CCT 232: Managing Authentication in the Modern Enterprise (CISSP Domain 5.2) - VIDEO #1

Mar 09, 2025

Identity management sits at the core of effective cybersecurity, yet many organizations still struggle with implementing it correctly. In this comprehensive breakdown of CISSP Domain 5.2, we dive deep into the critical components of managing identification and authentication systems that protect your most valuable assets.

Starting with a timely examination of the risks involved in the proposed rapid rewrite of the Social Security Administration's 60-million-line COBOL codebase, we explore why rushing critical identity systems can lead to catastrophic failures. This real-world example sets the stage for understanding why proper authentication management matters.

The episode walks through the essential differences between centralized and decentralized identity approaches, explaining when each makes sense for your organization. We break down Single Sign-On implementation, multi-factor authentication best practices, and the often overlooked importance of treating Active Directory as the security tool it truly is—not just an open database for anyone to query.

For security practitioners looking to level up their authentication strategy, we examine credential management systems like CyberArk, Just-in-Time access models, and federated identity frameworks including SAML, OAuth 2.0, and OpenID Connect. Each approach is explained with practical implementation considerations and security implications.

Whether you're studying for the CISSP exam or working to strengthen your organization's security posture, this episode provides actionable insights on establishing robust authentication controls without sacrificing usability. Don't miss these essential strategies that form the foundation of your security architecture.

Ready to master CISSP Domain 5.2 and all other CISSP domains? Visit CISSPCyberTraining.com for structured learning materials designed to help you pass the exam the first time.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:  

Hey, I'm Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today we are going to be getting some awesome content around Domain 5.2, and this is managing identification and authentication of people, devices and services. So if you're just new and just tuning into CISSP Cyber Training, we go through the CISSP training on Mondays, followed up by questions related to the content on Thursdays. The ultimate goal of CISSP Cyber Training is to provide you the content you need to pass the CISSP so you don't fail it like I did. So that's the ultimate goal of it. You can go to CISSP Cyber Training and get access to my content. They have various videos out there as well for you. We've got various content that's on the internet and also this podcast that can help you. If you want a more structured approach to CISSP, you can actually purchase some of my content and/or my blueprint that will help you, step you through step by step on the CISSP and get you ready to pass the exam the first time. Again, the ultimate goal is to help you pass it, and that's one thing I struggled with was I didn't know what to do. The terms didn't seem like they made much sense. So that is why I stood up CISSP Cyber Training, and we've been doing this now for a couple of years, so there's some really great content to help you with your exam. The other great part about all this is that it helps you in the cybersecurity space whatsoever. It helps you understand the overall goals around it. So it's pretty cool stuff. But before, without talking about all that, we'll get into the training just in a second.

Speaker 2:  

But let's pull up this article that I saw today in the news. So this is out of Ars Technica and the article says, "What could possibly go wrong?? DOGE is to rapidly rebuild the Social Security code base." Now, yeah, this will be interesting and the sad part is it could be very bad. We all know, I know there's sometimes we get a little ahead of our skis at times, and I am all for, in some respects, DOGE going in and cleaning house because, being in the military and understanding the government, I know there's a lot of waste and I also know that my taxes are really, really high and there just needs to be some streamlining that needs to occur. And we all know that this exists; doesn't matter what side of the aisle you're on, whether you're Democrat or Republican, you know that it's there in some form, shape or another. The interesting part is going to be, though, is what this article talks about is that DOGE is going to go in and they are going to go and tie into, or basically going to rewrite, the code in the Social Security Administration.

Speaker 2:  

Now, we know the Social Security Administration sends a lot of money to a lot of people around the country and around the world based on that whole entire program, so one of the points that was brought up in the article is that over 60 million lines of COBOL code is set up to take care of people, which that does not surprise me in the least bit, and it's not all code that's been built upon, that has been just designed, this application, and it's running. No, you know as well as I do, if you've been listening to this and you understand development whatsoever, it has been an iteration over gazillions of years for this to occur, so you know there's a lot of challenges with it. That being said, basically, they said some previous modernization efforts were delayed due to COVID-19, because they've been wanting to do this for a while. Obviously, some major risks that come into this is, if you've done development work, trying to rush something, we all know we run into problems, right? You can run out of code. You hit it into prod and you're like, oh wait, why did I not see this in test and in lab? And so now you're in a position of going, this is not good, and things break. And then there's all kinds of people, and now, because you're dealing with money and benefits, oh my gosh, you're going to have people with pitchforks and torches waiting for you at the gates of the city. So it's not going to be interest... well, I should say it's not gonna be good. It could be very good, right, especially with AI, and that's kind of.

Speaker 2:  

One of the thought processes is that they're going to use AI assistance to help accelerate the code conversion, but it's going to require a lot of testing for this to occur. So I guess Musk is the one that's spearheading the project and pushing the SSA to grant full system access to DOGE recruits. Yeah, I'm all for this, but yeah, it should be interesting. One of the articles around it was there's a lot of skepticism and concerns related to it. I wonder why. Yeah, if anybody's been in development for any period of time, and I am by no stretch an expert in development as far as going everything that you could possibly deal with, but having a development team that worked for me (again, we didn't use AI type activities, so we were not in the ones that were dealing with the new capabilities that are out there) and also having some development work with some folks in my last job, AI is going to revolutionize it, no question about it. I just don't know if it's going to be the timeline that they have and what's their plan around it. But then again, if a guy can get a rocket up into space and have it land on its own, working with a bunch of really smart people, heck, anything's possible. So we'll just see what happens. It's either going to be an amazing effort and save gazillions of dollars, or it could be like one of his latest rocket ships and burn up on reentry. So let's hope it's not the latter. We want it to be a positive experience for everybody and save us lots of money. Otherwise it's going to be just a mess. Yeah, all right. So let us get into what we're going to talk about today.

Speaker 2:  

Okay, so this is Domain 5, 5.2, Managing Identification and Authentication of People, Devices and Services. So, identity management implementation. Now, if you've talked with anybody in any sort of cyber or IT space, identity management is an important part. It's almost one of the key, foundational parts of any sort of cybersecurity strategy within your company. Now it falls into basically two types of categories that identity management falls into: your centralized and your decentralized. So centralized, it's verification within one entity, whereas decentralized, various entities perform the level of authorization for it. So again, you get two different compartments, two different components that you're dealing with.

Speaker 2:  

Now we're going to kind of roll into single sign-on. And what is that? Now, this is used more and more within organizations and it's really designed for you to authenticate just one time and then the resources become available to you. They can become available from an application standpoint. They could become available for granting permissions to SharePoint, to different areas. But it's basically you authenticate one time and then the resources are there. Now it avoids having to remember multiple passwords.

Speaker 2:  

Now the positive is that we all know people reuse passwords all the time. I'll be honest, I reuse them on little crappy sites that I don't really want anything from. If I have any of my payments and so forth that are in there, I have different, very complex passwords that I use for those, as well as multi-factor authentication. So the point is that everybody uses multiple passwords in various cases. So single sign-on gets you to the position where you only have one password tied to that one account. Now the downside is, if that account is compromised, you gain greater access, and this is where you'll have to do the layered security and through there. But again, it's one of those pieces that is important for most companies to implement, because they've looked at the fact that if I have one password and I have forced complexity related to it, it's much more secure than, and I watch everything, I have defense in depth, it's much more secure than if I allow people to have multiple passwords on multiple systems and multiple applications, because then it just makes it much more challenging. So single sign-on is one of those that you'll see more of, and if you don't have one within your organization, you may want to consider it.

Speaker 2:  

Now, when we're dealing with implementation of IDM, there's also some different areas that go into this as well. So you've got your LDAP. So your LDAP is your centralized directory services, the lightweight data directory access protocol, and this is what you deal with with your Active Directory. That's really what LDAP basically is. It's a hierarchical data storage. It's all in there and then it's efficiently queryable and retrievable. So you can query the different, and applications can query your AD environment, and then it can bring that back and it can utilize those services as needed. It can utilize those accounts.

Speaker 2:  

Active Directory is a security tool, and Active Directory is probably one of the most important capabilities within your company and it should be protected as such. Too often you'll see Active Directory being used as a database and people are able to query it. They're able to gain access to the different data that's in there and there is no real good checks and balances around it, and that is a bit of a challenge. You really need to have some strength in your LDAP environment. Now, the great thing about LDAP is it does improve your security and your compliance, right? It gives you the ability to keep all of that in one spot. It's able also for you to watch it in one spot. That being said, I know there's a lot of, there's a big move afoot to move away from LDAP, and I know Azure has got their own Azure type of AD for the cloud, but it's simplified administration. It gives you the ability to keep this all in one house, and then it also allows you to scale it and make it very flexible.

Speaker 2:  

AD has been around for a long time. I mean, I'd say, like, since the dawn of the internet; not quite that early, but it's been around a long time. And because it's been around like that, and it's because it works so well, and therefore why break something, or why fix something that isn't broken? Now, it does have its issues, right? It is broken in some areas, but it is what most companies put throughout their organization and there's a lot of benefit because of the fact that they do that. So now we're going to get into single-factor authentication, or SFA. Now this is where you have one form of authentication, e.g., a password, and that's your single-factor authentication. It's very simple, ease of use, lower security, right, obviously, because you only have one form of authentication and there is a higher risk of compromise.

Speaker 2:  

So you want to make sure that if you're using a single-factor authentication, which is typically just a password on an application, that you force some level of strict controls around this password. You know, obviously you have long characters, multi-complexity and so forth; we try to talk to people about make sure they're using passphrases of some kind, especially for the length. But in today's world, where so many hacks have occurred, you have to assume that pretty much every password has been compromised multiple times. And the cool part is there's a lot of tools out there that will look at those and tell you, hey, by the way, your monkey butt password has been compromised. You need to change it. You need to consider that as well. If you see that, please change it for your own safety and those around you. When you're flying an airplane.

Speaker 2:  

All right, multi-factor authentication. This is where you have two or more forms of authentication. This is your password and this is your one-time password. Or this is your one-time password, or this is the part that you get a code that comes to your phone and says, hey, you know, enter in this one-time multi-factor password. You enter that in and that is what allows you access to the application. Now, it's something you know.

Speaker 2:  

Obviously, we talk about the something you know, you have and you are. Something you know is your password and PIN, right? You know those passwords. You know the PIN that you have. It's a secret that is only known by you. Something you have would be a smart card or a one-time password token. Now that token can be something that's physical. It could be like a fob, a key fob. It could be on your phone. Those are different pieces, but it's something you have. It's a physical device of some kind. Something you are is your biometrics, your fingerprint, facial recognition. Your phones now will look at your bios, right, look at your face. I remember the first time when a lot of those were coming out, my daughter and my wife could actually use the bio together and it would say, oh, look, it's Trish. Oh wait, look, it's Trish. It would do that. So you need to understand that that has come a long way from where it was before. But that's again something you know, something you have, something you are, and so those are all key pieces when you're dealing with multi-factor authentication.

Speaker 2:  

Now, the pros of this obviously is enhanced security, reduced risk of unauthorized access. There is that ability behind it. The downside is the complexity. We know that, with, as having an aging parent, multi-factor authentication is a challenge for her. Now she doesn't do a lot of online stuff. But, that being said, adding more levels of complexity can cause some challenges and it does have some inconvenience to the users, because now I'm like, oh my gosh, I've got to go look at this code on this phone. What a pain. And you're going to see that, right, that that's going to happen, but for the protection of them and the world, it's much, much better.

Speaker 2:  

Now you need to understand when you're looking to deploy any sort of multi-factor authentication. You need to have user training and awareness. Ensure that your people understand what they're getting themselves into. You also need to consider how does it integrate with existing systems? This has happened a lot where I've seen people want to roll out multi-factor but they don't understand how it's going to interact with the other applications that they have within their stack.

Speaker 2:  

You'll get a lot of people with applications, multiple applications, wanting to deploy multi-factor, deploy the tool, just to realize that, well, yeah, it's not going to work the way I want it. If I want to deploy it to all my other applications, I'm going to need to buy this add-on. Or it's just not going to work, or they're going to have to recode it, all kinds of aspects. And so, as a security professional, and you're looking, especially as you're dealing with, I deal with architecture a lot in this, you need to really think about it from a strategic point of view of, okay, if I bring in MFA, how is it going to interact with my applications? What applications will it work with? Which ones will it not work with? Also, if the vendor tells you, well, yes, it'll work with all applications, take that with a grain of salt. You need to do testing on your own to make sure that that is the case, because not all applications are alike and, as you saw, we talked about just briefly in the article, if you've got 60 million lines of COBOL code, yeah, it may not work too well in some respects. There's gonna be a lot of bolt-ons to get you to that MFA sweet spot. That in an MFA pan, yeah, nirvana.

Speaker 2:  

It's also balancing security with usability. You've got to really think about that when you're dealing with security, and I talked to some of my consulting friends earlier here, one of the key aspects around it is again being the office of no. In security, we all often become the office of no. No, you cannot do that. No, you cannot do that. You need to make sure that you balance security with usability, because, again, people still have to make money and they have to make the business work, so it's got to be able to be used within your company.

Speaker 2:  

Now, device authentication. There's different types of device authentication related to single and multi-factor authentication. Mobile, obviously; mobile devices, you do not have to be part of the domain and you can have the app installed, such as Ping ID. Really great capability. I like Ping. Ping works really good, very seamless. Again, a couple steps you have to do to get access to it, but it does work very well. Biometrics, you've got to have that are mobile-capable, right, your fingerprint within your mobile device or your authentication of your face within your mobile device. All of those things can come into a factor with your mobile.

Speaker 2:  

Storage of personal data. Again, though, when you're dealing with multi-factor authentication, because you have a storage of personal data in many companies, depending upon your regulatory place and where you live, if you're in the EU, China, different places around the world, if data is stored, it may have to be stored locally, and if you are outside of the organization or outside of the country, say, I'm an American getting access to European data, there's specific steps in which you have to comply with to get access to this. One of the requirements they would have is that you have multi-factor authentication involved, and so that's a big, big factor. You also want to have your legal team and your compliance team. Obviously, anytime you're dealing with storing of external data, you want to have them involved. I have brought them in time and again and they've saved my bacon in numerous cases where there's a thing that I did not think about as a relation to the stored data. Again, to look at it this way, you understand cyber. They understand different aspects of data and the legality that goes around it. Between the two of you, though, they don't understand cyber; you don't understand those as well. Between the two of them, together, you become a very potent team and you will do very, very well. So it's important you bring those folks into your overall conversation.

Speaker 2:  

Now, when you're dealing with multi-factor authentication, something to consider, obviously, is it's highly targeted by attackers. Why is that? Well, because of a couple reasons. One, it's 24/7 access into your environment. You can gain access by having a multi-factor PIN. It's ubiquitous, it's 24 by 7. What do bad guys and girls like to do? They like to hack on their time, not on your time. So if they can hack when it's 4 o'clock in the afternoon in Mumbai, hey, more power to them. But if they have to hack at 4 pm on Central time, that's a pain in the bottom. So again, it's highly targeted by attackers.

Speaker 2:  

Now, the passwords that are tied to MFA, they do not change much, if ever. I've seen this where, what most times happens, you set up your password for MFA, yeah, it stays that way forever. And I've even seen MFA passwords to gain access into it is like eight characters. They're anticipating that because of the fact that you have your phone, you have that password and you have your multi-factor authentication token, that you've added enough layers of protection there, you don't need to worry about it. So, yeah, that's a bit of a challenge. So, since that's the case, you need to utilize certificate-based authentication, and that basically means that if I have my computer, I get a certificate from Company X. Company X installs that certificate on my computer and now it's a trusted computer. So that's certificate-based authentication. Again, it's a cryptographic hash that you're using to say, hey, Sean's computer is good. Can they get access to those hashes? Well, they'd have to have internal access to get that hash. So it does, it adds another level of protection for people trying to gain access. Complex passwords: if you do have to change passwords, force complex passwords and not the eight character, no super exclamation point, dollar sign thing.

Speaker 2:  

So you want to make sure that you try to incorporate complex passwords as much as possible. You also want to integrate this with password vaults, i.e., CyberArk or something very similar to it, because the more you can integrate with your password vault, then you now incur and you increase the security of the overall platform itself. So, again, that's an important part as you're looking at deploying MFA within your company. Now, when you're dealing with accountability, you have some different aspects we're going to get into. We're getting authorization. So, again, trusted individuals and their systems and processes. This helps to avoid an, air quotes, "all access" authorization. So when you have authorization within Active Directory, within utilizing MFA, you want to make sure you avoid that. Hey, when Sean logs in, Sean is a demigod, let Sean have whatever he wants. Yeah, no, we don't want that. That's bad, that's real bad. So you want to help avoid those all access authorizations and you really want to have it again.

Speaker 2:  

Like we've talked about before multiple times, it's RBAC, role-based access controls. These controls are granted on a very granular permissions, only specifically for the role, the individuals or systems that need the access and the accountability for the, or need the access. They're the only ones that have access to that data, and that system auditing will help ensure accountability and responsibility. Again, you really want to audit these systems. I highly recommend, if they are, you have to understand your critical apps. So, talking with a company and they have a set of critical applications, if I'm a security professional, that is my target. That is what I'm looking for. I want to make sure that any account that goes into those applications has been audited. Anything that is a non-user-based account would have higher, in my mind, have higher auditing capability against it, more increased logging and monitoring. And the reason is because, knowing bad guys and girls, they want to go after service accounts and different types of accounts that will gain access to these critical applications and not be seen by the rest of the world. And service accounts are it, baby. You get into a service account that has 24-7 access, full read-write, yeah, then game over. And then that's where they end up having the god permissions or demigod permissions, and that's not good either.

Speaker 2:  

Accountability: access is granted on proven identities. Again, we talk about the identities is an important part, and this is why single sign-on or some sort of IDM is an important aspect of proving you are who you say you are. We talked about auditing, logging and monitoring. Always have those in place to help ensure accountability, and then communicate to all people. And the reason I say you've got to communicate to people what you're doing: one, legally, got to do it, right?

Speaker 2:  

If you're monitoring people's activity, got to let them know. Hey, I'm watching you. Be very careful, I'm watching you. Yeah, you got to let people know, right? Second thing, though, you do have to do is, by telling people that you're watching them, you don't tell them what you're watching. You tell them you're watching them. So then they put the fear of heaven and earth on them, of going, well, maybe if I do something bad, they will say something. I've seen that, where I wasn't monitoring something and somebody made a mistake, they contact me and say, hey, I know you're watching everything, but just in case you see something come across, this was me. I'm like, yeah, thank you, I did see that, that was very interesting. I didn't see it, but I saw that; that's good. Again, you're building that overall rapport with people. I know that's a little white lie.

Speaker 2:  

Computers, and these are multiple systems and applications. There's an authentication and authorization that occurs when you have a session that's stood up. Now you can set up these sessions, these connections, to be timed or not; depends upon the situation. I would put a timer on them of some kind, and that timer will be tied either to a session token or a cookie that's tied to it. These session times are important because of the fact that if, for some reason, it gets lax, or I should say it's not active, it will then disable the connection, and so you don't leave open a connection going 24 by 7 for 365. I was going to say 465 days; that's the way I feel some days, but no, 365 days a year.

Speaker 2:  

Session maintenance: you want to ensure that your session timeout policies are set to what your corporate standards are going to be. If there's keep-alive mechanisms for people, like cursor movement, what is that? Does it move? Do you have to actually type something? You could have somebody that sets up a program that just kind of moves their mouse around and keeps it alive. But what are the keep-alive mechanisms versus it timing out all the time? Is there a bar, something that pops up and says you have five minutes left, you have two minutes left, so on and so forth? A lot of banks will do something similar to that. And then the session renewal and re-authentication. If someone's session does go out, how do they renew it? Do they have to go through the entire process to do this, or is it something very similar, such as entering in a PIN or something like that? So it just depends on your overall organization and how you want to set up the timeout and keep-alive mechanisms.

Speaker 2:  

Now you have session termination. Now session terminations can be explicit logout, where at the end of the session it goes, you're out, got to come back in, you're out, you're kicked out the door. There's idle session timeout, where it might just sit and it'll idle for a little bit, and then slowly time out, which we kind of just talked about briefly. If it's sitting there for a period of, you know, five minutes and there's no activity, then it will time itself out. There's forced logout on security events, which basically means if they notice that you're using a password too many times, it will then dump you out as well. So there's different types of session termination.

Speaker 2:  

You can add to this: if there's a security event in your organization, you can kick everybody out. I would highly recommend not doing that if you can, unless you're like, OMG, the Huns are at the gate and they're storming the gate right now and they're about ready to breach the wall. Then maybe you would hit the nuke button and kill everything. But as soon as you hit the kill-everything button, yeah, then life is going to get real challenging, real quick. So use that very sparingly. It's like taking a cyanide pill; you only get one shot at it. So, yeah, don't do that.

Speaker 2:  

Security considerations: you have session hijacking prevention. This is what happens when you deal with your session will get compromised by somebody else. This is why the timeouts are so important, because if it's sitting there idle and someone's able to compromise it because it's been sitting idle and they're able to get access, the timeout will then kick them out and it'll put that extra level of detection and defense in there. Secure token storage: do you have a way to store that on your system? Most tokens can be stored in an encrypted format and it would be highly recommended that you do that, but they don't have to be, and so that might be something for you to consider. And then encryption of the session data: any session data that's going back and forth across those two applications, you may want to encrypt that, and that, again, would be highly recommended. Depending upon your area of business, you may be required to do so based on governmental regulations.

Speaker 2:  

Now, registration, proofing and establishment of an identity. So registration begins when the user provides identity. This identity would be a driver's license or something similar to that that proves you are who you say you are. I'm Sean Gerber and my ID is from Kansas, right, and I look like a mule. Okay, that probably wouldn't be the right one.

Speaker 2:  

Now, the more complex you're going to be, you may have to have some sort of biometric set up for this, and you'll need to schedule time for that. A company that I'm working with, they have biometrics in place and they have a palm reader and they have eyeball scanners and they have all these different aspects that are there for you to allow access for you into their facility. If you want to gain access to that, you have to go through all of the little hoops. You got to schedule time. You got to, it doesn't work, got to redo it. Yeah, it's a pain in the bottom. But if your company requires that, it just will take more time to get those things set up.

Speaker 2:  

Company proofing is an example, right? So we'll use the driver's license. You have to go to the DMV. When you go there (this is the Department of Motor Vehicles in the United States) you have to prove your residence. So I know Sean lives in X in Kansas, right? He has a bank statement from there. I get a utility bill from there. I've got a birth certificate saying, yes, Sean was actually born and Sean does exist. Sean has a social security number, yes, which is probably going to get managed, mangled and destroyed by DOGE, but I have a social security number. So all that stuff is tied together to make sure that, hey, Sean is who he says he is.

Speaker 2:  

Another one that's actually just come out recently here in the United States is the gold star verification. This has to be done, I think, by March of this year, if I'm not mistaken. Everybody has to have this gold star verification, and especially for what you're dealing with with passports, you have to have it. So, again, proving you are who you say you are. In the past, you just needed a note from your mom saying, hey, this is Sean. And they're like, oh, okay, that's fine. Yeah, we'll take that. In today's world, no, and now it's a pain, right. So you go to the DMV and you're like, do you have your five different statements? And you're like, huh. And they're like, no, you've got to have those. They say, yeah, you are who you say you are because, through your DNA match, you are Sean Gerber. No, not quite yet. I'm sure that will happen at some point.

Speaker 2:  

So one thing you're dealing with, key aspects around, again, knowledge-based authentication. Again, this is designed to identity-proof someone new to an organization, and this is usually a series of multiple choice or fill-in-the-blank questions, right? How much is your mortgage payment? If you go to check your credit, they'll ask you a lot of questions just to gain access to your credit. How much is your mortgage payment? How much is your car payment? Do you have a loan through XYZ for your car? Do you live at XYZ address? What is your mother's maiden name? What is her student name? What is her Marvel Comics name? I don't know, right. So you can add different kinds of things to this, but the ultimate point is that you identify, identity-proof someone who would be potentially new to an organization.

Speaker 2:  

Now, does this happen in all organizations? No, it does not happen in all organizations. Not at all. It does happen, just specifically it happens in companies that are a little bit more concerned about security. That being said, if you're dealing with CMMC, that's your Cyber Maturity Model Certification, you're going to have to have some level of this in place for CMMC. You're going to have to. It's moving in this direction. So if you don't have it now, I would highly consider putting it in place, because you're going to be required to at some point, either directly from whoever you're contracting with, or even through the different subs that you may have. Now there's authoritative queries that occur, right, credit bureaus. So if they go out and they can prove that Sean is who he says he is because they hit your credit, there's governmental agencies, and these queries also limit the amount of time required to complete the forms and so forth.

Speaker 2:  

If I haven't said it yet on CISSP Cyber Training, freeze your credit. You need to go in and freeze your credit on all of the three main credit bureaus: TransUnion, Experian and Equifax. Definitely go in and do that. You, as a security professional, you need to do that specifically because your stuff gets hacked all the time and that would really look bad if your stuff got stolen too. But it's also one of those things that we talked about, using your powers for good, not evil. You can teach other people how to do that. I help a lot of elderly people in my local community to freeze their credit and put it in a situation where their stuff doesn't get compromised, because it's one of the things that bothers them the most. And, in reality, a lot of them are living off of a very limited budget and if their finances were compromised, that would be super, super bad.

Speaker 2:  

Okay, federated identity management, FIM. All right. So this is SSO integrated into the internet, i.e., Facebook, Google and so forth. So if you notice, you go to Facebook or you go to an application, I'm going to log in. I'm going to go into... I want to see the calendar for hairless cats that are out there and you want to go see it. Well, what do they have? They have SSO signed in for Google, right? You're Seanblanketyblank at Google. That's it.

Speaker 2:  

It's common on internal networks, but it can also be used on the internet, so you can use it internally. You can use the federated identity, where your Google email address will pass the credentials across into your environment. This works really, really well. I mean, it's a neat, cool tool. Now, not everybody has Google, so therefore you have to come up with a plan to have your own federated situation, or maybe you have to force them to do Google. But there's different types of pieces that go to this. Internet providers are typically a third-party service. Cloud-based providers can use federated identity management, or FIM, which is their form of SSO. So it does, again, stand beyond the single organization, and then organizations can join the federation or a group if they want to. So what it basically comes down to is you utilize Google's tool instead of you using Ping, but, like I said, not everybody uses Google, so therefore you have to run the risk of, okay, if they don't use it, what do I do now? But again, federated networks can be composed of multiple networks, not just one. So it is a really great tool and it's a really cost-effective tool if you want to deploy it to your organization.

Speaker 2:  

Now, federated networks require a standard or common language. Now there's different types of language. I'm going to get into a couple of them. But you've got SAML, OAuth and OpenID Connect, which is OIDC. Now, in these examples, Google and Facebook credentials will gain you access, right? So we'll get into just one of these here as we go into SAML. So some various operating systems that require a single standard language would be your service providing markup language, or SPML, and your SAML, which is Security Assertion Markup Language, otherwise known as SAML. SAML is probably the most prevalent within the organizations out there, but I've seen both SPML and SAML.

Speaker 2:  

Now your Hypertext Markup Language, this is your HTML. So that's a typical markup language that's out there and you see the common use. If you're looking at this video at CISSP Cyber Training, you'll see that it's got basically the brackets of your heading. You've got your I for your italics. Actually, no, it's an H1 heading, and that's "CISSP rocks". And then you have your close ampersand, whatever, that's called slash H1. So those just basically mean a heading. You have your HTML. Again, you can write all of that out and it can be done. Or now you have readers that are set up within the browsers that read that and then provide you that output. You have Extensible Markup Language, which is XML. Now this describes data with tags, which is allowing for easier import and export. So, like you have, for example, CISSP, challenging, right, slash CISSP. So it's just making it out there where there's metadata, meta tags, based on adding it to the line, adding it to the markup, and the point of it is then you can search on those tags as well. So it makes it much more granular than just having data that's sitting out there in the etherworld.

Speaker 2:  

So what are some common markup languages we talk about? What are they purposely for? So HTML, obviously, is used for creating websites. That's an important part. Tags help define the headings, the paragraphs, the links and so forth. And then you have XML, this is your Extensible Markup Language, and this is used for data storage and transport. And then again, those have very customizable tags dividing data structures. So you will see both of them used, but I would say with XML, I would just think of data, data storage and data retrieval. With HTML, think more of the web pages and the data that's sitting out there on a page itself. A lot of that's more static than dynamic. You have the lightweight markup language there. Again, this is where it's used for formatting plain text and it actually adds a lot more value to the overall product.

Speaker 2:  

So we talked about tags and elements. These help define the structure and the presentation. The attributes, these provide additional information about the element specifically. So, again, you have your element, then you have an attribute, and these elements can be nested within other elements. So basically, I don't know how to say it other than they're nested. You have them inside each other. You can have that, but the attributes will provide more information and the attributes are really an important part. If you really want to have granular data access controls, you need to consider adding attributes to help you with that.

Speaker 2:  

Now, as you're dealing with applications, again, we'll kind of re-summarize a little bit of that: web development in HTML, XHTML; data, we've got XML and JSON. JSON happens a lot, especially within AWS. You have a lot of JSON language, markdown language on there as well, or markup language, and then documentation is your Markdown and LaTeX. So the one piece that's interesting when you're coming into documentation standpoints is that it will allow you to add this kind of level of documentation. Like a wiki page is a good example of that, where this markup language is built into the wiki page and it gives you a lot of flexibility to be able to document what is actually occurring within your company. And I've seen guys use this in different ways. There's Confluence, there's Wiki, there's man, there's a couple different ones that are out there and you just have to kind of decide which one.

Speaker 2:  

Within your organization, a lot of SecOps teams will use a wiki page of some kind for their internal storage because it allows them to, rather than having a document... So it's something to kind of think about on governance. Rather than having a document that says you must go do X, Y, Z, they will then throw this into a wiki so that it's much easier: they hit a webpage, bam, they've got it. They can make modifications on the fly. It's just a really great tool. The downside is it's not a structured documentation process, and I think when you're dealing with specific things, such as a job aid or something that's very specific around tasks, these wikis work really well, but you want to have some level of standardization and structure around your governance process. I know I kind of went off on a tangent there. But, as a security professional, just because you can get it done faster does not mean it's done the most correct way. So just kind of keep that in the back of your mind.

Speaker 2:  

OAuth 2.0, now this is the open standard to delegate access. Again, an example we're going to kind of walk through: you're not logged in with an app, right? So what do you do? You download this app and then you are redirected to an approval screen to access your Facebook credentials. This then would approve it. You hit the button, mash the button, say yes, allow it. I am not reading anything in there about what you're doing with my data, but I'm going to allow it because I want access to Facebook or to the app. And then, once you hit approve, the app allows access via the Facebook account that was created. So that's OAuth 2.0. And it's very similar to what we just talked about a minute ago, but they're just different types of standards that are out there. But this is OAuth as an open standard specifically. Now, OpenID, this is an open standard but maintained by the OpenID Foundation. That's decentralized authentication and it does provide an OpenID identity to a site and then the site shares the data. So it's very similar to what we've talked about in all of these, but OpenID was a standard that stood up.

Speaker 2:  

I know Steve Gibson with Security Now, really great podcast. If you guys want to go check it out, I highly recommend it. OpenID was one of his big things that he promoted and was very supportive of. The dude's brilliant, very smart man, extremely brilliant. But the OpenID Foundation has a lot of really great stuff and it's good that there's another standard out there versus just having the one or two that were available. Now we're going to deal with credential management systems, which we talk about on CISSP Cyber Training a lot.

Speaker 2:  

These actually are very, very important for your company and you need to consider utilizing them in any form and fashion you possibly can, and in many cases, regulators will require the use of these because they see the value in them. Now, because they're so bloody expensive, not everybody can afford those, so you may have to come up with your own version. I don't mean you create one. I mean you may have to use something that's a smaller version, like KeePass, that is more of an enterprise-based solution that's a little bit cheaper for people. Now what does it do? It provides storage for users when SSO is not available. It stores their creds for websites, network resources, you name it, right.

Speaker 2:  

There's various options available for embedded SaaS and free programs that, depending upon the size of your organization and what you can do, help you ensure super-duper strong passwords are set up. Now, one thing to consider is when you log into this password database, basically is what it is, you need to have a super-duper master password that is like killer strong, like 4,000 words long. It's monster, right, probably not quite that long, but it needs to be long and it's something that you would obviously remember. You then also need to integrate multi-factor, either through an authentication mechanism such as a Ping ID or facial, or both if you want, but you need to incorporate some level of multi-factor in that because, as we know, with the LastPass hack that occurred just recently, they got access to lots of data and some guy's crypto got stolen because of it. So I have LastPass down here as an option. Yeah, they're an option. Probably not the best, but they're an option.

Speaker 2:  

But so what are some different options available to you? You've got Microsoft Credential Manager. You've got LastPass, KeePass and CyberArk, again, depending upon what you want to deploy to your organization, and, like in the case of Credential Manager, that is for Microsoft shops; if you have Azure and so forth, they will have that available to you. If you're going to be dealing with a large enterprise, then CyberArk is probably your best bet to go down that path. And CyberArk works great. It's an incredibly great program, but it's incredibly expensive, so not everybody can do it. KeePass is another good program to look at, but again, there's lots of them out there. You just got to decide which one works best for you and your organization.

Speaker 2:  

So I kind of talk about CyberArk here. As you can tell, I've got a love fest with CyberArk. I think it's awesome. I've used it. It's so cool. I can do lots of great stuff. It's just really expensive. Sorry, I keep going back to that. I'm kind of cheap, sorry.

Speaker 2:  

So then when you're dealing with CyberArk, you have username and password storage. It's SSO enabled. It does have logic for check-in, check-out. It does record what you are doing. It can do that. So if you have people that go in and check stuff in, check it out, it can watch what they do, when they do it, what time they do it, and you can have monitoring set. From Jakarta? You might want to flag that, right, because Billie Jean doesn't live in Jakarta and that could be a situation where we've got a problem.

Speaker 2:  

It's got service account integration. I've used it with service accounts. It forces rotation of passwords. With service accounts it can do a massive DDoS on your environment if you configure it incorrectly. Yeah, don't do that. That would be bad. Didn't happen to me, thank God, praise Jesus. No, it did not, but I've seen it happen to people and that is really bad.

Speaker 2:  

So you want to make sure that if you do deploy PAM to your organization, you have a really good plan on how you're going to manage it. Just in time. Okay, so federated identity with just in time. We'll get into this a little bit. This is an important part. It's coming out now. I highly recommend just in time, but it can cause some drama within your organization if you do it incorrectly.

Speaker 2:  

So what it does is it creates a connection without any administrator intervention and it helps you get access just in time, just as you need it. So one example would be like your HR benefits. So a user visits the internal site with the benefit site associated, right? The user travels to the benefit site, the information is exchanged, the account is created, the benefit site is then based on the user connecting, all that stuff is stood up and it's just in time. It's ready to go, right? Life is good. However, if it doesn't work, then it causes drama, which you've got to deal with, but it works really well. Probably 90% of the time it works. There's that 10% that you've got to fuss with, but when it comes down to it, it's awesome.

Speaker 2:  

SAML will be required, but it provides significant flexibility as you're incorporating SAML, and that's just the applications being able to talk back and forth, and this again comes back to the attributes and the use of those. The process will start with a third party verifying the user is logged into a trusted organization and then, once it's complete, they send the required information, which would be name, email address, employee number, so on and so forth, and basically that data is transferred back and forth. So it's a really great tool that works awesome when you're trying to deploy it, especially in HR environments. Now it's a temp.

Speaker 2:  

Another aspect you can use just in time for is a temporary elevation of user privileges for specific tasks. So if you need to elevate their privilege to go out and manage a database, it can go, hey, I need access to this database for this period of time. What ends up happening is a process kicks off, goes to the supervisor, the supervisor approves it, boom, access is granted, and it could be set up for a very limited time. You will get two hours, you get two days, you get whatever. I have it set up typically for around a day to two days, I mean because, honestly, if a hacker is going to get it, they're going to. They have to know a lot of the processes to be able to manipulate this just-in-time piece of this. So I do leave the window open a little bit longer. And again, that's up to the risk of the organization and what they're willing to accept or not. But what it comes right down to is I do recommend putting a time window on the access for these systems.

Speaker 2:  

What are some features around it? It minimizes long-term privileges. Again, you don't have demigod credentials forever, so there's a reduction of the risk of misuse. It's got on-demand access. It provides you the information just as you need it to complete the task, or within a small window. And then there's automated provisioning, which is streamlined access management and so forth. So again, all that stuff can happen in a very streamlined and automated process. So what are some of the benefits? It's got enhanced security. It limits exposure to sensitive systems, meets regulatory requirements for least privilege, and again, that's a big, big factor, especially if you're in a regulated environment. It reduces administrative overhead. So there's a lot of efficiency that goes with it.

Speaker 2:  

Now some considerations to consider. Again, you've got to have a good policy defining the clear rules for use of just-in-time access. You really need to have that hammered out and down to a science. Auditing and monitoring: you've got to watch it. You've got to log activities and don't just blow it off going, well, hey, I've got just-in-time, I don't need it anymore. Yeah, you still need to watch these things because in most cases just-in-time is set up on critical applications or critical data and therefore, if it's critical, it's critical for a reason. You want to watch it. Integration: it has seamless integration with existing IAM systems. It can work very, very well with those, especially ones that are updated. Will it work with 60 million lines of COBOL code?

Speaker 2:  

Probably not, but it will probably work with something that is in the interim. Again, the ultimate goal is it helps you with getting into a much more secure environment. Okay, that is all I have for you today at CISSP Cyber Training. Head on over to CISSP Cyber Training. You can get access to this content and so much more just by going to CISSP Cyber Training. You also can get it by purchasing some of the content I have there. You get all of it anytime you want, 24 by 7, it's available to you. You can also just listen to the podcast if you want.

Speaker 2:  

But if you're studying for the CISSP, you're going to want to have this content in front of you and not just have to try to go and fish through each of these emails. I have it priced extremely reasonably. I mean really. I mean I have a mentoring part which is a little bit more expensive. That's if you get with me. But if you just want the CISSP, I have it set up so it's extremely reasonable for you, and it's for that specific reason. You can spend $10,000 and go to a boot camp, or you can take my CISSP Cyber Training and have it at your own pace, and it's like 1% of that. So it's extremely reasonable.

Speaker 2:  

It's there for you. It's highly useful. I mean, I'm just going to be honest with you. You get way more content for the cost of what's going to be put into it than you're actually paying for. So I highly recommend, go to CISSP Cyber Training, check it out. If you are a security professional, or if you need a security professional, you can go to ReduceCyberRisk.com, that's my consulting side of the house, and at ReduceCyberRisk.com you can gain access to me or to my network of people that I work with. Again, ReduceCyberRisk.com and CISSPCyberTraining.com. Okay, have a wonderful day and we will catch you all on the flip side. See you.
