CCT 196: Security Architectures, Design, and Solution Elements for the CISSP (Domain 3.5)
Nov 25, 2024

Unlock the secrets of robust cybersecurity defenses as we navigate through the intricate landscape of the CISSP exam content, zeroing in on vulnerability mitigation within security architectures. Explore an eye-opening case study of the Russian GRU's audacious use of Wi-Fi networks for credential stuffing attacks, revealing the critical need for multi-factor authentication. As we dissect the complexities of these cyber-attacks, the episode promises to arm you with the knowledge to stay one step ahead of evolving threats.
Our journey takes a broader look at the myriad of cybersecurity threats lurking in the digital realm. Discover practical strategies to shield your organization from phishing, malware, and man-in-the-middle attacks. Learn about the vital role of password managers, regular system updates, and the implementation of sandboxing to protect against outdated applets. The episode provides actionable insights to fortify your security posture, ensuring sensitive data remains uncompromised.
Rounding out the discussion, we delve into the critical aspects of database security and the unique challenges faced by industrial control systems. Gain an understanding of database architecture, key security practices, and the significance of multi-level classification in military contexts. From access control to encryption and SQL injection prevention, we cover it all. Finally, we shine a spotlight on the mission of CISSP Cyber Training, highlighting how proceeds from the program support adoptive families through Shepherd's Hope, reinforcing the episode's commitment to making a positive impact beyond cybersecurity.
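The SQL injection prevention the episode mentions comes down to one rule: user input must reach the database as data, never as part of the SQL text. The following is an added example written for these notes, not code from the podcast or from any product it discusses. It uses Python's standard sqlite3 module with a constructed in-memory users table (plaintext passwords for brevity only; a real system stores salted hashes) and shows a deliberately vulnerable login check next to its parameterized replacement, with the classic `' OR '1'='1` payload run against both.

```python
"""Added example: SQL injection, vulnerable string concatenation vs. parameterized query.

All data here is constructed for the demo; the functions return booleans so the
behaviour can be checked rather than eyeballed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Constructed sample rows. Plaintext passwords are for illustration only.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: input is spliced into the SQL text.

    A password of  ' OR '1'='1  turns the WHERE clause into
    (username = 'x' AND password = '') OR '1'='1', which matches every row.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: the query shape is fixed; ? placeholders bind input as values.

    The same payload is now just a password string that matches no row.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(sql, (username, password)).fetchone()
    return count > 0


def demo() -> dict:
    """Run a legitimate login and an injection attempt against both versions."""
    conn = build_db()
    payload = "' OR '1'='1"
    good_user, good_pw = "alice", "correct horse battery staple"
    return {
        "valid_vuln": login_vulnerable(conn, good_user, good_pw),
        "valid_param": login_parameterized(conn, good_user, good_pw),
        # Unknown user, injection payload as the password.
        "inject_vuln": login_vulnerable(conn, "nobody", payload),
        "inject_param": login_parameterized(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'LOGIN OK' if ok else 'rejected'}")
```

Both versions accept the real credentials, but only the concatenated query lets an unknown user in with the payload. Escaping special characters, the other control the episode names, is a weaker fallback: it depends on getting the quoting rules right for every dialect, whereas a bound parameter is never parsed as SQL at all.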
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.
Speaker 2:
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today's amazing. We're going to be talking about subdomain 3.5 and mitigating vulnerabilities in security architectures. Yeah, this one's going to be fun, a lot of fun, yeah. So, as you look at CISSP Cyber Training, there's a lot of content that we have available for you and you can go get all of that available to you if you just go to CISSP Cyber Training. This will be one aspect, obviously, of the 3.5. I will tell you, 3.5 is pretty gnarly, it's pretty big and we'll only be going over a small portion of it today, but it is. It's going to be an incredible, action-packed, awesome podcast. You guys will just you'll stay riveted. I know you will. But before we get started, I wanted to talk about an article I saw just actually was a couple of days ago and it's quite interesting.
Speaker 2:
So one of the things that I did when I was a hacker for the way, basically tied to the red team, the US Air Force red teams, was we would try to break into different types of networks on a routine basis, and we would. One of the things we would use is, we would end up utilizing the Wi-Fi networks of an organization. We would use Yagi antennas, we would use all kinds of different types of tools and techniques to gain access to a Wi-Fi from a geographic location. Now the thing is, we had to actually go to that physical location to compromise the network and the Wi-Fi network. Well, now the Russians have been very, very how do you say that adventurous, and honestly, it's a very neat technique. What they did, it's pretty cool. I'm not happy that they did it, but on the flip side, I'm sure if the Russians are doing it, the United States and other countries are doing it as well. But they did decide.
Speaker 2:
Describe what occurred here. I've seen it in Wired and now it's also on Ars Technica, but really, basically, what ended up happening is that there's a situation where the Russian GRU broke into a network of a high-value target after first compromising a Wi-Fi-enabled device in a nearby building. Basically, they're using it to exploit the target's Wi-Fi network. Now, what they did in the past well, we've done this. Where I say we, I did this. Where you would go from one server to another server around the globe and your ultimate goal is to get back to one location.
Speaker 2:
Well, what they did was they ended up compromising this network, and so if you can kind of see the screen, you might be able to see it. If not, you'll hear it, obviously, on the podcast. But they compromised a network that was in a building from a remote location and in the process of compromising that network, they did credential stuffing on the adjacent building's Wi-Fi network with the goal of breaking into it. Now, if you didn't have multi-factor on your Wi-Fi network, it's very possible that if they stole credentials from somebody else, they would be able to gain access to that Wi-Fi network from the network that they compromised. So it's a very similar technique as if you were, instead of just considering all networks, one network, and if you can get close enough to a Wi-Fi network, you can now hack into it with the credentials from somebody else. And we all know that our credentials have been compromised numerous times from various attacks that have occurred over the years. So you have to assume that your credentials are compromised and gone. So, assuming that this is the case, it does demonstrate the ability for the Russians to be able to, or anybody else to be able to, take your credentials once they have a persistent presence on a network, then use those credentials to connect to another Wi-Fi network and then be able to exploit it and run from that direction.
Speaker 2:
Now, all of this sounds great, all of it sounds super Gucci, and I'll be honest with you, it's pretty scary. Right, it could happen to anybody. That being said, after doing this for many years, this isn't as easy as it looks on a piece of paper. You know, I just jumped from one network to the other network. Now it can be that easy, right, it can happen where the situation will go very quickly and you can gain access and you gain a foothold. I mean, ideally, what they would want to do is, once they jump to this second network, is create some level of persistence within that network and then that way, that can tunnel outbound to wherever they're at. They wouldn't want to use this Wi-Fi network to communicate data in and out of the network. You just really wouldn't, because it's just too flaky, you can run into a lot of issues, but it does give you that initial toehold into a network where before you didn't have it. So the interesting part is, though, is this occurred? They recommended that you put some level of multi-factor on your Wi-Fi networks and don't assume that just because they are segregated from someplace else that someone can't gain access to them. So just something to keep in mind. I will say I've never seen anything before like this. It's pretty cool and I'm sure now that it's got people like little hornets in a hornet's nest all buzzing around trying to figure out how to address this issue. But again, it was on Ars Technica. You can also see it there and you can see it on Wired Magazine and it's just about spies hacking Wi-Fi networks in a far-off land to launch an attack on the target next door. Okay, again, Russian GRU breaking into systems and hacking them to the end of time.
Speaker 2:
Okay, now let's get into what we're going to talk about today. Okay, so domain 3.5, how to assess and mitigate vulnerabilities of security architectures. So the ultimate goal again is you can get all this information at CISSP Cyber Training, and you can get all this training there and available to you. Again, we're going to be running a Black Friday, Cyber Monday ad here to kind of reduce some of the price as far as our silver and platinum or gold, gold platforms. But bottom line is that we want you to have this training that's available to you so you can pass the CISSP. The CISSP is not an easy test. I would love to say everybody that joins CISSP Cyber Training passes the test with flying colors. That isn't always the case, right? The thing is it's up to you to study and be able to understand the information, and the goal of this is to be able to provide this information for you so that you can better understand what are some of the questions that are being asked.
Speaker 2:
So let's get started with client-based systems. Now, what is a client-based system? There's client-based attacks that are occurring. They're tying against various systems that result in gaining unauthorized access, stealing information, compromising system integrity, and they can exploit various client-side, or at the individual side, applications, operating systems and misconfigurations. Just what we talked about recently in that article from Ars Technica can happen to you. So these are types of client-based attacks that can occur.
Speaker 2:
You have phishing, right. So this is where the attackers will trick you, through phishing email, into giving up sensitive information, usernames and passwords. They'll ask for it and you may provide it to them. This happens a lot. I mean, it really does, and I have a friend that she's a little bit older and she's very concerned about these things and we helped her get set up with a password manager to manage all of those things. But when it comes right down to it, people will try to manipulate others to try to gain access to various sensitive information. Malware. This can be affected by, obviously, viruses, ransomware, spyware. All of these things are types of malware that can affect a client system.
Speaker 2:
There's we talk about the man-in-the-middle attacks. This is where an individual connects, basically is in between. So if you have point A, where one server's located or the client's located, and point B, where that information is going, they act in the middle, right, so they can intercept or alter communications between the client and the server, especially if it's insecure communication, such as maybe HTTP and not HTTPS. So again, man in the middle, important part for you to understand. Drive-by downloads. This is where a malicious script will occur on a website and as you go to that website, files are automatically downloaded to the client system. These are things to consider when you have lots of employees within your organization and you wonder what sites they go to. Hence you want to put protections in place to limit potentially where your employees may go, so you can limit some of these drive-by download situations that could occur. Exploiting client-side vulnerabilities. This is where attackers will exploit bugs or weaknesses in web browsers or plugins and again that way will download information to the individuals that are seeing them. So, again, this can be Java, Flash, PDF readers, all those types of things on the client side.
Speaker 2:
Now, what are some defense strategies around this? Obviously, we talked about numerous ones on CISSP Cyber Training. You want to have updates, regular updates that are occurring, antivirus or anti-malware. Now, I will say, in the past antivirus was the go-to. Now you need more of an integrated concierge-type solution where it's like EDR, endpoint detection and response. Some level of maturation at the endpoint is important, not just antivirus. And then, obviously, user training is an important part in all of this.
Speaker 2:
The next topic is applets. Applets are small applications that are designed to be embedded within a larger application, obviously, such as a web page, right, or to execute client code on the machines or on the side, right. So the client side. You have some sort of machine code that's going to be running. These were typically used to enhance the functionality of web pages.
Speaker 2:
Obviously, Java applets in the web browsers is one of the different areas, but they're less used today. You will still see them, depending upon the age of the environment that you're operating out of. So what are some of the risks of applets that you may see? One is security vulnerabilities. They could be a vector for someone that could use a security vulnerability against them, especially since it's a bit older, if they haven't been updated. It could be a situation where something like a Java applet could be exploited and therefore pass on malicious code to the client systems. So that's a risk of those. Cross-site scripting or JavaScript injections. This is where, if they're not properly sandboxed, applets may interact with the browser or other parts of the system in unsafe ways and because of that, then it would allow the remote code to be able to transfer into the browser itself. Insecure communications. If the applets are allowed to communicate with the web server in a manner that's not secure, obviously in SSL or TLS, then it can expose sensitive data to the attackers as well. Some of the measures that you can do: obviously disabling or getting rid of applets is an important part. They are outdated, they are older. You probably want to move on to something else besides them. Sandboxing is another part of this. This is where the applet itself is sitting in a critical or in an isolated, sandboxed area. This would be extremely important on critical systems that you may have within your environment. Code signing and validation. This is ensuring that the data, the application itself, has been properly signed and is validated with a trusted certificate to ensure that it's not tampered with or replaced by malicious code. So that's what you would deal with for an applet. Local caches.
Speaker 2:
Local caches are temporary storage locations on client systems where the data is stored to improve performance by reducing the need for repeated access to these remote resources. Okay, so it's basically cached in a location where you can pull it from, right. So this could be browsers, applications, operating systems, all these different places. It's a cache, right? That's where this data is stored. Now, these caches can provide a lot of information to individuals if they would like to gain access to it. So one, you can run into situations with a cache where it's sensitive data leakage. If you have data that's stored in this cache, such as login credentials, personal data, confidential documents, all these aspects could be available to people if they were to try to get it. It's just data or a package to manipulate the version. So the ultimate goal there is just that you put a little program out there so that the cache, when it's accessed, it will then do a dropper into your actual client system. Outdated or stale data.
Speaker 2:
If these caches are not properly managed, they can serve outdated data, potentially leading to operational errors, right? So the more data you have out there that is potentially not being refreshed can lead to issues with your overall system. Now this can be critical when you're dealing with industrial control type systems if they have outdated cache type activities. Best practice for cache management: obviously, cache encryption. I have never seen this myself. I'm sure it's out there and people do it, but I've never actually seen it done. This is where the data is encrypted and it's protected so that you can't get unauthorized access to it. I think that makes it a little bit more of a challenge if you were to encrypt the cache, but I'm sure it can be done.
Speaker 2:
Cache expiration. This is where your cache will delete itself or refresh itself so that it does not become outdated or stale. So that's your cache expiration. Regular cache clearing. I've seen this a lot with systems where they will actually go in and have an automated script that will clear the cache within your different systems, and this will help reduce the risk of data leakage and cache poisoning. And then, no cache for sensitive data. So right, you're not allowing any sort of sensitive data to be in the cache itself, that it would only be like operational type files, not passwords, not sensitive information, and so forth, all right.
Speaker 2:
So database system architecture. So what does this mean? Well, we're going to get into various aspects around a database so you understand what, how, if you see these terms on the test, you understand what they're actually talking about. So a database management system, this is typically software that's designed to store, manage and interact with databases. So a DBMS, and you'll hear DBMS in many different places within an enterprise. I've dealt with multiple clients, including the one I used to work with, and they all deal with some form of a DBMS system and it's designed to create, maintain and control access to these different databases, and this provides interfaces for managing data efficiently and securely. Right, you hope it's secure at least.
Speaker 2:
Now, the internal level of this. You have a physical schema. Now, this describes how the data is stored on a storage medium. It involves defining the physical storage structure, such as files, indices and the blocks of storage that are set up specifically. You then have the conceptual level, which is your logical schema. This is the logical view of the entire database, including the tables, views, relationships. All of that stuff is all tied up into the conceptual level. So you have internal, conceptual and then you have external. Now, the external level is user-specific views of the database, showing only the data that's relevant to the specific user or their application. Now, that being said, different users can have different views of the data, depending upon the access privileges and what they're allowed to actually see and not see. So you have your overall DBMS, you have an internal level, you have a conceptual level and then you have an external level.
Speaker 2:
Now, when you're dealing with databases, there's hierarchical databases and they organize the data into tree-like structures, right? So you've heard about, you've heard man, I can't even speak. You've heard about these different types of hierarchical structures. We're going to get into some key characteristics around this, but the ultimate goal is that these are you have, each parent has only one child for each of the branches, so there's a one-to-many relationship. The data is structured in parent-child relationships, where the parent record can have many child records, but each child has only one parent. Okay, so you can only have one parent, but you can have multiple child records. The data retrieval part is efficient while following the hierarchy, yet it becomes more complex when you get into non-hierarchical queries. So one example of that would be XML databases. These use a hierarchical structure for organizing your data and if you've ever looked at an XML file, you'll see that it's very structured. It's a very hierarchical kind of flow. I don't know how to really explain it, other than the fact that it can make sense, just seeing it, that it is in that kind of format.
Speaker 2:
Now we're going to get into distributed databases. A distributed database consists of multiple databases that are physically located across different locations and these are logically connected to work as one unified system. So now, instead of having just one database, one DBMS, you now have a distributed DBMS where you have multiple databases all tied together and they act as one. Obviously, you can see this a lot with AWS and the overall cloud environment, where, if you get into a database out there, those are, I mean, you can get them very relational, very specific. But if you're doing any sort of like backup data, DR type planning, those are set up in a distributed DBMS type format and this ensures that there's data consistency and transparency across the entire system. This works out really well within manufacturing facilities where you have multiple databases that are tied to make sure that you have all the documentation and the products. In the beginning, many of these industrial control environments had a very single database that's done for a specific purpose, but as time has gone on they've become more distributed because they know the value of the data itself and how important it can be within your industrial control environment. So what are some key characteristics around this? Data distribution.
Speaker 2:
Data can be distributed across different sites for load balancing, redundancy and fault tolerance. If you're getting into the overall part about maintaining your business resiliency, having a distributed data set is a very important part. You wouldn't want all of your data stuck in one location because if that site goes down and becomes a smoking crater, you then at least have the data in other locations. Replication. Some or all of the data can be replicated across sites for availability and reliability. An important part is, do you have good replication in place? If you have, and this is usually tied to some sort of DR plan, have you had a chance to go and exercise and reconstitute that data? It's an important part that you go out and you test this to ensure that you actually have the ability to recover in the event that you have a problem that goes bad.
Speaker 2:
Transparency. Users do not need to know where the data resides and how it's distributed. That's another part about this, is that if it is distributed, the users don't need to know that. Okay, that database is sitting over there. Oh wait, I'm a bad person. I'm going to go steal some information from that database. No, you want it distributed, because then they don't need to know specifically where it's at. That being said, one of your key risk factors for your company is your database admins. Yes, those people are naughty. No, they're the ones you're going to have to watch out for, because, or I should say, their accounts more than that. I mean you should watch out for them. You should watch out for everybody, but you should watch out for their accounts, because those folks have the ability to do all kinds of damage and steal all kinds of data. Because where does the data reside? In databases, most of the time.
Speaker 2:
Now, security considerations. You want consistency and integrity. This is ensuring that data across multiple sites remains consistent, especially during failures or updates. Again, that's an important part. If you have all this information in a database, you want to make sure that it's consistent and it's there and that you can recover from it if needed. Network security is an important part of this, though, because it also helps ensure that the data going between those databases is properly protected from the risk of interception. So you have encryption, you have secure communication protocols, all of those things should be in place. And then access controls. Distributed systems must be well managed, yes, with role-based access and clear segregation of duties. Again, watch out for those naughty database admins, because they are, they are like just, they're ornery, yes, no, you want to make sure you have good role-based access in place for all people gaining access to any sort of database within your organization.
Speaker 2:
Now, ODBC databases. This is open database connectivity. That's what the ODBC stands for. ODBC is a standard API for accessing database management systems. Now it follows the DBMS and provides an ODBC driver, making the platform independent and enabling interoperability between different databases and applications. It's a lot of words, but what it comes right down to is ODBC databases. They work really well in the manufacturing facilities because the databases are all very different. It allows you basically to have an interaction between two databases that are of different nature, different manufacturers, different stuff, and that's where the ODBC connection comes in. It's just an API type connection and it's very, very useful. The downside is that you do lose some data when you have these ODBC connectivities. Lose data is not the right word, but some of the context, some of the granularity you would have between databases that you would like if they were all the same type, is lost a little bit, unless you have really good coding around your APIs.
Speaker 2:
Now, key characteristics related to this. This is standardization. Now, ODBC allows for applications to communicate with various types of databases without needing to know their underlying implementation plan. Right, so it's ha ha, it works. It's what your ultimate goal is. That it is some level of stream streamlicity. Yeah, that's not even a word, but it'll be a word for today. It allows standardization between them. There's a driver model. ODBC uses drivers specific to the databases being accessed, such as you have MySQL, you have SQL, you have, they have one that I saw was PostgreSQL. Never heard of that one. PostgreSQL, never heard of it. But there's lots of different types of databases that are available to people, but ODBC does have drivers specific to each individual database.
Speaker 2:
Then the security considerations around this is authentication, right. So ODBC connectors should use strong authentication. Yeah, they don't always do that and I will say that I've seen it time and time again where I've had to implement strong authentication with ODBC. But when you're dealing with manufacturing facilities specifically, that can be a bit of a challenge and problematic. So you want to make sure that you can put that authentication in there somehow.
Speaker 2:
However you can do it is highly recommended. Encryption. The connection should be secured with some level of encryption to protect the data. Again, they're API calls. Don't store the keys in the API call, if you can. Again, depending on, you also got to weigh the risk out within your organization. If this ODBC connector is on your web server facing the world, yes, you want all this stuff as tight as possible. If this was within your industrial control environment, that's maybe following the Purdue model and it's 12 barriers below the seven levels to hell, I don't even know what I'm talking about, but that you know it's like buried in the bowels of this thing, then you may not, due to a risk situation, want to. Want to is not the right word. You may choose, you may elect to not encrypt that data because it's so far buried within your organization and, in reality, if an attacker gets that far down within your company, that's probably the least of your worries.
Speaker 2:
So something to consider if you're looking at database systems. NoSQL databases. So NoSQL, it's called not SQL, which doesn't mean like there is no SQL, just means it's not SQL. And they're designed for large-scale distributed data storage. And because if you deal with SQL, okay, so the regular SQL, you have to deal with a lot of licensing challenges. I mean, it's super expensive. So NoSQL is a great alternative to that in the fact that it works very, very well and it works very similar to what SQL would do. However, it is used primarily a lot within distributed data storage locations and I've seen it work both with SQL and with NoSQL in the same environment. But it's used to store unstructured and semi-structured data. They're typically more flexible and scalable than the traditional relational databases.
Speaker 2:
Now, the types of NoSQL databases. I'm just focusing on these because of the fact that you may see these more out there than you will other types of databases. Document-based: you got MongoDB.
Speaker 2:
I used that a lot when we were dealing with my developers and the various types of documentation they had. They have CouchDB. These all store JSON-like type documents. Key-value stores, this is Redis, DynamoDB. Column-family stores, this is Cassandra and HBase. This is where they store data in columns rather than rows. I have never seen this. I've heard of Cassandra, but I've never actually seen it myself. And then graph databases, these are taking off. Graph databases, their data is stored in nodes and relationships in a graph, so much more useful from a contextual standpoint, from what I understand. I've never. I just hear they're being used more. I've never actually used a graph database a whole lot myself.
Speaker 2:
Scalability. NoSQL databases are often designed for horizontal scaling, making them suitable for handling large amounts of data in high-velocity transactions. So that's the key with NoSQL. Again, NoSQL databases often lack the robust access controls of relational databases, so you need to require special attention on those and make sure that they are in a position where they're best protecting your organization. And then data integrity. NoSQL databases often trade off ACID properties for better scalability, to ensure eventual consistency and data integrity. Okay, so there again, they don't. There is some level of data integrity because they're just trying to roll through the data, put it in there transactively, as quickly as possible. Again, you can make this as good as you want. You can make these changes to your NoSQL databases. It just requires a bit more finesse to do so. And then, obviously, encryption. It's important for you to put a level of encryption on your NoSQL databases when possible.
Speaker 2:
Now, relational databases. These organize data into tables, also called relations. They have rows and columns and attributes, and these are all set up within a structured query language. This is the querying and managing of data. Now, these are in tables because the data is stored in tables and relationships between the tables are defined by using the keys. Now, normalization. Data is organized to reduce the redundancy and improve data integrity by decomposing the tables into smaller related tables. So it just basically takes from big to small. Now the ACID transaction, which I talked about before in the last one, but I didn't really get into it. This deals with atomic, consistent, isolated and durable, which guarantees data integrity even in the event of system failures. That's the ACID test that we talked about there earlier, and this is where the relational databases can have that. That adds a level of overhead that you're going to have to work through if you decide you want to utilize these SQL type databases within your organization.
Speaker 2:
You're dealing with candidate and primary keys. So a primary key is a key that is in the field or a set of fields that uniquely identifies the record within a table. Now you'll have these keys and they are unique and you'll need to understand that how and again, real quickly, you'll understand that I am not a database guy. I just, I've dealt with these a bit to the point of understanding how they typically work, but to the level that you may want to get into at some point in your life, I'm not your guy. But this will help you a lot with your CISSP, just to understand the key terms that they may potentially ask you on the test itself.
Speaker 2:
A candidate key is a field or a set of fields that can serve as a unique identifier for a record. So you have a primary key, you have a candidate key, and then you have a foreign key, and this is the key in one table that uniquely identifies a row in another table, establishing relationships between the two tables. So the foreign key allows the two tables to connect and establish those relationships. So: primary, candidate and foreign key. Now some security considerations. Obviously, with relational databases, access control, similar to NoSQL: got to make sure you have the right people having the right access to the databases, and avoid those database admins who are kind of... you just never know, just never know what they're going to do.
Speaker 2:
Your data encryption: data encryption both in storage and at rest, during transmission as well. Now, I will tell you, the one thing about databases that I've always struggled a little bit with is data at rest. The data, in many cases, especially in a large organization, is never truly at rest. You have the data in a database to protect it in the event that somebody might walk off and steal it, because at any point in time something is querying the database. So this is the part where I go, well, when data is at rest, like it's sitting there, it's lounging on a couch, eating grapes and drinking wine. It's not doing that. It's being queried on a numerous basis, being written to or modified in some form or fashion on a continuous basis. So it's really never truly at rest. Well, I mean, I'm sure some is, but for the most part it's not.
Speaker 2:
Now, data encryption is an important part, though. If you're talking about data leaving an organization or a database, you want to ensure that it is encrypted, because of the fact that who could be snooping it and sniffing it? You just don't know. And then SQL injection prevention. Proper input validation, parameterized queries and escaping special characters are essential for preventing SQL injection attacks. What you want to avoid, obviously, is the inputs that come in, and then the content that you have set up within your SQL environment, to avoid that: if there are special characters used, what happens? Does it barf all over itself and give out all kinds of information? You want to make sure that you have some level of injection protection on your databases, because, like we mentioned before, they contain all of your data.
Speaker 2:
Okay, so next I'm going to focus on security for multi-level databases. Now, these are databases that store and manage data with different security classifications, such as top secret, secret and unclassified data, and you will see this obviously in military and government-type contexts. So these are the multi-level databases. Obviously, when you're dealing with multi-level databases, you want to have multi-level security. This ensures the data is protected according to its classification level, and you don't want the streams to mix or to cross. You don't want top secret into secret and vice versa, and so, therefore, it enforces the clearance levels and the need-to-know policies that are set up within that database. You also have a strong level of labeling when you're dealing with some sort of classification, such as top secret or secret. You want to have a label based on the security level at which it's going to be protected, and users can only access the data for which they have the appropriate clearance.
Speaker 2:
An important part when you're dealing with classified information: this doesn't have to happen only with a contracting company or with, I should say, with the military and the government. It can happen with a contractor, it can happen with a different sort of third party. But as you're looking now, we talk at CISSP Cyber Training about the CMMC rules that are coming out now, the Cybersecurity Maturation... Maturity, yeah, something like that, Certification. I think that's what that acronym is for. But bottom line is, if you are a defense contractor or work for the government with sensitive data, you have to manage this data in a way that protects it. In the past they haven't really... they've tried to do some things, but it's all been pretty ad hoc. Now the government's coming down and cracking down on that, because what they have come to learn is that most of the third parties have a majority of the data for the government, and therefore they need to put in some level of standardization and protection of this information. Security considerations.
Speaker 2:
Obviously, access controls are an important part, and you need that for users to access the data that matches their specific clearance level. And then data inference. This is preventing unauthorized inference of sensitive information by users who only have access to the lower level but might deduce, it's a big $10 word, might deduce the higher-level information. Basically means... I used to do this in the military when we were hackers. We would be able to gain access to all kinds of unclassified information, but we would be able to deduce what else was going on, and so that was an important part. Now, because we were able to gain access to all this information, it actually paints a picture of what else was going on in those organizations. That can happen within any company, right? So say you have a company that has intellectual property that's protected by this big 10-foot door that only one person can go into twice a year, but everybody talks about it. Well, the secret's in the open, plain and open... I can't think of that word. It's just basically in open sight. You can see it, right, because everybody talks about it. So it's really not a secret anymore, other than the fact that you pretend that it's a secret, but yet everybody understands what the secret is. So, yeah, that's one of those things that you kind of want to avoid.
Speaker 2:
Now let's get into server-based systems. Now, server-based systems are central components of most IT environments. These systems host and provide various services, applications and data to clients, users and other servers, right. So servers are an important part. They are typically where a majority of your data resides. It isn't usually in... it is in SharePoint and those different places, but the majority of the data is residing in the servers, and these are designed to be scalable. Especially now in the cloud environment, you can scale these babies up. You can do all kinds of fun things with them. But that's the server-based systems.
Speaker 2:
Now, key security considerations. You have access controls, right. You want to make sure that, like we've talked about time and again, there are proper access controls in place. RBAC, role-based access controls: awesome. Strong passwords, least privilege as well. It's an important part of your servers. You want to limit who has access to this.
Speaker 2:
Patch management: make sure the bloody buggers are patched and kept up to date. Server operating systems and applications must be patched regularly. I see this time and again: they don't get patched as well as the client-based systems will, because those are tied to Microsoft or some other company and they're just automatically patched. Servers, on the other hand, they don't put these on an automatic patching cycle, because if you automatically patch servers, what ends up typically happening is things break. Especially if you have an old, legacy-type application running, they will break, and if they break then people get mad, and people don't like getting mad and they don't like things breaking. So what do they do? They don't patch them. So patching your servers is an important part.
Speaker 2:
Hardening them as well is obviously important because, depending on where they sit, you can protect them from denial of service attacks. Now, this denial of service attack: if it's obviously a web server sitting out in the cloud, yeah, you definitely need to protect against that. But could you have a denial of service within your network? Oh, yes, you can, and you should protect against that. What does that mean? It means if you have, like, a set of servers that are critical to your organization, it would behoove you to put them into a spot that would protect them from the other servers within your organization. One, it would limit the amount of attacks from outside entities, potentially. Two, if there is a denial of service, it wouldn't potentially impact your organization or those servers that are sitting on a little island off on themselves. So something to consider.
Speaker 2:
With that, monitoring and logging: you want to have all this stuff going into a SIEM, that's your security information and event management system. So all of this data from these systems needs to go in there. Right, it needs to go in, and that way you can monitor them. You know what's going on. So you need to have some level of logging, even if it is just basic logging with those systems. You should have something in place. Data protection: this is often where your most critical data is. It should be protected.
Speaker 2:
Now, again, we talk about data encryption at rest and in transit. It's an important part. You need to define what is best for your organization, based on the risk profile of your company. So how much do you want to do? Like I said before, the data that is tied to servers, usually databases that are connected to these servers, is some of your most sensitive data. So you need to consider how you best protect it. That being said, some of these organizations may have gazillions of servers, right? Lots and lots of servers. So take a risk-based approach. I struggle with organizations that don't do this and they just say, well, protect it all. Well, if you're going to protect it all, you're not going to protect any of it, I'm sorry to say. It's just really going to be a challenge for you. So you want to make sure that you take a risk-based approach. Now, as a CISO or as a security professional, you're going to have to communicate that to the senior leaders so they understand what you're getting at, because when it comes right down to it, if they don't understand it, it ain't going to happen. So make sure they understand what you're trying to accomplish. This is the important part. Where you make your money is being that influencer and helping people understand the risk. So some examples of server-based systems: obviously, web servers, application servers, file servers. All of those pieces can be tied to a server, right, and those are ones you should protect.
Speaker 2:
Next, we're going to get into industrial control systems, so ICSs. So I worked extensively in industrial control environments and understand those pretty well, right? I mean, honestly, you don't really get those unless you work in them and understand how they work from a manufacturing point of view. I worked for a chemical manufacturing company in the past, so I understood those pretty well, and also taught it in college. But an ICS system: they include a wide range of control systems used to monitor and control physical processes. Now this includes manufacturing, energy production, water treatment and transportation. ICSs typically consist of supervisory control and data acquisition, or SCADA-type, systems. They also include DCS, which is distributed control systems, and PLCs, which are your programmable logic controllers. So that's the typical architecture of an ICS environment.
Speaker 2:
These are tied to, again, all kinds of things, from something that makes, like, a hole punch to something that controls chemical manufacturing, nuclear facilities, you name it. They spread the gamut, and so if you have a manufacturing facility of some kind, you probably have an ICS environment in your environment. Now, in a lot of cases, these ICS environments are blended in with your overall enterprise, which makes them a bit of an easy target, because of the fact that if you can get access to the enterprise, you can get access to your ICS. ICSs typically are not as protected with updates and patching and all those wonderful things as your traditional enterprise environment is, because you're dealing with a lot of proprietary-type equipment which can struggle to be updated.
Speaker 2:
So some key security considerations when you're dealing with ICS: segmentation and isolation. They should be physically or logically isolated from the corporate IT environment. The Purdue model is one of those aspects. That was almost a physical... it's actually a logical separation, but you can get into more of a physical separation. If you are dealing with a nuclear facility, yeah, they would be physically separated. You cannot connect the two together. But it depends on your organization; you may or may not have that. Now, network segmentation, firewalls and DMZs will help control traffic between IT and OT environments, and an important part of your organization is to have this segmentation and isolation.
Speaker 2:
Legacy systems and patching: many ICS components are legacy systems with limited support for updates. Right, like I mentioned before, there's very little... I shouldn't say little. Updates are becoming more and more important and more critical for organizations to do, but at the same time there is not nearly enough patching that's occurring. Access control and monitoring: strict access control should be in place for both physical and network access to ICS components, and you should have that available. There should be very similar access controls within your ICS environment to what you would have within your enterprise network. And if you can't get that because they're segregated, you need to come up with a plan on how to do that. Incident response and recovery: you need to have a good business resiliency and incident response plan for your ICS environment. It's just an important part and you need to plan for that.
Speaker 2:
Safety and security integration. In many ICS environments, safety and security do overlap. Things go boom. They tend to go boom when you're dealing with ICS environments, and so, therefore, the security has a physical consequence around it. And this has probably been one of the biggest challenges that people have had in the past: to understand the coexistence between cyber and physical security. It's always been there, but they've always thought that they're separate. Well, as we're seeing more and more today, there's a big blend between physical and cyber security. They really truly do overlap, and you're going to need to, as an experienced professional, help your physical security people understand that connection. It's less obvious when you're dealing with your enterprise network, but it's much more obvious when you're dealing with your ICS or manufacturing facilities. That can be something they can equate to and they can understand, because almost all of the physical security guys, when I bring it up to them, come back and say, yeah, I kind of use a computer to log in and to understand my network, right? So they understand it. And so therefore it's important that you, as a security professional, help them become more adroit at what is actually going on.
Speaker 2:
Now we talked about some examples, right? So SCADA systems, PLCs and DCSs are all part of the overall ICS ecosystem. That being said, a DCS, a distributed control system, is usually tied to large enterprise-type systems where they have large industrial processes. Small mom-and-pop shops won't have a DCS. They're just super expensive and there's really no need. But they may have PLCs on their shop equipment. So I know, being here in Wichita, Kansas, we have lots of manufacturers for the aerospace industry. They have PLCs that are on these systems that are punching out all kinds of stuff, but they don't have a DCS. They're all tied into one server, and ideally they would be separated, but most likely they're all on their own business network.
Speaker 2:
Now, that being said, if a hacker gets over a punch, yeah, there's not a whole lot he or she can do. However, potentially they could hurt somebody with it. Not that they would do that on purpose; most times they'd just do a ransomware attack and try to get money. But the part is, if that system becomes infected and is up for ransomware, now it's unavailable, and maybe some process is happening and it could potentially hurt somebody and the whole facility. So it's important for you to have really good security on ICS. I kind of spent a little extra time here just because the ICS environment is a huge part that has just gone underserved, and I will focus on the water treatment facilities for where you live. That's under an ICS, and you know what?
Speaker 2:
As a security professional, like we mentioned before in this podcast, you should be using your skills for good and helping those people, not for evil. Not... and really you shouldn't do any for evil at all, but you should definitely be doing them for good. So that's what I'm going to talk about with the ICS. Okay, that's all I've got for you today, so I hope you all have gotten a lot out of this podcast. Again, go to CISSP Cyber Training and check it out, or you can go to my other site, that's reducecyberrisk.com, if you're looking for a security professional to help you with your security needs. Reduce Cyber Risk can help you with that.
Speaker 2:
Again, all purchases at CISSP Cyber Training go to a non-profit, the Shepherd's Hope, I think is what it's called, and that will be fully live and active here in December. Yes, I have to get that done, but all funds are going to the Shepherd's Hope, and it's for adoptive families. So anybody who is looking to adopt a child that really needs extra help: this is what all the funds from CISSP Cyber Training go to, to help those people, because it is extremely expensive to adopt a child, and that's what our ultimate goal is, to create something to help people out, because in reality, there just needs to be more help, right? We just all need to help more.
Speaker 2:
All right, I hope you guys enjoyed this. Again, go to CISSP Cyber Training, get access to all of this content. Again, this is a small subset of section 3.5. There's at least another probably 20 more slides that we go through on all those aspects, and this is all available at CISSP Cyber Training. All right, have a wonderful day and we will catch you on the flip side. See ya.