something like that and hack your site. First, look at your information to see what has been compromised on your site.
Speaker 2:
Utilize documented risk items and verify with your various stakeholders, understanding the various risk items to your organization, and let the stakeholders, which is basically your senior leaders, know what the risks are within your organization. The risks would be within this, let's say, software that you've created. Develop a plan to remediate this from the highest risk items first and then document any risks that you plan on accepting. Now the thing is, what you may accept and your leadership may accept are two different things. So you need to understand what the risks are, you need to document those and then you need to formulate your plan on what you think they should accept from a risk standpoint. Then you need to bring that to your senior leaders and make sure they're aligned with the same thought process that you have around the risk to your organization, because in most cases the CISO or the senior leader for security does not have the decision rights to take on this level of risk. It's usually the CEO or the board that has those rights and responsibilities to take on that level of risk. You then document that accepted risk and then ensure everybody has best knowledge and you've communicated that to everyone.
Speaker 2:
Now you need to integrate this with a development methodology. So we talked about the methodology around the development life cycles. You had Agile, you've got spiral, you've got numerous other ones that are out there, but you need to incorporate this risk methodology into your development plans and you need to add it to your sprint cycle. So what needs to happen is, at the end of your two-week sprint, when you've gone through and done a code review of all this information, you need to also understand the risk that you're trying to mitigate from this code. Now, ideally, you would do that before the sprint begins and then at the end of the sprint, you would then evaluate the risk to your organization based on the amount of code that was developed and what tasks in that sprint were actually accomplished. So it's important that you do this at the beginning and at the end of each of your cycles. And again, it also helps ensure that your development team is connected with the remediation strategies associated with it as well.
Speaker 2:
Many may not be aware of the risk, and I've run into this time and again where my developers didn't truly understand the cybersecurity risks to the organization until they were well informed and we had gone over it with them as we walked through different scenarios on how the software could be leveraged by external resources. And again, it's all based on risk. If this code is designed for internal use only, and the external people will never see it, the risk goes down substantially. But, that being said, you also need to know that if it's really, hey, this is only internal code, no one else is going to gain access to it, but it is tied to your HSM, which is basically your security appliance, right? If it's tied to your HSM, that has all your certificates in it and it could open up the keys to Pandora's box for your organization.
Speaker 2:
Even though it is internal code, that could be a substantial risk to your organization. So therefore, you need to be able to understand and document that and you need to track and document the remediation process that's associated with it. So you need to plan for risk and communicate this to your stakeholders we talked about a little bit before. Is we understand the overall risk that you have and make sure that you have a plan to talk to the people that can make the decisions around this, because their stakeholders may or may not be connected to the risk. Odds are they're probably not connected and you're going to have to help them and educate them on how this works.
Speaker 2:
So therefore, I talk about I know many people that I've worked with that and I'm going to say it's like an old fart, an old codger that says, hey, you know what the generation today doesn't like talking to anybody. Well, I would say that's probably a little bit of truth, because sometimes I don't like to talk to people either. But you're going to have to learn to do that and you're going to have to be. You need to take time to try to be able to communicate well with senior leaders, especially if you want to have be as successful in the cybersecurity space. Whether it's an engineer, you're a security engineer, that's a senior security engineer, you're an architect, you're a director of security, you're a CISO, whatever that position is, senior auditor, it doesn't matter. You're going to have to communicate with people. So you're going to need to understand how to be able to relay this risk to those leaders so they understand what that is.
Speaker 2:
And the reason the stakeholders need to be connected with it is because the risk could be acceptable by them, which we kind of talked about earlier. So one use case that we have is security would recommend multi-factor for all users of a site or of a location. Now, the development team, they require complex password rotation and a variable history for that. So one of the things is, if you add multi-factor to this situation, the cost for adding this, both from an opportunity standpoint, which means doing it, as well as the capital itself, could be substantial and could be high. So no financial data is being shared in this situation, and so you know what, the stakeholders would go, you know what, we're just going to accept this risk. We don't see this as a problem. So therefore we're willing to accept the risk of going with no multi-factor.
Speaker 2:
So it's up to them to make the decision. It is not your decision to make. It depends on your organization. It may be your decision to make, but in most cases it would not be a decision you would make. You'd want to make sure the leadership was aligned with it. So you also want to track and document any acceptable risk scenarios. So anything that you come back to that your organization says, hey, this is acceptable risk and we're just going to deal with it. You want to make sure that you are documenting all of that so that they're aware it's been documented, they understand it. You have provided the documentation to them and then you have a time set up, specific, that you re-evaluate these acceptable risks.
Speaker 2:
Situations, times change, right, you may have accepted it for one year because of one situation that allowed you to do that, but then, over the course of a year, something else had changed. So then you may not want to accept that risk again. So you need to document these to make sure that you have this properly annotated and understood by everyone, Because I guarantee you what's going to happen is that something bad is going to happen and they'll go well. I thought we did X and you're going to go. No, you guys accepted the risk. Well, no, but, and then you're going to deal with that fun time. I'm speaking from that, from experience. So document it all, document everything. I mean it. I know it adds more pain to your life, but you just need to do it. Rinse and repeat Again, repeat the process with various agile sprints and then go through this entire process each and every time. Some sprints may require many updates, or some may not have any at all, but you may just need to understand what the overall plan is going to be as you go forward.
Speaker 2:
Now, as we're looking at risk analysis, there's some mitigation techniques that you need to deal with, and how do you handle those? So you need to identify critical assets Again, prioritize the most important systems, applications in your environment, and then you want to do everything you can and focus your efforts specifically on these high-risk assets. We talk about threat modeling, and that's something you should consider when you're looking at all of these assets. From what are the potential threats that could exploit vulnerabilities in this software? You need to do a threat modeling exercise against the various software that you're coming up with. Now you wouldn't do this modeling exercise against each and every one of your sprints, but you would do it from an overall standpoint. What could someone do if they gained access to this application? Complete vulnerability assessments, especially if the data is externally facing.
Speaker 2:
You'll want to make sure that you do regularly scan your software for any known vulnerabilities. You want to implement these mitigation strategies for your software depending upon the situation. So this could be access control, code reviews, secure coding practices, potentially an IDS system. But depending upon what your code has, let's say it's the code for self-driving cars, you may want to have that code in a very secure location so that, one, no one can tamper with it and, two, no one can steal it from an IP theft standpoint. So you want to understand the risk mitigation strategies around that. Patch management. You also want to develop and implement a process for timely deployment of patches and make sure that you have this in place and ready to go. Again, you want to really understand the risks associated with it. So we'll give one example. This is kind of an example we have around this topic is, during a risk assessment, a company identifies a high risk associated with unauthorized access to a customer database. Okay, so that would be bad. So mitigation strategies would include implementing strong access controls, requiring multi-factor authentication, as well as conducting regular penetration tests to identify and fix vulnerabilities. You also want to make sure you do vulnerability scans in there as well, depending upon where it is located. So again, you can see it's kind of compounding and building on that overall risk.
Speaker 2:
Okay, here are the resources for today's discussion and if you have any questions, head on out to CISSPcybertraining.com. Check out all the information we've got out there. Everything out there is amazing. I got a lot of free content, a lot of free content. The ultimate goal of this is to help you get past the CISSP the first time, and we're doing this from the paid standpoint.
Speaker 2:
Any purchases you make at CISSP Cyber Training, they all are going to our nonprofit for adoptive children. So, real quick, I've got four adopted kids, both from China and from Africa. My wife and I feel that very strongly that we need to give back in that regard, and all the funds that come forward for CISSP cyber training are all going to this Adoptus Foundation, which is going to provide funds for adoptive families that are in need, specifically to adopt children that they can't quite afford it, because we ran into that problem ourselves and it gets to be very expensive to adopt children. So the ultimate goal is that we want to give back and provide a service for people so that maybe we can help alleviate some of that stress that's in their life as they're trying to make a new life for families.
Speaker 2:
All right, go on out to CISSP Cyber Training, check it out. There'll be some new stuff also being released by our other website called Reduced Cyber Risk. So Reduced Cyber Risk podcast is for businesses and some of the security stuff that goes along with that. You'll be seeing that. More about that here soon. Again, I gotta. I only have so much time in a day and I'm trying to get as much done as I possibly can. All right, have a great day and we will catch you on the flip side, see ya.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!