Hi, my name is Shawn Harris and I'm going to be an instructor for the 10 domains that are covered on the CISSP exam. I've been in this industry for many years, before anybody actually really cared about it. When I started in security, I said that I was very interested in it because it was complex. You have to really understand technology before you can secure it. And 10 years ago I was told, well, that's nice that you are interested in security, but you'll never have a full-time job in it. Well, not only do I have a full-time job, a lot of people have a full-time job in security because of the importance of it.

Hi, I'm David Miller. I'm going to be the instructor for this computer-based training course. I am a Microsoft Subject Matter Expert, a Microsoft Certified Trainer, with numerous certifications in the Microsoft arena. I've been a CISSP, CWNA, CNE, CCNA, Licensed Pen Tester, Certified Security Analyst, et cetera, et cetera, et cetera. I've been a computer consultant and network engineer since about 1990. I've been a Microsoft Certified Trainer since about 1998. And since then I've been a lecturer and author of multiple curricula.

Hi there, my name is Ken Mayer. I'm one of many instructors that are going to present to you the course on Certified Information Systems Security Professional. Now, I've been in the world of information systems since 1981, even though we probably didn't even call it that. I don't even remember what name we gave it. During that time I've had the opportunity to work in a lot of different fields, whether it was operating systems, servers, mainframes, infrastructure with routers and switches, whether it was with firewalls by Cisco, Juniper, or Palo Alto, or even on the Windows side of security, as well as working with CISA, CISM, and many other types of auditing courses and auditing work. I've also been involved in doing penetration testing, with clients that ask me to help evaluate their security.
So I've had a lot of, like I said, experiences in many places covering many of the different domains. In fact, for a short while there, I even worked in law enforcement to help with the ideas of physical security. Now, in this domain, it's information security and risk management. They used to call it security practices or security management practices. And we're going to go over kind of what they call the soft skills, development of policies, development of a risk management program, development of standards, and we're going to get into what security governance actually means and how to build a structure for that. We'll talk about the type of training and the type of awareness that needs to be in place. So in this domain, it's more of what a lot of people call the soft skills, because it's not overly technical. But this is where a lot of companies actually are moving into. A lot of companies have their head down in technology. And because of all the regulations, and now because security is a business issue, these things are much more important or get a lot more attention than they did in the past. So there's actually a gap in the industry of people who really know how to do these things, compared to configuring a firewall or configuring a KDC or something like that. So this is important. You may think it's intuitive and you understand it, but when you actually have to put it in practice, a lot of people have a hard time because it's a new thing. Now our mainframes, of course, got smaller, more efficient. They could do more different types of batch jobs. But at that time it was really interesting because that was a glass house. We called it a glass house where the mainframe was. There were only a handful of guys who actually understood how the mainframe worked, interacted with it, and actually when anything went wrong, they didn't just do a configuration like we do today. They went into the code and modified it there.
Now the mainframe, at that place, we all took our batch files to the mainframe for whatever job we had to have taken place. And then we figured out that processing needed to come closer to the actual users. So we moved a lot of the processing power from the mainframes down to the user desktops. Now why do you think information security is so important today, compared to five, seven, ten years ago? Well, seven to ten years ago we worked in this mainframe environment. Only a handful of people could interact with the system itself. So at that time who knew what TCP/IP was? Who knew what the OSI model was? What an API was? At that time, the knowledge about technology was very small, so there weren't as many people who could do damage. Now, as our culture has grown, we personally actually depend upon more technology than we realize. Health care, the energy that we use, and businesses can't run without technology. We actually take technology for granted; it's always there and it provides us a lot of functionality. Now anything that you really depend upon is a weakness. And so that's where the attackers have come in. The hackers came in and they knew that that was a weakness. Now in the beginning, hacking was just a lot of fun. There were just some teenage guys who had too much time on their hands, and it was very challenging to learn about the different protocols and to be able to carry out, you know, bringing down different websites or affecting something. But now that's actually changed. Hacking has changed from some kids who are interested in it to a much more organized crime. That's what we're going to get into: identity theft and the types of crimes that are taking place. But the reason that security is so important is because we're so dependent upon it. It protects our money. It protects our data. And as the technology came from the mainframe down to the employees' desktops, now they can interact with it, which means that they can make mistakes.
So there's a lot of reasons that security is important. It's going to be around for a long time. And now, it's not just general security information you need to know. People actually have to specialize, just like doctors have to specialize, maybe into web services, application security. So this is not going to go away. It's only going to increase because the complexity of our environment is going to increase. So if you look at our environment today, talk about complex. We have networks. We have routers. We have firewalls. But then we're growing outside these bounds. We have wireless. We have road warriors that have to communicate with the corporate environment and the assets. We're setting up things like web services, which allow different companies to use each other's services in open standards. We have cell phones that are basically computers. And the software itself is increasing in the complexity because we want more and more functionality. So our environment is going to only get more complex in the devices that we put on it and the software. Now, why does that have anything to do with security? Well, security and complexity do not get along. The more complex something is, the harder it is to secure it. Like in Windows 2000, there's 40 million lines of code. And that was Windows 2000. How do you secure that much code? So in our environments, not only do we have devices like routers and switches, we have software that works on them. We have operating systems. We have applications. We have users. And now we don't even have a closed environment. We're interacting with other companies, with the internet, with partners. So our environment is becoming much more porous. And the complexity of it is going to increase. And so if you're in security, you're always going to have a job. Now we're going to go through some security definitions. And this is a part that a lot of people think is simplistic and kind of boring. But what's a class without definitions? 
But on the exam, not only are you going to need to know the definition of a term, you're going to have to know examples of them, and be able to think about them in a cognitive way, in a real-world way. So we'll first look at a vulnerability. A vulnerability is a lack of a countermeasure, or some type of a weakness. Then there's a threat. Now the threat is that something or somebody is going to find out about that vulnerability and exploit it. That's what the threat is. Now risk. A lot of people don't have the definition of risk down. Risk is the business impact and the probability of that vulnerability being exploited. And then there's countermeasure. That's what you're going to put in place to protect the vulnerability. And then there's exposure. Exposure means you have a vulnerability. It's there. You're exposed to, maybe you don't have antivirus in place. You're exposed to an infection. Now there's actually a lot of types of vulnerabilities. And you need to think outside of the box. Or you need to broaden your horizon on the types of vulnerabilities that are within your environment. When we talk about vulnerabilities, unfortunately a lot of people think about open ports on a firewall. Well, that is a vulnerability. But what about your people who aren't trained on how to properly configure things? Or your people answering the phones who aren't properly trained about social engineering? Or you're not watching your physical security. These are all vulnerabilities. And this is what's difficult about information security: thinking about all the bad things that could take place. Now here are some examples of vulnerabilities that a lot of people don't think about. The first one I put up is a lack of understanding. Our environment, our industry as a whole, we are continually learning more. We're maturing. This is a very immature industry.
And because of our immaturity, because of our lack of knowledge, this is why a lot of attacks and a lot of bad things could take place. So that's one thing. Education, understanding what the bad guys are going to do and how to make sure they're not going to do it to you. There's another one that's called authorization creep, which is all over the place. Authorization creep means that somebody has too much access. Let's say I start at a company as a clerk. Then I'm given rights and permissions and such. And then I get promoted and now I'm a manager. Then I get other rights and permissions added on instead of subtracted. And this happens on and on as somebody moves from one department to another. They have too much access. And in almost every organization today, users have too much access. Why do we care? Well, the reason is because now this allows that user to carry out mistakes and also, if somebody actually gets a hold of that account, now they can access a lot of resources. So in the next domain, we're actually going to talk about identity management and how the industry is trying to get a hold of this authorization creep issue. Ways of detecting fraud. A lot of companies actually have attacks that have gone on for years, successful attacks; social security numbers have been taken, personal information has been taken for years, and they don't have the right things in place to actually detect that those things are going on. So there's a lot of different types of vulnerabilities. It's not just technical. It's at those different layers: operational, tactical, and strategic. Now I said that most people don't understand the term risk. And that's because we use them interchangeably. We use vulnerability, threat, and risk interchangeably. Hey, we have this type of risk. Hey, we have this type of vulnerability.
Now it may not seem important to you about having distinct definitions and knowing what they are, but it is important because they're totally different things. For example, one time I was asked to be on a risk management panel. We're a bunch of experts on a panel and we're going to talk about risk management to about 500 people. We were going to talk about specific tools and I was given a list of tools that we were to discuss and say what part was great and what part wasn't so great. And what happened is I wrote back to who was putting this conference together. I wrote back and said, I don't think you want me on your panel. Because the tools that they actually listed were vulnerability management tools. They were not risk management tools. And in the industry today, a lot of products say they're risk management and they're not. The easiest thing to do is define a vulnerability. That's a weakness or a hole. The hardest thing to do is actually calculate the business impact of that vulnerability and the probability that that vulnerability is going to get exploited. So the understanding of risk, I think, is very critical. And I'm a consultant. I work in a lot of different environments. And I see the confusion that when people don't have the right definitions down, they're speaking apples and oranges. So in our industry today, risk management is getting more and more and more important because of regulations, because the business people actually get what security means. Again, risk is the probability that a vulnerability is going to be exploited and then the business impact. How bad is that going to hurt us? Now, how do these all work together? Some people think they're interchangeable, but they're not. Any environment, any organization has a whole bunch of vulnerabilities. Can you plug them all? Can you fix them all? Well, only if you have all the time in the world and an infinite amount of money. 
You can't address all the vulnerabilities, and you actually don't need to. So you have a whole list of vulnerabilities. And what you have to do is you have to associate a threat to that vulnerability. Because if you have a vulnerability and there's nothing that can actually take advantage of it, it doesn't matter. So let's say you have an open port that faces the Internet. That port may not have a service that could be exploited, and nobody can do anything with it. You're not going to pay any money or do any configuration for that. So a threat is that somebody is going to find a vulnerability and exploit it. So again, the first step is find all your vulnerabilities. You have to associate them to a threat. Is there something that could take advantage of them? And then you have to calculate the business impact and the probability of that coming true; that is calculating the risk. So you find vulnerabilities, and we've had tools out there for years that find vulnerabilities. Then associating them to a threat and calculating the risk is really where the skill comes in, how it relates to the business. So usually you have a whole bunch of risks listed and you can't address them all. But you're going to say these are the top risks. We're going to address those in the first three months. These are the next 12 months. So it's really important to understand how all of these work together. And I just see it's not only important for the exam. I'm in the industry. I see the confusion between these things where people don't think definitions are important, but it's actually not the definition. It's the concept and what is the right tool for the right issue. Now we've talked about the definition of vulnerability, threat, and risk. But where does risk lie? Who is actually responsible for it? That's very important. Who's responsible for it? Who's responsible to ensure that risk is properly mitigated? Now in the past security was all in IT.
IT understood that the company needed to be protected, but they knew technical security and they knew that the company needed to spend more money to protect itself. But the business people and senior management didn't get it. They didn't want to hear about it. Now as regulations have come down, we've got GLB and SOX and HIPAA. Now that's come from the top. So security isn't coming from the bottom anymore. It's coming from the top also. So who is responsible for risk? Well, that's senior management, board of directors. On the CISSP exam it will actually specifically say senior management. But in the industry it's not just senior management. In publicly owned companies it's also the board, because they're responsible to ensure that the shareholders are properly protected, the company is running smoothly, and that all of these risks are identified and dealt with properly. Now another interesting thing is that risk should actually be delegated. The risk should not just be within the security realm or just on the CISO's desk or just on the CISO's desk. The risk needs to be delegated to, like, the business management owners or whoever the department heads are. They need to be held responsible for identifying risk in their department and know how to approach it. It doesn't mean that they have to be security experts. It means that they have to be held responsible for making sure that any types of risks are actually being identified. So although senior management is ultimately responsible, it's important that we get it out throughout the company that each business unit manager or the department head or somebody is responsible, because that department head actually understands that department. Understands the type of risk that can take place. Remember, it's not just technical. So ultimately, yeah, senior management, but they can't do it all. They don't understand all the risks that can happen throughout the company.
So they need to delegate it and they need to keep people's feet to the fire. Most companies are not holding any type of business unit manager or department head actually liable or responsible for any type of risk. So it's mainly lip service. So since a lot of companies don't understand risk, they just ignore it. They don't deal with it. They're being forced to. Just like with any security, nobody really wants to do security. The company doesn't really want to understand or pay money for security. They need to profit. They need to make money. But this is life. Security within the corporate world and within the government sectors is only becoming more important, and risk management is really becoming something that is the most important. This is also something that the auditors are looking at. What type of risk program do you have in place? How are you identifying and mitigating those risks? Now some other definitions we definitely need to know about are availability, integrity, confidentiality. It's called the AIC triad. It used to be called the CIA triad, but for some reason I guess they thought you'd get confused with the real CIA. So we're going to look at examples of availability, integrity, and confidentiality. But the main concept here is that every single type of countermeasure that we put in place is going to provide one of these services. It's going to provide some type of integrity. It's going to provide some type of confidentiality. So not only do you need to know the definitions and some examples, but you need to know how they match up. This type of countermeasure provides this type of service. Now in availability, a lot of people don't put availability within security. Most people just think about confidentiality, secrecy. But availability is very important, because if a resource isn't available, you can't do your work. So there are attacks that take place against resources so they're not available. Those are DDoS attacks, distributed denial of service attacks.
There's also availability issues that take place that are not attacks, but things get overwhelmed or they go down. So mainly in operations, that domain, we're going to look at the different types of technologies that provide availability, which is redundancy, fault tolerance, those types of things. Now integrity also falls under this triad. And integrity, a lot of people think it's just the integrity about data. And that's true. The data needs to have its integrity when it's being held on a server, when it's going from one place to the other. We need to make sure that it's not been modified by somebody or even it's been corrupted. But in reality, it's not just the data that we need to worry about the integrity. What about the integrity of the environment? What about the actual systems themselves, integrity of the systems? Do you want people to just install patches as they see fit without actually testing them? If that happens, the integrity of the environment is horrible. You don't have your configuration management in place. So it's not just about data. We need to think about the system, the application, the software, the environment, that things aren't changing in an uncontrollable manner so that integrity is compromised. Now confidentiality is pretty simple, at least conceptually. This is what people usually think about when they think about security. So we want to make sure that whatever somebody's not supposed to have access to, they don't have access to. And we're going to go through, in each one of these domains, we're going to have some type of control that is going to provide confidentiality. Access control, encryption, a lot of different things. Because usually the goal is to protect your data. Data today is the goal of the organization. That's usually what needs to be protected the most. So not only do you have to know the definition of confidentiality, but examples of what provides confidentiality. 
Now one thing that a lot of people may know about is shoulder surfing. Shoulder surfing is when somebody's looking over your shoulder and they see some type of sensitive information they're not supposed to. That's why when you type in your password you have those X's that come up, so nobody can look over your shoulder and see those passwords. So that's shoulder surfing, where somebody's looking over and seeing something they're not supposed to. But that's not the whole thing. You've got to think bigger within the environment. What about the people who work with the backup tapes? Do they have the actual access level to be able to access that data on the backups? Maybe not. Maybe there's sensitive data that they shouldn't have access to. When I was in the information warfare unit, everybody had to have a top secret clearance, even the janitors. Because the janitors have keys to everything. And they're usually around when nobody else is around. So they had access to top secret information. And what about the people who are doing surveillance? Let's say in a room you have a camera that's surveilling the environment. Well, if you are in an environment that has top secret or even secret information that's being worked on on a computer, then that camera can capture what's on those screens. Whoever's doing the surveilling and whoever's maintaining those tapes, do they have the actual clearance? Should they be accessing this type of information? So shoulder surfing, that's simple, where yeah, okay, it's looking over your shoulder, but you need to think about, if you actually have sensitive information, who else could be looking at it? Another thing is the area. Do you have it just sitting out? It's not just digital information that we have to protect. It could even be in paper format. Now social engineering is very interesting. It's not a technical attack. It's an attack against people.
Social engineering is skillful lying to get whatever it is that you're after. So there's a lot of different ways to do social engineering. You're basically trying to convince somebody else that you have authorization to assist them or to access some type of data that you don't have the authorization for. So somebody can come in dressed as a repairman and get past the front desk and get to where they want to go. A lot of social engineering happens over the phone, where somebody calls and says, hey, I'm the administrator. We're having a hard time right now with the systems. We're going to reboot them. I need you to change your password to password. So somebody says, this is the administrator, I'll do what I'm told. They change their password to password. Now the bad guy has their credential set. And social engineering is one thing that the corporate environment doesn't think about as much. The military and the government think about it more, and they do a lot of assessments that include social engineering attacks. In the corporate world, it's usually just about the technical issues and the policies and such. But people are the weakest link. They're the ones who are going to give out sensitive information. It's actually easier to do social engineering and get information from people than ever trying to go through a firewall or a HACA system. It's always easier to go through people. And in the assessments that are done, like in the government, you pick out people who would have some information, like the commander's secretary or a pilot or somebody, and you meet them not at the job but maybe you meet them at a bar or you meet them somewhere else, play racquetball or something. And you see what little tidbits you can actually get out of them, because if an attacker is serious about attacking a specific target, what they're going to do is gather as much information about that target before they attack. And that's called footprinting.
There's an amazing amount of information in the public sector that can be learned about a corporate environment. You go through the ARIN database for all the IPs that a company has. You go through the WHOIS database for all the domains that a company owns. You look at, let's say somebody has a job opening. In the job description that they need somebody to fill, they can list the actual type of technology that they have, the type of firewalls, the type of intrusion detection. They'll say we need people with this type of experience. Now you've just told people what you're actually using in security. And another big way that attackers are getting information is in chat rooms. We have chat rooms and forums for everything, and we have forums where people will help each other out. So let's say I have a Sidewinder firewall and there's a question I have about configuration. So I'll go to a forum and I'll say, hey, we have this type of firewall. I don't know what to do. Can anybody help me? Now there can be an attacker in there specifically to find out who doesn't know what they're doing. If they can figure out what company it is, which is easy to do, they'll know that that firewall is not configured properly. So social engineering, there's a lot of different ways for data to be leaked out, and this is one thing that is not looked at within the corporate world. You need to test your people to know what they're supposed to say and what they're not supposed to say, and you need to educate them on this. Now people who are in security get a little cocky. They think the whole world is just about security. I fall into it sometimes myself. I see other people, my peers, that fall into it. But you need to remember that business people just have their own jobs. Security isn't their life. So you have to understand that somebody else, like a business person, already has a 60-hour-a-week job. They don't even know about security. They don't even want to know.
So sometimes security people get a little full of themselves, and they know so much about what somebody should and shouldn't be doing. But we have to be sensitive. We have to properly educate, which doesn't happen through acting superior or acting so knowledgeable. We have to be able to be humble and put security information in different languages that people understand. There's mid-management and then there's senior management, and they'll speak different languages. So we need to know their language so we can make a business case, so everybody can understand the security issues within the organization.