Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
Alright, let's get started. Let's go.
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and hope you guys are having a beautiful, blessed day today.
Today is July 4th, so here in the United States, if you're listening to this, it is our Independence Day, so it's a good reason to go out and blow up a lot of money, that people go and just explode stuff all over the skies of the United States. It is actually super impressive.
I don't know if I mentioned this on one of my podcasts before. I'm a pilot by trade, and so in the old days I would take up my girlfriends and we would go look at fireworks as they're being shot off, in my airplane, and it is just beautiful. Now that I've been married for 30, how many years?
Oh gosh, think about this on the radio or on the podcast. Yeah, a few years, 92. So, whatever, that is 32 years. Yes, I've been married 32 years, been with my wife for 35 years. So, yes, I haven't taken a girl up in an airplane since my wife was the last person, which is good, which is very, very good.
That's why I've been married for 35 years, or 33, whatever. It is a long time, really, really long time. But yes, so yesterday I went out and got pictures taken with my family, and it was fun, got a lot of those done, so it was an expensive endeavor, but we have a total of about 15 adults in my family now, so it's growing quite quickly.
But you guys did not call and get on this podcast to hear about this, but you did hear. I wanted to hear about the CISSP and domain six, and so that's what we're gonna get into, domain six of the CISSP. But before we do, there's just one article I wanted to bring up that I saw as it relates to SaaS cybersecurity.
So if you're not familiar with SaaS, that's software as a service, and the majority of many different companies operate in the SaaS environment, and this comes from Forbes. There's an article out there about threats and mitigation strategies for SaaS environments.
Now we've talked about all those in CISSP Cyber Training, as far as many of these different ways, and I'm not going to go over anything that is new to you than what you may have not already heard, but again, a lot of people come and listen to this podcast. They come in, they go out, so it's new stuff to them on a routine basis.
So real quickly around the SaaS, this article from Forbes talked about some of the different statistics around the overall SaaS environment, and they're saying that around 96.7% of organizations will have at least one application within a SaaS environment.
And I will tell you that when I was a CISO, it was growing exponentially, the number of applications that were ending up in these software-as-a-service locations on the web, and so one of the things that came up was how do you deal with the security around these?
Because what's happening is now the software, instead of being inside your network, protected by your stuff, it is now in somebody else's network, being protected by their stuff.
So you want to make sure that you do a really good understanding or risk assessment of these SaaS providers, because in many cases you may have some of your most important data sitting out there in somebody else's cloud. Now, again, this has become a bigger problem because over time, the article says, it's been overlooked for a while.
It depends on the size of the organization. I will say maybe small organizations have overlooked them just because, hey, this is cool software and I can put it in place. A good example of a SaaS product would be, for my businesses, I use QuickBooks, right? So QuickBooks is an accounting software and it takes care of all of that aspect. Well, that's SaaS.
It's software that's in the cloud and it deals with all of our accounting for our various businesses, and so that's the point of why it's become a bigger problem.
Well, now, as there's getting more regulatory pressure, AI expansion, and then also the increased risk of overall breaches or incidents that may occur on the web, this is getting a little bit more focus. So, rather than spend a lot of time on this, I'm just going to kind of get down to the nuts and bolts of it.
You have obviously different types of attacks, right? Your supply chain attacks, credential exploitation, multi-factor bypassing. There's different ways you can get into a SaaS environment, and so you need to kind of understand what are some of these different attack vectors, and so they talk about what are some best practices that you can do.
Well, one, obviously, is data encryption. So you want to, when you talk to a SaaS provider, now we mentioned this in saying, you know, that it's in somebody else's, your stuff's in somebody else's stuff. What we're trying to talk about is you're going to have to do a risk assessment, and this is kind of what we go with.
Today's lesson or podcast is around 6.3, and we get into security assessments. You're going to want to do a security assessment of these SaaS providers and you're going to want to ask them some key questions.
Now, there's a lot of things out there, and I'm actually going to be putting out a security assessment questionnaire that'll be available to you on Reduce Cyber Risk, so you can go out and get that and use that questionnaire to help you.
But there's some key questions you're going to need to make sure that they're doing if they're going to be your SaaS provider, and one of those is in relation to data encryption. You need to make sure that the data that they're storing is encrypted. But you need to ask questions a little bit deeper than just going, hey, are you protecting my data?
And they're going, yes, we give you encryption. Oh, thank you, and you walk off. No, you want to ask more questions than that. But data encryption is a key standard that you want them to make sure that they're putting in place, because if they get pwned, which odds are high, somebody's going to get pwned in many of your SaaS environments.
You want to make sure that if the data gets stolen, which it will, okay, just make sure you set that up, it will get stolen, it is protected to the highest level possible. Multi-factor authentication: need to make sure that they have enabled multi-factor authentication. Change Healthcare, good example of them.
Not enabling multi-factor authentication and, boom, you have a $22 million ransom payment and, yeah, lots of gnashing of teeth, and after about a billion dollars later they're going to finally get back to square one. That's really just burning a billion dollars. I'm sorry, it's just ludicrous. It is. It's not smart.
Account access protections: you want to have IAM policies in place. Again, you want to have the ability to deny by default versus access controls. You want to understand their access controls. Who do they allow access to your data? How many people have access to your data?
Lots of questions that you're going to need to want to have answered, especially if you're looking to do any of their software that is going to run in your, actually, your data is going to be inside their software, in their environment. And then you want to make sure they have reliable authentication for their cloud providers. Who are their cloud providers?
Those are other big factors you need to be aware of. And then real-time data protection and backups: understanding what is their backup strategy. How fast can you get backups recovered? What are they doing around their backups? Are my backups commingled with other backups?
It's a lot of backups in one sentence, but bottom line is you want to make sure that they are doing their due diligence to protect your information. So that's just the nuts, the basic skinny around a SaaS provider and the security that goes into this. You guys have plenty of applications that are out in SaaS environments.
I know you do, and you're going to have more, and so, as you are studying for your CISSP, you obviously are going to be in a position where you're going to try to influence your organization's ability to protect this SaaS software. So here's a good way for you to begin the process. Again, go check it out. You can go to CISSP Cyber Training.
You'll be able to see this video as well, as you'll be able to gain access to other resources that are there. Also, you'll be able to check out Reduce Cyber Risk.
That is going to be the site that I'm just slowly getting up and operational, but that is the site that will be offering up various services, such as virtual CISO, security architecture aspects and assessments, so that'll all be available to you as well. Okay, so let's get started on the CISSP training for today.
Okay, so this is group seven questions, 15 questions, and this is, you'll be able to see this, this is part of the overall series that we have available on CISSP Cyber Training, and all the videos will be there for your consumption.
Well, actually, before we get started, one interesting funny tale. Since this is Fourth of July, I've gotta have one digression. All right, had 4th of July at our house a couple years ago, right when they were building our home, and had all my kids out there, and we decided to shoot off a bunch of fireworks. Shot off some fireworks and we were done.
Across the street was the dumpster that they had been using to build a house next to us. We threw all of our stuff into the dumpster. I made a poor decision and did not put water all over our fireworks. About 20 minutes later, I have a low-kitting dumpster fire in my front yard. It was pretty cool, actually. It was like flames shooting up.
It was impressive, yes. And then try to put out fully raging flames out of a dumpster fire when you have wood and all kinds of fun flammables inside there. Yeah, that was a good time, that was a great time, but so don't do that. Piece of advice: do not throw fireworks in trash cans without thoroughly dousing them and letting them sit out overnight.
Good idea, just wait a day before you do that. Okay, group seven. All right, this is when we're going to CISSP Cyber Training. We are getting into domain 6.3. And here are some of the questions. Okay, so which of the following is a black box testing technique? A, fuzz testing; B, static analysis; C, penetration testing; or D, code review?
So which of the following is a black box testing technique? And the answer is C, penetration testing. Black box testing focuses on assessing the system from an external perspective, or, basically, you don't even have a look, you don't know what it is. It's black box, it's an empty box, right, without the knowledge of its internal workings.
Pen tests will fall under this category and it will simulate real-world attacks, obviously by attempting to exploit vulnerabilities that you discover. So that's the purpose of the black box, is pen testing. Question number two: what is the primary purpose of a vulnerability assessment? A, to identify security controls; B, to evaluate risk exposure;
C, test application functionality; or D, validate encryption algorithms. Again, what is the primary purpose of a vulnerability assessment? And the answer? We'll go with the questions again: identify security controls, evaluate risk exposure, test application functionality, or validate encryption algorithms.
Now, all of those are good, right, they're all important to do, but the primary purpose of a vulnerability assessment is to evaluate the risk exposure. You identify weaknesses in the systems, the applications and the networks, and they do help evaluate the risk exposure by pinpointing vulnerabilities that potentially could be exploited by attackers.
Question three: which type of testing assesses the effectiveness of security controls during system operation? Again, what type of testing assesses the effectiveness of security controls during system operation? A, static analysis; B, dynamic analysis; C, regression testing; or D, user acceptance testing.
So what type of testing assesses effectiveness of security controls during system operation? And the answer is B, dynamic analysis. So dynamic analysis involves testing a system while it's running. Okay, we've done this many times when I had a development team working for me, and they would evaluate the security controls and the expected behavior that may be occurring.
It does happen, like right now. I'm doing contract work and we're doing application testing on some encryption capabilities, and so you wanna make sure that you're doing an effective assessment of that as well.
So any sort of testing you want to occur, you really need to do some level of static analysis, which examines the code without the execution of it. And then you also want to have the availability of doing regression and user acceptance testing, but those are different than your overall dynamic analysis testing.
Question four: what is the primary goal of a code review? A, identify security vulnerabilities. C, optimize performance, it's not C, it's B, sorry. B, optimize performance. C, ensure compliance with coding standards. Or D, validate business logic. So what is the primary goal of a code review? A, identify security vulnerabilities. You want to look for vulnerabilities.
That is how you do it when you're doing a code review. Now you want to make sure they adhere to your coding standards that you have set up and your best practices, and the ultimate goal is that you're looking through there to see if you can find any vulnerabilities. Potentially, again, that depends on the size of your code and your sprint.
It may be a very daunting task and you may miss some things, but at least you're doing it. The ultimate goal is to go through there. When you do your code reviews you will usually have a second party, somebody else. Like, so if I wrote the code, I'll have Bill, my neighbor, look at the code.
It's always good to have someone get a fresh set of eyes on your code, because you have a tendency, when you're doing your code, to overlook potential errors because, one, you have bias around your development capabilities and then, two, after you look at something 100 times, you just kind of gloss over it.
So it's always good to do a code review, to have somebody else, if not the group, look at your code. Question five: which testing technique involves sending malformed or unexpected data to an application to discover vulnerabilities?
Again, malformed or unexpected data to an application to discover vulnerabilities? A, fuzz testing; B, regression testing; C, boundary testing; or D, stress testing. So which technique involves malformed or unexpected data sent to the application? And that is fuzz testing, or fuzzing.
It involves sending random or unexpected inputs to an application to trigger unexpected behavior. Question number six: during a security assessment, what does a false positive indicate? Okay, what does a false positive indicate? A, a valid vulnerability; B, an incorrect vulnerability report; C, a successful attack; or D, a misconfigured firewall.
So during a security assessment, what does a false positive indicate? And the answer is B, an incorrect vulnerability report. Okay, that's a false positive. So basically, what it comes down to is it identifies a vulnerability that didn't actually exist.
Had plenty of times where you would do a report, come out and say that, yes, this web application is vulnerable to X, and you start digging a little bit deeper and it's like, yeah, no, that's not it.
But what a lot of times happened when we got a lot of false positives is we would have to do some sort of authenticated scanning, and when you do an unauthenticated scan you can get a lot of really squirrely responses. So authenticated scans are usually your best, but they do take more work to make those happen.
Question seven: which type of testing focuses on the interaction between the different system components? A, integration testing; B, regression testing; C, unit testing; or D, acceptance testing. So which type of testing focuses on the interaction between different system components? And the answer is integration testing.
Integration testing verifies the interaction and compatibility of various system components and ensures that they all work together as you are expecting them to. Question eight: what is the primary purpose of a security audit? A, evaluate system performance; B, assess user satisfaction; C, validate encryption algorithms; or D, verify compliance with policies.
So what is the primary purpose of a security audit? And the answer is D, compliance with policies. That is, in order to verify the compliance with your policies. That's the ultimate goal of a security audit, is to make sure that your policies, controls or standards are there and that they're being followed by your organization.
Question nine: which testing technique aims to identify vulnerabilities by analyzing the application's source code? So which testing technique identifies vulnerabilities by analyzing the application's source code? A, dynamic analysis; B, penetration testing; C, static analysis; or D, regression testing?
So which testing technique aims to identify vulnerabilities by analyzing the application's source code? And the answer is C, static analysis. Static analysis examines source code, configuration files or other artifacts to look for vulnerabilities, and you will want to do some level of static analysis on your code. Question 10.
What is the purpose of a threat modeling exercise? A, identify vulnerabilities; B, evaluate risk exposure; C, design security controls; or D, validate encryption algorithms. Okay, purpose of a threat modeling exercise, what do you think it is? And the answer is C, design security controls, right.
So you want to make sure that when you do a threat modeling exercise, you're identifying potential threats, right, risks to your organization and the vulnerabilities and possibly even the way they come in, and therefore you're going to look at your overall security controls and determine, if these threats or these vulnerabilities were existent, how would that affect your organization? How would you mitigate the risk? So it's a threat modeling exercise. We'll kind of help you with that. Question 11. What is the primary purpose of a security control assessment? A, validate encryption algorithms; B, evaluate risk exposure; C, test application functionality; or D, assess compliance with policies.
So what is the primary purpose of a security control assessment? And the answer is D, assess compliance with the various policies that you have in place. That's the security control assessment. Now, again, you have to decide.
I talked about before where audits, I usually typically consider that a third party, someone outside your organization, and assessments are internal. Now, when it comes to wording for the CISSP, the main thing you're going to want to understand is what is the output? That's going to be a big factor in determining if it's an assessment or an audit.
But personally, and in a real-world kind of situation, I like to use an assessment as something that I conduct internally, by my people, by me doing it, whereas the audit is usually a third party, whether it could be an audit from your own company or somebody that is actually paid to do this for you, but an audit is usually somebody that's a third party that's looking at it. Question 12: during a vulnerability scan, what does a false negative indicate? A, a valid vulnerability; B, an incorrect vulnerability report; C, a successful attack; or D, a misconfigured firewall. So again the question is, during a vulnerability scan, what does a false negative mean? It means a valid vulnerability.
See, it's that double negative thing, right? False and negative is double negative. What does that mean? It's a positive, so two negatives makes a positive. Aha, right, that's like electricity type stuff. No, so it's right. What you really basically want to come down to is, if it's a false negative, it is a valid vulnerability.
And this false negative occurs when the security tool fails to detect the actual vulnerability. And it's essential to minimize the false negatives to ensure you actually have the right security setup. But that's where you find it says, hey, oh, you're good, no problem. And then you realize, oh crap, there's something wrong there. That would be a false negative.
Okay. So question 13: which type of testing focuses on the behavior of an application under stress or load conditions? So what type of testing focuses on the behavior of an application under stress or load conditions? A, fuzz testing; B, regression testing; C, stress testing; or D, boundary testing? Again, what type of behavior under stress or load conditions?
And it is C, stress testing, right? So that type of testing is when the behavior of the application is under a stress or load position or condition. Question 14: what is the primary goal of a vulnerability scan? What is the primary goal of a vulnerability scan? A, identify security controls; B, evaluate risk exposure;
C, test application functionality; or D, validate encryption algorithms. So what's the primary goal of a vulnerability scan? And the answer is B, evaluate your risk exposure. Again, that's the ultimate goal of these scans, is to look for weaknesses, and therefore it can help you understand what your overall risk exposure to the world is.
Because, again, you need to know what's going on in your environment, and you may not have a good handle, but it's better to know something than to know nothing. So just not running scans, just going, hey, I'm going to put my head in the sand and hope that everything works out, yeah, that usually doesn't go well. You can try that.
You can try it, but I would not recommend it. Just don't work in security for any company that I work with, because that would be bad. That would be really bad. Question 15. Which testing technique involves analyzing the flow of data within an application?
A, data flow analysis; B, code review; C, penetration testing; or D, fuzz testing? Which testing technique involves analyzing the flow of data within an application? Look for the words data flow analysis, right.
A, data flow analysis examines the data, how it moves through your application, looking for potential security issues, input validations, data leakage and other access control challenges. I will say that you do testing, I've done testing, and you look for data flow analysis.
It's a very important factor in all of your security toolbox that you may have within your organization and what you use. So you will do it, you will do data flow analysis, and if you're a good security architect, you will definitely do data flow analysis. Okay, that's all I have for you today. Guys, we are excited. Again, go to CISSP Cyber Training.
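As an added example that is not part of the podcast, here is a small taint-tracking data flow analysis over a Python function, the kind of check a static analysis tool performs for the data flow analysis answer in question 15: it follows untrusted input through assignments, stops at sanitizers, and flags any sink call the tainted data reaches. The source, sanitizer and sink names and the sample function are constructed for illustration, not taken from any real tool.

```python
import ast

# Assumed names, chosen for this illustration: calls that introduce untrusted data,
# calls that neutralize it, and calls that tainted data must never reach.
SOURCES = {"input", "request.args.get"}
SANITIZERS = {"shlex.quote", "int"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}

def call_name(node: ast.Call) -> str:
    """Render a call target as dotted text, e.g. 'request.args.get'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def is_tainted(expr: ast.AST, tainted: set) -> bool:
    """True if the expression carries data from a tainted name or a source call."""
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in SANITIZERS:
            return False  # sanitizer output is treated as clean
        if name in SOURCES:
            return True   # fresh untrusted input
        return any(is_tainted(a, tainted) for a in expr.args + [k.value for k in expr.keywords])
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def statements(body):
    """Yield statements in source order, descending into if/for/while/try bodies."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from statements(getattr(stmt, field, []))

def own_exprs(stmt: ast.stmt):
    """Expressions a statement owns directly (test, value, targets), not nested bodies."""
    for _, value in ast.iter_fields(stmt):
        if isinstance(value, ast.expr):
            yield value
        elif isinstance(value, list):
            yield from (v for v in value if isinstance(v, ast.expr))

def analyze(source: str) -> list:
    """Per-function taint tracking; returns (function, sink, line) for each tainted sink call."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in statements(func.body):
            # 1. Any sink call in this statement fed by tainted data is a finding.
            for node in (n for e in own_exprs(stmt) for n in ast.walk(e)):
                if isinstance(node, ast.Call) and call_name(node) in SINKS:
                    if any(is_tainted(a, tainted) for a in node.args + [k.value for k in node.keywords]):
                        findings.append((func.name, call_name(node), node.lineno))
            # 2. Simple assignments propagate taint, or clear it when the value is clean.
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                tainted = tainted | names if is_tainted(stmt.value, tainted) else tainted - names
    return findings

# Constructed sample program (not from the podcast) exercising each rule above.
SAMPLE = '''def run_report(request, cursor):
    name = request.args.get("name")                  # untrusted source
    greeting = "Hello " + name                       # taint follows concatenation
    safe = shlex.quote(name)                         # sanitizer breaks the flow
    os.system("echo " + greeting)                    # tainted data reaches a sink
    subprocess.call(["ls", safe])                    # sanitized: no finding
    cursor.execute("SELECT 1 WHERE n = ?", (name,))  # tainted data reaches a sink
    name = "fixed"                                   # reassigned from a literal
    os.system("echo " + name)                        # clean now: no finding
'''
```

Running `analyze(SAMPLE)` reports the two sink calls on lines 5 and 7 of the sample and nothing else; the analysis is deliberately flow-insensitive and intra-procedural, which is where real tools add the precision that keeps false positives and false negatives down.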
Head on over there. Anything you purchase at CISSP Cyber Training, any of the products that you purchase there, all of that goes to charity. It's all heading to our charity, our nonprofit for adoptive families.
The ultimate goal of that is to provide resources available for families who wish to adopt children, because it can be very expensive. I mean, adopting a child can be $20,000, $30,000, $50,000 to do that, depending upon where you get your child and other different situations.
So we want to provide a nonprofit available for these folks to be able to request money, either on loans or potentially even a grant, depending upon their need. But we believe adopting kids is the most important thing in this world.
I've been called to do that, and therefore we want to put that out there, and any money that is brought in for any of the CISSP training will go directly to that nonprofit. So we're pretty excited about that. Still got to get the name right, though. We have been too busy with the 4th of July to actually hunt down a name, but the name has been.
It's close, it's really, really close, but I'll let you know once I have the name. You all will be the first to know about it. All right, have a wonderful day and we will catch you on the flip side. See you.