RCR 071: Understanding Multi-factor Authentication to Pass the CISSP - CISSP Training and Study

Feb 10, 2020
CISSP Cyber Training
RCR 071: Understanding Multi-factor Authentication to Pass the CISSP - CISSP Training and Study
39:46
 

 

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will provide CISSP training for Domain 5 (Identity and Access Management) of the CISSP Exam.  His extensive training will cover all of the CISSP domains.

  • CISSP Article
  • CISSP Training
  • CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at:  https://shongerber.com/ 

CISSP Exam Questions

Question:  096

At what voltage level can static electricity cause destruction of data stored on hard drives?

  1. A) 4,000
  2. B) 17,000
  3. C) 40
  4. D) 1,500

1,500

Destruction of data stored on hard drives can be caused by 1,500 volts of static electricity.

From https://www.brainscape.com/flashcards/physical-environmental-security-1004067/packs/1774328

------------------------------------

Question:  097

What type of physical security controls focus on facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures?

  1. A) Technical
  2. B) Physical
  3. C) Administrative
  4. D) Logical

Administrative

Administrative physical security controls include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

From <https://www.brainscape.com/flashcards/physical-environmental-security-1004067/packs/1774328>

------------------------------------

Question:  098

Which of the following is typically not a culprit in causing damage to computer equipment in the event of a fire and a triggered suppression?

  1. A) Heat
  2. B) Suppression medium
  3. C) Smoke
  4. D) Light

Light

Light is usually not damaging to most computer equipment, but fire, smoke, and the suppression medium (typically water) are very destructive.

From https://www.brainscape.com/flashcards/physical-environmental-security-1004067/packs/1774328

------------------------------------

Want to find Shon elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

TRANSCRIPT:

What color do Service Podcast episode 71 understanding multi-factor authentication to pass the cissp reduce cyber risk podcast where we provide you the training tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is and I'm your host action-packed informative podcast you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam all right let's get going hey good morning everybody hope everybody's doing well this beautiful day it's it's a great day here in the United States and I can't complain whatsoever the weather starting to warm up so that's always a positive trying to sound like an old man I talked about the weather a lot but unfortunately life isn't that kind of seems we're goes back to but yeah it's it's interesting interesting day this past week and we had bought a new car for my children so yes it's very interesting I've got so many of them at home that would end up happening is his I got various levels of cars in various states of disrepair from they leak fluids all over the driveway to they're actually drivable so it's a very fun time this time in my life I had one that asked me that looked at it we sat in the car and Mac goes I like this car cuz it really is it yeah it's pretty cool it's a little Toyota sky on or something like that and it it's it's got like 200,000 miles on it and I've been paying a lot for it but he likes the car so that's always a positive but then I've got the other children all looking at it going to get one it's interesting interview out there that are studying for your cissp have children you can relate if you don't have children bless you you're probably very very fortunate right now so you know what it's great thing and not again kids are great they are put the different signs in your life. So much so everybody's going victories of my children so we're going to move on to the next topic and so today we are going to talk about multi-factor authentication and how you would need to know to pass for the cissp exam and it's pretty important that you understand multi-factor and it's also important that as you deal with cyber-security within your organization and your career you're going to deal with multi-factor in multi multi phases of your life and in various places in your life and patient and then that the topic of single sign-on they get used very ubiquitously $10 was playing a $15 word right there so I would listen to a podcast actually books on tape and these big words if these English guys or maybe Australia another there more English cuz you hear a lot of people out there that are really good on books on tape their English so if you're an English person that's in England than you are listening to this podcast with have I have quite a few that do you should get your career in reading books on tape cuz you could do well or both voiceovers gentleman out of hid Global and they're obviously what he was trying to sell some he's I think a sister or a cissp with them at Jeff Carpenter is director of cloud authentication at hid Global and so this is an article that he had put out a little while back but it talks about how the differences between a multi-factor and SSO are important his lesson in conversation is because you will you will hear people talk about SSO and and it and it for me I'll be honest I even the dentist at one point in time was kind of using them simultaneously but they're they're not and and they're very different so what the big thing that they talk about is he brings up in this part here is that the simple user IDs and passwords are there no longer good enough for most the most vulnerable information and I honestly would probably challenge a little bit of that and say they're not good for much of anything but they were designed back when the first computers first came out to limit some level of access control we met that mention that on the podcast numerous times that usernames and passwords are just really bad idea I'm too if you are a cybersecurity person that is studying for your cissp that needs to understand the vernacular at security Now is Steve Gibson really really good podcast super super nice guy and provides that great cybersecurity fundamentals security fundamentals and it actually more than fundamentals he gets deep dive into stuff that's just pretty amazing I like listening to it when I get a chance so I'd highly recommend you go check that out but he talks a lot about passwords and he'll really they are just useless and we we really need to look at ways to move beyond the simple user ID and the password asking what is multi-factor Authentication multi-factor it does it uses multiple verify the person's identity and then allow the access to this systems of software systems data whatever you want to call it but it is using fat different factors about you it's what you know what you have who you are and what you do and where you're at and you're probably glistening us in your drive to work or whatever you going what what are you saying will break this down just a little bit what you know is typically the password right so you remember XYZ QWERTY 1 2 3 4 5 6 7 8 which is really bad password to use that but that people have used it it gets down into areas that are more not designed for a PG audience people will write things that are more in the mature audience but those things are the key passwords that people use location number recovery questions which are terrible by the way cover questions or easily so that's what you know and typically in the past while today everybody uses usernames and password what you know now what you have is the next topic and that's where it can be a smart card Fido token of one-time password Bluetooth devices Apple watches so on and so forth another some really cool things happening and I know Google put something out now that you have to have more or less will you cannot have to have you can put in place a use your phone as that second factor of what you have and that utilizes Bluetooth that connects to your computer which acts as a multi-factor token so someone can't just log into your device they have to you have to have your smartphone with you that would them Bluetooth to a device which would act as that second token which is a really cool idea and I think it's what people need to utilize those kind of aspects more then as he built more influence with the company he now has more in his security and he's learning is that he has all these great ideas about security which are super good they're awesome but you got to be very careful how fast you roll it out to people because most people don't understand technology like you all do that are listening to this podcast. So that's where it comes into his you have to start people off slow with your trying to influence people insecurities and therefore one of those things I say all of that because if you're going to utilize but Google putting out with the Bluetooth devices for your multi-factor authentication you need to build them into that slowly and I think it's a great idea bleeder crawl them into that stays cuz you try to push them to Fashions of Technology unless you're in a technology company and most people will lock up they will not allow it and they will election hurt your influence with a company so smaller I really need to put these things in place immediately cuz you feel like the risk is there you want to continue your ability to influence people so you sometimes have to start off a little slower and then ramp up sorry that grass on that one but it's important who you are biometric authentication chest is your fingerprint or face recognition and we'll get into bio here little bit of challenges with that it's really good and helps out a lot and now that you have a fingerprint scanner that's on your smartphone that makes it much easier along with face recognition pretty cool but bottom line is is that you don't that's what you are so what you know what you have and who you are and then what do you do what you do and where you're at and this is based on GPS IP addresses which IP addresses are really poor idea because they your most of those IP address change and therefore it adds a level of complexity of the last pass a good example of that it will base it off of location and if you log in with your computer from a different location or even sometimes just even the same location that the proxy will pick up that hand I'm now Dallas and I'll say that you haven't logged in from Dallas before that's really not the case so then it ends up adding more turn to the car versation however it's good because if you want to make sure that you get to notification knowing full well that you have that token so they can't get in and use the combination of a password physical token and Biometrics to reduce the risk of data breaches and they do and they are at that's why people recommend them that's why companies and countries recommend them if they are at a really good factor to have good thing to have can be hacked in the account of talked about this a little bit we're now people have gotten accustomed to mash in the button mashing up that what they call it the fingerprint scanner so like you all of a sudden you go ahead I got to login to Office 365 won't now I got to mash the button I know that I have to match the button and then I get in so what's Pavlov's dogs where the little bell rings and everybody starts to salivate that's the same thing that happens right you you end up logging into Office 365 or some other application you didn't get a notification on your phone that says You must do match your finger on your smartphone which you do and then you are in for the bad guys know that's what they're doing is as they are there Example The Office 365 login they will send you a phishing email you click on the link redirect you to a a pseudo Office 365 login would you think I'm here then they are stealing your creds so you're using a password they're stealing that and then what they're doing is they're acting as a man-in-the-middle they didn't take your creds they didn't put them into the real Office 365 connection which then and turn the the multifactor kicks in and you're expecting this because you're expecting a while I put my creds into Office 365 now I get the little multi-factor thing comes up up there it is I mash my finger on it and now I'm in but the problem is you're not in the hacker isn't out yet so those are things that keep keep in mind that they're not perfect he's right and the mouse and so the Jesus. Right you're the cat in the mouse right so if you're the cat or the mouse the cat always trying to get you while there's always there always come up with new ideas so this cat-and-mouse game that we play now the downside of multi-factor is it can be cumbersome and that's technical I can be very difficult to manage on the in device for second Factor if it breaks if you if your system multi-factor system breaks now people can't get in that cause of challenges Dollar's application such as Google Authenticator QR code scanning all of those things add additional complexity if your deal with the population that does not understand the technical QR code these things and Google Authenticator things people that start to just basically they don't want to do it because I don't understand it so I didn't technology is changing so quickly for people I mean I can't even keep up with it I can only imagine how frustrating and overwhelm it is for most people because it is overwhelming for me and I've been doing this for 20 plus years passwords over text okay so what are the disadvantages people like those they're not the most secure in the world actually not but people like him because they can write to her SMS so they're texting so that's that's interesting it doesn't mention before it gets people accustomed to mashing the quote unquote or quote easy button or the just a little button that makes him happy so you mash the button so those there is a downside to that what Jeff said sweet selfie a lot of my commentary as well but that's what he had so he then he comes into goes says what is single sign-on now single sign-on is very straightforward and the ultimate goal of it is is to reduce the amount of times you had a map put in your username and password why is this the case it's easier for the user right makes it a whole lot easier to just entered it once and you're always in to it helps Foster the conversation with the user that maybe just maybe they'll may use very complex usernames and passwords SM away from having multiple username and passwords that are all identical because what ends up happening is people will make they'll just have them all the same and and so now the hacker gets one who gets them all so SSO solution is a much more secure solution for storing the are the various credentials that you may have with the various pieces of applications are software that using within a network so it again it's it's just it takes the credit and it logs in for you and remembers all these passwords at one time all these passwords is really only one password password to login concluded now you can incorporate SSO with multi-factor so that do your first login attempt that uses your username and password and then ask for multi-factor pin enter that pin and now you're in the game now made it inside that application and it's very quick and convenient for the user so it's highly recommend that you do utilize SSO especially if you can use it with a multi-factor solution there are risks involved with some of this and it basically credentials of third-party applications can be stored internally rather than for external systems which is not really a risk to positive for us and it does reduce the risk for you the only thing I've noticed is ideal with more and more third parties and we have access to these third-party that you can integrate with SSO with these third parties and makes it a much more seamless environment and as one of these third-party contractors are becoming more and more part of our networks having sso-a nsso solution integrated into your network isn't even more valuable so if your small company easier for people so just consider that when you're putting it when you're trying to understand SSO and how it work within your within your company specifically Bush's actor does get access to SSO Boom game over that's all she wrote Texas in place to avoid that spins deploy with strong encryption and Authentication consider with that is if you get into countries that have encryption requirements or you can't get encryption into these countries due to encryption regulations what regulations are like import export regulations that can cause challenges so keep that in the back your mind you could do a denial service to yourself where the Doss goes down or SSL goes down you now lose access to your entire apartment that's a bad thing we don't want that cuz then people are screaming at you because you tell your fault it's like it's crazy woman I heard that once in a while when I was dating your get that beautiful young woman you're you're dating her she's awesome you like all this could be cool and then all of a sudden your head starts spinning around on top of her shoulders and she just sits and it's all your fault I listen to me are probably all just turning off my podcast and saying what you you just your terrible well guess what I do a lot of ladies that have the same thing with guys have going there just really really strange so we as humans we are just unique there is no question about it we are very strange SSO you guys are all probably going this is all over the place yet sorry add Kick It In so are both coming take care of the issues and they help mitigate a huge risk when you're dealing with people users logging into your environment it was convenient it is but there are some security risks with it and ffos more medication is more secure but is not the most convenient thing in the world has the best that's approaches out there there's some things you need to consider when doing that Tony's also said he had some approaches that he had put in here Jeff did of is requiring secure MFA at sign on a start of the day and then it's basically allowing these SSO to continue for the rest of the day I'd highly recommend that but it also set up when you said your multi-factor that would be awesome however people made kind of complain a bit on that one just because it's just constant make him grab their phone again if you have to work through and see if that is a viable solution or not require additional verification such as MFA does help anyways far as accessing most sensitive data so if you have the super secret skunkworks area within your business that people have to get access to you may want to just require multi-factor every time that login or every 15-20 minutes sqc there if you're worried about a foreign company or country stealing your how to make a fuzzy cat fuzzier then that would be probably something you want to worry about however I don't see a lot of demand for how to make a fuzzy cat fuzzier so you may go Overkill and again as a security person would you mind risk getting folks all risk I can't always just try to make it like Fort Knox and tighten it all the way down it's just that's a bad bad idea I using criteria such as location roll seniority and those things to help with authentication I would not use the North or seniority just because anybody can be hacked and it's not necessarily just individuals their account and just because a person deal with you a long time does not mean make them a less of a risk for your company so we got two different aspects going on here you've got your network the old with a company honestly many cases that could also tend to make them more more of a risk just because it's specially if they've been there a little smaller season like myself and the company singing we're probably going to let you go overall it means vessel so can buy with security benefit give businesses a security posture and confidence and they do I like MFA is very very cool Cloud application that hid Global and he's 15 years in cybersecurity so he's good he's worked with cross-match and RSA and Dell big names that are out there so the dude has a good understanding of what he needs and he's a cissp and a ccsp the SPF Cloud security professional certified Cloud security so he's at you know stuff and it's is a good little article but you can catch that out at hid global.com I multi-factor authentication so you can search for that you can see more with Jeff all right so that's all I have for that piece of it we're going to roll into the cissp training that you need to know for your exam and this would be objective 5-2 management implementation and single multi-factor authentication at is a mouthful to get started I got to put a plug in a shout-out go to Sean gerber.com check out all Mighty Isis featuring it's there as well as volume of training is available for you to study for cissp exam so I've got example questions out there we've got the cissp mini course it's available to you and I also have my entire cissp training course that is available for you and that is an awesome price go online you find it anywhere you will not find it any cheaper than that I mean it really because it's seriously but you can check it out Deshawn gerber.com and with that you get all my content plus you get access to me and we can chit chat through some emails and back and forth little bit if you have any questions so go to Sean Gerber, that s h o n e s my parents are awesome Gerber like the baby food.com alright let's roll into our cissp training daily management implementation we talked about how this when you're setting up your identity management and we talked about alter necessarily previous aspects authorization so one aspect would be is you are dealing with let's say Google or you're dealing with Facebook that could your identity could be decentralized is it going to be in various locations and they're using a single sign-on take capability to get you you edit your credentials in one time and now you have access so those are the two different types of centralized and decentralized Guinness use more more seeing more of that as we mentioned in the previous part of the podcast you authenticate once and the resources do become available to you and then it have does avoid multiple password so is your taking the cissp those are some key terms understand is it's it's using one-time login it's b-boys multiple password and it's very valuable for convenience for employees so keep that in mind. A downside it is again of accounts compromised they do have greater access into your environment so those are considerations around single sign-on now to deal with ldap vacation this is a directory-based service and they uses a central database stands for light direct lightweight directory access protocol this is a directory we're basically all your network services and assets are located in and there's certificates that are built into ldap not as you're logging in your your single sign-on will integrate into ldap and that's what controls your access and that's how it supports the single sign-on so if as all these things interact together then what ends up happening is his date these things basically keep the credentials that allows you to log into your environment and so that's where you get into the centralized control with single sign-on so that's an important aspect to an overall overall to understand how identity management works within most environments various forms you communicate that within your company you could utilize that capabilities well we used to copy the smart cars and you could always copy what they look like but you can never copy the data now they probably can now you can probably just transfer the data off of a smart card I would be willing to bet you can and put it onto another smart card if you'd be very simple I would think any equipment highly probably out the market purchases very quickly so but the thing is it was cool as we would use a smart card as people to see why you have a smart card so you're allowed into the network and when they would do that is what you're allowed in the building so we just flashes smart car and then we would just walk in I saw they had a policy around the fact that it's more than just a hey you got it you see somebody that has the credentials hang around their neck that doesn't mean that they they belong there until we we didn't so many funny ways on that we actually would we copy this marker which isn't easy that we also use a piece of paper and made a photocopy of it put it into a little what do you call it little Ben those little things that hang on your neck and over the top of a debit card Hartford hotel and people just is funny anyway all right. Device authentication is a mobile that basically you don't have to be part of the domains it such as like in the case of a ping ID you can install an application on there on your mobile device and it allow you to log in through multi-factor and type that in your good to go while we do with that in various places around the world and I will have third parties that will come in and we will push out to them ping ID and then they can utilize that as a multi-factor cuz I get it authenticated back to Ping ID and then it also have tied into our networked environment so they it when someone logs in with their multi-factor authentication it allows them access biometrix these are the most capable and fingerprints with mobile devices I say that however my daughter can look at my wife's phone and unlock it's kind of scary so it's interesting to see how it's not infallible it is still work so it's not a perfect solution it just is one more barrier to reducing people from getting access into your network legal could be involved whether we should be dealing with multi-factor and Vinnie re Vanessa so if they're storing any sort of credentials do you need to make sure that they are connected to it it is such a big deal if it's here in the states I mean it still is but if you're getting into other countries such as the EU that does there is some conversations that need to occur about that service authentication This is highly targeted by attackers and why is it because what ends up happening is if they can get access to this then they can get access to your entire environment and they can get 24 by 7 access which is what I used to do you would Target people sanitation it once we get there. Now we could act as them 24/7 okay 365 and that's what they want to do cuz everybody else in two environments and they they're usually maybe it's around the country so it's at least say Ukraine or any place other than United States and they're attacking somebody within the United States they're working usually through the evening to it to go after people that are in the United States working during the day so once they get 24 by 7 access they can go back to their normal hours just like everybody else and that's what they want to do cuz why would you not want to work on normal hours like everybody else so passwords they don't change much obviously didn't never change Eminem cases and people or if they do they just Integrations of the original password so yeah it's kind of interesting processes certificate-based authentication complex passwords and they all are integrated with password Vault and you need to consider password vaults for your people and give them the tools that they can best protect their passwords Guild accountability with multi-factor in SSO and all these other aspects you need to have trust in vigils obviously in systems and processes within your network now the people need to be trusted cuz you can't run a business about trusting your people people let you down that's going to happen but you want to avoid all access authorization so a bill bill is got access to all of the credentials he's a God or God that has access to our Network so he should be is the awesome dude or bad idea for Bob have access to everything looks like it was a basic Tagalog yeah that one right there at the tell people about that account of a little mean that pops up saying I'm always watching because then when people they will keep the majority people want to do the right thing however drink convenience they do things that are it'll keep them more along the straight and narrow so it just that people like that against amendment gives a lot of comfort that makes me really happy alright so again accountability access granted proving identities can you make sure that they are those people are who they say they are auditing logging and monitoring you need to put in place to even if it's just basic something is better than nothing and then you need to communicate all the employees and tell them that yes you are watching what they are doing and then it keeps them in track of already had a couple situations where people say liking it I'm just watching it I'm just letting them know the last one and session management basically it's managing access the systems prevent unauthorized access based on the session screensavers display random patterns and screens you know it's kind of the session you maybe have it set up for that session times out and then those things will kick him cuz he want to put some level of session management place because what can also happen is if people like the say they log into your Banking and your browser is open you added in your pin and all of your identification and you never close out your browser well if you don't have a session management that was in time that out after a. Of time that account could stay open internet browser and they could be someone could get access to it so you need to set up some sort of session management around your credentials to tab in timeout and Banks do a good job of this but you need to consider that within your organization to especially if you're looking to protect your data free process out there is the owasp. Org is what it is and for your company is all I have for questionnaire for topics on the cissp study around multi-factor SSO that's a 5.2 now we're going to roll into some cissp exam questions alright at what voltage level can static electricity cause destruction of data stored on hard drives a 4000.b 17,000 40D 1500 what voltage level can static electricity cause destruction of data stored on hard drives thousand seventeen thousand 1500 1500 bolt of static electricity can destroy your data stored on hard drives so good thing you want to avoid that and one avoid carpet in where you have data center Danielson want a little moisture in there. A lot a little talk about that last week or on some of the questions I have a little bit of moisture would be good and you can check out that questions of these coming up that brainscape they have flashcards out there around that next question what type of physical security controls focus on facility construction and selection site management Personnel controls awareness training and emergency response and procedures what type of physical access or security controls focus on those things administrative C logic logical seasmoke deee-lite is RISD light is usually not damaging to most computer equipment again unless it's a lazer a lazer a movie but it isn't about fire smoke all that stuff suppression systems will destroy your equipment something to consider there alright I hope you guys enjoy this I will we will have more of my questions you can find out that Shawn gerber.com but I hope you have a blessed and wonderful week will catch you on the flip side my podcast tell Richard gerber.com and look at all the free content that I have available for you there is a cissp mini course free cissp exam questions podcast and so much more it's all available to my email subscriber so sign up if you want my personalized cissp training you with your cissp need so you can pass the test the first time thanks so much for listening will catch you on the flip side CPR

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!

LEARN MORE | START TODAY!