See the video here:
Today. I’m actually gonna train on access controls and documentation that goes with it.
So we’re gonna be talking about something a little bit different. Normally what I do is I go through jobs, break all of those jobs down and then talk about like how to get the jobs. And then I break down what the employer wants to see. But today we’re gonna do some actual training. now, if you’re interested in this training, if you want to go deeper, if you want to deep dive, cuz I’m only gonna cover like a few security controls, but if you want a deep dive, if you really want to know this stuff, then I have a couple of courses for you.
I’ve got a risk management information system, security officer foundations course, if you want to actually know it from a scratch, like you, you’re an it person. You, this is not for entry level type person. The risk management framework foundations is gonna assume that you have some level of it background.
And from there I build on what you already know and it walks you through how to get into risk management framework, how to do the actual information system security officer work. So if you want to deep dive into this, go to combo courses.com and go check those courses out. I also have this what you’re about to see as one slice of.
Some of the stuff that I’m putting into a new course that I’m developing right now. And if you want to have a full blown, you want to really check it out. I’ve gotta free. The first port portion of the course is actually free right now. If you go to convo courses.com you sign in and you can actually see the context of what I’m talking about.
And it’s a lot of really good stuff, but right now let’s get into access controls and some of the documentation. Let me see here. All right. So here are the access controls. These are actually, these are all the security controls and why you’re seeing two sets of these is that one is from risk management framework, 37 version one and one.
The bottom one is from version two. That’s coming. That’s already out right now, but there’s a set of N 853 controls that are coming soon. And so that’s what you’re seeing right now on the screen. So the top one is from version four version. Is it version three or version four? The top one you’re seeing is from the current version of the 800 nest, 853 controls.
The bottom one is the one that’s in draft right now, but it should be out. I think this year is when they recently pushed it out to some other date. So anyway, so those are, that’s what you’re seeing. You’re seeing access controls. You’re seeing at controls, training controls, MP controls, media protection, physical controls, all these different controls, that I’m gonna cover all of these in the training, I’m gonna be releasing a month over month until we get all the way to the end. And then I also ask questions if you purchase the actual course, but right now we’re gonna focus on just. AC controls and just a few of those AC controls, by the way.
If it would take us, it is gonna be many lessons to actually break down all that just AC controls. There’s 25 of ’em right now as up the time of this recording. All right. So first of all, what are access controls? So access controls are what an organization uses to control physical. Not it’s just not, it’s not just logical con controls, not just access to the information, but it also includes access to the system itself.
So some of that is in there, but it also includes things like roles. My cats in here, this is live by the way. , this is gonna conclude things like role based privileges. It’s gonna include things like. Separation of duties. There’s a lot of different things, but let’s talk about access.
What is access? It’s the ability to make use of any system or resource. So somebody walks into your facility and they want access to your servers, right? They need access. So access control is the process of granting or denying specific requests and obtaining obtaining access access, obtaining access to that information is what we’re talking about here.
And so the N 800 controls, actually it goes through a breakdown of how an organization goes about managing access to the information. All right. So these top six controls. Are some of the most important ones. And I talk about this in greater detail in the course, in the part of the free course, I talk a little bit about it, but I go in more depth in the one that’s coming out.
I’m gonna try to release it this month, but I talk about C one C two, and now we’re gonna right now, we’re gonna talk about C three, a C three access control three is access enforcement. So what is access enforcement? It is the organization’s ability to implement the actual access control policies. So not only does your organization have to put a policy in place that talks about how to control access a C three says not you have to implement it.
How have they implemented this the actual access. To the information like you’re saying in this document that you have access controls. And you’re saying that a person has to be trained before they come in. You’re saying now, do you do it, are, is it implemented throughout your organization? All right.
So that’s what we’re gonna talk about. All right. Let me show you what I’m talking about. You could follow along, feel free to follow along with me. If you like, what I’m doing is I am on this. Let me see if I can give you this link here. If you wanna follow along. Nope. I can’t sign into the chat, but where I’m at is N dot it’s nvd.n.gov.
If you wanna follow along with me, that’s where I’m at right now. So you go to Google and type in nvd.n.gov. You’ll find it. And if you go to, once you get there, you’ll click on the families like this. Let me just show you real quick. Click on the families that this site has. All the families breaks each one down, as you can see here.
And then I went to access controls and you got access control one, two, and now we’re on three. So I’m clicking on three right here. If you wanna follow along, you can also just download the PDF, the N 853 PD PDFs PDF, and then look at 853 C three, and you’ll find everything we’re seeing right here.
So what are we talking about here? This right here breaks down. What a C three is access enforcement. All right, so let’s just look at the actual description here. Let me just make this a little bit bigger so we can read this together and then we’re gonna interpret it. The information system. Enforces approved, authorized authorization for logical access to information and in and system resources in accordance with the applicable access control policy.
All right, so let’s break this down. So the information system enforces information system, what is an information system? It’s a computer, it’s a server. It’s a workstation. It’s a Cisco device. It’s an internetworking device. It’s a firewall information system covers all like that ground. It’s a very general term, but it, where we’re saying here, the C three says it enforces whatever system that is.
Let’s say it’s a windows 6, 20 16 server. It enforces approved authorizations for logical access to the information system. So in other words, there’s logical. What do we mean by logical? So there’s technical. Things in place on the system that enforce what you have written in your security policy. That is what they’re saying here.
So logical access, I’ll give you a specific example on our example of a server 2016 windows server, right? So a logical access would be, or enforcement of that logical access would be username and password. Simple enough. So if you written, if you, if your organization wrote in your policy that everyone who comes in has to have a username and the username has to be.
20 characters the username has to fit a certain certain policy. And then the password has to fit certain policy. Password has to be 14 characters long has to use upper lowercase, all that stuff’s in your policy, right? They’re saying that you have to have implemented that into the actual server itself.
And and before I show you how you, as an information system, security officer can actually check this out and make sure that the organization’s doing it. Let’s just deep dive into this a little bit further.
All right. So in here it’s lives finishing out the sentence. It says the information and system resource in in the, in accordance with applicable access control policies. Yeah. There. So there you go. The organization writes the policy and then the system has to actually implement what you said in the policy.
That’s what it’s saying right here. That’s really the name of the game here. So as an information system, security officer, I’ve been doing this for a long time. And the name of the game is the organization creates a policy, right? The policy states, what the rules are to having access to your environment.
And then you’re making sure as the information system, security officer, you are making sure that all of those policies are documented and they’re that they’re in place. And if they’re not in place, you have. Work it out with the stakeholders. And one of the things that you can do is a plan of action and milestone, but that’s for a whole nother discussion.
Okay. So let’s, this is look at a little bit more of this so we can get more details, supplemental guide. So this is a great supplemental guides are great because they put it in plain English. What they’re saying here. So once again, if you’re joining this late, this is AC three and I’m talking about we’re interpreting it.
And then we’re talking about how to implement this as an information system security officer. All right. So let’s get back into this. The supplemental guide says access control policies, and it says identified based policies, role based policy control, matrix cryptography. So these are some of the things you might put in your security control in your access control policy or your overall security policy.
That’s just why they’re examples. They’re just giving you some examples. So control. Access between activities, entities, or subjects. So they’re talking about, here are some examples you might have cryptography that cryptographer cryptography might be between might be between the user object and a file.
So they’re trying to be the way they write these is try to be as general as possible so that the organization has the freedom to implement the level of security that they need for their environment. Cuz there’s many kinds of environments. That’s why they write these like this.
All right. And they said, okay, give you an example of different kinds of entities, active entities and subjects, users or processes acting on behalf of users. Passive entities or objects. See just what I just said. So they’re saying that the access control policy will have some sort of a role based or a cryptography or something between different objects within the environment.
That’s what they’re saying here in this guidance, but let me show you, let’s put this in action. Let’s put this in action. Let me see, what can we do here? Okay. Where I’m at right now is what’s called AC. We’re on C three, but I’m on a document called 800 dash 53. A here’s how you can determine whether or not your organization is actually implementing the AC three in access enforcement.
You go to, this is just one of the things you can do by the way. One of the, one of the main things that I do, you go to 853, a. And 853 a is how you assess each one of the controls, all the controls, the act has every single one of the controls. So 853, a the reason why so useful is because when it’s, whenever a system is assessed, this document is what they actually use.
Or some parts of this document is what they might use name. The assessor might even not even know that they’re using 853 a but all the assessment stuff comes from this source document. So it’s very useful. Okay. So first of all, assessment objectives for a C three, determine if the information system forces approved authorizations for logical access is what we just read.
So the assessor has to make sure that number one, You have a security policy, right? Or some kind of a policy and that a policy addresses access controls. Now the assessor, one of their objectives is to make sure that the logical, the technical security features that you put on your system are in place and they match what you, what was written by and approved by your organization, in the security policy.
That’s all they’re doing. They’re saying, okay. What do you have in your security policy? All right. Are you doing that on this window? 16, 20 16 server. Let’s see. That’s what they’ll do. They’ll just say, okay. Log into the system. You’ll log into the system and it meets that just you logging in meets one of the access controls, because one of the access controls is that everybody will have a role.
Everybody will have a username password. Everyone will have a role. And then what they might do is say, okay, log in. Let me see you log in with a normal user account. And then they’ll say, okay, now try to access this this file system that, that you’re not supposed to access. They’ll tell you to access, say the audit logs or something, a normal user shouldn’t be able to access the audit logs.
So that’s the kind of things that they do now. Let me show you something else. Potential assessment methods and objectives. So this is things that a, an assessor can use to assess whether or not you have implemented a C three. You can either examine, you can interview or you can test, right? So normally for AC three, from what I’ve seen, they do two things.
They look at your your access control policy, which is normally in your security policy. And then they see, they say, okay, let me see what you got. Let me see you do it. Let me see you access that system. Let me see you access the backup drives, and then they’re determining whether or not you can.
So that’s one of the things that they do now. Let’s go to another control here. Let’s go to the next control. And I’m gonna go through a few controls here for you guys.
Let’s go to AC four and this is information flow enforcement. We’re gonna talk very briefly about this one and won’t spend a lot of time on it, but it is important just so you know, what is AC four information flow enforcement is the organization controlling the flow of data. And is it documented as an information system, security officer?
Those are the main questions for AC four. So let’s go ahead and let me show you what we’re talking about here. We’re gonna go to C4 and I’m still on nvd.n.gov. And I just want to, if you’re joining me late, you can just, you can follow along if you want, but I’m on nvd.n.gov, 853. Here we are. We’re gonna interpret it.
And then I’m gonna show you how it’s implemented, how some of the things that you can do to actually check on it. So AC controls, let’s see, let’s just go right to the description here. Here we are. And it says the information system we already described what the information system is enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on what the organization says, right?
They don’t the N doesn’t tell you, tell the organization what those control policies, what you should. What elements should be controlled. They allow the organization to control. And that’s why they say interconnection systems based on organization defined flow information flow policy. So the organization defines what the flow, the information flow is.
And then you’re suppo the informa. The organization has to enforce those policies that they put forth. So one of the main things that I have seen done to document information flow enforcement is a diagram. So a diagram that kind of maybe looks like this, it has firewalls. Let’s go through this.
This is on the N this is on cisco.com, by the way, network diagram, it has a DMZ, it has three servers in the DMZ, right? And we can see our DMZ is connected to a switch. The switch is. Connecting two different networks. Those networks are protected by these two different firewalls. Here’s one land, but that’s behind a firewall and it has some VPNs that are connected to the internet, right?
So this one has more exposure than these ones over here. This is the inside of our organization. So this one’s behind an internal firewall. So this is an external firewall and this is an internal firewall. And so this right here is showing what kind of flow enforcement we have. So we’re just saying that our data just doesn’t go out everywhere.
It’s controlled. We have a inter protected sanctum here with land computers, with all of our protected data on it. And then we have outside systems. We have a. We have a protection from the internet. So this is actually the internet. Maybe we have VPN clients that log in or guest accounts that can log in to certain limited resources that we have out there.
But what we’re saying with flow control is that we’re our, data’s not going anywhere, not I’ve seen this done and documented different ways. Another way that I’ve documented in the past, or I’ve seen other organizations documented is to just have a list of all of the land. If you have land and building five, a land and building seven and a land and building 10, you would just list out here’s the lands.
And here’s what they connect to. You could have like in a spreadsheet and explain what’s going on with those things. All right. So I’m gonna go ahead and move on from this one. And I’m going to address a couple of more access controls real quick. We’re gonna go straight into. these two right here.
We’re gonna talk about AC five separation of duties and ACC six privileged least privileged. These ones right here are probably the most overlooked security controls in the AC control family. And the reason I say that is because a lot of organizations, I go to one of the main vulnerabilities that they have is they either give too many permissions to users that don’t need it, or they don’t separate.
They don’t separate the different organization, organizational duties. And it’s an easy one to do, especially if you’re in a smaller, if you’re in a smaller organization where you only have 10 users, a lot of times those 10 users will have 10 different hats. You know what I mean is your security guy will do all the administrator work and they’ll do all the system analyst work.
And then they’ll also. be making multimillion dollar choices for the whole organization that they don’t, that’s not separation of duties. And sometimes you don’t really need, multiple people cuz you, you have five computers, five assets and you don’t really need a bunch of people to do all these different jobs.
So this is this one, these two right here are foundational. Like you, you real, the organization really needs to have these, but I notice a lot of people don’t have them. Let’s dive into what these actually mean. Cuz I realize I’m probably talking about stuff that you don’t, you might not understand.
So let’s go back here. I’m on nvd.n.gov once again, and I’m going to go to families just to show you how I got here and I’m gonna go to AC controls and then I’m gonna go to. I’m gonna go to separation of duties. I just wanna explain what separation of duties is, and then we’ll go to C six lease privilege.
All right, here we are right here and I see some people joining me. Thanks for watching. I’ll be answering questions after I cover these two items right here. All right. AC five separation of duties. What is separation of duties?
What do you do with separation of duties? The organization? This is N 853. The organization, whatever organization you work for, this is what they will do. The organization operates organization, defined duties of individuals. What does this mean? Let me interpret it for. All right. So it says the organization, if it’s the department of health and human services, if it’s the department of agriculture, the department of labor and Maine, whatever organization it is the organization, let’s say the department of health and human services separates whatever or whatever duties that they define.
So the organization has to actually define different duties and then they separate the duties. So the N is not telling you, yay. Veely all sec, cyber security people can’t do any kind of administrator work or administrator work. Can’t do firewall work or a server guy. Can’t be also be a firewall guy.
That’s not what they’re saying. They’re saying that where it makes sense. You’re gonna separate duties apart. So if you have. And what you’re trying to avoid is conflict of interest. That’s what, the reason why you’re trying to do it. And there’s certain places where it makes sense. If you are in a very small organization, you don’t really have to necessarily, if you don’t have the resources to do it, or if there’s no reason to do it, if you don’t have a server that’s controlling a thousand different systems or a hundred different systems, you probably don’t really need separation to duties.
You can have your ISSO, your information system, security guy also do some the firewall and also look at logs, and there’s no conflict of interest, but if you have a whole bunch of computers systems and you, can’t not even possibly track all the users on a day to day basis. And there’s data.
There’s thousands of terabytes of data coming in now of your network. Yes. You probably even want to think about separation duties. You probably want to have a whole security unit that, that also watches the administrators and then separate administrator. That is controlled by a whole nother office.
All right. Let’s keep reading this and get an idea of what’s going on. You have to document the separation of duties of these individuals that the organization has deemed necessary to have, right? So if you have a firewall team and you have a server team, you have to document that these are the individuals who control this.
And these are the roles that control these items here. Define information system, access, authorizations to support separation of duties. So you’re gonna define what level of access these people have. and then what systems that they have access to. So that’s what, in a nutshell, that’s what you’re doing.
That’s what separation of duties is. And like I said, I do see this one violated quite a bit. It’s a kind of find it’s a foundational best practice that you do in larger organizations, especially, or medium size organizations. Let’s get a little bit more supplemental guidance on this separation of duties, addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activities without collusion.
What does that mean? So think about it urine, a large organization like Lockheed Martin has a large contract with a. Health and human services. Now I don’t have any pre I’ve never worked for Lockheed. I don’t have any pre any kind of special information on either one of these things.
I’m about to say this is pure speculation on my part. So if I accidentally guess it was an accident. Okay. so anyway, Lockheed Martin I’ve never worked for has a large contract with health and human services, they have a thousand computers and 10,000 users, right? So these 10,000 users let’s say, are managed on on a server and on several different act active do active directory servers somebody, one of the administrators is doing something they shouldn’t do.
They are making new users over and over again. Why do we have 10,000 users? Somebody is making new users. . So in this case you would wanna have separation of duties so that this person who’s abusing their power is monitored by a whole nother organization. This is just one example of separation of duties.
By the way, you could have a security operations team. And what their job is to do is to watch everything on the network. They’re not only watching data going in and out of the network, but they’re also watching users. Maybe they have a flag set up to whenever somebody creates a new user, they can see who created the user, what account made that user, when did they made that user?
And then, and maybe they even set up something like a justification, like a why? So every time you make a new user account, you have to make a justification and go through the SOC team. That is one way that you can make it so that these people aren’t abusing their power. And that’s what they’re saying here.
Separation of duties addresses the potential for abuse of author authorized privileges, cuz somebody could give themselves more privilege or they can make 15 other accounts and then make all those accounts, these secret backdoor user accounts that allow them in and in inside access. There’s just so many different things you can do if you don’t have separation of duties in a large environment.
And that’s really mainly what it’s for. So you wanna do it when it’s, when it makes sense to do it. All right. So I think we beat that dead horse. Let’s keep going here. And then what we’ll do is, ah, show you how you can document separation of duties. But for now let’s talk about the next item, which is least privilege is this one right here.
ACC six least privilege. Let’s go into this one and talk about least privilege, access, control, least privilege. And if you’re, if you don’t have any context here, if you’re, you just jumped on this live and you’re like, man, what’s what is he talking about? What is N special publication? 853 rev four.
What is that? What’s going on? If you’re interested in actually knowing more about this kind of this field, this path, what I’m talking about is security compliance, specifically with N and I have a whole course. If you’re interested, it’s called risk management framework, information system, security officer foundations, and it talks about it talks about how to do security compliance using the N standard.
But then I have another one coming out real soon. That talks about how to document everything I’m talking about to you. Now, I give you context of how it all works. I tell I’ll break down different documentation and I’m gonna go through. All the families or most of the families, I don’t know if I’m gonna cover all of them, but I’m gonna cover most of the families in that.
In that course, that’s coming out soon. So go ahead and check that out on combo courses.com. If you’re interested. All right, let’s keep going here. Least privilege. Now this one right here, this one’s near and dear to my heart. This is something that many different organizations I would say most of the organizations that I’ve ever worked for violate this one.
The reason why is because we as human beings are. We wanna do the least amount of work for the greatest amount of impact . So if there’s a way that we can give somebody, if we have a really smart system administrator in our organization, and we want that server fixed this guy, who’s really the smartest guy in the organization does Cisco routers, but we also want him, we just start giving this person all of these different privileges that they don’t need.
That’s one of the things that happens with least privilege. Another thing we’ll do, and, or especially in large organizations, is we will we’ll have say a thousand different users, right? And the users don’t really need, they only need to access their workstation, but they keep coming up with these different things that happen.
Like maybe they have this annoying popup and we restricted their laptop to where they can only do their job. They can only, but they got this annoying popup. So every time they get this popup, they contact the help desk. And they’re like, Hey, could you guys fix this popup after a while? The help desk is okay.
Forget it. Let’s just give these guys local admin privileges so that they can fix it themselves. And then they tell ’em how to fix it. But they, and then it’s just local admin privileges. What could possibly go wrong with that? A lot can go wrong with that. that’s another violation of least privilege.
What is least privilege? Let’s talk about it. The organization employs a principle of least privilege, allowing only authorized access for users which are necessary to accomplish the assigned tasks in accordance with the organization’s mission or business function. What did I just say? So what I’m saying is you only give people the privileges that they need to do their job period, full stop.
That’s it that’s what least privilege is. the, like I said, the reason why this is violated is because we are lazy. We want to do the easiest thing possible, and it’s harder to give people limited privileges when every time they need extra privileges, they have to go and ask, they gotta play mother may eye to go get access to the logs or this popup just keeps popping up.
I wanna stop it. So lease privileges. It’s one of the biggest issues I’ve that I’ve seen in organizations. Let’s look at the supplemental guidance here, organizations the organization employs lease privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at a privileged level, no higher than necessary to accomplish the required organizational or business mission or business function.
You only give the privileges that are needed to do the job period. So runaway privileges is one of the biggest issues in most organizations. I’ve in 90% of the organizations I’ve been to, this is the biggest violation, and this is the one that gets the most people in trouble. Let’s talk about how to document these two controls that we just talked about here.
What I’m gonna do is bring up, I’m gonna bring up a couple things. If you’re doing risk management framework, documentation is the name of the game. We, the reason why we document so much. And I know I talked to some of my system, administrators who are very technical they’re all their head is always, deep in the weeds on how to implement these systems or set up a new Linux server or whatever.
So they don’t have time for documentation a lot of times, or at least how they feel. But the reason why documentation is so important to somebody who does what I do, which is security compliance, is that if we don’t have documentation, a lot of times we don’t know who has privileges and who don’t, we don’t know what privileges are needed here or to this person or what role we even have sometimes.
Organizations are so large that they don’t even know what roles they have and they don’t even know what roles have, what privileges and the reason why is because they didn’t document it. So you have to make sure that you document and that’s why it’s so important. One of the biggest reasons why we have to document is is having a security baseline.
If you don’t document, you don’t know what baseline you have. And a lot of times that’s the reason why you have a legacy system out there on windows 2003 or windows 2000 or something like that in the year 2020, and then there’s no support for that system. And so it’s out there and you didn’t even know it was out there.
So that’s why you have to document document. Let’s talk about documentation here. So what I’m gonna do is I’m gonna bring up an example of how you would. These two controls. What this is here is a one example, one format of a system security plan. This is system security plan right here. And what we were just looking at is ACC six here’s ACC six, right here, C six.
And how will we document this? So in a system security plan, normally you have an implementation statement. And so that’s what we’re gonna put right here. And normally this thing will say, okay, did you tailored it in? What did you, is it implemented or not? Is it tailored in or is it tailored out?
Meaning did you, it is implemented and if you didn’t have it, let’s say we didn’t we know we need least privilege, but we don’t have it. We would say. Now, keep in mind, this is just one way to document into a security plan. I there’s also, here’s a, let me just show you real quick, another way that you can document it like this.
If you wanted to, this is a word document and this word documents a template. I’ve seen organizations do it like this before. A little easier to on the eyes. I think easier on the eyes, but harder to deal with when you have large amounts of data than a spreadsheet, spreadsheets, in my opinion are easier, but there’s another level that’s above this that most organizations, large organizations are going to, which is like a database.
You put that stuff in a database and the re it’s way easier to deal with in a database. Cause the more data that you have on these spreadsheets the more confusing it gets, the more you lose track of things. So what kind of control is it? it’s a common control inherited, which is something we talk about in the course.
And then here’s where we, the implementation statement comes in. So we would say something like this least let’s say our organization is Lockheed gen general. I’m just making stuff up. Adheres to the principle of least privilege
by enforcing a global policy
GPO. So that it’s a technical way that they are enforcing all privileges throughout the whole environment. You’re just saying what the organization is doing. This is how you document, you’re not making this stuff up. All right. Let me just be very clear about this in the real world. What you okay. My head is covering this up.
Let me just move myself outta the way here before I that’s what I typed right there. So let me just be very clear. You’re not making this stuff up as an information system, security officer, as a security compliance person, whether you work for the bank or the government or hospital, you’re not making any of this stuff up.
You’re gathering the information from the organiz. So you, that means you have to bring in stakeholders. That’s the people who do this stuff on a regular basis. That means it might even mean you’re CIO. It might mean you’re CFO. It might mean you’re the actual people implementing it, the system administrators, or maybe you’re the system administrator, or maybe it’s already written in their, another policy somewhere else.
You would grab that information and then you’re gonna put it into this system. Security plan. All of our system security documents are focused on security. Like you might have, HR has their own documents. The architects guys have their own documents. The technical team have their wikis and their work instructions and their all that stuff.
We are focused on the security features of this system. And so that’s what we’re doing. We’re gathering from all these other existing documents where we can, and we’re interp, we’re putting those into pouring those into our system security. Plan now another place that’s really good. Let me move my face here.
Another place that’s really good to document these security features is a security policy. A security policy is really good, cuz you can really break down. You can really break down each individual item with a security policy. I’ve got a C four, a C five, a C, 11, and many other things.
So in the security policy, I can really focus in and say, here’s what we have here and be very specific. And you’re not making this stuff up. You’re getting it from the actual people who know the system. So that’s what you have to do as a system security person. And that’s AC the AC controls in a nutshell.
And like I said, if you’re interested in this. You can go check out combo courses, if you want to deep dive into this kind of stuff. And now I’m gonna open up to any kind of questions that anybody has to let you know what’s going on. Any questions whatsoever about anything we talked about is a great opportunity to talk about it.
I see a few people here that’s joined me a cyber security guy. How do you ever defeat your arrival hacker? So I think that it’s, there’s, that’s not how that’s not how I would format. That’s not how I see it. That’s not my perspective on how what’s going on here. So what’s going on is you’re controlling your data as best your POS as possible in your organization.
It’s not, you’re not defeating an individual person. This is just how I see it. This is not personal. The way I see it is I am working for my organization to protect their information. I’m working for their interest. So whatever their interest is I, that’s what I’m protecting. And it’s a team effort.
It’s not me against some random hacker out there. And then, from the hackers perspective, from the malicious criminal hackers perspective, cuz some hackers are good from a malicious attacker’s perspective. It’s not personal. They just, they have a mission too. And it’s either money or it’s, it is activism.
Or, and they’re not usually just going after one organization, they’re going after many organizations and seeing what works and me as a cybersecurity guy, same thing. I’m just working for the interest of my organization. And it’s a team effort. I’m working with several other people who. This guy does firewalls.
This guy does vulnerability management. This other person is the CEO of the company. They have to manage all of the resources of the company. They have a fiduciary responsibility for the organization’s information. So there’s many different people working on this. It’s not me against one lone hacker.
And then from the hackers perspective, from the attacker’s perspective, it’s nothing personal. They just want to find the weakest link. And they’re just usually what they’ll do is they’ll search the whole, a whole spectrum of the internet to look for the weakest link or to look for free information that’s being given out there that they can use that information to infiltrate the weakest person who’s out there.
So that’s it guys. If there’s no other questions I’m going to. Go ahead and go, oh wait, I got somebody here. Let me see. They said I need a job and I don’t have any information system security background coming from a Lenox system engineering background. What will be the best advice? What would be your advice?
Please help me. This is easy. If you have a Lennox background you don’t. So right now, even with the virus, even with all the stuff’s happening, even with the lockdown, now it has slowed down. Like I, some of the employers that have talked to me said that there’s right now, there’s a free hiring freeze going on throughout.
That’s hiring freeze going on, for obvious reasons. You can’t do interviews in person. You can’t, you don’t know what, we don’t know how long this is gonna last. We don’t know. For large organizations, they don’t know what kind of what their fiscal year is gonna look like if they’re losing sales, depends on what kind of industry they’re in.
But there’s just a lot of uncertainty right now. So obviously the markets have slown down a lot. But that being said, people do still need information system, security officers. So if I were you, here’s what I would do. If I were you, here’s one of the things that, and I have a whole series about this, by the way, I would go to indeed.com.
I’ve gotta, if you’re interested in this, I got an entire series that talks about, I got a whole series that talks about how to market yourself and that’s what it’s all about. Marketing yourself. I would go to indeed.com. Here’s one of the places I would go to Mr. Bun me golden. And then I will type in, I don’t know what your skillset is, but you said Lenox is pretty hot.
What kind of Linux is it? Red hat. You gotta be specific. Let’s say red hat. I’m gonna assume you’re a red hat, Lenox guy, red hat. I’m gonna assume you’re a red hat administrator.
All right. And where, what, where are you? Where are you at? Let’s say you are I’m gonna assume you’re in Texas, Houston, Texas. You’re a red hat administrator. I have, I’d have to know more about what you have going on to, to actually help you out in a more realistic way. But I’m assuming you’re a red hat administrator and that you have about five years of experience and you are in Houston, Texas, and I’m gonna go find jobs now.
I’m assuming you’re in the us. So now look at this. DC. And you’re looking for a job. Come on, man. Come on, man. This always blows my mind. DC is one of the hottest areas for it, DC, Virginia, that whole area is hot. Like I, there’s not almost, there’s barely a week that goes by to somebody from from Washington.
DC is not trying to contact me about a job. The thing is most of us it guys, and it’s not your fault. Your profession is technical, right? We’re not marketers thing is you wanna market your resume. You wanna market yourself. That’s the key. That’s the whole key to this whole thing. If you’re interested in this, you have somebody else having you watching this kind of thing.
I gotta you go to combo courses.com. You’re gonna go check out my course. It talks about how to, how I’ve been able to have not only a job. but a six figure job working from home for the last X years. And I’m not some freaking genius, man. I’m not some freaking prodigy. I’m not some freaking genius.
The only thing that se separates me from other people is that I work really hard. That’s it? I know having seen extremely brilliant people. I know I’m not one of those guys. I know I’m not one of those guys, everything I do, I have to work my ass off for. So that said, and I, I have a level of success that allows me to take care of my family, my wife and kids and travel the world and do what I want, if, when I want, how I want.
But anyway, okay. Back to your question, you said, how do I find a job? You’re I’m assuming you’re a red. Okay. So you said red hat, six and seven in Washington, DC. All right. So let’s look at this. I would go. indeed.com I would make, I would upload my resume. See this. It says, upload your resume. If you’re following the law, if you’re really hungry, man, you could, right now, I’m gonna show you how to do it.
Upload your resume, fill this out. Don’t just upload it. Fill out the complete profile. If you look at my course walks you through everything. What kind of key words to use, how to find the right keyword, all that kind of stuff. If you’re not interested in that, you wanna get it for free. I’ll show you right now, upload your resume.
Fill out the entire profile. Alright. Put in all, every one of your skills in there don’t even leave one out. Cuz there’s a place where it allows you to put your skills in how to it allows you to put in all, every place you’ve ever worked. How many years of experience do you have if you don’t mind me asking.
Okay, so red hat administrator. Now look at this and let me show you something. . So if you look at this, it’ll tell you who’s hiring like right now. And these two places, one in Virginia, one in DC are hiring right now. Right now. It means they have an urgent hiring. They really need somebody who knows this stuff.
So here’s S AIC, SIS IIC is a good company, by the way. At least when I was doing it many years ago, the guy you got medical industry, you’ve got Linux. There’s a couple of industries that lend themselves or four years, man. That’s perfect. So there’s a couple industries that really lend themselves to you work in almost anywhere in almost any industry.
And one of those is Linux is super hot. It, somebody always need it needs it because they just don’t. We just don’t have enough people who know it now. So what I did was I clicked on this top one right here, and let’s just break this thing apart. Let’s look at this. So these guys will tell you what they need from you.
If you don’t fit this, then move on to the next thing. The magic of putting your resume into indeed.com, putting it, uploading it and putting all your skills is that after a while, indeed. Now it’s not the best algorithm. I’m gonna show you a better one in a second, but it’s but the thing about it is once you put your stuff in there, it will match up different jobs that fit your resume.
So right here, as we’re looking, we’re being very active and we’re looking at this job here they require a bachelor’s degree. Do you have a bachelor’s degree? If you have a bachelor’s degree, guess what? This that’s great. Good for you. Demonstrate experience with system engineering to include network design documentation installation.
Now, like I said, if you don’t fit this, go onto the next job. If you do apply. Now, if you put your resume in there, when you hit apply, now it’ll take your resume and it sends it to them.
let me show you what let’s keep going here. All right. This one is Exel logic administrator remote. This is a remote position right here. Look at this. You just go through what requirements, what re skill requirements. And now they want Oracle. I don’t know if Oracle, but if you don’t know Oracle move on to the next one.
We want Linux administrator. We want red hat administrator, S a I C. Now here’s S CICS. One of their job pages here. Pretty good company. And let me see here. Yeah. See, look at this happiness score. I never seen that before. I think I clicked the wrong thing here. We wanted, I wanted to actually see the job.
So let’s just go to the job itself of S a I. Okay. It’s talking about a little bit about S a I C, and we’re looking at the job screwed. This is what you do. If you’re really hungry for a job, you go through every single one of these, every single one. And you find a match for you. But if you put your resume in, it does have to work for you because the hour room’s gonna match you up with certain jobs, but you don’t want to just wait for that.
You wanna put that in there, let it do this work. And then you want to be extremely active and look at every one of these and look at which ones look at the duties. If you can do it, apply for it. If it’s a really long drive, factor that into your final decision, you wanna probably find something closer to you, but don’t rule it out, right?
Don’t like, I’m the type of person. If I need to feed my family, I’ll work at freaking McDonald’s man. I’ll work the fries. And then at night I’ll Moonlight and deliver pizzas, do what you gotta do. To take care of yourself and your family. You know what I mean? So let’s go to the next one system administrator, but you don’t have to do that.
You’re a Lenox administrator. You don’t have to, you don’t have to flip burgers. You don’t have to, Lenox administrator is no joke and you have four years of experience. You should have a really good job right now. And I’m gonna show you how to get one. All right. So bottom line go through every one of these upload your resume, and then you can type in your location, your skillset right here, you can search ’em.
But the big thing is to upload your resume. Now, lemme show you something else. LinkedIn. If you’re in the us, LinkedIn is one of the best sites to find jobs. I’m gonna show you a better one after this, a better one than LinkedIn, in my personal opinion. couple better ones for LinkedIn. Now, in my course, I tell you exactly how I’m able to.
Get so many job opportunities from LinkedIn. This, I don’t have a lot of people who actively follow me here, but I could tell you most of the people who contact me, these are real opportunities for me. So what I did was what you’re gonna do is you’re gonna fill out, you’re gonna sign up on LinkedIn and you’re gonna fill completely fill out this profile, completely fill it out.
And the more you fill it out, the more targeted that it will be the more targeted the traffic you’re gonna get. The more targeted, the people who contact you, the technical recruiters that contact you the more targeted they’ll be towards you. And that way more peop the most of the people who contact you will be legitimate jobs for you, fill it out.
But here’s another thing you can do. red hat, Linux administrator. Look at this. You can join groups, right? Join groups. Here’s another thing you can do.
So you’re gonna join groups. You’re gonna make a complete profile. I hope you’re taking notes. And then you’re going to admin. We’re gonna look for jobs. We just typed in red hat, Linux, admin, and these are all the other people who are also admins. Now look at this. I want you to take note of this. This guy came up number two.
This means technical recruiters are literally typing this in red hat, Lennox administrator. And they’re seeing this guy’s face. Why is this guy number one? Think about it. Why is this guy? Number one? Why is he coming up? Why is everybody seeing this guy’s face? Why is he getting so many job opportunities?
He filled out his complete profile. That’s why he filled this entire profile out. That’s why he is getting so many jobs. That’s what you have to do. Now, if I go to this next, now I’m actually looking for jobs here. So let’s just keep scrolling. Now note how this is broken, broke down. So see it has, it starts off with other people.
Then it talks about the jobs and then groups should be here somewhere. I’m looking. Yeah here’s different. Oh, these are different companies. You can follow the companies. If you follow them every time they come out with a new something new they’ll, it’ll pop up in your messages or notifications.
But what I’m looking for is jobs. I’m gonna say, see all, if you’re following along. And once again, what we’re gonna do is we’re gonna go through every one of these, even though this says Kafka engineer, analyst, I’m gonna go see what this is. I don’t know what this is. It says promoted. I usually avoid the promoted ones.
Because they’re paying for it, but that’s fine. Even check those wounds out too. It’s telling you where, what location? Oh, look, we didn’t put our location in. Let’s make sure we put our location. You said Washington, DC, Baltimore. Look at this Washington, Baltimore, one of the hottest places for jobs by the way.
And they pay a great amount of money, especially if you’re willing to travel. Okay. So this one is, I don’t know if Splunk, but Splunk developer. Okay. So that’s not what we want. Let’s keep going. We want some more like Linux kind of administrator type work. This one’s looking for sci clearance.
I’m assuming that you don’t know as you don’t have that. That’s a clearance. Not a lot of people have it. I don’t have a Ts S C I, I don’t think anymore. That’s Splunk. Let’s skip that one. Let’s go to the next one. So if you, if it’s obvious, you don’t know that, just move on to the next one, but this one right here.
this one deserves our in our time. Let’s look at this one. What are they looking for now? Notice I’m just, I’ll come back to this later. They’re talking about what kind of business it is. It’s women owned and all this kind of stuff. I’ll come back to that right now. When I’m looking for is what is in the job description?
Can I do it? Nope. Look at this. It says security. Does TSS C I clearance. I don’t have a clearance, so let’s keep it moving. Notice how I’m just going through these. If I don’t if there’s any indication I can’t do the job I move on. And the reason why is because I got stuff to do, I need to find people who are a good fit for me.
That’s what we’re doing. We’re trying to find what’s the best fit for our Linux red hat administrator in Washington, Baltimore. Is this even in the same right location, Virginia. Okay. I could drive there. Security plus requirements. Do you have a security plus, do you have any kind of security clearances?
okay. I’m assuming not. And this is asking for Oracle stuff, so no, I’m gonna move on. This is how you do it right here. Now my, it looks like my search is not great. So what I’m gonna do is I’m gonna change my keyword here. I’m gonna go to, I’m gonna call this red hat, Linux administrate.
Look at this man. I can barely spell you’re a Lenux administrator and I’m a American with one language who can barely spell. And if I can get a job, you can get a job. that’s all I’m saying all. Okay. Look at this rest in Virginia. Okay. That’s not too far from Washington. You’re willing to make the drive, but security clearance.
So we can’t do that one. Let’s keep going here. Security clearance. Raytheon. Raytheon is a, is an okay company. They get a lot of contracts, so you’ll see tons of jobs from these guys must be a us citizen and S sci clearance. Okay. Moving on now, I’m assuming that in the east coast, this is one of the problems we have is looking for jobs with that don’t require clearance.
So I’m moving on to general dynamics. Another very large company has 10,000 employees. Let’s see here. Okay. Here we go. Scope of work. They explain to you what you, what they’re expecting from you. Looking for requirements, education, no degree, 10 years of trip wire experience. Okay. If you don’t have trip wire experience, let’s move on.
So you need to go through every one of these. After you make your profile. First thing you want to do go tod.com put in your profile, go to linkedin.com, make a profile. Once you make the profile, it starts to find jobs that fit you. The reason why this is coming up with stuff that fits me is because I have my pro I have my, I already have a very full profile there.
So it’s automatically searching things that fit me. So it’s I’m having a hard time finding stuff that fits you. That’s why it’s very imperative that you do this. Okay. Let’s look at these skills right here. They’re saying in-depth knowledge of HBSS. Okay. Let’s I’m assuming you all know that let’s just keep going.
Red hot platform and applications administrator. So I’m assuming this one’s a software engineer, somewhat qualifications. This one might fit. You obtain a public trust clearance. Okay. So this one might fit you because. , they’re not looking for a sci clearance, which not everybody can get or has, but public trust clearances just means that they’ll do a background check on you and you don’t have to be a us citizen.
You could be a green car holder or whatever, but public trust is easier to get five years experience with red hat. You said four, you could still pull it off. I would still apply for it. I’d apply for this one. This one might be good for you. Actually, I would look at this one right here. Look at this co this is some stuff you can learn.
Cold fusion. They’re saying three to five years of WebSphere experience. If you have that, I’d apply for this one that we’re getting closer. All right, let’s keep going. Let’s go. Keep going down here. You get the idea. You’re gonna go through every one of these and try to find a match. All right. Try to find a match for you.
If it doesn’t, if it in anything’s out of place, the closer you get to a match. You wanna apply for those jobs, right? The closer you get to a match, the better, because those are gonna be give you the most probability of actually getting an interview with them. Now, let me show you a couple of other places that are really good to apply for there’s dice.com, which is probably the best technical place to find a job in the United States of America.
So what you would do is go to dice.com and then type in red hat, Linux. You know what? Let’s change it up. Let’s type in Linux administrator. There we go right there. See this look at, take note of this. Look at this, see how this keyword popped up. That means this is highly searched and they have tons of jobs for this, but then they also have other job titles here, too.
Linux administration, Linux administrator. senior Linux administrator, an Sr senior administrator. There’s many different ones. What you wanna do is click one of the ones that fit closest to you. Let’s look at another keyword red hat. Let’s see what pops up with, let red hat look at this. See all these keyword.
These are the key words you want to use all these keywords right here. These ones that people are typing in these people that have hot jobs that you’re looking for. But I wanna go back to Lenox administrator. And then this is the one right here. And then we gotta type in a location. You said Washington and Washington DC, boom, fine jobs.
So y’all notice all these jobs. Look at it. Look how technical all these technical jobs. Look how this one’s way better than indeed and way better than LinkedIn, as far as search options go for technical people. What another thing you wanna do is don’t look for anything too old. If it’s months old, then just forget it.
This one’s one hour, this one’s nine days. This one’s 12 hours, 12 hours, 10, 10 hours, two hours. These are just recently posted some of these, right? I said there was a hiring freeze, but look at this one hour, 16 days ago, 30 days ago, I would avoid these one. That’s a long time. If it’s after 30 days, I would not apply for that.
But you never know, never know this one 11 hours ago, one day ago, one hour ago, Restin VA two days ago. That’s not too far from where you live. Linux engineer, Linux, admin experience. You get the idea, but what you wanna do is make yourself a full blown profile.