The CISSP Mindset: Part 2
Video Activity
Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
We've looked at the first half of the CISSP Mindset, so I want to take you through the second half of suggestions that I have for you. Picking up with the mindset, I want to start off with this idea of think "End Game." That's an important idea that a lot of people miss when you're testing. Again, I ask a question and a lot of the answers look good, but what you've got to think about is which answer takes you all the way through to the point where you've satisfied your objectives.

For instance, if I were to say, why do we train people, and give you maybe answer A, to raise security awareness, and then B, to modify behavior, I think most people would go with raising security awareness. But the problem with that answer is that security awareness isn't what I'm audited based on. I'm not liable based on what I know. I'm accountable for what I do. Training without modifying behavior really doesn't satisfy any objectives. If I'm going to train you and everybody goes back to doing things the old way, that wasn't a very good training. Really, when it gets to it, the reason that we train is to modify behavior ultimately.

You want to think this, and that can go back to what we talked about in part 1. Why do we classify data? Well, the answers I had given you were to indicate harm if compromised, to indicate harm if not available, to indicate value. None of those are end game. Indicating something's valuable actually makes it more vulnerable. If I've got a wallet and say, I've got $500 cash in here, and I set that wallet on my desk and I walk out of the room, that wallet is very desirable to an attacker now because I've labeled it. Labeling data top secret, if that's where I stop, doesn't accomplish any security benefit. But labeling it top secret because top secret items get protected a certain way, that's what really satisfies what we're looking for. You've got to play that out all the way. You will have multiple questions where the answers seem very comparable. But one is end game; choose that.
00:00
Security transcends technology.
00:00
This has been a phrase or
00:00
a catchphrase of ISC square for
00:00
a long time, security transcends technology.
00:00
What that means is technology comes
00:00
and goes and it always will.
00:00
There will always be a newer,
00:00
bigger, faster, louder device to do something.
00:00
But security principles have
00:00
to be the basis for what you do.
00:00
Otherwise, all the technology
00:00
in the world won't help you.
00:00
When we talk about security mindset,
00:00
we think about isolating resources.
00:00
Keep your trusted resources away
00:00
>> from untrusted entities.
00:00
>> Isolation. We think about
00:00
principles like principle of
00:00
least privileged need to know.
00:00
We think about separation of duties.
00:00
We think about the ideas of protection,
00:00
making people identify and
00:00
authenticate to access resources.
00:00
It doesn't matter how much money
00:00
you've spent on a firewall.
00:00
If you don't have those inherent elements in
00:00
place that just provide the foundations for security,
00:00
then, like I said before,
00:00
all the technology you put on top
00:00
>> isn't going to matter.
00:00
>> Focus first on security principles,
00:00
then add the technology and we'll
00:00
talk about that actually a little
00:00
bit as we move into Chapter 1.
Next bullet point. Physical safety is always the first choice. Yes, it is. What that means is, anytime you've got a question and one of the answers would protect human life above the others, that's going to be the first choice you always make. Now I know that feels weird when we're talking about a cybersecurity class. But there might be some questions surrounding physical security. For instance, maybe you've been tasked with choosing the type of electronic doors for your facility, and because what you protect is confidential, you're considering having the doors fail secure, which would mean, of course, that in the event of a power failure, the doors are locked. Well, that's going to influence human life. That's going to make it difficult to evacuate. That's never going to be the right choice on this exam. You will never have anything on this exam where the data is valued higher than human life. I know in the real world there may actually be some exceptions to that, but not on this test. Always choose to protect your people first.
Next point: technical questions are for managers, management questions are for technicians. Most managers, many managers, have had experience in the field. For instance, I came up through the ranks, like I talked about, as a hardware technician, the network person, and project manager, and so on. But I have to tell you, I haven't been pulling cable in years. They're not going to get down to the elements of how do you wire a crossover cable. That's way too technical for somebody that's a manager that makes security decisions. If you're a technical person and you're looking for the really technical answer, back up. This is not a technical exam, and I know a lot of people think it is, but it's actually a management exam with a technical focus. Don't be too technical with your answers. No correct answer is going to have you going in and using regedit and making changes to the registry, or writing your own batch file. That's just not what this test is about. Technical questions, those are the ones that are going to be worded in such a way that it's there for managers.

Now the flip side of that is true as well. You don't need an MBA, and you don't need business theory in order to do well on this exam either. It's right there in the middle. It's knowing the business the way a technician should and knowing the tech the way a manager should. As long as you stay right there in the middle, you're going to be fine.
The last two points go together. Incorporate security into the design as opposed to adding it on later. The reason we have the degree of security breaches that we do is that security is often an afterthought. We focus on the functional requirements of a product. Then afterwards we ask ourselves, is it secure? Instead of saying, does it work, and then, is it secure, what we need to be asking is, does it work securely, or it doesn't work? That's an entirely different mindset. What that means, and we'll talk about this in Chapter 8, but what that means is from the very beginning, where we're doing our feasibility study, we're building our business case, we need to start thinking about risks associated with the product and how security is going to play out, so that we can design a product to be secure. We build it to be secure. We test to see if it's secure, and we implement it securely. We're a long way from that as an industry.

Part of that security should include a layered defense, and that layered defense means that we're going to have a series of security controls that an attacker would have to go through in order to access the data. Layered defense. That also means that we don't put all of our eggs in one basket, so to speak. We don't just load up on technical controls and forget everything else. If somebody can walk into your server room and walk out with your server, without physical security, none of the technical controls matter. We want to balance our controls between technical, physical, and administrative. Again, we want those multiple layers of defense.

It's going to really take a different mindset for us to turn around the current security posture that most applications, the degree of risk that most applications are exposed to. Maybe it's a good way to say that. But it can be done, but we have to start now, and we have to stop being reactive in relation to threats. We have to stop looking at what happened last week. We have to start thinking about what's coming down the pike and planning again to be secure as opposed to finding out later we weren't secure.
Those are the things that I really want you to take into the CISSP exam. I always tell people, if you're waiting, you get to the test center and you've got 10 minutes before they're going to bring you in. If you're trying to memorize the OSI model in those 10 minutes, if you don't have it now, you're not going to get it. But if you're sitting there reviewing these points of the mindset that I have for you, that is going to stick, and that's going to help you in the test itself. I promise you again, think like a manager, don't touch things, collect information, advise, hands off, all those things. Think end game. Everything that we talked about is really going to make the difference in how successful you are on this exam. I hope this was helpful for you.