WEBVTT

00:07.370 --> 00:11.570
Throughout your career as a cybersecurity specialist, you're going to come in contact with a lot of

00:11.570 --> 00:16.910
different regulations and compliance reports, even contractual obligations that you need to be aware

00:16.910 --> 00:17.240
of.

00:17.270 --> 00:21.680
In this episode, we're going to discuss the different frameworks that you need to be aware of and specifically

00:21.680 --> 00:27.110
for CySA+, the depth to which you need to be aware of these different frameworks. The different industry

00:27.140 --> 00:30.110
frameworks that you need to be familiar with are listed here on this slide.

00:30.110 --> 00:33.980
What you need to remember about those different industry frameworks is how they come into play

00:33.980 --> 00:37.460
with your job or your role as a cybersecurity analyst.

00:37.460 --> 00:41.870
You don't need to go into such depth with these different security frameworks to where you know them

00:41.870 --> 00:42.740
inside and out.

00:42.770 --> 00:48.800
However, your job as you're moving forward as an analyst may require you to go into more depth than

00:48.800 --> 00:54.350
what you're going to see here in our presentation today. For CySA+, what you really need to understand

00:54.380 --> 00:59.270
is the different aspects of each different framework and how they are different from one another,

00:59.270 --> 01:01.350
as opposed to the same as one another.

01:01.350 --> 01:05.670
Within the different frameworks that we're providing you today, it's important to note that you don't

01:05.670 --> 01:08.520
have to know each and every one at a detailed level.

01:08.550 --> 01:13.440
The exam isn't specifically over one framework over another.

01:13.440 --> 01:18.480
It's more or less an ideology that you need to be familiar with and a high-level overview.

01:18.510 --> 01:24.690
Meaning you may get a question on what type of framework is more for an international standard organization

01:24.690 --> 01:27.660
versus one that is specifically for the United States?

01:27.660 --> 01:33.690
You may also get different questions related to the availability of the data specific to a specific

01:33.690 --> 01:34.380
framework.

01:34.380 --> 01:38.130
We'll go into each one of these frameworks moving forward to kind of give you a clue, and then we'll

01:38.130 --> 01:41.910
wrap up at the end of the episode to identify what kind of questions you might see.

01:41.940 --> 01:47.970
The first framework I want to talk about that isn't actually in CySA+ is the NIST Cybersecurity Framework.

01:47.970 --> 01:54.780
This framework is all about understanding the specific standards and technologies specific to cybersecurity

01:55.140 --> 01:56.220
in the United States.

01:56.250 --> 02:01.750
Now, this framework is specific to Security+, but it's not technically in the CySA+ objectives.

02:01.750 --> 02:04.120
So why do we bring this up for you to understand?

02:04.150 --> 02:05.290
Well, it's quite simple.

02:05.290 --> 02:09.640
If it's in Security+, you probably need to know it because it's probably going to be added in later

02:09.640 --> 02:11.680
revisions for CySA+.

02:11.710 --> 02:16.570
With that said, you have to remember that the NIST Cybersecurity Framework is all about United States

02:16.570 --> 02:20.290
standards and how that technology is used in cybersecurity.

02:20.320 --> 02:26.500
This framework is all about understanding those specific industry technology requirements, i.e., what

02:26.500 --> 02:32.740
does a firewall do and how that firewall is supposed to be properly configured in order to maintain

02:32.740 --> 02:35.050
the best reliability within your network?

02:35.080 --> 02:41.530
NIST is all about understanding specific fundamentals of what the technology should do, and it's more

02:41.530 --> 02:45.190
technology-centric rather than policy or procedure basics.

02:45.550 --> 02:48.370
It doesn't mean that it doesn't have policies or procedures really in there.

02:48.370 --> 02:51.070
It does, but not at an in-depth level.

02:51.070 --> 02:55.600
It's really more about the technology and how that technology should be utilized within each individual

02:55.600 --> 02:56.080
network.

02:56.110 --> 03:03.040
The Payment Card Industry Data Security Standard, or PCI DSS, is specific to cardholders.

03:03.040 --> 03:09.400
If you get exam questions specific to cardholder data or financial information related back to a security

03:09.430 --> 03:13.990
standard, you have to remember that PCI DSS is most likely what they're referring to.

03:14.020 --> 03:20.320
This standard is all about protecting cardholder data and maintaining secure payment systems throughout

03:20.350 --> 03:24.880
not only the technology process, but also the procedures tasked with individuals.

03:24.880 --> 03:29.950
The PCI DSS framework is designed specifically for the payment card industry.

03:29.950 --> 03:31.600
But it's not a regulation.

03:31.600 --> 03:36.310
It's not a government entity that's coming in and enforcing this contractual obligation.

03:36.310 --> 03:41.860
This is where the industry really took hold and said, we need to come up with our own standards so

03:41.860 --> 03:44.500
that the federal government doesn't come in and mess everything up.

03:44.500 --> 03:47.380
That's exactly what the PCI DSS is all about.

03:47.380 --> 03:52.990
It's a contractual obligation between the users of those credit cards and how that credit card information

03:52.990 --> 03:56.470
is processed versus the actual cardholder.

03:56.470 --> 03:59.590
Security systems at the higher end.

03:59.620 --> 04:02.810
It enables such things as saying, hey, you need to have encryption.

04:02.810 --> 04:08.810
When you're sending payment card information over the wire, you need to store your information in this

04:08.810 --> 04:09.980
form or fashion.

04:09.980 --> 04:15.050
You'll see that I'm not really identifying specifics within the payment card industry, but more of

04:15.050 --> 04:16.220
a high level overview.

04:16.220 --> 04:19.730
And those are the types of questions that you should expect to see when it comes to PCI

04:19.730 --> 04:23.510
DSS in relation to your CySA+ exam.

04:23.510 --> 04:29.480
This Payment Card Industry Data Security Standard is all about understanding the risk and the liability

04:29.480 --> 04:36.290
to the cardholders and the processes that are in place, i.e. the financial institution, and to minimize

04:36.290 --> 04:38.660
that liability and risk as much as possible.

04:38.660 --> 04:45.470
If you see exam questions like this security standard is how you would facilitate encryption over credit

04:45.470 --> 04:48.140
card or over the transmission of cardholder data.

04:48.170 --> 04:52.280
That's usually going to be PCI DSS when it comes to those exam questions.

04:53.900 --> 04:59.210
The Center for Internet Security (CIS) benchmarks were originally the SANS Top 20.

04:59.240 --> 05:04.290
Over the years they have migrated over to this new form of functionality, which we specifically talk

05:04.320 --> 05:05.310
about today.

05:05.340 --> 05:11.340
Again, you don't need to know the specifics of the CIS benchmarks, but you do need to understand what

05:11.340 --> 05:12.270
they're there for.

05:12.300 --> 05:18.000
The actions are designed to help enhance your overall security posture within the organization.

05:18.030 --> 05:20.130
We're going to discuss both of those right now.

05:20.130 --> 05:22.140
And I'm going to kind of show you what we're talking about.

05:22.170 --> 05:24.450
Let's talk about the NIST cybersecurity framework.

05:24.450 --> 05:27.000
And I'm going to show you what that website looks like right now.

05:27.030 --> 05:33.450
This is the nist.gov Cyber Framework website, which you can access via the link that we provide you

05:33.450 --> 05:34.740
in the resources page.

05:34.740 --> 05:40.290
You can see here on the website that we've got different resources available to us and that we're currently

05:40.290 --> 05:42.780
in the Cybersecurity Framework 2.0.

05:42.810 --> 05:46.020
You can read the document just by hitting this little tab right here.

05:46.020 --> 05:50.730
You can set up different templates or profiles associated with how you would utilize this framework

05:50.730 --> 05:52.350
within your own organization.

05:52.380 --> 05:55.590
You can see the different Quick Start guides specific here.

05:55.590 --> 06:00.580
And of course there's the mapping which really provides you a resource to identify.

06:00.610 --> 06:06.310
I've got this issue and I want to map it to this policy or procedure that NIST has put out.

06:06.310 --> 06:10.300
If I click on the read document, you can see here that it's going to have a little pop up menu.

06:10.330 --> 06:11.590
I'm just going to press okay.

06:11.620 --> 06:14.110
On understanding that I understand my rights and privileges.

06:14.110 --> 06:15.820
And it pulls up the document.

06:15.850 --> 06:22.330
Now this document is fantastic for providing you a basic abstract and understanding of what this information

06:22.330 --> 06:23.020
covers.

06:23.050 --> 06:28.270
Again, the table of contents comes into play and you can see that this is a very hefty document and

06:28.270 --> 06:31.570
recently updated as of February 26th, 2024.

06:31.570 --> 06:36.550
You can scroll down and utilize different accesses for this document.

06:36.550 --> 06:40.090
For instance, let's say I wanted to improve my risk management communication.

06:40.090 --> 06:45.370
It talks about how you can improve those risk management communications within your own organization,

06:45.370 --> 06:48.310
and provide some handy dandy guides that come along with it.

06:48.340 --> 06:54.070
Again, this is really overall a good foundational level for the cybersecurity frameworks that you might

06:54.070 --> 06:54.700
utilize.

06:54.700 --> 06:58.510
And if you scroll down a little bit more, you can start to see where it comes into play with privacy

06:58.510 --> 07:00.150
risk versus cybersecurity risk.

07:00.150 --> 07:05.130
And it really does provide that cohesive knowledge base that you may see in the United States.

07:05.160 --> 07:11.100
Now, I did talk about a little bit of how NIST comes into play with understanding the technical terms

07:11.100 --> 07:12.360
within the framework.

07:12.390 --> 07:18.540
You can see here that if I scroll all the way down, if you scroll down to appendix B, you can see

07:18.540 --> 07:21.660
here that we have different tiers associated with risk governance.

07:21.660 --> 07:27.180
This document provides us the different risk governance associated with it and how to utilize that risk

07:27.180 --> 07:29.550
governance in our own different organization.

07:29.580 --> 07:36.180
Again, you can see tier one, tier two, tier three, and it goes down all the way to tier four, which

07:36.180 --> 07:40.980
we see adaptable, meaning that your organization is adaptive to what's going on.

07:42.690 --> 07:47.700
This specific document is only 27 pages long, so it provides a good understanding of their overall

07:47.700 --> 07:50.310
framework of how to utilize the cybersecurity framework.

07:50.310 --> 07:56.130
But it's not going to go into so much detail that it overrides your process or your thinking.

07:56.160 --> 07:58.440
Again, it's a good resource to have.

07:58.610 --> 08:03.380
We're going to take a look at the CIS benchmarks and how that web page looks as well, so that you can

08:03.380 --> 08:05.570
get a good handle on what it encompasses.

08:05.570 --> 08:10.790
When you first log into the CIS or the Center for Internet Security website, you'll have to log in with

08:10.790 --> 08:14.060
your email and provide that information to sign up for the website.

08:14.060 --> 08:17.240
Once you've signed up, you should see a web page that looks something similar to

08:17.270 --> 08:17.720
here.

08:17.720 --> 08:21.860
You can see that it provides the different benchmarks that need to be associated with the different

08:21.890 --> 08:24.860
technology that you may use, for instance, operating systems.

08:24.860 --> 08:27.740
You can see here that it's Distribution Independent Linux.

08:27.740 --> 08:32.420
We can scroll down and you see that it's got Windows 10, Windows 11 and the different editions.

08:32.420 --> 08:37.940
You can even see that it provides those Microsoft Windows 7 workstation benchmarks from way, way long

08:37.940 --> 08:38.600
ago.

08:38.600 --> 08:42.680
If you continue to scroll down, you can see Debian followed by Ubuntu.

08:42.710 --> 08:48.050
We can also see Amazon, CentOS, and you can see the full gamut of different operating systems that

08:48.050 --> 08:53.150
are out there and available today, where CIS has come in and said, this is how we're going to secure

08:53.150 --> 08:56.330
these different operating systems through the different benchmarks available.

08:56.330 --> 09:01.470
There's just a ton of them available here, including VMware, MongoDB.

09:01.830 --> 09:03.990
There's also Apache Tomcat.

09:04.020 --> 09:09.000
I mean, it's just an incredible amount of information available at your fingertips, each associated

09:09.000 --> 09:14.850
to a different operating system or provider associated with the different technology you may utilize.

09:14.880 --> 09:20.130
While it doesn't have 100% of every technology available, you can see that it covers even some of the

09:20.130 --> 09:22.860
more minute details, like Snowflake.

09:22.890 --> 09:27.270
It even provides mobile devices such as Apple and Google Android.

09:27.270 --> 09:29.880
And further it goes down to Juniper.

09:29.940 --> 09:31.350
We see Google Chrome.

09:31.350 --> 09:34.500
I mean, there's just a phenomenal amount of them out here.

09:34.500 --> 09:39.240
We're going to click on the Distribution Independent Linux here and download the PDF.

09:39.630 --> 09:44.430
This is the CIS benchmark for Distribution Independent Linux systems.

09:44.430 --> 09:46.290
Version 2.00.

09:46.320 --> 09:50.610
You can see here that it was updated on 7/16 of 2019.

09:50.610 --> 09:52.380
And it provides quick terms of use.

09:52.380 --> 09:58.360
I can go through this and identify the different aspects of this system that I want to know more about.

09:58.390 --> 10:04.420
For instance, if I wanted to know more about ensuring the mounting of cramfs filesystems is disabled, it's

10:04.450 --> 10:05.740
on page 21.

10:05.740 --> 10:12.190
If I want to go through and ensure that a separate partition exists for /var/log (scored), I can

10:12.190 --> 10:13.420
go to 53.

10:13.450 --> 10:17.320
Let's scroll down to one just at random to try to see what it looks like.

10:17.320 --> 10:24.220
So this one right here is literally ensuring that your nodev option is set on the /tmp partition.

10:24.220 --> 10:25.150
And it's scored.

10:25.150 --> 10:30.490
We can see here that it's considered a profile applicability for server and workstation level one.

10:30.490 --> 10:32.470
And it's on the nodev mount.

10:32.470 --> 10:38.200
If I scroll down to the bottom you can see that we can verify the nodev option is set if the /tmp partition

10:38.200 --> 10:44.110
exists by providing a mount with grep -E, and then it gives me the entire command.

10:44.110 --> 10:50.710
The best part is I can literally grab all of that, copy it, and then put it into my Linux system if

10:50.710 --> 10:52.390
I wanted to run that command.

10:52.420 --> 10:58.290
It provides us a great foundation for understanding the different positions and how to secure

10:58.320 --> 11:02.400
our operating systems, and it provides the commands in order to make it happen.

11:02.430 --> 11:06.480
So this has gone through a lot of detail to provide this information to you as a user.

11:06.480 --> 11:11.970
But as far as CySA+ is concerned, while you don't necessarily need to know each individual command or

11:11.970 --> 11:17.910
even understand the overall complexities of how to do it, you do need to know where the references

11:17.910 --> 11:19.980
are and how to utilize them.

11:19.980 --> 11:22.440
That's really where CySA+ comes into play.

11:22.440 --> 11:24.960
It's that high level overview of understanding.

11:24.960 --> 11:30.600
If I want to understand on an independent workstation, where would I get those specific commands from?

11:30.600 --> 11:35.340
The answer would obviously be the CIS benchmarks for an independent Linux system.

11:35.340 --> 11:39.270
Now, again, it provides us a load of different manuals to go through.

11:39.300 --> 11:40.800
You don't need to memorize all those.

11:40.800 --> 11:44.430
Just realize that that's where the CIS benchmarks really come into play.

11:44.910 --> 11:49.590
The other resource that I really want to show you is a guide for defining reasonable cybersecurity.

11:49.590 --> 11:51.720
This was again put out by CIS.

11:51.720 --> 11:53.640
And let's take a look at that right now.

11:53.880 --> 11:59.070
So in the reference material in the resources below, we've provided you this guide that you can download

11:59.070 --> 12:00.150
to your own machine.

12:00.150 --> 12:05.430
This guide is a simple PDF and it provides us a guide for defining reasonable cybersecurity.

12:05.460 --> 12:09.870
Again, it provides us a basic acknowledgements page, and then it provides us the executive summary,

12:09.870 --> 12:13.590
which basically says there's no minimum standard available across the United States.

12:13.590 --> 12:19.530
We don't have any laws or regulations that dictate across our industry exactly how we have to go through

12:19.530 --> 12:22.710
the different processes and procedures to secure our systems.

12:22.710 --> 12:24.240
There's no set standard.

12:24.240 --> 12:29.010
If IBM wants to do their way and Microsoft wants to do it their way, there's nothing in there as far

12:29.010 --> 12:33.570
as the law is concerned, enforcing those companies to meet those minimum standards available, that's

12:33.570 --> 12:36.180
where the reasonable cybersecurity guide really comes into play.

12:36.210 --> 12:36.570
It is.

12:36.570 --> 12:40.200
The latest edition was put out on May 1st of 2024.

12:40.200 --> 12:44.310
So it's somewhat recent and provides us a lot of great information.

12:44.310 --> 12:47.970
If you scroll down, you can see here that we have a timeline of federal security laws.

12:47.970 --> 12:52.800
So it gives us a little bit of a foundation of where we came from, what the laws are available, and

12:52.800 --> 12:55.230
how they intersect with cybersecurity.

12:55.230 --> 12:57.660
But if we skip down to the very bottom.

12:57.660 --> 13:03.480
On page 14, we can see how an organization should properly implement cyber safeguards to achieve reasonable

13:03.480 --> 13:04.440
cyber security.

13:04.470 --> 13:09.570
In section five, we can see how an organization should properly implement cybersecurity safeguards

13:09.570 --> 13:11.790
to achieve reasonable cyber security.

13:11.820 --> 13:17.490
This guide doesn't go into the specifics on exactly what needs to happen, but it does provide us an

13:17.490 --> 13:20.310
a high-level overview of your different environments.

13:20.310 --> 13:22.560
For instance, it says you should know your environment.

13:22.560 --> 13:24.960
We need account and configuration management.

13:24.960 --> 13:29.940
We need security tools, data recovery, security awareness and of course business processes and outsourcing.

13:29.940 --> 13:36.390
And it provides some great guides and high level knowledge of what they constitute as a reasonable safeguard

13:36.390 --> 13:37.470
within the system.

13:37.500 --> 13:41.940
It provides us a blanket statement over what they consider to be security awareness, and all of that

13:41.940 --> 13:44.100
should be utilized within your organization.

13:44.130 --> 13:49.530
Again, it's not providing any specific details, but it is providing us a great overview of what you

13:49.530 --> 13:54.390
should be doing from a specific procedure or process point of view.

13:54.420 --> 13:59.660
If we scroll down even more, you can see the data privacy statutes available on a state by state basis.

13:59.660 --> 14:04.580
And again, if I keep scrolling down, it goes into more and more detail as we go through.

14:04.610 --> 14:11.510
Finally, in Appendix H, you can see implementing all 153 safeguards for the CIS critical security

14:11.510 --> 14:12.260
controls.

14:12.260 --> 14:15.020
And it provides, again what you should be taking.

14:15.020 --> 14:17.870
But it doesn't exactly tell you how to take those actions.

14:17.870 --> 14:23.510
For instance, number two says we need to actively manage our inventory, track and correct all software,

14:23.540 --> 14:28.640
operating systems and applications on networks so that only authorized software is installed and can

14:28.640 --> 14:33.650
execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

14:33.680 --> 14:34.970
It just tells us to do it.

14:35.000 --> 14:36.590
It doesn't tell us how to do it.

14:36.590 --> 14:42.710
And that's really where the brunt of the information comes in from a high level. For the CySA+ exam, you

14:42.710 --> 14:47.000
really just need to understand that this document exists and that it provides us a reasonable guide

14:47.000 --> 14:48.350
for cybersecurity.

14:48.380 --> 14:54.470
That guide is very high level and provides us a list of things that we should do within our own organizations

14:54.470 --> 15:00.530
to better protect and safeguard not only our data, but consumer data that may be residing on our systems.

15:00.590 --> 15:08.000
ISO, or the International Organization for Standardization, produced the 27000 series specific to cybersecurity.

15:08.030 --> 15:15.200
The 27000 really lists the overall objectives or vocabulary specific to cybersecurity, and it really

15:15.200 --> 15:21.290
doesn't go into finite decisions that need to be made, but it provides an overall arc of the different,

15:21.320 --> 15:24.320
different episodes or different guides available to it.

15:24.350 --> 15:31.370
For instance, ISO 27001 goes over information security management systems and their requirements as

15:31.370 --> 15:32.870
seen by ISO.

15:32.900 --> 15:37.910
It's a standardization that they say, hey, we need to do this in order to meet the guidelines or requirements

15:37.910 --> 15:41.090
set forth by the ISO 27000 series.

15:41.120 --> 15:46.400
Now, each one of these different guides is specific to a specific industry requirement.

15:46.400 --> 15:52.850
Meaning while it all has to do with cybersecurity or security in general, the different guides associated

15:52.850 --> 16:00.630
with it come at different concepts associated with that security. For instance, 27005 goes over

16:00.630 --> 16:06.990
security risk management, and 27006 goes over requirements for bodies providing audit and certification.

16:06.990 --> 16:13.380
While this guide or while this organization standardization can be certified, you can go through the

16:13.380 --> 16:19.020
actual checks and balances and audits to be ISO certified for 27000.

16:19.020 --> 16:22.650
It's not necessarily a requirement based on every organization that you work at.

16:22.680 --> 16:27.720
A lot of organizations in the United States, they go more towards the side of the house, but not all

16:27.720 --> 16:28.140
of them.

16:28.140 --> 16:33.630
Some organizations use one or the other, and some organizations use both, because NIST is more on

16:33.630 --> 16:37.470
the technical perspective and ISO is more on the process and procedures perspective.

16:37.470 --> 16:42.420
What you need to know about this, as far as CySA+ is concerned, is that a lot of questions that you're

16:42.420 --> 16:48.720
going to see come in the fact of which standards organization is international or which one is worldwide?

16:48.720 --> 16:53.430
They really ask those questions providing the different numbers or nomenclatures associated with it.

16:53.430 --> 17:01.080
With ISO, you should expect to see questions like which of these ISO standards deals specifically

17:01.080 --> 17:02.970
with information security management?

17:02.970 --> 17:04.920
That's 27001.

17:04.920 --> 17:09.990
You don't really need to know every last one of these different episodes or guides or remediations when

17:09.990 --> 17:12.600
it comes to play, but I would have an idea of that.

17:12.600 --> 17:18.750
27001 is the most popular, followed by 27005, which is risk management.

17:18.780 --> 17:23.280
The other ones you just need to realize are there and you should be okay for the exam.

17:23.280 --> 17:28.200
For the most part, I wouldn't expect to see questions that relate directly to what the guides hold,

17:28.200 --> 17:32.760
but more of a high level overview of knowing where to find the information if you need it to address

17:32.760 --> 17:33.360
the guide.

17:33.360 --> 17:38.940
For instance, you may be asked a question on which guide within the 27000 series specifically deals

17:38.940 --> 17:39.990
with risk management.

17:39.990 --> 17:43.980
You might need to know that that is ISO 27005.

17:44.190 --> 17:48.210
Let's take a look at the 27000 series and what it looks like on the web page.

17:48.210 --> 17:56.410
Now, if you go straight to the ISO standards and look at the IEC 27000 family, you can scroll down and

17:56.410 --> 17:58.240
actually get the email for updates.

17:58.240 --> 18:02.050
You don't necessarily need to subscribe to it, but just be aware that you can.

18:02.080 --> 18:06.910
Underneath you can see the different highlights associated with the 27000, and you can see the

18:06.910 --> 18:09.370
different dates associated with each manual.

18:09.370 --> 18:13.450
For instance, the Information Technology 27000 series.

18:13.480 --> 18:18.130
The overall 27000 manual was produced in 2018.

18:18.160 --> 18:20.080
That is the latest copy you can see.

18:20.080 --> 18:23.380
The 27001 was updated in 2022.

18:23.410 --> 18:25.060
Same with 2002.

18:25.090 --> 18:28.150
Now unfortunately these are blocked behind a paywall.

18:28.180 --> 18:34.930
However, if your organization or your infrastructure deals specifically with ISO as one of their components,

18:34.930 --> 18:39.010
these would be unlocked for you and you would have full access to each one of these manuals.

18:39.010 --> 18:42.430
Again, CySA+ doesn't expect you to know exactly what's in each one.

18:42.430 --> 18:45.640
Just know where to find the information if you're asked a question about it.

18:45.970 --> 18:54.160
If we open up the 27001 right here, you can see on this document that it provides us a basic understanding

18:54.190 --> 18:56.130
of what 27001 includes.

18:56.130 --> 18:57.450
We can see on the right hand side.

18:57.450 --> 19:03.150
It provides us a scope, the references and the specific information of what's going to be covered within

19:03.150 --> 19:04.470
each one of the documents.

19:04.470 --> 19:10.230
If I scroll down, it provides me the purpose of the document, the contents, the scope access.

19:10.230 --> 19:14.970
And we can see here that some of the information is notably missing based on the fact that it's behind

19:14.970 --> 19:15.780
a paywall.

19:15.780 --> 19:21.060
If I scroll all the way down, we can see information security, incident management, and it says to

19:21.090 --> 19:26.370
direct yourself to a 3.54 for detecting, reporting, assessing, responding, dealing with and learning

19:26.370 --> 19:28.380
from information security incidents.

19:28.410 --> 19:33.270
If I scroll down some more, we can see that it just provides us a different list of the different

19:33.270 --> 19:37.020
confines associated with the 27000 series.

19:37.020 --> 19:39.630
It's literally just telling you where to find the information.

19:39.630 --> 19:44.400
If you're looking specifically for something in the 27000 manual.

19:45.270 --> 19:51.480
Next, I want to talk about the OWASP Top Ten or the Open Worldwide Application Security Project Top

19:51.510 --> 19:56.580
Ten. When it comes to web application vulnerabilities, this website provides us some good information

19:56.580 --> 19:59.940
when it concerns specific to web application security.

19:59.970 --> 20:03.960
Let's take a look at their website right now and see what it has to tell us.

20:04.080 --> 20:09.120
Here you can see the OWASP Top Ten project associated with web application vulnerabilities.

20:09.150 --> 20:14.490
This is a standardized awareness document for developers and web application security, and it was recently

20:14.490 --> 20:16.200
updated in 2021.

20:16.230 --> 20:21.390
They update this website about every 3 to 4 years, depending on what's going on within the industry.

20:21.420 --> 20:27.180
You can see here that they provided us the 2017 and transposed it over into 2021.

20:27.210 --> 20:29.970
While some of this has changed, most of it has not.

20:30.000 --> 20:35.640
We're only seeing three new designs or vulnerabilities associated with their newest version.

20:35.640 --> 20:44.130
For instance, in A04, we can see insecure design. That insecure design is new compared to

20:44.160 --> 20:45.330
2017.

20:45.360 --> 20:48.300
You don't need to know, as far as CySA+ is concerned,

20:48.330 --> 20:50.460
the 2017 vulnerabilities.

20:50.460 --> 20:56.060
You only need to know the 2021 vulnerabilities, but it would be a good idea to understand and appreciate

20:56.060 --> 20:58.940
each one of the different vulnerabilities they've associated with this.

20:58.940 --> 21:00.980
And that's why I provided that cross reference.

21:00.980 --> 21:05.660
In order for you to cross reference what you're trying to look at, for instance, broken access

21:05.660 --> 21:12.500
control, this one provides us that 94% of applications were tested for some form of broken access control.

21:12.530 --> 21:16.520
You don't necessarily need to know that 94% of applications were tested.

21:16.520 --> 21:17.870
You just need to know that.

21:17.900 --> 21:23.960
What broken access control is part of the OWASP Top Ten, you can expect to see questions related to

21:23.960 --> 21:28.970
which one of these security vulnerabilities is associated with which OWASP Top Ten.

21:29.000 --> 21:34.970
It's not uncommon to see different questions associated with CySA+, which throw back to the different

21:34.970 --> 21:40.610
vulnerabilities listed in the OWASP Top Ten. You might see a question like which one of these relates

21:40.640 --> 21:42.980
back to an OWASP Top Ten vulnerability?

21:42.980 --> 21:47.300
And it might be insecure design where it relates this type of design.

21:47.300 --> 21:53.330
Or this scenario proceeds back into this OWASP Top Ten. You might see a question that relates back

21:53.330 --> 21:57.040
to the security design or security vulnerabilities within the OWASP Top Ten.

21:57.070 --> 21:57.940
Something like:

21:57.940 --> 22:03.070
which one of these security misconfigurations relates back to a top ten vulnerability?

22:03.100 --> 22:09.940
You might see a question like, username and passwords are set to default or something

22:09.940 --> 22:15.640
else for triggering where we're not using a CAPTCHA or something like that might relate back to a security

22:15.640 --> 22:16.900
misconfiguration.

22:16.930 --> 22:22.360
Obviously a CAPTCHA is not a security misconfiguration, but default username and password is.

22:22.390 --> 22:27.220
This is where you might see different questions related specifically to the OWASP Top Ten.

22:27.250 --> 22:32.260
Be aware that you need to memorize each one of these top tens when it comes into play, and specifically

22:32.260 --> 22:36.430
to the 2021 version, not the 2017 version.

22:36.430 --> 22:39.550
If you can identify that, you should be good for most of the exam.

22:39.550 --> 22:43.120
Within this episode, we talked about the frameworks that you need to be familiar with.

22:43.150 --> 22:48.580
As you approach the CySA+ exam within your own careers, you should be associated and known for each

22:48.580 --> 22:52.270
one of these different frameworks and how they're introduced within your separate organizations.

22:52.270 --> 22:56.870
For instance, if you're looking for a career, say, in the payment card industry, it would be expected

22:56.870 --> 23:01.070
that you know more than just the high-level overview of the PCI DSS framework.

23:01.100 --> 23:03.650
So in the same vein, it's just like working in healthcare.

23:03.650 --> 23:08.030
If you were working in a healthcare environment, even as an IT perspective, you need to know more

23:08.030 --> 23:10.850
about HIPAA than, say, somebody that's working in telecommunications.

23:10.880 --> 23:16.730
As far as CySA+ is concerned, it's a very broad overview of each one of the different standardizations

23:16.730 --> 23:22.520
that would come into play for regulatory compliance, meaning you only really need to know that PCI DSS

23:22.550 --> 23:27.200
has to deal with financial institutions and payment card industry, and that data should be encrypted

23:27.200 --> 23:29.180
from point A to point C.

23:29.210 --> 23:30.950
That's really where we're going with this.

23:30.950 --> 23:36.380
You don't need to dive into each one of the individual frameworks because the exam isn't decided upon

23:36.380 --> 23:37.460
an individual framework.

23:37.460 --> 23:39.080
It's a high level overview.

23:39.110 --> 23:43.490
Do not go into each one of these frameworks into a deep level, trying to figure out what each framework

23:43.490 --> 23:44.570
really encompasses.

23:44.570 --> 23:46.190
It's not going to be on the exam.

23:46.190 --> 23:50.930
You really just have to have a high-level overview of what it includes and a memorization of the OWASP

23:50.960 --> 23:54.920
Top Ten, and you should be good for most of the exam questions that come into play.
