https://thorteaches.com/udemy/

Today, there are more mobile devices than people in the world. We connect everything to the internet.

With so many mobile devices, it is critical that we understand where and what they are and that we have the proper protection for all of them.
In this video, I cover those at the level you need for the CISSP exam.

Remember, the CISSP exam is a management-level exam, you need the right point of view to pass the exam.

https://youtu.be/PmgrYBCg5O8

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we’re going to talk about mobile security and when most people think mobile security, they think cell phones.
But it really is anything you can walk around with, anything we attach, that can be external USB drives, hard drives, tablets, CDs, laptops, anything that is mobile.
And obviously this also covers cell phones.
We have over the last five to eight years, started to add so many more devices to our networks.
And I’m sure this is going to exponentially grow over the next coming years.
The more devices and the more different types of devices we connect, the more complex policies, procedures and standards we need.
We need to ensure that every device we have data on is secure to a point that makes sense for that device and the data.
Most of the internal threats we have is not from malicious people.
They either just don’t know any better or it’s just easier to do it this way.
It’s probably not going to hurt anything.
It’s probably not going to be found out.
So as much as we can, we need to be able to eliminate them, even having the option to try to take the shortcut.
I know of one breach where a guy just wanted to go outside to have a smoke.
He didn’t want to go through the access point, all the control, all that stuff.
It was just much easier to open the back door, go out and smoke and then close the door when he was done, he had been doing it for months.
But one night he forgot to close the door all the way.
He closed it, but he didn’t get that little snap when the lock actually closes, and with that door not being closed, someone was able to get into the building, effectively circumventing all our other security.
He wasn’t malicious.
He wasn’t an intentional, bad actor.
He was just lazy.
Another example that is maybe more appropriate to mobile security was a doctor that compromised Protected Health Information or PHI.
Being the good doctor that he was, he just wanted to check on some patient records and he did not have his laptop with him.
So on his phone, he configured an unsecure mail client.
He checked the patient record he needed and then went on with his day.
A couple weeks later, he did the same thing.
It was easy and he kept doing that.
After some months, the phone was stolen and all that patient information was still on the phone in the mail client.
Again, not a bad guy, just someone who found a loophole and used it because it was easier.
To help with both of these, we obviously need to do the proper training to raise the awareness of our users.
But part of our role is to make sure that those loopholes are closed.
We close the loopholes and then we give them the tools that they need. With the guy that wanted to go out and smoke, he probably just needs to follow protocol.
But with the doctor, what he really needed was a secure male client on his phone.
And then maybe we need to ensure that the phone has full disk encryption and maybe remote wipe capabilities.
For all our mobile devices, we want to ensure that we have the policies, the procedures, and standards in place that we need so we can be as secure as we need to be.
On the technical side of things, we should lock our USB ports down, the CD drives, the network ports are wireless devices, wireless networks and disable auto run on any media that is attached to a laptop or any other portable device.
Wherever it is possible we should have full disk encryption if the device is stolen.
The attacker really has no way of accessing our data and with any device where it is possible that holds sensitive data, we should have some sort of remote wipe capabilities.
Either we send the command to the device and the next time it is online, it wipes itself. Or if it has not been online for 10 or 20 or 30 days, it does a remote wipe on its own.
And yes, there are ways you can circumvent this.
There is anything in IT Security.
That’s not really the point.
The point is we have enough security to protect whatever we are protecting.
Most cell phones already have the remote wipe capability and it is pretty inexpensive to add it to laptops as well.
For this as anywhere else, we want our defense in depth and user training and awareness is a huge part of that.
Cell phones are obviously the most common mobile device we use, and they are also the ones that gets lost the most often, which is probably also lucky, with any current Android or iOS operating system, it will by default have full disk encryption.
I mean, it is possible to turn it off.
But why would you? Now how our employees use their phone if they lose them is something we don’t really have a lot of control over.
If it is their personal phone, all we can do is make sure that they don’t have any confidential or sensitive data on their phones.
What we can do something about is if we issue company phones.
Here, we have a lot more control.
And regardless of which type of phone it is, both private and company phones, we need to ensure that we have the good security standards in place that we need.
And here we are not talking about phones that they only use for private use.
This is phones that is used partially for private use and partially for company use, as well as phones that we have issued.
So for any of the phones that have some sort of company data on it, it doesn’t matter if it is confidential or not.
They should, at a minimum, have the ability to be remotely wiped.
They should be able to be tracked so we can find them.
They should have a lock screen that after a certain amount of minutes where the phone is not used, the screen locks.
And it should be set to if you enter the wrong password so many times the phone becomes a brick.
And if it is a company phone, we should also disable removable storage.
If we give our employees mobile devices and we are a small organization, it is possible we might just configure the phones by hand.
But as you know by now, anything that is done by hand is more susceptible to mistakes and omissions than anything that is automated.
This is the same reason we don’t harden our servers manually.
It should all be automated.
So when we start moving into the hundreds or thousands of devices, that automation should have it in a centralized system and that will be an MDM, a mobile device management system.
Using that, we can give every single phone a standard basic configuration that we know is secure.
And then on top of that, we can add to our group specific configurations.
So the server team might need access to certain things or the phone needs certain capabilities.
Well, then we add that to the server team profile.
We can also add application, white or black listing.
Here, white listing is preferred because white listing is us saying only these applications are allowed.
If you try to install anything that is not on that specific list, you can’t install it.
Whereas a blacklist is us listing all the applications we don’t want installed, which is almost impossible to keep up with.
I mean, there are thousands of new applications every day.
We can, also with MDMs, at storage segmentation, we can add or remove remote access, we can push new configuration out, take backups of the device and so much more.
Now, let’s say an employee leaves the company and they don’t bring their phone back.
Well, then we can either completely wipe it or we can just wipe the parts of the drive that we know contains company information.
It gives us that flexibility that we need to secure our company data.
And now a slightly controversial topic.
Since we monitor and manage their device, we can also see what traffic they use, where they are, which phone calls they make.
Now, that may or may not be legal where you live, if we as a company do that in any way, shape or form, they need to be told and they need to sign a form where they say, I agree to all of this before they get the device.
The MDMs can be an amazing tool, it can help us a lot.
But we need to make sure that what we do with it is also legal.
And the MDM is not just for smartphones.
It can easily track laptops, tablets and really anything that can be managed and tracked in a centralized system.
Laptops, smartphones, and tablets are amazing productivity tools.
I know that anywhere where I have worked, where we have had them, they certainly make my day and my work life much, much easier.
But as with anything else, they have to be secure the right way or they are a liability.
Which then brings us to BYOD.Bring your own device, which is super awesome if you are a user.
Maybe not so much if you are someone in security, now instead of having fifteen different devices that we hand out that we have configurations for, now, we may have hundreds or thousands of different devices that gets brought to work and used on our network.
So with BYOD, we should have a clear policy, when they bring their own devices to work.
We have a policy, we have procedures and we have guidelines on what is acceptable use and what is not.
They need to clearly understand how they are allowed to use their own devices.
And we also need to be very clear on how much support we offer for their own devices.
If we have, like I said, 10, 15 devices that we issue, well, then our help desk can easily keep up with that.
They can have the proper procedures in place.
But they most likely won’t have that for the hundreds of different devices our employees bring in.
And how we do that is really depending on our organization, what are we trying to do and what our capabilities.
It is that fine balance that we always need to strike between being user friendly while still having enough security.
Here, a possible solution could be that we add their personal devices to our MDM.
They accept that when they are on company property, we to some extent monitor what they do and cannot do.
So with the MDMs and mobile security, we have a lot of questions that we need to ask.
And then with those answers, we design our policies, our procedures, and our guidelines.
If we give them mobile devices, how do we make sure we get them back when they’re terminated or leave the company?
Or at least that we can wipe the device, if they use their own devices? How do we ensure there’s no company data left on it when they leave?
And how do we ensure that the sensitive data they have on their device is not accessible to anyone from the outside?
How do we ensure that they don’t go home and transfer that data to another device?
How do we make sure they have the latest patches, the latest antivirus and on and on.
Before we add any mobile devices to our networks or allow our employees to bring their own devices?
There’s a lot of thoughts and considerations we have to go through to make sure that the implementation we choose is both secure enough while still allowing our employees to do what they need to do in the easiest possible way.
And with that, we are done with this lecture.
I will see you in the next one.

Having the right approach, the right materials and using the materials at the right time in your CISSP studying is critical for passing your CISSP exam.

Learn how to build your own CISSP study plan, how to manage your study time right, and what to study in which order.

Get my free CISSP study course to get the full free CISSP: How to study course, it also has the fillable study plans for you to use. https://thorteaches.com/get

https://youtu.be/hVI-0T9OvUk

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we’re going to talk about study plans, how to get them, how to tailor them to your specific needs and how to use them in your studying.
And to begin, I’m going to answer a question I get asked multiple times a week, how long should I study?
And every time I get the same answer, I have no clue.
I have had students who studied for one week and passed their exam and I have had others that been over a year.
Normal is somewhere between four to six months, and it varies so much because everybody comes into the CISSP studying from a different point of view.
You have a different background, you have different knowledge, people are different in how fast they learn.
How much time they spent every day studying, how focused they are, and 50 other things that will influence how long you need to study to pass your exam.
So in this lecture, I’m going to approach it with a normal student in mind that uses the four to six months.
For something as big and as complex as the CISSP, I suggest you study at least two to three hours every day, and when I say every day, I actually mean it.
It is every day.
And many of my students say, “Well, I can’t just find two hours in the day or three.
I can’t make more hours in the day than there are.”
Completely true.
What you need to do is do less of other things and you need to find those little pockets of time where you have 10, 15, 20 minutes where you’re not doing something else, your commute, your breaks, your lunch break, all of that I use for studying.
I also take a close look at what else I do that is not urgent or important.
So I spend less time on Facebook or social media.
I watch less TV, I play less games, and try to do it in a way that doesn’t ostracize your friends and family but you still get the study time that you need to pass your exam.
And before we start looking at the actual plan, remember, the study plan is a living document.
If for some reason last week you did not have time to study enough or you all of a sudden had extra time, well, then you adjust the plan.
And now for the actual study plan, download the attached study plan from this lecture or go to thorteaches.com/study/ and then click on free stuff.
The first thing at the top on the free stuff is the study plan.
On the front page of the study plan, I have my suggestion on how you should approach your studying and which order you should do it in.
First off, get one to three video resources, watch them all and then take notes.
In my video courses, I have study guides you can use and then add your notes alongside those.
Once you have watched all the videos, then you read your primary book, you supplement your notes, then I suggest you read the Memory Palace, the CISSP Process Guide, the Sunflower Notes and the NIST documents.
And the NIST documents, you can find the same place that you do the study guide, thorteaches.com/study/ and then click on the free stuff.
Then you re-watch all the videos again, maybe at 1.5 or two times speed, you update your notes and after you have watched the videos the second time, either reread the book or just skim the highlights, the areas you’re not completely sure on or start doing practice questions.
Practice questions is where you are going to spend maybe 50% of your study time.
Do a practice test mark everything you’re not completely sure on for review, once the test is over and you get the results, everything you had marked for review or that you got wrong, you go, restudy those topics, read the book, watch the videos, do online research, look in the study guides, and then you do another practice test.
And that is really what you’re going to do for the rest of your studying.
Plus some reviews every so often, use the easy to mid questions first, fifteen hundred to thirty five hundred of those and then the hard questions towards the end of your studying and you have probably heard me say before, do not reuse practice questions.
First off, if you have already used those questions, then you have already found the weak areas that you have that they could show you.
Second off, next time you reuse those questions, you’re going to remember some of the answers, meaning if you took it the first time, maybe you scored 70%.
When you take it the second time, maybe you score 85.
But that 85% is not really a true representation of where you are as far as being ready.
And now that we have all the practical stuff out of the way, let’s look at the actual study plan.
So my template study plan here is based on two hours every day, seven days a week.
If you can use more time, wonderful.
And of course, I use my resources, the ones that I recommend in this study plan, if you’re using something else, well just replace it with that.
And the last page in this study plan is a blank page.
It has the days.
It has the weeks, but it has nothing filled in, meaning you can fill it in with whatever you are using.
So the first two days I have, make your own study plan and watch the Thorteaches.com CISSP Intro course.
The Intro course has no set curriculum, but it has all the practical stuff.
How you should study, how you can be better prepared, how you should approach videos, books, questions, and everything else.
So you make sure that you study as efficiently as possible.
Then for the rest of the first four weeks, you watch two hours of my videos and the secondary videos you have chosen every day and you take notes.
Most students that I have talked to download my study guide and then alongside that they add their own notes.
And if you are a student on Thorteaches.com, one of the first lectures of the video course will have all the study guides for all eight domains.
If you are a student on Udemy, it is attached to the first lecture of each domain.
So that is all the time if you use two hours a day for four weeks.
Then we’ll go to week five.
Here, you read your primary book and as you can see, I have selected 50 pages a day.
Plus, take your own notes.
Some students might be able to read more, some less.
Adjust it to fit what you do.
And remember, it’s not just read the book.
It is read it, understand it, and be able to explain it.
I have had students who told me, “But Thor, I did what you said.
I read the whole book twice.
I did 5,000 questions and I didn’t pass.”
But then when I start talking to them about the concepts, they have no clue.
They just read as fast as they could through the entire book, not remembering anything.
And they did the same with the questions.
They just did a test.
Oh, I scored 65%, and then they moved on.
They never looked at all the things they had wrong.
And since they never looked at all the things they had wrong, they never improved their knowledge.
So it is not just read the book, it is read the book, take notes, understand the topics and be able to explain them.
Reading your primary book continues all the way into the middle of week eight, at this point, start reviewing your notes.
I have set aside four days for that use, more or less, depending on what you want, but be able to explain all the concepts and for each concept, be able to explain what it is, where we would use it, when we would use it, why we would use it, and how we would use it.
After those four days of review, I suggest you read the Sunflower Notes, the Memory Palace, CISSP Process guides and all the relevant NIST documents.
For this, I have a lot of six hours.
After those, you have two weeks of review, review the videos, watch them at 1.5 or two times speed, supplement you notes where you’re lacking, then reread or reskim the book, again at your notes and then another review session.
Two days where you explain why, where, when, how, what.
At this point, you’re about halfway in your studying.
From here on out, it is practice questions.
For the first week, I have set you to do between 50 and 100 questions every day.
After the first week, I dial that up to 100 to 150.
So every day you do one full practice test between 100 and 150 questions, once you are done, you review everything you marked for review and you review everything you got wrong.
Restudy those areas and then the next day you do another test.
For some students, there’s just not enough time to do 100 or 150 questions and then review them in two hours.
Well, then one day you do the test, the next day you review everything and restudy.
If you look here at week 13 to 16, you can see everything is practice questions that continues all the way into week 17.
Now at this point, if you are not consistently scoring 80% plus on the mid to easy tests or at least 70-75% on the hard ones, then do more questions.
If you are scoring in those areas, well then it is time to review, review your study notes, the PDFs, the videos and the areas of the book you had issues with and do that for three days.
Then re-watch all the thorteaches.com videos, here watch it as fast as you can.
Most students can do this at at least 1.5 or two.
When you’re done with this, we’re in week 19, here, I suggest you read the 11th Hour, Luke Ahmed’s and Wentz Wu’s books and then research online for any topics that you’re not completely clear on.
We have six days or 12 hours allotted to that, after that, reread the Sunflower Notes, the Memory Palace, the CISSP Process guides and the NIST documents, and pretty much do this until you’re ready for the exam.
After reviewing everything, I have some students that go back and take two or three days of practice questions just to get back in the practice question mindset.
And I also have some that on exam day right before going into the exam, do 10, maybe 20 questions.
Not enough to wear your brain out, but enough to get yourself back into the question mindset.
They should take you all the way to exam day.
Remember to adjust the plan as things change.
It is a living document and good luck on your exam.
And with that, we’re done with this lecture.
I will see you in the next one.