CCT 101: CISSP Practice Questions - Domain 1-8

Dec 28, 2023
 

Are you prepared to level up your cybersecurity expertise and ace the CISSP exam? That's exactly what we're here for! I'm Sean Gerber, and this episode of the CISSP Cyber Training Podcast is a treasure trove of knowledge, from unraveling the intricacies of the STRIDE methodology to understanding the subtleties of 'repudiation' versus 'replication'. Get ready to delve into the depths of the Mandatory Access Control model and discover why 'Top Secret' isn't just a phrase out of a spy novel. We'll also decode the critical role of data classification for compliance, and I'll shine a spotlight on the nuanced differences between stateful and stateless firewalls that could make or break your security policy.

But the learning doesn't stop there. I'll take you behind the scenes of conducting a thorough Business Impact Analysis, illustrating its undeniable importance in maintaining operational integrity in the face of threats like a ransomware epidemic. As we explore the art of calculating downtime impacts and the construction of robust recovery strategies, you'll gain invaluable insights that will not only prep you for the CISSP exam but also fortify your organization's risk mitigation framework. And for those fascinated by the covert operations of cybersecurity, I reveal the secret weapon of Perfect Forward Secrecy in VPNs – a must-have for any security-conscious network. Join me in this podcast chapter where we unpack these topics with precision, leaving you enriched and exam-ready.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a blessed day today. Today we are rolling into the holiday season and therefore we have a lot of great things to be thankful for, and one is the CISSP Cyber Training Podcast. Yes, yes, indeed, you should be very thankful for it, just joking. So I hope you guys are having a wonderful day and I hope you have great plans set up for your Christmas holidays, and here in the Gerber household in Wichita, Kansas, things are getting very festive, having to deal with children, grandchildren, all those fun things. So it is a great time. Well, so we're going to be talking today about a wonderful topic, and the topic is Thursday. That's not the topic, but today is Thursday. So the topic is, yes, you guessed it, CISSP exam question Thursday. So today we're going to be talking about various exam questions that cover all eight domains, and I went down this path because one is the holidays, and you can get free CISSP exam questions on my site and I'm using some of those free exam questions today. But you'll have the domain one. We'll kick off again here in a couple of weeks and we'll get through the first of the year and go from there.

So let's roll into question one. What does STRIDE, and that's an acronym, STRIDE, what does the STRIDE methodology stand for as it relates to threat modeling? Again, what does STRIDE, the methodology, stand for as it relates to threat modeling? A, security, tampering, replication, intrusion and denial of service, escalation of privileges. B, spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege. C, security, tampering, repudiation, intrusion, denial of service, escalation of privileges. Or D, spoofing, tampering, repudiation, replication, information disclosure, denial of service, elevation of privilege. So, again, when you want to look at this, you want to consider what are some of the answers and which of them have basically the terms of threat modeling in them. Well, if you go through questions answers A and B, they have security in the first word and that's not a threat modeling term, so you can throw those two out immediately. Then the next one you come down to is when you're dealing with basically B and C, or B and D. You'll be able to see these on CISSP Cyber Training as well, as you'll be able to look at them on YouTube at some point, but the video would show you a little bit more. Bottom line is that the word in there, replication versus repudiation, would be a key term that you would glob onto, and you would say, okay, well, it's repudiation, because that's a threat modeling term. Replication is not, so, therefore, the answer would be repudiation and that would be B.

All right, so then question two, security risk management. This is that domain. Which of the following, which one of the following represents the highest level of confidentiality in a mandatory access control model? Again, which of the following represents the highest level of confidentiality in a mandatory access control model? A unclassified, B confidential, C secret or D top secret? Now, it's probably pretty obvious, but again the question is which of the following represents the highest level of confidentiality in a mandatory access control model? So, in a MAC model, the answer is D, top secret. In a MAC model, levels of confidentiality from the lowest to the highest are unclassified, confidential, secret and then the ultimate goal of top secret.

Question three, which of the following is a primary purpose of data classification in an organization? Again, which of the following is a primary purpose of data classification within an organization? A, to reduce cost. B, to minimize resource allocations. C, maintain compliance with laws and regulations, or D, speed up data processing? Again, so which of the following is a primary purpose of data classification in an organization? Now, there's lots of different reasons for doing data classification, but in this question, which would be the primary purpose, and that would be to maintain compliance with laws and regulations. That is C. It does help you to ensure compliance with these various regulatory requirements and data handling and the protection. One of the things that comes into that is GDPR, which does require that level of understanding, especially with data handling and its overall protection.

Question four, what is the difference between a stateful inspection firewall and a stateless firewall? Okay, so what is the difference between a stateful inspection firewall and a stateless firewall? A, a stateless firewall inspects content, whereas the stateful inspection firewall only inspects headers. B, a stateless firewall is application-aware, whereas the stateful inspection firewall is not. C, a stateful inspection firewall can't filter packets, whereas the stateless firewall can. Or D, a stateful inspection firewall remembers the state of the connections, whereas the stateless firewall does not. Okay, so what is the difference between a stateful and a stateless? And the answer is D. Stateful firewalls will keep track and remember the state of the network connections, such as your TCP or UDP communications, which does allow you to have much more granular security policies. So the answer is D, stateful inspection firewall remembers the state of connections, whereas stateless firewalls do not.

Question five, in a VPN, what does perfect forward security refer to? Again, a VPN. What does perfect forward security refer to? A, the ability to secure communications when the session key is compromised. B, guaranteeing the integrity of data transfer by using hashing algorithms. C, ensuring that past session keys are safe even if the private key is compromised. Or D, the ability to prevent replay attacks. Again, what is it? In VPNs, what does perfect forward security refer to? And the answer is C, ensuring that past session keys are safe, even if the private key is compromised. That is what perfect forward security, or secrecy, means. So, basically, PFS. You may see the answer of it. It's a session key that's derived from a set of long-term keys that will not be compromised if one of the long-term keys is compromised in the future. That is perfect forward security, and I know I've heard of other places trying to incorporate that level of security. It does take a bit more work to do so, but it's definitely worth it if you can make it happen.

Question six, which of the following is not an example of a type three authentication factor? Again, type three, what is it, what it is, and that's something type three. If you understand what that is, you need to kind of know that, and the type three would be something you are. Okay, so let's consider that one. Which of the following is not an example of a type three authentication factor? A fingerprint, B facial geometry, C retina scan or D smart card? Which of the following is not an example of type three authentication, which is something you are, and that would be D, a smart card. A smart card is something you have. Thus it is type two, not type three, which is something you are.

Question seven, when conducting a vulnerability assessment, what kind of result would be considered a false positive? A, a non-existent vulnerability flagged as existing. B, an existing vulnerability flagged as non-existent. C, an existing vulnerability flagged as existing, or D, a non-existent vulnerability flagged as non-existent. And the answer is B, an existing vulnerability flagged as non-existent. Basically, false positives are when vulnerability assessments refer to a situation when the system flags a vulnerability that does not exist.

Question 8. What is the primary purpose of an intrusion detection system? A, preventing attacks. Again, what is the primary purpose of an IDS? A, prevent attacks. B, detect attacks. C, recover from attack. D, assess damage from attack. What is the primary purpose of an intrusion detection system? It is B. I can't figure it out myself. It's B, detecting an attack. These systems are primarily designed to detect potential attacks and alert folks of what's going on. That's the ultimate purpose of them.

Question 9. What is the key principle in the waterfall model in software development? A, an iterative development. So, again, what is the key principle of the waterfall model in software development? A, it's an iterative development. B, it's a continuous integration. C, it's concurrent activities, or D, it's a sequential phase. Again, what is the key principle in the waterfall model in software development? And it is D, sequential phases. The waterfall model is a linear, sequential, non-iterative approach for software development where phases basically flow downwards through the various stages.

Question 10. What is the primary objective of a business impact analysis? A, to assess potential vulnerabilities in an organization. B, calculate an organization's annual budget. C, identify critical business functions and their dependencies. Or D, assess the overall security posture of an organization. So what is the primary objective of a business impact analysis? The answer is C, identify critical business functions and their dependencies. I've done this numerous times, where we put a BIA together looking to see where are the essential business functions, to determine what happens if they didn't work anymore. Basically, if there was a ransomware attack and they went down, how would you recover from that situation? And this helps in developing strategies for effective business continuity and disaster recovery plans.

Question 11. What is the primary purpose of a data loss prevention system? A, to provide backups of the data. B, to ensure data confidentiality and prevent unauthorized data exfiltration. C, to protect against data corruption. Or D, to speed up data recovery processes. So what is the primary purpose of a DLP system? And the answer is B. DLP systems help prevent unauthorized data exfiltration and protect sensitive data from being accessed, modified or transferred by unauthorized users.

Question 12. In a system designed for high availability, what is the purpose of failover clustering? Again, high availability for these systems. They need to be up and operational a lot. A, provide fault tolerance. B, to increase computing power. C, to provide load balancing. Or D, to improve network security. So what is a high availability system and what is its purpose for fail-overing? And that would be A, provide fault tolerance. Fail-over clusters, basically, are set up so that if one fails, another node will take over to ensure you have continuous service, thus providing fault tolerance.

Question 13, in terms of network security, what does the term defense in depth refer to? Again, what does defense in depth mean? And the answer, or not the answer, a question or one of the answers: A, placing all defenses in a network perimeter. B, implementing multiple layers of security controls throughout the IT system. C, implementing the strongest possible defenses. Or D, defending in all directions. Okay, in terms of what does it mean for defense in depth? It is B, implementing multiple layers of security controls throughout your entire IT system. This defense in depth strategy employs multiple layers of defenses to slow down an attacker and protect the system, but it's also to provide what we call like little trips, like in the days of having a Claymore mine. You'd trip a trigger and it would send off an alert, send off a sound, and that's the same concept as it relates to question 13.

Question 14, what does the principle of least privilege mean? A, every user must know the minimum about the system. B, users should have privileges regularly reduced. C, users should be given a minimum level of access required to do their jobs. Or D, all users should have the same level of access. What does the principle of least privilege mean? And the answer is C, users should be given the minimum level of access required to do their jobs. Basically, the minimum access to perform their job is important because it does reduce the potential damage from accidents or even misuse.

Last question, what is the main goal of penetration testing? Okay, what is the main goal of penetration testing or pen testing? A, find as many vulnerabilities as possible. B, gain unauthorized access to a system. C, test the organization's incident response capabilities. Or D, test the effectiveness of the security controls in place. Again, main goal. So you get find as many vulnerabilities. The pen test won't do that. Gain authorized access to systems it will, but that's not the main goal. Test the organization's incident response process, that's also a secondary goal, but the primary one would be to go and effectively check the security controls in place to see if they are set up so that they can protect from exploitation.

All right, all right, that's all I have for today. I hope you guys have a wonderful, wonderful day, have a great Christmas holiday and we will catch you on the flip side. See you.
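The stateful versus stateless distinction from question four, as an added example that is not part of the episode: a toy header-only (stateless) filter beside a toy connection-tracking (stateful) one, run over constructed packets. The addresses, ports and the "allow inbound from source port 443" rule are assumptions made up for the illustration.

```python
# Added example, not from the podcast: toy stateless vs stateful packet
# filters over constructed packets, showing why remembering connection state
# lets a stateful inspection firewall admit replies without a blanket inbound rule.
from __future__ import annotations
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."  # constructed: addresses with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a connection-opening SYN


def is_outbound(pkt: Packet) -> bool:
    return pkt.src.startswith(INTERNAL_NET) and not pkt.dst.startswith(INTERNAL_NET)


def stateless_filter(pkt: Packet) -> bool:
    """Header-only rules. To let HTTPS replies back in, a stateless filter needs
    a rule like 'allow inbound from source port 443', which also admits
    unsolicited packets that merely carry source port 443 (the weakness)."""
    if is_outbound(pkt):
        return pkt.dport == 443
    return pkt.sport == 443  # overly broad return-traffic rule


class StatefulFilter:
    """Records connections opened from inside; an inbound packet is allowed
    only when it matches the reverse 4-tuple of a tracked connection."""

    def __init__(self) -> None:
        self.table = set()  # entries: (src, sport, dst, dport) of outbound SYNs

    def allow(self, pkt: Packet) -> bool:
        if is_outbound(pkt):
            if pkt.dport != 443:
                return False
            if pkt.syn:  # new connection: remember it
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Returns {name: (stateless_decision, stateful_decision)} for constructed traffic."""
    fw = StatefulFilter()
    traffic = [
        ("client SYN to web server", Packet("10.0.0.5", 51000, "93.184.216.34", 443, syn=True)),
        ("web server reply", Packet("93.184.216.34", 443, "10.0.0.5", 51000)),
        ("unsolicited probe from port 443", Packet("203.0.113.9", 443, "10.0.0.5", 22)),
    ]
    return {name: (stateless_filter(p), fw.allow(p)) for name, p in traffic}
```

Both filters pass the client's request and the server's reply, but only the stateful one drops the unsolicited packet, because no tracked connection matches it.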
