CCT 189: Practice CISSP Questions - Applying Various Resource Protections for the CISSP Exam (Domain 7.5)
Oct 31, 2024
Unlock the keys to safeguarding the future of our global supply chains as we tackle the formidable intersection of IT and OT environments in cybersecurity. Imagine the chaos if operational technology systems on ships and cranes were compromised. Discover how the notorious Maersk hack serves as a cautionary tale illustrating the potential for worldwide disruption. We introduce PrivX OT Edition, a game-changing platform ensuring secure remote access to vital systems on container ships, emphasizing the delicate balance between operational integrity and cybersecurity. Your systems' resilience against cyber-threats starts with understanding the vital distinctions between IT and OT networks.
In our exploration of incident response, we highlight the paramount importance of learning from each security breach. Unusual outbound network traffic is a red flag not to be ignored, and the role of a well-prepared Computer Security Incident Response Team (CSIRT) cannot be overstated. We delve into proactive measures that keep your systems one step ahead, from regular software updates to rigorous incident response planning. Emphasizing documentation and the chain of custody, this episode equips you with the foresight and strategies needed to maintain a secure and reliable cybersecurity posture. Join us in this essential discussion as we pave the way to a more secure future.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:
Hey, I'm Sean Gerber with CISSP Cyber Training, and I hope you all are having a wonderfully, beautifully blessed day, as your drive into work today is going well, or if you're at home just listening and trying to fall asleep. But hey, if you're listening to this, that's awesome. At home, a lot of my folks that actually listen to the podcast do this while they're driving into work. So you know, you just never know whether it's commuting via train or car. You get to listen to CISSP Cyber Training. That's pretty awesome. You should put it on speaker and see what people say. They might be pretty excited about it or they might just look at you like you have two heads. But we're not here to talk about that. We're here to talk about CISSP questions, which is today's plan. But before we do, right before we do, there's an article that I saw just when I was scoping around the InfoSec industry today, and it's a really good article. And if you're in the OT space, which is the operational technology space, more or less manufacturing, different types of, you know, those kind of processes, from airports to sea ships, to you name it in the OT space, there are a lot of little differences and nuances as it relates to the overall IT space. There was a great article out there on The Hacker News. Now I haven't gone in and done an evaluation of this company yet, but it looks very promising. It's "Sailing the Seven Seas Securely from Port to Port: OT Access Security for Ships and Cranes."
Speaker 2:
Now I don't know if you all know, there was a situation that happened a while ago where there are some what was it? Some listening devices put on cranes on the West Coast of the United States, and cranes are of vital importance to pretty much every country when it comes to their import and export capabilities. And there was also a hack that occurred to Maersk, which is one of the largest shipping companies in the globe, a few years back, which just crippled them. And so we all know that we are dependent upon the supply chain for most of our activities that we deal with, from getting plugs in your house electrical outlet plugs to the food you eat, to whatever it might be. The supply chain is an important part of all of that. Well, the protection of the supply chain is also a critical part of this, and I taught this in college to a lot of my students around the OT security piece and how important it is to have some level of security around that, especially as it becomes more intertwined with our daily lives.
Speaker 2:
So the reason I'm bringing this up is one of the big aspects was the integration between IT and OT and the blending. And how do you communicate from an IT environment into an OT environment securely? And they basically have talked about this company that is doing this remotely. Now there's a lot of other companies that will do this as well. But SSH, you know, has been one of the pioneering solutions when you're dealing with the IT and OT space, and it allows for privileged access management. How you get from an IT area into an OT area is many times through SSH. Well, they have a solution out there called PrivX OT Edition, and this supposedly is a centralized, scalable and user-friendly platform for managing remote access. That is verbiage out of their, you know, obviously, the thing they hand out.
Speaker 2:
But an interesting part of this is one aspect when you're dealing with OT is the secure remote access into the OT environment. You really don't ever want to have it where your IT environment goes directly into your OT environment. You want to keep them separate, because if you have them all under one network, your IT and OT network, it can be very damaging. So let's put it in an example this way: If you have a bunch of Windows laptops on your IT network and they get hit with a ransomware attack, those go down. Well, that's bad, right, people can't process funds, they can't do their daily jobs, but nobody really, for the most part, should die from that. However, if the OT environment were to be compromised by a ransomware attack, safety systems go offline. Potentially, people or things can get hurt or blown up, and so therefore, it's an important factor to have a really good program on how you would utilize a manufacturing facility in a way that is helpful from an IT point of view. But also they are very separate. So they bring up this company, this PrivX OT Edition platform that's out there to provide remote access, and some of the key bullets that they have in there. Again, I would recommend that you go, and if this is something that's important to you, go dig into it a little bit deeper. But they do have the ability to have, in this case it's container ships, they have the ability to connect their customers' thousands of container ships globally utilizing satellite links. Again, if you've got a ship in the middle of the ocean, you can't have an IT guy just drop in there and go fix stuff, so they're going to have to be able to do things remotely.
Speaker 2:
It has just in time and just enough access, which is really an important part. Obviously, just in time access is important because that's usually something critical. You need to gain access to it and what happens is when things are melting down at the facility. That's why people give broad permissions to individuals, because I don't have time to try to do just in time access. Just give them the access. So that is a great part. The other thing is just enough access. Another key challenge when you're dealing with OT is again kind of back to the first point. I need them to be able to fix the problem. So give them whatever they need to have the maximum amount of authority to be able to gain and fix the problem. Well, that causes problems, right, that's a problem three times. I said so. It's lots of problems, but just enough access is a way to provide the access to an individual so they can do their job, but not so much that they can go out and cause all kinds of chaos and pandemonium.
Speaker 2:
They have auditing, which is an important part, especially when you're dealing with the maritime aspects. In the United States, there's lots of regulations that fall under the maritime piece of this, and the Coast Guard is one of those aspects where they will audit you and they'll find out if you've been doing it. You have the right cybersecurity controls in place. So auditing is important. Centralized access and automation All of those are really key factors and if it's as good as this article says it is, it could be very valuable for any company that has a lot of remote locations that may need some level of access for their people. So it's another part of that.
Speaker 2:
Now, the other part they had is vendor technicians' access to industrial cranes restricted and secured. So you have your employees, that's one thing, but in many cases when you're dealing with OT, they are a lot of times managed by vendors or third parties, because you as a company may not have the funds to be able to hire all these people in-house and into your organization. So therefore, what happens is you will hire a third party to do this for you, and that becomes a bit of a problem as well, because now you have individuals that are not part of your organization remoting into your company. So, again, regional restrictions. If you've got somebody that is limited to only being able to operate within China, that's a good example. China, they want people that are in China working on China equipment. They're not a big fan of people within the Western countries working on China equipment. So there's regional restrictions. Just in time, just enough.
Speaker 2:
Access is another part. Again, we talked about that earlier. Comprehensive auditing, and then non-disruptive deployment, something that goes in, drops in place and it doesn't impact your VPNs or firewalls or any other technology you may have in place. So I think it's a really interesting article, more or less the product itself, again that comes down to, it's called, where is it at? Yes, SSH PrivX OT Edition. So something to consider if you are in the OT space and you want to look at that. So I know Dragos has brought in a new service that they're providing to deal specifically with these OT aspects as well. So there's a lot of really cool stuff going on in the OT space and as well, as you all know, if you deal in this world, it is changing dramatically and there's more and more reliance upon it. So I would highly recommend you get the article, look it over, see if it can meet your needs.
Speaker 2:
All right, so let's get into the CISSP questions for today. Question number one: what is the primary purpose of an incident response plan? A, to define security policies. B, to prepare and manage incidents effectively. C, to train employees on security measures. Or D, to enforce compliance with regulations? Again, question one: what is the primary purpose of an incident response plan? And the answer is B, to prepare for and manage an incident effectively. That's the ultimate goal of an incident response plan, because guess what? An incident is going to happen to you. You're going to get one, whether you like it or not. It's going to happen. It may be small, it may be big, it just depends. But you need to be prepared for the incident as best you possibly can, and that is the purpose of an incident response plan.
Speaker 2:
Question two: which of the following is not, I repeat, not a phase of an incident response life cycle? So which of the following is not a phase of an incident response life cycle? A, preparation. B, containment. C, identification. Or D, mitigation? Again, which of the following is not a phase of an incident response life cycle? And the answer is D, mitigation. Incident response life cycles will include preparation, identification, containment and eradication, as well as recovery and lessons learned. Mitigation is a concept that can be part of the containment part of this, but it's not one of the formal phases of the life cycle. Easy one to get mixed up on, yeah, I can't even speak, mixed up on. So, again, the following is not a phase of the incident response life cycle: mitigation.
Speaker 2:
Question three: what does the term forensics analysis refer to in the context of an incident response? Again, what does forensic analysis refer to in the context of incident response? A, regular monitoring of network traffic. B, collection and analysis of evidence from a cyber incident. C, deployment of security updates. Or D, conducting security training sessions. So what does the term forensic analysis refer to when you're dealing with an incident response? And the answer is B, collection and analysis of evidence from a cyber incident. With forensics, like your CSI, or is that what it is? I don't know, maybe it's CSA, I don't know what that is. But if you're dealing with any sort of forensics piece of this, you want to have collection, preservation, examination. All of those pieces need to happen as it relates to a forensics capability. You want to know how it happened, how to prevent it, how did it occur? All of those pieces you want to build into this, as well as restore those, because you may have some sort of legal ramifications that you may have to deal with. So the answer is collection and analysis of evidence from a cyber incident, B. Question four: in which stage of the incident response process is the effectiveness of the response measured?
Speaker 2:
Again, in which stage of an incident response process is the effectiveness of the response measured? What are you measuring in the event that you have an incident that you need to deal with? A, containment. B, eradication. C, lessons learned. Or D, identification? So if you're looking for measured, and after the whole thing is over, knock, knock, after it's over, then you're dealing with lessons learned. This is the stage at the end where you're dealing with all the aspects that happened, what worked well, what didn't, how the process can be improved and so on and so forth. So this feedback loop is essential for when you're dealing with continuous improvement.
Speaker 2:
Question five: what is a common indicator of a potential security incident? So again, what is a common indicator of a potential security incident? A, increased user traffic. B, regular software updates. C, unusual outbound network traffic. Or D, consistent system performance. So what's a common indicator of a potential security incident? And it is C, unusual outbound network traffic. Obviously that one, there you're going, well, yeah, that makes total sense, right? Anything that's leaving your organization would come up as some sort of external activity heading out and therefore could constitute a potential breach. So you have to look at that.
Speaker 2:
Question six: which type of incident response team is typically composed of full-time employees with specific security expertise? Again, an incident response team which is typically composed of full-time employees with specific security expertise. A, computer security incident response team, CSIRT. B, an ad hoc team. C, an emergency response team. Or D, a disaster recovery team. Again, composed of full-time employees with specific security expertise. Again, that's the key term, specific security expertise. And the answer is A. In this case, a computer security incident response team is the one that's made up of full-time employees who possess the specialized knowledge and skills to respond to and manage security incidents effectively. They are prepared to address incidents promptly and strategically. That is your CSIRT.
Speaker 2:
Question seven: what is the main goal of containment in incident response? A, to permanently eliminate the threat. B, to prevent the incident from spreading. C, to preserve services quickly. Or D, to document the incident thoroughly. What is the main goal of containment in incident response? And it is obviously B, to prevent the incident from spreading. You don't want it to go anywhere further than what it's already done. Once the damage is done, you want to limit the damage to that specific location, because, again, the more time you allow it to spread, the more damage it can cause and potentially, as we mentioned earlier in the OT space, it could be really bad. But at the end of it, anything that it gets spread to, you just have to consider it is going to be redone completely with new equipment. So now you're wasting time and you're wasting money.
Speaker 2:
Question eight: which of the following is a proactive approach to incident management? Again, which of the following is a proactive approach to incident management? A, regularly updating software. B, responding to incidents as they occur. C, ignoring minor security alerts. Or D, conducting post-incident reviews. Which of the following is a proactive approach to incident management? And the answer is A, regularly updating software. This is a way to ensure that you prevent security incidents by patching vulnerabilities as they are exploited, right. So you want a proactive approach as the best way to reduce your risk and enhance your security posture.
Speaker 2:
Question nine: what is a key consideration when developing an incident response plan? What is a key consideration when developing an incident response plan? A, it must be lengthy and detailed. B, it should remain static over time. C, it should be regularly tested and updated. Or D, it must only focus on technical responses. So the key consideration when developing an incident response plan is C, it should be regularly tested and updated. When you're dealing with any sort of IR plan, you want to update this thing routinely, because things change almost as soon as you put it together. Something has changed. So therefore, you're going to need to make sure you update it, and you want to test it, because it's not one of those things you want to just make and set up on the shelf, because the moment you need it, you're going to pull it down and you'll realize that it's all jacked up or people haven't been practicing it. So therefore, the response is very different.
Speaker 2:
Question 11. Which of the following is a best practice for documenting an incident? Which of the following is a best practice for documenting an incident? A, use a simple log file. B, rely on memory to recall the details. Or C, maintain a detailed incident report. Again, which of the following is a best practice for documenting an incident? And the answer is C. Again, you want to have a detailed incident report, because the more documentation you have, it can help you, one, determine what occurred. Two, from an audit perspective, you may be audited and they may want to know what you actually did. So, lessons learned, all those aspects should be documented in a format and saved for future reference. Now, one thing to keep in mind is, the more you keep this stuff, you now become legally liable for some of it. So you may decide, your company may decide, to hold it for a period of time and then delete it. It just depends on your company and what your plans are.
Speaker 2:
Okay, question 12. What is the significance of chain of custody in an incident response plan? Again, significance of chain of custody. A, it ensures the privacy of user data. B, it protects against unauthorized access. C, it maintains the integrity of the evidence collected. Or D, it simplifies the recovery process. Again, what is the significance of chain of custody? It's maintaining it during the entire situation when you're dealing with an incident, and it is C, it maintains the integrity of the evidence collected. So, as the evidence is collected per the incident, the documentation on who collected the evidence, how it was stored, any transfers between parties, all of those things need to be kept because it could come up in some sort of legal proceedings and analysis in the future. So therefore, chain of custody is an important factor.
Speaker 2:
Question 13. Which of the following tools is commonly used for monitoring and detecting security incidents? Again, which of the following tools is commonly used for detecting and monitoring security incidents? A, network intrusion detection systems. B, firewalls. C, antivirus software. Or D, DLP or data loss prevention tools? And the answer is A, NIDS, your network intrusion detection systems. Those are the ones that are specifically designed for monitoring network traffic.
Speaker 2:
Question 14, what role do stakeholders play in the incident response plan? A, they have no influence in the process, yeah right. B, they need only be informed post-incident. C, they provide input and support throughout the incident. Or D, they should manage the technical response. Again, stakeholders, what role do they play in the incident response plan? That is C, they provide input and support throughout the entire incident, and if you have good stakeholders, they'll be there for you. However, that being said, if they are also very nervous, they may be in your chili a lot. You may have to deal with that, but hey, it's their business, so you just expect it. That's what's going to happen.
Speaker 2:
Question 15, which of the following is an example of post-incident activity? Again, which of the following is an example of a post-incident activity? A, identifying the incident. B, isolating affected systems. C, conducting root cause analysis. Or D, notifying law enforcement. So which of the following is an example of a post-incident activity? And the answer is C, conducting root cause analysis, or RCA, as you'll commonly hear it, but it's basically determine what happened, where did it happen, how did it happen, so on and so forth, and then figure out how to fix it in the future. So root cause analysis is an important part of any incident that you do have.
Speaker 2:
Okay, that's all I've got for you today, but the last thing I have is just, again, go over to CISSP Cyber Training and you can gain access to all of this content, and all the proceeds that are created from CISSP Cyber Training go to the nonprofit that we have for adoptive families. So, again, the ultimate goal of this is to help other people, and the money that is provided from CISSP Cyber Training goes specifically for that purpose of helping other families. If you do need a security consultant, please go to ReduceCyberRisk.com. You can reach out to me there or you can reach out to me here. It's fine too, and I'm happy to see if there's a possibility that I can help you in your cybersecurity journey. I've got a lot of contracts that are coming up and just want to get it out there. If you do need some assistance, reach out now, as time is of the essence and because my calendar is filling up very quickly. All right, have a wonderful, wonderful day, and we will catch you on the flip side. See ya.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!