├── Archive
    ├── CISSP 2021 Syllabus.pdf
    ├── CISSP21-Session1.pdf
    ├── CISSP21-Session2.pdf
    ├── CISSP21-Session3.pdf
    ├── CISSP21-Session4.pdf
    ├── CISSP21-Session5.pdf
    ├── Session1Transcripts
    │   ├── part01.vtt
    │   ├── part02.vtt
    │   └── part03.vtt
    ├── Session2 transcripts
    │   ├── part01.vtt
    │   ├── part02.vtt
    │   └── part03.vtt
    ├── Session3Transcripts
    │   ├── part01.vtt
    │   ├── part02.vtt
    │   └── part03.vtt
    └── test.txt
├── CISSP Bootcamp 2025 Syllabus.pdf
├── CISSP_DAY1_part1.pdf
├── CISSP_DAY1_part2.pdf
├── CISSP_DAY2_part1.pdf
├── CISSP_DAY2_part2.pdf
├── CISSP_DAY3_part1.pdf
├── CISSP_DAY3_part2.pdf
├── CISSP_DAY4_part1.pdf
├── CISSP_DAY4_part2.pdf
├── CISSP_DAY5_part1.pdf
└── CISSP_DAY5_part2.pdf

/Archive/CISSP 2021 Syllabus.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/Archive/CISSP 2021 Syllabus.pdf
--------------------------------------------------------------------------------
/Archive/CISSP21-Session1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/Archive/CISSP21-Session1.pdf
--------------------------------------------------------------------------------
/Archive/CISSP21-Session2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/Archive/CISSP21-Session2.pdf
--------------------------------------------------------------------------------
/Archive/CISSP21-Session3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/Archive/CISSP21-Session3.pdf
--------------------------------------------------------------------------------
/Archive/CISSP21-Session4.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/Archive/CISSP21-Session4.pdf
--------------------------------------------------------------------------------
/Archive/CISSP21-Session5.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/Archive/CISSP21-Session5.pdf
--------------------------------------------------------------------------------
/Archive/Session1Transcripts/part01.vtt:
--------------------------------------------------------------------------------
WEBVTT

1
00:00:13.769 --> 00:00:18.480
Michael Shannon: Alright, welcome back from break, everybody, it's the CISSP boot camp.

2
00:00:19.770 --> 00:00:21.090
Michael Shannon: With Michael and David.

3
00:00:23.070 --> 00:00:35.670
Michael Shannon: So as a security practitioner, one who's wearing that management hat, we have to align our security functions, our controls, our initiatives or programs.

4
00:00:36.210 --> 00:00:52.080
Michael Shannon: With our business, our business strategy, whatever our value proposition is, do we have a mission, a charter, objectives, you have to always be cognizant of our contribution not only to.

5
00:00:53.010 --> 00:01:04.590
Michael Shannon: Meeting the, perhaps we're doing it to be accredited or certified, right, we have to meet some regulation or mandate, because of the industry we're in.

6
00:01:05.670 --> 00:01:10.320
Michael Shannon: But not only that, how do we help add value.

7
00:01:11.760 --> 00:01:24.330
Michael Shannon: We may have our own customers, we may be a service provider ourselves, okay, our partners are relying upon us, strategic partners, large vendors and customers.

8
00:01:25.740 --> 00:01:37.290
Michael Shannon: Right, so a lot of this is going to be driven not just by corporate governance, but corporate governance itself should drive security governance.

9
00:01:38.970 --> 00:01:47.550
Michael Shannon: We have to be able to react to changes, if we're going to go through a merger, we're going to, our company's being sold to some other company.

10
00:01:48.000 --> 00:01:57.030
Michael Shannon: Often there's like will be called a dark period there where we have to be highly concerned about, you know, privacy and intellectual property.

11
00:01:57.630 --> 00:02:14.580
Michael Shannon: There may be legal ramifications, maybe if we're under an investigation suddenly there are legal holds on data or files or assets, what if those assets are being stored in a cloud provider.

12
00:02:15.810 --> 00:02:26.550
Michael Shannon: Okay, anything that changes the way our company is structured, we go from a privately held company to a publicly held company, David and I have been around.

13
00:02:27.870 --> 00:02:29.910
Michael Shannon: This institution long enough.

14
00:02:31.050 --> 00:02:40.290
Michael Shannon: To kind of go through that, I think, I don't know, maybe four times, public then private or private and public and private then public.

15
00:02:42.480 --> 00:02:45.930
Michael Shannon: And it, you know, it introduces complexities.

16
00:02:47.370 --> 00:03:02.160
Michael Shannon: Privacy issues, data sharing, interconnection agreements, who might have with as part of our disaster recovery, business continuity options, connectivity agreements with service providers.

17
00:03:04.800 --> 00:03:10.200
Michael Shannon: There's internal and external influences from a security governance standpoint.

18
00:03:11.220 --> 00:03:25.890
Michael Shannon: Are we a more traditional type of top-down company with a very strict, you know, vertical chain of command, or a very functional, we're very departmental.

19
00:03:27.960 --> 00:03:35.760
Michael Shannon: In a more traditional functional environment, you may have more silos or siloed areas.

20
00:03:37.560 --> 00:03:55.380
Michael Shannon: If you've been involved in security long enough, you know it used to be, and it's kind of like where DevOps came from, but early on the people that were involved with writing the code and the people that were involved with the operational aspect were siloed.

21
00:03:57.360 --> 00:04:14.190
Michael Shannon: You can be involved in security, but you had no access to the database and the database people, from a security standpoint, it was basically network security infrastructure, the database people, they were doing their database admin stuff.

22
00:04:15.240 --> 00:04:17.790
Michael Shannon: Maybe even to some degree server admins.

23
00:04:20.220 --> 00:04:32.550
Michael Shannon: Today, those relationships are flatter, we often see more projectized organizations, where an individual may have a certain job title.

24
00:04:33.180 --> 00:04:55.740
Michael Shannon: But they can be working horizontally in different business units and departments, maybe simultaneously, or they move from one project to another throughout the organization or the campus, obviously executive management, our management structure, our C-suite, our C team, as a security.

25
00:04:56.880 --> 00:05:09.270
Michael Shannon: architect do I answer to another security architect or do I answer to somebody in the C-suite, the CIO, the CISO, do we have a chief privacy officer.

26
00:05:11.580 --> 00:05:13.230
Michael Shannon: We have internal auditors.

27
00:05:14.520 --> 00:05:22.800
Michael Shannon: And those might be certified public accountants in the accounting department or maybe other types of specialized auditors.

28
00:05:24.720 --> 00:05:28.500
Michael Shannon: That have to answer to our insurance company, for example.

29
00:05:33.600 --> 00:05:37.830
Michael Shannon: Maybe as an organization, we have a private cloud.

30
00:05:38.880 --> 00:05:49.770
Michael Shannon: So we've converted our data center into a more virtualized hypervisor-driven data center and we provide the same type of services.

31
00:05:50.430 --> 00:06:05.970
Michael Shannon: That a cloud provider would offer, we offer sandbox environments and development environments, we, they have the ability to use their budgets to do research and development or development using our private cloud.

32
00:06:10.050 --> 00:06:15.480
Michael Shannon: We have to always, again, from an internal standpoint, know our key value propositions.

33
00:06:16.620 --> 00:06:21.540
Michael Shannon: Right, service, product or both, and then external.

34
00:06:22.950 --> 00:06:26.700
Michael Shannon: influences will affect our security governance.

35
00:06:28.380 --> 00:06:36.240
Michael Shannon: If you're a public company, you may have to, you have to respond to stockholders and bondholders, maybe you're part of a partnership.

36
00:06:38.160 --> 00:06:41.220
Michael Shannon: You have to be aware that your customers and your clients.

37
00:06:42.570 --> 00:06:50.610
Michael Shannon: have an incredible amount of influence, your lenders, okay, if you have a data breach.

38
00:06:52.440 --> 00:07:07.800
Michael Shannon: of credit card information, for example, that's going to affect your customers, that's a secondary kind of cascading loss that you're gonna have to deal with, but when you put, you know, you provide credit, you know, protection.

39
00:07:08.850 --> 00:07:22.620
Michael Shannon: For your customers, maybe with lenders, if you have a data breach a secondary loss might be something like, well, you're going to pay higher interest rates for that borrowing next time.

40
00:07:23.760 --> 00:07:30.660
Michael Shannon: We can be affected by social, political, sociopolitical, economic factors, right.

41
00:07:32.100 --> 00:07:34.470
Michael Shannon: pandemics, war.

42
00:07:36.390 --> 00:07:48.030
Michael Shannon: Okay, supply chains can be affected, vendors that we used two years ago, two and a half years ago, may not even be in business anymore.

43
00:07:48.840 --> 00:08:01.380
Michael Shannon: A software vendor, a hardware vendor, or that particular vendor's only operating at 75%, they're barely keeping their head above water trying to ride out the storm.

44
00:08:03.120 --> 00:08:08.220
Michael Shannon: disruptions in the supply chain, more regulation, okay.

45
00:08:10.080 --> 00:08:29.190
Michael Shannon: So, you know, as a security practitioner obviously we're heavily involved in access controls, right, access to resources and assets, so we need to have our finger on the pulse of the way our organization is designed, roles, responsibilities, processes.

46
00:08:30.330 --> 00:08:42.330
Michael Shannon: Okay, and there's no one size fits all, you may have a large global company that operates differently at the headquarters than they do at a regional branch office or a satellite office.

47
00:08:47.670 --> 00:08:57.750
Michael Shannon: The responsibilities and roles may drive your access control methodology, if you have a role-based access control.

48
00:08:58.290 --> 00:09:19.830
Michael Shannon: or even if it's discretionary, often in a discretionary access control model like Windows with Active Directory, your groups, your global groups are often, they can be built on roles like network administrators, database administrator, but they can also be departmental.

49
00:09:22.440 --> 00:09:29.430
Michael Shannon: Your role-based access control, for example, if you're working at a medical center and use a role-based model.

50
00:09:30.870 --> 00:09:37.110
Michael Shannon: You need to be aware of the different roles, medical doctor, nurse practitioner.

51
00:09:38.250 --> 00:09:40.500
Michael Shannon: Registered nurse, technician.

52
00:09:43.950 --> 00:09:45.180
Michael Shannon: we're going to talk more about.

53
00:09:46.350 --> 00:09:55.560
Michael Shannon: These access control models, of course, like today, this is all under the umbrella of understanding the responsibilities of security governance.

54
00:09:56.610 --> 00:10:04.170
Michael Shannon: Okay, trust me, most of the things we've even brought up we're going to revisit them again, because if you go back to.

55
00:10:05.820 --> 00:10:06.480
Michael Shannon: This.

56
00:10:09.090 --> 00:10:10.740
Michael Shannon: Weighting of domains.

57
00:10:12.030 --> 00:10:25.410
Michael Shannon: Well, it goes without saying that there's a lot of overlap in these domains, I mean part of security operations, number seven, is securing your assets.

58
00:10:27.330 --> 00:10:30.330
Michael Shannon: What how you operate yours, how do you.

59
00:10:31.710 --> 00:10:39.660
Michael Shannon: put into practice your controls in operations will be based on how you handle and treat risk.

60
00:10:41.820 --> 00:10:44.040
Michael Shannon: Right now, I can pretty much.

61
00:10:45.180 --> 00:11:01.740
Michael Shannon: isolate software development security as a domain, but that's also going to be driven by your security architecture, so the point I'm making is there's a lot of overlaps in the domains, which by the way, is why to be.

62
00:11:03.210 --> 00:11:15.840
Michael Shannon: qualified to take the exam you don't have to have four or five years of real-world fully paid experience in all eight domains.

63
00:11:17.640 --> 00:11:30.840
Michael Shannon: Because there's so much overlap and so that kind of ties into the fact that many of the things that we talked about today we'll revisit these again when we get into the operational and the practical aspect of them.

64
00:11:33.630 --> 00:11:48.240
Michael Shannon: Now owning something, ownership, ownership of the data, ownership of the file you create, the data you create, we often see that in more discretionary or role-based models.

65
00:11:49.890 --> 00:11:51.270
Michael Shannon: So an owner.

66
00:11:52.530 --> 00:11:59.040
Michael Shannon: Typically, you see those in certain access control models, for example in a mandatory access control model.

67
00:12:00.270 --> 00:12:03.810
Michael Shannon: A MAC model it sucks it's rare, if not.

68
00:12:04.920 --> 00:12:08.700
Michael Shannon: Just exclusively, there is no ownership.

69
00:12:10.860 --> 00:12:13.140
Michael Shannon: In a strict mandatory access control model.

70
00:12:14.910 --> 00:12:18.300
Michael Shannon: The ownership is the entity, the agency.

71
00:12:19.560 --> 00:12:20.460
Michael Shannon: owns everything.

72
00:12:22.260 --> 00:12:31.470
Michael Shannon: But in discretionary models, you can create directories and folders and when you open, you know, when you create a Word document or a PowerPoint.

73
00:12:32.610 --> 00:12:45.000
Michael Shannon: Presentation or an Excel spreadsheet or something else, something maybe in SharePoint, you're the owner of that, and you have the discretion to share it and even assign permissions.

74
00:12:48.180 --> 00:13:00.480
Michael Shannon: If you're in a corporate environment to use classification levels, owners may determine those levels as well, owners can determine how things are labeled or tagged.

75
00:13:02.490 --> 00:13:09.210
Michael Shannon: there's an existing schema of key-value pairs and the owner of the.

76
00:13:10.470 --> 00:13:25.020
Michael Shannon: object either locally or in the cloud tags it with key-value pairs, owners often do that, we have data ownership, we also may have asset ownership, okay, technically.

77
00:13:27.030 --> 00:13:29.820
Michael Shannon: I may not be an owner of my corporate laptop here.

78
00:13:31.020 --> 00:13:49.230
Michael Shannon: But I may be a steward or a custodian of it. Okay, so you have stewards and notice protect my data but also assets in general, data is just one of our assets and probably for many organizations our most important.

79
00:13:50.550 --> 00:13:57.420
Michael Shannon: Often the most mission-critical asset that a company has is data, not all companies, right.

80
00:13:59.400 --> 00:14:04.230
Michael Shannon: Some companies actually consider their employees to be their most valuable assets.

81
00:14:06.210 --> 00:14:10.110
Michael Shannon: But not all, not all companies operate, not all organizations operate that way.

82
00:14:11.310 --> 00:14:14.580
Michael Shannon: Often, and when I talk about stewards versus custodians.

83
00:14:15.720 --> 00:14:18.960
Michael Shannon: Which is kind of two differentiations you have to have here.

84
00:14:21.390 --> 00:14:27.030
Michael Shannon: I mean a hard time driving my slides forward, hold on, like stewards versus custodians, okay.

85
00:14:29.130 --> 00:14:39.330
Michael Shannon: I don't like to use a lot of cultural references because I've students from all over the world and we don't watch the same movies, we don't listen to the same music.

86
00:14:40.110 --> 00:14:50.880
Michael Shannon: We don't watch the same TV shows, but there's a show, it's a reality show, it's called Below Deck and so what it is, it's just luxury.

87
00:14:51.480 --> 00:15:01.260
Michael Shannon: yachts in the Mediterranean or Greece or whatever and it's just the drama of all the people that are working on the yacht.

88
00:15:01.890 --> 00:15:06.480
Michael Shannon: And then, you know, the rich drunk people and all of that drama, right, it's the reality show.

89
00:15:07.170 --> 00:15:24.840
Michael Shannon: Well, you know, on these luxury yachts you have stewards and you have custodians, the stewards deal with the customers, the people that are paying to come out of the yacht for three days, from a business perspective, they deal with internal and external customers.

90
00:15:26.220 --> 00:15:46.230
Michael Shannon: Because a steward of data or other assets may be there for quality control, ensuring compliance, okay, stewards, the ones that deal with internal, external customers, often maybe compliance and regulators, auditors, a custodian is more of a technical.

91
00:15:47.790 --> 00:16:00.990
Michael Shannon: For example, on the yacht it would be the first mate, and the second mate, and the third mate and they interface with engineer, and the captain, so assets from a technical perspective.

92
00:16:02.850 --> 00:16:12.690
Michael Shannon: Okay, they may be dealing with management, with vendors, they're there to ensure confidentiality, integrity, availability, authenticity.

93
00:16:14.760 --> 00:16:16.800
Michael Shannon: Non-repudiation, okay.

94
00:16:17.880 --> 00:16:18.450
Michael Shannon: Technical.

95
00:16:20.550 --> 00:16:34.020
Michael Shannon: And then you have officers, that's where the buck stops usually in an organization when it comes to data and assets, the buck has to stop somewhere, right, on the yacht it's the captain.

96
00:16:36.150 --> 00:16:41.910
Michael Shannon: In organizations, usually some type of executive manager or C-suite or CTO.

97
00:16:43.860 --> 00:16:51.960
Michael Shannon: CIO, chief privacy officer, CISO, and, by the way, some of you already.

98
00:16:53.010 --> 00:17:00.210
Michael Shannon: Probably are operating, I mean if I was, with as many people as I have in this group today, almost 300.

99
00:17:01.800 --> 00:17:12.420
Michael Shannon: chances are some of you are already functioning in the role, you're already on the CSP to the seating and you're getting the CISSP certification.

100
00:17:13.200 --> 00:17:17.490
Michael Shannon: Because maybe it's mandated, you know, you see people get hired.

101
00:17:18.090 --> 00:17:29.100
Michael Shannon: In these roles and then they're like, okay, but I need you to get your CISSP and your CISA auditor, CISM within the next period of time, some of you.

102
00:17:29.730 --> 00:17:37.440
Michael Shannon: Already in these roles, some of you it's in your future, you'll get the CISSP, other certifications and you'll go on to be.

103
00:17:39.210 --> 00:17:39.900
Michael Shannon: officers.

104
00:17:46.680 --> 00:17:55.080
Michael Shannon: We also have a couple of terms, due diligence and due care. Okay, due diligence is the act of performing thorough research.

105
00:17:55.590 --> 00:18:07.890
Michael Shannon: Before you commit to a plan of action, okay, so remember one of the key differences of due diligence and due care, it's kind of similar to change and configuration management.

106
00:18:08.580 --> 00:18:20.430
Michael Shannon: Okay, when I describe, let's say from an ITIL 4 perspective, if I'm explaining change and configuration management, well, configuration management happens first.

107
00:18:21.300 --> 00:18:33.120
Michael Shannon: You have to have an initial baseline configuration, without that there's nothing to change, now, you can consider that initial configuration as your first change.

108
00:18:34.560 --> 00:18:51.900
Michael Shannon: But you get the point, so due diligence is the thing that we do before we do the plan of action, proper information gathering, planning, reconnaissance, workshops, Delphi methods, planning, testing, strategy.

109
00:18:52.920 --> 00:18:53.340
Michael Shannon: Right.

110
00:18:54.660 --> 00:19:08.340
Michael Shannon: due diligence is the proper strategy, due care is the tactical, right, due care is ongoing, the ongoing degree of reasonable attention.

111
00:19:10.410 --> 00:19:10.800
Michael Shannon: Okay.

112
00:19:12.600 --> 00:19:15.030
Michael Shannon: due diligence, due care.

113
00:19:16.800 --> 00:19:18.180
Michael Shannon: Due care activities.

114
00:19:19.560 --> 00:19:30.900
Michael Shannon: patch management, classic, right, but from a security manager standpoint, yes, we would like to know that patch management is an aspect of due care.

115
00:19:32.070 --> 00:19:40.290
Michael Shannon: And that's true, however, when we get into looking at threat models and security testing.

116
00:19:41.400 --> 00:19:51.600
Michael Shannon: As advanced security practitioners we're going to understand at a higher level, just the due care of patch management is not enough.

117
00:19:53.790 --> 00:20:00.300
Michael Shannon: Because if we're not testing the updates and the patches before we deploy them.

118
00:20:01.530 --> 00:20:03.030
Michael Shannon: Is that really due care.

119
00:20:04.290 --> 00:20:25.200
Michael Shannon: Just installing the patch probably doesn't qualify as due care, installing a tested patch in a hypervisor environment or a sandbox environment would for most zero trust environments be what due care is.

120
00:20:26.610 --> 00:20:35.010
Michael Shannon: Some of you remember, a few months back, it was last year, but when the SolarWinds malware happened.

121
00:20:36.840 --> 00:20:46.650
Michael Shannon: There were people that were security operators and security practitioners that were doing due care because they were installing the patch right away.

122
00:20:47.130 --> 00:21:00.510
Michael Shannon: They were up to date on their patch management, yay, but they didn't test those patches first in a prototypical environment, maybe in a hypervisor environment first, and they got burned.

123
00:21:01.530 --> 00:21:03.390
Michael Shannon: To get the malware was in the patch.

124
00:21:04.620 --> 00:21:07.050
Michael Shannon: Now, obviously, SolarWinds didn't do their.

125
00:21:08.280 --> 00:21:09.120
Michael Shannon: due care.

126
00:21:15.450 --> 00:21:16.650
Michael Shannon: I feel confident.

127
00:21:17.700 --> 00:21:32.250
Michael Shannon: That, if you approach this exam, if you truly do have the four to five years of full time experience, I feel very confident that after you go through this five days and you find some gaps.

128
00:21:34.890 --> 00:21:51.720
Michael Shannon: you're gonna be able to find the right answer, it's just going to make sense to you, and some of the questions where it's just not obvious, since there's no trick questions, that there should be two obvious distractors.

129
00:21:55.080 --> 00:21:58.320
Michael Shannon: two obvious distractors, I just took the.

130
00:21:59.730 --> 00:22:22.230
Michael Shannon: This last summer I took the certified cloud security professional, which is ISC2's cloud security, and the beauty of being a CISSP is you don't have to, there's no other requirements, if you're a CISSP you can just go take that exam.

131
00:22:25.530 --> 00:22:26.280
Michael Shannon: In fact.

132
00:22:30.930 --> 00:22:32.490
Michael Shannon: I think I'm teaching that again.

133
00:22:33.930 --> 00:22:34.830
Michael Shannon: In July.

134
00:22:38.190 --> 00:22:41.010
Michael Shannon: So I'm teaching that CCSP.

135
00:22:42.990 --> 00:22:47.970
Michael Shannon: The 26th of July, it's a three day course, I would love for you to go.

136
00:22:49.170 --> 00:23:07.980
Michael Shannon: Pass this exam, get your CISSP and then in July come take my three day cloud security boot camp and get that second cloud security, because you don't have to have five years of experience working at a cloud provider.

137
00:23:10.260 --> 00:23:11.730
Michael Shannon: and get that on your resume.

138
00:23:13.230 --> 00:23:24.030
Michael Shannon: So this summer, when I took that exam and, by the way, that exam is not like CISSP, it's like 125 questions and you're gonna get all the questions.

139
00:23:28.230 --> 00:23:39.060
Michael Shannon: And I can tell you, most of those questions were just repurposed CISSP questions, they just changed it to be in a cloud environment or a data center.

140
00:23:41.370 --> 00:23:49.050
Michael Shannon: There were no trick questions and I got two questions that I didn't obviously know the answer, but I definitely could get it to a coin flip.

141
00:23:51.600 --> 00:23:53.040
Michael Shannon: I knew it's one of these two.

142
00:23:55.320 --> 00:23:55.830
Michael Shannon: So.

143
00:23:57.330 --> 00:23:57.840
Michael Shannon: You know.

144
00:23:58.890 --> 00:24:05.310
Michael Shannon: For some of you that this is going to be coin flip questions, that's okay, you should be fine.

145
00:24:06.720 --> 00:24:18.720
Michael Shannon: So governance is a much more general corporate organizational, what drives the ship, right, it's what steers the Titanic hopefully.

146
00:24:20.490 --> 00:24:29.460
Michael Shannon: Getting it to its destination, but the three main attributes or characteristics of governance are some authority.

147
00:24:29.880 --> 00:24:54.840
Michael Shannon: Right, the buck has to stop somewhere and governance has the authority to say, this is the direction we're going in or we're going to no longer be a privately held company with venture capitalists owning us but we're going to go public, we make those big decisions but we're also accountable.

148
00:24:56.010 --> 00:25:07.740
Michael Shannon: accountable to the venture capitalist, accountable to the shareholders and the bondholders. Okay, but we're concerned with security governance, our role.

149
00:25:08.760 --> 00:25:09.240
Michael Shannon: In.

150
00:25:10.260 --> 00:25:11.130
Michael Shannon: Protecting.

151
00:25:12.180 --> 00:25:22.200
Michael Shannon: The assets and being involved in risk assessment and risk management to lower risk to acceptable levels.

152
00:25:23.340 --> 00:25:30.450
Michael Shannon: Based on governance and our value proposition, but it's, look, again it's wearing the security hat.

153
00:25:31.590 --> 00:25:34.950
Michael Shannon: Now if you're a small to medium-sized organization.

154
00:25:37.650 --> 00:25:51.870
Michael Shannon: Then, that there may not be a real big separation between corporate governance, I mean, I have a board of directors that are working with the C-suite, small to medium-sized business, you know.

155
00:25:53.370 --> 00:25:55.920
Michael Shannon: you've been at have that type of structure.

156
00:25:57.300 --> 00:26:11.850
Michael Shannon: But we're the activities of security governance, we need to be aware of those, there needs to be some type of documented risk register or risk ledger and we're going to talk about what populates that.

157
00:26:13.230 --> 00:26:18.180
Michael Shannon: But what's going to populate that initially is any existing.

158
00:26:21.330 --> 00:26:23.160
Michael Shannon: scenarios that we've gone through.

159
00:26:26.190 --> 00:26:33.060
Michael Shannon: If you're a startup company that risk ledger is going to be based on best practices.

160
00:26:33.480 --> 00:26:41.670
Michael Shannon: And are we using COBIT 5, are we using NIST, are we using ISO/IEC, the risk register is going to be kind of driven by.

161
00:26:42.210 --> 00:26:59.940
Michael Shannon: how you are going to implement your guidelines and your standards, but as you become a more mature organization that risk register starts to get populated with these are actual events and incidents we've gone through, and this is the after action reporting and lessons learned.

162
00:27:02.730 --> 00:27:14.130
Michael Shannon: So it gets continually populated with whatever the results of your risk assessment, vulnerability assessment, penetration tests, all those things will populate that.

163
00:27:14.550 --> 00:27:25.260
Michael Shannon: could be spreadsheet driven, could be database driven, another major activity of security governance is making sure you're aligned.

164
00:27:26.610 --> 00:27:36.180
Michael Shannon: Is alignment with your business or whatever your organization is, it could be a nonprofit, it could be an agency, whatever.

165
00:27:38.250 --> 00:27:53.940
Michael Shannon: Making sure that everybody, all stakeholders are aware of any compliance or regulatory requirements and that the policies that they must adhere to, like acceptable use policies, are in line with those requirements.

166
00:27:55.170 --> 00:28:00.960
Michael Shannon: Security governance plays a vital role in risk assessment and risk management.

167
00:28:02.820 --> 00:28:03.900
Michael Shannon: Now, usually.

168
00:28:05.220 --> 00:28:11.910
Michael Shannon: Your security practitioners or engineers or architects, they aren't the sole.
674 | 675 | 169 676 | 00:28:13.410 --> 00:28:24.660 677 | Michael Shannon: Entities doing risk assessment and management to small business as possible, but that usually involves you know accountants auditors HR legal. 678 | 679 | 170 680 | 00:28:25.800 --> 00:28:29.520 681 | Michael Shannon: So there's different roles responsibilities that are you know part of that. 682 | 683 | 171 684 | 00:28:31.470 --> 00:28:38.160 685 | Michael Shannon: Your insurance company, you know before you get your business policy and your cyber. 686 | 687 | 172 688 | 00:28:39.720 --> 00:28:55.890 689 | Michael Shannon: Your cyber attack writer or additional policy it's you know it's very likely that you're working with the teams, they send in to assess your organization before they determine you know what are your premium is going to be. 690 | 691 | 173 692 | 00:28:57.960 --> 00:29:06.030 693 | Michael Shannon: tracking and recording documentation all of those things finding out what you can automate is a. 694 | 695 | 174 696 | 00:29:07.080 --> 00:29:11.460 697 | Michael Shannon: Pretty big security, governance activity what things can we automate. 698 | 699 | 175 700 | 00:29:19.560 --> 00:29:20.100 701 | Michael Shannon: Okay. 702 | 703 | 176 704 | 00:29:22.230 --> 00:29:27.210 705 | Michael Shannon: So I already mentioned this security, governance, often responsible for publishing. 706 | 707 | 177 708 | 00:29:28.350 --> 00:29:38.010 709 | Michael Shannon: and making your stakeholders aware of compliance and regulatory requirements often that's going to drive their acceptable use policies. 710 | 711 | 178 712 | 00:29:41.160 --> 00:29:43.110 713 | Michael Shannon: Privacy policy requirements. 714 | 715 | 179 716 | 00:29:44.370 --> 00:29:51.780 717 | Michael Shannon: Now I don't know if these this example from the gdpr I don't know if it's still valid, that may have changed just an example. 
718 | 719 | 180 720 | 00:29:53.430 --> 00:30:08.250 721 | Michael Shannon: If you're implementing privacy policies which is kind of a subset of confidentiality you're protecting intellectual property personal information health information you're involved in data loss prevention DLP. 722 | 723 | 181 724 | 00:30:09.570 --> 00:30:18.600 725 | Michael Shannon: Maybe assuring adherence to different acts regulations and I put an example there of penalties from the GDPR. 726 | 727 | 182 728 | 00:30:20.430 --> 00:30:27.480 729 | Michael Shannon: And what happened with GDPR was the same thing that happened with HIPAA now if you ask me. 730 | 731 | 183 732 | 00:30:30.000 --> 00:30:41.190 733 | Michael Shannon: And you didn't but do I believe that these huge you know compliance initiatives are they really all about protecting privacy. 734 | 735 | 184 736 | 00:30:42.330 --> 00:30:46.740 737 | Michael Shannon: Well, you know what I don't really think, so I think it's more of just a way to. 738 | 739 | 185 740 | 00:30:47.910 --> 00:30:58.920 741 | Michael Shannon: it's just a taxation vehicle right HIPAA had all these penalties and in the early years they didn't enforce any of them, they gave people time. 742 | 743 | 186 744 | 00:31:00.720 --> 00:31:05.130 745 | Michael Shannon: But then they started to enforce them and there were some pretty hefty. 746 | 747 | 187 748 | 00:31:06.450 --> 00:31:07.230 749 | Michael Shannon: penalties. 750 | 751 | 188 752 | 00:31:08.340 --> 00:31:10.620 753 | Michael Shannon: So here, you can see example of GDPR. 754 | 755 | 189 756 | 00:31:17.130 --> 00:31:22.500 757 | Michael Shannon: So your data privacy often due to a mandate that common sense. 758 | 759 | 190 760 | 00:31:24.240 --> 00:31:33.000 761 | Michael Shannon: because so many global organizations have become service oriented right kind of the.
762 | 763 | 191 764 | 00:31:35.010 --> 00:31:41.340 765 | Michael Shannon: opposite of the Industrial Revolution it's the digital revolution it's the information age. 766 | 767 | 192 768 | 00:31:42.660 --> 00:31:45.180 769 | Michael Shannon: Right our intellectual property. 770 | 771 | 193 772 | 00:31:46.230 --> 00:31:48.510 773 | Michael Shannon: is more and more difficult to protect. 774 | 775 | 194 776 | 00:31:50.460 --> 00:31:50.970 777 | Michael Shannon: Now. 778 | 779 | 195 780 | 00:31:52.620 --> 00:31:59.880 781 | Michael Shannon: In a way, we'll talk about this, but in a way, part of the solution of protecting data. 782 | 783 | 196 784 | 00:32:00.900 --> 00:32:02.220 785 | Michael Shannon: will be blockchain. 786 | 787 | 197 788 | 00:32:03.420 --> 00:32:08.550 789 | Michael Shannon: will be one of the parts of the solution of that but part of our responsibility is going to be. 790 | 791 | 198 792 | 00:32:10.320 --> 00:32:13.800 793 | Michael Shannon: yeah Sebastian Sebastian you're really good question. 794 | 795 | 199 796 | 00:32:15.930 --> 00:32:19.740 797 | Michael Shannon: I don't expect to get a lot of specific. 798 | 799 | 200 800 | 00:32:22.410 --> 00:32:41.370 801 | Michael Shannon: Questions about different regulations and mandates like specific HIPAA questions or fish or because, like Sebastian saying the CISSP is a global certification now, am I going to tell you that it's not US-centric No, it is. 802 | 803 | 201 804 | 00:32:43.140 --> 00:32:54.480 805 | Michael Shannon: it's kind of like I it's kind of like IP version four addressing versus IP version six addressing IP version six addressing is global. 806 | 807 | 202 808 | 00:32:55.530 --> 00:33:02.100 809 | Michael Shannon: But IP version four addresses are still the majority of them are kind of owned by US entities.
810 | 811 | 203 812 | 00:33:04.470 --> 00:33:22.140 813 | Michael Shannon: IP version six removes that so the CISSP exam is not IPv6 yet it's the men, the the mentality and the thinking is US-centric but don't expect to see a lot of you know. 814 | 815 | 204 816 | 00:33:23.700 --> 00:33:38.460 817 | Michael Shannon: Understand that intellectual property are things like copyrights trademarks, patents formulas trade secrets digital rights information rights licensing cryptographic keys and passwords credit card information so on. 818 | 819 | 205 820 | 00:33:39.510 --> 00:33:48.300 821 | Michael Shannon: knots and you know consequences primary and secondary loss, but not so much you know this was an example. 822 | 823 | 206 824 | 00:33:50.040 --> 00:34:00.900 825 | Michael Shannon: This was an example not for you to say Oh, I need to memorize this but understanding that governance and regulations do have penalties. 826 | 827 | 207 828 | 00:34:02.130 --> 00:34:23.130 829 | Michael Shannon: that's one of the driving factors behind security and privacy policy is avoiding or evading those types of penalties not you know, the fact that up to the first 10 million euros or whatever that's not The important thing it's conceptually the why. 830 | 831 | 208 832 | 00:34:24.240 --> 00:34:29.070 833 | Michael Shannon: of privacy policy and security, governance, avoiding penalties. 834 | 835 | 209 836 | 00:34:30.360 --> 00:34:30.720 837 | Michael Shannon: Right. 838 | 839 | 210 840 | 00:34:33.540 --> 00:34:41.370 841 | Michael Shannon: Always approach it from a security managers point of view so there's you know, the primary inside this is kind of a. 842 | 843 | 211 844 | 00:34:42.420 --> 00:34:43.020 845 | Michael Shannon: A. 846 | 847 | 212 848 | 00:34:45.960 --> 00:34:48.690 849 | Michael Shannon: Factor analysis of information risk.
850 | 851 | 213 852 | 00:34:49.980 --> 00:35:03.000 853 | Michael Shannon: mentality, FAIR, which is becoming very, very popular Open FAIR as a quantitative risk analysis methodology, this is actually kind of borrowed from that. 854 | 855 | 214 856 | 00:35:03.630 --> 00:35:14.340 857 | Michael Shannon: Because you've got primary loss let's say to a data breach let's just stick with the whole data privacy thing, so if there's a data breach that. 858 | 859 | 215 860 | 00:35:16.230 --> 00:35:25.230 861 | Michael Shannon: First responder and, by the way, this could be something that you discover that the data had been breached or stolen or exfiltrated. 862 | 863 | 216 864 | 00:35:26.610 --> 00:35:29.280 865 | Michael Shannon: Immediately based on. 866 | 867 | 217 868 | 00:35:30.300 --> 00:35:35.010 869 | Michael Shannon: Excellent visibility tools or This is something that you discovered through an audit. 870 | 871 | 218 872 | 00:35:36.420 --> 00:35:48.720 873 | Michael Shannon: But regardless there's going to be the alerting of certain first responders and other incident response, people or teams so that's going to be a loss of productivity. 874 | 875 | 219 876 | 00:35:49.560 --> 00:36:02.310 877 | Michael Shannon: And the people that have to respond productivity, the response time that the money to respond to, for example, paying the ransom. 878 | 879 | 220 880 | 00:36:03.330 --> 00:36:14.610 881 | Michael Shannon: Because of the ransomware attack and you don't have a proper backup restore snapshots and you're unable to just you know re image, the machines and backup from data. 882 | 883 | 221 884 | 00:36:15.840 --> 00:36:20.340 885 | Michael Shannon: Because remember your backup if you don't go through restoration processes. 886 | 887 | 222 888 | 00:36:21.600 --> 00:36:32.880 889 | Michael Shannon: If you don't recover you don't do database recoveries or data restoration, technically speaking, you don't have any backups you can say yeah I've got backup media.
890 | 891 | 223 892 | 00:36:33.810 --> 00:36:43.680 893 | Michael Shannon: i've got backup media and i've got i've got a grandfather approach and i've got it stored blah blah blah, and you know this location and it's fireproof you have backup media. 894 | 895 | 224 896 | 00:36:44.310 --> 00:36:55.200 897 | Michael Shannon: But unless you've gone through the process of testing and doing restores and recovery you don't really have a backup system, not from a disaster recovery standpoint. 898 | 899 | 225 900 | 00:36:56.910 --> 00:37:04.770 901 | Michael Shannon: So replacement, these are all primary you know you found out the compromised insider so they're fired. 902 | 903 | 226 904 | 00:37:05.880 --> 00:37:17.280 905 | Michael Shannon: Now you have to replace them and the cost of replacing an employee, the longer they've been there is more than just i'm plugging in a new human being who's getting that same salary. 906 | 907 | 227 908 | 00:37:17.970 --> 00:37:27.630 909 | Michael Shannon: know the costs are way beyond just this is a new body getting the same salary replacement costs are much higher. 910 | 911 | 228 912 | 00:37:28.620 --> 00:37:38.190 913 | Michael Shannon: Because of just the time to train that person to get them up to speed to get them operating at 100% efficiency or whatever. 914 | 915 | 229 916 | 00:37:38.940 --> 00:38:01.920 917 | Michael Shannon: And then you have secondary losses fines judgments civil cases losing to your competitors your reputation of goodwill, you know borrowing costs the list goes on and what's interesting is primary and secondary has nothing to do with impact or magnitude primary just means initial. 918 | 919 | 230 920 | 00:38:03.210 --> 00:38:08.430 921 | Michael Shannon: These are the kind of first immediate loss secondary means they come afterwards. 922 | 923 | 231 924 | 00:38:09.570 --> 00:38:15.030 925 | Michael Shannon: As far as impact or magnitude secondary loss can often be much higher. 
926 | 927 | 232 928 | 00:38:16.800 --> 00:38:21.900 929 | Michael Shannon: Your competitive advantage can be such that now your stock price just plummets. 930 | 931 | 233 932 | 00:38:25.050 --> 00:38:33.420 933 | Michael Shannon: So secondary losses because they can be cascading you know lawsuits and judgments can be much higher than just the primary loss. 934 | 935 | 234 936 | 00:38:38.430 --> 00:38:52.320 937 | Michael Shannon: The CISSP exam mentions digital rights management as part of security, governance right you're dealing with copyrighted information, it could be you're an organization that has content. 938 | 939 | 235 940 | 00:38:52.980 --> 00:39:02.880 941 | Michael Shannon: That you need to protect you need to protect the rights, the copyrights of your content that you're streaming through you know some. 942 | 943 | 236 944 | 00:39:04.110 --> 00:39:19.920 945 | Michael Shannon: Akamai or Cloudflare or AWS CloudFront right you're you've got content right, so you had to protect the rights of that content accessing the original right. 946 | 947 | 237 948 | 00:39:20.940 --> 00:39:31.020 949 | Michael Shannon: or you may have to make sure that your organization that your employees are not downloading pirated. 950 | 951 | 238 952 | 00:39:32.430 --> 00:39:46.200 953 | Michael Shannon: Content running unlicensed software on a Type 2 hypervisor right they've downloaded Oracle VirtualBox and they're running unlicensed software. 954 | 955 | 239 956 | 00:39:47.430 --> 00:40:03.780 957 | Michael Shannon: or you've got privileged insiders who are in the DMZ servers and they're downloading pirated DVDs and content so remember we think of digital rights management with a couple of different perspectives. 958 | 959 | 240 960 | 00:40:05.520 --> 00:40:19.770 961 | Michael Shannon: Right, are our employees, respecting the digital rights of vendors and providers and partners or and or are we is our value proposition content.
962 | 963 | 241 964 | 00:40:20.700 --> 00:40:37.020 965 | Michael Shannon: That has to be a publisher are we are we, the owner of the intellectual property, you know, are we Sony and somebody stole games game of thrones season, whatever and now they're trying to exploit that. 966 | 967 | 242 968 | 00:40:38.340 --> 00:40:52.920 969 | Michael Shannon: And this is going to apply we think of content, like video and audio but another really primary of digital rights management and, by the way the on the cloud exam they call it information rights management IRM. 970 | 971 | 243 972 | 00:40:54.240 --> 00:41:05.670 973 | Michael Shannon: I can't guarantee you that the CISSP exam is going to be DRM or informational rights management, I would just consider them to be synonymous. 974 | 975 | 244 976 | 00:41:07.200 --> 00:41:13.770 977 | Michael Shannon: But for like PDF files you've experienced this right you've gone and you've gotten a PDF file. 978 | 979 | 245 980 | 00:41:14.880 --> 00:41:26.970 981 | Michael Shannon: From a some site and maybe you had to pay a lot of money for it, or you had to offer and give them information about yourself, so they can put you on some list to spam you. 982 | 983 | 246 984 | 00:41:27.930 --> 00:41:38.220 985 | Michael Shannon: But you did it because you want the PDF file, so they can enforce expiration they can put watermarks on it right, they can you know. 986 | 987 | 247 988 | 00:41:39.390 --> 00:41:44.100 989 | Michael Shannon: take away your ability to do a screen capture or print or things like that. 990 | 991 | 248 992 | 00:41:45.180 --> 00:41:52.020 993 | Michael Shannon: So it's not when I say content, you know Adobe PDFs can you know fall into that category as well. 994 | 995 | 249 996 | 00:41:56.010 --> 00:42:11.910 997 | Michael Shannon: The GDPR and this exam are really big on data minimization okay so data has a life cycle right the first phase of the life cycle is often called the create.
998 | 999 | 250 1000 | 00:42:12.360 --> 00:42:22.770 1001 | Michael Shannon: Now that's a misnomer, but it basically just that's where, for whatever the purpose of the data that's where it begins, yes, it could be something that you create. 1002 | 1003 | 251 1004 | 00:42:23.610 --> 00:42:34.830 1005 | Michael Shannon: It can be generated by some machine learning tool or algorithm it could be some report that's written, but in that create phase, the data can also be acquired. 1006 | 1007 | 252 1008 | 00:42:35.190 --> 00:42:47.040 1009 | Michael Shannon: Right you go and you purchase a bunch of sales leads or you go and you get some type of document from Gartner or IDC whatever right is that first phase. 1010 | 1011 | 253 1012 | 00:42:47.790 --> 00:42:57.390 1013 | Michael Shannon: Maybe you're generating data through different tools right SIEM systems are taking it all in and they're creating reports here's the point. 1014 | 1015 | 254 1016 | 00:42:58.530 --> 00:43:17.430 1017 | Michael Shannon: GDPR's really big on this, you should only in that phase generate and create and produce data that's meaningful for something just creating mountains of raw data, because you can. 1018 | 1019 | 255 1020 | 00:43:18.510 --> 00:43:19.800 1021 | Michael Shannon: is a bad idea. 1022 | 1023 | 256 1024 | 00:43:22.050 --> 00:43:30.030 1025 | Michael Shannon: it's not a best practice, so we really want to create data with a purpose we generate data with a purpose. 1026 | 1027 | 257 1028 | 00:43:31.200 --> 00:43:34.950 1029 | Michael Shannon: In that in those first early phases of the data life cycle. 1030 | 1031 | 258 1032 | 00:43:36.300 --> 00:43:38.730 1033 | Michael Shannon: Okay, it should be meaningful. 1034 | 1035 | 259 1036 | 00:43:39.750 --> 00:43:53.520 1037 | Michael Shannon: And, especially when you think about okay my management VLAN or whatever tools I'm using if I just create tons of unfiltered logs and I alerts and alarms and.
1038 | 1039 | 260 1040 | 00:43:54.630 --> 00:44:08.040 1041 | Michael Shannon: NetFlow records vide was producing tons and tons of information that it's just going to be raw data that I'm never gonna make into information that's just more things to be breached. 1042 | 1043 | 261 1044 | 00:44:09.480 --> 00:44:16.770 1045 | Michael Shannon: that's just more low hanging fruit, not just for privileged insiders but for people that can breach your firewall. 1046 | 1047 | 262 1048 | 00:44:17.820 --> 00:44:34.200 1049 | Michael Shannon: So you know they're really big on understanding why you need to produce or create data and be specific and only do it for those reasons, only acquire data that you need they're really big on that. 1050 | 1051 | 263 1052 | 00:44:34.980 --> 00:44:42.480 1053 | Michael Shannon: Now, and then now once you have that mentality, then it's going to involve another other tools. 1054 | 1055 | 264 1056 | 00:44:43.140 --> 00:44:53.760 1057 | Michael Shannon: right to protect that data obviously encrypting data at rest or roomy send data in transit, you know, using protection mechanisms. 1058 | 1059 | 265 1060 | 00:44:54.450 --> 00:45:05.880 1061 | Michael Shannon: To provide confidentiality integrity origin authentication availability all of those things you may even you know, instead of encrypting data, you may tokenize the data. 1062 | 1063 | 266 1064 | 00:45:06.630 --> 00:45:16.830 1065 | Michael Shannon: Removing data that direct has any directly identifying elements right generating tokens or pseudonyms that are irreversible or non reversible. 1066 | 1067 | 267 1068 | 00:45:18.210 --> 00:45:26.820 1069 | Michael Shannon: tokenizing national ID numbers Social Security numbers other identifying information. 1070 | 1071 | 268 1072 | 00:45:28.590 --> 00:45:32.310 1073 | Michael Shannon: tokenization is often a system.
1074 | 1075 | 269 1076 | 00:45:33.360 --> 00:45:40.260 1077 | Michael Shannon: Like you have a middle tier tokenization server engine and may be done in the cloud like with Azure. 1078 | 1079 | 270 1080 | 00:45:42.540 --> 00:45:54.150 1081 | Michael Shannon: we're going to cover this again in database security that was just an example of saying Okay, once we have a philosophy that the GDPR wants is to have data minimization. 1082 | 1083 | 271 1084 | 00:45:57.150 --> 00:46:05.610 1085 | Michael Shannon: Where we really are only producing or creating the raw data that we need to become information and then knowledge. 1086 | 1087 | 272 1088 | 00:46:08.100 --> 00:46:19.320 1089 | Michael Shannon: Then we have other mechanisms that, by the way, tokenization schemes should only be operating on meaningful data. 1090 | 1091 | 273 1092 | 00:46:23.580 --> 00:46:39.210 1093 | Michael Shannon: As the student asked like Sebastian asked being familiar with the granular aspects of different control frameworks, not so much understanding why we use them in the importance of them definitely. 1094 | 1095 | 274 1096 | 00:46:40.230 --> 00:46:55.140 1097 | Michael Shannon: But here, this describes some of the attributes and, from a practical standpoint like ISO/IEC a lot of Oregon a lot of organizations in certain countries will avoid. 1098 | 1099 | 275 1100 | 00:46:56.100 --> 00:47:17.760 1101 | Michael Shannon: ISO/IEC and they'll they'll rely upon something that is maybe specific to their country like if you're in the UK, for example, you may forgo ISO/IEC with some other mandate that is specific to your country, because ISO/IEC is super broad. 1102 | 1103 | 276 1104 | 00:47:18.840 --> 00:47:21.510 1105 | Michael Shannon: Massive and it's expensive.
1106 | 1107 | 277 1108 | 00:47:23.280 --> 00:47:42.900 1109 | Michael Shannon: So it depends on which country you're in okay NIST, the importance of NIST is the fact that (ISC)² will generate a lot of their their questions from this NIST point of view, like I said they're very NIST-y okay. 1110 | 1111 | 278 1112 | 00:47:44.730 --> 00:48:02.430 1113 | Michael Shannon: COBIT 5 is specific remember the ISACA I mentioned earlier, this is the organization that has the CISM and CISA certification certified information security, a auditor or em manager. 1114 | 1115 | 279 1116 | 00:48:03.270 --> 00:48:13.380 1117 | Michael Shannon: So they also have the COBIT 5 framework but that's why I mentioned to you, you know go find a 2001 CSM book. 1118 | 1119 | 280 1120 | 00:48:13.950 --> 00:48:33.660 1121 | Michael Shannon: Maybe the highest rated book on whatever site you go to and add that to your reading list for the exam because ISACA is also very NIST-y they come from the same kind of point of view, as the (ISC)², but there are others that are you know. 1122 | 1123 | 281 1124 | 00:48:34.830 --> 00:48:39.090 1125 | Michael Shannon: More more European or other parts of the world right. 1126 | 1127 | 282 1128 | 00:48:40.590 --> 00:48:41.070 1129 | Michael Shannon: uh. 1130 | 1131 | 283 1132 | 00:48:42.090 --> 00:48:48.270 1133 | Michael Shannon: don't even ask me to pronounce that Dave could I think Dave's a francophone. 1134 | 1135 | 284 1136 | 00:48:50.310 --> 00:48:54.180 1137 | Michael Shannon: I think everybody, where he lives speaks French to some degree. 1138 | 1139 | 285 1140 | 00:48:56.040 --> 00:49:03.510 1141 | Michael Shannon: But there's others like I said don't focus on the granular differences focus on the why security, governance. 1142 | 1143 | 286 1144 | 00:49:05.130 --> 00:49:06.240 1145 | Michael Shannon: This is interesting.
1146 | 1147 | 287 1148 | 00:49:08.130 --> 00:49:17.640 1149 | Michael Shannon: organizations are going to face cyber threats in three main areas now one thing on this exam you will need to be aware of the threat scape. 1150 | 1151 | 288 1152 | 00:49:18.630 --> 00:49:35.220 1153 | Michael Shannon: Okay, the threat scape but we don't spend like a long I don't spend like an hour on the different types of attacks and things that's like Security+ stuff that's like SSCP. 1154 | 1155 | 289 1156 | 00:49:36.390 --> 00:49:50.190 1157 | Michael Shannon: Or the GSEC from the GIAC Those are three of your kind of I've got a year of experience in security certifications Security+ it's recommended. 1158 | 1159 | 290 1160 | 00:49:52.440 --> 00:49:58.020 1161 | Michael Shannon: But you don't have to have a year of experience to get CompTIA Security+, SSCP. 1162 | 1163 | 291 1164 | 00:49:59.190 --> 00:50:12.840 1165 | Michael Shannon: Is what some of you may get you may decide I don't really have the work experience so I'll go get the SSCP which needs one year and then, when I get my experience I'll get the CISSP. 1166 | 1167 | 292 1168 | 00:50:14.550 --> 00:50:18.450 1169 | Michael Shannon: The GIAC has the GSEC. 1170 | 1171 | 293 1172 | 00:50:20.280 --> 00:50:29.640 1173 | Michael Shannon: Certification which is one year of experience, you have to go through sans.org point I'm making is those certifications you'll spend. 1174 | 1175 | 294 1176 | 00:50:30.720 --> 00:50:39.690 1177 | Michael Shannon: A lot of your time on you know what's a worm versus a virus what's a polymorphic worm. 1178 | 1179 | 295 1180 | 00:50:41.610 --> 00:50:46.770 1181 | Michael Shannon: what's the what's the remote access Trojan we're not going to spend hours doing that. 1182 | 1183 | 296 1184 | 00:50:48.480 --> 00:50:48.900 1185 | Michael Shannon: Okay.
1186 | 1187 | 297 1188 | 00:50:50.670 --> 00:51:06.240 1189 | Michael Shannon: So categorically from a security manager standpoint, I want to know that you know our three areas are disruption right denial of service just distributed denial of service botnets ransomware. 1190 | 1191 | 298 1192 | 00:51:07.440 --> 00:51:15.480 1193 | Michael Shannon: compromising your IoT your new thing with has an IPv6 or IPv4 address on it. 1194 | 1195 | 299 1196 | 00:51:17.430 --> 00:51:22.290 1197 | Michael Shannon: This new thing you got with there was you know this robotic system. 1198 | 1199 | 300 1200 | 00:51:23.400 --> 00:51:36.600 1201 | Michael Shannon: That they used, you know Raspberry Pi for the operating system or Arduino or something like that, and you haven't fully secured it so they're going to disrupt it with a denial of service attack or distortion. 1202 | 1203 | 301 1204 | 00:51:38.070 --> 00:51:51.630 1205 | Michael Shannon: You know what's interesting is one of the emerging methods of distortion is to take advantage of your reliance as an organization on machine learning tools and algorithms. 1206 | 1207 | 302 1208 | 00:51:52.230 --> 00:52:03.300 1209 | Michael Shannon: Because what happens is this this usually happens whenever some new technology becomes the thing companies implement machine learning tools and algorithms. 1210 | 1211 | 303 1212 | 00:52:03.960 --> 00:52:16.530 1213 | Michael Shannon: on site on premise and in the cloud and they rely too heavily on the machine learning or the AI's results not realizing that that. 1214 | 1215 | 304 1216 | 00:52:17.190 --> 00:52:32.400 1217 | Michael Shannon: input to the machine learning engine or algorithm can be poisoned an attacker can poison and we're if we're just blindly taking actions based on the results of the AI and the machine learning. 1218 | 1219 | 305 1220 | 00:52:33.840 --> 00:52:38.820 1221 | Michael Shannon: They're, they're distorting our organization or functionality.
1222 | 1223 | 306 1224 | 00:52:45.390 --> 00:52:46.560 1225 | Michael Shannon: deterioration. 1226 | 1227 | 307 1228 | 00:52:47.700 --> 00:53:02.580 1229 | Michael Shannon: Breaking down your usage of smart contracts or just deterioration could also be considered the results of an advanced persistent threat can be state based can be a crime syndicate it's a long term. 1230 | 1231 | 308 1232 | 00:53:03.720 --> 00:53:11.610 1233 | Michael Shannon: You know they have the long view in mind to just slowly deteriorate and compromise your organization. 1234 | 1235 | 309 1236 | 00:53:13.260 --> 00:53:17.760 1237 | Michael Shannon: that's deterioration is more what you see with cyber warfare. 1238 | 1239 | 310 1240 | 00:53:19.560 --> 00:53:32.010 1241 | Michael Shannon: Yes, we see disruption, yes, we see distortion, but in a state based world wars see that we're in is just the long game of just deterioration of systems. 1242 | 1243 | 311 1244 | 00:53:36.180 --> 00:53:40.410 1245 | Michael Shannon: And so, some of the emerging types of cybercrime issues. 1246 | 1247 | 312 1248 | 00:53:42.000 --> 00:53:54.690 1249 | Michael Shannon: AI enhanced I mentioned how you, you can poison, but also the malicious software is AI driven it can adapt quicker than we can respond to it. 1250 | 1251 | 313 1252 | 00:53:55.590 --> 00:54:16.350 1253 | Michael Shannon: AI fuzzing just shoving so much at us to overwhelm our system, AI fuzzing to accelerate a zero day attack once an organization discovers this zero-day code as soon as it's discovered the next variant is right behind it. 1254 | 1255 | 314 1256 | 00:54:17.610 --> 00:54:23.400 1257 | Michael Shannon: already mentioned Trojans and back doors that can poison machine learning tools. 1258 | 1259 | 315 1260 | 00:54:24.660 --> 00:54:30.810 1261 | Michael Shannon: hacking smart contracts Okay, more and more entities.
1262 | 1263 | 316 1264 | 00:54:32.220 --> 00:54:40.920 1265 | Michael Shannon: Moving forward new companies new organizations new partnerships are not going to be traditionally. 1266 | 1267 | 317 1268 | 00:54:43.230 --> 00:55:00.120 1269 | Michael Shannon: established with a bunch if you think about what it, I mean a corporation or an entity or an llc or a partnership, whatever the business is it's really historically it's really just a bunch of contracts and agreements right. 1270 | 1271 | 318 1272 | 00:55:01.890 --> 00:55:14.940 1273 | Michael Shannon: You make your company is is a contract and agreement between management and employees vendors customers partners it's a bunch of contracts and agreements. 1274 | 1275 | 319 1276 | 00:55:17.280 --> 00:55:20.460 1277 | Michael Shannon: And you know at the state we're in today. 1278 | 1279 | 320 1280 | 00:55:21.750 --> 00:55:25.170 1281 | Michael Shannon: Many of those are corrupted or there. 1282 | 1283 | 321 1284 | 00:55:26.280 --> 00:55:39.960 1285 | Michael Shannon: have been taken advantage of dummy corporations, many of them right false front organizations and corporations embezzlement The list goes on and on. 1286 | 1287 | 322 1288 | 00:55:41.010 --> 00:55:49.980 1289 | Michael Shannon: So smart contracts, a company built that way on a ledger that's distributed that has to have you know some level of. 1290 | 1291 | 323 1292 | 00:55:51.660 --> 00:56:13.170 1293 | Michael Shannon: Some methodology for even being able to write to the ledger some consensus agreement on a certain percentage of the parties that type of blockchain mentality will eventually remove a lot of the corruption that is involved in corporate entities, but even those can be hacked. 1294 | 1295 | 324 1296 | 00:56:14.610 --> 00:56:21.120 1297 | Michael Shannon: A company built an organization built on smart contracts everything's written to a blockchain. 
1298 | 1299 | 325 1300 | 00:56:23.310 --> 00:56:29.370 1301 | Michael Shannon: And cloud computing vulnerabilities which we're going to talk about the CISSP exam. 1302 | 1303 | 326 1304 | 00:56:30.750 --> 00:56:44.250 1305 | Michael Shannon: This one that you're studying for there's several areas of technology that have been added over the previous version and versions, one of them is cloud computing. 1306 | 1307 | 327 1308 | 00:56:45.360 --> 00:57:05.760 1309 | Michael Shannon: there's a little bit more application and software development, security and there's there's more on mobile mobile devices mobility IoT specialty devices Okay, those are areas that you may have to fill in some some gaps on. 1310 | 1311 | 328 1312 | 00:57:07.230 --> 00:57:12.240 1313 | Michael Shannon: Now this is not they like, I said, they have a dedicated cloud security professional. 1314 | 1315 | 329 1316 | 00:57:15.540 --> 00:57:16.020 1317 | Michael Shannon: But. 1318 | 1319 | 330 1320 | 00:57:17.460 --> 00:57:26.220 1321 | Michael Shannon: You still will get some cloud questions on this exam, this is a, this is not something to memorize but It just shows you as a. 1322 | 1323 | 331 1324 | 00:57:27.930 --> 00:57:33.120 1325 | Michael Shannon: This was a really big deal to people, which is why we're going to cover cloud security okay. 1326 | 1327 | 332 1328 | 00:57:36.780 --> 00:57:49.170 1329 | Michael Shannon: And again, you know these are the biggest cloud security challenges, and this is, you know secure configuration of your workloads and data in the cloud, those are the biggies. 1330 | 1331 | 333 1332 | 00:58:00.480 --> 00:58:01.620 1333 | Michael Shannon: So I'm having a hard time. 1334 | 1335 | 334 1336 | 00:58:03.000 --> 00:58:05.700 1337 | Michael Shannon: Moving my files alright so. 1338 | 1339 | 335 1340 | 00:58:06.930 --> 00:58:08.190 1341 | Michael Shannon: licensing issues.
1342 | 1343 | 336 1344 | 00:58:09.480 --> 00:58:17.250 1345 | Michael Shannon: Okay, that makes sense, this kind of goes back to the DRM topic or information rights management. 1346 | 1347 | 337 1348 | 00:58:18.150 --> 00:58:26.190 1349 | Michael Shannon: there's different types of licenses today, though, we see more and more of the click through license which is you. 1350 | 1351 | 338 1352 | 00:58:26.910 --> 00:58:35.670 1353 | Michael Shannon: When you install the, off the shelf whatever you are agreeing to the license right it's The thing that most of us. 1354 | 1355 | 339 1356 | 00:58:36.240 --> 00:58:50.190 1357 | Michael Shannon: Who install software never read coming right, I mean do you do, you always read through every single line of the click through license agreement, maybe you do if you do good for you now. 1358 | 1359 | 340 1360 | 00:58:51.540 --> 00:59:01.530 1361 | Michael Shannon: It says, obviously I don't but but on a commercial basis on an enterprise basis, you should be aware of the licensing there's also. 1362 | 1363 | 341 1364 | 00:59:02.610 --> 00:59:09.990 1365 | Michael Shannon: licensing that's part of your service level agreements with service providers Those are two very common areas okay. 1366 | 1367 | 342 1368 | 00:59:11.280 --> 00:59:14.130 1369 | Michael Shannon: let's take a let's take our second break. 1370 | 1371 | 343 1372 | 00:59:15.240 --> 00:59:23.250 1373 | Michael Shannon: 15 minutes and then we'll come back and we'll have another hour and 15 minutes to finish up our final. 1374 | 1375 | 344 1376 | 00:59:24.240 --> 00:59:44.160 1377 | Michael Shannon: set of slides, which is really going to be continuing security, governance but we're going to now get a little bit more granular where our security, governance is going to start to look at policy right policy guidance best practices, those types of things right so i'm going to. 
1378 | 1379 | 345 1380 | 00:59:46.410 --> 00:59:49.020 1381 | Michael Shannon: By the way, we will talk about tokenization again. 1382 | 1383 | 346 1384 | 00:59:51.090 --> 01:00:01.470 1385 | Michael Shannon: That slide was in there, just as an example of what you can do with that minimize data we have a whole data security. 1386 | 1387 | 347 1388 | 01:00:02.850 --> 01:00:08.430 1389 | Michael Shannon: module do you want to call it that Okay, we have a whole data security thing to cover. 1390 | 1391 | 348 1392 | 01:00:09.480 --> 01:00:18.210 1393 | Michael Shannon: Like I said this first day really is very global very macro okay so I'm going to go and stop the recording. 1394 | 1395 | 349 1396 | 01:00:19.320 --> 01:00:20.880 1397 | Michael Shannon: And I'll see you back here in in. 1398 | 1399 | -------------------------------------------------------------------------------- /Archive/Session2 transcripts/part03.vtt: -------------------------------------------------------------------------------- 1 | WEBVTT 2 | 3 | 1 4 | 00:00:10.440 --> 00:00:15.900 5 | Michael Shannon: Alright, welcome back from break everybody we're gonna finish up our final hour of our day two. 6 | 7 | 2 8 | 00:00:16.949 --> 00:00:21.150 9 | Michael Shannon: of our CISSP boot camp with Mike and Dave. 10 | 11 | 3 12 | 00:00:22.320 --> 00:00:26.490 13 | Michael Shannon: sounds like a morning radio show the Mike and Dave show. 14 | 15 | 4 16 | 00:00:27.660 --> 00:00:38.130 17 | Michael Shannon: And we're going to continue our practical cryptography here, looking at digital signatures, a form of electronic signature that had the goal. 18 | 19 | 5 20 | 00:00:38.520 --> 00:00:49.530 21 | Michael Shannon: To either augment or replace physical handwritten signatures, and in many countries, a digital signature is considered just as valid as a written signature. 
22 | 23 | 6 24 | 00:00:51.360 --> 00:01:00.780 25 | Michael Shannon: So let's talk about how you create or how you do the digitally signing process now one thing to remember about digital signatures. 26 | 27 | 7 28 | 00:01:02.880 --> 00:01:08.640 29 | Michael Shannon: kind of find this lot, I want to be on there we go is that this is not confidentiality. 30 | 31 | 8 32 | 00:01:09.600 --> 00:01:23.760 33 | Michael Shannon: Okay, so, for example, let's say I have something like a purchase order or maybe something is a contract or an agreement, maybe it's an API whatever this goes to a cryptographic hash. 34 | 35 | 9 36 | 00:01:24.360 --> 00:01:39.330 37 | Michael Shannon: It says SHA-1 on the diagram, but this is a little bit older diagram so let's say, we would like to gravitate towards SHA-2 Okay, and then it generates that let's say a SHA-256 it'll be a 256 bit. 38 | 39 | 10 40 | 00:01:40.740 --> 00:01:44.130 41 | Michael Shannon: fingerprint or digest right so that's the result. 42 | 43 | 11 44 | 00:01:46.260 --> 00:02:04.410 45 | Michael Shannon: That is what is quote signed or basically encrypted with the private key so the sender generates an RSA key pair Okay, or it could be elliptic curve DSA also commonly used, but that. 46 | 47 | 12 48 | 00:02:04.950 --> 00:02:13.200 49 | Michael Shannon: algorithm is what is used to encrypt the fingerprint and so obviously when you encrypt it. 50 | 51 | 13 52 | 00:02:14.010 --> 00:02:21.690 53 | Michael Shannon: you're going to have a different result and that's what gets attached or appended to the original transactions. 54 | 55 | 14 56 | 00:02:22.140 --> 00:02:29.580 57 | Michael Shannon: purchase order and so on the other side, you know they're going to have the public key and you know this key. 58 | 59 | 15 60 | 00:02:30.570 --> 00:02:41.640 61 | Michael Shannon: It can either be obtained through some handshake to an out of band method, but usually this public key of the sender is in a certificate. 
62 | 63 | 16 64 | 00:02:42.360 --> 00:02:59.790 65 | Michael Shannon: Okay, in a certificate and both parties are relying upon a trusted third party right so remember this is integrity, this is origin authentication. 66 | 67 | 17 68 | 00:03:00.420 --> 00:03:06.600 69 | Michael Shannon: And it's non-repudiation right, so this sender cannot come back at a later time and say. 70 | 71 | 18 72 | 00:03:07.200 --> 00:03:13.830 73 | Michael Shannon: I didn't sign that digital contract I didn't do that digital agreement I didn't send or receive that money. 74 | 75 | 19 76 | 00:03:14.400 --> 00:03:30.360 77 | Michael Shannon: because their private key was used and they're responsible for their private key okay so but what's not happening here is confidentiality, if you want that, then you would send it through some secure channel. 78 | 79 | 20 80 | 00:03:31.410 --> 00:03:38.250 81 | Michael Shannon: Transport layer security an IPsec VPN something like that okay now. 82 | 83 | 21 84 | 00:03:39.450 --> 00:03:52.740 85 | Michael Shannon: lots of things are digitally signed okay here we're talking about you know, a purchase order or whatever, but one of the best practices to be aware of, on the exam is, we would like to digitally sign. 86 | 87 | 22 88 | 00:03:53.700 --> 00:04:13.500 89 | Michael Shannon: All of these things that we get from vendors, or whatever you get an ISO image, you get a device driver you download something it's digitally signed, so you get those you get those high degree of confidence of integrity origin authentication non-repudiation. 90 | 91 | 23 92 | 00:04:14.850 --> 00:04:27.000 93 | Michael Shannon: A digital certificate is one of those things it's also commonly digitally signed Okay, and so a certificate, you know just has fields, it has metadata. 
94 | 95 | 24 96 | 00:04:27.570 --> 00:04:48.450 97 | Michael Shannon: and basically a digital certificate has information in it that ties that certificate and their public key to some entity, it could be a person, it could be an organization, it could be a device like a router or a firewall Okay, it could be some service running. 98 | 99 | 25 100 | 00:04:49.650 --> 00:04:57.960 101 | Michael Shannon: The certificate's going to have and usually we use the X.509 version three certificate, so in that it'll have. 102 | 103 | 26 104 | 00:04:58.470 --> 00:05:24.180 105 | Michael Shannon: Some information about who the party is right, the subject we called it now that field historically it's called the subject field but we don't really use that field anymore Okay, so in the in the 509 certificate we use a field called subject alternative name. 106 | 107 | 27 108 | 00:05:25.410 --> 00:05:31.170 109 | Michael Shannon: Okay I'm just going to do this subject alternate here's an I'll tell you the main reason why. 110 | 111 | 28 112 | 00:05:31.710 --> 00:05:41.070 113 | Michael Shannon: The main reason why we use the subject alternative name field is so that you can put an IP version six address in there, instead of some domain name. 114 | 115 | 29 116 | 00:05:41.970 --> 00:05:49.380 117 | Michael Shannon: that's really why because eventually everything's going to be identified end to end with IP version six. 118 | 119 | 30 120 | 00:05:50.130 --> 00:06:00.480 121 | Michael Shannon: So we use that field so that's something about the entity, possibly their IPv6 address also they're going to have. 122 | 123 | 31 124 | 00:06:00.930 --> 00:06:09.900 125 | Michael Shannon: generated some there's some algorithms that are going to be used for what was the algorithm that was used to generate their key pair right. 
126 | 127 | 32 128 | 00:06:10.800 --> 00:06:20.220 129 | Michael Shannon: Because the public key is going to be in there, what algorithm that I use it, I use RSA or elliptic curve dsa Okay, I need to know that algorithm and that certificate. 130 | 131 | 33 132 | 00:06:20.850 --> 00:06:42.150 133 | Michael Shannon: also need to know what was used to sign that digital certificate, so if we go back to this diagram right what we want to know in this say this is a certificate down and not a purchase order right, well, we want to know a couple of things in the certificate, ultimately, you know what. 134 | 135 | 34 136 | 00:06:43.200 --> 00:07:01.260 137 | Michael Shannon: Did you use to sign it, or what was the algorithm used to create the hash and what was used to digitally sign it okay and we're going to talk about who digitally signs it in a minute it's usually the entity that that. 138 | 139 | 35 140 | 00:07:02.280 --> 00:07:11.130 141 | Michael Shannon: offers or gives that digital certificate to the entity, because the entity, probably went through some enrollment process with some authority. 142 | 143 | 36 144 | 00:07:12.300 --> 00:07:21.540 145 | Michael Shannon: And that authority digitally signed it OK, so the public key the algorithms that are used the digital signature. 146 | 147 | 37 148 | 00:07:22.560 --> 00:07:33.180 149 | Michael Shannon: Other metadata, for example, the certificate will have a serial number in there and that serial number, which is a unique it's not really even a serial number anymore okay. 150 | 151 | 38 152 | 00:07:33.780 --> 00:07:44.640 153 | Michael Shannon: that's not that's not a good name for it, the reason the reason why it's still called serial number is because early on those numbers were issued in series. 154 | 155 | 39 156 | 00:07:45.180 --> 00:07:53.100 157 | Michael Shannon: But we don't do that anymore, the number is a pseudo it's a very large pseudo random number because. 
158 | 159 | 40 160 | 00:07:53.880 --> 00:08:05.610 161 | Michael Shannon: By by issuing them in series that was kind of a vulnerability, you know you could you could determine like the next serial number, so we don't do that anymore, but that serial number is super important. 162 | 163 | 41 164 | 00:08:06.090 --> 00:08:17.790 165 | Michael Shannon: Because it's mapped to that public key and that subject let's say in a domain name or an ipv6 address right and that serial numbers important because. 166 | 167 | 42 168 | 00:08:18.150 --> 00:08:25.020 169 | Michael Shannon: That is the thing that we may have to say, this is not valid anymore and we're going to let everybody know. 170 | 171 | 43 172 | 00:08:25.320 --> 00:08:45.690 173 | Michael Shannon: This particular serial number is not valid, you cannot trust somebody using this public key or this certificate yeah pseudo random number, not a purely random number purely random generated numbers are kind of difficult to create pseudo random okay. 174 | 175 | 44 176 | 00:08:46.770 --> 00:08:47.850 177 | Michael Shannon: Random enough. 178 | 179 | 45 180 | 00:08:49.560 --> 00:08:50.640 181 | Michael Shannon: Alright, so. 182 | 183 | 46 184 | 00:08:53.940 --> 00:09:08.760 185 | Michael Shannon: Often, what we use in the signing process is elliptic curve cryptography we've already talked about that, and because we have you know mobile devices and phones and iot and other things that are going to have certificates on them. 186 | 187 | 47 188 | 00:09:09.630 --> 00:09:22.200 189 | Michael Shannon: it's nice to use the elliptic curve cryptography because it even says here a 256 elliptic curve key is equivalent to a 3072. 190 | 191 | 48 192 | 00:09:23.250 --> 00:09:24.840 193 | Michael Shannon: legacy or normal key. 194 | 195 | 49 196 | 00:09:26.550 --> 00:09:27.480 197 | Michael Shannon: that's pretty good to know. 
198 | 199 | 50 200 | 00:09:32.700 --> 00:09:44.070 201 | Michael Shannon: Sorry, whenever I have my whenever I use my annotation tools, I can't move my slides forward okay so other topics. 202 | 203 | 51 204 | 00:09:44.640 --> 00:09:54.030 205 | Michael Shannon: Now we're going to revisit digital signatures and digital certificates in a little bit when we talk about public key infrastructure but there's some other topics that are on the exam. 206 | 207 | 52 208 | 00:09:55.230 --> 00:10:06.390 209 | Michael Shannon: We talked about cryptographers and cryptanalysis and this is all under the umbrella will be called cryptology the study of crypto systems, the study of ciphers. 210 | 211 | 53 212 | 00:10:06.870 --> 00:10:20.040 213 | Michael Shannon: And it's like a seesaw where sometimes the cryptographers are ahead and sometimes the analysts are ahead by just constant battle and, by the way, this is not necessarily adversarial. 214 | 215 | 54 216 | 00:10:21.120 --> 00:10:32.850 217 | Michael Shannon: We need cryptanalysis experts, because we need to test our crypto systems, we need to put them through rigorous brute force. 218 | 219 | 55 220 | 00:10:33.330 --> 00:10:40.680 221 | Michael Shannon: tests and attacks to determine the trustworthiness so it's like not it's not always an adversarial thing. 222 | 223 | 56 224 | 00:10:41.160 --> 00:10:47.370 225 | Michael Shannon: quantum computing we hear about quantum computing and we immediately think Oh, this is an adversarial. 226 | 227 | 57 228 | 00:10:48.240 --> 00:10:57.960 229 | Michael Shannon: type of technology, that the only goal of quantum computing is to crack crypto systems well that's just not true, is it possible. 230 | 231 | 58 232 | 00:10:58.920 --> 00:11:12.360 233 | Michael Shannon: Is it probable eventually but just as you have quantum computing you have what's called post quantum where the cryptographers are already thinking about things to stay ahead of the quantum computers. 
234 | 235 | 59 236 | 00:11:12.930 --> 00:11:26.040 237 | Michael Shannon: But what makes quantum computing get its power is the fact that it uses what's called superposition whereas you know, a normal server or a PC or a 64 bit operating system is going to. 238 | 239 | 60 240 | 00:11:26.820 --> 00:11:43.950 241 | Michael Shannon: operate or it's going to process 64 bits at a time which is still pretty good it's 64 zeros and ones at a time, a quantum computer is relying on the fact that it uses qubits so it can express multiple numerous. 242 | 243 | 61 244 | 00:11:44.730 --> 00:11:56.490 245 | Michael Shannon: combinations of one and zero at the same time, and that superposition is what gives it its power and so quantum computing is going to lead to you know, obviously. 246 | 247 | 62 248 | 00:11:58.200 --> 00:12:07.470 249 | Michael Shannon: Doing analytics much faster high performance computing is going to you know empower artificial intelligence and all those things. 250 | 251 | 63 252 | 00:12:08.130 --> 00:12:32.100 253 | Michael Shannon: But it can again potentially be used to crack crypto systems and that's not good, so the cryptographers are now involved in post quantum cryptography which is going to be, you know larger key spaces right larger symmetric key sizes and 512 larger asymmetric key sizes than 4096. 254 | 255 | 64 256 | 00:12:34.500 --> 00:12:46.440 257 | Michael Shannon: crypto systems use trapdoor functions basically it's easy to compute compute in one direction but difficult and the opposite like a cryptographic hash is a form of trapdoor function. 258 | 259 | 65 260 | 00:12:47.550 --> 00:12:54.360 261 | Michael Shannon: So developing more complex trapdoor functions lattice-based cryptography. 
262 | 263 | 66 264 | 00:12:56.430 --> 00:13:16.020 265 | Michael Shannon: These are also showing resistance, these are developed for resistance to quantum computing Diffie-Hellman right, so we went from Diffie-Hellman key exchange to elliptic curve Diffie-Hellman and now we're getting past that so this final bullet point. 266 | 267 | 67 268 | 00:13:18.390 --> 00:13:20.520 269 | Michael Shannon: supersingular isogeny. 270 | 271 | 68 272 | 00:13:21.990 --> 00:13:36.300 273 | Michael Shannon: That is actually the next generation of Diffie-Hellman ephemeral that already working on supersingular isogeny I downloaded the white paper on it and I'm good at math. 274 | 275 | 69 276 | 00:13:37.530 --> 00:13:40.290 277 | Michael Shannon: I was raised by an algebra teacher. 278 | 279 | 70 280 | 00:13:41.490 --> 00:13:51.240 281 | Michael Shannon: But man it just it blew my mind okay I'm not a mathematician, but it was way way above my pay grade but let's just say. 282 | 283 | 71 284 | 00:13:52.320 --> 00:14:00.630 285 | Michael Shannon: A mechanism for key exchange that has the goal of meeting the challenges of quantum computing okay. 286 | 287 | 72 288 | 00:14:03.420 --> 00:14:09.390 289 | Michael Shannon: Now we mentioned earlier, we have data at the very beginning, we have data in transit. 290 | 291 | 73 292 | 00:14:09.930 --> 00:14:22.200 293 | Michael Shannon: We have data at rest and we have data in use, so one of the primary methods to protect data in use and actually beyond that, to allow multiple parties. 294 | 295 | 74 296 | 00:14:22.770 --> 00:14:44.070 297 | Michael Shannon: To use encrypted data in use is homomorphic encryption, as a matter of fact AWS Amazon Web Services has a whole team of cryptographers they're they're constantly working on post quantum solutions and they have a whole team and they're you know. 298 | 299 | 75 300 | 00:14:45.450 --> 00:14:47.220 301 | Michael Shannon: solutions for. 
302 | 303 | 76 304 | 00:14:50.340 --> 00:15:06.360 305 | Michael Shannon: Protecting data in use, for example, data in reddest clusters, they it's not it's not really a fancy word it's just called cryptographic computing, I guess, they were able to you know. 306 | 307 | 77 308 | 00:15:07.440 --> 00:15:16.170 309 | Michael Shannon: crypto it doesn't sound like a phrase that they should be able to like use it's very generic but that's what their initiative is called. 310 | 311 | 78 312 | 00:15:16.830 --> 00:15:36.330 313 | Michael Shannon: And like I said, not only are they using homomorphic encryption to encrypt data in use so but, while being processed, it remains encrypted and uses algebraic operations advanced algebraic operations on the ciphertext it's an asymmetric crypto system. 314 | 315 | 79 316 | 00:15:37.980 --> 00:16:00.510 317 | Michael Shannon: But they also have other mechanisms that don't use cryptography special types of enclaves kind of similar to like the way the iPhone has the secure operating system inside of the iOS the SEPOS the secure enclave kind of that kind of mentality, but in the cloud. 318 | 319 | 80 320 | 00:16:02.550 --> 00:16:03.060 321 | Michael Shannon: So. 322 | 323 | 81 324 | 00:16:04.680 --> 00:16:14.820 325 | Michael Shannon: One of the main weaknesses, we think about you know cryptanalysis, you know how do we find vulnerabilities in crypto systems for the most part. 326 | 327 | 82 328 | 00:16:15.960 --> 00:16:33.990 329 | Michael Shannon: When we're using newer emerging crypto systems we're just not yet worried about brute force attacks, because the computing power and the time is not there yet, and by the time the quantum computers get rolling, we will have much larger key spaces and other mechanisms. 330 | 331 | 83 332 | 00:16:35.040 --> 00:16:43.320 333 | Michael Shannon: Most of the attacks of the of the analysis is leveraging poor implementation. 
334 | 335 | 84 336 | 00:16:44.700 --> 00:16:59.310 337 | Michael Shannon: Of an algorithm or a mechanism or poor key management just using a symmetric key for too long, of a time a weak a symmetric key or using MD5 things like that. 338 | 339 | 85 340 | 00:17:00.690 --> 00:17:15.840 341 | Michael Shannon: So key management is important that you have and, by the way, if you do this on site, most likely, this will be done is key management be done with a hardware security module an HSM. 342 | 343 | 86 344 | 00:17:16.770 --> 00:17:29.550 345 | Michael Shannon: Okay, all of these aspects of key management or you'll be using cloud HSM which is basically you're going to be using an abstracted HSM of. 346 | 347 | 87 348 | 00:17:30.420 --> 00:17:38.730 349 | Michael Shannon: hardware security modules that the cloud provider now whether you're able to do that or not, it depends on your governance some organizations. 350 | 351 | 88 352 | 00:17:39.150 --> 00:17:56.640 353 | Michael Shannon: Like like I don't know I don't even know if it's like PCI DSS don't quote me on this, but some mandates if the auditors are coming to do an audit your hardware security modules must be on premises or in your data center with physical security. 354 | 355 | 89 356 | 00:17:57.810 --> 00:18:08.400 357 | Michael Shannon: Other types of organizations who aren't don't have those requirements regulations can use cloud-based HSM so the cloud is kind of their you know their repository. 358 | 359 | 90 360 | 00:18:14.430 --> 00:18:34.980 361 | Michael Shannon: Another concept that's been around for a while, is taking a relatively weak key and stretching it there's algorithms like bcrypt or PBKDF2 that will go through these elaborate processes to stretch the original key so. 362 | 363 | 91 364 | 00:18:37.740 --> 00:18:43.380 365 | Michael Shannon: Like your original key is this is my password it will stretch into 128 bit. 
366 | 367 | 92 368 | 00:18:44.400 --> 00:18:45.660 369 | Michael Shannon: Very you know. 370 | 371 | 93 372 | 00:18:46.920 --> 00:18:58.890 373 | Michael Shannon: Strong alphanumeric key without you having to even worry about it sometimes when you download those password managers that you might be running on your. 374 | 375 | 94 376 | 00:18:59.400 --> 00:19:03.780 377 | Michael Shannon: workstation or your laptop like LastPass or. 378 | 379 | 95 380 | 00:19:04.350 --> 00:19:18.270 381 | Michael Shannon: Oh there's a bunch of them where you create a master password and you register everything with the with the manager and you just put in one master password it's like a single sign on to all of your web mail accounts and whatever. 382 | 383 | 96 384 | 00:19:18.690 --> 00:19:31.800 385 | Michael Shannon: Right often those tools will take your original master password and stretch it into something at least 128 bits, in fact, when we talk about wireless security. 386 | 387 | 97 388 | 00:19:33.180 --> 00:19:44.070 389 | Michael Shannon: WPA3 its personal mode actually does that it's a protocol called SAE simultaneous authentication of equals. 390 | 391 | 98 392 | 00:19:44.610 --> 00:19:55.110 393 | Michael Shannon: So with WPA3 you're at you know your access keys, or you know, whatever keys you use your you know your your wireless password can be simple. 394 | 395 | 99 396 | 00:19:55.830 --> 00:20:10.770 397 | Michael Shannon: And in the the algorithm will stretch it for you, so you can you can use easy to remember you know wireless passwords like your dog's name your cat's name things like that that's part of WPA3. 398 | 399 | 100 400 | 00:20:13.140 --> 00:20:18.570 401 | Michael Shannon: And I mentioned hardware security modules different companies provide these. 
402 | 403 | 101 404 | 00:20:19.080 --> 00:20:36.930 405 | Michael Shannon: crypto processing modules they have a lot, they have a wide variety of use cases SSL accelerators storing keys private keys public keys symmetric keys generating rotating they do a wide variety of things they're often in a one or two rack unit. 406 | 407 | 102 408 | 00:20:38.010 --> 00:20:52.980 409 | Michael Shannon: box and they they would be tamper resistant so like if you, you know, if you like, forced open the box, it would zeroize everything inside of it okay. 410 | 411 | 103 412 | 00:20:54.720 --> 00:21:11.850 413 | Michael Shannon: So these are very common as a matter of fact, a key management service a cloud based key management service it's basically under the hood is just fleets of virtualized hardware security modules running in a cluster. 414 | 415 | 104 416 | 00:21:13.800 --> 00:21:14.220 417 | Michael Shannon: Okay. 418 | 419 | 105 420 | 00:21:15.660 --> 00:21:18.060 421 | Michael Shannon: remember how I mentioned earlier, that you know. 422 | 423 | 106 424 | 00:21:19.590 --> 00:21:38.760 425 | Michael Shannon: It would be nice if somebody is getting somebody else's public key whether they're going to they want confidentiality, or whether they want origin I'm sorry, whether they want integrity or origin authentication you know if somebody says, I used my private key. 426 | 427 | 107 428 | 00:21:40.500 --> 00:21:43.920 429 | Michael Shannon: You have to kind of just trust that that private key is not compromised. 430 | 431 | 108 432 | 00:21:45.150 --> 00:21:48.180 433 | Michael Shannon: So a mechanism to. 434 | 435 | 109 436 | 00:21:49.470 --> 00:21:51.330 437 | Michael Shannon: build some trust. 438 | 439 | 110 440 | 00:21:52.710 --> 00:21:55.170 441 | Michael Shannon: began with a guy named Philip Zimmermann. 
442 | 443 | 111 444 | 00:21:56.460 --> 00:22:07.710 445 | Michael Shannon: and Phil Zimmermann was kind of like a Diffie and Hellman he kind of had his run in with the NSA because he created a protocol. 446 | 447 | 112 448 | 00:22:08.880 --> 00:22:32.580 449 | Michael Shannon: called pretty good privacy and it was built on the this web of trust on the Internet, so if one party trust let's say if Alice trusted Chris and Bob trusted Chris then Alice could trust Bob and they could have trusted primary and secondary trust and they could build a web of trust. 450 | 451 | 113 452 | 00:22:35.310 --> 00:22:40.980 453 | Michael Shannon: Sebastian a a trusted platform module is a form. 454 | 455 | 114 456 | 00:22:42.420 --> 00:23:04.320 457 | Michael Shannon: it's a you can consider it a smaller form factor of what HSM can do HSM full blown like HSMs can do a lot more, because the TPM is specific to the system board of the motherboard usually the hardware, but yeah it does as a lot of the same purposes. 458 | 459 | 115 460 | 00:23:05.430 --> 00:23:10.560 461 | Michael Shannon: Okay, of what it stores and and some of the use case yeah. 462 | 463 | 116 464 | 00:23:12.330 --> 00:23:19.170 465 | Michael Shannon: You can even have a trusted platform module or you can even have these kind of things running on like a on an SD card now. 466 | 467 | 117 468 | 00:23:21.720 --> 00:23:24.570 469 | Michael Shannon: I forgot, where I was OK so pk. 470 | 471 | 118 472 | 00:23:25.740 --> 00:23:36.750 473 | Michael Shannon: So Zimmermann introduced this concept of a web of trust in a trusted introducer so people could start doing like secure email on the World Wide Web, for example. 474 | 475 | 119 476 | 00:23:37.920 --> 00:23:48.390 477 | Michael Shannon: So public key infrastructure, which is an extensible architecture which means you can add functionality to it, it really solves two problems. 
478 | 479 | 120 480 | 00:23:49.470 --> 00:24:03.930 481 | Michael Shannon: One problem is I need a I need a scalable secure way to distribute my public key to a lot of different potential participants. 482 | 483 | 121 484 | 00:24:04.590 --> 00:24:24.750 485 | Michael Shannon: People that I want to have secure communications or transactions or activities with potentially a lot of people or systems on an ongoing basis, so I need something massively scalable globally scalable and secure and so that we can have a trusted third party. 486 | 487 | 122 488 | 00:24:26.880 --> 00:24:37.710 489 | Michael Shannon: That pretty much kind of backs up your public and private key because, in fact, in some situations, the the entity, like the user. 490 | 491 | 123 492 | 00:24:38.220 --> 00:24:46.980 493 | Michael Shannon: will generate the key pair but sometimes the trusted introducer or the trusted third party, the security. 494 | 495 | 124 496 | 00:24:47.730 --> 00:24:58.980 497 | Michael Shannon: authority, they can actually generate the key pair on your behalf for you and put it in your identity certificate, so you don't even have to generate the key pair. 498 | 499 | 125 500 | 00:24:59.460 --> 00:25:15.900 501 | Michael Shannon: Often the CA will do it for you put it in your certificate and they'll digitally digitally sign it so that's the first goal is to have this global way to really exchange public keys, so I can do, what I want to do. 502 | 503 | 126 504 | 00:25:18.240 --> 00:25:43.020 505 | Michael Shannon: The second main reason for a PKI is how does user a and user see and user D and on and on and on how do they find out if that private key and public key which is associated with an entity and a serial number is no longer valid because a couple of the other fields in the certificate. 
506 | 507 | 127 508 | 00:25:44.100 --> 00:26:07.290 509 | Michael Shannon: says this certificate is not valid before this date and time and it's not valid after this date and time usually a year, two years, three years, five years but there's a validity period that's two fields that's also in that certificate well if the if it's no longer valid. 510 | 511 | 128 512 | 00:26:08.490 --> 00:26:24.540 513 | Michael Shannon: And by the way, that validity thing can actually be, it is no longer valid or it can happen when devices that are interacting with the certificates their time clocks get screwed up. 514 | 515 | 129 516 | 00:26:26.040 --> 00:26:47.490 517 | Michael Shannon: So that's why like network time protocol that we often use, we need to use network time protocol version three because version three has confidentiality integrity and origin authentication of the communication between the client and server of NTP because if you can hack. 518 | 519 | 130 520 | 00:26:48.720 --> 00:26:50.850 521 | Michael Shannon: someone's network time protocol. 522 | 523 | 131 524 | 00:26:51.990 --> 00:27:00.840 525 | Michael Shannon: And you can let's say roll back the date and time you can then catastrophically affect all of their certificates. 526 | 527 | 132 528 | 00:27:02.490 --> 00:27:04.050 529 | Michael Shannon: Because they're no longer valid. 530 | 531 | 133 532 | 00:27:05.850 --> 00:27:17.040 533 | Michael Shannon: According to the devices that are processing, so this kind of goes hand in hand with protecting your network time protocol servers and the atomic clocks they connect to. 534 | 535 | 134 536 | 00:27:18.030 --> 00:27:26.250 537 | Michael Shannon: So, but there's other reasons, you know you can have an employee who loses their mobile device, or they lose their laptop or it gets stolen. 
538 | 539 | 135 540 | 00:27:26.490 --> 00:27:40.470 541 | Michael Shannon: or they leave the company and as part of the deprovisioning or offboarding process you let the CA know this certificate is no longer valid so a PKI has to have some way to revoke. 542 | 543 | 136 544 | 00:27:42.240 --> 00:27:46.080 545 | Michael Shannon: That certificate's serial number and let everybody know. 546 | 547 | 137 548 | 00:27:47.550 --> 00:28:02.040 549 | Michael Shannon: that's really when it gets right down to the two main reasons that we use PKI either an enterprise PKI which you can have that's just for the users and devices in your campus. 550 | 551 | 138 552 | 00:28:03.810 --> 00:28:14.850 553 | Michael Shannon: Or you could be using a trusted third party on the Internet Comodo, GeoTrust, DigiCert, Thawte the list goes on and on. 554 | 555 | 139 556 | 00:28:16.620 --> 00:28:17.040 557 | Michael Shannon: Okay. 558 | 559 | 140 560 | 00:28:19.200 --> 00:28:25.680 561 | Michael Shannon: So here's what happens the certificate authority, by the way, there is no higher authority. 562 | 563 | 141 564 | 00:28:28.530 --> 00:28:39.930 565 | Michael Shannon: If we look at whether it's you know, on the Internet, so their certificate, they have an identity certificates and they have a key pair but there's a self signed. 566 | 567 | 142 568 | 00:28:40.830 --> 00:28:46.170 569 | Michael Shannon: Now what that also means is there's a web of trust between these CAs. 570 | 571 | 143 572 | 00:28:47.160 --> 00:29:00.600 573 | Michael Shannon: And if there's an issue that happens, like with Symantec or whatever and there's been issues they've had to go and you know revoke a bunch of has been security issues they've had to revoke a bunch of certificates and reissue them there's been things that have happened. 
574 | 575 | 144 576 | 00:29:01.650 --> 00:29:08.910 577 | Michael Shannon: But for the most part they're very secure because they're using you know hardware security module secure data centers and all those things. 578 | 579 | 145 580 | 00:29:10.320 --> 00:29:18.720 581 | Michael Shannon: And by the way, it's also difficult if not impossible anymore to become a certificate authority, we already have too many. 582 | 583 | 146 584 | 00:29:19.770 --> 00:29:20.610 585 | Michael Shannon: already have too many. 586 | 587 | 147 588 | 00:29:21.900 --> 00:29:33.150 589 | Michael Shannon: Right, if you want to know go look at these certificates store either for your browser or in your operating system where you have root certificates for all these entities way too many. 590 | 591 | 148 592 | 00:29:36.270 --> 00:29:44.340 593 | Michael Shannon: But the it's the CA that signs this certificate which means they're using their private key to sign it. 594 | 595 | 149 596 | 00:29:46.260 --> 00:29:54.960 597 | Michael Shannon: And so the participants have to first get the root certificate of the CA which has their public key in it. 598 | 599 | 150 600 | 00:29:56.250 --> 00:30:01.830 601 | Michael Shannon: Or, they have to get the root certificate of a CA that trusts that CA. 602 | 603 | 151 604 | 00:30:03.420 --> 00:30:12.750 605 | Michael Shannon: And they're going to get the public keys of the participants, they want to communicate with in the form of a digital certificate now initially. 606 | 607 | 152 608 | 00:30:13.920 --> 00:30:22.380 609 | Michael Shannon: And remember, as I mentioned there's two algorithms involved in the X 509 v3 certificate okay to public key algorithms. 610 | 611 | 153 612 | 00:30:23.220 --> 00:30:38.280 613 | Michael Shannon: The subjects public key algorithm the subjects public key algorithm like some maybe elliptic curve 160 bit and then what was used to sign this certificate by the certificate authority. 
614 | 615 | 154 616 | 00:30:39.960 --> 00:30:40.380 617 | Michael Shannon: Okay. 618 | 619 | 155 620 | 00:30:42.480 --> 00:30:54.060 621 | Michael Shannon: Now the initial exchange of user A and user C, preferably that needs to be under some authenticated channel. 622 | 623 | 156 624 | 00:30:56.940 --> 00:31:22.170 625 | Michael Shannon: Fortunately, we have handshake protocols and things like TLS that are going to provide that mechanism for us. Now with us, with a certificate authority, it may be an enterprise, so you've got like a Windows CA or Red Hat enterprise CA and it's providing these services for your enterprise. 626 | 627 | 157 628 | 00:31:23.340 --> 00:31:28.710 629 | Michael Shannon: Either way, whether it's a public CA or enterprise, there may be some hierarchy. 630 | 631 | 158 632 | 00:31:30.900 --> 00:31:41.070 633 | Michael Shannon: Some hierarchy, and this is kind of like DNS instead of the root DNS servers responding to queries you've cached. 634 | 635 | 159 636 | 00:31:42.180 --> 00:31:57.360 637 | Michael Shannon: Responsibility to down level DNS servers the same thing here whether it's a service provider like GoDaddy or Thawte or an enterprise, you may have intermediate CAs that are the ones directly enrolling with. 638 | 639 | 160 640 | 00:31:59.370 --> 00:32:05.790 641 | Michael Shannon: And, and the root CA it may be offline and then just brought online periodically. 642 | 643 | 161 644 | 00:32:08.880 --> 00:32:13.740 645 | Michael Shannon: But there is a hierarchy and in that hierarchy we call that a chain. 646 | 647 | 162 648 | 00:32:14.940 --> 00:32:31.470 649 | Michael Shannon: And the chain has to be in there, the chain of trust, these are two other fields in the certificate, it was issued to, and it was issued by, and those issued to and issued by may be intermediate CAs. 650 | 651 | 163 652 | 00:32:33.210 --> 00:32:33.630 653 | Michael Shannon: OK.
654 | 655 | 164 656 | 00:32:38.220 --> 00:32:39.900 657 | Michael Shannon: notice the second bullet point. 658 | 659 | 165 660 | 00:32:41.190 --> 00:32:59.190 661 | Michael Shannon: Alternatively, it is very common for certificate authorities to cross certify each other without some strict hierarchical relationship being in place that sentence means that it's not necessary that user a. 662 | 663 | 166 664 | 00:33:00.150 --> 00:33:17.790 665 | Michael Shannon: and users see have the same root certificate of the same certificate authority now it's very common that they will because your browser stores or your operating system stores many, many routes certificates. 666 | 667 | 167 668 | 00:33:18.900 --> 00:33:20.070 669 | Michael Shannon: But on the Internet. 670 | 671 | 168 672 | 00:33:21.420 --> 00:33:29.430 673 | Michael Shannon: it's not necessary, in every situation because they can cross certify each other now if it's an enterprise CA. 674 | 675 | 169 676 | 00:33:30.210 --> 00:33:40.350 677 | Michael Shannon: every participant every mobile device every laptop has to have the root certificate of your CA server of your enterprise CA server. 678 | 679 | 170 680 | 00:33:41.310 --> 00:34:01.680 681 | Michael Shannon: Now if it's an enterprise CA that you're setting up one of the things is interesting about, that is when when you're the administrator and you set up the server you decide how often the list of revoked serial numbers gets distributed. 682 | 683 | 171 684 | 00:34:03.420 --> 00:34:06.630 685 | Michael Shannon: it's the it's the administrator that decides that. 686 | 687 | 172 688 | 00:34:08.040 --> 00:34:16.200 689 | Michael Shannon: And you can say you know what every four hours every 24 hours every 72 hours you decide. 
690 | 691 | 173 692 | 00:34:17.490 --> 00:34:34.410 693 | Michael Shannon: And the challenge, though with that certificate revocation list, which is the original method that's used is that if you decide to have a large window between when that list gets propagated. 694 | 695 | 174 696 | 00:34:35.730 --> 00:34:38.550 697 | Michael Shannon: That is a window of opportunity for an attacker. 698 | 699 | 175 700 | 00:34:39.990 --> 00:34:49.560 701 | Michael Shannon: Or if some certificate expires during the window it's still being used until the next revocation update. 702 | 703 | 176 704 | 00:34:51.030 --> 00:34:58.380 705 | Michael Shannon: So the CRL can be useful in an enterprise CA, can still, it's still used. 706 | 707 | 177 708 | 00:34:59.910 --> 00:35:06.690 709 | Michael Shannon: And even in some situations like legacy situations, you could use a back end RADIUS server. 710 | 711 | 178 712 | 00:35:07.890 --> 00:35:12.360 713 | Michael Shannon: To say hey here's your CRL server you could use RADIUS. 714 | 715 | 179 716 | 00:35:14.250 --> 00:35:23.100 717 | Michael Shannon: But on the Internet, this is just not practical so they came up with a protocol Oh, by the way, let me mention this. 718 | 719 | 180 720 | 00:35:24.330 --> 00:35:38.190 721 | Michael Shannon: The revocation list is a list of revoked serial numbers. As an administrator, as a CA administrator, let's say enterprise PKI, you could suspend a certificate. 722 | 723 | 181 724 | 00:35:39.300 --> 00:35:47.460 725 | Michael Shannon: Like somebody's going on a leave of absence, or they think they lost their device but they're not sure you can suspend it. 726 | 727 | 182 728 | 00:35:48.000 --> 00:36:02.490 729 | Michael Shannon: Now that's not going to be on the revocation list, but if you suspend it, you can reactivate it if you revoke it, you cannot reactivate it, you have to issue a new certificate and a new key pair and digitally sign that okay.
730 | 731 | 183 732 | 00:36:03.630 --> 00:36:04.980 733 | Michael Shannon: But you can suspend it. 734 | 735 | 184 736 | 00:36:06.180 --> 00:36:07.860 737 | Michael Shannon: But that's not the same thing as revoking. 738 | 739 | 185 740 | 00:36:10.020 --> 00:36:11.970 741 | Michael Shannon: So they came up with a protocol. 742 | 743 | 186 744 | 00:36:13.200 --> 00:36:27.540 745 | Michael Shannon: Because they want to send them as transactional like real time, like a real time database of revoked serial numbers, instead of some you know list that gets pushed and pulled at the whim of an administrator. 746 | 747 | 187 748 | 00:36:29.010 --> 00:36:44.250 749 | Michael Shannon: And this is what's used not always but, more often than not, on the Internet with web browsers and websites part of the problem is, this is not strictly enforced on the Internet. 750 | 751 | 188 752 | 00:36:45.780 --> 00:37:01.350 753 | Michael Shannon: Because here's the deal with vendors, with people who develop web browsers and all of the financial entities commercial entities that are on the World Wide Web they don't like things to get in the way. 754 | 755 | 189 756 | 00:37:02.430 --> 00:37:06.120 757 | Michael Shannon: between them and the consumer, they don't like overhead. 758 | 759 | 190 760 | 00:37:08.850 --> 00:37:11.850 761 | Michael Shannon: So this is still an ongoing. 762 | 763 | 191 764 | 00:37:13.260 --> 00:37:14.820 765 | Michael Shannon: initiative to use this. 766 | 767 | 192 768 | 00:37:15.900 --> 00:37:19.080 769 | Michael Shannon: method this transactional database. 770 | 771 | 193 772 | 00:37:20.370 --> 00:37:31.560 773 | Michael Shannon: It slows things down and entities on the Internet don't like that, so one thing you can do if you're using transport layer security is you can staple it. 
774 | 775 | 194 776 | 00:37:32.130 --> 00:37:44.340 777 | Michael Shannon: This is a method to quickly determine whether the server certificate is valid okay so basically you staple it with a vendor response okay. 778 | 779 | 195 780 | 00:37:45.090 --> 00:37:55.620 781 | Michael Shannon: This is another common method that's used to speed up the process and it makes, you know, website vendors and the people who develop browsers happier. 782 | 783 | 196 784 | 00:37:56.250 --> 00:38:07.650 785 | Michael Shannon: it's actually something that's done in the transport layer security protocol in TLS 1.2. Transport layer security, which we're going to talk about. 786 | 787 | 197 788 | 00:38:09.120 --> 00:38:20.040 789 | Michael Shannon: has two main protocols, it has the core record protocol, then it has a handshake protocol and the handshake protocol is the one that's really extensible. 790 | 791 | 198 792 | 00:38:20.430 --> 00:38:38.910 793 | Michael Shannon: whenever you see things like TLS 1.1, 1.2, 1.3, if you ask yourself what is changing in each different iteration it's really adding extensible functionality to the handshake protocol and making it more secure. 794 | 795 | 199 796 | 00:38:40.140 --> 00:38:42.870 797 | Michael Shannon: In the handshake protocol okay. 798 | 799 | 200 800 | 00:38:44.280 --> 00:38:48.450 801 | Michael Shannon: Now, another thing that's often done is, and this is interesting. 802 | 803 | 201 804 | 00:38:52.170 --> 00:38:52.770 805 | Michael Shannon: yeah baby. 806 | 807 | 202 808 | 00:38:53.970 --> 00:38:57.300 809 | Michael Shannon: yeah DNS is critical and. 810 | 811 | 203 812 | 00:38:59.880 --> 00:39:05.640 813 | Michael Shannon: which introduces some things we're going to talk about in application security but DNS is probably. 814 | 815 | 204 816 | 00:39:06.990 --> 00:39:17.040 817 | Michael Shannon: The when it comes to Internet security kind of the low hanging fruit, so we have protocols like DNSSEC that adds new.
818 | 819 | 205 820 | 00:39:19.020 --> 00:39:19.890 821 | Michael Shannon: records. 822 | 823 | 206 824 | 00:39:21.180 --> 00:39:34.980 825 | Michael Shannon: To DNS what a lot of what's what's happening, though going forward as far as DNS is concerned you're seeing a lot more managed security services, for example, like Dave and I. 826 | 827 | 207 828 | 00:39:35.520 --> 00:39:51.060 829 | Michael Shannon: Are laptops are provisioned laptops they use Cisco umbrella so when we use Internet DNS servers were using cisco's encrypted DNS servers so all of our queries are encrypted. 830 | 831 | 208 832 | 00:39:51.780 --> 00:40:02.040 833 | Michael Shannon: we're using Cisco umbrella, which is kind of a managed security service provider for our DNS services because it works in concert with our Cisco any connect mobility client. 834 | 835 | 209 836 | 00:40:03.960 --> 00:40:14.880 837 | Michael Shannon: So that that open DNS initiative DNS security DNS SEC, and what some large global providers are doing is they're not even using DNS at all. 838 | 839 | 210 840 | 00:40:16.170 --> 00:40:25.800 841 | Michael Shannon: they're using cloud providers and they're using what's called global acceleration so they're using IP version six any cast addressing. 842 | 843 | 211 844 | 00:40:27.000 --> 00:40:43.050 845 | Michael Shannon: they're just bypassing the whole donate domain name service, all together, and using any cast from IP version six so a lot of things are in the works to overcome the low hanging security weaknesses of DNS. 846 | 847 | 212 848 | 00:40:44.610 --> 00:40:50.910 849 | Michael Shannon: So one thing about a certificate authority it's interesting is that a certificate authority. 850 | 851 | 213 852 | 00:40:52.110 --> 00:41:07.290 853 | Michael Shannon: can issue a certificate for anybody for any domain for any subject, there is no police force out there really enforcing that now there are you know validation methods. 
854 | 855 | 214 856 | 00:41:08.670 --> 00:41:22.410 857 | Michael Shannon: And you know there were traditionally you know, a company That said, we will do extended validation for you and we'll give you a green padlock. 858 | 859 | 215 860 | 00:41:23.010 --> 00:41:43.800 861 | Michael Shannon: They will show up in the browser when someone's using your certificate domain that shows you went through extended validation and that was kind of a trend, the problem was like one company have the monopoly on that so vendors kind of stopped doing that. 862 | 863 | 216 864 | 00:41:46.560 --> 00:41:48.420 865 | Michael Shannon: So a. 866 | 867 | 217 868 | 00:41:50.550 --> 00:41:58.830 869 | Michael Shannon: Certain because a CA can can technically issue a certificate for anybody an organization will generally pin. 870 | 871 | 218 872 | 00:42:00.330 --> 00:42:07.080 873 | Michael Shannon: The browser's certificate to their domains, and so google's a prime example. 874 | 875 | 219 876 | 00:42:08.250 --> 00:42:12.300 877 | Michael Shannon: As I mentioned it here in chrome 13 and beyond. 878 | 879 | 220 880 | 00:42:13.710 --> 00:42:24.930 881 | Michael Shannon: Any domain that Google owns is pinned so so no other certificate authority can issue a certificate for that Google domain. 882 | 883 | 221 884 | 00:42:27.060 --> 00:42:27.960 885 | Michael Shannon: And you would use it. 886 | 887 | 222 888 | 00:42:29.160 --> 00:42:38.400 889 | Michael Shannon: pinning can also be used for authentication through a secure channel pinning can also be used to bypass a tcp handshake. 890 | 891 | 223 892 | 00:42:41.250 --> 00:42:47.130 893 | Michael Shannon: Alright, so that's our our pk discussion we offer, we also have crypt analysis. 894 | 895 | 224 896 | 00:42:51.360 --> 00:43:00.330 897 | Michael Shannon: Sorry there's a big thread going on over here like my a boot camp Microsoft i'm trying to see if I need to address any of that all right. 
898 | 899 | 225 900 | 00:43:02.340 --> 00:43:02.880 901 | Michael Shannon: A. 902 | 903 | 226 904 | 00:43:03.900 --> 00:43:19.290 905 | Michael Shannon: Cryptanalysis, I've already kind of alluded to this, right, this is the other side of the coin, right, most weaknesses, though, are not found through brute force attacks, they're found through implementation, poor implementation. 906 | 907 | 227 908 | 00:43:20.310 --> 00:43:28.080 909 | Michael Shannon: Key management, even can say side channel attacks. Okay, let me give an example of poor implementation. 910 | 911 | 228 912 | 00:43:29.130 --> 00:43:41.580 913 | Michael Shannon: When wireless came out in the late 90s, the IEEE 802.11, okay, when it initially was released, there was no security. 914 | 915 | 229 916 | 00:43:42.960 --> 00:44:00.390 917 | Michael Shannon: It was just open authentication, open authorization, if your radio was in range of the access point you were on and you were talking to other radios in your area, open authentication. Okay, the first level of security they added was called WEP. 918 | 919 | 230 920 | 00:44:01.620 --> 00:44:12.330 921 | Michael Shannon: Not a good name because WEP stands for wired equivalent privacy and it wasn't, it wasn't equivalent to wired privacy, it was wishful thinking. 922 | 923 | 231 924 | 00:44:14.580 --> 00:44:23.520 925 | Michael Shannon: But the algorithm they used at the time was RC4, in the late 90s RC4 was a trustworthy algorithm. 926 | 927 | 232 928 | 00:44:24.930 --> 00:44:30.120 929 | Michael Shannon: DES was a trustworthy algorithm, MD5 was a trustworthy algorithm. 930 | 931 | 233 932 | 00:44:31.410 --> 00:44:35.010 933 | Michael Shannon: So it was the way that RC4 was implemented in WEP. 934 | 935 | 234 936 | 00:44:36.060 --> 00:44:46.740 937 | Michael Shannon: Specifically, with a 24-bit initialization vector or a nonce that was in clear text, that was problem number one, so WEP was.
938 | 939 | 235 940 | 00:44:48.210 --> 00:44:54.870 941 | Michael Shannon: quickly cracked not because of RC4, but because of the way it was implemented in WEP. 942 | 943 | 236 944 | 00:44:56.070 --> 00:45:06.870 945 | Michael Shannon: Now eventually RC4 because of computing power is not trustworthy you know public web server will use RC4 is it sweet. 946 | 947 | 237 948 | 00:45:08.370 --> 00:45:11.340 949 | Michael Shannon: But there's key management vulnerabilities. 950 | 951 | 238 952 | 00:45:14.580 --> 00:45:16.680 953 | Michael Shannon: And there's implementation attacks. 954 | 955 | 239 956 | 00:45:18.900 --> 00:45:23.550 957 | Michael Shannon: classical cryptanalysis, mathematical analysis, brute force analysis. 958 | 959 | 240 960 | 00:45:26.340 --> 00:45:38.070 961 | Michael Shannon: The most common types of implementation attack is a side channel attack, okay, in wireless a common side channel attack in WPA2 is called KRACK. 962 | 963 | 241 964 | 00:45:39.720 --> 00:45:42.570 965 | Michael Shannon: K-R-A-C-K, it got patched. 966 | 967 | 242 968 | 00:45:44.400 --> 00:45:59.220 969 | Michael Shannon: But KRACK was a side channel attack, you had to have, you had to have relative proximity to the access point to do a KRACK attack, what's interesting is there was another attack, it's a side channel attack in WPA3. 970 | 971 | 243 972 | 00:46:00.540 --> 00:46:01.710 973 | Michael Shannon: called Dragonblood. 974 | 975 | 244 976 | 00:46:04.260 --> 00:46:05.910 977 | Michael Shannon: And you know what the same guy. 978 | 979 | 245 980 | 00:46:07.110 --> 00:46:12.120 981 | Michael Shannon: The same guy found that vulnerability it's a side channel attack. 982 | 983 | 246 984 | 00:46:13.320 --> 00:46:19.050 985 | Michael Shannon: In it, it exploits the Dragonfly handshake also quickly.
986 | 987 | 247 988 | 00:46:20.430 --> 00:46:39.600 989 | Michael Shannon: You know crack wasn't found until years down the line dragon blood was discovered right away because you in the world of wireless, you have the ieee the engineers right the put out the you know dot a B G and H whatever. 990 | 991 | 248 992 | 00:46:41.280 --> 00:46:52.200 993 | Michael Shannon: The International engineers and the wi fi alliance right well the wi fi alliance is always in a hurry to get the products on the shelves, or you know up to Amazon. 994 | 995 | 249 996 | 00:46:54.060 --> 00:47:04.230 997 | Michael Shannon: So they're more than happy to let us be the alpha and beta testers so they'll they'll put products out before the publications finalized. 998 | 999 | 250 1000 | 00:47:06.870 --> 00:47:08.790 1001 | Michael Shannon: So those are side channel attacks. 1002 | 1003 | 251 1004 | 00:47:10.140 --> 00:47:28.020 1005 | Michael Shannon: Another one if you could get access let's say to a to a to a device or like a smart card, you could actually measure the power consumption and you could determine with a power trace what a zero is and what a one is, and you can extrapolate the plain text information. 1006 | 1007 | 252 1008 | 00:47:29.520 --> 00:47:37.680 1009 | Michael Shannon: But aside channel attack usually needs some type of either physical access or proximity and to the access point. 1010 | 1011 | 253 1012 | 00:47:38.910 --> 00:47:52.380 1013 | Michael Shannon: social engineering is another type of attack, where you can trick people into giving you passwords and keys right, you can hoax you can make fake phone calls, you can send phishing emails right. 1014 | 1015 | 254 1016 | 00:47:53.520 --> 00:47:57.120 1017 | Michael Shannon: Another common way to break down a. 1018 | 1019 | 255 1020 | 00:48:00.690 --> 00:48:04.890 1021 | Michael Shannon: crypto system cool dragon Louise cool dragon. 
1022 | 1023 | 256 1024 | 00:48:06.150 --> 00:48:19.710 1025 | Michael Shannon: Alright, so let's move on to our next topic and we're going to get into the identity and access management or IAM we've only it's not only got like 20 something slides I'm not going to blow through them, though. 1026 | 1027 | 257 1028 | 00:48:20.490 --> 00:48:30.450 1029 | Michael Shannon: Okay well we'll take up tomorrow, where you know, we need to be now, we do have, I do have a content on physical security. 1030 | 1031 | 258 1032 | 00:48:31.500 --> 00:48:37.800 1033 | Michael Shannon: So we're not going to get bogged down here, but just realize that when it comes to access control. 1034 | 1035 | 259 1036 | 00:48:39.000 --> 00:48:46.710 1037 | Michael Shannon: there's also physical access we use lighting we use these types of physical controls usually lighting and cameras. 1038 | 1039 | 260 1040 | 00:48:48.300 --> 00:49:08.310 1041 | Michael Shannon: cams work hand in hand right, because if you have cameras that are functioning at night, you want lighting and they both suffer from the same vulnerability, the dead spots right dead spots in your lighting dead spots in your cameras, we have barricades we have bollards. 1042 | 1043 | 261 1044 | 00:49:09.960 --> 00:49:17.880 1045 | Michael Shannon: They can be physical I mean it can be temporary, they can be you know permanent bollards can just simply be like a post. 1046 | 1047 | 262 1048 | 00:49:19.350 --> 00:49:33.720 1049 | Michael Shannon: You know, a cement pillar or bollards modern pop bollards can be raised up and down, they can have sensors in them, they can have cameras in them, they can be quite intelligent, we have fencing of varying heights. 1050 | 1051 | 263 1052 | 00:49:34.800 --> 00:49:46.050 1053 | Michael Shannon: electrified barbed wire in-facing out-facing we have gates either wooden gates that come down, we have metal gates, we have tire shredders.
1054 | 1055 | 264 1056 | 00:49:46.950 --> 00:50:04.110 1057 | Michael Shannon: security guards signage all these types of physical access, controls we're going to talk more about those, but we want to, I want to I want you to forget them we talked about controlling access well we're also controlling physical access as well. 1058 | 1059 | 265 1060 | 00:50:05.940 --> 00:50:10.260 1061 | Michael Shannon: Air yapping systems man traps okay. 1062 | 1063 | 266 1064 | 00:50:12.360 --> 00:50:28.710 1065 | Michael Shannon: What makes a man trap, a man trap is at some point the person, I guess, we should call these people traps, but at some point the person is in a room or an enclosure and there's a locked door behind them and a locked door in front of them. 1066 | 1067 | 267 1068 | 00:50:29.730 --> 00:50:42.510 1069 | Michael Shannon: Just walking into a building and there's an area with maybe like a bulletproof window and a locked door if the door behind me is not locked that's not a man trap. 1070 | 1071 | 268 1072 | 00:50:46.020 --> 00:50:56.550 1073 | Michael Shannon: So I have to be be let in and then i'm in an area with cameras, maybe somebody behind a bulletproof glass window and have to be led into another area. 1074 | 1075 | 269 1076 | 00:50:57.360 --> 00:51:04.800 1077 | Michael Shannon: Maybe provide my credentials or a token or or passport or matt I may have to at that point in time, in that area. 1078 | 1079 | 270 1080 | 00:51:05.670 --> 00:51:12.750 1081 | Michael Shannon: With a security guard or a desk they'll take my picture they'll create a temporary badge and then I can get in whether. 1082 | 1083 | 271 1084 | 00:51:13.500 --> 00:51:24.210 1085 | Michael Shannon: it's a man trap area or not security guards may be involved in those types of temporary credentials and you have to wait for an escort whatever locking mechanisms biometrics. 
1086 | 1087 | 272 1088 | 00:51:25.020 --> 00:51:37.890 1089 | Michael Shannon: alarms sensors and also under physical are environmental controls and that would include fire prevention, detection and suppression, so it goes without saying that under access. 1090 | 1091 | 273 1092 | 00:51:38.430 --> 00:51:46.380 1093 | Michael Shannon: Controlling access, we cannot forget physical I mean when we say penetration test often. 1094 | 1095 | 274 1096 | 00:51:47.040 --> 00:51:56.940 1097 | Michael Shannon: We just automatically jump to the fact that the pen test is done against systems and applications and services, but there can be physical. 1098 | 1099 | 275 1100 | 00:51:57.630 --> 00:52:13.410 1101 | Michael Shannon: Access penetration testing as well now we're going to switch gears and talk about controlling physical access and the different mechanisms that we use for identity and access management or what we call ids identity management. 1102 | 1103 | 276 1104 | 00:52:14.850 --> 00:52:22.080 1105 | Michael Shannon: Now, with our security models we're typically looking at subjects and objects. 1106 | 1107 | 277 1108 | 00:52:23.130 --> 00:52:34.200 1109 | Michael Shannon: When we look at these various models subjects and objects, but realize that a subject is not always a person and an object can be physical or it can be logical. 1110 | 1111 | 278 1112 | 00:52:35.070 --> 00:52:49.440 1113 | Michael Shannon: The subject can be a person, it can be an NPE, a non-person entity, it can be a robot or some robotics it could be an embedded device an IoT device that can be a big hub. 1114 | 1115 | 279 1116 | 00:52:50.520 --> 00:52:50.940 1117 | Michael Shannon: Right. 1118 | 1119 | 280 1120 | 00:52:52.860 --> 00:53:01.590 1121 | Michael Shannon: So the subject anything that needs to take action on an object, so we have to think broader okay. 1122 | 1123 | 281 1124 | 00:53:07.710 --> 00:53:08.880 1125 | Michael Shannon: So uh.
1126 | 1127 | 282 1128 | 00:53:09.930 --> 00:53:13.680 1129 | Michael Shannon: One of the things that when that question. 1130 | 1131 | 283 1132 | 00:53:14.700 --> 00:53:19.590 1133 | Michael Shannon: Is a great question about physical access control when it comes to the cloud. 1134 | 1135 | 284 1136 | 00:53:21.480 --> 00:53:28.260 1137 | Michael Shannon: we're going to talk about cloud computing, but if you go to aws. 1138 | 1139 | 285 1140 | 00:53:30.510 --> 00:53:32.130 1141 | Michael Shannon: But Amazon COM. 1142 | 1143 | 286 1144 | 00:53:35.610 --> 00:53:36.540 1145 | Michael Shannon: blogs. 1146 | 1147 | 287 1148 | 00:53:38.250 --> 00:53:39.120 1149 | Michael Shannon: Security. 1150 | 1151 | 288 1152 | 00:53:41.550 --> 00:53:44.070 1153 | Michael Shannon: And search for. 1154 | 1155 | 289 1156 | 00:53:45.360 --> 00:53:45.930 1157 | Michael Shannon: A. 1158 | 1159 | 290 1160 | 00:53:47.310 --> 00:53:48.270 1161 | Michael Shannon: Data Center. 1162 | 1163 | 291 1164 | 00:53:53.910 --> 00:53:59.070 1165 | Michael Shannon: And this is just for this question coming up in the chat we're going to talk about this new cloud security. 1166 | 1167 | 292 1168 | 00:54:00.270 --> 00:54:03.690 1169 | Michael Shannon: But cloud data centers are highly secure. 1170 | 1171 | 293 1172 | 00:54:05.190 --> 00:54:08.640 1173 | Michael Shannon: highly secure they have massive amount of. 1174 | 1175 | 294 1176 | 00:54:09.750 --> 00:54:27.720 1177 | Michael Shannon: resources to secure data centers, but if you go to the security blog of aws they have they'll take you to a video and a site that shows you the what they go through to protect their data centers. 1178 | 1179 | 295 1180 | 00:54:28.830 --> 00:54:32.940 1181 | Michael Shannon: The types of stringent controls at their data centers. 1182 | 1183 | 296 1184 | 00:54:34.170 --> 00:54:42.660 1185 | Michael Shannon: If netflix can trust an aws data Center with their next season of stranger things. 
1186 | 1187 | 297 1188 | 00:54:44.820 --> 00:54:54.030 1189 | Michael Shannon: We can have a pretty high degree of confidence in AWS or Google or Azure data centers to protect our assets and our data. 1190 | 1191 | 298 1192 | 00:54:57.120 --> 00:54:57.690 1193 | Michael Shannon: So. 1194 | 1195 | 299 1196 | 00:54:59.400 --> 00:55:04.890 1197 | Michael Shannon: we're going to talk about sick tomorrow we're going to come back we're going to talk about some security models. 1198 | 1199 | 300 1200 | 00:55:05.310 --> 00:55:18.690 1201 | Michael Shannon: And we're going to begin with what's referred to as a mandatory access control model to provide confidentiality. Bell-LaPadula is not somebody's hyphenated name. 1202 | 1203 | 301 1204 | 00:55:19.380 --> 00:55:29.670 1205 | Michael Shannon: Okay, this is not like Steve Bell-LaPadula, okay, it's two different people, Bell and LaPadula, and this is the first mathematical model. 1206 | 1207 | 302 1208 | 00:55:30.300 --> 00:55:38.490 1209 | Michael Shannon: That uses multi level security that uses a state machine and information flow modeling all these different. 1210 | 1211 | 303 1212 | 00:55:38.880 --> 00:55:49.650 1213 | Michael Shannon: techniques in a mandatory access control environment for confidentiality, this is what's used by government agencies military military installations. 1214 | 1215 | 304 1216 | 00:55:50.340 --> 00:56:03.630 1217 | Michael Shannon: Government contractors places like that there's there's no discretion, there is a board or a committee that puts this state machine in place. 1218 | 1219 | 305 1220 | 00:56:04.020 --> 00:56:23.490 1221 | Michael Shannon: All the rules are defined, and every state between the subject and object and transitions are known and identified and accounted for and usually these are accounted for using some type of lattice or matrix.
1222 | 1223 | 306 1224 | 00:56:25.080 --> 00:56:34.500 1225 | Michael Shannon: And there's there can be flexibility built in, but it must be determined at the outset, this is not something you can just. 1226 | 1227 | 307 1228 | 00:56:34.890 --> 00:56:47.910 1229 | Michael Shannon: ad hoc escalate privileges if it's not allowed in the model by the original design by the committee or the team so once you once you put the model in place. 1230 | 1231 | 308 1232 | 00:56:48.690 --> 00:57:08.040 1233 | Michael Shannon: At some point three months down one of the subjects, regardless of how high they are in the hierarchy can't just decide okay i'm going to add my discretion i'm going to allow somebody at the secret level to get access to the top secret level if it's not built into the model. 1234 | 1235 | 309 1236 | 00:57:09.360 --> 00:57:12.180 1237 | Michael Shannon: The person to the secret level has to get promoted. 1238 | 1239 | 310 1240 | 00:57:13.770 --> 00:57:16.350 1241 | Michael Shannon: No other options. 1242 | 1243 | 311 1244 | 00:57:17.370 --> 00:57:29.910 1245 | Michael Shannon: period so we're going to talk about when we get back tomorrow mandatory access control models discretionary role based rule based and access. 1246 | 1247 | 312 1248 | 00:57:30.540 --> 00:57:49.860 1249 | Michael Shannon: Based which are really critical in a zero trust environment a zero trust environment they're going to gravitate towards MAC models or attribute based access control models okay so we'll stop here will take up here tomorrow and so i'm going to go ahead and stop the recording. 1250 | 1251 | -------------------------------------------------------------------------------- /Archive/Session3Transcripts/part03.vtt: -------------------------------------------------------------------------------- 1 | WEBVTT 2 | 3 | 1 4 | 00:00:05.730 --> 00:00:07.890 5 | Michael Shannon: Alright we're recording. 
6 | 7 | 2 8 | 00:00:09.330 --> 00:00:11.340 9 | Michael Shannon: I'm going to repeat that mistake so. 10 | 11 | 3 12 | 00:00:13.259 --> 00:00:17.310 13 | Michael Shannon: We are recording welcome back from break everybody. 14 | 15 | 4 16 | 00:00:19.080 --> 00:00:22.260 17 | Michael Shannon: And SCI fi our. 18 | 19 | 5 20 | 00:00:25.710 --> 00:00:30.600 21 | Michael Shannon: Micro services specific service oriented application components. 22 | 23 | 6 24 | 00:00:31.680 --> 00:00:36.030 25 | Michael Shannon: kind of the next generation of what we would call SOA years ago. 26 | 27 | 7 28 | 00:00:37.350 --> 00:00:46.650 29 | Michael Shannon: An approach to software development, where the results are small, independent services that communicate using APIs. 30 | 31 | 8 32 | 00:00:47.550 --> 00:01:05.850 33 | Michael Shannon: queuing services, the do or APIs to do queuing and communication channels notifications so kind of decoupling monolithic applications so with microservices you can use a micro service, obviously in different applications. 34 | 35 | 9 36 | 00:01:09.060 --> 00:01:25.500 37 | Michael Shannon: Obviously, but it also you know feeds into rapid deployment and rapid scalability tightly coupled tightly scoped little diagram they're tightly scoped loosely coupled thoroughly modular and encapsulated. 38 | 39 | 10 40 | 00:01:26.820 --> 00:01:29.100 41 | Michael Shannon: Independent independently deployable. 42 | 43 | 11 44 | 00:01:32.670 --> 00:01:50.580 45 | Michael Shannon: We have a lot of embedded systems that use older APP operating systems specialized APP or systems thin operating systems and often unpatched and older versions of APP of operating systems. 46 | 47 | 12 48 | 00:01:51.840 --> 00:02:04.380 49 | Michael Shannon: Sometimes device drivers are no longer available you bought a specialty embedded system or a programmable logic controller or some sensor from some manufacturer.
50 | 51 | 13 52 | 00:02:04.830 --> 00:02:16.080 53 | Michael Shannon: And then that manufacturer was bought out by some other company and that company simply bought them to get rid of a competitor, and you know no longer have tech support. 54 | 55 | 14 56 | 00:02:17.070 --> 00:02:30.030 57 | Michael Shannon: You can't replace that, but it still works, so if it ain't broke don't fix it, but you don't have patch management you don't have updates or upgrades or security patches. 58 | 59 | 15 60 | 00:02:31.290 --> 00:02:36.930 61 | Michael Shannon: And there is just hundreds of millions of devices all over the world that are. 62 | 63 | 16 64 | 00:02:38.040 --> 00:02:48.240 65 | Michael Shannon: Using IP version four addresses and IP version six with these different types of specialty systems, some of these came from. 66 | 67 | 17 68 | 00:02:48.780 --> 00:03:07.200 69 | Michael Shannon: Raspberry Pi which was kind of a phenomenon in the UK, and it was a way to teach kids how to do computer programming computer science and then it kind of exploded in popularity one of my favorite shows is a. 70 | 71 | 18 72 | 00:03:08.310 --> 00:03:09.450 73 | Michael Shannon: battle bots. 74 | 75 | 19 76 | 00:03:10.830 --> 00:03:18.450 77 | Michael Shannon: it's it's one of my favorite shows and it's you know where people create robots and they you know destroy each other. 78 | 79 | 20 80 | 00:03:20.340 --> 00:03:30.060 81 | Michael Shannon: I find it very fascinating rather watch machines do that, than people do that, personally, but I just love the different designs well, a lot of those. 82 | 83 | 21 84 | 00:03:30.690 --> 00:03:45.060 85 | Michael Shannon: robots that they create in the battle bots they use specialty embedded operating systems and maybe maybe Raspberry Pi or others like Arduino system on a chip those different variants.
86 | 87 | 22 88 | 00:03:46.260 --> 00:04:08.250 89 | Michael Shannon: This is pretty practical you know we're talking about Linux based operating system, so you know don't use empty passwords avoid any type of auto configuration unnecessary services secure Shell there's a Fail2ban tool that detects brute force attacks and blocks them. 90 | 91 | 23 92 | 00:04:09.390 --> 00:04:26.490 93 | Michael Shannon: So Raspberry Pi system on a chip, you know, regardless of these special components or IoT devices or wearables they have a general lack of security, and so this is an area of specialty. 94 | 95 | 24 96 | 00:04:28.260 --> 00:04:39.030 97 | Michael Shannon: Just like SCADA systems SCADA which are you know specialty approaches to securing different types of utility companies. 98 | 99 | 25 100 | 00:04:40.170 --> 00:04:42.810 101 | Michael Shannon: Water processing sewage. 102 | 103 | 26 104 | 00:04:44.880 --> 00:05:02.520 105 | Michael Shannon: That you know the electric grid municipal lights, you know stop lights, and I mean just vitality traffic lighting, I mean terrible traffic lights wind farms solar farms nuclear facilities, the list goes on and on. 106 | 107 | 27 108 | 00:05:04.170 --> 00:05:06.780 109 | Michael Shannon: Those types of facilities have are you know. 110 | 111 | 28 112 | 00:05:08.580 --> 00:05:18.060 113 | Michael Shannon: well known for their specialty embedded devices system on chips sensors real time operating systems. 114 | 115 | 29 116 | 00:05:20.370 --> 00:05:31.260 117 | Michael Shannon: That present vulnerabilities there are organizations like the GIAC GIAC has a whole bunch of different. 118 | 119 | 30 120 | 00:05:32.760 --> 00:05:41.370 121 | Michael Shannon: certifications and usually have to go through sans.org to get a GIAC certification.
122 | 123 | 31 124 | 00:05:42.660 --> 00:06:02.490 125 | Michael Shannon: Sometimes you can not do that not go through a sans.org and you can just try to take the exam but, yet you kind of have to challenge it like you have to apply and say I have this experience and then challenge it and not pay to go to a boot camp for a week. 126 | 127 | 32 128 | 00:06:04.920 --> 00:06:21.060 129 | Michael Shannon: So I did that to get my GSEC there the GSEC is kind of their version of Security+ or SSCP so I didn't want to go pay $7,000 to get that I wanted that certification, so I. 130 | 131 | 33 132 | 00:06:22.170 --> 00:06:38.040 133 | Michael Shannon: Applied challenge did, and I just had to pay for the exam which was still expensive like 1500 dollars or something, but they have the point I'm making is they have like specialty certifications for like SCADA and embedded systems. 134 | 135 | 34 136 | 00:06:39.150 --> 00:06:47.550 137 | Michael Shannon: it's kind of like storage area networking it's kind of it's a real specialty from an IT standpoint and a security standpoint. 138 | 139 | 35 140 | 00:06:51.120 --> 00:07:01.440 141 | Michael Shannon: We want to if we can we want to test the newer embedded devices, you know in some sandbox environment type 2 hypervisor or whatever before deploying. 142 | 143 | 36 144 | 00:07:02.040 --> 00:07:12.750 145 | Michael Shannon: The problem is a lot of these legacy embedded devices they're embedded there in use they're in production and we don't really have a substitute. 146 | 147 | 37 148 | 00:07:13.440 --> 00:07:22.620 149 | Michael Shannon: We don't have other vendor solutions and even over the like the last two years that's really reduced our you know our options. 150 | 151 | 38 152 | 00:07:23.550 --> 00:07:31.950 153 | Michael Shannon: A lot of these specialty devices aren't necessarily involved in our inventory system, why they should be are changing configuration management.
154 | 155 | 39 156 | 00:07:32.460 --> 00:07:42.180 157 | Michael Shannon: patch management, maybe impossible there just simply aren't, no patch, there are no patches or the vendor or the manufacturer is no longer in business. 158 | 159 | 40 160 | 00:07:44.160 --> 00:08:02.070 161 | Michael Shannon: We can use digitally signed code on some newer solution definitely want to do that if we can run these with trusted platform module or with trusted operating systems like SELinux that can be part of trusted computing even better. 162 | 163 | 41 164 | 00:08:03.120 --> 00:08:06.630 165 | Michael Shannon: If you were running specialty devices and at a Google. 166 | 167 | 42 168 | 00:08:07.680 --> 00:08:20.790 169 | Michael Shannon: site, they would be you know adherents zero trust they would need to be running those you know secure platforms and trusted computing. 170 | 171 | 43 172 | 00:08:22.140 --> 00:08:34.590 173 | Michael Shannon: You know, it takes possibly a special skill set with these other specialty systems now, these are the reason, these three are listed is this is one of the objectives. 174 | 175 | 44 176 | 00:08:35.040 --> 00:08:47.070 177 | Michael Shannon: Okay, so don't forget about the multifunction printers you know the bizhubs that kind of do it all, you know, a combination of email, fax scanner printer. 178 | 179 | 45 180 | 00:08:48.420 --> 00:08:51.390 181 | Michael Shannon: It can make Espresso I don't know does everything right. 182 | 183 | 46 184 | 00:08:53.550 --> 00:09:05.190 185 | Michael Shannon: Those are usually on the network and those ports, you know from a layer 2 security standpoint, we have those specialty devices that are kind of always on that. 186 | 187 | 47 188 | 00:09:06.360 --> 00:09:14.880 189 | Michael Shannon: ethernet port and you know Can somebody unplug that you know bizhub and plug their laptop into it. 190 | 191 | 48 192 | 00:09:16.170 --> 00:09:19.380 193 | Michael Shannon: Hopefully, if you're using dot one X.
194 | 195 | 49 196 | 00:09:21.090 --> 00:09:23.250 197 | Michael Shannon: That particular port is not enabled. 198 | 199 | 50 200 | 00:09:24.420 --> 00:09:27.330 201 | Michael Shannon: To accept EAPOL frames so. 202 | 203 | 51 204 | 00:09:28.710 --> 00:09:29.760 205 | Michael Shannon: it's been restricted. 206 | 207 | 52 208 | 00:09:32.700 --> 00:09:49.380 209 | Michael Shannon: So UAV these are unmanned aerial vehicles drones those are security issues, because they can be used against us as a reconnaissance tool for our physical security, but they can be hijacked or hacked as well. 210 | 211 | 53 212 | 00:09:51.630 --> 00:09:54.420 213 | Michael Shannon: advantage adaptive voltage scaling. 214 | 215 | 54 216 | 00:09:55.440 --> 00:09:56.820 217 | Michael Shannon: And they're really know what that is. 218 | 219 | 55 220 | 00:09:57.870 --> 00:10:09.690 221 | Michael Shannon: A closed loop dynamic power minimization method adult you know I haven't dealt with that in years on system boards adjusting the voltage sent to a computer chip. 222 | 223 | 56 224 | 00:10:11.520 --> 00:10:17.640 225 | Michael Shannon: You know, a closed loop system has the ability to self correct, I know that. 226 | 227 | 57 228 | 00:10:24.720 --> 00:10:42.690 229 | Michael Shannon: On most systems, the legacy BIOS the BIOS basic input output system has been replaced, but like I said on legacy components and devices, they may be still running the traditional BIOS which is vulnerable. 230 | 231 | 58 232 | 00:10:43.950 --> 00:10:50.910 233 | Michael Shannon: your your more modern workstations and laptops and PCs and servers are running the. 234 | 235 | 59 236 | 00:10:53.700 --> 00:11:12.030 237 | Michael Shannon: which provides boot integrity better security now, it says offers the ability to protect with a password well, you could have a password on a legacy system board or motherboard with a legacy BIOS that's not necessarily a new thing.
238 | 239 | 60 240 | 00:11:14.790 --> 00:11:27.420 241 | Michael Shannon: But we talked about the hardware root of trust, and this is part of zero trust moving anchoring trustworthiness down to the hardware and depending less on software. 242 | 243 | 61 244 | 00:11:29.340 --> 00:11:41.970 245 | Michael Shannon: security systems on a chip So these are trusted execution environments trusted computing so those modules embedded in a system, a system board a server board. 246 | 247 | 62 248 | 00:11:44.100 --> 00:11:50.670 249 | Michael Shannon: Self encrypting drives its were transparently encrypts without the knowledge or the. 250 | 251 | 63 252 | 00:11:52.440 --> 00:11:54.210 253 | Michael Shannon: interaction of the end user. 254 | 255 | 64 256 | 00:11:55.380 --> 00:11:57.840 257 | Michael Shannon: hardware security module talked about those. 258 | 259 | 65 260 | 00:11:59.250 --> 00:12:14.580 261 | Michael Shannon: So part of zero trust is using those low level tamper resistant security chips to store passwords encryption keys private keys certificates to provide security services. 262 | 263 | 66 264 | 00:12:17.610 --> 00:12:26.370 265 | Michael Shannon: Self encrypting drives will implement FDE full disk encryption often like I said, without end user intervention. 266 | 267 | 67 268 | 00:12:27.240 --> 00:12:46.020 269 | Michael Shannon: Providing pre boot authentication possibly with the certificate, it can enhance endpoint security, so this would be something part of like Palo Alto Networks next generation endpoint security would involve self encrypting drives. 270 | 271 | 68 272 | 00:12:53.250 --> 00:12:53.880 273 | Michael Shannon: Opal. 274 | 275 | 69 276 | 00:12:55.980 --> 00:13:02.040 277 | Michael Shannon: Security subsystem class specifications created by the Trusted Computing Group. 278 | 279 | 70 280 | 00:13:04.710 --> 00:13:10.110 281 | Michael Shannon: high performance computing this may be done in your own data Center.
282 | 283 | 71 284 | 00:13:11.160 --> 00:13:27.420 285 | Michael Shannon: But for sure you're going to be getting access to high performance computing at a cloud provider they're going to offer specialized images they're going to offer more expensive machine images to do high performance computing. 286 | 287 | 72 288 | 00:13:28.950 --> 00:13:40.740 289 | Michael Shannon: I know that AWS that I would say all of their data centers maybe not all of them, but the majority of their data centers they have transitioned to 100 gigabit. 290 | 291 | 73 292 | 00:13:43.290 --> 00:13:44.070 293 | Michael Shannon: So. 294 | 295 | 74 296 | 00:13:45.510 --> 00:13:54.660 297 | Michael Shannon: they're going to offer high performance computing images for doing you know high speed calculations AI. 298 | 299 | 75 300 | 00:13:56.100 --> 00:13:57.180 301 | Michael Shannon: Those types of things. 302 | 303 | 76 304 | 00:13:58.710 --> 00:14:15.270 305 | Michael Shannon: And one of the vulnerabilities of high performance computing is think about a cluster or distributed high performance computers, if there is a Bot or distributed attack it's going to happen much quicker because it just the speed that these systems operate. 306 | 307 | 77 308 | 00:14:18.480 --> 00:14:24.450 309 | Michael Shannon: They may not, they may run you know specialized hardware stacks so high performance computing. 310 | 311 | 78 312 | 00:14:26.280 --> 00:14:38.160 313 | Michael Shannon: Well, often by the way, run for their storage they'll use what's called ephemeral instance store so as opposed to like having a. 314 | 315 | 79 316 | 00:14:38.970 --> 00:14:50.670 317 | Michael Shannon: elastic block store that's just virtualized over the network from a raid array of hard disk or solid state drives this is directly attached at the hypervisor.
318 | 319 | 80 320 | 00:14:51.210 --> 00:15:00.390 321 | Michael Shannon: That the HPC blades are running it, so this is the ephemeral storage, so if you were to stop the high performance computing instance. 322 | 323 | 81 324 | 00:15:00.960 --> 00:15:10.770 325 | Michael Shannon: Like stop it or terminate it that data would be lost so because of the type of computing that it does it needs those. 326 | 327 | 82 328 | 00:15:11.430 --> 00:15:26.040 329 | Michael Shannon: Directly attached solid state drives to store temporary files log files to do other calculations, with ephemeral storage so at a cloud provider, yes, we divide up. 330 | 331 | 83 332 | 00:15:26.730 --> 00:15:39.960 333 | Michael Shannon: Block or volume storage from object storage, but even within block storage that can be elastic abstracted block storage over the network. 334 | 335 | 84 336 | 00:15:41.670 --> 00:15:52.860 337 | Michael Shannon: or it could be that directly attached ephemeral instance store with the elastic storage, if you have it let's say attached to a Linux Red Hat Linux server. 338 | 339 | 85 340 | 00:15:53.340 --> 00:16:04.560 341 | Michael Shannon: And you stop or you terminate the server the block storage is elastic and there's a snapshot created of it automatically so you don't lose the data. 342 | 343 | 86 344 | 00:16:05.700 --> 00:16:16.020 345 | Michael Shannon: And since you've been creating snapshots you could something did happen, you could just recreate the volume from the snapshot that happens to be stored in object storage. 346 | 347 | 87 348 | 00:16:17.940 --> 00:16:25.770 349 | Michael Shannon: This effect this ephemeral instance store, however, that you might use with a high performance computing instance that's the ephemeral. 350 | 351 | 88 352 | 00:16:27.240 --> 00:16:28.080 353 | Michael Shannon: it's temporary.
354 | 355 | 89 356 | 00:16:30.630 --> 00:16:37.860 357 | Michael Shannon: edge computing the term edge computing really relates to content distribution networking. 358 | 359 | 90 360 | 00:16:40.200 --> 00:16:53.160 361 | Michael Shannon: Okay, now I would say, from the standpoint of a service provider, they would broaden the term edge computing, but I would say, from the standpoint of this exam. 362 | 363 | 91 364 | 00:16:54.660 --> 00:17:10.920 365 | Michael Shannon: ISC2 is going to is going to define edge computing as basically distributing content getting as close to the customer as possible, for example, caching in Redis clusters at. 366 | 367 | 92 368 | 00:17:14.040 --> 00:17:21.660 369 | Michael Shannon: providers broadband providers telecoms, whatever that you have high speed fiber connections with. 370 | 371 | 93 372 | 00:17:23.400 --> 00:17:26.190 373 | Michael Shannon: So your corporate edge is really blurred. 374 | 375 | 94 376 | 00:17:27.780 --> 00:17:40.320 377 | Michael Shannon: that's what ISC2 would consider this edge computing I would say that would be broadened by a cloud provider to include it will be called hybrid cloud. 378 | 379 | 95 380 | 00:17:45.720 --> 00:17:48.060 381 | Michael Shannon: And like a diagram right. 382 | 383 | 96 384 | 00:17:49.140 --> 00:17:49.560 385 | for that. 386 | 387 | 97 388 | 00:17:51.180 --> 00:18:10.980 389 | Michael Shannon: So if you're using something like Akamai or Cloudflare or AWS CloudFront, there are security mechanisms for sure when you're the one doing the the DevOps but you're developing the Web application or the content that you're distributing you'll have a node. 390 | 391 | 98 392 | 00:18:12.030 --> 00:18:18.060 393 | Michael Shannon: And that node at the edge location will probably be running a web application firewall.
394 | 395 | 99 396 | 00:18:20.730 --> 00:18:31.080 397 | Michael Shannon: You know, doing the deep packet inspection it's not simply going to say we're only going to allow http https from this prefix to this IP address. 398 | 399 | 100 400 | 00:18:31.410 --> 00:18:43.620 401 | Michael Shannon: But you can use, you know you can restrict certain geographical regions or countries from using your distribution you're gonna you know run this firewall to look for. 402 | 403 | 101 404 | 00:18:44.640 --> 00:18:55.230 405 | Michael Shannon: Cross site scripting variants and injection attacks right the kind of you know, the OWASP Top 10 type stuff. 406 | 407 | 102 408 | 00:18:56.460 --> 00:19:00.870 409 | Michael Shannon: So you'll deploy a WAF there you'll usually have cloud based. 410 | 411 | 103 412 | 00:19:01.950 --> 00:19:04.200 413 | Michael Shannon: distributed denial of service protection. 414 | 415 | 104 416 | 00:19:07.680 --> 00:19:19.380 417 | Michael Shannon: All the API calls to that, from a management standpoint would be digitally signed to mls enabled endpoints you can control. 418 | 419 | 105 420 | 00:19:19.890 --> 00:19:28.320 421 | Michael Shannon: Who can download content for your distribution, but you can also control, who can go through the distribution node to get to the back end content. 422 | 423 | 106 424 | 00:19:29.010 --> 00:19:44.880 425 | Michael Shannon: And if it's Cloudflare Akamai or CloudFront that backend content, the original origin, we call that could be in your data Center it could be at Azure Blob Google Cloud Storage. 426 | 427 | 107 428 | 00:19:45.900 --> 00:19:50.190 429 | Michael Shannon: AWS S3 or multiple locations. 430 | 431 | 108 432 | 00:19:52.500 --> 00:19:53.790 433 | Michael Shannon: For high availability. 434 | 435 | 109 436 | 00:19:55.830 --> 00:19:56.460 437 | Michael Shannon: So.
438 | 439 | 110 440 | 00:19:59.640 --> 00:20:09.120 441 | Michael Shannon: Next is the transition to physical security now there's not a dedicated physical security, you know. 442 | 443 | 111 444 | 00:20:10.350 --> 00:20:20.250 445 | Michael Shannon: domain it's part of operational security and asset security right, so it kind of bleeds over into a couple of different domains. 446 | 447 | 112 448 | 00:20:21.660 --> 00:20:34.710 449 | Michael Shannon: But this is that third category of control, we have administrative slash managerial controls technical controls and then physical. 450 | 451 | 113 452 | 00:20:35.940 --> 00:20:44.820 453 | Michael Shannon: And the goal is to protect from a wide variety of different man or people made. 454 | 455 | 114 456 | 00:20:46.290 --> 00:20:50.160 457 | Michael Shannon: threat actors, but also natural disasters. 458 | 459 | 115 460 | 00:20:51.780 --> 00:20:55.560 461 | Michael Shannon: And you know pandemics supply system. 462 | 463 | 116 464 | 00:20:56.730 --> 00:21:01.680 465 | Michael Shannon: interruptions socio political threats like we're going through now. 466 | 467 | 117 468 | 00:21:03.090 --> 00:21:04.890 469 | Michael Shannon: And Ukraine and on and on. 470 | 471 | 118 472 | 00:21:06.090 --> 00:21:07.860 473 | Michael Shannon: I already alluded to the fact that. 474 | 475 | 119 476 | 00:21:08.940 --> 00:21:14.190 477 | Michael Shannon: under the umbrella of physical security, we do have primary and secondary loss. 478 | 479 | 120 480 | 00:21:15.210 --> 00:21:27.000 481 | Michael Shannon: You know, probably the number one you know the worst case scenario primary loss loss of life or injury. 482 | 483 | 121 484 | 00:21:28.380 --> 00:21:39.330 485 | Michael Shannon: And like I said it depends on your organization and the way that you handle risk as to you know is that the primary loss. 486 | 487 | 122 488 | 00:21:42.210 --> 00:21:45.210 489 | Michael Shannon: And it can be secondary again cascading. 
490 | 491 | 123 492 | 00:21:46.920 --> 00:21:53.550 493 | Michael Shannon: Loss now we typically take a Defense in depth approach when we design our physical security solution. 494 | 495 | 124 496 | 00:21:54.480 --> 00:22:09.060 497 | Michael Shannon: Okay, just like we would have a logical Defense in depth with a series of infrastructure devices right a perimeter edge router and then maybe a honeynet. 498 | 499 | 125 500 | 00:22:09.570 --> 00:22:28.590 501 | Michael Shannon: And then maybe behind that a firewall and then maybe IPS sensor then a multi layer switch and all of those things in line providing Defense in depth, or a single highly available router or appliance running all the services and the Defense in depth happens. 502 | 503 | 126 504 | 00:22:29.700 --> 00:22:45.720 505 | Michael Shannon: To the order of processing of the datagram and frame moving through well really the datagram flowing through the device right the datagram the frame doesn't flow through the device the frame comes to the device. 506 | 507 | 127 508 | 00:22:46.740 --> 00:22:58.200 509 | Michael Shannon: The datagram goes through the device, and then, whatever the outbound or the egress interface technology is that's where the frame comes in. 510 | 511 | 128 512 | 00:22:59.070 --> 00:23:11.730 513 | Michael Shannon: Right, so when I said the frame to the device no the datagram packet to the device, so we have a Defense in depth approach with physical security and it needs to be methodical. 514 | 515 | 129 516 | 00:23:13.110 --> 00:23:29.070 517 | Michael Shannon: Okay, so you would start at the edge of your facility your property line if that's the case like a at a campus and you would work your way back to your where your most valuable assets are could be a walk in safe. 518 | 519 | 130 520 | 00:23:30.120 --> 00:23:36.270 521 | Michael Shannon: It could be a safe in the CEO's or the president's office in her office, it could be the data Center.
522 | 523 | 131 524 | 00:23:39.630 --> 00:23:44.850 525 | Michael Shannon: But a methodical approach outside in inside out now of course. 526 | 527 | 132 528 | 00:23:46.320 --> 00:23:56.850 529 | Michael Shannon: It depends on you know where you're located you know if you're in a if you're in a business Center and you basically just a single office and you're sharing. 530 | 531 | 133 532 | 00:23:57.420 --> 00:24:17.310 533 | Michael Shannon: with other businesses or you're on a floor of a building and there's multiple businesses Those are all factors, we have to consider, whatever our domain of control is which may be, you know if we're on a floor of a building the locked door that comes into the foyer day. 534 | 535 | 134 536 | 00:24:18.330 --> 00:24:31.770 537 | Michael Shannon: Or the area where the reception is that's our domain regardless outside in or inside out methodical approach, one thing we do have to know is what are all of the. 538 | 539 | 135 540 | 00:24:32.700 --> 00:24:46.920 541 | Michael Shannon: ingress and egress points, and that would be including air ducts any access could Could somebody easily access through a wall if it's just simply you know. 542 | 543 | 136 544 | 00:24:49.050 --> 00:24:55.710 545 | Michael Shannon: it's if the walls between your different offices are just simply like you know particle board stuff. 546 | 547 | 137 548 | 00:24:58.530 --> 00:24:59.700 549 | Michael Shannon: You have to consider that. 550 | 551 | 138 552 | 00:25:01.110 --> 00:25:03.690 553 | Michael Shannon: Any area through the roof. 554 | 555 | 139 556 | 00:25:04.920 --> 00:25:11.730 557 | Michael Shannon: All possible ingress and egress points of the facility, have to be examined. 558 | 559 | 140 560 | 00:25:13.050 --> 00:25:21.300 561 | Michael Shannon: But if we do have a perimeter like a property line perimeter let's say we're going to start there, what kind of barriers are we going to have.
562 | 563 | 141 564 | 00:25:23.160 --> 00:25:30.090 565 | Michael Shannon: You know, sometimes you can just have a man made lake or a pond. 566 | 567 | 142 568 | 00:25:31.170 --> 00:25:35.250 569 | Michael Shannon: And you'll see that, like when you're coming into some large company. 570 | 571 | 143 572 | 00:25:36.450 --> 00:25:52.890 573 | Michael Shannon: And you as you approach their entry you'll see you know ponds, you know, like wow What are those for are they fishing at for lunch they go out to lunch and fishing no they're kind of a moat it's a modern day moat. 574 | 575 | 144 576 | 00:25:55.530 --> 00:26:05.670 577 | Michael Shannon: You can use landscaping hedge rows trees as barriers, combined with your fencing of various types. 578 | 579 | 145 580 | 00:26:07.500 --> 00:26:10.440 581 | Michael Shannon: Do you have the ability to only come one way. 582 | 583 | 146 584 | 00:26:11.820 --> 00:26:12.720 585 | Michael Shannon: With a vehicle. 586 | 587 | 147 588 | 00:26:13.920 --> 00:26:30.540 589 | Michael Shannon: And you can't go back there's a tire shredder, for example, bollards bollards are used too often a temporary bollards can be used like little plastic things that stick up are there, the cones you can use those to just temporarily redirect. 590 | 591 | 148 592 | 00:26:32.280 --> 00:26:39.660 593 | Michael Shannon: pedestrian traffic in on a path you want them to stay on or they can be permanent bollards of different types. 594 | 595 | 149 596 | 00:26:41.130 --> 00:26:43.650 597 | Michael Shannon: and different types of gates with different ratings. 598 | 599 | 150 600 | 00:26:44.940 --> 00:27:01.590 601 | Michael Shannon: So you know, the point is, you need to be aware of the different perimeter barrier types and what's appropriate and what's affordable for your organization, you know, in the US, we separate gates into like four main classes.
602 | 603 | 151 604 | 00:27:03.150 --> 00:27:12.840 605 | Michael Shannon: So if you add an apartment complex or a you know single family home, you would have like a class one residential gate. 606 | 607 | 152 608 | 00:27:14.310 --> 00:27:32.250 609 | Michael Shannon: You know, as a hook, and you open it up, then you go to you know commercial class two like on a parking garage it would come down at the end of the day, maybe you get to physically bring it down, it may look like just a you know event I be completely. 610 | 611 | 153 612 | 00:27:34.260 --> 00:27:46.410 613 | Michael Shannon: Solid it may be, you can still see through it like a cage all the way up to the kinds of things you would see at prisons and airports and military installations. 614 | 615 | 154 616 | 00:27:51.330 --> 00:27:57.210 617 | Michael Shannon: So obviously you know most organizations, you have a campus or facility, are going to have. 618 | 619 | 155 620 | 00:27:58.230 --> 00:28:17.850 621 | Michael Shannon: Protected fence barriers, which is where they're going to begin on their Defense in depth bollards typically concrete or strong metal high tech bollards, however, can you know be raised and lowered can be mechanical they can also include cameras and sensors of various types. 622 | 623 | 156 624 | 00:28:19.290 --> 00:28:29.700 625 | Michael Shannon: Probably the most the least expensive and most common you know preventative or deterrent control that is is signage. 626 | 627 | 157 628 | 00:28:31.080 --> 00:28:36.660 629 | Michael Shannon: You definitely if you're going to have a preventative control in the form of an electric fence. 630 | 631 | 158 632 | 00:28:38.310 --> 00:28:51.180 633 | Michael Shannon: you're going to have you're going to combine that with the deterrent control every six to eight feet of a sign saying warning, this is an electric fence like you might see at a military base or a prison.
634 | 635 | 159 636 | 00:28:53.400 --> 00:28:59.010 637 | Michael Shannon: I live in Texas, and we have a lot of both Okay, a lot of both. 638 | 639 | 160 640 | 00:29:02.520 --> 00:29:06.540 641 | Michael Shannon: Signs window stickers scientists, you can just have. 642 | 643 | 161 644 | 00:29:07.590 --> 00:29:08.190 645 | Michael Shannon: You know. 646 | 647 | 162 648 | 00:29:09.210 --> 00:29:11.940 649 | Michael Shannon: In the in the grass or in different areas. 650 | 651 | 163 652 | 00:29:13.500 --> 00:29:17.910 653 | Michael Shannon: You know, we have banners but those are logical or technical controls. 654 | 655 | 164 656 | 00:29:18.390 --> 00:29:36.690 657 | Michael Shannon: So, like a banner that comes up if you try to access a router or a multi layer switch or some corporate edge device and you're trying to you know brute force, maybe a banner comes up saying unauthorized, you know access will be punishable by law or whatever that's a logical banner. 658 | 659 | 165 660 | 00:29:38.970 --> 00:29:45.990 661 | Michael Shannon: But a banner is also signage you know authorized personnel only beware of dog keep out. 662 | 663 | 166 664 | 00:29:47.220 --> 00:29:51.630 665 | Michael Shannon: Armed guard on duty no trespassing all those good things. 666 | 667 | 167 668 | 00:29:54.480 --> 00:30:05.580 669 | Michael Shannon: We have security cameras closed circuit TV, these can be wired or wireless these are, this is an important security control, obviously. 670 | 671 | 168 672 | 00:30:07.350 --> 00:30:11.970 673 | Michael Shannon: It kind of checks off several boxes right it's detective. 674 | 675 | 169 676 | 00:30:13.650 --> 00:30:21.450 677 | Michael Shannon: Primarily detective but just the you know just the fact that the cameras exist, can be a deterrent. 678 | 679 | 170 680 | 00:30:23.070 --> 00:30:32.250 681 | Michael Shannon: You have to be aware of the media that it's writing the video to protection of that the high availability of that.
682 | 683 | 171 684 | 00:30:34.380 --> 00:30:46.980 685 | Michael Shannon: Can the system itself be hacked it's on a network is it accessible over the Internet, so you know there's a couple ways to approach this just like. 686 | 687 | 172 688 | 00:30:47.850 --> 00:30:57.990 689 | Michael Shannon: Your cameras work hand in hand with lighting, you want to eliminate any kind of dead spots your lighting can be internal and or external. 690 | 691 | 173 692 | 00:30:59.070 --> 00:31:07.830 693 | Michael Shannon: It can be continuous something can trip it whether it's something that's tripped with a timer or through some sensor. 694 | 695 | 174 696 | 00:31:09.480 --> 00:31:14.940 697 | Michael Shannon: It can be emergency lighting, standby lighting and there's different use cases. 698 | 699 | 175 700 | 00:31:15.990 --> 00:31:16.470 701 | Michael Shannon: There we go. 702 | 703 | 176 704 | 00:31:19.470 --> 00:31:37.380 705 | Michael Shannon: Sodium vapor is good outdoor lighting if you live in a foggy area like San Francisco or San Diego somewhere on the coast, mercury vapor is the kind of lighting, you see, often like city lights or in a stadium. 706 | 707 | 177 708 | 00:31:38.430 --> 00:31:38.850 709 | Michael Shannon: Right. 710 | 711 | 178 712 | 00:31:40.380 --> 00:31:46.710 713 | Michael Shannon: so very important another term to be aware of industrial camouflage. 714 | 715 | 179 716 | 00:31:48.030 --> 00:31:59.940 717 | Michael Shannon: Your cameras your surveillance devices your sensors are often camouflaged, they're in trees and landscaping elements many times when you're on a. 718 | 719 | 180 720 | 00:32:00.690 --> 00:32:20.310 721 | Michael Shannon: let's say a campus of a company like a high tech company and you'll see you know art statues that's not just there for aesthetic reasons, usually that type of statue or artwork or whatever is industrial camouflage. 722 | 723 | 181 724 | 00:32:22.860 --> 00:32:23.280 725 | Michael Shannon: Okay.
726 | 727 | 182 728 | 00:32:30.180 --> 00:32:37.320 729 | Michael Shannon: security guards lots of considerations are they 24/7 right. 730 | 731 | 183 732 | 00:32:38.730 --> 00:32:49.740 733 | Michael Shannon: Every day, all you know, maybe three shifts three eight hour shifts or maybe you just have security guards during business hours or maybe you just have security guards that are there. 734 | 735 | 184 736 | 00:32:50.550 --> 00:32:56.370 737 | Michael Shannon: That are not business hours, maybe you have to share your security guard with other businesses. 738 | 739 | 185 740 | 00:32:57.240 --> 00:33:08.310 741 | Michael Shannon: The guards, maybe if they are your guards, are they employees are they contractors do they come from a third party are they licensed are they armed How does that affect. 742 | 743 | 186 744 | 00:33:08.820 --> 00:33:20.880 745 | Michael Shannon: You know, an armed guard that may affect your insurance your business insurance policy but security guards can do a wide variety of things besides just you know. 746 | 747 | 187 748 | 00:33:22.200 --> 00:33:32.010 749 | Michael Shannon: be a present deterrent, they can often be at a guard gate at your perimeter and they're looking at credentials they're checking credentials. 750 | 751 | 188 752 | 00:33:32.790 --> 00:33:39.150 753 | Michael Shannon: Maybe they're doing you know when somebody's trying to get into facility you're going to have them pull aside. 754 | 755 | 189 756 | 00:33:39.630 --> 00:33:52.770 757 | Michael Shannon: backup and park over here because it's going to take us 15 or 20 minutes because we're going to go and we're going to do some background we're going to do some you know we're going to run some services against your identity. 758 | 759 | 190 760 | 00:33:54.540 --> 00:34:02.220 761 | Michael Shannon: Maybe you know follow up on some facial recognition technology if you go to interview.
762 | 763 | 191 764 | 00:34:02.940 --> 00:34:13.350 765 | Michael Shannon: You know if you go to interview for a high tech company it's not unlikely that right when you walk in there'll be a security guard and they'll have you, you know. 766 | 767 | 192 768 | 00:34:13.890 --> 00:34:22.260 769 | Michael Shannon: step back and they're going to take a picture of you they're going to collect your identity information right you're the proofing. 770 | 771 | 193 772 | 00:34:22.950 --> 00:34:36.840 773 | Michael Shannon: they'll get two forms of ID and they'll take a picture and make a temporary badge that you have to wear at all times and then that may give you access, but you may only be able to get access with an escort. 774 | 775 | 194 776 | 00:34:38.040 --> 00:34:43.320 777 | Michael Shannon: But security guards are often involved in those activities but they're also responders. 778 | 779 | 195 780 | 00:34:45.000 --> 00:34:55.320 781 | Michael Shannon: If there's somebody walking around on your floor without a badge on you don't recognize them they're going to come and you're not going to interact with them you're going to call the security guard security team. 782 | 783 | 196 784 | 00:34:56.970 --> 00:35:08.430 785 | Michael Shannon: They may also have to interface with other law enforcement agencies so are they hired are they contracted are they certified are they licensed armed or unarmed. 786 | 787 | 197 788 | 00:35:09.870 --> 00:35:15.660 789 | Michael Shannon: Are they involved are you involved with the screening and the background check of the security guard. 790 | 791 | 198 792 | 00:35:17.010 --> 00:35:22.830 793 | Michael Shannon: or and or are they involved in doing that for guests. 794 | 795 | 199 796 | 00:35:23.910 --> 00:35:34.500 797 | Michael Shannon: That show up or contractors or temporary workers or whatever or visitors who is going to do the online training of the guards I mentioned robots and robot sentries.
798 | 799 | 200 800 | 00:35:35.310 --> 00:35:47.820 801 | Michael Shannon: This is an older model, but this is just a prototype the Samsung SGR-A1, a sentry gun that's used at the Korean DMZ. 802 | 803 | 201 804 | 00:35:49.170 --> 00:35:51.630 805 | Michael Shannon: Like I said Black Mirror kind of stuff. 806 | 807 | 202 808 | 00:35:53.430 --> 00:35:55.680 809 | Michael Shannon: lots of different ways to. 810 | 811 | 203 812 | 00:35:57.300 --> 00:35:58.350 813 | Michael Shannon: detect motion. 814 | 815 | 204 816 | 00:36:00.510 --> 00:36:02.580 817 | Michael Shannon: Okay, very important. 818 | 819 | 205 820 | 00:36:03.600 --> 00:36:06.450 821 | Michael Shannon: Additional control physical control. 822 | 823 | 206 824 | 00:36:10.080 --> 00:36:17.820 825 | Michael Shannon: You know, most of us if we have an alarm system at our business, at our home, a lot of us are using similar like electromechanical. 826 | 827 | 207 828 | 00:36:18.240 --> 00:36:33.150 829 | Michael Shannon: Right you've got something on the window or the door and if it's breached that breaking electrical circuit, if you don't put in a code within 30 seconds to a minute the alarms go off. 830 | 831 | 208 832 | 00:36:36.060 --> 00:36:38.460 833 | Michael Shannon: Others will use passive infrared. 834 | 835 | 209 836 | 00:36:39.600 --> 00:36:43.770 837 | Michael Shannon: photo electric or combinations of okay. 838 | 839 | 210 840 | 00:36:45.360 --> 00:36:53.250 841 | Michael Shannon: So whatever you're using to detect the unauthorized intrusion, it is a trigger something. 842 | 843 | 211 844 | 00:36:54.270 --> 00:37:16.350 845 | Michael Shannon: It may send a silent alarm to the security operations center or the security guard, it may be something that flashes on a display panel, there may be some audible or a combination of lighting, emergency lighting and you know 130-plus decibel horn or sound or whistle.
846 | 847 | 212 848 | 00:37:18.330 --> 00:37:23.520 849 | Michael Shannon: A text message, it could be sent phone call email you get the idea. 850 | 851 | 213 852 | 00:37:29.070 --> 00:37:35.160 853 | Michael Shannon: It depends so Jeremy what type of digital signature is used with API calls. 854 | 855 | 214 856 | 00:37:37.320 --> 00:37:42.360 857 | Michael Shannon: I'm assuming this is an application programming interface request it depends. 858 | 859 | 215 860 | 00:37:43.590 --> 00:37:45.750 861 | Michael Shannon: Sometimes they'll use just. 862 | 863 | 216 864 | 00:37:46.770 --> 00:38:00.900 865 | Michael Shannon: You know RSA elliptic curve something elliptic curve a digital signature AWS they use a protocol like if you're doing. 866 | 867 | 217 868 | 00:38:02.160 --> 00:38:09.840 869 | Michael Shannon: Like programmatic console access, like the AWS console they have they use what's called Signature 4. 870 | 871 | 218 872 | 00:38:11.280 --> 00:38:15.570 873 | Michael Shannon: that's the protocol that they use to digitally sign the API calls. 874 | 875 | 219 876 | 00:38:17.340 --> 00:38:31.950 877 | Michael Shannon: But it's some type of a symmetric key crypto system using either an access key or a key pair so there's different ways to digitally sign the API calls. 878 | 879 | 220 880 | 00:38:35.580 --> 00:38:44.280 881 | Michael Shannon: The most common form of physical security mechanism by far is the lock and again for the exam, it is a preventative mechanism. 882 | 883 | 221 884 | 00:38:45.150 --> 00:39:00.780 885 | Michael Shannon: Okay, we don't want to get we don't want to argue with ourselves it's gonna go with the obvious if they give you some type of scenario, we know that the lock can be physical we have various types of physical locks physical locks there's different ways to breach them.
886 | 887 | 222 888 | 00:39:02.040 --> 00:39:20.250 889 | Michael Shannon: We can use picks, and these are kits you can go you're familiar with what lock picks or raking looks like just go do a Google search a rake is something that you insert all the way to the back of the physical and it kind of you know rakes it. 890 | 891 | 223 892 | 00:39:21.810 --> 00:39:36.480 893 | Michael Shannon: As opposed to the pick that usually uses two components and, of course, as mentioned all physical locks are subject to brute force one degree or another. 894 | 895 | 224 896 | 00:39:37.830 --> 00:39:49.380 897 | Michael Shannon: But I wouldn't get too bogged down in all the different types of locks okay, but usually we want to combine and have more than one lock. 898 | 899 | 225 900 | 00:39:50.430 --> 00:40:09.000 901 | Michael Shannon: We would like to use locks that would contribute to a multi-factor authentication process, so, in addition to just presenting some smart card or token possibly we're going to have a crypto lock or some other biometric sensor. 902 | 903 | 226 904 | 00:40:10.320 --> 00:40:17.880 905 | Michael Shannon: And it really depends upon the data sensitivity, the property whatever is, on the other side of that lock right. 906 | 907 | 227 908 | 00:40:26.580 --> 00:40:34.410 909 | Michael Shannon: So I already kind of talked about this, you know physical security may involve, you know personnel controls. 910 | 911 | 228 912 | 00:40:35.520 --> 00:40:48.930 913 | Michael Shannon: guests visitors contractors temporary workers, we always want to consider, as this is an administrative type control but piggybacking and tailgating. 914 | 915 | 229 916 | 00:40:50.340 --> 00:41:05.040 917 | Michael Shannon: Right piggybacking and tailgating where somebody presents their card or their token or their badge they go in the door, and you just follow right behind and without presenting yours.
918 | 919 | 230 920 | 00:41:12.390 --> 00:41:15.270 921 | Michael Shannon: Also part of physical security is power. 922 | 923 | 231 924 | 00:41:16.350 --> 00:41:25.320 925 | Michael Shannon: And usually we want to have more than one power source to our facility, if possible, we like to have redundancy. 926 | 927 | 232 928 | 00:41:26.010 --> 00:41:37.320 929 | Michael Shannon: we want redundancy in our site to site VPN we want redundancy in our Internet connectivity if we can't we want redundancy and power now that's not always available. 930 | 931 | 233 932 | 00:41:38.250 --> 00:41:54.450 933 | Michael Shannon: in different regions of the world, the electrical power grid may be very you know monopolistic Okay, so you just don't have even if you have multiple sources. 934 | 935 | 234 936 | 00:41:55.200 --> 00:42:06.570 937 | Michael Shannon: Of let's say who's billing you for electrical or providing your electrical it's still coming from the same grid you're just going through a different broker right. 938 | 939 | 235 940 | 00:42:08.040 --> 00:42:27.210 941 | Michael Shannon: But we have to make sure that we as part of business continuity and continuity of operations, we need the UPS right the uninterruptible power supplies and generators, which I have, I have UPS, the UPS goes into my generator. 942 | 943 | 236 944 | 00:42:31.860 --> 00:42:35.910 945 | Michael Shannon: So a backup generators. 946 | 947 | 237 948 | 00:42:37.200 --> 00:42:40.020 949 | Michael Shannon: Diesel driven perhaps. 950 | 951 | 238 952 | 00:42:41.640 --> 00:42:45.000 953 | Michael Shannon: blackouts and brownouts or blackouts a complete. 954 | 955 | 239 956 | 00:42:46.080 --> 00:42:49.560 957 | Michael Shannon: interruption of electrical power for a period of time. 958 | 959 | 240 960 | 00:42:50.730 --> 00:42:58.170 961 | Michael Shannon: Now, on the exam wants you to remember that, often, yes, the blackout, is something that we want to be able to.
962 | 963 | 241 964 | 00:42:59.400 --> 00:43:00.420 965 | Michael Shannon: protect against. 966 | 967 | 242 968 | 00:43:01.590 --> 00:43:05.310 969 | Michael Shannon: But often a brownout can be more destructive. 970 | 971 | 243 972 | 00:43:06.390 --> 00:43:11.340 973 | Michael Shannon: The intentional or unintentional sag or slump or voltage drop. 974 | 975 | 244 976 | 00:43:12.960 --> 00:43:19.080 977 | Michael Shannon: can actually do more damage than simply we don't have power right now. 978 | 979 | 245 980 | 00:43:23.610 --> 00:43:27.390 981 | Michael Shannon: So we have to have contingencies, and this is, of course, part of. 982 | 983 | 246 984 | 00:43:29.310 --> 00:43:42.180 985 | Michael Shannon: Business continuity environmental controls, you know, fortunately, because of virtualization and the ability to use hypervisors many companies now have been able to. 986 | 987 | 247 988 | 00:43:43.080 --> 00:43:58.590 989 | Michael Shannon: shrink down their server farms and their data centers so we no longer have the same kind of power consumption needs we no longer have the same carbon footprint we don't have the same HVAC needs. 990 | 991 | 248 992 | 00:43:59.640 --> 00:44:10.500 993 | Michael Shannon: But, regardless of the fact that we have been able to condense our data center down to a much smaller area or a much smaller facility, we still have to contend with. 994 | 995 | 249 996 | 00:44:11.370 --> 00:44:26.430 997 | Michael Shannon: ventilation air conditioning temperature humidity and those types of controls need to be redundant and often the HVAC systems and the control system should be on a separate network. 998 | 999 | 250 1000 | 00:44:28.410 --> 00:44:34.980 1001 | Michael Shannon: They shouldn't be accessible across the local area network, it should be isolated maybe.
1002 | 1003 | 251 1004 | 00:44:35.490 --> 00:44:50.370 1005 | Michael Shannon: As part of your security operations center or maybe you have a facilities department that's a separate department and, of course, you know physical security of all of those different controls, physical and software. 1006 | 1007 | 252 1008 | 00:44:53.580 --> 00:45:05.850 1009 | Michael Shannon: You have to be considering, are you dealing with any type of chemicals that are harmful chemical leaks biological leaks those things are part of the environmental controls. 1010 | 1011 | 253 1012 | 00:45:07.500 --> 00:45:16.050 1013 | Michael Shannon: You know, historically traditionally in large data centers or server rooms, we would have the hot and cold aisles. 1014 | 1015 | 254 1016 | 00:45:17.310 --> 00:45:24.780 1017 | Michael Shannon: Where you had your devices in the racks lined up where the fans were all facing in the same direction. 1018 | 1019 | 255 1020 | 00:45:25.650 --> 00:45:46.290 1021 | Michael Shannon: Where the hot air went and then it got maybe moving through a cold aisle to a separate system or a room, but you know, generally speaking, the recommended humidity for the server rooms, or the data centers or whatever you call them 40 to 60% humidity. 1022 | 1023 | 256 1024 | 00:45:47.970 --> 00:45:51.270 1025 | Michael Shannon: And then the degrees 72 to. 1026 | 1027 | 257 1028 | 00:45:52.380 --> 00:46:00.120 1029 | Michael Shannon: 76 as it that's in Fahrenheit so somebody can convert that to Celsius for me and put that out there. 1030 | 1031 | 258 1032 | 00:46:02.850 --> 00:46:03.750 1033 | Michael Shannon: So if. 1034 | 1035 | 259 1036 | 00:46:04.770 --> 00:46:21.930 1037 | Michael Shannon: Most of us when we go into a facility and we are using the wired Ethernet when we go to the cubicle or the desk that we're at and we plug in our Ethernet cable with the RJ45 jack you know into the port.
1038 | 1039 | 260 1040 | 00:46:23.760 --> 00:46:31.920 1041 | Michael Shannon: The cable run behind that port is not going directly to a switch. 1042 | 1043 | 261 1044 | 00:46:32.940 --> 00:46:44.160 1045 | Michael Shannon: Like right into a switch port, maybe in a small office/home office, in most facilities that cable is a part of a distribution run. 1046 | 1047 | 262 1048 | 00:46:44.700 --> 00:47:03.780 1049 | Michael Shannon: And there are distribution frames so it's going to maybe a closet or a room where it's being punched down on a distribution frame and then the cabling continues, whether under the floor through the wall, or the ceiling to either another distribution frame or then finally into the. 1050 | 1051 | 263 1052 | 00:47:04.830 --> 00:47:09.660 1053 | Michael Shannon: server room or the wherever the network room or whatever data center. 1054 | 1055 | 264 1056 | 00:47:11.100 --> 00:47:22.050 1057 | Michael Shannon: depends on the size of the building, you may have distribution closets you know per floor or several in a building and then extends to your campus so you have to be. 1058 | 1059 | 265 1060 | 00:47:22.590 --> 00:47:32.040 1061 | Michael Shannon: You know that's part of your physical security is securing those cable run areas, maybe cameras other types of sensors. 1062 | 1063 | 266 1064 | 00:47:32.550 --> 00:47:43.560 1065 | Michael Shannon: You don't want people malicious insiders or somebody who's conducting a hoax coming in and disrupting that because that distribution frame and wiring can be quite elaborate. 1066 | 1067 | 267 1068 | 00:47:44.970 --> 00:47:54.000 1069 | Michael Shannon: The larger your campus the larger your building now usually this is under the kind of umbrella of the facilities management and the network. 1070 | 1071 | 268 1072 | 00:47:55.470 --> 00:47:58.740 1073 | Michael Shannon: Right, the network engineers and operators.
1074 | 1075 | 269 1076 | 00:47:59.820 --> 00:48:11.160 1077 | Michael Shannon: But as a security manager, we want to make sure that whatever departments and teams that are responsible for this infrastructure that they're taking the proper. 1078 | 1079 | 270 1080 | 00:48:13.560 --> 00:48:16.050 1081 | Michael Shannon: physical security precautions. 1082 | 1083 | 271 1084 | 00:48:22.020 --> 00:48:41.520 1085 | Michael Shannon: So I've got several slides here that just talks about controlling physical access, you know we're talking about strong doors multiple locks maybe no or fewer windows, if you do have windows secure security windows that have metal mesh in them. 1086 | 1087 | 272 1088 | 00:48:43.080 --> 00:48:46.950 1089 | Michael Shannon: Biometric multi factor authentication to these areas. 1090 | 1091 | 273 1092 | 00:48:48.720 --> 00:48:58.200 1093 | Michael Shannon: Obviously we need to have automatic fire detection and suppression systems I'm going to talk about those here the last slide. 1094 | 1095 | 274 1096 | 00:49:01.260 --> 00:49:20.190 1097 | Michael Shannon: An air gap is the physical separation so often, when I mentioned like we want our HVAC systems or environmental systems to be on a separate network those would be air gapped possibly and have no connectivity to the Internet or no Wi-Fi management capability. 1098 | 1099 | 275 1100 | 00:49:22.140 --> 00:49:28.680 1101 | Michael Shannon: Now, having systems air gapped isn't a you know foolproof solution. 1102 | 1103 | 276 1104 | 00:49:30.000 --> 00:49:43.920 1105 | Michael Shannon: Just because it's done on the local area network or has no Wi-Fi access that's really where physical security and personnel security comes in, remember the Stuxnet virus, the famous virus that. 1106 | 1107 | 277 1108 | 00:49:45.390 --> 00:49:48.000 1109 | Michael Shannon: I guess everybody knows who did it now.
1110 | 1111 | 278 1112 | 00:49:49.980 --> 00:49:54.660 1113 | Michael Shannon: The two countries that were involved, and you know at the Iranian. 1114 | 1115 | 279 1116 | 00:49:55.890 --> 00:49:57.180 1117 | Michael Shannon: nuclear facility. 1118 | 1119 | 280 1120 | 00:49:58.380 --> 00:50:05.640 1121 | Michael Shannon: It was an air gapped environment, the Stuxnet virus got in on the laptop of a contractor. 1122 | 1123 | 281 1124 | 00:50:06.780 --> 00:50:07.530 1125 | Michael Shannon: who came in. 1126 | 1127 | 282 1128 | 00:50:10.980 --> 00:50:26.790 1129 | Michael Shannon: So remember air gapping certain systems in certain areas, definitely is important but it's again that also emphasizes the need for physical and personal security and a zero trust environment. 1130 | 1131 | 283 1132 | 00:50:29.130 --> 00:50:31.170 1133 | Michael Shannon: Constant logging and auditing. 1134 | 1135 | 284 1136 | 00:50:34.680 --> 00:50:42.120 1137 | Michael Shannon: Your secure enclosures if you have a clean desk policy, you have a locking desk. 1138 | 1139 | 285 1140 | 00:50:43.170 --> 00:50:50.040 1141 | Michael Shannon: Now those locks on those desks are easily pickable by somebody with. 1142 | 1143 | 286 1144 | 00:50:51.270 --> 00:50:57.090 1145 | Michael Shannon: who spends an hour on YouTube, but they also may have you know locking cabinets or whatever. 1146 | 1147 | 287 1148 | 00:50:58.770 --> 00:51:09.210 1149 | Michael Shannon: But we're talking about you know safes either embedded safes a standalone safe, that is, you know. 1150 | 1151 | 288 1152 | 00:51:10.920 --> 00:51:16.890 1153 | Michael Shannon: bolted down into the cement floor reinforced filing cabinets.
1154 | 1155 | 289 1156 | 00:51:18.090 --> 00:51:41.040 1157 | Michael Shannon: These may be mandates, by the way of you know you're in the military or government agency or whatever, but the safes that protect those valuables currencies precious metals policy insurance policies bonds stocks cyber currency wallets failsafe passwords. 1158 | 1159 | 290 1160 | 00:51:42.120 --> 00:51:46.560 1161 | Michael Shannon: break the glass passwords keys all those good things. 1162 | 1163 | 291 1164 | 00:51:48.630 --> 00:52:00.330 1165 | Michael Shannon: In the US, we have the UL, the Underwriters Laboratory, and so they give a specifications and classifications for safes so you know if you're involved in that. 1166 | 1167 | 292 1168 | 00:52:00.840 --> 00:52:14.700 1169 | Michael Shannon: As far as physical security goes the example here is that a tool resistant to 30 means it'll take 30 minutes to use a tool and a torch to get through it. 1170 | 1171 | 293 1172 | 00:52:16.800 --> 00:52:33.180 1173 | Michael Shannon: So the locking mechanism often me when I have multiple locking mechanisms, possibly a biometric maybe voice recognition an ocular fingerprint the material that's used the weight, whether it's in the wall. 1174 | 1175 | 294 1176 | 00:52:34.500 --> 00:52:40.620 1177 | Michael Shannon: does it have relocking devices, does it have a time lock on it, does it connect to. 1178 | 1179 | 295 1180 | 00:52:42.900 --> 00:52:49.290 1181 | Michael Shannon: Does it have the ability to send an alarm system or to law enforcement okay. 1182 | 1183 | 296 1184 | 00:52:51.150 --> 00:52:55.350 1185 | Michael Shannon: got to be aware of our media storage facilities, where we store our. 1186 | 1187 | 297 1188 | 00:52:56.730 --> 00:53:15.120 1189 | Michael Shannon: database backups whatever media type we're using redundant spares hot spares, our hard copies of our documentation right we don't have everything, everything is not digital, we do have some hard copies even microfiche is still used so.
1190 | 1191 | 298 1192 | 00:53:16.440 --> 00:53:29.850 1193 | Michael Shannon: Some storage facilities that are storing let's say evidence, so if you're a law enforcement entity an evidence room or an evidence storage may be a different type of facility. 1194 | 1195 | 299 1196 | 00:53:30.960 --> 00:53:37.470 1197 | Michael Shannon: For example, it's not going to be like a dry wall it's going to be concrete or brick or whatever. 1198 | 1199 | 300 1200 | 00:53:41.100 --> 00:53:49.350 1201 | Michael Shannon: It may have no window access if it has it may only have one way in one way out, if there is a fire door. 1202 | 1203 | 301 1204 | 00:53:50.520 --> 00:53:55.890 1205 | Michael Shannon: A fire way out there'll be no the door the on the outside, will have no way to. 1206 | 1207 | 302 1208 | 00:53:57.900 --> 00:54:00.150 1209 | Michael Shannon: there'll be no handle whatsoever. 1210 | 1211 | 303 1212 | 00:54:01.170 --> 00:54:04.800 1213 | Michael Shannon: it'll just be a smooth door, you can get out an emergency door. 1214 | 1215 | 304 1216 | 00:54:06.060 --> 00:54:10.230 1217 | Michael Shannon: But I've seen areas that don't even have only have one way in one way out. 1218 | 1219 | 305 1220 | 00:54:13.230 --> 00:54:13.710 1221 | Michael Shannon: So. 1222 | 1223 | 306 1224 | 00:54:17.130 --> 00:54:26.790 1225 | Michael Shannon: Also, along the lines you know the destruction and disposition policy, you know the physical destruction will be part of physical security there's a NIST. 1226 | 1227 | 307 1228 | 00:54:27.960 --> 00:54:31.740 1229 | Michael Shannon: Special publication, you might want to add that to your knowledge base. 1230 | 1231 | 308 1232 | 00:54:36.090 --> 00:54:39.780 1233 | Michael Shannon: The guidelines for media sanitation okay. 1234 | 1235 | 309 1236 | 00:54:43.050 --> 00:54:44.580 1237 | Michael Shannon: I mentioned evidence storage.
1238 | 1239 | 310 1240 | 00:54:46.110 --> 00:54:55.080 1241 | Michael Shannon: And again with evidence storage, it also brings in the administrative control of chain of custody, that we need to be aware of. 1242 | 1243 | 311 1244 | 00:54:56.190 --> 00:55:08.010 1245 | Michael Shannon: And evidence storage, maybe if it's the law enforcement type of environment, often we're going to be using some type of digital evidence management or inventory software. 1246 | 1247 | 312 1248 | 00:55:09.090 --> 00:55:20.220 1249 | Michael Shannon: Right, this is not like some 1970s cop show where the police officer comes in and he's like there's like a you know, a window with like. 1250 | 1251 | 313 1252 | 00:55:20.550 --> 00:55:30.330 1253 | Michael Shannon: Little bars on it it's got a little opening and the guy you know here's my here's the heroin, I found, and then you sign off on and it's all just done with paperwork. 1254 | 1255 | 314 1256 | 00:55:31.350 --> 00:55:35.340 1257 | Michael Shannon: No, we have modern digital evidence management software. 1258 | 1259 | 315 1260 | 00:55:36.420 --> 00:55:55.710 1261 | Michael Shannon: We have modern solutions and things are being tagged they do with RFID tags other asset tags right they can be scanned maybe a QR code so we're using much more modern techniques now to maintain that evidence and that chain of custody. 1262 | 1263 | 316 1264 | 00:55:56.820 --> 00:55:59.520 1265 | Michael Shannon: I mentioned earlier, that a man trap. 1266 | 1267 | 317 1268 | 00:56:01.020 --> 00:56:06.810 1269 | Michael Shannon: To truly be a man trap, the person has to be trapped okay so. 1270 | 1271 | 318 1272 | 00:56:09.840 --> 00:56:21.930 1273 | Michael Shannon: The individual gets into this area this enclosed area and the door locks behind them either electronically or mechanically and then the door in front of them, so there is a period of time.
1274 | 1275 | 319 1276 | 00:56:23.280 --> 00:56:39.840 1277 | Michael Shannon: and often that there's no piggybacking or tailgating it's one person at a time and then they may be talking through an intercom system or a video camera system, there may be a bulletproof window and they're interfacing with somebody to provide credentials, or whatever. 1278 | 1279 | 320 1280 | 00:56:45.960 --> 00:56:56.190 1281 | Michael Shannon: can include once you're in that area can include some biometric reader along with possible closed circuit TV and security guards. 1282 | 1283 | 321 1284 | 00:56:59.760 --> 00:57:00.270 1285 | Michael Shannon: A. 1286 | 1287 | 322 1288 | 00:57:02.790 --> 00:57:04.470 1289 | Michael Shannon: Alright, one last thing. 1290 | 1291 | 323 1292 | 00:57:06.030 --> 00:57:21.330 1293 | Michael Shannon: And then we'll finish up for the day but Faraday cages can be built around servers can be built around racks of equipment of your infrastructure of your data center. 1294 | 1295 | 324 1296 | 00:57:22.020 --> 00:57:44.250 1297 | Michael Shannon: And these are to prevent damage from some electromagnetic interference or pulse or solar flare or whatever, so the Faraday cage can be built into the actual design of the room, it may be enclosures It may be a bag a Faraday bag. 1298 | 1299 | 325 1300 | 00:57:45.420 --> 00:57:48.330 1301 | Michael Shannon: I have Faraday bags, you can get them. 1302 | 1303 | 326 1304 | 00:57:49.770 --> 00:57:50.970 1305 | Michael Shannon: You can buy them online. 1306 | 1307 | 327 1308 | 00:57:52.290 --> 00:57:58.920 1309 | Michael Shannon: Like there that these like US military grade of different sizes, so my. 1310 | 1311 | 328 1312 | 00:58:00.180 --> 00:58:03.960 1313 | Michael Shannon: Cyber currency wallets they're in Faraday bags.
1314 | 1315 | 329 1316 | 00:58:05.520 --> 00:58:16.920 1317 | Michael Shannon: and technically, you can take a mobile phone and put it into a Faraday bag and put it in your microwave oven and run it and then take it out and the phone's undamaged, don't test that. 1318 | 1319 | 330 1320 | 00:58:18.900 --> 00:58:25.440 1321 | Michael Shannon: But this may be something that, as part of your physical security existing. 1322 | 1323 | 331 1324 | 00:58:26.580 --> 00:58:32.130 1325 | Michael Shannon: You know, ongoing usage, or maybe something you're planning for in the future need to consider. 1326 | 1327 | 332 1328 | 00:58:34.350 --> 00:58:45.240 1329 | Michael Shannon: yeah Victor says they're testing right now, oh no no don't test that alright so that's it there's a few more slides in here, you can you can when you're doing your study you can read up. 1330 | 1331 | 333 1332 | 00:58:46.080 --> 00:58:57.090 1333 | Michael Shannon: You know, like air gap couple of slides on air gap and then fire controls just remember there's three elements there's prevention, detection and suppression. 1334 | 1335 | 334 1336 | 00:58:57.660 --> 00:59:12.900 1337 | Michael Shannon: The more we focus on prevention, the less we have to be concerned with detection and suppression right, the more effective the prevention that's going to remove the need for the other two areas, and then you may have to know. 1338 | 1339 | 335 1340 | 00:59:13.620 --> 00:59:27.240 1341 | Michael Shannon: types of extinguishers and so that's the last slide of this session with the newer type K flammable liquids unique to cooking extinguished using dry powder okay. 1342 | 1343 | 336 1344 | 00:59:28.350 --> 00:59:36.510 1345 | Michael Shannon: So that's it uh yeah Wi-Fi routers yeah I know that yeah people that's arguable. 1346 | 1347 | 337 1348 | 00:59:38.820 --> 00:59:44.370 1349 | Michael Shannon: But we won't get into that debate, but it's that's that's true Andrew people do that.
1350 | 1351 | 338 1352 | 00:59:46.800 --> 00:59:50.250 1353 | Michael Shannon: Maybe you should do that with your 5G phone while you're at it. 1354 | 1355 | 339 1356 | 00:59:51.600 --> 01:00:03.210 1357 | Michael Shannon: Alright folks, thank you. A lot of great chat today, a lot of you guys helping each other out, men and women, helping each other out, you guys are providing links. 1358 | 1359 | 340 1360 | 01:00:04.050 --> 01:00:11.370 1361 | Michael Shannon: you're following up on some of the things, you're, you know, it's all great, really love that, I encourage it, right. 1362 | 1363 | 341 1364 | 01:00:12.120 --> 01:00:26.490 1365 | Michael Shannon: we're, you know, you guys are all in this together, we're in this together and to get this CISSP thing going to give that sort of occasion and then I want to see you in July, for the CCA SP boot camp. That being said, I'm going to stop the recording. 1366 | 1367 | 342 1368 | 01:00:29.490 --> 01:00:30.210 1369 | Michael Shannon: Have a great. 1370 | 1371 | -------------------------------------------------------------------------------- /Archive/test.txt: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /CISSP Bootcamp 2025 Syllabus.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP Bootcamp 2025 Syllabus.pdf -------------------------------------------------------------------------------- /CISSP_DAY1_part1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY1_part1.pdf -------------------------------------------------------------------------------- /CISSP_DAY1_part2.pdf:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY1_part2.pdf -------------------------------------------------------------------------------- /CISSP_DAY2_part1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY2_part1.pdf -------------------------------------------------------------------------------- /CISSP_DAY2_part2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY2_part2.pdf -------------------------------------------------------------------------------- /CISSP_DAY3_part1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY3_part1.pdf -------------------------------------------------------------------------------- /CISSP_DAY3_part2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY3_part2.pdf -------------------------------------------------------------------------------- /CISSP_DAY4_part1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY4_part1.pdf -------------------------------------------------------------------------------- /CISSP_DAY4_part2.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY4_part2.pdf -------------------------------------------------------------------------------- /CISSP_DAY5_part1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY5_part1.pdf -------------------------------------------------------------------------------- /CISSP_DAY5_part2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Skillsoft-Content/CISSP_Bootcamp/74ed53fe91fe6fe0c690060148fc34f7bc700d3a/CISSP_DAY5_part2.pdf --------------------------------------------------------------------------------