CISSP Cyber Training Podcast - CISSP Training Program
CCT 154: Security Assessments, Account Management, and Backup Verification (Domain 6.3.1-5)
Ever wondered how to fortify your organization against cyber threats? Join Sean Gerber as we uncover the essentials of Domain 6.3 of the CISSP exam, from security assessments to account management and backup verification. Learn about tools like Nessus and Qualys and the role of ethical hacking in identifying vulnerabilities. Discover the critical differences between authenticated and unauthenticated scanning, and how red teams elevate your security measures to the next level.
What sets SOC 1, SOC 2, and SOC 3 reports apart, and why do they matter? We break it all down, revealing how these reports demonstrate adherence to security standards. Understand the distinctions between Type 1 and Type 2 reports, with Type 1 focusing on control design and Type 2 evaluating operational effectiveness. Plus, we delve into the fundamentals of account management, emphasizing the importance of integrating with identity and access management programs and conducting routine audits for compliance and security.
Don't overlook the critical importance of backup data management and verification. Learn best practices for storing backups—whether on-site, off-site, or in the cloud—and ensure your restoration process is both reliable and efficient. We discuss how regular testing and cost-effective strategies enhance organizational resilience and highlight why training and awareness are crucial for both leadership and employees. Additionally, Sean introduces Reduce Cyber Risk, his consulting business, offering a range of cybersecurity services and valuable resources for those preparing for the CISSP exam.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
Ever wondered how to fortify your organization against cyber threats? Join Sean Gerber as we uncover the essentials of Domain 6.3 of the CISSP exam, from security assessments to account management and backup verification. Learn about tools like Nessus and Qualys and the role of ethical hacking in identifying vulnerabilities. Discover the critical differences between authenticated and unauthenticated scanning, and how red teams elevate your security measures to the next level.
What sets SOC 1, SOC 2, and SOC 3 reports apart, and why do they matter? We break it all down, revealing how these reports demonstrate adherence to security standards. Understand the distinctions between Type 1 and Type 2 reports, with Type 1 focusing on control design and Type 2 evaluating operational effectiveness. Plus, we delve into the fundamentals of account management, emphasizing the importance of integrating with identity and access management programs and conducting routine audits for compliance and security.
Don't overlook the critical importance of backup data management and verification. Learn best practices for storing backups—whether on-site, off-site, or in the cloud—and ensure your restoration process is both reliable and efficient. We discuss how regular testing and cost-effective strategies enhance organizational resilience and highlight why training and awareness are crucial for both leadership and employees. Additionally, Sean introduces Reduce Cyber Risk, his consulting business, offering a range of cybersecurity services and valuable resources for those preparing for the CISSP exam.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.
Speaker 2:Good morning everyone. This is Sean Gerber with CISSP Cyber Training. Hope you all are having a blessed day today. Today is we're going to be talking about domain six today of the CISSP exam, so we're going to get into various aspects around domain six, and in this episode of this podcast, we're going to be getting into security assessments, audits, type one and type two reports, account management, various different aspects around this, as well as backup verification and training awareness, so we're going to cover all kinds of different pieces related to domain 6.3 of the CISSP exam. So I hope you all are having a wonderful day and that you're able to get some good studying done for this coming week.
Speaker 2:If you go out to CISSP Cyber Training, the Blueprint will help you walk through this process and make it a much more seamless transition as far as especially if you're self-studying for the CISSP exam. One thing I have learned is there's plenty of information out there on the CISSP. I mean, honestly, there's tons of free content that will help you get the information you need. One thing to think about, though, is the fact that, with the CISSP, you really need to be following through and following through on all the information you need to gather, and the one thing I learned is that when I was just kind of, there was so much information it was overwhelming I didn't know what to do. The CISSP Blueprint will help you with that, just because it will walk you through step-by-step what is in the book and how to manage the information that you would see and be able to study for the test. So just keep that in mind. The CISSP Cyber Training Again, if you purchase any of the content at CISSP Cyber Training, it is going to charity, all that information. We've got a charity that we've stood up, my wife and I, and we are focused on specifically providing adoption services as far as additional funds for those families that are looking to adopt children. So all the funds that go into CISSP are going into a nonprofit. So positive there.
Speaker 2:So, all right, let's move into domain six, and 6.3 is collecting security process data. That is what the topic of it is, but we're going to be getting into those various aspects, like I just mentioned earlier, related to assessments, audits and so forth. So let's get started. So a security assessment Now we've talked over around the CISP in various different ways. There are security assessments that you will conduct Now if you haven't done a security assessment or, if you're I've got a lot of the audience for this podcast are folks that have some substantial amount of time in the IT space, but maybe they just don't really have a whole lot in the security space, and so the goal of this is to kind of help give you some experience, not necessarily obviously hands-on experience, but some experience on what you can expect and what are some of the questions they may be asking you for the CISSP exam.
Speaker 2:So the security test this is basically an organization will conduct some level of testing throughout their environment. Now it could be a vulnerability scan, and this vulnerability scan could be testing the specific weakness on servers. It could also be a security test that's focused on the people and processes piece. It really just kind of comes down to what is being evaluated, but the scale will identify vulnerabilities in the network, servers and the applications, and these can be done through Nessus Qualys. Different types of scanning tools can help with these various security tests.
Speaker 2:If you're dealing with an assessment or just a view of how you want your processes will be in place, you may use something else outside of those. Now you, the purpose of this is to identify weaknesses that could be specifically exploited by an attacker. So that's your security test. You're actually going out physically, going out trying to find are there holes within your environment and to potentially test them. Now one thing you'll want to run into is, if you are going to run any sort of tests against a specific server or system, you're going to want to make sure that it is set up.
Speaker 2:There's different types of scanning that can be done, but we've talked about in previous podcasts authenticated and unauthenticated scanning. In many cases, the unauthenticated scanning is just basically doing a quick zap over the top of the device that you're looking at and it may not provide you the level of information you need. You may actually have to utilize credentials to log into these systems so that you can actually see what is wrong with these systems as well. So keep that in mind. You may get the question asked about authenticated and unauthenticated scanning. Authenticated means you have credentials. Unauthenticated means you do not and, from a practical perspective, you may want to look at authenticated scanning within your environment. Now security assessments. This may be done in various different ways. It can be done from a firm, it could be done internally and you may want to do this done from a.
Speaker 2:I know some organizations have their own red teams that are specifically designed to do ethical hacking against their organization. Very large organizations will have a dedicated team to do this. A friend of mine works at General Electric. They've got one. I know many of the insurance companies have them, and the ultimate goal is that they are constantly banging on, looking for holes to help sure up their environment to hopefully avoid somebody from the outside being able to attack and gain access to their environment as well. So this is what they call the ethical hacking, or the white hat hacking is what's being done. I did this when I was in the military. We were specifically set up to do against military installations globally, from all types of weapon systems down to just basic web servers as well, and it can be done from an external team or an internal team.
Speaker 2:Both have different pros and cons with it. The internal team, obviously, will understand some of the different nuances within your organization. The external team will not know that. However, in most cases, an external attacker will not have that information either, and so, therefore, when you're using a red team on the inside, sometimes your results can be maybe skewed in a direction more towards favoring the organization, but they also know where, in many cases go to where the dead bodies are. So they have the ability to maybe drill deeper into areas or systems that the attacker may not even know exist, Rather than have them just stumble across them. They actually can do a really good, strong evaluation of those systems. So they use real-world attacks, vulnerabilities against known vulnerabilities, and the design is to assess the effectiveness of the controls. Now, again, they look at the overall security posture and identify any gaps, provide a report, and this report will be given to, most likely to senior leadership, giving them an idea of what is going on within their environment. So, again, the more comprehensive you can make these, the better off they will be.
Speaker 2:However, if you're using an external resource, the more comprehensive you make them, the more expensive they are, and you may or may not get what you're actually looking for. So you have to be. If you're an outside, if you're a company looking to bring in an outside entity to do a security assessment, if a technological security assessment, then you just want to make sure that you have your scope well-defined on what you're trying to accomplish, because if you leave your scope which basically means what they're allowed to do very broad, you may get a very broad report that may not meet your specific needs. However, if you narrow that report or that scope down, you also may miss things that you're looking for. So it's finding that sweet spot, which means you need to truly understand your network to ensure that you're providing the proper amount of information for them to be able to be successful.
Speaker 2:Now we'll talk about security audits. Now, sometimes you'll hear the term security assessment, security audits, using synonymously Personal experience. So, when it comes to an assessment, anything that I'm doing within my organization that is not reportable to a government entity or to some sort of regulatory body, I consider what we call an assessment, and that is even if I'm dealing with technological assessments or I'm dealing with a paperwork assessment. This could be just the fact that I have somebody going through looking at the various controls. A test is what I'm actually physically trying to look for and find out what are some of the different types of effects that could go against that system. But when it comes to an audit, in most cases and again this is personal, you'll have to work through this, but in most cases, an audit, I'm actually providing a piece of paper to somebody to understand how my organization is doing. This may be a required audit. It may be something that is done by the government. It also could be done by a third party that's requiring something of me and therefore it is an audit. It's an external third party giving me some sort of data around this.
Speaker 2:Now we're going to break this down into three sections. You have an internal, external and third party audits. An internal audit is basically your audit team that reviews the controls of your systems. Now, in many cases this is a financial type system. They will review those security controls that are in place and they're verifying that only authorized people have the ability to modify financial records, do submissions for payments, etc. And that is an internal audit. Now it can be part of your overall security team, so I could have a team that has a group of people and they do internal audits of my organization.
Speaker 2:That is one way of doing it. Ideally, you would have somebody within your organization that is not within IT do an internal audit, or at least you have a specific audit team that is doing that audit for you. That's an internal audit. So, again, it's a little squishy. You have to kind of figure out what you're trying to accomplish with it. But an internal audit is somebody within your company, potentially within your organization, that is doing audits of your systems. Again, the assessment is that they're looking for various controls, they're trying to figure out what can they do to make some different changes to it. An audit to me is a more formalized process in which the response and the output is provided to senior leadership in a formal report and is kept on file as a formal report. Again, you're going to have to read the questions really closely when it comes to assessments and audits, even in the CISSP, because they're going to ask you very specific questions around those and you need to understand the context of the overall question to see what they're trying to get at. External audits these are done by an external auditor who examines the e-commerce platform payment processing system. They look whether it complies with payment card industry standards, which is one of the standards out there is PCI DSS and so they're going to provide that kind of level of understanding. Now, this will. Then the purpose of this is to provide assurance to stakeholders, ie your investors, customers and so forth, that the controls are effective and in place.
Speaker 2:Depending upon your company, you most likely will have a yearly external audit. When I worked as a CISO, I had external audits from the big three and these different auditing firms. You have your Deloitte and Touche, you have your, there's another one. I forgot them all since I've been away for the past three months, but the bottom line is you have Ernst, young and so forth. They will come in and do an audit of you and make sure that whatever's there. They will then provide the feedback to the senior leadership and to the financial reporting people.
Speaker 2:This is an external audit of somebody on the outside, and so they're very important. They are also very much required in most cases, especially for the type of size of your organization and if there are requirements based on the government, the third-party audits. These are basically a situation where you will get audited by an entity an outside entity because you are operating as a third party for another company. I had these happen to me numerous times where we, because we provided services to one company, that company was being had an outside auditor come in and want to audit us to make sure our controls are effective to protect that company, and I hope that makes sense. But I'll give you an example. A cloud service provider will undergo an audit by a customer's security team. We used to do this routinely, where we would then audit the cloud security team to make sure they had in place what we wanted them to have in place. The customer will want to verify that the provider meets the contractual and security requirements specifically for that situation and again, the ultimate goal is to assess the security practices of the business partner.
Speaker 2:So the next topic is going to be SOC audits. Now, these are what they call a service organization control audit or SOC one, through three type engagements and so these various engagements, these are designed to provide information to, basically, auditors. So, for SOC one engagement, this will give you an example of what this is. This is designed to provide some level of assurance to the clients and the regulators that you have something in place as it relates to protecting the cost of the financial systems of that organization. So, as I got, an example of a SOC 1 engagement would be a data center hosting financial data will undergo this SOC 1 audit, and we've done these various audits of data centers, and if you have a data center outside of your own control, you may want to make sure and double check what kind of audits they have in place. If they have a SOC 1 audit. What it does is it basically assesses the controls related to financial reporting. But if you look at those let's say you have no financial data in that data center looking at their SOC 1 report will also tell you how they're protecting your data. If they have to protect the financial data of an organization, it's usually at a higher level. So therefore they're going to do that. You'll be able to see from that report did they pass? And if they did, then that may give you some level of assurance that your data in that data center is going to be properly protected.
Speaker 2:A SOC 2 engagement will require a different type of report and this covers the security availability process, integrity, confidentiality and the privacy. So the ultimate goal there is you're getting into the five trust services criteria. That is an area that they will focus on with the SOC 2 report and it does demonstrate the adherence to security and privacy standards. So SOC 1 is assurance Are you doing it? Soc 2 is are you actually adherence to security and privacy standards? So SOC 1 is assurance are you doing it? Soc 2 is are you actually adhering to what you say you're doing? And then the SOC 3 engagement is you'll to get this report? This is something shared publicly and it summarizes the results of the SOC 2 without revealing the sensitive data. So it's basically saying if I was going to get a report, I would get a SOC 2 report. Now, if I want to see as a third party, I want to see somebody else's SOC 2 report. That's where the SOC 3 engagement comes in and that's where something they can actually share publicly, saying that, okay, we did pass our SOC 2, and therefore we passed it. This is what are the findings. However, it's been sanitized to the point where there's not sensitive data inside the SOC 2 report that you see. So that's your SOC 3 type engagement.
Speaker 2:But the ultimate goal is to build trust with your customers related to your security audits. So again, you have a SOC 1, a SOC 2, and a SOC 3. The main focuses that you'll get done within your organization is a SOC 1 and SOC 2. And the SOC again stands for Service Organization Control and then Audit a SOC S-O-C. So that's the overall SOC piece of this. Now we have Type 1 and Type 2 reports.
Speaker 2:A Type 1 report basically is more of a documentation process. It evaluates the design effectiveness of your controls. It also is a focus that conforms or looks at what has been done on your organization as of a specific date. So you're looking for the design effectiveness. You have documentation as the date that it was occurred and the goal is to assess whether the controls are appropriately created and designed for your organization. So someone comes in, they go and look at a type one that it was occurred and the goal is to assess whether the controls are appropriately created and designed for your organization. So if someone comes in, they go and look at a type one. They want to make sure that I had adequate controls for my identity and access management. I had substantial controls. What are the correct controls in place for my financial data, for my PHI type data? These are the types of reports that would be there.
Speaker 2:So an example would be you have a cloud service provider undergoing a type one audit. This would verify that the security controls obviously are properly designed and implemented. Are they there, are they in place? Do they make sense? That would be a type one report. It also, if you're looking at cost wise, the type one would be the least by the most inexpensive or the least expensive option of the two, because it's more of a paperwork drill making sure that you have actually properly designed and implemented the controls.
Speaker 2:Type two reports, though, are designed basically to do an evaluation of the operating effectiveness of your overall security program. So keep this in mind Type one design effectiveness. Type two operating effectiveness. So type one is you're just doing a paperwork drill. Type two, you're actually going out and trying to determine if it has been effective in what they have in place. It covers controls placed on the operations, including tests. Their effectiveness over a period of time demonstrate that the controls are not only designed well but consistently effective, and that means that they are in a good place, they've been tested, people understand them and they have a whole process defined, designed and substantiating those overall controls.
Speaker 2:So an example would be is that a data center is hosting financial systems? A type one audit obviously would look at the overall effectiveness, but a type two would assess the controls related to the accuracy, transaction processing and other aspects over a period of potentially several months. So your type one paperwork drill. Type two, actually operational effectiveness. Does it work? Like you anticipate? It will, okay. So now we're gonna get into account management.
Speaker 2:What's a key piece around this? So users must retain. When you're talking about accounts, you have to look at different aspects related to this. One is are the users retaining only the required accounts they're supposed to have? So you, as a security professional, need to make sure that that is one of the things in place that's happening. If you have security and audit happening, are you complying with that? Are you meeting with regulators? Are you meeting with audit professionals? I had routine meetings with the audit security folks, telling them where we're at from a security posture and where our organization is at. They would audit me, they would audit my controls, they would audit my controls, they would audit my paperwork. All of those things were done on a routine basis.
Speaker 2:Another aspect you need to think about is when you have account management, managing them correctly is that you have this in place for your high access accounts or your high entitlement accounts. The term used to be credentials, but now it's more entitlements. Do individuals have entitlements that are beyond what their scopes or their jobs are? Do they have high entitlements for their organization and if so, then are there proper controls in place for that as well? You also want to have from an account management standpoint do you have this all integrated with your identity and access management program? Have you created a process around auditing accounts. This is something to think about when account management goes. Are your users with elevated credentials or entitlements being routinely automated? Do you have an integration with terminated users? Do you have a random set of accounts?
Speaker 2:I would say if you're a large company, you may have random accounts that have been created and do you need those accounts from service accounts to different types of account, user accounts to just basic device accounts that are available do you need all of those? I would do a routine assessment of your company and do that now. You may have external auditors looking at your company, but I would do an assessment. This is at your company, but I would do an assessment. This is the term assessment or audit. I would do an internal assessment of my overall posture with my security accounts. You could call it an internal audit. In many cases I didn't provide normal or formal reports because of those internal assessments. I was just assessing my controls. But if I had to provide an external report to my senior leaders, I would then call in an audit. So you just need to kind of determine what you want to go down this path. The audit to me is a very strict guidelines of what I'm trying to accomplish and then the outgoing report for that. That would be an audit. Again.
Speaker 2:You want to decide when were your accounts, how do you want to handle that, develop a test prior to deletion? You want to also have a setup where, if you feel you have a bunch of accounts you want to delete, how are you going to manage those long-term? And then do you have a process in place to delete them? Do you have a process to test them to make sure they don't break things before you delete them? I'll give you an example.
Speaker 2:I had a whole bunch of accounts that I cleaned up and before and they were like maybe 600 different accounts that had just been going on for years and years and years. So what we did was is, rather than just delete all these accounts and then hope and pray nothing bad happens, we went through a series of phases and I would delete four to ten accounts, depending upon their severity, at a time, and then I would wait to see what's broken Again. That's when I didn't have owners, I didn't have a lot of things, that knowledge around what those accounts were good for. That's what I would do. And then, after that period of time has passed, I would delete another bunch of accounts and then that time has passed, I would delete another bunch of accounts. The goal, then, is just so that, as you delete all these different accounts, you at least have a plan to back that out. To go, wait a minute, okay, this deleted something I shouldn't have deleted. Roll it back. We need to fix that. So those are areas you're going to need to have a plan related to account management.
Speaker 2:Now, management review and approval. What does that entail? So you're going to want to have any sort of approval prior to doing any scanning or testing within your environment. So if you're going to be doing a test and you're going to be looking at what is available or what kind of issues you may have with all these different systems, you want to make sure there's some sort of prior approval before doing it. Now you may have a standing approval setting within your organization where you have the approval to do it once a month. That's great, but you need to make sure you get some level of approval before you do any of this.
Speaker 2:You need to document your scope and your expectations before starting, because scanning can disrupt operations in your environment. You need to document your scope and your expectations before starting, because scanning can disrupt operations in your environment. You need to ensure all parties understand these expectations and you need to de-conflict as much as you possibly can, depending on the test, with what you're trying to do with your business. So if you have a business that you know is very sensitive to their systems, their technical systems, you need to make sure that you have coordinated with them to ensure that they know that this test is going to happen, that it doesn't impact them on a daily basis. You need to ensure compliance and legal are informed. They need to have a significant.
Speaker 2:This could have repercussions on what they're doing, depending upon what you're scanning, and what you'll learn is what systems that you're scanning may or may not be important to your compliance and legal teams. It could be very benign and you go but I always communicate with them of saying this is what I'm scanning, these are the systems I'm scanning. Do you see any issues with me doing this? And again, it's important to do this. The reason I say that is because I scanned, when I was in the military, an IP space that accidentally belonged to the Japanese government and we scanned them. And when you're dealing with legal, if you scan an external set of IP address that's not within your company, it could be considered a network attack on that entity. And therefore, now I just created an attack against the Japanese government. Now that can have very large repercussions against an organization. And so, again, the military. That can have very large repercussions against an organization. And so, again, the military. That was bad. Right, that's like active war kind of thing. Supposedly not really, but it could. If things went bad, really bad, you could have a situation. So therefore, when you are scanning external IP addresses, you need to double check and make sure you have the correct IP addresses and that legal and compliance is aligned and involved with what you're trying to accomplish.
Speaker 2:Now we're going to roll into key performance and risk indicators. So, as you are providing these various things to your leadership, you need to give them some sort of metrics, and these metrics are KPIs they call them key performance indicators and or risk indicators as well. Now these metrics can be created for leadership such as your CISO, your CIO, cto and potentially, depending on your organization, maybe even your CEO. It could be given to your board. Many boards are requiring this level of engagement with their senior leaders. But it would talk about vulnerabilities, time to resolve older, outdated systems again, unapproved sites, all these types of things.
Speaker 2:Now, if you're passing this onto your board CIO, cto the CTO maybe not so much, but the CIO if you give them all these different things about this vulnerability and this site, their eyes are going to roll over in the back of their head and they're going to go enough time out. You want to be a senior leader. You're going to have to provide this information to them in a way that's digestible and understandable by your senior leaders, not just a bunch of numbers that you're throwing at them. You want to make sure that you provide them the key information what is the risk to their company, what are some of the key things that you've discovered and what are you doing to mitigate them? That is the key things you need to bring forward to your senior leaders, not just all these bits and pieces of data. So it's important to remember that, if you really want to have a career in security and you have aspirations to do, whatever that may be, you want to make sure that you are honing your skills and ensuring that you are on top of this and the fact that you've provided them the information they need to make adequate decisions, or they may want to just look to you and see what decisions are you going to make to fix these problems. You can create dashboards based on metrics, but what I would recommend is you start simple and you start small. Less is more. I highly recommend that you go less on this, because you're going to have so much data coming at you. It's overwhelming the amount of data. But start in a small subset of what you're trying to accomplish and work from there Again. Only put out what information is pertinent to them to help them make the proper decisions to protect or to give you the funding you need to protect the organization.
Speaker 2:Now we're at another topic around this section in 6.3 is the backup verification data. So these are key aspects around backup verification. I'm not sure why this was in here, because you would typically talk about this in backups as well. But one thing to think about with backup verification is that you want to make sure that you have consistent backup and recovery for your various logs that are out there. So you have backups for your data, but you also need to have backups and recoveries set up specifically for all your log data. Why, well, if somebody comes in and deletes your logs. You don't know what you really happened to it. So did someone inject malware into your backups? You don't know. So you need to protect your logs of your backups as much as you do protect your actual backups themselves. So you need to make sure you have that in place Now. Typically, your backup verification will be from 30, 60, 90 days or more.
Speaker 2:Is what you're looking at for your backup data. I know the Chinese cyber law at this time, the past few months the last time I looked at it was around six months you need to have backups in place. Well, when you're dealing with backup verification, you're looking at as that backup is occurring. Is that data being verified? Is it something that is you know has not been compromised from malicious software? Is it specifically being stored in this cloud? Is it protected? And you need to go through that process. You need to make sure whatever backup provider you have does a level of integrity checks against this data before it is uploaded.
Speaker 2:Backup storage again you want to look at where do you keep it? Is it on-site, is it off-site? Is it cloud? Is it in your cloud? Is it in a third party's cloud? Which cloud is it in? Is it in. I don't know, is it some guy's back of his car? I mean, who knows, in today's world he may have a roving data storage location, data backup storage location. I don't know. People do all kinds of crazy things. It's the other thing you'll learn in security is people do stuff that is like, really, why'd you think of that? But they had some crazy idea when they're in the shower and they thought, hey, this is a great idea, let's do that. Yeah, I've done those. Two hooked up stuff that I should have never hooked up and I'm like, why did I do that? I thought it was a good idea at the time, but it wasn't a good idea at all.
Speaker 2:Then you also want to look at how do you process to restore from backups. You need to build that process out. It's easy to put backup data into the cloud, but what's really hard is pulling it back down and restoring for it. Many times you'll think, well, hey, I'm putting it into long-term storage, I can get it when I need it and I can re-institute my images. That sounds great, until you try to do it, and then it takes days and you want to test that because it's not as simple a process as, hey, I just mash a button and it pops back up within an hour. I'm good. They can take up to two, three, four days to get some of these backups in place, depending upon the size of them.
Speaker 2:And then you have data verification. Whereas you're downloading this data, you need to make sure that it downloads it to a point where it's actually recoverable. So you need to test this. You do not need to wait on your crisis to go let's go get our data and try it. You need to be testing this on a routine basis, and this comes down to the overall continuity or business continuation of your organization. You need to make your organization resilient. You have to focus on how do you create a resilient organization for long-term capabilities? You have to do it. So one thing you'll take away from all this training build resiliency into your organization, but build it to a point where it is profitable, not just to build it for the sake of building it. You need to make sure it's actually profitable because your company is trying to make money and if they're spending all their money on IT, they're not as profitable as they could be. So your senior leaders will appreciate that.
Speaker 2:Last thing is training and awareness. You need to provide training to your leadership on the processes and how the reports will go. You need to provide training for your employees Now as it relates to the overall leadership. You need to have a way to explain the findings and the remediation steps. Like I mentioned earlier, keep it simple, stupid. Do not make this over complicated. Give them the basics of what they need, how they can make decisions, what you want from them, and then move on. Do not try to overwhelm them with your increased intellect and your large gray matter in your top of your cranium. Do not try to do that. You may look smart to yourself, but you'll look like the cybersecurity geek and they will not give you a seat at the table. I'm just talking from experience. If you want a seat at the table, you need to be a professional. Get to the point, ask what you need and have them help you make a decision. That's what you need to do In and out. Nobody gets hurt. That's the ultimate point. Now you explain the findings and remediation steps. You get that in place. You also provide training and development to your staff as well, and one example around this would be as you get into, let's say, the development life cycle.
Speaker 2:We talk about sprints and labs and staging and production. Okay, when you start talking these big terms to, especially for anybody outside of your ecosystem, outside of your little bubble, then these words are absolutely. They don't mean anything or they may mean something completely different than what you are trying to intend. An example is sprint. I've got a guy doing a sprint to the 100. I've got a guy that is doing sprint is the telecommunications company, a lab? A lab is someplace where you do R&D. Again, all of these different things mean different topics to different people, depending upon the context of the conversation.
Speaker 2:So you need to make sure that you create an environment where you are explaining exactly what's going on in levels and I say this at the third grade level. My old boss, he was a great guy, super nice guy, but he always gave me he kind of chewed on me a little bit. When he says you say you're communicating at the third grade level, you're kind of demeaning yourself. I'm like no, that's not the point of it. The point of it is is that I try to bring this conversation down to the third grade level because at the third grade, if you go to that level, so that's like an eight-year-old, 10-year-old person. If you can explain it to an eight to 10-year-old, then most people understand those conversations. The moment you try to get into high school, then different levels of understanding occur, like lab Lab for development versus lab for infectious diseases are two different things and therefore it gets very convoluted and very confusing.
Speaker 2:You need to make sure you have initial and foundational training for your employees. This would be phishing testing. This would be foundational testing around what is malware, what is ransomware? Explain those options to them. You need to have reoccurring training and awareness training throughout the entire year, depending upon your organization and the opportunity costs by doing this training over and over and over again. You may do one time, you may do once a quarter, you may do once a month. It just depends on what your organization is willing to accept and what you're trying to mitigate from a risk standpoint. I've had my organization say I don't want any more training than once a year, but then when people get fished, I'd have people tap me on the shoulder going we need to fire them. I'm like you're giving it to them once a month and they're still being a bonehead yeah, then that's a different conversation. And then you need to conduct various simulations or exercises to hone these skills, ie instant response, phishing, et cetera, et cetera, et cetera. Again, these are all different areas that you can get into and the ultimate goal is to help you with training and awareness. Okay, that is all I have for this podcast.
Speaker 2:Head on over to CISSP Cyber Training to help you with your CISSP Blueprint is there, it's available for you. Again, everything that's on CISSP Training is going to a nonprofit. I am not taking money from this. It's all going to get passed on to them to help with adopted families. The other thing is head on over to ReduceCyberRiskcom with adopted families. The other thing is is head on over to ReduceCyberRiskcom.
Speaker 2:Okay, I just started up my consulting business and at Reduce Cyber Risk, I can provide security assessments, testing, we can provide architectural support. All of these different aspects virtual CISO, fractional CISO All of those things are available to you at ReduceCyberRiskcom and there'll be more coming on Reduce Cyber Risk I'm just trying to work through my timing and when I can get that done. But head on over to reduce cyber risk for anything that I can do to help you as it relates to IT security related things. And again, see ISP cyber training. If you're working on your CIS, sp and you want to have the blueprint, go there again. All proceeds are going to my nonprofit. All right, have a great, wonderful day and we will catch you guys on the flip side, see you.