CCT 179: Practice CISSP Questions - Data Security Controls, Labeling, and Cloud Access Security (CISSP Domain 2.6)
Sep 26, 2024
Ever wondered about the real difference between a data leak and a data breach? Join me, Sean Gerber, on the latest episode of the CISSP Cyber Training Podcast as we unpack the nuances between these two critical cybersecurity concepts. Learn how data leaks often result from human mistakes like weak passwords, while data breaches involve deliberate cyber attacks. We'll walk through different types of sensitive data, including PII, financial information, PHI, and intellectual property, and emphasize the need for precise language to help cybersecurity leaders communicate more effectively and avoid unnecessary panic. Plus, get a sneak peek into a CISSP exam question focusing on the stringent security controls required for data in use.
Choosing the right Data Loss Prevention (DLP) solution doesn't have to be a headache. In this episode, we tackle cost-effectiveness and real-world challenges that come with selecting DLP solutions. Hear about the compatibility hurdles of Digital Rights Management (DRM) solutions, including the struggles between Adobe and Microsoft's products. Discover how DLP and DRM technologies sometimes clash, and learn what to look for to ensure seamless integration. Don't miss these invaluable insights designed to sharpen your cybersecurity acumen and prep you for the CISSP exam.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:
All right, let's get started. Hey all, Sean Gerber with CISSP Cyber Training, and hope you all are having a beautiful day today. Today is Thursday, and what happens on Thursdays? Thursdays are the CISSP questions that are tied to Monday's podcast, and Monday we talked about domain 2.6, and that is the various parts around data states, CASBs and the like. So today's questions are going to be tied to that as well. But before we get started, we kind of want to talk about an article I saw that I think is pretty helpful in the fact that it kind of brings out: what is a data leak? What is a data breach? Those words are used synonymously or ubiquitously. Actually, I don't think that's the right word, but they're used together and they're not always the same thing. I mean, they are using the same type of data, but they have different meanings. And so, to kind of put it a little bit in perspective, they have some statistics here that in the first quarter of 2023, 6.41 million data records were leaked out of 300 million accounts. Now this is on The Register, and you can get access to this through CISSP Cyber Training. You can check it out, but if you go Google The Register about data leaks and data breaches, it'll be there as well. It talks about the different types of breaches and what they are, so it helps with the language a little bit. They also talk about a couple of data breaches that occurred that were pretty significant in size: the Aadhaar (I don't know how to even say that) was done in 2018 and exposed 1.1 billion, Yahoo exposed 3 billion, and then the Cam4 data breach exposed more than 10 billion data records. And these are all just data records that are out there. And then they also mentioned, let us not forget the DoD and what happened with them. So I agree.
I mean, it's just a lot of different data that's floating out there in the ether that affects people with their lives. One point I also brought into it is that the standard breach will cost about four and a half million if you deal with the third parties to help you clean it up, your potential downtime, reputational hit, even having to replace servers and the like. So that's the number I've seen floating around for a while, and I think that's probably about right when it comes to dealing with a data breach of some kind. So what is the difference between a data leak and a data breach? What are the differences between them? Well, again, the words are important to understand because you, as a security professional, will be educating your leaders on what this means. So you have data leaks and data breaches.
Speaker 2:
A data leak is often unintentional, and usually it's caused by a human making a mistake. Okay, so that's your data leak. I've done this myself: accidentally sending stuff to your Gmail account, accidentally clicking on a phishing attack, weak passwords, getting onto Wi-Fi networks that you probably shouldn't. All of those are considered what they would call a data leak, and this can happen with sensitive-type data, and so, therefore, you wouldn't consider that a breach. Now, the breach is often deliberate and can be caused by a cyber attack or by unauthorized individuals attempting to access sensitive data. So, again, the breach is when it gets to be there and actively progressing towards something.
Speaker 2:
A leak is where it's usually done by humans and it's unintentional. It can be intentional, but in most cases it is an unintentional type of situation. Now, the data that's collected: I deal with this with multiple of my clients, and you've also heard of it. You have PII, which is your personally identifiable information. I've talked to compliance folks and they say, well, it's really not called PII anymore, but PI. It could be just personal information; financial information, obviously, credit cards; personal health information, your PHI, that's dealing with your medical records and so forth; account information, your login; intellectual property, obviously that's a huge factor; and then other sensitive information that you may deem to be appropriate. So the ultimate thing of this is: how do you prevent them? How do you work through them? But they wanted to kind of talk about a data leak versus a data breach, and you, as a person who's in the cybersecurity space... I've used them wrong, I know, and I think it's even with incidents and events, breaches. I've talked to senior leaders about using the word incident versus a breach. A breach will carry a very different connotation as a word than an incident will, and depending on who you're talking to, data regulators and so forth, if they hear the term breach, that sends off all kinds of bells and whistles. So understanding the differences between the words, how they are used and what they actually mean is an important part of your cybersecurity journey. So let us get started.
Speaker 2:
We're gonna roll right into the CISSP questions for this week. Okay, so question number one: In a data classification scheme, which data state would require the most stringent security? So again, in the classification scheme, which data state would require the most stringent security controls? A, data in transit. B, data at rest. C, data in use. Or D, data in backup? Again, in the classification scheme, which data state would require the most stringent security controls? And the answer is C, data in use. Again, that's when it's most sensitive, because it's actually being used and processed. There are various other types of data that you may deal with. I should say I'll disregard. I was going to talk about homomorphic encryption, but we'll get into that another time. But the bottom line is this: the most stringent type of security controls is data in use.
Speaker 2:
Question two: Which of the following is a key principle of data minimization? So again, data minimization, that's making it less, right? You're minimizing it. A, collecting only the data necessary for the intended purpose. B, encrypting the data at rest. C, regularly reviewing and deleting outdated data. Or D, all of the above. So which of the following is a key principle of data minimization? And the answer is A, collecting only the data necessary for the intended purpose. As you're collecting this, for that only. The key principle is data minimization, and it helps reduce the risk of breaches because you minimize your data.
Speaker 2:
You want to basically clean all your stuff up. You don't want to have it everywhere, one; and two, wherever you have it, you want to have it minimized so that only the data that you're keeping is what is necessary. One example is I've seen years, I mean decades, of data sitting in SharePoint sites that are totally unused. So the question is, can we delete it? And their answer usually comes back, no, we never know if we might need it. It's that data hoarder mentality. Yeah, it can get you, it can get you.
Speaker 2:
Question three: What is the primary purpose of a data loss prevention system? A, to detect breaches. B, to prevent data breaches. C, to recover data after a breach. Or D, to encrypt the data at rest. What is the primary purpose of a data loss prevention system? Okay, so you might be going, hmm, I don't know on that one. It is B, to prevent, not detect: prevent data breaches. A DLP system is primarily used to prevent data breaches by identifying and blocking attempts to exfiltrate sensitive data from an organization. Now, I say that, and again you've got to understand the question; that's in this specific context. Will it stop breaches always? No. Will it stop every breach? No. Will data get out? Oh, most definitely. It is designed to help minimize and mitigate some of the risk associated with a data breach. But again, the question is what they're asking for in that specific question.
Speaker 2:
So you, as a security professional, when you're taking your CISSP, you need to think about it like that. Which of the following is a common challenge in scoping and tailoring security controls? Which of the following is a common challenge in scoping and tailoring security controls? A, identifying all relevant assets. B, assessing the risk levels. C, allocating resources. Or D, all of the above. Which of the following is a common challenge in scoping and tailoring security controls? And the answer is D, all of the above.
Speaker 2:
All of the above are common challenges in scoping and tailoring security controls, and it can be very difficult to identify all relevant assets and assess the risk levels accurately. And I would say that's probably one of the biggest challenges: trying to understand all the assets and then working through the risk. We've talked about this on this podcast a bit in the past. Understanding the overall risk to your organization can really only be done by understanding what are all the assets that you're trying to protect. So your risk may go, oh, I'm good. And then you discover something that basically has the crown jewels in it, and you're going, oh, I'm bad. So you're going to have to work through that. But understanding all the assets within your organization, especially those that contain critical or sensitive data, is a very important thing to do. It's a primary thing you need to consider.
Speaker 2:
Question five: What is the primary purpose of digital rights management, DRM? What is the primary purpose of DRM? A, to prevent data breaches. B, to ensure data integrity. C, to protect intellectual property. Or D, to facilitate data sharing. Again, DRM, what's its purpose? To protect intellectual property, C, by controlling access to and use of the digital content. That's how DRM protects their IP. A good example to think of is Sony and their music. So just kind of think of that as CDs that were out a long time ago, no longer MP3s. They were using CDs to protect their music.
Speaker 2:
Which of the following is a common limitation of a DLP system? A, it's difficult in detecting encrypted data. B, it's got high false positive rates. C, the inability to protect data in transit. Or D, limited effectiveness in preventing insider threats. Again, which of the following is a common limitation of DLP systems? And the answer is D, limited effectiveness in preventing insider threats. When you're dealing with a DLP product, it'll help with protecting data leaving your organization, but insiders can typically bypass the DLP product by exploiting legitimate access privileges. So if you know that I have access, they can work around it. Now, you can put controls in place to limit screenshots, to keep data from leaving through email. But if the employees need to use the data, they've got to use the data, so sometimes they will send the data home.
Speaker 2:
Question seven: What is the primary purpose of a cloud access security broker, a CASB? Cloud access security broker, what's the purpose of it? A, to encrypt data at rest. B, to provide secure access to cloud services. C, to detect data breaches. Or D, to prevent data loss? Again, what is the primary purpose of a cloud access security broker, CASB? And the answer is B, to provide secure access to cloud services. A CASB is used to provide secure access by enforcing security policies and monitoring cloud usage.
Speaker 2:
Question eight: Which of the following is a key consideration when selecting a DLP solution? What should you consider when selecting a DLP solution? What is a key consideration? Key, not the best, but a key consideration. A, integration with existing systems. B, cost-effectiveness. C, scalability. Or D, ease of use. Which of the following is a key consideration for a DLP? And it is B, cost-effectiveness. Again, cost-effectiveness is a key consideration because you must balance the cost of the solution with the benefits that you're trying to achieve with the product in place.
Speaker 2:
Question nine: Which of the following is a common challenge in implementing DRM? Which of the following is a common challenge in implementing DRM? A, technical complexity. B, user resistance. C, compatibility with different devices and platforms. Or D, legal issues. Legal issues. A common challenge to implementing DRM, and again, DRM is very use-specific. It is also very specific in what it's trying to protect, and it would be compatibility with different devices and platforms.
Speaker 2:
As an example, Microsoft products do not work well with... they work well with Microsoft, but you really can't use them with other types of products. Adobe and Microsoft, they don't play well together. To give you an example, Adobe has its own product, Microsoft has its product, and so, therefore, they are an interesting duck. They're different devices; different platforms can have issues, and I say this with Microsoft with DLP, and that's the same with DLP and DRM. They do struggle a bit. The other thing with DRM, that's the digital rights management piece of this, is sometimes, if you're using some level of protection on IP, it won't talk to another type of product that wants to uninstall it or, I should say, utilize it, and Adobe and Microsoft are a good example of that too. They don't work well. That's just a key thing. DLP and DRM, they just don't work well together.
Speaker 2:
Which of the following is a key benefit of using a CASB? What is a key benefit of using a CASB? A, improved visibility into cloud usage. B, reduced risk of data breaches. C, simplified compliance management. Or D, enhanced data security. Again, which of the following is a key benefit of using a CASB? And the answer is D, enhanced data security. Enhanced data security is a key advantage of utilizing CASBs because they help you protect the stored data that's in the cloud. Utilizing security policies and monitoring cloud usage, data going up and data coming down, can be a very effective tool when you're trying to figure out budgeting with cloud utilization. Cloud utilization can be very expensive, or using the cloud can be, so you need to have a good plan of how you're going to put data up there and take it down. In many cases, putting data into the cloud is less expensive, obviously, than pulling it out, because once it's in there, they've got you. So just consider your data usage when you're dealing with cloud activities.
Which of the following is a common method for classifying data? A, sensitivity labels. B, business impact analysis. C, data owners. Or D, risk assessments. So which of the following is a common method for classifying data? And the answer is B, business impact analysis. An impact analysis is a common method by which you can assess the potential impact of data breaches on the organization, and that's an important part, right? Like we talked about before, understanding where your critical data resides and your critical systems is a very important part for your company.
Question 12: Which of the following is a key principle of data sovereignty? Data must be stored and processed within a, B, C. Data must be accessed by all authorized users, or D, data must be regularly backed up. So which of the following is the key principle in data sovereignty? So think of the word sovereignty. What does that mean? It means what you own, right? Or its location, kind of thinking sovereign. Well, when you're dealing with sovereignty, A, the data must be stored and processed in a specific jurisdiction, and a specific jurisdiction is a key principle around data sovereignty and addresses the concerns of data privacy and compliance. I had to deal with this. When you're dealing with stuff in Europe, they have data privacy aspects or sovereignty aspects. China has it as well. If you transfer the data out of the country, then you have to utilize certain levels of security controls, i.e., data masking; you have to be able to obfuscate the data and so forth. So there are certain key principles around data sovereignty.
Question 13: Which of the following is a common challenge in implementing data minimization? What is a common challenge in implementing data minimization? A, identifying unnecessary data. B, resistance from users. C, technical limitations. Or D, lack of clear guidelines. So which of the following is a common challenge when implementing data minimization? And that is, lack of clear guidelines will be a problem, right? So if you don't have clear guidelines in implementing data minimization, your people won't know what to do, and this includes policies and procedures for basically identifying and deleting unnecessary data.
Question 14: Which of the following is a key consideration when selecting a CASB? A, integration with existing security controls or tools. B, support for multiple cloud platforms. C, cost-effectiveness. Or D, scalability. So which of the following is a key consideration when selecting a CASB? And the answer is C, cost-effectiveness. That is one of the key considerations. Again, we talked about this. With data going in and coming out, you need to understand what is the overall cost to your organization.
And finally, question 15: Which of the following is a key benefit of using sensitivity labels for data classification? What is a key benefit of using sensitivity labels for data classification? A, improved governance. B, improved access controls. C, simplified compliance management. Or D, enhanced data protection. So which of the following is a key benefit of using sensitivity labels for data classification? And the answer is A, improved data governance. Again, improved governance is a key advantage, where sensitivity labels can help organizations establish clear policies and procedures for handling and protecting the data. So, again, there are lots of options there for you to consider. As for the key benefit around sensitivity labels, I would recommend using them, because governance around labels is an important factor. If you don't have a good handle on that before you roll them out, you will have some challenges on your hands.
Okay, that is all I have for you today. This is CISSP Cyber Training. Head on over to CISSP Cyber Training and get access to all of my content. There's a lot of great stuff out there for you. You can check out my website and my blog. The videos will be posted out there as well, and you know, if you purchase anything from CISSP Cyber Training, it does go to my nonprofit for adoptive parents. Again, the Good Shepherd is going to be the name of it, and so that's where all of the proceeds from our sales of my cyber stuff go to. All right, thank you all for listening. I really do appreciate it. Head on over to iTunes. Please rate me on iTunes or any of those other places. That would be awesome. I'd greatly appreciate it. Even send me a note; send me how things are going for you, email me, let me know what's going on. You can do that at contact at CISSP Cyber Training. I'm happy to respond to you as well, but again, reach out to me anytime, and I'm really excited to see how you've passed the CISSP and are moving on. Have a wonderful day, and we will catch you on the flip side. See ya.
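The DLP questions in the transcript above (question three on what a DLP system does, question six on its limitations) describe the mechanism only in words. The following Python is an added example, written for this page and not code from the podcast or from any DLP vendor. It is a toy egress inspector that does what the episode says a DLP product does: identifies sensitive content in an outbound message (Luhn-validated card numbers, an SSN-shaped pattern, or a sensitivity label) and returns a block verdict. It also makes two of the question six limitations concrete: a payload that has been encoded or encrypted before it leaves carries no matchable pattern, and a user moving the same data over an approved internal channel is never inspected at all. The sample messages, the label names and the "internal" channel convention are all constructed for the example.

```python
"""Toy DLP-style outbound content inspection (added example, not the podcast's code).

Constructed for illustration: the patterns, label names, the "internal" channel
convention and every sample message below are assumptions of this example.
"""
import base64
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape NNN-NN-NNNN. Shape only; a real engine adds context and validity checks.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Sensitivity labels that the (hypothetical) policy treats as "must not leave".
BLOCKING_LABELS = {"confidential", "restricted"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Filters out most random digit runs, which keeps the false
    positive rate (question six, option B) manageable."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, normalised to bare digits."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def inspect(message: str, label: str = "", channel: str = "external") -> dict:
    """Decide whether an outbound message may leave.

    Returns {"verdict": "block" | "allow", "reasons": [...]}.
    Policy in this example is scoped to egress only: an insider with legitimate
    access who uses an approved internal channel is never inspected, which is
    the limitation question six is pointing at.
    """
    if channel == "internal":
        return {"verdict": "allow", "reasons": ["internal channel not inspected"]}
    reasons = []
    if label.lower() in BLOCKING_LABELS:
        reasons.append(f"sensitivity label: {label}")
    pans = find_pans(message)
    if pans:
        reasons.append(f"{len(pans)} Luhn-valid card number(s)")
    if SSN_RE.search(message):
        reasons.append("SSN pattern")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed samples. The encoded one is the same card number base64-encoded
# before sending; pattern matching sees no digits, so the DLP check cannot fire
# (question six, option A: encrypted or encoded data is hard to detect).
PLAIN_SAMPLE = "Please charge card 4111 1111 1111 1111, thanks"
ENCODED_SAMPLE = base64.b64encode(PLAIN_SAMPLE.encode()).decode()


if __name__ == "__main__":
    for msg, label, channel in [
        (PLAIN_SAMPLE, "", "external"),
        ("Order 1234567890123456 shipped", "", "external"),
        ("numbers attached", "Confidential", "external"),
        (ENCODED_SAMPLE, "", "external"),
        (PLAIN_SAMPLE, "", "internal"),
    ]:
        print(channel, label or "-", inspect(msg, label, channel))
```

The shipping-order line is a sixteen-digit number that fails Luhn, so it is allowed rather than raised as a false positive; the base64 line and the internal-channel line both sail through with the card number intact, which is exactly why the episode says a DLP product mitigates rather than eliminates breach risk.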
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!