CCT 139: Practice CISSP Questions (All 8 Domains)

May 09, 2024

Cybersecurity isn't just about the tech; it's about making tough calls under pressure, and this episode is your field guide to navigating those high-stakes scenarios. I'm Sean Gerber, and today we dissect not only the ins and outs of crucial security measures like multi-factor authentication—underscored by the UnitedHealthcare ransomware fiasco—but also the contentious debate surrounding ransom payments during cyber-attacks. Get ready to gain managerial insight that could be the difference between a contained incident and a full-blown crisis, all while contributing to a cause that's reshaping lives—one adoption at a time.

We take a deep dive into the intricacies of Annual Loss Expectancy, Digital Rights Management, and why fault tolerance isn't just a buzzword—it's a lifeline. But it doesn't end there; we scrutinize the importance of weaving security into the very fabric of software development and tailor defenses against modern digital threats. From the nitty-gritty of end-to-end encryption to the frontline defenses against SQL injection, this episode isn't just a conversation—it's an arsenal of knowledge that'll arm you for the cybersecurity battles ahead, and a step on your path to CISSP certification.

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

Speaker 2:  

All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and I hope you all are having a blessed day today. Today is CISSP Question Thursday. Yes, we're going to be going over CISSP questions similar to ones you may see on the CISSP exam. As we talk about when we go over this podcast, the main point is that the questions you see on the exam will not be the same questions you're hearing here on this podcast. The ultimate goal of this podcast and these questions is to give you some insight and some guidance on how to answer a question from a manager's perspective, based on someone who's been doing cybersecurity from a management standpoint, because those are the decisions you'll have to make, and that's primarily what the CISSP is for.

Speaker 2:  

But before we get started, one thing I saw in a news article that came out just recently is around the UnitedHealthcare situation that happened with the Change Healthcare piece, where a ransomware attack occurred, and it was interesting. If it is true, it's actually quite scary why they got hacked, and it's understandable why they got hacked, honestly: they had not enabled multi-factor authentication. Supposedly this came from an article in The Register, and it basically says UnitedHealthcare's egregious negligence led to Change Healthcare's ransomware infection. And they talk about the fact that they did not have multi-factor enabled on their systems. Now, I'm not the one to say that they did or didn't, because I wasn't there and didn't look at any of the investigations. But if that is the case, that is unfortunate, because having multi-factor authentication does not stop these types of attackers, but it does put a significant roadblock or a speed bump in the way of them trying to gain access to your system. So I'm not sure how that did not occur, but it's an important factor that they need to consider as they put this in going forward.

Speaker 2:  

The other part of that article they talk about is the fact that they did pay $22 million in ransom, and they're saying that the government should ban this. Well, they've tried that. It didn't work. And I will say that the interesting part in all of this is that if you are in business and a manager, and if you're studying for the CISSP you're actually considering being in a higher-level position within your organization, not paying the ransom, yeah, it sounds great. Don't pay it. But if you have a business that has to run, I can see where people would pay it, just because, if they don't, because of poor choices in the past, they may be in a situation where their business goes out of business. So it's the devil you know versus the devil you don't know, and they may make the decision that, you know what, it's better off to pay it and fix our problems, fix our woes, than to just ignore it and go on. So I don't necessarily agree with the individual, and it's actually a video that talks about it. I haven't watched the video personally; I'm just kind of going through the article itself, and they may have a part in the video that is maybe more in line with the way I'm thinking as it relates to the ransomware piece of this.

Speaker 2:  

I totally agree with them. You should not pay the ransom. But also, working in a business and having a business, and also working in a very large business, I would say my senior leaders would have been very hard pressed to say, well, we're just not going to pay it, in the situation that they may be in. Now, then again, if their systems are fully operational and they feel like they've got good redundant backup systems and they feel very resilient, which is where businesses need to go, if they feel confident in the resiliency, then they shouldn't pay it. But if you're not confident that you're going to be able to recover from a situation like this, yeah, it's a tough call. That's where the CEOs make their money, right? It's to make this decision and decide if they want to do that or not.

Speaker 2:  

All right, so let's roll into the questions we have for today. All right, these questions are covering all eight domains. Next week we'll be starting domain one. But this week, with my wife being out of town, I was able to focus just on getting all eight domains put up for you guys. But next week will be a little bit more towards domain one, and then we'll move on from domain one on up to domain eight. Okay so, these are part of CISSP Cyber Training. You can go there and get access to these questions along with all the recordings that I have available. I highly recommend you go to CISSP Cyber Training, just because there's a lot of free content out there, and we'll be making some changes here in the near future, once I have some time. I want to make this more affordable for people that are just wanting to get the CISSP. I'm basically looking at breaking this into a tiered program, where right now you can just buy the CISSP products, and then you can also get some mentorship if you want, and then I also have a larger package where it's all mentorship and helping companies that have maybe a CISO or a senior executive that needs some assistance. Those hours are available for you as well. So basically a couple of different packages.

Speaker 2:  

However, we are starting up a nonprofit, my wife and I, as it relates to adoption for children, and my plan is that the sales that come from CISSP Cyber Training are all going to go into that nonprofit. The goal is I'm not going to take any money from this business. I want to put all that into the nonprofit, and the goal of this is that it'll help families that want to do adoption. If you guys look at our story, I've got seven kids, four of which are adopted internationally, and we feel very called that we should provide ways for people to be able to adopt kids and get them out of the foster care system and into family homes that they can actually move on with, whether it's international, whether it's local. We want to help provide some of that, either through low-interest loans, through grants, whatever it might be, and the goal is then to have CISSP Cyber Training pay for that. My wife has a couple of other businesses that we had goals to utilize for that as well, but they're not at a position where they can do that at this point. So the goal, then, is just to have CISSP Cyber Training fund that endeavor, but that's on a different podcast. We'll talk about that. That's just kind of where we're headed, and so if you hear about it and you see about it, just know that all the finances, all of the money that goes to CISSP Cyber Training, is going to be going into this nonprofit.

Question one: a multinational corporation is evaluating the risk associated with a potential data breach.

Speaker 2:  

The estimated single loss from such an event is $5 million, because it's your SLE, and the likelihood of this occurrence is once every 10 years. What is the annual loss expectancy, the ALE, for this event? So again, your single loss event is $5 million and the likelihood of this occurrence is once every 10 years. What is the annual loss expectancy for this event? A $500,000. B $50,000. C $5 million. D $50 million. And so the question again is what is your single loss? It's $5 million. Your occurrence is once every 10 years. What is the ALE? And the answer is A, $500,000. So your ALE is calculated by multiplying the ARO, which is your annual rate of occurrence, by the single loss expectancy, or SLE. So in this case, the ARO is 0.1, basically once every 10 years, and the SLE is $5 million, resulting in a $500,000 loss.

Speaker 2:  

Okay, question two: an organization is implementing a DRM system to protect intellectual property shared with external partners. Okay, so your digital rights management is DRM. Which of the following best describes the primary purpose of a DRM system? A ensuring data availability. B enforcing access control policies. C providing data integrity. Or D preventing data leakage. Again, what is the most important thing? They've implemented a DRM system. Which of the following best describes the primary purpose of a DRM system? And the answer is D, preventing data leakage. Again, these DRM systems are designed primarily to prevent unauthorized distribution of and access to digital media, therefore preventing the leakage.

Speaker 2:  

Question three: a security architect is designing a new system that requires high availability and fault tolerance. The architect decides to implement a system with redundant components. Okay, so that's basically more than one. Which of the following design principles is the architect applying? A defense in depth. B fail-safe defaults. C fault tolerance. Or D economy of mechanism. Again, so the architect wants to have high availability and fault tolerance. So what are they applying? And the answer is C, fault tolerance.

Speaker 2:  

That is achieved through a system with redundant components that can continue to operate in the event that one fails. So what you're dealing with there, obviously, is you have multiple systems and they are tied together. So obviously you're looking for something that is redundant. We'll use an example of a process control environment: you may have redundant firewalls, which means if one fails, all the data goes to the other one, and you want to do that in certain situations. Now, you don't always need that. It depends on the amount of money you have, obviously, and the amount of complexity you want to add to your organization, but redundant systems are very valuable, especially in highly critical locations. Question four.

Speaker 2:  

An organization is implementing a new network infrastructure. The security team is tasked with ensuring the confidentiality of data in transit. Which of the following would be the most effective method? A implementing VLANs. B using WPA2 encryption for Wi-Fi. C deploying end-to-end encryption. Or D installing stateful firewalls. So, an organization is looking to put in new infrastructure, and this team is looking to ensure confidentiality of the data in transit. Which of the following would be the most effective method? And the answer is C, deploying end-to-end encryption. Right, so using WPA2 on Wi-Fi is good, but that would affect only one area, same with a VLAN. When you're dealing with deploying end-to-end encryption, obviously any communication that goes from point A to point B is encrypted during the entire process, and that is the highest level of confidentiality that you can provide. I will say deploying end-to-end encryption is not an easy task, and it can be very cumbersome. It can be done, but it's best to start off from what they call a greenfield approach, where you start off with a brand new blank slate. You've just got a green field that you're building a building in. That is your best approach.

Speaker 2:  

Question five: a company is experiencing a high number of phishing attacks. The IT department is considering implementing a solution to improve user authentication. Which of the following would best address this issue? So again, they have a high number of phishing attacks. They're considering implementing a solution to improve the user authentication; hence Change Healthcare, maybe they should have had something else there. Again, I'm just making a comment. A password complexity requirements. B multi-factor authentication. C single sign-on. Or D regular password changes. Okay, what is the best to address this issue of a high number of phishing attacks? They all will work, right, but the best one is multi-factor authentication. Again, it requires multiple pieces of evidence to authenticate, and it does reduce the number of phishing attacks.

Speaker 2:  

Question six: a security consultant is conducting a penetration test on an application to identify potential vulnerabilities. What should be the first step in this process? So a security consultant is conducting a penetration test on an application to identify potential vulnerabilities. What should be the first step in this process? A running a vulnerability scan. B establishing a scope and rules of engagement. C reviewing the application source code. D conducting social engineering attacks. So, again, the consultant is conducting a penetration test on an application, looking for specific vulnerabilities. What would be the first step? And it would be B, establishing the scope and rules of engagement. When you're dealing with any sort of organization, you want to define your scope and rules of engagement, especially when you're dealing with pen tests. I'll give an example. You come in and you have someone that's attacking your network. If you don't provide the scope and rules of engagement for that pen test, they could go much further than you want. They could get into areas you don't want them to go to. They could waste a lot of time chasing areas that are potentially not as valuable to your organization. So you really truly want to have the scope and the rules of engagement defined for that penetration test.

Speaker 2:  

Question seven: an incident response team is dealing with a suspected data breach. They need to prioritize their actions. What is the first thing they should do? A notify law enforcement. B contain the breach. C perform root cause analysis. Or D restore systems from backups. And obviously, if you guys have listened to this podcast long enough, the answer is B, containing the breach. You want to make sure that you have the breach under control as best as you possibly can before you end up doing any of these other options. Now you may have a situation where you might be working those in parallel, such as notifying law enforcement as you're containing the breach. That may be something you may be considering, depending upon your organization, and maybe the fact that the requirements are that you have to get a hold of law enforcement within a short period of time.

Speaker 2:  

Question eight: a software development team is implementing security measures in the early stages of the software development lifecycle (SDLC). Which of the following is a proactive approach to security? A implementing security requirements in the design phase. B conducting a code review after deployment. C running a vulnerability scan post-deployment. Or D applying patches to software after release. So, again, the software development team is in the early stages of the SDLC process.

Speaker 2:  

Which of the following is a proactive approach to security? And the answer is A, implementing security requirements in the design phase of the project. Again, working through, always having security at the front of your mind. That does not mean it has to take over, especially when you're dealing with development, but it should be something that is foremost in your mind as you are moving down this path of the SDLC. Question nine: an organization is considering adoption of cloud services but is concerned about the potential risks. Which of the following is a key consideration when assessing cloud service providers? A the physical location of the data centers. B the cost of services. C the scalability of services. Or D the color of the data center buildings. Oh yeah, that's pleasant, right?

Speaker 2:  

The color, you could probably throw that one out, right, unless you really like mauve. If you really like mauve, then you'll definitely go with them, because that's the most important thing. I think mauve is like a peachy pink, something like that. Yeah, it's an 80s thing, if I'm not mistaken, 80s or 90s, because I am that old and I would know that. Again.

Speaker 2:  

Question nine: the organization is considering the adoption of a cloud service, but is concerned about the potential risk. Which of the following is a key consideration when assessing cloud service providers? And the answer is A, the physical location of the data centers. Why is that important? Well, if you're dealing with your data centers and their location, one, you may have regulatory requirements on where the data is being stored. Two, you may want to know where they're stored and what data centers they're using, because in the case of a DR environment where, let's say, you have an earthquake and they're all located within the same geographic location, even if they are in separate data centers, that does not help you, especially if there is an earthquake or a tornado. You would want them to be at least geographically separated by a distance that you are comfortable with. What most people kind of consider is at least 100 miles is the recommendation; I think it's 100 to 150-ish, in that space. But you would want to have them at least geographically separated by a distance greater than X, whatever your company is comfortable with. And if you're dealing with AWS or, obviously, Microsoft, they have data centers that are scattered all over the globe, and there's different options around disaster recovery if you want to use those for that.

Speaker 2:  

But something to consider. Question 10: a company's proprietary data has been leaked. The investigation reveals that an employee copied data to a USB drive. Which security control could have prevented this incident? Okay. A network segmentation. B DLP, a data loss prevention system. C antivirus. Or D firewall rules. Now, obviously, all of those except for antivirus, unless the USB blocking is built into your antivirus, which is a possibility, but they're not asking that question. But all those will help in some regards to limiting the blast exposure from a USB drive. However, DLP, or having some sort of DLP-type system within your environment, would be a great first step, and that could include banning USB drives. And you could have the DLP system, such as Purview or other types of products out there, monitoring USBs. But you may have an endpoint system like CrowdStrike that's actually set up to block USB access as well. So it just depends on the company.

Speaker 2:  

Question 11: a company is deploying a new public-facing web application. Which of the following would be the most effective in protecting against SQL injection attacks? A intrusion detection systems. B regular patching. C input validation. Or D strong password policies. Okay, protecting against SQL injection? It would be input validation, right. So I've used various inputs multiple times hacking into companies, or, I should say, military installations, and input validation would have stopped me dead in my tracks multiple times. Now it won't stop them all, right? There's not one perfect fit for all these different things with which you can stop the attackers, but it's a great place to start.

Speaker 2:  

Question 12: a network administrator is configuring a firewall to secure an internal network. Which of the following rules would be most effective in preventing unauthorized access? So a network administrator is configuring a firewall to secure an internal network. Which of the following rules would be the most effective in preventing unauthorized access? A allowing all outbound traffic. B blocking all outbound traffic. C permitting traffic from trusted IPs only. Or D denying all traffic by default. Okay, so what is the most effective? You'd be going, well, permitting traffic from trusted IP addresses only. That would be the logical one you would go to, right? But they're asking the most effective. That doesn't mean the most correct, but it means the most effective. Most effective would be denying all traffic by default. Obviously, permitting traffic from trusted IPs would be the logical choice where you'd want to go down this path. But if you really truly want to have the most secure setup, in the most effective way of preventing unauthorized access, you would deny all traffic by default.

Speaker 2:  

Question 13: an organization wants to ensure that user access rights are appropriate and not excessive. Which process would be most effective in achieving this? A user account provisioning. B periodic access reviews. C implementing role-based access controls. Or D enforcing password expiration. Question 13 again: an organization wants to ensure that user access rights are appropriate and not excessive. Which process would be most effective in achieving this? And the answer is B, periodic access reviews. Obviously, reviews are important, especially when you're dealing with access rights. So often a company will set those up and they will forget about them, and then they have credential creep. You have all kinds of things that occur, and then you look back at this going, what did we just do? So again, the process that's most effective in achieving this would be periodic access reviews.

Speaker 2:  

Question 14: a company wants to evaluate the effectiveness of its security controls. Which of the following would provide the most comprehensive assessment? A compliance audits. B security awareness training. C penetration testing. Or D vulnerability assessments. They want to evaluate the effectiveness of their security controls. Which of the following would provide the most comprehensive assessment? So this is a tough one, right? This really comes down to, if you're going to be dealing with the assessment, you may want to have more information. So this one would be the point of going, well, are they asking for a vulnerability assessment, just an assessment of a system, of an application? Are they asking me something that is related to the overall application or my infrastructure, or what, right? So there's this question in here. So this is a tough one. So each of these, as I go through, will kind of give you an idea that, well, maybe I could bite off on that one, maybe I could bite off on this one. A is compliance audits, okay. B is security awareness training, C is penetration testing and D is vulnerability assessments. So which is the most effective assessment of its security controls, which would provide the most comprehensive assessment? So if you're looking at security controls, you may tend to go, well, I'm going to do a vulnerability assessment; that will help me understand the most comprehensive piece of this. Or a compliance audit, maybe. You know what, I've got an audit, so you might focus on the audit name and go, aha, there we go. Realistically, when you're talking security controls, the best and most effective comprehensive assessment would be your penetration testing. They would be focused on those controls specifically, so that would be your best. Now, again, you may have to whittle this down. Obviously, security awareness training could be thrown out right away, but the main part of this is considering the security controls, and then, what is the most comprehensive assessment of that?

Speaker 2:  

Question 15: a security analyst is monitoring the network traffic and notices unusual activity that could indicate a cyber attack. Which tool would be the most useful in analyzing this activity? A a network diagram. B a security information and event management system (SIEM). C a data classification schema. Or D a change management log. Okay, well, you guys probably can figure this one out, but if you don't have a background in it, obviously, then that may be a little bit more challenging when it comes to analyzing the activity.

Speaker 2:  

The key thing here is using a SIEM, and your SIEM is an important factor in an organization, and this is where all the different types of security events come into. Now I will say that SIEMs will range; they can be very complex, very complicated, to something that's very simple and more or less a SIEM in a box that you can plug in and you're good to go. The interesting part, though, is it just depends on the size of your organization and the SIEM that you want to use. There are various other options out there. Obviously, you have Microsoft, you have ArcSight, you have, I mean, pretty much everybody's got a SIEM du jour that you can use, but you need to find something that works best for you and your organization.

Speaker 2:  

Question 16: a developer is concerned about the security of third-party libraries used in an application. What is the best practice to mitigate the risk associated with these libraries? A using the latest version of all libraries. B conducting a thorough code review for each library. C using only libraries from reputable sources. Or D all of the above. So again, third-party libraries used in an application. What is the best practice to mitigate the risk associated with these libraries? And the answer is D, all of the above. Again, you want to use the latest version, right, the most up-to-date code. You want to conduct a thorough code review of each library, and then you use only the libraries from reputable sources. Sometimes even the reputable sources have issues.

Speaker 2:  

Okay, that is all I have for you today. Excited to help you guys pass your CISSP. Had another person reach out and say they just passed the CISSP, woo-hoo. So life is good. I get emails all the time from people that are passing this test through the use of CISSP Cyber Training and other resources that they have found out there on the internet, which is great. I highly recommend that you look at other places online, especially for the CISSP. People learn in different ways, and therefore not just one way is the only option for you, so please go check out different options. Let me know, keep me informed on if you're passing the CISSP. Actually, if you give me your name and you're allowing me to say it on the air, I'm happy to put a shout-out out there for you. I'm getting multiple emails from people that are passing the CISSP. Head on over to CISSP Cyber Training.

Speaker 2:  

Again, check out what's out there and available. Again, I'll tell you right now, I haven't posted it on the website just yet, but it's in the process of being done. I'm just running out of time, but all the sales that are going on at CISSP Cyber Training are all going to be going to our nonprofit. More to follow on that, and I will put on the website itself what the nonprofit name is and so forth. My wife is still trying to figure out what the name is going to be, but everything's going to our nonprofit for adoptive kids, because the money is not important. That's what's important, period. All right, hope you guys have a wonderful day. Again, let me know if you have any questions or concerns, but we will catch you on the flip side. See ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
