CCT 187: Practice CISSP Questions - Cybersecurity Audits and Compliance (Domain 6.5)
Oct 24, 2024
Can cheaply made smart devices compromise your security? Uncover the hidden risks of AI and hardware hacking as we explore the vulnerabilities in these devices that make them prime targets for cybercriminals. Learn how secure coding practices and proper device isolation can serve as critical defenses, and consider the implications of AI misconfigurations that could lead to remote code execution. Through engaging discussions, we shed light on the growing threat landscape and the necessity of protecting both personal and business environments from these emerging challenges.
We dig into the world of audits and compliance, dissecting internal, external, and third-party audits to reveal their unique roles and shortcomings. Discover the dangers of leaning solely on internal audits and why third-party assessments are vital in evaluating vendor and partner security controls. This understanding is key for organizations to effectively manage risks and enhance supply chain security. Our insights will arm you with knowledge on how to navigate these audits and make informed decisions that bolster your cybersecurity posture.
Lastly, we navigate through the essential elements of cybersecurity audits, from security policies to incident response plans. Learn about the auditor's role in ensuring compliance and the importance of follow-up audits to verify the implementation of recommendations. We emphasize the critical nature of documented incident response procedures in maintaining business resilience, underlining regulations like HIPAA that protect sensitive health information. Tap into our rich resources and elevate your understanding of cybersecurity to safeguard your operations against an evolving threat landscape.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:
Hey all, Sean Gerber with CISSP Cyber Training, and hope you all are having a wonderful day today. Today is what? CISSP Question Thursday. So today we're going to be talking about CISSP questions as it relates to 6.5 of the CISSP, and this is going to be focused on audits. So we had talked about the content on Monday, and then on Thursday we actually get into the CISSP questions around that content. The goal is to help you build your knowledge and experience as we move forward. But before we do, one thing we wanted to get into was this recent article I saw on AI and hardware hacking on the rise, and this is from Security Week and you can go check it out. You can go Google it and look for AI and hardware hacking on Security Week and it'll give you an idea of what the article is about.
Speaker 2:
Now, like many of these articles that are out there (you guys all read them, right), the point comes into is many times this stuff is just like regurgitated stuff that's just out there, and realistically, this is not a whole lot different than that, but there are some key concepts I think that it's important for you to know, especially as you are security people that are in this world and you are going to be leading organizations or are leading organizations as it relates to security, some things you need to kind of keep in the back of your mind. They're saying that hardware hacking is on the rise and they're seeing it growing because of the cheaply made and overly complex smart devices, and I would totally agree with that. There's a lot more development work that is being desired and needed, and so, as such, people are developing all kinds of code. They don't really know what they're doing, and they're learning it off of YouTube, and I'm not saying that's bad by any stretch of the imagination. I'm saying that's great. Honestly, I think people need to get into this stuff.
Speaker 2:
However, that being said, they're not being taught how to do this securely, and therefore stuff that's coming out is really junky. It just really is. It's got all kinds of issues with it, and I'm guilty of this. I've made code, just, hey, I'm going to throw this in here to make sure it works, and it works, but when it comes down to being really elegant, secure code, it's usually not, and a lot of these smaller devices are specifically getting that. And so they're seeing that this hardware hacking is on the rise, in the fact that you're getting fault injection, side channel attacks, and a big one I see potentially is firmware manipulation, and so by doing this you can gain access to these systems and deploy whatever you want it to do.
Speaker 2:
They mentioned that there's a Starlink hack out there where there's a $25 mod chip that you can buy that will allow you to bypass the security of the actual antenna itself, which I think is interesting. I don't know what value you would get out of that, but maybe there's something you would get out of it. I do know that, I should say I read the article, whether it's real or not, that the Russians have been able to get some of these Starlink antennas and make them basically the Starlink-ish type of antenna and get access to Starlink. So it's definitely becoming more and more a factor, specifically since there's more of these devices out there in the world, and I love them, I use them all the time. But securing them, you have to make some assumptions, and if you're going to not go and focus and dig into the code on these devices yourself, you need to put them off on their own subnet, especially in your home environment and most definitely in your business environment.
Speaker 2:
But when you're dealing with, they talk about, there's the three T's of AI and overall hacking, and they go the tool, the target and the overall threat. Now the tool is again increased for AI. This increases the speed, sophistication and so forth. Now we talk about AI. I still have yet to see a lot of stuff coming out that AI is actually doing the attacking, but I know it's out there. It's just it maybe hasn't hit mainstream at this point, but it's going to. Everybody will say it, everybody over and over, that it's going to be a problem in the future. Everybody understands that, and so therefore, how do we deal with it? The target, now we're dealing with the target.
Speaker 2:
They mentioned multiple LLMs and the conversational aspects and using those to be able to manipulate people and people's actions or potentially, depending on how the LLM is working, maybe if it's incorporated with some sort of processes, it could incorporate and manipulate the processes as well. One of the comments they made in there is they achieved a remote code execution "accidentally" (air quotes) by chatting with an AI bot that was misconfigured and was able to execute commands on the OS, the host OS that it was sitting on. So, interesting. But the question is, what does that do? How is that going to affect you? And in most cases, right now, it's okay, you're gonna make the chatbot mad at you, but realistically, what does that mean? And I can say I don't think really anybody knows at this point, but they all see the value in it going forward.
Speaker 2:
I also read an article that everybody's seeing the AI bust that's worse than the dot-com bust, and I was like, oh, definitely you can see that, but what's going to happen is it's all going to blow up, it's all going to, then the dust will settle and then more stuff will come out of it. Because if you look at the dot-com bubble that burst, if you're old enough to know that, then what ended up happening is a lot of great stuff came out of it. But boy, it was pretty heinous on your retirement plans if anybody was buying into all that.
Speaker 2:
The threat, again, the threat is going to be using AI both inadvertently and by manipulation to cause harm to its users, and this could come in multiple ways. Again, if you incorporate it within processes, most definitely. But if it's just a chatbot, the question is, people are then paying attention to it and going, well, if I'm paying attention to it and it's telling me to take two doses of my medicine versus one, well, I'll take two. This is where people have to have enough sense to go, hey, do not trust everything you read online, which you shouldn't at this point. Right, there's so much out there that is just garbage. It doesn't make sense, but it's twinged to the point where it makes you want to believe it, and I'm guilty of that. I've fallen into that trap myself. So you need to just make sure that you're helping train your employees on how they should use these tools.
Speaker 2:
And they mentioned, they threw out the arbitrary anecdote of the percentages. One of the percentages they said was 21% of hackers said that AI was bad and that it was going to be used and grow. And then they say now 71% of hackers say it's going to grow. Well, first off, who's a hacker? I'd like to know that. I'm a self-proclaimed hacker. Okay. Now the FBI knows who you are. So 21% of hackers say it's going to grow is low, and now 71% say it's going to grow. Okay, I agree with that. It's going to grow.
Speaker 2:
Now, when they talk about the AI-assisted hardware attacking, this is where, again, it's still very squishy, but they're expecting the AI algorithms to perform complex analysis: power consumption, electromagnetic emissions, timing of the devices, all that kind of stuff, which we can see. And when it comes right down to it, you're like, well, as we talked about earlier, IoT devices, they're getting more and more complex with what they can offer and what they provide. However, at the same time, they're usually a relatively small device, because they, one, have low power consumption and they're in austere locations. But if you can get into those, what happens? If there's one that's controlling the floodgates of New Orleans, then that could be bad, and so, therefore, understanding how AI could be used against these systems is an important factor too. But a lot of this is, oh my goodness, the world is falling, coming to an end. That is true. There's some challenge with that. I think there's a little bit of hype in it, and nothing against these guys that write these articles, because they are way smarter than me by far, but sometimes there's articles to be created for the sense of creating articles, and this is a good one.
Speaker 2:
In the fact that it talks about where AI is going and where you can have some, you should be concerned, and the ultimate goal is, like you said, you guys all know this, you've dealt with these, you hear it all the time and you're going, this isn't anything new to me, Sean. You're not telling me anything new, and you might be right, but I still remember when I was driving home from going into work and listening to my podcast as I'm heading in and going, oh yeah, I remember that, and then I went in and actually took action on it. So this might be something for you to think about as we're talking through this, going, oh yeah, I could do that. Or you might be going, oh yeah, I need a pumpkin spice latte. I don't know what you're going "oh yeah" about, but it could be.
Speaker 2:
So, that being said, we're going to move on to the questions, which is why you are here. Okay, so we are going to get into the questions. This is again over domain 6.5, but before we do, just want to bring up the fact is, head over to CISSPCyberTraining.com. I'm just bringing it up because you can go over there, you can buy any of my content and all the proceeds go to my nonprofit for adoptive families. Again, the money aside, the proceeds all go to help families who want to adopt children. Again, I'm not taking the money for me and my family. It's going to help adoptive kids and give out low-interest or no-interest loans to them. That's the ultimate goal, right? Or you can go to ReduceCyberRisk.com, and if you're looking for a consultant there, you can check me out. But that's not why you're here. You are here to hear these questions, and this is the second take.
Speaker 2:
You know what, as you guys, as you do podcasts, people go no-transcript policies. Now, some of those are good, right, there's some really good things about having an audit, but the answer, the correct answer that best describes the primary objective of a cybersecurity audit, is B, to ensure compliance with regulations. Right, your laws, regulations and standards have to be complied with, depending on the role that you're in, or I should say, the business that you're in, and therefore you may have to have that audit done for that. Again, we're dealing with PwC, Deloitte. They make gobs and gobs and gobs of money. I mean, I said that three times because they do, they make tons of cash, and it's because they charge you for this expertise, and therefore you have to have it because regulations require it, because if you're in business and you didn't have to do it, you wouldn't, because it costs a lot of money.
Speaker 2:
Question two: what is the primary difference between internal and external audits? A, internal audits are conducted by external parties. B, external audits are less formal than internal audits. C, internal audits are focused on operational effectiveness, while external audits are focused on compliance. Or D, external audits do not require management approval. Okay, so if you look through all of those, external audits definitely require management approval because it's spending a lot of money. The answer is C, internal audits are focused on the operational effectiveness, while external audits are focused on compliance. An internal audit you can also consider potentially like an assessment, but the internal ones are focused on your operational effectiveness.
Speaker 2:
Question three: which of the following audits is most likely to provide an independent verification of compliance with regulatory requirements? Which type of audit is most likely to provide an independent verification of compliance with regulatory requirements? A, external audits. B, internal audits. C, self-assessments, or D, continuous monitoring. Which type of audit is most likely to provide an independent verification of compliance with regulatory requirements? And the answer is A, external audits. They are the ones that give you that "independent" (air quotes) verification. They are also the ones that come in, they're not as biased as you might be with your audit. So therefore, bringing in an external audit firm is a good choice.
Speaker 2:
Question four: what is the significant risk of relying solely on internal audits? Okay, so all you ever do is do an internal audit. You don't do an external one ever. All you ever do is just internal ones. That's the question. What is the downside of that? A, increased risk of operational costs. B, limited scope of review. C, incomplete documentation, or D, the lack of impartiality. All of those can be very true to having an internal audit, because you get lax, you don't have the scope defined well and it does increase your costs because you go find all kinds of dead bodies and you go, I got to fix them all. But the answer is D, lack of impartiality. Because you know where all the dead bodies are at. You may go, we're going to get to that one next month, and next month becomes next year and you forgot about it. So it's important for you to bring them in if you're worried about impartiality.
Speaker 2:
Question five: what is a common objective for third-party audits? What is a common objective of a third-party audit? A, to enhance internal team capabilities. B, to evaluate the effectiveness of marketing strategies. C, to assess the security controls of vendors and partners. Or D, to develop new cybersecurity technologies. Okay, what is a common objective of a third-party audit? We've talked about this a little bit in these questions: to assess the security controls of a vendor and a partner. Oh, I didn't talk about that one. That was C, right? So the point, we've talked about it in the podcast earlier, but you really want to have, when you have a third-party audit come in, they can look at your different vendors. Supply chain risk is a humongous deal, and I would say understanding your supply chain is a very important factor. Bringing these auditors in is great, because if somebody takes out your supply chain and you are highly dependent on your supply chain, boom, you are dead in the water, potentially. So therefore, you need to have someone look at it, find the risks and then determine whether you want to accept the risk, find new ways to mitigate that risk, how you want to handle it, or transfer that risk to somebody else.
Speaker 2:
Question six: which of the following is not typically included in a cybersecurity audit? Which of the following is not typically included in a cybersecurity audit? A, the review of security policies and procedures. B, analysis of user access controls. C, assessment of marketing strategies, or D, examination of incident response plans. So which of the following is not typically included? And that would be, yeah, you guessed it, C, marketing strategies. You typically do not do that within your cybersecurity audit, unless I guess maybe you're a cybersecurity audit marketing firm. Yeah, I guess, but no, the other three, yes: policies, access controls and incident response should definitely be part of your cybersecurity audit.
Speaker 2:
Question seven: what is the primary role of an auditor during an external cybersecurity audit? What is the primary role of an auditor during an external cybersecurity audit? A, to verify compliance and provide you an objective report. B, to implement security solutions. C, to provide recommendations, or D, to train your internal staff. And the answer is A, to verify compliance and provide objective reporting. However, if you get a really good auditor and they're not on your ticket, you're not paying for them at that time. So I say this because I've had some that have done a really good job with providing recommendations and training to my staff, and they didn't charge for it because they were just really into providing good security. And I say that, auditors, if you're out there and you are an auditor or you're going to be an auditor, it's a really good way to help your customer. You guys see lots of interesting different aspects and dynamics. So therefore you come in with a different perspective, and having a view and doing some training and recommendations would be extremely valuable to companies.
Speaker 2:
Question eight: which of the following is a critical factor when planning an audit? A, organizational culture towards security. B, the availability of marketing funds. C, the audit team's familiarity with the industry, or D, the length of the audit period. So which of the following is a critical factor when planning an audit? And the answer is A, an organizational culture towards security. This is an important factor. If your people don't have a good organizational culture towards security, it'll be very evident within the audit, and they'll be going, I don't know anything about phishing attacks, what are those? But oh wait, the checkbox, it looks like it's been checked. Okay, cool. That's a part where you want to make sure that you are also teaching them about security, not just giving them a bunch of information.
Speaker 2:
Question nine: which of the following audit types focuses on the effectiveness of risk management processes? A, compliance. B, operational audits. C, financial audits, or D, performance audits. So which of the following audit types focuses on effectiveness of risk management processes? And the answer is B, operational audits. They focus on risk management, and they are more, you may even see them a little bit as an assessment, but anything dealing with the operational side, making it more efficient, more cost effective, that's where that kind of audit will come into play.
Speaker 2:
Question 10: what is the importance of a follow-up audit? Okay, this is one that you're coming back to. To reassess the marketing trends, to analyze competitor strategies, or to increase the number of audit staff? Okay, that's A, B and C. D, to ensure that the previous audit recommendations were implemented. Okay, so A, assess market trends. B, analyze competitor strategies. C, increase the staff of your audit staff, your staff, yeah, I screwed that up, your audit staff. And then D, ensure the previous audit recommendations were implemented. Okay, what is the importance of your follow-up audit? And it is D, to ensure the previous audit recommendations were implemented. That's the whole purpose of having somebody come back around, is to ensure that things were done the way you set them to be done. You definitely don't want to increase your audit staff unless you absolutely need to.
Speaker 2:
Question 11: which regulation is specifically designed to protect privacy of health information and require audits? So key terms: privacy, bing, bing, bing, bing. Health information, bing, bing, bing, bing. Yeah, that's it. So what are they? PCI DSS? No, that's payment card industry, deals with credit cards. SOX, Sarbanes-Oxley, deals with financial aspects. GDPR, that is privacy. Oh, yeah, yeah, no, uh-uh, no, that's Europe. So don't, that's not it. The answer is D, HIPAA, right, Health Insurance Portability and Accountability Act. HIPAA, that deals with your privacy and it is dealing with health information. So that answer would be D.
Speaker 2:
Question 12: during an audit, which of the following is a red flag that may indicate a problem with the organization's cybersecurity posture? So again, which audit have a red flag to indicate a problem with your posture? Your cybersecurity posture, not your standing-up posture. A, regular updates to security policies. B, frequent changes to staff roles and responsibilities. C, lack of documented incident response procedures. Or D, high employee satisfaction scores. Okay. So a red flag. Okay, high satisfaction is good. Updates to security policies, good. Frequent changes to staff and roles, it may not be so good. That could be a red flag. And then, but the real one is C, lack of documented incident response procedures.
Speaker 2:
If you do not have good incident response procedures and business resiliency, go, as you're listening to this podcast, stop your car, write this down and then go do this. Yes, make sure you go into your office and go do this. I would do this immediately. Start working on it immediately. Do not delay, because this is one of the biggest factors that will help save your business and, potentially, your job and your marriage, depending upon how tied to your job you are. And then again, what is the advantage of conducting... Okay, I was really digressing there, but the point of it is incident response procedures are a really important factor. I want to get them done.
Speaker 2:
Question 13: what's the key advantage of conducting audits on a regular basis? A, they eliminate all security risks. B, they help identify and address vulnerabilities proactively. C, they ensure compliance with only the industry standards. And D, they are legal requirements for all organizations. Again, what is the key advantage of conducting audits on a regular basis? And the answer is B, they help to identify and address vulnerabilities proactively. Again, you're looking for all these issues and your security gaps, and it allows you to strengthen your defenses before they become an issue, and you will find some dead bodies and you'll fix those dead bodies and you'll bury them correctly, and then new ones will come up, but the ultimate day is that it allows you to have better insight into the security of your company. Question 14, almost done. In the context of security audits,
Speaker 2:
what does the term scope refer to? Now, this term is used way too often, and I don't think people truly understand the word, what it means, especially in the context when you're saying it. I think they probably understand what scope is, unless you're hunting deer, but they understand what scope is. It's just it gets used out of context so often. A, the budget allocated for the audit. B, the time frame in which the audit must be completed. C, the number of auditors involved in the process. Or D, the specific areas and processes that the audit will cover. Again, in the context of cybersecurity audits, what does the term scope refer to? And the answer is D, the areas and processes that the audit will cover.
Speaker 2:
And you want to be very specific with your scope. You really do. Do not go in there with a broad-brush scope, and you may want to think, well, hey, I'm paying $18 gazillion, I want to have everything looked at. Don't do that. Just walk away from the hedge. Don't do that, because what will happen is you'll get all kinds of stuff and then you won't do anything with it, and you'll just have a really expensive report card, and you don't want that. So, be very targeted and focused. Now, don't be so focused as, I want you to look at this one thing, because you will get challenged from your senior leadership going, you got to look at more than just one thing if I'm paying $18 gazillion. So, again, make the scope doable. Challenge the audit team, and then know that whatever they come back with is something that you are going to be actioned on and you're going to do, because, and that way, keep it small. That's something you know you can do. Now, if you have a staff of 50 people, well then maybe you can make it bigger, but in most cases you don't have a staff of 50 people that can work on this stuff. So just consider that. Last question, the last melon, question 15.
Speaker 2:
What is the primary goal of the audit trail in cybersecurity audits? What is the primary goal of an audit trail in a cybersecurity audit? And the answer is A, to provide documentation of the audit findings so that you can address them and get to it, and you also may have to have the documentation for your senior leaders and to maintain certifications and so forth. That's it. So that is the last question, yes, of the second take of this podcast. Oh yeah, baby. So I've had 30 questions. Unfortunately, you just get only 15, but I've done 30. That being said, we are done for today. If you can go to CISSPCyberTraining.com, go check it out. Go look at all the free stuff that's there and go buy the products. If you purchase the products, see a little child looking at you with big eyes, going no-transcript, so that they have some of the funds and they don't feel so overwhelmed with trying to bring on a child and pay for it, because it can be overwhelming. All right, again, go out to CISSPCyberTraining.com, go to ReduceCyberRisk.com. If you're looking for any sort of consulting aspects, I'm
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!