Video Activity

The CISSP Mindset: Part 2

Video Transcript

We've looked at the first half of the CISSP Mindset, so I want to take you through the second half of suggestions that I have for you. Picking up with the mindset, I want to start off with this idea of think 'End Game." That's an important idea that a lot of people miss when you're testing. Again, I ask a question and a lot of the answers look good, but what you've got to think about is which answer takes you all the way through to the point where you've satisfied your objectives. For instance, if I were to say, why do we train people and give you maybe answer A, to raise security awareness and then B, to modify behavior. I think most people would go with raising security awareness.

But the problem with that answer is that security awareness isn't what I'm audited based on.  I'm not liable based on what I know. I'm accountable for what I do. Training without modifying behavior really doesn't satisfy any objectives. If I'm going to train you and everybody goes back to doing things the old way, that wasn't a very good training. Really when it gets to it, the reason that we train is to modify behavior ultimately. You want to think this and that can go back to what we talked about in part 1. Why do we classify data? Well, the answers I had given you were to indicate harm if compromised, to indicate harm if not available, to indicate value. None of those are end game. Indicating something's valuable actually makes it more vulnerable. If I've got a wallet and say, I've got $500 cash in here and I set that wallet on my desk and I walk out of the room, that wallet is very desirable to an attacker now because I've labeled it. Labeling data's top secret, if that's where I stop, doesn't accomplish any security benefit.

But labeling it top secret, because top secret items get protected a certain way. That's what really satisfies what we're looking for. You've got to play that out all the way. You will have multiple questions where the answer seem very comparable. But one is end game, choose that. Security transcends technology. This has been a phrase or a catchphrase of ISC square for a long time, security transcends technology. What that means is technology comes and goes and it always will. There will always be a newer, bigger, faster, louder device to do something. But security principles have to be the basis for what you do. Otherwise, all the technology in the world won't help you. When we talk about security mindset, we think about isolating resources. Keep your trusted resources away from untrusted entities.  Isolation.

We think about principles like principle of least privileged need to know. We think about separation of duties. We think about the ideas of protection, making people identify and authenticate to access resources. It doesn't matter how much money you've spent on a firewall. If you don't have those inherent elements in place that just provide the foundations for security, then, like I said before, all the technology you put on top isn't going to matter.  Focus first on security principles, then add the technology and we'll talk about that actually a little bit as we move into Chapter 1. Next bullet point. Physical safety is always the first choice. Yes, it is. What that means is, anytime you've got a question and one of the answers would protect human life above the others, that's going to be the first choice you always make.

Now I know that feels weird when we're talking about a cybersecurity class. But there might be some questions like a surrounding physical security. For instance, maybe you've been tasked with choosing the type of electronic doors for your facility and because what you protect is confidential, you're considering having the doors feel secure, which would mean of course, that in the event of a power failure, the doors are locked. Well, that's going to influence human life. That's going to make it difficult to evacuate. That's never going to be the right choice on this exam. You will never have anything on this exam where the data is valued higher than human life. I know in the real-world there may actually be some exceptions to that, but not on this test. Always choose to protect your people first. Next point, technical questions are for managers, management questions are for technicians.

Most managers, many managers have had experience in the field. For instance, I came up through the ranks like I talked about is a hardware technician, the network person and project manager and so on. But I have to tell you I haven't been pulling cable in years. They're not in a get down to the elements of how do you lire a crossover cable. That's way too technical for somebody that's a manager that makes security decisions. If you're a technical person and you're looking for the really technical answer, backup.

This is not a technical exam and I know a lot of people think it is, but it's actually a management exam with the technical focus. Don't be too technical with your answers. No correct answer is going to have you going in and using regetic and making changes to the registry or, writing your own batch file. That's just not what this test is about. Technical questions, those are the ones that are going to be worded in such way that it's there for managers. Now the flip side of that is true as well. You don't need an MBA, and you don't need business theory in order to do well on this exam either.  It's right there in the middle. It's knowing the business the way a technician should and knowing the tech the way a manager should.

As long as you stay right there in the middle, you're going to be fine. Last two points go together. Incorporate security into the design as opposed to adding it on later. The reason we have the degree of security breaches that we do is that security is often an afterthought. We focus on the functional requirements of a product. Then afterwards we ask ourselves, is it secure? Instead of saying, does it work and then is it secure, what we need to be asking is, does it work securely or it doesn't work? That's an entirely different mindset. What that means, and we'll talk about this in Chapter 8,  but what that means is from the very beginning, where we're doing our feasibility study, we're building our business case. We need to start thinking about risks associated with the product, and how security is going to play out so that we can design a product to be secure. We build it to be secure. We test to see if it's secure, and we implement it securely.

We're a long way from that as an industry. Part of that security should include a layered defense, and that layered defense means that we're going to have a series of security controls that an attacker would have to go through in order to access the data. Layer defense. That also means that we don't put all of our eggs in one basket, so to speak. We don't just load up on technical controls and forget everything else. If somebody can walk into your server room and walk out with your server, without physical security, none of the technical controls matter. We want to balance our controls between technical, physical, and administrative. Again, we want those multiple layers of defense. It's going to really take a different mindset for us to turn around the current security posture that most applications, the degree of risk and most applications are exposed to.

Maybe it's a good way to say that. But it can be done, but we have to start now and we have to stop being reactive in relation to threats. We have to stop looking at what happened last week. We have to start thinking about what's coming down the pike and planning again to be secure as opposed to finding out later we weren't secure. Those are the things that I really want you to take into the CISSP exam. I always tell people, if you're waiting, you get to the test center and you've got 10 minutes before they're going to bring you in. If you're trying to memorize the OSI model in those 10 minutes, if you don't have it now, you're not going to get it.

But if you're sitting there reviewing these points of the mindset that I have for you, that is going to stick and that's going to help you in the test itself. I promise you again, think like a manager, don't touch things, collect information, advise, hands off, all those things. Think in game, everything that we talked about is really going to make the difference in how successful you are on this exam. I hope this was helpful for you.

Course link:
Certified Information Systems Security Professional (CISSP)
CISSP certification is essential for cybersecurity professionals aiming to move up in their career. This course will cover all aspects of security, risk management, and architecture to help you prepare for the CISSP exam. Learn from experienced professionals and gain the knowledge needed to become a certified security expert.
Instructed by
Senior Instructor
Kelly Handerhan

I am the owner of CyberTrain.IT, and I have over twenty years of experience in information assurance and cybersecurity. I am one of the Top 100 Trainers World-Wide. I hold the PMP, CISSP, CISM, CRISC, Security+, and CCSP certifications.