CISSP Cyber Training Podcast - CISSP Training Program

CCT 146: Defense in Depth and Secure Defaults for the CISSP Exam (Domains 3.1.2 & 3.1.3)

June 03, 2024 Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur

Curious about how to implement robust cybersecurity measures and avoid costly breaches? In our latest episode of the CISSP Cyber Training Podcast, we unravel the intricacies of defense in depth and secure defaults as outlined in domains 3.1.2 and 3.1.3 of the CISSP exam. Starting with a weather update from Kansas, we shift gears to dissect a critical incident at UnitedHealthcare, revealing the repercussions of appointing a CISO lacking specific security expertise. We emphasize the essential role of multi-factor authentication and discuss the internal politics that can shape security decisions in large organizations.

Ever wondered how to shield your data from unauthorized access effectively? Join us as we outline comprehensive data security strategies, including encryption, data loss prevention, and the often-neglected practice of system hardening. Learn how encryption safeguards data at rest, in transit, and in use, and how data loss prevention tools limit unauthorized exfiltration channels. We also highlight the critical importance of Security Information and Event Management (SIEM) tools for a centralized security overview, and introduce you to the concept of abstraction, which simplifies user interactions while minimizing security risks.

To wrap things up, we dive into practical tactics for implementing secure defaults. We'll cover the essentials: strong passwords, disabling unnecessary services, and automatic security updates. Discover the best practices for configuring application settings, network devices, and security tools to enhance your security posture. We also tackle real-world challenges like vendor flexibility, usability concerns, and legacy systems. Finally, we offer invaluable tips and resources to help you set and achieve your CISSP goals with confidence. Don't miss out on these actionable insights to elevate your cybersecurity expertise!

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:

All right, let's get started. Good morning everybody. This is Shon Gerber with CISSP Cyber Training, and hope you all are having a wonderfully blessed day today. Today is an amazing day here in Kansas. Yeah, it's actually going to be like 75 degrees, 75 to 85 degrees. It's going to be amazing.

Speaker 2:

The sun is out, so it's really quite pleasant for this time of year. The interesting part, though, is the 125 degree weather is soon around the corner. Well, actually I'm exaggerating just a little bit, it's not going to quite get to 125, maybe 120, but it gets really warm here and sticky, and yeah, it's not fun, but that's okay. We enjoy it while we can when it's pleasant. But you're not here to hear about the weather. Yeah, no, this is not a weather podcast. This is about the CISSP, and today we're going to be talking about domain 3.1.2 and basically 3.1.3. And we're going to be going over defense in depth and secure defaults. This is all part of domain three of the CISSP exam, and so this is going to be some fun stuff, right. But actually it's a little bit apropos that one of the things that happened in the news yesterday that I saw actually is a little bit disconcerting if you are a security professional that doesn't have the experience. I'm saying this not to scare anybody off, but it's actually quite interesting.

Speaker 2:

In The Register there was a US Senator who had claimed that the UnitedHealthcare debacle that occurred, where basically the ransomware occurred, cost $22 million, all kinds of stuff. Right, then who knows how much more they're going to gain, how much more it's going to end up costing UnitedHealthcare. But if you all aren't connected, UnitedHealthcare was one of the main, basically it's kind of a clearinghouse for, what do they call it? Insurance products that are going out there. When you go, I have an insurance company such as UnitedHealthcare, and then they go through another clearinghouse, and that's like there's lots of stuff that basically has to happen. So, as you can tell real quickly, I don't know what the crud I'm talking about when it comes to all that healthcare stuff. So we'll just keep moving on. But bottom line, it's like a clearinghouse of some sort. But what ended up happening is they had a ransomware attack back this last year and it was pretty traumatic. It cost a lot of money, cost a lot of drama. It was a big deal.

Speaker 2:

Well, come to find out that there now is going to be some situations that are coming out with the unqualified CISO for UnitedHealthcare's CEO. Basically he had appointed, so this CEO had appointed the CISO, and then the hack occurred and now they're trying to find somebody's head to lop off. And again, I don't know this individual at all. It's a gentleman by the name of Steve Martin. He was appointed CISO in 2023. And the interesting part is they said he didn't hold any security specific role during his career, despite his high level experience in other tech roles, and it is interesting. So this kind of flies in the face of what we talk about here in security, where you need to work your way up through the corporation, get some level of experience, and you may bounce around from job to job a little bit to do that, but you need some level of experience in security. And when you start off, you may not have that and that's okay, but you really need to have, when you deal in your roles, that you have some level of security tied to your role, that you understand the concepts. Now, I don't know Mr Martin, so nor am I to say whether he does or doesn't know it. He looks like he has a very solid career and he's done a lot of stuff in IT. But bottom line is they're looking for somebody's head to chop off and he's in the situation where he didn't have a specific security role in his job title per se, so he wasn't the director of security, he wasn't the security analyst, he wasn't whatever that might be. So when he ended up getting the role as the CISO, they're saying that, well, because he didn't have that experience, they should have never done that. So they're really going after the CEO and they're going after him.

Speaker 2:

Now I will say that if you read through the article, there's some pretty bonehead things that did occur where they didn't have any multi-factor authentication on remote access server. You know that's kind of a big basic practice type of aspect. However, if you've been in security long enough to know that there may be a good reason why I don't think I could actually figure that one out but there might have been a good reason why they didn't have MFA on those systems. And I would also say sometimes you get into the political schema that rolls into these large corporations and you get a lot of pushback for putting stuff like MFA on the remote access because it causes disruption, maybe causes some level of outage just going through that whole process. So I don't know the details, nor am I going to comment on whether it's right or wrong.

Speaker 2:

The only other thing I want to bring up was the fact that now in this article they're having people within the legislative groups who are wanting him, they're wanting somebody's head, and the point is that they're saying that careless activities, you know, you wouldn't have a brain surgeon work on somebody's brain if they never went to school to be a brain surgeon or they never had the background of being a brain surgeon. So I understand what he's saying. It's a little bit more nuanced than that and unfortunately, a lot of times the politicians will say things that they don't truly understand. So I hope for Mr Martin and for the CEO that they can work this out. But it's a good lesson for all of us to know that if you are working as a security professional, you need to make sure that you are working to get your title to match up with it and you need to follow best practices. Especially if you're in a publicly held company where people's livelihoods are on the line, especially when it comes to stock and shareholders, you are under a lot more scrutiny and, as such, those articles that I put out there. You need to also be compensated for this, because I'm hoping that Mr Martin had been compensated well for his activities, because there's a lot of responsibility that he had. So check it out. Again: US Senator claims UnitedHealthcare CEO and board appointed an unqualified CISO.

Speaker 2:

So, yeah, it's an interesting world we live in, but you don't want to hear about all of that. We could go down many different tangents. So we're going to get into domain 3.1.2 and 3.1.3. And this is around the overall piece of defense in depth and secure defaults. So, when we talk about defense in depth, one of the key concepts around this is, just in the case of what we had with this last article with MFA, MFA would be considered a defense in depth. It's one of the first things that you would run into if you're an outsider trying to get into a network. Is you run into MFA? Well, it's a layered security approach where you must have multiple controls in place to help mitigate the potential risks, and so, therefore, you need to have these controls in place to do that. This layered approach, again, is designed so that if one layer fails, the others still can provide some level of protection against basically everything falling apart. So this layered approach ensures that this is set up in place.

Speaker 2:

Now, one example that you've seen or maybe you've heard of people talking about is the medieval castle where you have the moat. So if you look at it from a mind's eye, you have this medieval castle sitting on a hill. Probably not a hill, probably more of a flat plain, because a moat won't really work too well on a big hill. But you have this castle sitting out there and there's this moat, a big trench dug around it, and inside that trench is all kinds of, there's water and alligators and snakes and whatever else things. Those are just basically designed so that if you want to get into this really tall castle, you've got to go through this moat to get to the castle. Well, the same kind of concept it has in security is that you want to have this set up so that if one of your protection mechanisms fails, there's another one waiting to catch the attacker. And I try to bring this up when I was talking about security to partners and to individuals, is that the fact is that these controls are not designed to necessarily stop the individual.

Speaker 2:

I mean, you want them to stop the individual, but there's many cases if there's one control, they'll find a way around it and you want them to run into another one. There's two different concepts with this. One is you want to slow them down enough that they get frustrated and they move on to somebody else. Fortunately, that's how it works. Right, it's the law of the, not law of the fittest. That's where, okay, if you're the little tiny gazelle and there's tigers everywhere and you broke your leg, you're gonna get eaten. Yeah, it's the law of is something like that, but bottom line is you're going to get eaten right. So we want to have it so that your gazelle has all four legs, maybe six legs, and can run really, really fast. So by having these protection mechanisms in place, you are that gazelle with six legs. I know it's a really weird tangent, but it kind of sort of works. The bottom line is then they will move on to somebody else and eat somebody's other gazelle, but if they penetrate one, you also want to have.

Speaker 2:

The second concept is that if they are determined to get into your network and they're going to bridge your moat and they're going to bridge and cross the high walls of your castle, you want to have sentries that are going to be alerting you that, hey, somebody just did something. So another reason for having these multiple controls is the fact that they can be triggers. They can be alerts to go, okay, someone has just crossed this line. Okay, now someone has just crossed this line, and by doing so, you now have the ability to have better situational awareness of what some of the attackers are trying to do within your environment. So it's really important to have a defense strategy with multiple controls.

Speaker 2:

Now, also, knowing this full well, you're going to be in security. At any point in time in your career. You're going to realize that that isn't always the case. There may be situations where you've only got one control and that is it. It may happen. You may not have the luxury of putting in multiple controls in place for a specific area. So if that is the case, then you have to be keenly aware of what you're going to put there to protect yourself and alert on it, so that if anybody gets into the inner sanctum of this one thing because you only have one control, then you better have all kinds of fireworks go off, bells and whistles, you name it, you need to know about it. So just keep that in mind as you're thinking about this from an attacker's perspective.

Speaker 2:

Now, some of the protection mechanisms we're going to talk about, and this is not all inclusive, this is just a good example of some of them that you can use. Perimeter security is one of the first ones, and that is like the firewall. The firewall will act as your first line of defense as far as coming into the network. So, again, though, there's many other controls, it isn't just the first one, a lot of one comes into. Another one is that you're allowing who has access to your network, which is another really great control that you have in place. So your firewalls, they're your first line of defense. They filter incoming and outgoing traffic based on rules that are maybe predefined, set up already. Some of the firewalls today can actually be thinking on the fly, and they can do that work for you, but that's your first line coming in. Now you could then run into IDS and IPS systems, which is your intrusion detection and prevention systems. These two will monitor traffic and they'll look for suspicious activity, and in many cases your IDS/IPS can be embedded and ingrained within your firewall and, again, they're designed specifically to block attacks. Now the downside of this is when you block anything, you're causing a disruption, so you're disrupting the bad guys or you potentially could be disrupting yourself if there's a problem.

Speaker 2:

Okay, so role-based access we're talking about access controls is the next level down from perimeter security. Role-based access controls they assign permissions to users, to an individual users based on their specific job role within their company, and this ensures that they only have access to the data and functionality that they need to perform their specific duties. Now, that would be where they would have one individual is able to do I don't know they're able to pull out data for their EDI system, which deals with electronic file transfers. Another person is not allowed to do that, but they're allowed to have access to the HR system, and so it's based on their specific role and what they're allowed to do within the company. Data security is where it's a beyond.

Speaker 2:

The encryption piece of this, data security rolls into. The encryption obviously is a big factor where you've got data at rest, data in transit, data basically in use, so you have those different types of access that are within the encryption mechanisms. However, what you can also add is data loss prevention tools that will help limit or restrict the access to individuals gaining to that data itself that these tools are limiting that. One of the things can be done through emails, usb drives and other types of channels that can be put in place to limit those activities. I've seen it time and again where individuals, if they can't use a USB drive, they will then try to use Bluetooth or they will try to email it, which is the typical one they use, but they're trying to look for different ways to get the data out of their organization.

Speaker 2:

Another one is system hardening. This is where this involves security updates to fix vulnerabilities in the specific software. Now, this could be software of the application, it could be the hardware itself that you're trying to update, it could be the operating system software, many different factors that roll into it, but system hardening is an important factor within trying to create various levels of defense in depth. Now, one thing to think about with system hardening: it's not sexy, it's not something that people like to do a lot with. But when you're dealing with ransomware, as an example, that is a really good way to be able to. If you have these systems in place, that you have gone and you've changed the configurations of your environment, you've hardened some of these systems, now this ransomware does not, not in all cases, but does not have a foothold within your organization. There may be other things it tries to leverage, but if some of those pieces have been firmed up and you now don't have to worry about them as much, system hardening can go a long ways to protecting your company. Detection and response.

Speaker 2:

Now we talk about SIEM tools. Now these are security information and event management tools, otherwise known as SIEM. Now, SIEM tools can range in various forms. You can see them as ArcSight, there's Azure Sentinel, there's XSOAR from Palo Alto, there's numerous companies, Splunk. They all have a various SIEM capability. Now these are designed to have a centralized, or they call it a single pane of glass, as it relates to security tools, providing a centralized view of their security activity. This allows all this stuff to be aggregated into one location. Then from there, you can then set up a triage, like tier one, two or three, to be able to triage these different incidents as they come into your organization, and this deals with identifying, containing, eradicating and then recovering from various security incidents within your company. Now, do you have to have a SIEM for your company? No, you do not. You can outsource that to a third party. You also can get SIEMs that are much smaller in size and scope. They're not as large as what you would anticipate you would see in a large enterprise. So there's lots of different things that you can do when it comes to a SIEM.

Speaker 2:

So a big factor we get into is abstraction. Now the CISSP book talks about what is abstraction? How does this work? Well, abstraction hides the internal workings of a system from users, the applications, from exposing them to unnecessary or from necessary functionality. So it's basically hiding it off to keep it from people from seeing it, so that it abstracts, it, removes it from view. Now, this simplifies the interaction with your users and it reduces the risk of inadvertently causing potential security issues. Right?

Speaker 2:

So what it comes right down to is like a more simplistic version of this is if you think about your driving, your vehicle, you do not need to understand how the more complex aspects of your vehicle work. So, as an example, I have a truck and this truck has a diesel motor and this diesel motor has two fuel systems or two cooling systems, one for the transmission, one for the engine. If I didn't know that I wouldn't really care right, all I care about is the fact that the truck runs. Now, it's important to know these things if you're trying to maintain it. But in reality, you don't need to know the inner workings of your vehicle, you just need to know that it runs. So that's what part about abstraction is is removing that from people's view, so they don't need to worry about it.

Speaker 2:

Now, some of the protection mechanisms that are available in this space is you have operating systems. Obviously, these operating systems operate with limited privileges to restrict your users from modifying critical systems or critical data that's on this system, right? An example of that would be RAM. Right? You have RAM that's available and the system does all of this for you so that you don't physically have to be modifying it. So virtual memory, all of those pieces are operating within the operating system, abstracted from your view. Networking is another example where TCP/IP will hide the underlying network technology and it will then do the internal routing for applications, allowing them to communicate without detailed knowledge of what your overall network infrastructure looks like. That being said, if you are in security, you need to understand the networking concepts around this and why they are important, but you may not have to know, especially as a user, how all of this works within your company. Databases: these are views, virtual tables that expose a subset of data from the underlying database tables, restricting users from accessing all database type elements. So, again, you have the database in place. You don't need people going in and knowing all the different fields that are tied to that database, all the records that are tied to that database. You just want them to be able to access that database and therefore, that information is abstracted from your view.

Speaker 2:

Another one is APIs. APIs work really great and they're awesome for your organization. One thing to think about as it relates to APIs, though, is they are probably one of the most potentially abused pieces of technology within your company, and those are areas where we talk about configuring and knowing how they work. You, as a security professional, need to understand how the APIs connect into your environment, how they leave from your environment, but how they would potentially connect as an individual user, that would be abstracted away. How does an API work? Does it go into a gateway? The data comes in, is it authenticated? Those are the pieces that you want to abstract away from the user so that they don't have to dig into it and understand it.

Speaker 2:

Now, one thing I've seen this be a little bit problematic is when you have a citizen-type developer creating APIs of their own. That can then create some potential challenges for you. But again, it's important for you to understand these concepts for the CISSP one, so that when you implement them within your organization, you understand the concept, and two, also to help you pass the test the first time. Oh, speaking of which, I had one individual just pinged me just recently that I've been listening to the podcast for a while and the podcast and the blueprint have been extremely helpful to him, and he was able to get past the CISSP the first time. So sorry, I get these on a daily basis, but it just came to my mind when he made that comment. In my email he says he passed the first time, so he did that. Anyway, sorry to digress, all right.

Speaker 2:

So data hiding, what exactly is that? So this is where it conceals the existence or the contents of the data within the system, so you're hiding it, you're moving it away so that people cannot even see it as it relates to sensitive information, and it's designed to protect that sensitive information or prevent unauthorized access to this information as well, because, again, if it's found, it could be a huge factor, right. Now, one of the things that would help that is you get individuals who will try to hide data within pictures, as an example, and this is what they call steganography. This is where you're embedding data within another file. Pictures is an example. It's happened with that. I've seen that personally, where you'll get a file, a picture that should, let's say, be like two meg in size and for some reason it's 35 meg. That doesn't make a whole lot of sense. Or if it should be two meg and that picture is always two meg and now it is 2.8 meg. Now that would be one that would be really hard to find, but it is possible and I've seen people do it. And again, they're hiding data within another file itself. There's access controls. Again, those are, you wanna have these in place to help limit what people have access to, such as read, write and execute. Those are access controls you'll typically see within a firewall, but that doesn't mean they can't be used in applications as well, and all it is is just allowing what people have the ability to read, what people have the ability to write, and also to execute any sort of program that they may have.

Speaker 2:

And then our last one is obfuscation. Again, this is where you alter the data representation to make it harder to understand without the appropriate key or decryption method. Now, this could be tokenization, which will replace, such as credit card numbers, as an example. You'll get systems that will, instead of, let's say, you process a lot of sensitive data, such as credit card numbers or social security numbers, they will use a tokenization or anonymization type technology which will then replace that credit card number. So, let's say, credit card one through nine, and it will replace it with XYZ 345678. But there is the underlying technology behind the scenes that will know that XYZ 73578, whatever that number was I said, is credit card number one through nine, and that is obfuscation. Right, that's a tokenization that will help hide that information, and it then obfuscates it from people's field of view.

Speaker 2:

Another area is encryption. Now, encryption, we talk about this, the different types of encryption. I'm not gonna get into that detail because that's not really for this podcast right now, at this moment, but there's different types of encryption that are available to you. You have symmetric and asymmetric encryption. Now, each of those will be determined by different aspects around what you're trying to do as it relates to protecting the document and the data itself, but understand that each of those has the ability to add another layer of protection against people trying to gain access to it. So, between the fact of that, I know I have a laptop and this laptop is encrypted with BitLocker, and if I now lose my laptop or it is stolen, I now have the ability to, one, potentially, depending on the software that's in place, remote wipe it. Two, I know that it's encrypted, so them being able to get access to it is extremely limited, and so, therefore, all of those different types of protection mechanisms can be a layering-on feature, an additional concept. Okay, so let's just kind of roll this back a little bit and recap what we talked about here.

Speaker 2:

Defense in depth is an important part of what we do, and, as a security professional, you need to always be thinking about how do I ensure that I protect this data in a way that allows the defense in depth aspects to be maintained. So, like we talked about, do you have the ability of encrypting the data? Do you have the ability of adding other protections such as IPS or IDS? Do you have the ability to put in role-based access controls? All of those things have to be layered on top of that, and then you have the abstraction piece.

Speaker 2:

Are you hiding the system's complexity and the functionality for user simplicity and for security? Are there ways that you can abstract this information from the user? Does the user need to have the ability to modify, have administrative rights to be able to modify things within that system? If you can remove that or abstract that from their field of view, then you now potentially reduce some of your risk as well. Do you have data hiding, where you're concealing data in its existence to prevent unauthorized access? Do they need to know that that data even exists? And then, do you have encryption in place to ensure confidentiality, both that they can gain access, but then also that unauthorized users cannot gain access to this data? So again, it's a really important dance you're going to be doing, but understanding how you do that isn't a big factor in this overall concept. So the thing you need to consider when you're dealing with all of these implementations and these big three things come back time and time again Complexity.

Speaker 2:

You need to ensure that you have a complex system in place. Each mechanism adds complexity to it, so therefore they can cause you, one, a lot more concern: if they break, then potentially what could they release to the user? As an example, we used to hit servers from the external side, and if you sent a certain command to a server, it would give back an error, like a 404 error, but a little bit different, a 505 error. I can't remember the 505 error, but it gives you a specific error. And that error will then tell you what kind of server it is, what patch is running on it currently. It'll give you information. So the more complex you make these systems, what ends up happening is it does potentially have the ability to cause you problems in the future. And again, you've got to find the right balance between security and manageability, because the more complex you make products or systems, the better chance, one, it's going to break, but at the same time, you have to make it complex enough so that it's just not open to everybody.

Speaker 2:

Another thing we talk about a lot in security is the performance aspects. So every time you add security to a system, it's going to cause some level of performance hit. I'm working on a project right now that deals with decryption. One of the points that's come up is how much of a performance hit is that going to have on the company that is trying to implement this? And so anytime you add any level of security, it's going to have some level of performance challenges that you're going to have to run through. Usability: again, the user experience is very important, and overcomplicating this with complex security challenges can make it very challenging for the individual, and because of that, they will look for ways to try to get around your security controls, which we don't want them to do, right? We want to avoid that at all costs. We want to make it as secure as we possibly can, but at the same time, allow the user to be able to do their daily job, because if you make it too painful, then you get fired, because they find somebody better that will allow them to do that. It's a vicious cycle, I know it is. Okay.

Speaker 2:

One area we wanna get into is a thing called secure defaults, and this is in 3.1.3. This is an area that the CISSP book talks about. So we're just gonna kind of pull on this a little bit and dig into it just a little bit deeper, go just a few more minutes into this. So what it does is it helps align around the security of the systems, but it has a secure default in place. What exactly does that mean? Well, it basically sets up the example of an apartment, or a flat, that you live in. By default, the doors are equipped with deadbolts and security chains, which basically means the chain you put over the door. That is the default setup for the home. It could be an apartment or a flat; whatever it is, they have locks on the doors. They don't come without locks. They have a lock. Well, that is a default security mechanism that is in place. Well, when you're implementing this, you want to ensure that.

Speaker 2:

How do you set up secure defaults within your organization? The reason I say this is because most people will bring in software, especially in the past. You'd bring in software and you'd unpackage it, right, like a YouTube video. You'd pull back the cellophane, unpackage it and say, hey, look what I have. But instead you do that and you start running it. The problem is, in many cases, this software is not set up to be secure from the beginning. It's set up in an open mode. Why? Because they know that people are going to take it out of the box, their shiny new toy, and they're going to want to run it. And when they run it, they don't want things to break. So you, as a security professional, need to help your teams understand how to set up, basically, a default security mechanism the moment that it comes out of the box. Now it may not be that you get it from Microsoft and right away it's secure. But your security team should then tweak it and modify it so that now, as it gets deployed to the individuals within your organization, it is securely configured the way it's supposed to be, out of the box as far as they are concerned.

Speaker 2:

And so what are some things you can do, real quickly? We're going to get into strong passwords, right. That can be something that can be set up as a configuration, as a default, having it set up where you can't allow, like, an eight-character password or less with just ones and zeros. Disabling unnecessary services, right. Setting up automatic security updates. These are examples of secure defaults. Now, applications again. You might have file sharing options that are automatically configured within the application. You may want to turn those off. You may want to turn on encryption. Maybe the application has it, but they didn't configure it that way when it came home to you. When you got it as a nice little present under your Christmas tree, it didn't have encryption. So now you turn encryption on. Again, you want to test all these aspects, because typically when you don't test them, they break things, and even when you do test them, they break things. But you'll want to test these different applications within your organization.

Speaker 2:

Network devices again: some come pre-configured with deny-all rules by default. Well, okay, that would be bad, right? That would cause all kinds of challenges. But this would only allow authorized traffic. Well, you may have to make some changes so that it has a look beyond basically deny all. So, just things you're going to have to work through. And then ensure your security tools are in place, with your SIEM and your IDS and IPS. Again, they're pre-configured with basic security rules. You will have to go in and tweak them to make them set up as a default to be configured for security. So what are some of the challenges when it comes to this?

Speaker 2:

Vendor flexibility. Again, vendors sometimes do not offer a lot of flexibility in this area, and the reason is because they don't want support calls. They want to be able to give you your shiny little toy; you then go play with your toy and everybody's happy. The moment that they allow you to make changes to it, that leads to higher support calls that they're going to have to field to understand what's going on. So just keep that in mind.

Speaker 2:

Usability concerns. So when you set this up, it takes special people to be able to configure these systems, right, and to make changes to them. Well, you may not have the right people to help you with that, so it may be something that you have to outsource to a contractor to help you. So you have to understand the balance between usability and security. But another piece around usability is the individual users themselves. Do they have the ability to actually access the system without it causing them lots of drama? So usability concerns are another challenge.

Speaker 2:

And then legacy systems. Implementing secure defaults on older systems can be extremely difficult, if not near impossible, because they just can't do it. I've worked on systems from back in the 70s and early 80s, and you know what? They don't have defaults that you can really change. The passwords are six characters, if they even have a password. So it's understanding that legacy systems can be a challenge in this space. So what are some best practices? Let's finish this up and tie it all up and put a bow on it.

Speaker 2:

You want to document your secure defaults. So you want to specifically define what the secure defaults are that you have set in place. One thing to consider is minimum security expectations, or minimum security standards. If you set that for your organization and then you document it, that gives people something to come back to, to understand, okay, this is what the basic security product should look like. You should also regularly review and update the security best practices to ensure your defaults have been reviewed and updated.

Speaker 2:

Right, you want to go over that. It's like doing assessments. You want to have yearly assessments that are completed. You want to finalize that and then automate the configuration management. You want to leverage tools for configuration management to automate this process as much as possible. You do not want to be the person that is going out and manually hand-jamming each of these configuration changes within your organization. One, you're going to goof it up, and two, you don't have the time for that. So you want to have some way of automating this entire process to help you with your security in your company.

Speaker 2:

Okay, all right, so that is it we have for today and our podcast on domain 3.1.3 and 3.1.4. But I just want to let you know, go to CISSP Cyber Training. There's some great content out there. All the videos are out there as well. This video will be there and you can check it out. You want my blueprint? Sign up for that.

Speaker 2:

There's going to be some changes. I've been saying that, but it's been pretty busy lately. My wife's business has just been kicking my tail a little bit. But there will be some changes as it relates to my software and the trainings, not necessarily the software, but the training program itself, that's going to allow for greater access and more ability, because you know what, it's important that you all get the ability to learn your CISSP and to gain the access you need to be successful in your cybersecurity career. We need more people like you doing security. We do. We definitely do, so.

Speaker 2:

Something to keep in mind: I have great people that are sending me feedback. You can go to the contact at CISSP Cyber Training and send me any feedback that you have. I get lots of emails that come in from people that are interested in getting their CISSP, that have been in business or have been in the IT space for many years. It's important that, as you see that, like we talked about in the article today, as a CISO, you need to make sure you have a good plan in place for getting your security stuff and document it well. But you can do this. You really can, and there's no question in my mind that you can get all the goals you want for your CISSP. All right. So head on over to CISSP Cyber Training and check it out. Sign up for my 360 free questions. It's easy peasy, lemon squeezy. All right, have a great day and.

CISSP Cyber Training Podcast
Data Security Strategies and Tools
Data Security Abstraction Techniques
Implementing Secure Defaults
Feedback and Goal-Setting for CISSP