CCT 180: Failing Securely, Separation of Duties, and System Resilience for the CISSP (Domain 3.5-8)

Sep 30, 2024

What if your organization's security posture could withstand any cyber threat? This episode of the CISSP Cyber Training Podcast promises to equip you with actionable insights from CISSP Domain 3, emphasizing the critical principle of failing securely. We tackle the intricacies of separation of duties, zero trust, and the benefits of maintaining simplicity in your systems. Plus, I share my firsthand experience with virtual CISO roles, providing a roadmap for hiring a security professional, from conducting gap assessments to understanding risk profiles and developing robust mitigation strategies.

Next, we dive deep into data security and management essentials. Discover why data classification and separation of duties are paramount in preventing fraud and protecting sensitive information. We'll cover the importance of data loss prevention measures, network segmentation, and change management to safeguard your systems from unauthorized modifications. Learn the significance of monitoring, logging, and process isolation techniques like virtualization and sandboxing to detect anomalies and limit the damage from breaches. And don't miss our discussion on capability-based security, application whitelisting, and the strategic application of these controls based on thorough gap assessments.

Lastly, we explore the facets of system resilience and security measures that ensure reliability. Understand the concept of graceful degradation and the pivotal role of error handling and logging in troubleshooting. We highlight the importance of redundancy, fault tolerance techniques, and the principle of security by design. Proper testing and auditing are emphasized to ensure systems fail securely, and we provide strategies for addressing both soft and hard failures. Additionally, the roles of job rotation, dual control, and mandatory vacations in error detection and risk management are examined, along with a comparison of on-premise versus cloud networks to help you maintain critical servers and applications. This episode is a treasure trove of practical knowledge to elevate your cybersecurity readiness.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:  

Hey all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautiful day today. Today is what? Today is the podcast where we go over various aspects of the CISSP as it relates to today's topic. It's going to be 3.1. So we are in domain three of the CISSP and we're going to be focusing on failing securely. We're going to be getting into separation of duties, zero trust, keeping it simple and so forth, but before we do, we are going to get into this.

Speaker 2:  

One little thing that actually happened to me this week that I think is really important for you all, if you're in the security space trying to figure out what you should do. I had a couple of engagements around a virtual CISO role, and one aspect that came up was understanding what it takes if you're looking to hire a virtual CISO, and so I thought this would kind of be good, because I know many of my audience are former or current IT folks that have been around for a little while and they are looking to increase their cybersecurity capabilities. Well, this is something that you may just be interested in, to understand if you are ever looking for a security leader for your organization or if you're trying to just maybe get a virtual CISO. But it's just something, a little piece, that would be valuable to you, especially as it relates to the CISSP as well. So they all kind of tie together, because we talk about that a lot. So what I want to just kind of go over real quick is an engagement.

Speaker 2:  

If you're looking to bring on a security professional to help your organization, what I would recommend is, one, obviously vet out who this person is. Do their credentials meet what they actually say they are? I will say over the years I have interviewed plenty of people for roles, a lot of them in development, where their resume says one thing, but when you start talking to them and digging deeper into their knowledge, it is a different story once you start to unravel a little of that. But you need to understand who they are. Obviously get recommendations, and if you can get them from, maybe if they're dealing with a consulting company, that would be good. Or if you're just looking for them online, make sure you validate who they specifically are and what their knowledge is. But outside of that, let's just talk about what is the way that you would want to do it.

Speaker 2:  

If you brought on a security professional, if you bring somebody on, if you're validating them, you'll want them to do what they call a gap assessment. What a gap assessment is, is the security person will come in and they're going to do an evaluation of your overall infrastructure: what security controls you have in place, what are the different types of processes you have in place, the policies and so forth. This gap assessment should take a period of time, anywhere from a month to, well, it can be probably two to three months, and I say that, it wouldn't take that long to do the physical assessment. But what it will do is that two to three month period is actually getting with people, interviewing them, understanding more about how their environment works and what are all some of the limitations and areas of concern that you may dig up. And it may deal with interviews with multiple people. It may be interviews with the same person, but you have to break it up into different chunks, to try to get to know the individual and also to get to know some of their environment and their network. So a gap assessment is really good.

Speaker 2:  

It's also important for you to meet with their leadership to understand what is the risk tolerance and what is their risk profile. What I mean by that is, are they a targeted company? Are they critical infrastructure? Are they a financial institution? And, based on that, then also, what is their tolerance for risk? Are they like, eh, I'm not worried about it, or, yeah, this is really bad? And it also will change over time.

Speaker 2:  

Some of the clients I met with this past week are at the beginning of their business journey. They were very risk tolerant. They actually didn't really care a whole lot, but then, as time went on and their organization grew, they made or had more money, they had more opportunities, their risk tolerance became less and less. And they also realized that as time goes on, that, you know what, more people, bad guys, are out there trying to catch them or trying to, you know, basically attack their companies. So understand that a gap assessment through risk tolerance and risk profile will be good. Then you want to provide a detailed report, and you want them to provide a detailed report to you, on what are the recommendations to their organization, and move down the path of that.

Speaker 2:  

Now, that's just the gap assessment. Once that is complete, then you would move on to your next couple of phases of your plan and what the security professional should do with you and your company, and the next phase would be to develop a strategy to mitigate, accept or transfer risks based on the overall business objectives. So again, as you understand the business through the gap assessment, you understand what are their pain points, you understand what is critical to them. You're going to want to come up with some way to help them understand the risk and then mitigate, accept or transfer that risk, and then come back with those recommendations. And if they take any of those, then you'll need to work on implementing this strategy for the organization. Now this becomes a different test, or a different task I should say. What will happen is, phase one, they may take your gap assessment and that's all they want, and that's great, and that's all they should need. If they have the people to go through and make that happen, great. Let them take that gap assessment and run with it. If they want you, or you want somebody else to do this for you, then you would want to figure out a strategy by which you would have them implement this for you and your company.

Speaker 2:  

And then the last thing is, I look at this from a virtual CISO standpoint. My ultimate goal is to help the customer reach their goals, their security goals, and by reaching that, that may be with me working with them on a retainer basis or full time or however they want to pay for it, but it also may be where I set their people up for success and you develop an overall strategy for that person. So a way to basically package it up, put it in a bundle and hand it back over to them once the engagement is over. So you're going to want to help understand the people, the processes and the tools and help them to reach their security objectives, and that may happen with you creating training programs. It may happen by you just helping, whenever they hire the person, walk them through step by step. And so the reason I'm telling you all this, as far as the CISSP goes, is.

Speaker 2:  

It's a really important factor, just because when you're dealing with looking at a security professional, whether it's a security leader for your organization or whether you're going to be the security leader for your organization, if you look at your company and you were to put it into these three specific phases, it's a really good way to at least try to break it down into bite-sized pieces. So, if you're going to be the CISO, phase one, do a gap assessment. Then from there, if you're going to be the CISO or the security leader, then figure out what is the strategy to mitigate, accept and transfer the risk. And then you want to implement that strategy. And I know it's very simple, but if you break it down into these three buckets, it's going to help you understand what you need to do first, and that you don't, just because it'll be overwhelming, there's so much, get lost in everything and then sit back and go, what did I accomplish over the next year? So, again, break it down into three phases: your risk tolerance, or you do a gap assessment on your risk tolerance and risk profile, provide a report to your senior leaders, no different. Phase two, you get to mitigate, accept or transfer your risks and then implement that strategy. And then phase three, you just focus on your people, your processes and your tools and figure out your long-term strategy and then implement it. If you do that, you know what? You're going to be in a really good spot.

Speaker 2:  

Okay, so one of the topics we're going to be talking about is bounds. Now, bounds refers to the limits or constraints that are imposed on a system to protect it from unauthorized access or malicious activity. So you put these in place to protect yourself, and a lot of times an EDR solution will have something like this as well, but they're designed to basically protect from unauthorized disclosure or modification. There are different types of aspects that will tie into the bounds, so we're just going to kind of go into a few of those. One is access control. So you want to implement strong access controls on those systems to put, basically, guardrails in place to keep an individual, or to keep the application, from staying within the context of what it's supposed to do. You can implement role-based access controls to grant users only access to the specific privileges they need to specifically do their job. So that's a part of putting in bounds for access controls.

Speaker 2:  

Another part of bounds would be within data classification, so you'd have separation, or not separation, you'd have classification of the data itself, which would help to ensure that there's security measures in place for the data and protecting it. Another one is separation of duties, which we'll talk about here in just a little bit, and that's to prevent fraud. For example, a separation of duties might be that one single person isn't allowed to send EDI transfers. That would be a separation of duties, and I would say it's really important as a security professional to implement some level of separation of duties within your organization, and it may be just in very small niche areas, but it's an important factor and it will pay off. I mean, just with my wife's business, I understand that separation of duties on who can collect money and who can't collect money will help you save yourself from money being stolen, which it does, unfortunately. Data loss prevention, again, putting in controls around the documents themselves, applications specifically, also looking at network traffic and so forth. So that's another piece of putting in some levels of bounds and protecting the data and those systems. Network segmentation will do that, and we talk about segmentation a lot in this podcast, and that's having one separate network that would be focused specifically on IoT, one network that would be focused on your overall IP or intellectual property. Data encryption, obviously, talking through making sure data at rest and in transit is protected.

Speaker 2:  

Change management. Change management is one that I think gets overlooked a lot, where you have to implement certain change processes before you can deploy something, and that change management process will do a lot to protect your organization, one, from accidental challenges, which still won't protect it completely, but it does limit some of the blast radius around it, and then also prevent some of the unauthorized changes that may occur due to security incidents as well. So that's where the change management piece kind of comes into play, where, you know, a document or a process that has to occur within your organization, those changes are submitted for approval and documented. I'm dealing with that right now with a company where every change I make I have to document it within email, and it also has to be put within, like, ServiceNow or some type of other service situation so that it's documented what has actually occurred. You also have to have a plan on how you're going to back all that out, but that's a different subject. Monitoring and logging, obviously, looking at anything that's going on within your environment. Your SIEM will help you with that. So you have specific criteria by which this application should operate, and outside of that specific criteria, then the SIEM will alert and make noise. Based on that, it'll light up. It depends on how you have this.

Speaker 2:  

Now, I would say that's a pretty master's level type of configuration that you would set within your organization. A lot of companies don't do that because it takes a lot of extra tweaking, but you wouldn't do that to your entire organization. You would do that in a very specific subset, just because it would be so hard and complicated. It would just make your life more painful. But in very niche or specific situations it could be very valuable. Now we're going to get into process isolation. Now this involves separating processes from each other to limit the potential damage that can be caused by a security breach, and this can be done in various different ways. You have virtualization, right. So if you virtualize your environments, it makes it very difficult for something potentially malicious to spread throughout your organization.

Speaker 2:  

The other part that kind of comes into play is from an IP protection standpoint. If, for some reason, I was in a country that I will not name, and someone would come in and steal the data, because it's virtualized you can shut off all those systems immediately and therefore limit some of that theft that could potentially occur. Sandboxing, this is where you run untrusted or suspicious code in a sandbox environment. A lot of times when data is coming into a company, I worked with a product a long time ago called FireEye and it did that same thing. Right, any data coming in would be exploded within the sandbox, or run within the sandbox, to look if there's any sort of malicious code built into it, and then, if it wasn't, it would allow it on. Now people got smart and they would put timers and all kinds of different things in the malicious code to try to get it by appliances such as this. But again, that's the sandboxing piece.

Speaker 2:  

Memory protection, these are various mechanisms to prevent processes from accessing each other's memory, and also ones that they are not authorized to use. So that would be specifically focused on the memory. Capability-based security, this is where you grant specific capabilities rather than granting unrestricted access to various resources. It limits the potential damage, again, caused by a specific compromise, and then it's granted the ability to read/write files in directories, again not to access other systems. So you basically have a situation where you're allowed to read and write in a certain directory, and then anything outside of that directory is not allowed to be accessed.

Speaker 2:  

Again, I'm talking about things that are very, very granular in process isolation. If you get into this level, you will not want to do this to your entire organization. You'll want to be very specific, and kind of like we talked about earlier with the gap assessment: by figuring out, from your gap assessment, where the areas are that are most important to your company, then you can focus these types of controls on those areas specifically. Application whitelisting is another one that is set up where only specific applications can work, and they prevent authorized applications from executing and potentially causing any sort of challenges. Again, the one great thing with whitelisting is it works really well. The challenge with that is, though, if you forget about it and if things change, you can be whitelisting applications that maybe you didn't want to.

Speaker 2:  

We talked about segmentation. Again, that's another way to get into process isolation, and then also DLP. So those, they all kind of, you can see they kind of work together when we're focused on these different areas.

Speaker 2:  

Now we'll get into mandatory and discretionary access controls. Mandatory access, we kind of talked about this on various podcasts that we've had throughout CISSP Cyber Training, but a mandatory access control is one that restricts access to resources based on the security labels we have defined in them, and we've talked about that numerous times throughout the podcast and throughout the course, where those labels are assigned to both users and objects. Now, the characteristics around this are that you would have some level of centralized enforcement. Your MAC is typically enforced by a central authority, so that would be, such as, a security kernel or a security server. This can have mandatory rules that you have to deal with, and then they also may have the specific security labels tied to the users and, as we've mentioned, objects. What are the objects? Those are different. They could be the computers, they could be the data itself, and these labels are to indicate the overall security level of the data itself. Now, the security implications around this are that it allows you to have some very granular control.

Speaker 2:  

Your MACs can provide fine-grained control over access to resources. The complexity of this, though, is that MACs can be very complex to implement and they can be very challenging doing so, especially when you're dealing with a large company. And when you're dealing with a mandatory access control, they do limit your flexibility for you to be very agile and to pivot. I would highly recommend that, if you're going to use mandatory access controls within your organization, you use them in a very narrow area, specifically around, maybe, engineering, maybe in specific intellectual property areas. That would be a good place for mandatory access controls.

Speaker 2:  

Now you get to discretionary access controls. This is a model that allows users to gain access to resources based on their discretion. So, like the title says, it's discretionary, and this means you can deny or grant access to people within your organization. This works well. Obviously, SharePoint's a good example of how you can have discretionary access controls, because the owner may allow everybody access to a certain folder, and that would be more discretionary. The challenge with it, obviously, as we'll get into, is it can lead to some security challenges because now too many people have access to things. Now it's got decentralized enforcement, so it's typically enforced by the individuals or the systems.

Speaker 2:  

As we've talked about, it is based on user discretion. Well, I like Bill, so I'm going to get Bill access to my SharePoint site. Yeah, no, that's probably not a good idea, and so something to consider. I mean, we've had a situation multiple times, especially when you're doing SharePoint and SharePoint Online, where owners of that will go, well, hey, I'm working with Bill from company X, I'm going to give them access. SharePoint Online, unless your company has very specific criteria around it, will allow outside entities access into your SharePoint environment. Teams is another good example.

Speaker 2:  

So you need to make sure that you have those controls in place and you really know what you're doing and you educate your people, because if you give your people the ability to make these kinds of decisions, yeah, they're going to go hog wild crazy and they're going to do it all over the place, and then you're going to have a bigger problem to try to go back and clean up. Again, DAC is very flexible, again, much more so than MAC. There is risk because it can increase your unauthorized access, and then DACs can become complex to manage in large organizations. Again, they're very hard. They require careful administration of user permissions. So again, you need to really consider, when you're dealing with MAC and DAC, what are your requirements? How complex do you want to be, how flexible do you want to be? And then, are there any regulatory requirements that force you into some sort of mandatory access controls? There are different regulatory requirements that do force that. So something to consider there. And then are you interested in maybe a hybrid type approach where you're mixing both the MAC and the DAC together?

Speaker 2:  

Okay, so now we're going to get into defense in depth. So defense in depth is a strategy that involves implementing multiple layers of security controls to protect systems, again, from unauthorized access. Now, the different ways of defense in depth, we're going to go through, there's like six or seven different options around this. But to consider, there's physical security, right. So if you have physical security in place to protect from theft and vandalism, that would be defense in depth. You have cables that are tied to your computers that are in your offices. Another one might be network security specifically. Do you have IDSs? Do you have VPNs? What level of defense do you have for people gaining network connectivity to your environment? Do you have Wi-Fi that's on the same network as your business network, or is that on a separate network completely? Do you have a guest Wi-Fi network? All of those would be network security aspects that would give you some level of defense in depth. Then your system security, what would that include? Such as antivirus, endpoint detection and response, MDRs, patch management, all of those things are specifically tied to the system security as well. So you have physical security, network security, system security.

Speaker 2:  

Then you have application security. Now application security is again focused on the apps themselves, and this can include input validation, output encoding, secure code reviews and, depending upon your organization, much of that might be already built into the applications that you have. Maybe you don't do a lot of in-house development, but you require that from the applications you purchase. So that's one thing you want to consider as a security professional. Do you set a minimum standard for applications before you purchase them within your company? That would be an application security situation.

Speaker 2:  

Data security, this is obviously focused on data loss prevention, and this would include encryption, access controls and so forth. So that would be the data security around it and, as you can see, this kind of goes right down the OSI model. Right, you're not too far off. Many of the things that we talk about in the OSI model are the things that you will look at from a defense in depth standpoint. User awareness training. Again, that's obviously, you want to treat people and train people to understand what are the security implications to your organization.

Speaker 2:  

And then by educating them, it will help. Limit, not prevent. I mean, I've got prevent in the slide, but it's more or less limit some of the human error from your employees of some kind. Phishing, password management, data security: highly recommend it. Now, one thing you want to consider is, if you are providing this level of knowledge to your employees, don't go hog wild. Keep it simple. I would focus on keeping it simple initially, making sure everybody understands, and then focus on the basics. Again, this comes down to football, American football, I should say, where you focus on the blocking and tackling. If you can focus on the basics, get the basics down, get those down really, really well, then the rest of it will come later, and I know a lot of times people don't like to hear that, but I think it's an important factor. Incident response, obviously, have a good incident response plan and define people that are going to be implementing this incident response plan.

Speaker 2:  

This includes identifying, containing and investigating all the different incidents that you have within your organization that may come up. This could be some that are small, and then what criteria would it take to make it a large incident? And then how do you deal with that specific incident? Now we're getting into secure defaults. Secure defaults are a principle in security where you're basically having the configuration of the systems and the applications at the most secure setting possible when you pull them out of the box. That means when they're installed initially or set up, this is where they're set up as secure as possible when they have their default setting. This is without you going in and tweaking them. This is just pulling it out of the box, flipping it on. Is it secure?

Speaker 2:  

So the default settings, you need to really consider your system, your application or your network settings need to be dialed in to where they are where you want them to be from a default standpoint. And this could be the most restrictive, but yet not too restrictive, when you're setting around limiting access and functionality of the overall systems, and you'd want to make sure that with your network applications, you disable unnecessary features. One good example would be around admins, and many times the applications will have default admins set up and the username is admin and the password is admin. You'll want to make sure that those application defaults are not triggered like that. They're not set up to be that way. Same with network defaults as well. Again, disabling unnecessary services, limiting specific networks, all of those things need to be considered when you're deploying them. Now again, you may get it from Palo Alto in a certain way and then you have to make some tweaks to it. But when you say a secure default, if you're getting it from Palo and it's set in a perfect way for you, great. But if you need to make some modifications, the ultimate goal is that you modify the policy or the configuration file that goes along with it, and then that would be your default configuration file that you would send out. But you want to make sure that you set it up to where the default that is set in that system is the most secure, based on the risk for your organization.

Speaker 2:  

You want to understand the least privilege principle. This is around, again, having systems with only the minimum necessary privileges to perform their task. We talk about this a lot in the CISSP and it's a lot in security. You want them to have the minimum necessary privileges to perform what task they're doing. A good example I have is a database admin having full access to the database. It's probably not a good idea. You don't want really anyone to have godlike credentials with an application. You just want to avoid that. And if you have to have it, then it should be like an in case of emergency, break glass kind of situation.

Speaker 2:  

Strong default passwords. Obviously, passwords are a big deal in today's world. Passwords were really never designed to be what they are today, but you need to make sure that you define that they are at least 12 characters. They are up and down, high, low, I can't think of the name of it. They're special characters, they're capitalized, they're lowercase, they're all those things. You need to have that set up as your default. And one thing I have seen people do is they go, well, you know what? I'll keep the default password, like eight characters, but I'm going to have multi-factor enabled. Okay, well, that's good, it's not terrible. But at the same time, what if you have any accounts that don't require multi-factor? And so, if they do, does that default that you have set up affect those places where multi-factor is not enabled? So it's something to think about.

Speaker 2:  

Security updates. Again, from a default standpoint, the system should be configured to automatically receive security updates. This has been an ongoing battle with many organizations, especially IT folks. They're like, well, I am not pushing out a security update to my company unless I have thoroughly tested it, and that's understandable, and I'd say in some cases that is definitely warranted. However, when you're dealing with Microsoft, for example, do you have time? How often have you tested a Microsoft patch and has it failed? Now somebody will come up and say, well, it failed on me, but in most cases those are pretty solid, and so do you want to go and deploy them to your organization? Now, maybe it's one of those things where, on a security update, you don't update it, you have it delay the update, maybe by, I don't know, a week, just to see if there's any issues with it. But realistically, that's a really good way for you to help with the security of your company, ensuring that your updates are automatic, your security updates are automatic.

Speaker 2:  

Auditing and logging: turn those on, obviously, but as we've talked about before, your auditing and logging is only as good as anybody looking at it, or as the amount of storage that you keep it on. If it's set up for one day and it just basically rewrites over itself after one day because of, maybe, a limitation on the amount of storage you have, then it's really not that useful. So you've got to consider that. But one thing again around login attempts, password changes, all of those pieces are an important part. And then again around security awareness training. You need to educate people on the importance of all of this. Again, this isn't intuitive. It is intuitive for you all because you are listening to this podcast or you're going through my training and you understand the fact that security is important. But most of the people that you will deal with do not. They see it as a hindrance, they see it as a problem and it's just a pain in the bottom. So you're going to have to educate them on that.

Speaker 2:  

Next topic we're going to talk about is failing securely. What do you mean by failing securely? Well, there's basically ways you want to have the ability so that when things go bad, you can recover from them after they've failed, and one of those pieces is the fail-safe default. So what this involves is basically disabling certain features or reverting to a known good configuration. So if something happens with a database, it might automatically switch to read-only mode if it detects a potential corruption challenge. That would be a fail-safe default.

Speaker 2:  

Another one is graceful degradation. This is where it gracefully degrades to a functional state in the face of different failures. So again, it's one of those that will continue to operate, but it could be at a much degraded position or state because of the fact that there's something going on. An example of this might be a web application that displays a simplified error page instead of crashing if the back-end server becomes unavailable. Again, that's graceful degradation. Another one is error handling and logging. Again, obviously we talked about this. This is where any sort of error that would happen will be captured in those logs, and it can alert on those logs specifically, and this can allow you to help developers come back and deal with the troubleshooting of various issues that are within their application.

Speaker 2:  

Separation of concerns: this is dividing the system into smaller, independent components, each with its own responsibilities. This reduces the risk of failure in one component versus the catastrophic situation that may occur if it all goes down. So that's the separation of concerns. Web apps can do this, right, because you may have specific areas within authorization and authentication that may allow the application to still continue to run if those are not met to a certain criteria. Or, in the case of, let's say, your authentication, say it's an internal app and your authentication isn't working and it can't sync, then will it continue to run or will it just totally fail and give you a log out? That might be the case as well. But you just have to determine within your organization if that's something that you would want to implement or not. Redundancy and fault tolerance: obviously you want to have fault tolerance techniques to increase the system's reliability. This could be replicating data, using redundant hardware or implementing failover mechanisms. This happens a lot with various systems that are in the network, to ensure that if they fail, they fail open or they fail in a way that allows the system to continue to run.

Speaker 2:  

Security by design: you want to make sure that you develop the system securely from the onset, and this comes down to, when you deploy a new application, a new system, you think about security at the beginning. You don't think about it after the fact, and I think in the past that was definitely the case. It's becoming more and more common now, though, that as we get more security folks within organizations, they're thinking about the overall security of these systems before actually deploying them. Testing and auditing: that's an important part of any system that you put in, to ensure that it fails securely and it fails safely. You want to test this and take these systems down, see what happens, but you may have to do that, obviously, in a test environment, or you end up doing it on the weekends when people aren't in the office. But you'll want to test and audit those, either through tabletop exercises, that might be, or actually physically taking them down.

Speaker 2:  

Another part around failing securely is soft failures and hard failures. We'll kind of get into those just a little bit. A soft failure is where temporary disruptions in the systems can often be resolved without human intervention. So it has a hiccup, right, and then it picks back up and it's going back again. Network issues, software challenges, power supply fluctuations, all of that stuff can be a soft failure. A hard failure is obviously when things have complete loss of functionality or of the data. Hardware failures, critical software bugs, physical damage to the system. Again, the hurricane that rolled into town at the taping of this, it's that they've got a lot of physical damage. So those are different areas that you'll have to consider.

Speaker 2:  

Now, some different strategies to deal with soft and hard failures. Implementing retry mechanisms for soft failures is an important part, so it keeps retrying over and over again. Do you have redundancy? Is there backup functionality? Are you monitoring these systems for soft failures to take proactive steps to prevent them from escalating into potential hard failures? Are you seeing this happen? When you have hard failures, you want to develop a disaster recovery plan specifically around this, and this also includes, do you have critical systems that you need to ensure don't go down? Again, if they're going to go down, do they go down soft or do they go down hard? Now, if you're going with systems that are critical to your company, you'll want to build in some sort of redundancy so that maybe they go down in a softer fashion or they don't go down at all, obviously. But one thing to consider is how you want to scale that within your company. Have backup and recovery procedures, and then you want to implement security measures to prevent unauthorized access to these. Again, it's important for you to build this out. You also want to have, depending on your organization, depending on your risk tolerance, regulatory requirements and so forth, you may want to consider pen testing to identify any weaknesses that you may find as well. That doesn't mean that a pen tester has to come from the outside into your organization every time. A penetration tester may, actually, you may give them internal access to your network and allow them to operate, and then you make a decision on what they find.

Speaker 2:  

The next topic is separation of duties. So separation of duties is a fundamental security principle that involves dividing critical tasks among multiple individuals, groups or organizational structures. This helps prevent one single person from having too much control over a system or process. I highly recommend this for your IT folks that are like domain admins. There needs to be a level of separation of duties. One thing to consider is that if they're going to use your domain admin credentials, there's the two-person control or the dual control, where you then have to have at least two people approve this type of activity.

Speaker 2:  

Parts of job rotation: we've talked about this as well, where an individual will work in a certain role. They then rotate out of that role into a new role for a period of time. This can be where they have mandatory vacations they have to take. It could be where you just do job shadowing and they move into another role, but in the process, someone else that moves into the role is looking for any sort of errors that may be evident. Dual control: we talked about this, where you have two or more people that approve critical actions within your company, and this can work really well when you're dealing with purchase orders, money, anything along those lines.

Speaker 2:  

Mandatory vacations, again. If you're in Europe, they all get vacations anyway. You get like six weeks, but they're mandatory vacations and they have to take them at a certain time. Now you don't tell them when. This is where it gets really squishy: you tell them, hey, I'm going to tell you that you're going to have to take a vacation, but I'm not telling you when, and you're going to take two weeks and you're going to like it and have fun. I've never seen this in a job, but I would think that in that job you might not be too happy if they're going, well, you're going to take yours in January, middle of January, and you're like, where am I going to go in the middle of January? I guess someplace warm, you can do that. But it kind of jacks things up when you have kids, because kids don't get off in the middle of January.

Speaker 2:  

Independent oversight: that's an important part as well, having security policies and procedures that can identify and stress potential vulnerabilities and risks. Privilege segregation: again, this is where it limits the privileges of people that are granted the specific access. This could be the minimum amount that they need for their role, and this also helps prevent unauthorized access and reduce the risk of data breaches. So that's privilege segregation. Then there are change management controls. These ensure that all changes to systems and processes are properly authorized, documented and tested. They don't allow anybody to go rogue and do what they want to do. Again, this may require these changes to be submitted for approval and documented in a change management format, and they usually have a change management board that you may have to go through.

Speaker 2:  

Okay, so now we're going to keep it simple. So when you're dealing with keeping it simple, we talk about this in the ISC2 material. They say, well, what is keeping it simple? One thing you're going to learn with security is complexity is the nemesis of security. The more complex you make things, the more insecure it's going to be. Contrary to what you might believe, you may go, if I make it super complex, it's going to be obfuscated, it's going to be hard for people to get in and get my data. It just makes it harder on your people to try to understand where all that data is at. So you want to avoid complexity. Don't worry about the hackers. You can put defense in depth in place. You can do a lot of different things that will help restrict this. But avoid complexity and keep it simple. Again, the more complex you make it, the harder it's going to be on your people. They're going to make mistakes. The hackers are going to take advantage of it. That's just the way it's going to work. So avoid crazy network topology.

Speaker 2:  

I looked at a network once and they had VLANs everywhere. They were everywhere. And I'm like, dude, this is really cool, but way too complex. And he's like, no, it's good, it's very good. And yeah, he was French, and so he was very strong-willed in what he believed. We finally came to an agreement. I got him sort of moving in my direction, but it took a little while. So again, avoid complexity. Nothing against the French, he's just very strong. He had his opinion and he had some very good opinions. Some were maybe a little bit not as good, but that's okay.

Speaker 2:  

Standardization: make this stuff as standardized as possible. This includes topologies, technologies, processes, procedures. Avoid too many technologies. Oh my gosh. You don't want to buy all the new fancy-schmancy tools. You want to avoid too much technology and you want to keep it simple. Processes and procedures need to be simple. The people need to know what they're supposed to do, when they're supposed to do it and how they're supposed to do it. Again, keep it very to the point.

Speaker 2:  

Documentation: create documentation that is clear and concise. I will tell you this, though, sometimes the purpose of documentation gets to be overwhelming. Depending on what the organization is and the culture, they may want too much documentation, where everything has to be signed in triplicate. So what does that mean? Nobody looks at it. It's never, ever touched, ever again. So keep your documentation simple, easy to understand by your staff. A user manual is helpful, but watch the detail around it. Do just enough that they understand what they're supposed to do, but not so much that as soon as you've created it, it's now out of date. So you don't want to create documentation for the sake of documentation.

Speaker 2:  

Another thing is automation. Automate any task you possibly can. Think about automation. As much as you can do it, the more automated it is, I would argue in many ways the more secure it is, because it helps reduce some of the human error. That being said, the old statement is poop in is poop out. If you put bad stuff in, you're going to get bad stuff out. So make sure that whatever automation you put in, it's spot on and works. One of the ideas around that, again, is obviously automatically patching vulnerabilities, which we've talked about.

Speaker 2:  

Training and education: can't beat this drum enough. Now, I say this, people are educated to the point where they just go and say, oh, stop the madness. You have to teach them stuff that is important for what they do, but don't teach them too much. And the reason I say that is because they're not going to pay attention. Now again, if you're a security professional, teach them a lot. If you're an end user that's in finance, he doesn't need to know about all these crazy different techniques that you have in defense in depth and all these different aspects, unless he or she wants to know it. But in reality they don't need to. They need to know what's important for their job to protect the data and the company. So, again, keep it simple, silly. Regular reviews and updates: you need to make sure that you do updates and reviews of all of your systems that you currently have in place. Again, annual audits, potential vulnerabilities you look for, and then make any recommendations and improvements.

Speaker 2:  

Zero trust: zero trust is a security model that assumes that any device or user accessing the network or system is a potential threat to your company, and therefore a lot of the US government is requiring zero trust in all of their various, the larger, areas. You have to be able to focus on basically anything that connects to the network as a risk to the organization, and so this includes moving from focusing on perimeter security to granular access controls. I think it's a great concept and I feel that you do have to assume that everything within your environment is potentially compromised. The challenge is that you've got to understand your scope. If you make it too big and too complex, you'll never make it, and you may never get to a zero trust model within your entire network. It may be that certain aspects of your environment are zero trust and other areas you just can't get there. It depends on the company. Now you need to have, with zero trust, continuous verification of the integrity of the devices. This includes users and applications accessing the network or the system, and this can be done through multi-factor, device posture assessments and so forth. And again, you need to make sure that you understand how you're deploying this, and I would recommend that, if you're in a company or an organization that's been around for a while, maybe get a third party to help you with it, because it can be very challenging.

Speaker 2:  

Microsegmentation: this is breaking your network into smaller, isolated segments by roles, applications, data sensitivity and so forth. Great concept. Again, you've got to do it in little bites at a time. If you try to do this too big, too fast, you are going to break a lot of stuff and you're going to make people mad at you and you're going to lose money. Bad idea. So you just want to make sure that you have a really good plan before you deploy zero trust. Least privilege is granting the users and the devices only the necessary privileges they need to perform their tasks. This means you have to get very granular and understand what each user is supposed to do. What is their role supposed to do? This also helps you, though, to streamline some of the roles that you have, because over time there are many roles that are just huge. They've got all kinds of credentials and entitlements that they shouldn't have. This will force you to limit that to a much smaller subset of roles, which is great, right, it'll help you with minimizing that, but you will have a lot of complaining people. So start small. Have I stressed that enough yet? Start small.

Speaker 2:  

Data-centric security, again. This is where you protect the data wherever it resides, regardless of the location. It includes encryption controls and other security measures to protect the data, both at rest and in transit. Again, this is where you want to watch your data and make sure it's in a certain spot. Network access controls: this enforces policies and prevents unauthorized devices from accessing your network, and this imposes certain requirements, such as up-to-date antivirus software and firewalls as well. And then cloud-native type security, you want to make sure that you deploy this. Now, cloud security versus your on-prem security.

Speaker 2:  

Much of it is the same, much of it is very different. So the terminology is different, the vernacular is different, concepts are similar and mostly the same, but there's nuances. So don't assume that your on-prem network and your cloud network are going to be very alike. They may not be, and as you make a migration from your on-prem to your cloud, as many do, just keep that in the back of your mind, and also consider the fact that you may never ever get fully to the cloud, and I don't think I would recommend that. I think having it on-prem is an important part, especially when you're dealing with your more critical servers and applications. Okay, that's all I have for you today, and thanks so much for joining me at CISSP Cyber Training. Hope you guys are enjoying this stuff. I hope it's great for you. Head on over there to CISSP Cyber Training. You can get access to all my content and check it all out. Things are good, life is good. Can't complain at all, never will.
