Welcome to the fifth and final domain of the Security Plus exam cram series, 2024 edition. Here in domain 5 we'll focus on a domain in six parts, beginning with a look at security governance. We're going to do a deep dive into risk management, including the quantitative risk analysis formulas, which, by the way, you are expected to know how to use on the exam this year; this is a change from the 601 exam. We'll discuss the elements of third-party risk assessment, we'll look at the importance of security compliance, we'll explore the types and purposes of audits and assessments, and we'll wrap with a look at implementing effective security awareness practices, important information for governance and oversight of your security efforts. Let's dig in. You'll find a PDF copy of this presentation available in the video description, intended for you to download and use in your exam preparation, and the chapters within this course should appear automatically on the timeline, but just in case you'll find a table of contents that's clickable in the video description so you can hop forward and back in the video as necessary as you prepare. As with the previous release of the Security Plus exam, I recommend the official study guide from Sybex, which includes 500 practice questions, 100 flashcards and two practice exams, as well as the companion practice test manual, which brings another thousand practice questions and practice exams, and if you register for the online resources so you can leverage these questions in an electronic format, I believe it's all the practice quizzing you're going to need to prepare yourself for exam day. I will leave you links in the video description to the least expensive copies on amazon.com. Now, domain 5 focuses on security program management and oversight, and through these installments we'll go line by line through every item mentioned in the official exam syllabus. Our focus in 5.1 is effective security governance, and we're asked to summarize the
elements of effective security governance, and there is some terminology I'm going to establish for you here right out of the gate, from guidelines to policies to standards and procedures. You'll need to know what these four are, how they're related and how they affect one another. We then have external considerations in our security governance, monitoring and revision (essentially monitoring our program efficacy and then revising as necessary), and we'll look at types of governance structures. We're going to wrap with a look at roles and responsibilities for systems and data; it's really the data roles that we'll want to focus on here, and you will want to understand who is responsible for what and which role is ultimately accountable. So let me start with a baseline definition of those four important terms. We have the security policy, which sets the overall vision and goals for information security. Security standards translate the policy into specific technical requirements and best practices. Security procedures provide detailed instructions on how to implement the standards, and security guidelines offer additional recommendations and best practices that can be adopted to further enhance security. Now we're going to work through these four in the order they appear in the syllabus, beginning with security guidelines. The function of a security guideline is to offer recommendations and best practices for achieving security objectives, but they are not mandatory. They provide the "could" for additional security measures: what could we do to improve our security posture? They tend to be the least specific, offering recommendations that can be adapted to specific situations; for example, "employees are encouraged to take advantage of security awareness training programs," a gentle nudging of sorts. Next we have security policies, which provide the overall high-level direction and objectives for information security within an organization. A policy defines the "why" behind security measures, so when we get
down the road and attempt to implement our security strategy, we'll derive what we do from the why we're going to do it, contained in our security policies. These are general statements and principles, often pretty broad in scope; for example, "the organization is committed to protecting the confidentiality, integrity and availability of its information assets." So in spite of the fact that that's high level, it is actionable: policies are a major input to procedures. Policies are the why; the procedures are the what. There are a handful of policies called out in the syllabus, and we'll step through those now. We have the acceptable use policy, which defines allowed and appropriate uses of the organization's IT resources and will also generally detail prohibited activities that could compromise security, things like downloading unauthorized software or using social media during work hours; it's often a document that employees sign as part of their onboarding process. We have the information security policy, which sets the overall direction for information security within the organization; this can provide some guidance to IT and security in designing and implementing systems and services, establishing the right amount of resilience and recoverability. Incident response, which sets the high-level direction for how the organization will identify, contain, eradicate and recover from security incidents. And the software development life cycle, which is high-level guidance that software development teams must follow in creating software; it acts as a road map ensuring quality, security and efficiency during development, and this may steer the organization's development team, the development group, in making decisions on what frameworks they'll follow and what project management strategies they'll follow. A startup would often go the agile route, which is going to be very nimble and iterative; larger organizations might use scaled agile; organizations working on mission-critical infrastructure, for example
high-sensitivity materials and projects, may choose waterfall. Next we'll talk about standards. Security standards define technical specifications, often mandatory, as well as best practices for implementing the security policy; a standard provides the what and when for achieving security goals. It is certainly more detailed than policies from a technical perspective, because it specifies technical requirements for systems, configuration or processes. For example, PCI DSS, which applies to processors of credit card transactions, would be mandatory; it's typically enforced in contracts. For example, "credit card data must be encrypted at rest, in transit and in use using a compliant encryption algorithm," so there we see the word must, which tells us it's a requirement, it's mandatory. Now we'll touch on some standards called out in the syllabus. Guidance on password complexity and password management comes from a number of sources, some vendor specific, but authoritative sources like NIST and the Center for Internet Security maintain guidance on password complexity and management. Access control, which specifies who has access to specific systems, data and resources based on the principle of least privilege; so for example, ISO 27001 offers guidance on information security management that can help here. Standards around physical security can be numerous, to protect physical access to systems and data, so this could include access badges, security cameras, fire suppression, HVAC, security guards. There are a number of authoritative entities that offer guidance on physical security; ISO and NIST you've perhaps heard of, NFPA, the National Fire Protection Association, perhaps you haven't heard of. And for example we could look at FIPS 140-2 or 140-3, a mandatory standard for protection of sensitive data within federal systems, which at its highest level also includes requirements around physical security. Encryption standards, which specify the algorithms and key management practices for encrypting sensitive data at rest
and in transit to ensure confidentiality, so you'll see guidance here not only on the algorithms for various scenarios but also the minimum key lengths, and these evolve over time. They will be impacted by quantum computing, which is actually why a few years ago NIST kicked off a competition to identify some quantum-resistant algorithms, and they've selected a few in the last handful of years to run through the certification process. Moving on to procedures: security procedures provide step-by-step instructions on how to perform specific tasks related to security controls; a procedure defines the how for implementing standards. Procedures are going to be highly detailed, outlining the exact actions to be taken in specific situations. A simple example, a procedure for incident response: upon discovering a security incident, follow these steps: isolate the affected system, notify the security team, document the incident. And no doubt the steps beneath each of these, the subtasks, would also be detailed in that procedure. So let's talk for a moment about how policies affect procedures, the relationship between the two. Procedures derive from policies: procedures are directly derived from the specific requirements outlined in corporate policies. Procedures ensure consistency, consistent implementation of policies across the organization. They provide clarity; they translate broad policy statements into clear, actionable steps for employees to follow, whether those are folks in IT and security or end users. And they can facilitate training: procedures serve as a reference point for training employees on how to comply with policies. If you're new to cybersecurity, let me give you an analogy; I'm a big fan of analogies to make sure we're all coming along together here. So the policy is the recipe. The recipe would state the inputs and the outputs, the ingredients; if I'm making a pie it's going to have things in there like flour and oil and butter. For security we're talking
about the data and the resources, and we need the desired outcome: a secure environment, efficient operations. I want a nice, you know, beautifully brown pie if I'm baking, right? So same situation, and the procedures are the cooking instructions. For a pie I'm going to put it in the oven, pull it out after X number of minutes, I'm going to cook it at a specific temperature. So for example it would detail the how-to: mixing the ingredients is our data handling, cooking temperature would equate to security protocols, cooling time is our incident response protocol. There were some procedures called out in the syllabus; let's walk through those briefly. We have change management procedures, which would detail the steps involved in proposing, reviewing, approving, implementing and documenting changes to IT systems and infrastructure, to ensure security risks are assessed and mitigated along the way. Onboarding and offboarding procedures, which would outline processes for granting access to new employees and revoking access for terminated employees, ensuring appropriate access controls are maintained throughout the user life cycle. Playbooks, which are detailed step-by-step instructions for responding to specific security events and ensuring a consistent and efficient response; so in the security operations center, playbooks are automated as runbooks in SOAR, security orchestration, automation and response. Moving on to external considerations. Here we're talking about external influences on our policies and procedures. Regulatory: compliance with data privacy regulations like GDPR, HIPAA and PCI DSS might dictate specific security controls and reporting requirements, and this will influence our policies, processes and procedures. Legal obligations can factor as well, concerning, you know, data breaches, electronic discovery and intellectual property; laws surrounding all of these will influence our policies, processes and procedures. Industry best practices and standards relevant to your sector may
provide additional security guidance; this would be especially impactful in regulated industries and high-risk areas: regulated industries like banking and health care, high-risk areas like health care and public utilities, nuclear facilities. And depending on where you're located you may have other influences at the local, regional, national or even global level; laws and regulations can all impact security requirements, and our policies, processes and procedures should address all of these. Moving on to monitoring and revision. It's important to remember that effective security governance is a continuous process, not a one-time task; it's continuous oversight. Monitoring can take multiple forms, including security audits, regular reviews of access logs, periodic vulnerability scans and analysis of our incident response metrics, and this can highlight for us areas where the security measures are working and where improvement is needed. Then we have revision; this is the process of updating security governance documents and practices, and these changes are based on the insights gained from monitoring. So monitoring can trigger the need for revision, and changes in corporate strategy may also trigger the need for revision. Let's shift gears and talk about types of governance structures. To restate our purpose here, security governance is a process for overseeing the cybersecurity teams who are responsible for mitigating business risks that are security related. Security governance leaders make decisions that allow risks to be prioritized, and amongst other things this ensures security efforts are focused on business priorities rather than their own. There are a number of different governance structures that may be employed; these might include a board or a committee, even a government entity, and these governance structures can be centralized or decentralized. Now the most effective structure depends on the organization's size, complexity and risk profile, so let's take a look at each of
these. A board, typically a board of directors, holds the highest level of authority within an organization; their decisions are binding on the entire organization, so that means company-wide. A committee, on the other hand, would be a subgroup within an organization, and committees typically focus on specific areas or tasks that are assigned to them; they're often created by and report to the board of directors, their authority is generally limited to the specific area they are assigned to oversee, and their focus may vary. Next we have government entities. There are a number of government entities, NIST is one that I bring up repeatedly, and these entities may issue security regulations, standards and best practices that organizations must comply with. In some cases they're only providing oversight to government entities; in other cases they're providing oversight to regulated industries. So for example FedRAMP only applies to government agencies, but the US government provides oversight to the banking and health care industries; the NIST Risk Management Framework applies to government agencies and is mandatory, while the NIST Cybersecurity Framework is designed for commercial, non-government entities and it's optional. So the government entity's purview really varies by scenario. Okay, and then we have centralized and decentralized. In a centralized structure, security decisions and controls are managed by a central security team; it sets policies and standards for the entire organization. In a decentralized structure we're delegating security decisions and controls, to some extent, to business units or departments or teams; a central security team typically still provides guidance and oversight in this model, but some of the day-to-day decision making and management is delegated out to whatever unit we've selected. We're going to wrap up with a look at roles and responsibilities, and what we see in the syllabus really looks like data roles. So I would know these two roles: the data owner, which holds legal
rights and complete control over a single piece of data, usually a member of senior management. They can delegate some day-to-day duties; what they can't do is delegate total responsibility, they're still accountable. We have the data custodian, which is responsible for safe custody, transport and storage of data, implementation of business rules, technical controls, you know, confidentiality, integrity and availability, audit trails, etc., usually someone in the IT department. They do not decide what controls are needed, but they do implement controls for the data owner. If the question mentions day-to-day management, that's typically a data custodian we're talking about. And if we look at GDPR, a regulation which applies to any organization with customers in the European Union, GDPR does their data roles a bit differently, so there are two roles that appear in GDPR that also show up here. There's the data processor, which is described as a natural or legal person, public authority, agency or other body which processes personal data solely on behalf of the data controller; and notice it says processes personal data, so we're talking about the data of individuals. GDPR is considered the gold standard of privacy regulations. Then we have the data controller, the person or entity that controls the processing of the data, who is responsible for the data. So controller sounds a bit like data owner, processor sounds a bit like custodian; they're not exactly the same, but there are some similarities, and these are called out in the official study guide, so they may appear on the exam. There are a couple of other roles I want to make sure you're familiar with also, so two other roles: data subject, which refers to any individual person who can be identified, directly or indirectly, via an identifier. So it's the person who can be identified; the person is the subject. We talked about subject and object earlier in the series: the subject is the person, the object is the data or other resource. Identifiers might include an ID
number, location data, or a factor specific to a person's physical, psychological, genetic, mental, economic, cultural or social identity; any direct or indirect identifier, essentially. Then we have the data steward, who ensures the data's context and meaning are understood and the business rules governing the data's usage are known and followed; they use that knowledge to ensure the data they are responsible for is used as intended, so data owners often delegate some duties to this role. And that's a wrap for 5.1. Here in section 5.2 our focus will be risk management, and more specifically the syllabus asks us to explain the elements of the risk management process, and I'll tell you, in this module I see a massive amount of overlap with the CISSP exam, a security leadership exam. So we're going to touch on risk identification and risk assessment, we will dive into risk analysis and specifically into quantitative risk analysis and the related risk analysis formulas, we'll talk about the risk register, risk tolerance, risk appetite and risk management strategy, also known as responses to risk, we'll take a look at risk reporting techniques, and we'll wrap with business impact analysis. As someone who's taken the CISSP exam and created content here on YouTube for the CISSP, I can tell you from experience every topic I see here is on that exam, and there are a few that are not. Many people think of the Security Plus exam as entry level; I'm telling you, the knowledge you're acquiring here is anything but. This is going to be great real-world knowledge for you and a big head start on another very popular security certification. So we're going to get into a couple of important terms, starting right at the top of our syllabus, all important risk management concepts you should be familiar with for the exam. We'll start with risk identification, exactly what it sounds like: the process of identifying threats and vulnerabilities that exist in an operating environment, which can come from a variety of sources. This
can include cyber threats, system failures where we don't have good resiliency built into systems and services, and disasters, both natural and man-made. Risk assessment is the broader process of identifying, analyzing, evaluating and prioritizing potential risks; risk assessment really encompasses the broader process from the initial identification of the risks all the way through developing mitigation strategies, which would include risk analysis. Now risk assessment is not a one-time strategy, it's not a one-time event, and there are multiple types of risk assessment we can use to identify, analyze and prioritize our potential risks. There's the ad hoc risk assessment, which is an informal, one-time assessment conducted in response to a specific event or concern. These are often conducted on an as-needed basis when we see a change in the environment introduced by a project or an implementation; when we have a new application or service or system come into the environment that changes our risk profile, we need to assess on an as-needed, ad hoc basis. We have recurring assessments; these are conducted periodically at predetermined intervals, annually, quarterly; this is just part of the ongoing monitoring to track the evolution of risks over time in our environment. Then we have the one-time risk assessment, which is a more formal version of a one-time assessment as compared to ad hoc; it's usually in response to a security incident or a request from management, and may be brought on by a change in business strategy, or management says, hey, we need to go back and reassess based on our new risk appetite. There's continuous risk assessment, which is an ongoing process where risk identification and analysis are integrated into daily operations; these are often automated, like recurring system scans. We're about to dive into risk analysis, but I want to quickly pause and make sure that we're clear on the difference between risk assessment and risk analysis, so just a quick level set; we'll just look at the two side
by side here. In terms of scope, risk assessment is the broader process and encompasses risk identification, analysis, evaluation and mitigation, and risk analysis is a specific step within risk assessment, focused on analyzing the risks we've identified. Assessment is identifying, analyzing, prioritizing and mitigating, where risk analysis is evaluating likelihood and impact of identified risks; so it's that step within the process. In terms of focus, risk assessment is the high-level life cycle; risk analysis is down in the weeds in the detailed examination of risk characteristics. In fact we see it right here: it is the analyzing step in assessment. Now we're going to step into risk analysis. There are two ways to evaluate risk to an asset: there's qualitative risk analysis and quantitative risk analysis. Quantitative assigns a dollar value to evaluate effectiveness of countermeasures; that dollar value is the key. It is objective; it uses formulas. So on the quantitative side, sometimes to prioritize we'll see an initial calculation using an impact times probability score, but that just gives us a rough cut on priority, so we can then follow up with our formulas and really assess effectiveness of countermeasures, the impact, the probability, etc. Now on the qualitative side we use a scoring system to rank threats and effectiveness of countermeasures; it's a very subjective system. Qualitative risk analysis often uses low, medium, high or a number scale, but we're not getting down to true numeric probability, impact and cost effectiveness of the countermeasures, so qualitative is easier, faster and less accurate. So if I were to summarize it, just put it simply: quantitative measurements use numbers, like asset values and the cost of our security controls; qualitative measures use judgments; and both methods aim to help management make educated risk decisions based on priorities. And the fact of the matter is, not every risk can be easily calculated through quantitative methods. How do I put a dollar
value on the loss of my customers' trust? How do I put a precise value on reputational damage? I'm about to take you through the quantitative risk formulas, but before I do I want to just mention an important note that you'll find on quantitative risk formulas in the official study guide, where it mentions you should be prepared to explain the terminology of quantitative risk analysis and perform these calculations when you take the Security Plus exam. That means you need to know the quantitative risk analysis formulas. Generally speaking, I would say this was not true with the SY0-601 exam, so this represents a bit of a shift, but I've got you covered. So we're going to start with some important terminology, some terms you'll want to be familiar with before we get to the formulas. We'll start with impact, which is the potential consequence or negative effect that occurs if a risk materializes. Asset value is the monetary value of the asset for which we're making calculations. And safeguard evaluation answers the question, is this safeguard cost effective? Because the bottom line is, organizations will not spend more than an asset's value to protect the asset; at that point they could simply save their money, earn interest, and then pay to replace that asset should a risk be realized. So let's look at the formulas we'll be dealing with, and when it comes to quantifying potential loss these four should be top of mind: exposure factor, single loss expectancy, annualized rate of occurrence and annualized loss expectancy. We'll run right down the list, starting with exposure factor, which is the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. For example, if I expected a $30,000 loss on a $100,000 asset every time a risk was realized, that would be an exposure factor of 30%. Next we have single loss expectancy, which represents the cost associated with a single realized risk against a specific asset. The formula for single loss
expectancy is the value of my asset times the exposure factor. So if we take that exposure factor example I gave you, an exposure factor of 30% on a $100,000 valuation means we have a single loss expectancy of $30,000; so if I state it as a formula, asset value of $100,000 times the exposure factor of 30%, represented as a decimal, equals a single loss expectancy of $30,000. Next we have the annualized rate of occurrence, or ARO; this is the expected frequency with which a specific threat or risk will occur within a single year, so "within a single year" is key. For example, a risk occurs two times in a year: two occurrences divided by one year equals two, that's our annualized rate of occurrence, twice a year. A risk occurs once every two years: one occurrence divided by two years equals 0.5. A risk occurs once every five years: one occurrence divided by 5 years equals 0.2. And I'll warn you, on the exam watch for an annualized rate of occurrence that is less than once per year, because you're going to have that fractional ARO; that's something I expect they might try to use to trip you up. Next we have the annualized loss expectancy; this is the possible yearly cost of all instances of a specific realized threat against a specific asset. So if a risk is realized five times a year, what is that yearly cost? If the risk is realized once every 5 years, we average that cost out over 5 years. So let's look at an example. Our formula is pretty simple: it's the single loss expectancy times the annualized rate of occurrence. Here's an example: we have an office building that's worth $200,000, our office is on the Gulf Coast of Texas, so if a hurricane hits us estimated damage is 50%, and hurricane probability is one every 10 years, so a 10% chance. We'll start by calculating our single loss expectancy: we have a $200,000 asset, damage is 50%, that's an exposure factor of 50% or 0.5, and that means our single event total, or single loss expectancy, is $100,000. However, we say that a hurricane only occurs with a 10%
probability, once every 10 years, so let's calculate our annualized loss expectancy. We take that single loss expectancy of $100,000 times that 10% chance, that 10% annualized rate of occurrence, which gives us an annualized loss expectancy of $10,000 a year. So $10,000 is the magic number there; that is the value of a safeguard on an annual basis, the maximum value. So if I could insure my office building for less than $10,000 a year, that is going to be break-even or better. If the insurance company said, you're on the Gulf Coast, we're going to charge you $15,000 a year for this insurance, well, it would be less expensive to just keep the money and pay for the damage when it actually occurs. Now certainly I'm taking a risk there, because what if a hurricane happens more than once every 10 years? But on the other hand, what if it happens less than once every 10 years? So just to recap some terms and formulas here: we have the exposure factor, which is the percentage of the value of an asset lost due to an incident. Single loss expectancy: how much would it cost you if it happened just one time? And remember the single loss expectancy formula is the asset value times the exposure factor. Annualized rate of occurrence: how many times does it happen in one year? Remember to watch for annualized rates of occurrence where it occurs less than once a year, so the interval between occurrences is longer than a year, because you're going to have a fractional ARO; remember, one occurrence every 5 years is 1 divided by 5, or 0.2. I think that's an area where you could get tripped up. Annualized loss expectancy: how much will you lose per year? So for the annualized loss expectancy, that's single loss expectancy times the annualized rate of occurrence, or if you wanted to state it another way, the asset value times the exposure factor, which equals the single loss expectancy, times the annualized rate of occurrence. Then last but not least we have annualized rate of occurrence, which answers the question, how many times is
the risk realized in one year? So remember to watch for an annualized rate of occurrence with an interval longer than one year, which will be represented as a fraction: one occurrence every 5 years, 1 / 5, equals an ARO of 0.2. All right, that's what I have for you on the risk formulas. Do remember the official study guide suggests these formulas may come up on the Security Plus exam. I understand this is a lot, so in case you feel you need a little more coverage here, I have a video that's 20 minutes long or so over in my CISSP exam cram collection, and it is quantitative risk analysis, just the formulas; this is the thumbnail. I'll put a link in the video description if you feel you need a bit more time with the formulas; that video in 20 minutes walks you through an example end to end using those formulas. I tell you at the end of every video, feel free to drop questions in the comments or ping me on LinkedIn; I'll tell you that ahead of time today: if you have questions on the formulas, if there's something that's just not quite clicking, leave me a comment and we'll talk about it. Okay, a couple of terms that show up on the syllabus you need to know, and these are two terms that refer to the possibility of a risk event occurring; on the surface they appear to be synonyms, and they are, but there's a subtle difference. We have probability, which refers to the chance of an event happening; it's often expressed as a numerical value between zero, which is impossible, and one, which is certain, so probability represents a quantitative approach, much like quantitative risk analysis. And then we have likelihood, which expresses the chance of a risk occurring using descriptive terms like high, medium, low or rare; this represents a qualitative approach. Let's move on to the risk register. The risk register is a tool we use in both risk management and project management; now sometimes it's used to fulfill regulatory compliance, but often it's just used to track potential issues that can derail intended outcomes. A risk
register typically includes several details like the risk ID, description, probability, impact, severity, intended response and the owner of that risk. The metrics in a risk register are going to vary from company to company; it should be considered a living document and updated periodically, at least annually; in a project you're definitely going to be updating it more frequently than that, sometimes even weekly. And then we have the heat map. A risk matrix is used to provide a visual representation of risks affecting a company, so the heat map shows the severity of the situation, with the most severe risks being in red. You see the likelihood ranging from very unlikely to very likely as we go up, and the impact from left to right becoming more severe. So remember, likelihood is the qualitative version of probability, right? And you notice the risk matrix here, the heat map, is using qualitative terms: low, medium, high, etc. Some key concepts associated with a risk register you should be familiar with for the exam: we have key risk indicators, which are measurable metrics that signal potential changes in the likelihood or the impact of a risk, so monitoring KRIs allows for early detection, escalation and mitigation. We also have to think about risk owners; each risk should be assigned a designated owner, typically a person or department responsible for managing and mitigating the risk. If there's not a specified owner of the risk, nobody owns it; it's going to be sure to get ignored. Assigning that owner just ensures accountability for addressing the risk. Then we have the risk threshold, which refers to the level of risk tolerance established by the organization. The risk register may be qualitative, as was the one I showed you here, but it could also be quantitative, using numeric scoring, especially in project management. I find that the risk matrix, the heat map, is almost always qualitative, because it's just human judgment as we go along and we're estimating the severity and
likelihood based on our past experience.

OK, now there's a phrase here at the tail end of risk matrix, risk tolerance. I want to talk to you about risk appetite and tolerance now. Risk appetite and risk tolerance are two terms often used interchangeably, but there's a difference. Risk appetite describes the amount of risk an organization is willing to accept without mitigating. The organization uses its risk appetite to determine its risk threshold; the threshold is the level of risk a situation must rise to before the organization chooses to take action to manage that risk. Risk tolerance, on the other hand, refers to the organization's ability to take on risk. So, for example, an organization with more cash on hand has a greater ability to maintain stability through financial risk. It's important that an organization's appetite and tolerance are aligned, that the organization's willingness to accept risk is well matched to its ability to manage that risk, to weather that storm.

The syllabus mentions levels when it comes to risk appetite. So again, just to restate, risk appetite refers to the amount of risk an organization is willing to accept, and there are three levels of risk appetite. Organizations with expansionary risk appetites are willing to take on a high level of risk in pursuit of high rewards. Neutral risk appetites take a balanced approach to risk-taking. And conservative risk appetites prefer low-risk investments and prioritize preserving their current security posture. Appetite is going to vary by organization based on its goals and strategic objectives, but generally speaking, startups and organizations investing in cutting-edge tech tend to have a greater appetite for risk.

Now let's talk risk management strategies, also called response to risk. There's risk acceptance, where we do nothing: you just accept the risk and the potential loss that goes with it if the threat occurs, or as we say, if the threat is realized. Risk mitigation: you mitigate a risk by
implementing a countermeasure and accepting the residual risk. Residual risk is the risk that remains, the amount of risk that remains once you have implemented your security control. So risk mitigation is the act of reducing risk. Then we have risk transference, where we transfer or assign risk to a third party, such as when we buy an insurance policy to protect against damage, whether that's insurance on a physical structure or cyber insurance to help in the event of a cyber attack. And then there's risk avoidance: when the cost of mitigating or accepting the risk is higher than the benefits of the service, we just avoid the risk altogether. This could mean not implementing a new service because we want to avoid a risk that we can't mitigate or accept.

Now there's a bit of nuance when it comes to risk acceptance we need to talk about. It's called out in the syllabus, and that's exception versus exemption. These are the two flavors of risk acceptance. An exception is a temporary deviation from a security policy or control due to specific circumstances; it's a documented and approved decision to accept a higher level of risk for a defined period. An exemption, on the other hand, is a permanent deviation from a security policy or control; it's a formal decision to permanently accept a risk because mitigation is deemed impractical or infeasible.

Then we move on to the reporting phase of risk assessment. The risk report will detail risks discovered and, generally, recommendations for remediation as well, and the organization's leadership uses this to decide which controls to implement and which risks they're willing to accept. The risk report contains sensitive information, so it should be restricted to those with a need to know. Reporting is the last phase of the risk assessment process and arguably the most critical phase, because it's delivering actionable guidance to the organization's leadership so they can then respond to that risk.

Next we have the business impact
analysis, which identifies mission-critical functions and critical systems that are essential to the organization's success. It also identifies maximum downtime limits for these systems and components, as well as the scenarios that can impact these systems and the potential losses from an incident. These inputs enable the organization to make some decisions around its critical infrastructure. So the organization has some decisions to weigh, and a business impact analysis contains two important items: a cost-benefit analysis and a calculation of the return on investment. The cost-benefit analysis lists the benefits of the decision alongside their corresponding cost. Now, that CBA can be strictly quantitative, adding the financial benefits and subtracting the cost to determine whether a decision will be profitable. A thorough cost-benefit analysis will also consider intangible benefits, those you cannot calculate directly.

There are a couple of key recovery metrics we settle on in the process of our business impact analysis. There's the recovery point objective, or RPO, which is the age of data that must be recovered from backup storage for normal operations to resume if a system or network goes down, effectively the maximum tolerable data loss between the last backup and the disaster. Then we have the recovery time objective, or RTO, which is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with that break in continuity. Generally, the SLAs between a company and its customers will heavily influence the RPO and RTO.

And finally, we have a couple of business continuity related definitions that you should know for the exam. There's MTBF, mean time between failures, which is a time determination for how long a piece of IT infrastructure will continue to work before it fails. And there is the mean time to repair, MTTR, which is a time determination for how long it will take to get a
piece of hardware or software repaired and back online. Pretty straightforward definitions.

Moving on to section 5.3, and here we're asked to explain the processes associated with third-party risk assessment and management. We'll review activities associated with vendor assessment, potential issues arising in vendor selection, different agreement types we might use with vendors, the importance of vendor monitoring, the value of periodic vendor questionnaires, and the all-important rules of engagement.

We'll start with vendor assessment, which focuses on understanding the security posture and the risk profile of both potential and existing vendors. There are a few common assessment methodologies, including penetration testing, so effectively simulating a cyber attack to identify vulnerabilities in the vendor's systems and data security measures. And especially in the software and platform world, we see vendors include a right-to-audit clause in their proposed contract terms, so including a clause in the contract that allows our company to audit the vendor's security practices at designated intervals. Another method is evidence of internal audits, so requesting proof that the vendor conducts regular internal audits of its own security controls. Independent assessments: utilizing audit reports from independent external security firms that have evaluated the vendor's security posture, exactly what we see happening with the public cloud service providers. And a method that is really top of mind in recent years, and that is supply chain analysis: mapping your vendor ecosystem to identify potential risks introduced by their subcontractors or suppliers.

In fact, let's just unpack that briefly, because today most services are delivered through a chain of multiple entities, a supply chain, and a secure supply chain includes vendors who are secure, reliable, trustworthy and reputable. So organizations have to perform due diligence to assess their vendors' security posture, their business practices and their
reliability, indeed their viability. This may include periodic attestation, requiring vendors to confirm continued implementation of security practices. As we've discussed previously, maintaining one's security posture is an ongoing process, not a one-time event, and a single vulnerable vendor in the supply chain puts the organization at risk.

So in addition to a vendor's security, business practices and reliability, I also mentioned viability, and I want to unpack that just briefly. Organizations need strong project and people management to effectively perform vendor management activities, which includes assessing vendor viability. I mention this because viability is a process often not conducted by the security team, as it deals with an operational risk. It typically involves assessing public information on vendors, like their financial statements, performance history and reputation, or even a formal report like a SOC 1, which focuses on that vendor's internal controls over financial reporting. All of these identify potential weaknesses that could impact the vendor's ability to continue operations. Remember, the third leg of the CIA triad is availability, and if we wake up one day and our cloud provider is out of business, that's going to affect availability.

So let's unpack right to audit just a bit further. For some vendors, definitely smaller vendors that don't have the ability to give us an audit report on demand as attestation, a right-to-audit clause is an important element of our contract. Written into supply chain contracts, it allows an auditor to visit the premises to inspect and ensure that the vendor is complying with contractual obligations. It can help us ensure that we're getting the quality of goods we've been promised, that we're not being shorted on shipments, that there are no financial issues, no malfeasance in terms of financial transactions happening, no unnecessary services being tacked on to our contracts that are causing us additional expense. So that
being said, when it comes to supply chain analysis, an on-site assessment is definitely an option, although I'd say that option is fairly rare in my experience. Document exchange and review, so investigating the data set and documentation in an exchange and review process, is very common. A policy or process review, where we request copies of a vendor's security policies, processes and/or procedures, and often ask them to sign to verify, to attest, that these policies, processes and procedures are in place and currently in use at that organization, giving us a fair level of confidence that the vendor is secure. Third-party audits sometimes happen, so certainly when there's enough risk involved, when there's enough on the line with a mission-critical vendor, third-party audits can happen: having an independent auditor provide an unbiased review of an entity's security infrastructure. Where we see that come into play often is in the cloud service provider space. So right to audit exists in many contracts, and that right to audit a service provider certainly happens, but contracts are often written to allow your CSPs to provide their standard audits in place of a customer-performed audit. I can promise you, you will never audit a big public cloud service provider like Microsoft, Amazon or Google; you'll be using their standard third-party audits, and they're very easy to get. It only takes a second. In fact, I'm just going to show you an example of how you can retrieve an audit report on demand from a CSP. I'll show you on the Microsoft Azure platform; the process is pretty similar for all three major CSPs. So I'm going to go to Microsoft's Service Trust Portal, servicetrust.
microsoft.com. I've logged in with my Azure subscriber account, because some of these reports do require an NDA, as they contain sensitive information. So we see ISO, I see SOC, I see GDPR. I'm going to click on SOC. We know that the SOC 2 Type 2 report is kind of an industry standard, and I can scroll down here and see applicable documents, and you'll notice that they offer these reports not just for the platform as a whole but for specific services or components of the platform, and I can see when they were last updated. So what they'll do for a lot of these SOC 2 reports is, if there hasn't been any significant change, they'll provide you a bridge letter that says, hey, there's been no change since our last audit, and you can click in there and then download that specific document. So I get to the page detail, and it's a PDF, and I'll click, and you see here it wants to make sure I'm actually a customer, so I have to sign in in order to get to that document, because they're going to ask me to agree to an NDA. Now I'm not going to go any further than that, because that report does contain sensitive information specific to subscribers, but the point being, you can go here, sign in and download a SOC 2 Type 2 on demand, and it solves that need without the customer themselves having to perform that audit.

So in the vendor selection process we have due diligence, which is the process to collect and analyze information before making a decision, signing a contract or completing a transaction. It involves a comprehensive review of a prospective vendor's financial health, their reputation, security practices and compliance with any relevant regulations, especially if we're in a regulated industry. But due diligence doesn't stand alone; it supports the due care efforts, which are the actions taken by the organization based on their due diligence. We'll talk about due diligence and due care a bit further in this domain, so let's park that for now.

The other area of potential concern is conflict of interest. We want to
be certain that in selecting a vendor there are no circumstances that may unfairly influence results in the selection process. Financial interests certainly come up. Vendor ownership, for example: if a customer employee or someone close to them has a financial stake in the vendor company, that can influence the decision-making process during vendor selection or contract negotiations. Kickbacks or bribes, where a vendor offers gifts, trips or other incentives to a customer employee in exchange for preferential treatment; this could even include inflated contract prices or relaxed quality standards. In fact, with our federal government, when federal government employees attend technical conferences, the conferences have to ask attendees, are you a government employee? And if they check yes, then they're not allowed to receive gifts of any kind, and that can go all the way down to not accepting something as simple as a backpack or a t-shirt, a simple gift they would get at the registration desk when they pick up their badge, in some cases.

Information sharing is another concern in the conflict of interest category. Confidentiality breaches: for example, a vendor with access to a customer's confidential information might misuse it for their own gain or even sell it to a competitor. This could include trade secrets or sensitive customer data of any kind, really. Or unequal information sharing: a customer might not receive all the necessary information from a vendor about their product or service limitations, which potentially leads to biased decision-making or unexpected problems later, because a customer signs a contract and then later discovers something they didn't know because it was withheld by the prospective vendor during negotiations. And professional relationships: pre-existing relationships can be problematic, where a customer employee has a close personal or professional relationship with a vendor representative, which can impact that person's objectivity
during vendor selection or issue resolution. And then the revolving door problem, where an employee leaves their position and takes a job with a vendor they previously worked with, which can create a conflict if they possess sensitive customer information or knowledge, giving them something of an insider advantage as they're negotiating their contract.

Now we're going to step into agreement types. We'll start with the service level agreement, SLA. SLAs stipulate performance expectations, like maximum downtime, and often include penalties if the vendor doesn't meet expectations. It's generally used with vendors, though we'll sometimes see service level agreements within an organization, where one department makes promises to another; we generally call those operating level agreements, or OLAs. These next two agreements sound very similar in their name, but you should understand the difference between them. There is the memorandum of understanding, or MOU, which is a formal agreement between two or more parties indicating their intention to work together toward a common goal. It's similar to an SLA in some respects in that it defines the responsibilities of each party. It is a more formal alternative to a handshake, but it lacks the binding power of a contract. It's less formal than an SLA because it typically includes no monetary penalties. And then we have the memorandum of agreement, or MOA. It's similar to an MOU, but it serves as a legal document and describes terms and details of the agreement. So an MOA is a legal contract and an MOU is not; that's the key difference you should take away. Next we have the MSA, or master service agreement, which provides structure to the agreements for vendors that you work with repeatedly. The MSA is a contract with general terms between two or more parties as they enter into a service agreement. It should address compliance and process requirements the customer is passing along to the provider. The MSA should include breach notification and the vendor's duty to inform the
customer of a breach within a specific time period after detection. So this MSA comes before a statement of work and spans projects throughout the life of the relationship. Next we have the statement of work, commonly called an SOW. It's a legal document usually created after an MSA has been executed, and it governs a specific unit of work. So an MSA may document services and prices, and an SOW documents requirements, expectations and deliverables for a project; the MSA focus is overall and ongoing, the SOW is limited and specific. Next we have the non-disclosure agreement, or NDA, which is a contract with vendors and suppliers that prohibits disclosure of the company's confidential information. It's also used by companies to prohibit employees from sharing proprietary data. The duration and terms may vary, so an NDA should be entered into with considerable care: know what you're signing up for before you sign, true of any contract really. And to close out agreement types, we have the business partners agreement, or BPA, which is used between two companies or individuals who want to participate in a business venture to make a profit. Details will include each partner's contributions, rights and responsibilities, details of operations, decision-making and sharing of profit, as well as rules for the partnership ending, either at a given point based on an event or time, or if one of the partners dies or moves on.

Moving on to monitoring. Continuous monitoring is essential to keep track of evolving risks with our vendors, and vendor monitoring means continuous monitoring to identify the emergence of new vulnerabilities, also remembering that the vulnerabilities of one vendor can impact the entire supply chain, and validation of vendor security reduces risk. Your key takeaways being that monitoring your vendors is a continuous process and it reduces your risk.

Questionnaires. Sending periodic questionnaires to vendors to gather updates on their security controls and risk management practices is
really a form of self-attestation for these vendors, and it should elicit lower confidence versus an external vendor assessment, but it gives us a way to check in on the vendor to see if anything has changed since the last time we had a discussion of their security controls and their risk management practices.

And finally, we have the all-important rules of engagement. When we think about vendor monitoring and management, we want to establish clear boundaries, and we do that through rules of engagement. We want to define the purpose of any tests and what the scope will be for the people who are performing the test. We want to establish a clear agreement outlining expectations for data security, incident response and any communication protocols, meaning we have a communication plan with the communication medium, the audience and the intervals. We want to ensure everyone is aware of what systems will be considered, the date and time, and any constraints everyone should be aware of, and it should also include clear processes for issue resolution in response to findings or disputes. You can apply rules of engagement to a penetration test; you can apply rules of engagement to ongoing vendor monitoring of any sort. It's just good manners, and at the end of the day, if a vendor knows that they are being continuously monitored, even in a passive way, it's going to encourage good behavior and encourage compliance. That does it for section 5.3.

Moving on to 5.4, and here the syllabus asks us to summarize elements of effective security compliance. We'll begin with a look at internal and external compliance reporting, we'll talk about the consequences of non-compliance, we'll look at compliance monitoring concepts, and we're going to finish our session with a dive into various aspects of privacy. So let's jump right into compliance reporting. Reporting serves a couple of important functions in this case: number one, it ensures organizations meet regulatory requirements, but it also ensures they maintain transparency
with internal and external stakeholders. Internal reporting focuses on regularly informing internal stakeholders and management about the organization's compliance posture. It demonstrates transparency, and it keeps leadership informed about potential compliance risks for which they, as the leaders of the organization, are ultimately accountable, accountability they cannot transfer. And external reporting: submitting reports to external entities like regulatory bodies or auditors, as required by specific regulations, to demonstrate compliance with those regulations. For example, GDPR, PCI and HIPAA all require either annual or on-request reporting.

Moving on to the consequences of non-compliance. There's the potential for reputational damage, which can result in a loss of customer trust and a loss of revenue, and the effects of reputational damage can last for years or even decades. Sanctions: these are legal repercussions that can be harsher than fines, including restrictions on operations or even criminal charges. Contractual impacts: failure to comply with regulations might lead to contractual breaches, resulting in penalties or termination of partnerships. Fines: failing to report a breach, for example, can result in fines that can reach into the millions of dollars and may lead to lawsuits. And loss of license: in some cases non-compliance can lead to the revocation of a business license or a permit to operate.

Moving on to compliance monitoring. Due diligence and due care involve taking reasonable steps to assess and mitigate security risks associated with vendors, systems and data handling practices; the assessment is due diligence, and then the act, the mitigation, would be due care. Attestation and acknowledgement: obtaining formal confirmation from relevant parties, like employees, that they understand and will comply with security policies and procedures, such as when we have employees read and sign that they agree to our acceptable use policy. Internal and external audits, which are
regular assessments conducted by internal or external auditors to evaluate the effectiveness of security controls and to identify areas for improvement. If done right, internal auditors reveal issues to correct before we're subjected to an external audit. It's a very common practice that an organization will self-audit a few weeks to a few months before it has, say, an annual external audit for a compliance scenario, because it can self-identify issues and correct them before that external auditor shows up. We can use automation: SIEM and SOAR tools (SOAR is really the automation arm of a SIEM solution), vulnerability scanners or other automation solutions to streamline compliance monitoring activities. These can automate investigation, incident response and reporting.

Moving on to privacy. I want to start by making sure we are clear on the difference between privacy and confidentiality. Privacy focuses on the rights of individuals to control their personal information; it's about giving people ownership and control over their data. Confidentiality, on the other hand, ensures that data is only accessed by and disclosed to authorized individuals or entities; it's about keeping data protected from unauthorized access. To state it even more simply: privacy is about people, confidentiality is about data.

So, digging into privacy, what is the source of our privacy rights, here in the United States for example, and beyond? In the US the basis for privacy rights is the Fourth Amendment to the US Constitution, and the Stored Communications Act of 1986 extends the Fourth Amendment into the electronic realm. Elsewhere, for example, we have in the EU the General Data Protection Regulation, which is GDPR. It protects subjects in the EU, but it applies also to US companies. It's considered the gold standard of data privacy laws, and it applies to every company with customers in the EU, and by every I mean every company regardless of country: if you have customers in the EU, you will respect their
privacy rights as laid out in GDPR, or you will be fined, you will potentially be the target of a lawsuit, you will potentially be sanctioned, and the fines can be horrendously large.

Security professionals are essentially responsible for protecting the confidentiality, integrity and availability of all the sensitive information under their care, the CIA triad, and there are a few concepts we should all be familiar with here. Certainly legal implications: navigating privacy regulations that apply to the organization, considering local, regional, national and international data protection laws. This requires constant monitoring and oversight to ensure compliance. When you're looking at data privacy laws, or privacy laws in general, you'll see the data subject mentioned; this speaks to the individual to whom the personal data belongs, and compliance practices should respect the rights of data subjects, such as the right to access, rectify or erase their data. The laws will vary; we'll talk about some influences on law here in just a moment. And you want to know the difference between the controller and the processor. We talked about this earlier in domain 5 when we were discussing data roles: distinguishing between the data controller, who determines the purpose and means of processing data, and the data processor, who does the actual processing on behalf of the controller. Those roles get called out specifically in GDPR; if you'd like to revisit them, they're covered in section 5.1 in greater depth.

The rules around data privacy, the law, really come down to jurisdiction, meaning which country has legal authority, and different laws and regulations may apply depending on the location of the data subject, the data collector, the cloud service provider, the subcontractors processing data, and the company headquarters of the entities that are involved. We can have wide-ranging legal concerns. Legal concerns can prevent the utilization of a specific cloud service provider; they can add
cost and time to market; they can drive changes to technical architectures required to deliver services, because based on these laws we might make different decisions about where we host our infrastructure and our data. But one truth always remains: you never want to replace compliance with convenience when evaluating services, as this increases risk, and many privacy frameworks impose fines or other actions for non-compliance. And just to throw another wrinkle into it, sometimes you have laws between different countries that are conflicting, and it's up to you, as the party providing services to customers, to figure out how you make your next move to comply with those laws, which means you really need to work with your legal team.

So, moving on, I want to get back to those concepts around protecting confidentiality, integrity and availability. We have data ownership, which is about determining who has ultimate control and decision-making authority over specific data sets within the organization. Then there's the consideration around data inventory and retention. We need to maintain a comprehensive and accurate record of all personal data collected and processed, and it must be accompanied by data retention policies that specify how long data will be stored before secure disposal. What does secure disposal mean? It means not recoverable, even through forensic techniques. And then there is the right to be forgotten. This speaks to a data subject's right to request deletion of their personal data under certain circumstances, such as those mandated by regulations like GDPR. Regulations like GDPR also come with timing, meaning limits or boundaries around how quickly an organization must respond to a subject request, which means organizations must have processes and resources in place to handle those subject requests. And as an aside, it really all begins with an accurate data inventory. As a first step, organizations should develop a data inventory containing the following types of
sensitive information, meaning they need to identify instances of these data types in their environment, including personally identifiable information, or PII, protected health information, PHI, financial information, intellectual property, legal information and regulated information. We actually talked about these sensitive information types in greater depth back in section 3.3, if you'd like to go back and revisit. That's a wrap on section 5.4.

Here in section 5.5 our focus will be audits and assessments, and more specifically the syllabus challenges us to explain the types and purposes of audits and assessments. We'll explore the concept of attestation, we'll look at internal audit and assessment versus external audit and assessment, and we will explore the types and categories of penetration testing and their purpose. We're really not just talking about the what here in terms of audit and assessment, but the why we would use each. But before we do any of that, I need to quickly lay some foundation for you here and answer: what exactly is the difference between a security audit and a security assessment? Allow me to explain, and I'll give you a nice side-by-side visual here so you can digest these quickly. In terms of focus, a security audit is focused on compliance with standards or regulations; a security assessment is identifying and prioritizing risks. One is measuring your compliance, on the audit side; the other is assessing if there are any risks of non-compliance. The purpose here from an audit perspective is verification: is the organization compliant, yes or no? An assessment is evaluating and analyzing the organization to see if there are risks, if there are gaps. The security audit is generally a formal exercise, often by an external auditor; certainly we can have an internal audit, which is also formal. The level of formality with a security assessment will vary, and the more formal it is, the more likely we are to have a very clear scope of what is being assessed. In any audit or any
assessment, the scope of what is being audited or assessed is quite important. In terms of outcome, an audit will result in a report on compliance gaps, on areas of non-compliance; an assessment will include a report on identified risks and recommendations for closing those gaps. You're going to find different people have different opinions on the definition of an assessment and an audit; I'm giving you the clinical definition here that is factually accurate. To give it to you most simply, perhaps think of the security assessment as studying for the exam, preparing for the exam, and the audit is the exam. And again, there's a bit of context that's important here: how punitive the audit results will be depends on the context of the audit. If it is a formal audit conducted by an external auditor, as mandated by a regulatory body, there are potentially going to be some punitive measures if we're out of compliance. On the other hand, if we are conducting our own internal audit ahead of the external audit, or we have contracted a third party to audit our organization ahead of the official external audit, that can give us clarity on whether we would pass or fail the real deal, but it also gives us time to prepare, to close those security gaps, those control gaps.

With that out of the way, let's dig into the syllabus, beginning with attestation. Attestation is an independent verification of an organization's adherence to specific controls or standards. An attestation engagement can be internal or external, meaning performed by internal or external entities, and there's a bit of wiggle room in the phrase independent verification. There are levels: one can certainly interpret that to mean it must be an external verification because it must be independent, but the fact of the matter is auditors, whether internal or external, should always be independent, meaning for an internal auditor, independent means free to report results without fear of punishment or retaliation. So that is to say I can have independent
verification of a fashion from an internal exercise but there's going to be a higher degree of confidence to anyone else I'm presenting those results to if the attestation comes from an external source and the syllabus calls out a few elements of internal and external audit and assessments we'll begin with internal so internal Audits and assessments are performed within the organization itself usually by a dedicated team so we have compliance audits these audits assess an organizations internal controls against industry standards or Regulatory Compliance they ensure compliance with policies and procedures and if we are in a regulated industry our policies and procedures should align to our regulatory obligations especially in larger organizations we'll typically see an audit committee this is a committee usually repor in to the board of directors that is responsible for overseeing the internal audit function and ensuring its independence it doesn't work exactly the same in any two companies but that's the typical structure now self assessments are internal evaluations conducted by an organization's own staff to identify areas for improvement in controls or processes the organization's own staff is the key differentiator here but not surprising given we're talking about internal functions now let's talk about external audit and assessment external Audits and assessments are performed by entities outside of the organization so for example regulatory audits these are audits required by government agencies or other regulatory bodies to ensure compliance with specific regulations like sarban oxly for publicly traded companies Hippa High trust for healthc Care organizations PCI DSS for companies that are processing credit card transactions and the Auditors and the auditing is coming from an appointed third-party firm quite typically so it's not always the government agency or the regulatory body itself but someone they have appointed often a big consulting company that 
specializes in that audit function examinations this is a broader term encompassing various types of external reviews and including compliance Audits and security assessment an independent third party an external unbiased entity that conducts the auditor assessment free from conflicts of interest within the organization moving on to penetration testing and we'll start with the categories of penetration test so just a level set penetration testing is a process that actively assesses deployed security controls trying to exploit vulnerabilities by simulating or performing an attack a physical penetration test evaluates the physical security measures of a facility assessing the possibility of unauthorized physical access to systems or data offensive testing focuses on the technical security of computer systems and networks attempting to exploit vulnerabilities to gain unauthorized access defensive testing focuses on evaluating the effectiveness of existing security controls to withstand attacks and integrated testing combines physical offensive and defensive techniques for a more comprehensive evaluation so to be clear integrated is physical plus offensive plus defensive and next we have types of penetration testing so we have the known environment where the pin tester is given a map of the target systems and networks and they go to test with substantial or even full information of the target systems and networks we sometimes call this a white box test essenti because the light has been shown on the environment on our behalf unknown environment where the pentester knows nothing about the target systems and the network they go into the test completely blind in the dark so to speak and build out the database of everything they find as they go because they are in the dark we call this the blackbox test then we have the partially known environment where limited information is shared with the tester sometimes in the form of login credentials this simulates the level of 
knowledge a hacker with long-term access to a system would achieve through research and system footprinting sometimes called the gray box test so we can think of that as being a partially illuminated view into the environment so I call those terms out because you might see white box black box or gray box test appear as a potential answer on a question so I wanted you to know the also known as options for these environments then just again to remind you of the all important Rules of Engagement engagement The Rules of Engagement in the context of a pen test Define the purpose of the test and what the scope will be for the people who are performing this test on the network they ensure everyone will be aware of what systems will be considered date and time and any constraints everyone should be aware of moving on to active and passive reconnaissance in passive reconnaissance we're not interacting directly with the Target and as such the target has no way of knowing recording or logging activity this involves G Gathering data from publicly available sources a few examples of passive reconnaissance searching the internet so searching for information about the target organization its employees and its systems reviewing media we can examine social media posts news articles and public records that might reveal details about the target's security posture analyzing DNS records to understand the target's Network infrastructure and using search in with Advanced operators to find specific information about the Target on the Google search engine we call that Google Dorking and next is active reconnaissance which interacts directly with the Target in some way and as such the target may discover record or log these activities so this involves using tools and techniques to probe and scan the target for vulnerabilities and potential entry points let's look at a a few examples of active reconnaissance so we could use port scanners to identify open ports on target networks and services 
running on those ports sending ping sweeps to identify active devices on the network using vulnerability scanners to identify known weaknesses in the targets systems and software employing social engineering techniques to trick the target's employees into revealing information about the target's security practices it's important to remember that you should never do these without a written signed contract from that Target organization if you don't have scope and permission in writing and signed these are not activities you'll want to engage in because they are trackable discoverable and potentially punishable and it is our ethical responsibility to always do things by the book and that brings us to the end of section 5.5 and here in section 5.6 we'll be focused on security awareness practices the syllabus asks us to implement security awareness practices which is another way of saying various forms of security awareness training so we'll touch on topics like fishing anomalous Behavior recognition which means helping our users to recognize risky unexpected or unintentionally bad behavior an array of practices around user guidance and training reporting and monitoring to monitor the efficacy of our efforts and some endtoend examination of the process including development and execution but before we dig into the syllabus here we're going to get into some foundational material quickly around social engineering helping our users to understand the principles of social engineering lie at the core of teaching them how to make better decisions when it comes to protecting our organization from threats so there are six or seven principles of social engineering depending on who you talk to we're going to go through seven the first is Authority an attack or citing position responsibility or affiliation that grants the attacker the authority to make the request whether that's impersonating a third party Authority or someone of authority within the organization that's a common 
approach intimidation suggesting that you may face negative outcomes if you do not facilitate access or initiate a process consensus claiming that someone in a similar position or a peer of yours has carried out the same task in the past scarcity a request focused on limited opportunity diminishing availability that requires we get this done in a certain amount of time it's similar to urgency which we'll touch on in a moment scarcity tends to focus on on quantity next we have familiarity attempting to establish a personal connection often citing mutual acquaintances using social proof to establish a connection a personal connection we call this liking as well meaning it's an attempt to get the victim to like the attacker because we'll do things for people we like right next there's trust ciding knowledge and experience sometimes even assisting the target with an issue to establish a relationship to build trust and finally urgency time sensitivity that demands immediate action similar to scarcity sometimes used together with scarcity limited time limited quantity limited opportunity what these principles have in common is they are all attempts to get users to circumvent our standard security policies and procedures so at the core of security awareness practices and training is to teach our users to recognize Bad actors using these principles to get them to step outside their normal decision making process and to round out the foundation here I want to touch on some social engineering attacks and at a high level there are two categories of social engineering attacks there are physical attacks and virtual attacks and the physical would include attacks like tailgating and shoulder surfing and dumpster diving on the virtual side we have an array of what are largely fishing variants along with the watering hole but together with those seven elements of social engineering those seven principles you'll have a good foundation for what we're dealing with what we're trying to 
teach our users when it comes to security awareness because bottom line in the world today email is the number one way in the door to an organization for ransomware fishing is that delivery mechanism so to summarize social engineering is an attempt by an attacker to convince someone to provide info like a password or to perform an action they wouldn't normally perform like clicking on a malicious link and they'll often even try to gain access to the it infrastructure or the physical facility but as I mentioned fishing is that number one way in the door it's commonly used to trick users into giving up personal information account passwords click a link open an attachment and you want to know the fishing variants out there so you have spear fishing that targets specific groups of users you have whaling which tends to Target highlevel Executives or whales as they're called sometimes fishing which is voic Mail based fishing it's phone-based and smishing which is text based messaging on mobile but it's the number one Cyber attack it's an entry point for ransomware you want to know these variants for the exam and on the job actually the official study guide also mentions that the best defense for social engineering techniques is security awareness training now we see spam and spim show up in the official study guide as well so more fishing variants so spam you've heard of No Doubt which is unsolicited email generally considered an irritant but we defeat that with strong filtering and we have spim which is Spam over instant messaging also generally considered an irritant but your IM your instant messaging and your mobile providers are providing some protection here for all of your major carriers now you can download an app that will identify malicious text messages for example and send those to the bin but you want to create usernames that are not easily guessable you don't want to add your ID to a public directory on an instant messaging platform to try to maintain some 
anonymity for sure but do bear in mind while these are generally considered an irritant they're not always just an irritant both are delivery channels for ransomware let's talk through some physical attacks we have dumpster diving which is gathering important details from things people have thrown in the trash this can Target individuals or organizations this could be the bin behind the corporate office this could be your rubbish bin at the end of your drive that you carry down for weekly delivery so we want to make sure we don't put sensitive information into the bin we want to securely shred any paper that contains information we wouldn't want external entities to see secure shredding typically involves shredding in two directions it's not going to be just shredding One Direction into long strips it'll be doing kind of a crisscross next we have tailgating when an unauthorized individual might follow you through an open door without badging in themselves this is usually not an accident then we have eliciting information this is leveraging social engineering techniques so here we'd see casual conversation being used to extract information without arousing suspicion which means they're going to be employing some of those seven principles of social engineering to gain trust but you'll often see these attempts involving very complex cover stories to provide social proof to provide that connection to someone within the organization to make it sound as though what they are asking is okay then there's shoulder surfing which is a criminal practice where thieves will steal your personal data by spying over your shoulder and it's important we teach users to be aware of this because it can happen anywhere on any device it can happen in the office with a consultant or other visitor in the office it can happen at a coffee shop anywhere with any device really computer phone Etc next we have farming which is an online scam where a website's traffic is manipulated through DNS and 
it redirects the user to a different malicious website that's a appointment toe of uh the words fishing and farming okay that's some Foundation that's some background now let's shift to the items we see in the syllabus so fishing as we saw is a deceptive attempt to steal sensitive information by masquerading as a trustworthy entity in an electronic communication might be email might be a text message might be a voicemail so what we want to do to prepare our employees number one is to conduct simulated fishing campaigns to test employee awareness and their preparedness this can help identify knowledge gaps that require additional training and what you'll find is some of your online email platforms for the Enterprise or thirdparty products allow you to create very realistic simulated fishing messages so you can test your employees and those who click on the message and fail can be redirected to training in real time where that malicious Link in that simulated fishing email when they they click on it says hey you've been fished let's go turn this into a training opportunity we also need to teach our employees to recognize a fishing attempt so training employees on red flags associated with fishing emails generic greetings typos urgency suspicious attachments or links a known sender name but unknown sender email address and then how to respond to reported suspicious messages so we need to establish a clear procedure for employees to report suspicious emails to the it security team this should include instructions on how to Ford the email without compromising security this way the it security team can look into that we can forward that on to the AI service that trains our cloud email protection all your anti fishing anti-malware email protection these days uses AI uses machine learning so anything your users report is generally speaking going to roll into that service and train the service to do better next on the syllabus anomalous Behavior recognition our employees 
should be trained to recognize when risky unexpected and unintentional Behavior takes place so let me give you some examples in each of these three categories so risky would be activities like downloading files from untrusted websites clicking on suspicious links in an email sharing passwords or other sensitive info with other users leaving work devices unended in public unexpected situations a sudden increase in failed login attempts for a user so we're going to recognize this from the it side right a user accessing sensitive information outside their normal duties working unusual hours outside of their normal schedule transferring large amounts of data to personal devices this could indicate a malicious Insider this could also indicate a compromised ID Identity or device then we have the unintentional so a user using weak passwords and also using the same password repeatedly across multiple sites we can do a fair bit to prevent that a user falling victim to a fishing attack and entering credentials which we address through awareness training through fishing simulations printing sensitive documents and leaving them unattended we'd certainly want to prohibit this in a company policy but also some worth reminding our users of periodically in our security awareness training and then there's the very common oversharing sensitive documents what we'd call a data leak next on the syllabus we see user guidance and training and there are several important topics that should be included in end user security training programs we see an official list or a quasi official list at least in the official study guide so the company's security policy handbook should include a section with guidance on fishing awareness and this should also include guidance on reporting those suspicious messages we should codify in our policy handbooks what we have trained users in our periodic security awareness training situational awareness so train employees on the evolving threat landscape 
emphasizing The increased risk of fishing attacks in a remote work environment and teaching them to open emails from unknown senders with caution we should educate employees about the dangers of Insider threats such as disgruntled co-workers who may attempt to steal data or interrupt business operations this can help our employees to identify what may be potentially malicious requests from co-workers but we also want to make sure that our entire it and it security staff are aware of the Hallmarks the common signs of Insider threat Mass download Mass upload Mass deletion doing a lot of work outside normal work hours continuing down the user guidance list password management we want to train employees on strong password creation and management practices and advise against password reuse across multiple sites and encourage the use of password managers removable media and cable so reminding employees about the security risks associated with using removable media USB drives external hard drives and public charging cables training should guide use of authorized devices and data encryption which means also from a security perspective we should have controls in place that only allow the use of known approved removable media types which you can typically control through policy based Administration using the ID of the various device types also on the list social engineering so educating employees on different social engineering techniques commonly used in fishing attacks training users on those seven principles of social engineering I have seen that play out in the real world and it works over time and repetition it creates a Savvy user that can recognize social engineering attempts okay this user guidance and training list is a long one so to wrap it up the last couple here we have operational security so training employees on operational security principles like being mindful of the information they share online or in public places and risks of unsecured Wi-Fi networks or 
public computers hybrid and remote work are very common these days so we need to develop specific security guidelines for remote work setups and include guidance on home Wi-Fi and work data on personal devices so making sure our employees set set up a secure home Wi-Fi network and if we allow work data on personal devices that we establish some guard rails and best practices so let's talk development and execution in developing our security awareness training we want to develop training materials that are interesting right engaging informative and tailored to the specific needs of the organization and its employees we want to consider using also a variety of training methods everyone benefits from the employment of multiple training methods like online modules interactive in-person workshops video presentations whether live or recorded people have different preferences for learning so we want to hit them all execution so launching the security awareness training program across the organization ensuring all employees participate regardless of location hybrid training sessions on site and remote are very common where some users are in a room with a live instructors and others are on Zoom watching from home and we need to promote the training program internally and encourage employees to actively participate and ask questions many organizations will establish learning goals and send out automated reminders to the user so they complete the training periodically by specific deadlines and we need to regularly measure the effectiveness of the training program through assessments and Reporting and make adjustments so let's talk about assessment M and Reporting so reporting and monitoring so initially we could conduct an assessment to gauge employees current level of security awareness regarding fishing and related threats now this could be achieved through surveys or knowledge-based test quizzes of A Sort that can help us establish a Baseline and then we establish 
recurring training scheduling regular security awareness training sessions to reinforce best practice and keep employees updated on the latest fishing tactics the latest threats that they're going to face in their mailbox and out in the world and we want to monitor reporting Trends to identify areas where employees might need additional training or support it is a fact that regular updates to training material are necessary to address evolving threats and employees weak areas so some companies will deliver training annually others semiannually I'm a big fan of quarterly so we can keep employees appr priced and gain that benefit of spaced repetition where we are having regular touch points with our employees to make them just a little bit better every time just as recurring contact with material space repetition helps you with exam prep it also helps your employees all righty my friends that's a wrap on Section 5.6 and indeed the end of domain five and a wrap on the Security Plus exam cram series I will have a Consolidated full course out in the next few days as always if you have questions leave them in the comments drop me a line on LinkedIn always happy to help anywhere I can I'll wish you the best of luck on your Security Plus exam be sure to come back and let me know your result and I look forward to seeing you on a future exam prep series and until next time take care and stay safe
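As an added example, not from the course or the official study guide, the Python below turns the phishing red flags the 5.6 material tells us to train employees on (generic greeting, urgency, suspicious attachment or link, known sender name with an unknown sender address) into a triage check an IT security team could run over a reported message. The contact directory, domains and both sample messages are constructed for the demo.

```python
"""Red-flag triage for a reported e-mail (added example; all names constructed)."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear employee")
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "will be suspended", "act now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".htm")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Hypothetical contact directory: lower-case display name -> the domain it should send from.
KNOWN_SENDERS = {"acme payroll": "acme.example"}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_message(msg: EmailMessage, known_senders=KNOWN_SENDERS) -> list[str]:
    """Return the red flags found in order checked; an empty list means none tripped."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = known_senders.get(name.strip().lower())
    if expected and sender_domain(addr) != expected:        # familiar name, wrong address
        flags.append("known sender name, unknown sender address")

    body_parts, attachments = [], []
    for part in msg.walk():                                 # collect text body and attachments
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    lower = "\n".join(body_parts).lower()

    first_line = lower.strip().splitlines()[0] if lower.strip() else ""
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(term in lower for term in URGENCY_TERMS):
        flags.append("urgency")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments):
        flags.append("suspicious attachment")
    for url in URL_RE.findall(lower):
        host = (urlparse(url).hostname or "").lower()
        is_ip = bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))
        # Look-alike: the trusted domain appears inside a host that is not it or a subdomain of it.
        lookalike = (expected is not None and expected in host
                     and host != expected and not host.endswith("." + expected))
        if is_ip or lookalike:
            flags.append("suspicious link")
            break
    return flags


def sample_phish() -> EmailMessage:
    """Constructed phishing-style message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "ACME Payroll <payroll@acme-example-mail.test>"
    msg["To"] = "jane.doe@acme.example"
    msg["Subject"] = "Payroll update required"
    msg.set_content("Dear Employee,\n\nYour direct deposit will be suspended unless you verify "
                    "your details within 24 hours at http://acme.example.login-verify.test/portal\n")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="PayrollForm.exe")
    return msg


def sample_legit() -> EmailMessage:
    """Constructed benign message from the same known sender."""
    msg = EmailMessage()
    msg["From"] = "ACME Payroll <payroll@acme.example>"
    msg["To"] = "jane.doe@acme.example"
    msg["Subject"] = "Q3 payroll calendar"
    msg.set_content("Hi Jane,\n\nThe Q3 payroll calendar is on the intranet at "
                    "https://intranet.acme.example/payroll\n")
    return msg
```

The flags are a triage aid for the reviewing analyst, not a verdict; a clean result only means none of these particular red flags appeared.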