CCT 173: Practice CISSP Questions - Media Protection, Encryption, and Mobile Security for the CISSP (Domain 7.5)

Sep 05, 2024

Unlock the secrets to safeguarding your organization's most sensitive data and enhance your cybersecurity acumen. Join us on the CISSP Cyber Training Podcast as I, Sean Gerber, break down the critical importance of managing secrets within popular collaboration tools like Slack, Jira, and Confluence. Discover practical methods such as real-time monitoring and swift remediation to secure API keys and encryption tokens. Learn how fostering a culture of security awareness through educational initiatives can significantly mitigate risks and enhance overall security posture.

Next, we turn our attention to data sanitization and media destruction—essential processes for maintaining confidentiality and regulatory compliance. I’ll guide you through various methods of data sanitization and media destruction, from degaussing to shredding and pulping, while also demystifying the concepts of MTBF and MTTF. We'll delve into the challenges of data classification and the importance of proper data labeling. Whether you’re prepping for the CISSP exam or simply looking to deepen your cybersecurity knowledge, this episode is rich with actionable insights and expert guidance. Tune in and elevate your cybersecurity skills to the next level!

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:  

Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is an amazing day. Today we get to talk about CISSP questions. Yes, CISSP. I don't know what I was going to say there. My wife gives me a hard time. I get in the middle of something and I kind of have two words blended together. Yes, that's what happens when you get old. Yeah, you blend words together, but hopefully they're. None of them are bad words. We wouldn't want that. But no, I am looking at.

Speaker 2:  

We're right now getting ready to do the CISSP questions for this week, and this week we're going to be focused on domain six. But before we get started we had an article I saw that I wanted to bring to your attention, as I know you all are just riveted riveted beyond belief for the different articles that I bring forward. But I'm bringing these to you as a CISO who has experienced many of these challenges. So if I bring an article up, it might be something you want to consider, especially if you're in the development space. This one, specifically this one, comes into around the use of Slack. Now, I don't know if you've all used Slack or not, but Slack, in some respects, isn't the problem. It's these collaboration tools on. Where you put your data is more of the challenge, and it could be Slack, it could be Jira, it could be any of these areas that you would keep your data in. That's the problem that it comes down to, and this article says why should your CISO worry about Slack? Now, what it's really coming down to is where do you store your secrets, where do you store your development code? And what I've seen in many, many times, many times, is that the development code that my developers would use or even if it is folks that are developing web applications, folks that are actually in AWS, whatever kind of code they're creating, in many cases they were keeping this data in a repository of some kind, and so, if they keep this in this repository, many times the encryption keys that are set up for this, the certificates that are used to authenticate, the encryption keys that are set up with it, they are all in not all, it's not the right word, but many of the cases these things are hard-coded inside the code, and they do this a couple of reasons. One, they don't know how to have it set up, where they would be using maybe an HSM or some other type of tool to do the negotiations for certificate management, and they may end up, just because they tested it, it worked. 
Well, if it tests fine, don't fix it. Don't try to make it something more than what it already is. So they put something that would be a test type of product into production.

Speaker 2:  

Well, this talks about the fact that the secrets are everywhere and they are multiplying, and that is no joke at all. They are definitely growing at an exponential level. This could be secure API keys, access tokens, encryption keys, anything you name it, and in many cases they are put within these repositories. So the main thing you need to think about is, are you using these types of products: Slack, Teams, Jira, Confluence? Are you using them? If you are using them and you are a security person within your organization (it doesn't mean you have to be the CISO, but just say you're a security person within your organization), you need to consider where is this data being stored and how is it being protected?

Speaker 2:  

These collaboration tools, as I mentioned in the article, they are a goldmine for attackers, because a lot of this information that they would be trying to find within your various network environments is stored within these collaboration tools. So it's an important part. I've used it. I've actually had our development team. They used to have a scanning tool that would go through and scan for any secrets that are in our storage repositories, and they would look for any of these challenges. API keys is another huge one. You're going to see that everywhere. So I will just tell you that it's an alarming thing that you need to be aware of, and if you're trying to make a name for yourself within your security team, it's a great place to start. Go dig in there, find some things, maybe find some issues, and then bring those up to your senior leader. Show them what you've done, but don't just show them that, hey, hey, Houston, we have a problem. You need to go to them with some ideas on how to fix that. So they have.

Speaker 2:  

They bring up a couple different solutions that you can look at. One is real-time monitoring. This is, they've got, they mentioned, GitGuardian scans your collaboration tools detecting secrets. Consolidation alerts. This is where they have multiple occurrences of the same secret across different platforms, basically consolidating that into one. They recommend validity checks. This is where the platform doesn't just flag a secret. It also checks if they're valid and if they still have some sort of existence. And then quick remediation is, with real-time alerts, you can take swift action to revoke these compromised secrets. Those are the four bullets they talk about in this article.

Speaker 2:  

The bottom line, though and this is kind of the next line that they bring up is you need to make sure that you cultivate this thought process of protecting your secrets within your organization, and this comes down to auditing your environment, also doing like lunch and learns with your folks, with your development folks walking them through. Hey, this is the proper way to secure your creds, this is the proper way to store your credentials. This is what you should do to scan your environment to ensure that there aren't any sort of issues within your environment. All of those things can be done as a proactive approach to avoid the unenviable position where you now have a situation that comes up and your credentials are actually stored in your repositories Bad idea. So it's just important for you to go through and try to find different ways you can to help ensure that your development folks have all the tools they need to best protect the environment within your organization. So, again, the bottom line is scan for them, look for them, teach people about them and then repeat, go over and over and over again, and having somebody within your team to help just do that on a proactive basis is a really important factor and I would highly recommend it within any organization.

Speaker 2:  

Okay, let's go ahead and get started into the CISSP questions for today. Okay, so we have 15 questions over domain six. So these are the folks that these are the questions that are tied specifically to the podcast that was released on Monday, and so I get a lot of feedback from my folks that listen to the podcast, that are taking their CISSP and passing, which is awesome. I also get feedback from folks that don't pass, and you know what I feel for you. I really do. It's a hard test, it's a bugger, but these questions are designed to go over some of the different things we talked about in the podcast on Monday.

Speaker 2:  

So question one. What is the primary purpose of data classification? A, to determine the value of data to the organization. B, assign data to specific storage locations. C, protect the data from unauthorized access. Or D, to implement access controls. Now, all of those are important, right, but what is the primary purpose? And the primary purpose is A, to determine the value of the data to the organization. So, again, when you're doing data classification, it helps determine the overall value of it. Now, it may not give it a specific number of what that specific data is worth, but it helps determine the value to the organization, which then in turn helps you guide and determine what security measures are best for the resource allocations and the allowing for to protect the information.

Speaker 2:  

Question two. Which of the following is a common data classification level? A, public; B, private; C, confidential; or D, all the above. And a common data classification level, what one is it? It is D, all of the above. Public, private and confidential are common data classification levels. Now, these can vary from company to company and they may have a different spin: General, public, private, confidential, top secret. They may depend on the company, but those are a common data classification level. Data labeling is used to do what? A, assign a unique identifier to each data item. B, indicate security level or sensitivity level of the data. C, categorize the data based on its content. Or D, protect data from unauthorized access. So data labeling is used for what, and it is B, indicate the sensitivity of the level of data that it is protecting. So data labeling will indicate the sensitivity of it to ensure that the appropriate handling and protection of this data is being accomplished. Again, you want to have it set up so that it's the proper way that it's being stored and being managed.

Speaker 2:  

Data sanitization, what is that? What does that involve? Okay, data sanitization involves what? A, removing sensitive data from storage media. B, encrypting data to protect it from unauthorized access. C, applying access controls to the data. Or D, classifying the data based on its value. Again, data sanitization, what is it? It is A, removing sensitive data from storage media. So removing the data from the storage media, either physically, such as shredding it, destroying it, or in a situation where you digitally move it from one location to another. The sensitivity of the data, what it actually is, may determine how you actually sanitize it, which the podcast kind of talked about. Right, either you shred it, you may overwrite it. In some situations you may not even care, you just may turn around and reuse it. Highly unlikely, though.

Speaker 2:  

Question five what is the purpose of a media destruction? A to prevent data recovery. B to ensure data confidentiality, c to comply with regulatory requirements, or D all of the above. So what is the purpose of media destruction? And it is D all of the above right. So media destruction in many cases are requirements of regulatory folks and they require this because they want to make sure that you destroy the media. They don't want it just floating around somewhere in a far-off place, such as Asia, and then something happening to it or wherever. It could be South America, it could be Mexico, it could be San Bernardino, you don't know. So it just depends on the media destruction. It's all of those. You wanna ensure data confidentiality and you also wanna prevent any sort of data recovery.

Speaker 2:  

Question six. Which of the following is a common method for media destruction? A, degaussing; B, shredding; C, pulping; or D, all of the above? If you're catching a trend here, I just kind of, I was in a mood. I was in a mood for all of the above, right. So degaussing obviously is magnets. It blasts it with magnetic fields. Shredding is, yes, it's the tree shredder. You just throw it in a tree shredder and it chops it all up. Actually, it's different than a tree shredder. It's a little bit better than that. And then there's pulping, right. So setup designed specifically for, depending on the level of security in which you are trying to destroy your data.

Speaker 2:  

Question seven. MTBF, Mike Tango Bravo Foxtrot, stands for what? Mean time between failures, A; B, mean time between fixes, that's B; C, mean time between failure; and D, mean time to fix. Okay, so we know that MTTF is not what we're talking about, so you can reduce to get rid of the last two for sure. MTBF is mean time between failures. It is A, right, it is the average time between failures of a system. But the key gotcha, the key thing to think about is it just means you can fix it. If it's MTBF. MTTF stands for what? Mean time between failures, A; mean time between fixes, B; mean time to failure, C; or mean time to fix, D. Get rid of A and B, because it doesn't deal with anything of MTBF. It is mean time to failure. It's the average time of failure of a non-repairable system. Again, can't fix MTTF. Question nine. Which metric is more relevant for systems that can be repaired? Just like we mentioned, MTBF, MTTF, both MTBF and MTTF, neither MTBF or MTTF, or what other acronym soup you wish to make. And obviously we talked about it just a little bit ago. MTBF allows it to be repaired. This measures the time between failures and subsequent repairs.

Speaker 2:  

Question 10. Data classification is primarily a responsibility of A, IT security professional. Sometimes, many people would like the IT people, the security people, to do it for them, but yeah, no, it's not it, A. Or B, data owners; C, data owners or data users; and then D, all of the above. Okay, this is one where you glob onto and go, no, it's not all of the above this time. No, so it's not. So, it's data owners. We've already talked about this with CISSP Cyber Training over and over again. Data owners are the ones that are responsible. They do like to pass the buck, though. They do like to let anybody else make the decisions rather than themselves, because they don't know, and so sometimes they will say, well, you guys just tell me what you need, needs to be. Yeah, that doesn't always work.

Speaker 2:  

Question 11. Data labeling is most often implemented through A, metadata; B, encryption; C, access controls; or D, auditing. Data labeling is often implemented through A, metadata. Metadata is used to store information about the data, including a sensitivity label, which in turn is used for labeling. Again, metadata is a big factor in a lot of different aspects.

Speaker 2:  

Question 12. Which of the following is a challenge associated with data classification? A, lack of standardization; B, difficulty in determining data value; C, resistance from data owners (oh, I mentioned that before); or D, all of the above? Which of the following is a challenge associated with data classification? And it is all of the above. You are correct, yes, it is all of the above. Lack of standardization, big time. Difficulty in determining data value? Oh yeah. And resistance from data owners? Most definitely. So, it's all of the above.

Speaker 2:  

Question 13. Media destruction should be performed according to what? Policies, industrial standards or regulatory requirements? Okay, A, organizational policies. B, industrial standards. C, regulatory requirements. Or D, all the above. Media destruction should be performed according to what? Yes, all of the above, depending upon your organization. You may want to, some organizations don't care, but there may be a regulatory spin that may force you to do it. Industrial, industry standards, depending upon if you're in the microchip industry, oh yeah. Healthcare, oh yeah. Manufacturing, maybe not so much, so it just depends. Question 14.

Speaker 2:  

MTBF and MTTF are used to assess what? A, system reliability; B, system availability; C, system performance; or D, all of the above. So MTBF and MTTF are used to assess what, and it is A, system reliability. MTBF and MTTF are used to measure reliability, indicating the frequency of failure and the time it takes to recover from them, depending upon which one it fails: MTBF, you can fix it; MTTF, you cannot fix it. And question 15. When evaluating the security of a system, which metric would be more important, MTBF or MTTF? Again, security of a system, which metric would be more important? A, MTBF; B, MTTF; C, both; or D, neither. And the answer is B. MTTF is more important for a security evaluation, as it indicates the time before a system fails completely, which can have significant security implications. Right, MTBF is an important part, but if you want to know that, especially from a DR standpoint or even doing a BIA, you will go, well, if this system goes away completely, what kind of pickle does that put me in? What kind of situation am I in? Again, MTTF is the security metric you would want to be more aware of. Okay, that is all I have for you today.

Speaker 2:  

On CISSP Cyber Training. Head on over to CISSP Cyber Training. You can get content, all this content available to you. You can get access to my videos. You can also keep in mind that anything you purchase at CISSP Cyber Training is all going to a charity nonprofit that focuses on charity for adoptive children, helping parents that want to adopt kids.

Speaker 2:  

It's a lifelong goal of ours, my wife and I, that we want to give back to the community, give back to the world, and helping kids is what we're called to do. Helping foster kids and kids that want to be adopted into families that want them to that's not the right word that want to raise them and want to be a part of their lives and want to help nourish them. That is what we are there for. So we definitely want to do that with CISSP Cyber Training. Also, head over to cyberriskcom. That's my consulting website. Head over there. If you are looking for any sort of security consulting that is available to you as well. Just go out there and reach out. Take a look at it. It's still in the development stage, so it's not real super pretty, but it works and just reach out if you have any questions. All right, have a wonderful day and we will catch you on the flip side, see ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
