CCT 205: Practice CISSP Questions - Apply Foundational Security Operations Concepts (Domain 7.4)

Dec 26, 2024

Unlock the secrets of cybersecurity mastery with me, Sean Gerber, on this week's episode of the CISSP Cyber Training Podcast. Discover why the U.S. government is investing a staggering $3 billion to replace TP-Link routers and the strategic implications for telecom companies nationwide. We'll also dissect the National Defense Authorization Act, which aims to fortify AI adoption and tackle emerging threats through an AI Security Center. This isn't just a glimpse into current events—it's your roadmap to staying ahead in the ever-evolving world of cybersecurity. 

Explore critical security practices, like the nuances of service level agreements and the essentials of privileged access management, tailored to elevate your cybersecurity strategies. Learn how to balance regulatory compliance with productivity by refining need-to-know policies and harness the power of data classification. Additionally, consider the wide array of consulting services from ReduceCyberRisk.com, including penetration testing and virtual CISO services, for those seeking to deepen their expertise or find mentorship. As we close, I extend warm holiday wishes and share enthusiasm for the opportunities ahead in 2025. Don’t miss out on these valuable insights—your future in cybersecurity starts here.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:  

Hey all, Sean Gerber, with CISSP Cyber Training and hope you all are having a beautifully blessed day. Today is CISSP Question Thursday and we are going to be getting into Domain 7, which, again, this is going to be a follow-on to what we talked about on Monday and the questions are going to be associated with the content that we provided on Monday. So it's going to be available, it's going to be intriguing, it's going to be exciting and it's going to be riveting. But before we get started, obviously we want to talk about a couple things in the news really just one, and this is one that came out we talked about on Monday, as it relates to the TP-Link routers and technology that is being considered being forced out of the United States, and the US government has provided, through the National Defense Authorization Act, approximately $3 billion to do this actual thing. So, if you're a telecom company, which we talked about in the article, these telcos have a lot of this TP-Link data equipment inside their networks, and the main reason is because it's relatively inexpensive in comparison to their competitors. Well, the government realized this, and so they're going to offer an incentive that these folks are going to be able to rip and replace this TP-Link equipment with stuff that they will approve. So they've approximately set aside $3 billion to do this, and it's anticipated, as reading through the article, that it's going to cost more.

Speaker 2:  

Yeah, it always costs more. It never is ever what you think it's going to be, and I've had this recently happen in my life where you think a price is something and then you go oh no, add 20%. So anytime you deal with any sort of and this is something for you all that are looking to get into security and potentially be a security leader the moment that you start thinking that a price is going to be X, just start rat holing in your mind it's going to be an additional 20%, just go with it. It may not be, but if you can build in contingencies, especially when you're doing your financial planning, that is a wonderful thing. Your CIO will be much happier for that, because it's easier to come in under budget than it is to go over. That being said, you don't want to just start padding your budgets so that your TP-Link router is $1 million and you come in and it costs you $150. Yeah, we don't want to do that, obviously, but you need to make sure you consider adding some time and some contingency costs into any sort of financial planning you do for buying equipment.

Speaker 2:  

Okay, so that was a little off topic, but the point of it is is that the NDAA is going to allow this to occur and trying to get some sort of funding set up for them. This is the funding for reimbursement program and it's going to be paid for by the FCC. Now what's going to end up happening is that the equipment that's out there they'll then try to do something with it. I suppose they'll repurpose it with somebody. Ideally, it will not end up in the government, because they don't want any sort of external back doors set up within the organizations, which they probably already do. But, that being said, they'll figure it out. Uh, so that's the ultimate point of it is is that the US government is really backing this by putting money behind it and also by the fact that they are really pushing hard to get this resolved. Uh, the other part I thought was really interesting at the bottom of this article is that the NDAA also authorized the establishment of an AI Security Center to promote AI adoption and the development of guidance and prevent, mitigate, counter AI techniques.

Speaker 2:  

So I know we talk about AI a lot and sometimes it gets really unnerving about what it could be and what people maybe make it to be. And it's not really there yet. I will tell you that I'm not an expert by any stretch of the imagination in it, but it's growing substantially and just that you see, with Moore's law and how fast things change and people will say Moore's law is going the way of the dodo bird. But that being put aside, the ultimate point is is that this technology is changing extremely fast and the ability for people being interested in it is even causing it to change even faster. So you, as a security professional, I would highly recommend that you start getting smart on AI, and we've talked about this before. But your intelligence around AI will be extremely valuable, because the gap between the people who have this information and understand it and the people who do not is going to get only wider over time. So again, just a little plug there. Highly recommend you get into the AI understanding, especially as it relates to the security of your companies. So again, bottom line is free money for all my friends. That's what it comes down to. Yeah, yeah, no, there's never free, right? Well, our taxes will continue to climb and go up.

Speaker 2:  

All right, so let's get into our questions for this week. Okay, so this is group seven. If you go to CISSP Cyber Training, you can gain access to all these questions. All these questions are available to you. If you go there and we purchase all of the software that we have or the training, you can get access to all these questions. The videos and audio actually are free. That will be available online, either through YouTube or through my site directly as well. So all that stuff is available for you. It just depends upon if you want to pay for it, if you don't, but it doesn't matter, it's all there and actionable.

Speaker 2:  

But today we're going to be talking about the Domain 7.4 and this is where we get into the principles of least privilege and various other aspects. But question one. Let's begin. Question one. Which of the following best describes the principle of least privilege? Or if an acronym? If you like an acronym, it's POLP, not... yep, P-O-L-P. I've never said that before, but it's polyp.

Speaker 2:  

What is the principle of least privilege? A, granting users access to all resources unless explicitly denied. B, providing only the minimum permissions necessary to perform the tasks. C, assigning users elevated permissions for the future. Or D, granting permissions based on hierarchical seniority within the organization. So which of the following best describes the principle of least privilege? And the answer is B, providing only the minimum permissions necessary to perform the task, and we talk about this in the training that you want to leave them or provide only the training that will be useful for them at that point in time, and the ultimate goal then is that they will not have any more access than they're supposed to. It does cause challenges, like we mentioned. It does slow things down potentially, and it can cause you some issues, especially if they don't have the credentials they're supposed to have. But you have to weigh that out on. What is the risk versus reward.

Speaker 2:  

Question two. What is the primary benefit of implementing a two-person control in sensitive operations? So again, two-person control. Each person turns the nuclear key. And then what happens in sensitive operations? A, enhanced operational efficiency? Probably not. B, faster decision-making in critical scenarios. C, mitigating insider threat and increasing oversight. Possibly. D, preventing the need for additional authentication mechanisms. And the answer is yeah, you guessed it. It is C. Right, it helps with the insider risk issue and it does increase the oversight within the company. So again, if you have a second person who will approve the payments being made to an organization, that will give you greater oversight.

Speaker 2:  

Question three. Why is job rotation considered an effective security control? A, it reduces dependency on a single individual for critical processes. B, it increases the efficiency of employees in their primary roles. C, it eliminates the need for access reviews. Or D, it ensures all employees have privileged access to sensitive systems.

Speaker 2:  

Now, if you read too deeply into those last three, you will probably pick one of those, but the answer really comes down to is A, it reduces the dependency on a single individual for critical processes. So really, what it boils down to is you've got Bill, who? Bill is the main person who deals with your overall financial aspects, and especially this occurs a lot in small companies when they don't have a real large quiver of people that have a good knowledge base. Bill will get into that position and Bill will really just kind of embed himself like a tick and can't get him out. Well, what does Bill do? Bill Green gains lots of knowledge and in that lots of knowledge that he gains, he has influence. And then when you want Bill to do certain things, Bill goes no, I don't want to do that because I've got influence. Yes, you can see it spiraling down out of control, but it does happen within all sizes of organizations but really it can happen real quickly in small and medium-sized organizations.

Speaker 2:  

Question four. Which scenario violates the separation of duties principle? Violates, not validates, the separation of duties principle? Violates, not validates, violates. So which scenario violates the separation of duties principle? A, a network administrator and security officer work on the same system but perform distinct tasks. B, two employees jointly manage a critical operation. C, a manager supervises and reviews the work of their subordinate. Or D, the same employee creates, approves and processes financial transactions? Yes, and the answer is D. Right, if you have the same employee creating, approving and processing the financial transactions, it is rife for having some level of embezzlement and fraud to occur. I have employees that work for me and guess what? I have to watch what they do because they have the ability to take money in, process payments, do all of those things and they can thieve and theft. They can thieve from me on, basically what they have. So you have to create processes in place to do a second check on what they're doing. Yeah, it's not fun, it adds more time and it is laborious.

Speaker 2:  

Question five. Which of the following is a challenge associated with implementing the need-to-know principle? Again, which of the following is a challenge associated with implementing the need-to-know principle? A, classifying information based on sensitivity labels. B, increasing the access for all users to avoid productivity issues. C, permitting unrestricted access to reduce administrative workload. Or D, allowing employees to self-assign their access levels. Again, which of the following is a challenge associated with implementing the need-to-know principle? And the answer is A, classifying information based on sensitivity levels. As we talked about, data classification is an important part of this entire process and if you want to understand need-to-know, if you don't have a good classification strategy around your data and you implement the need-to-know concepts, it will cause problems. You just... you've got to have a really good data classification plan.

Speaker 2:  

Question six. What is the main purpose of mandatory vacations as a security measure? A, to tick off all of your employees. No, I'm just joking, that's not. A, to encourage work-life balance for employees. B, to train employees in multiple zones or roles during their absence. C, to reduce the organization's operational costs. Or D, to uncover potential fraudulent activities or irregularities. Okay, obviously, you guys probably know that one, right? It's to uncover fraudulent activities and irregularities, but it can add a little benefit. So if you're trying to market to your people about this mandatory vacation thing, hey, I'm going to help you with your work-life balance. It's going to be great. You get to spend more time with your children, which they might be going, I don't want to spend more time with my children, but that it's one thing you may want to use as a positive for them. That you're going to mandate they get a vacation. Yay, you just don't get to know when you're going to take your vacation.

Speaker 2:  

Boo, okay, question seven. Which of the following is an example of privileged account management? What is an example of privileged account management, or PAM? A, it enforces password rotation for elevated accounts. B, it grants all employees administrative access. C, it removes all restrictions for privileged accounts. Or D, it's allowing privileged accounts to bypass security monitoring. So what it can do is one of the aspects it has of PAM is enforcing password rotation policies for elevated accounts. It can do it also within servers, not it can do it within systems, depending upon which version you purchase and which add-ons you get. So they do they measure automated password rotation. They can enhance your security that way. They're a really good tool. Highly recommend a PAM of some kind, and these can be small ones or big ones. I know right, Keeper Security has a solution that is a much smaller version for SMBs and it's available to people to purchase.

Speaker 2:  

Question eight. How does the principle of separation of duties enhance accountability? How does the principle of separation of duties enhance accountability? B or A, by delegating tasks without oversight. B, by consolidating access controls into a single role. C, by requiring multiple individuals to complete critical processes. Or D, by granting blanket permissions to all employees. So how does the principle of separation of duties enhance accountability? And it does this by requiring multiple individuals to complete critical processes. So this is where this is. It was answer C. Right, you have a SOD that creates functions are distributed across various roles, right? So that requires collaboration between individuals and helps understand the accountability gap. So one of the things we used to do is that you had multiple people. When I was in, we were working on our SOC. Multiple people were understanding tier one, tier two, tier three. You had overlap between all the tiers, so if somebody was out, somebody else could actually manage those various tiers as well. But now, with that being said, you had separation of duties to understand that if I was only allowed to do tier one and tier two, anybody that came in on tier three would overlook my work that I would actually do, and so they added a level of oversight into this. So the ultimate goal is you want to have a good plan when it comes to dealing with separation of duties and your employees.

Speaker 2:  

Question 9. In the context of SLAs, what is a critical security consideration? So we're dealing with SLAs. What is a critical security consideration when dealing with a service level agreement, an SLA? A, including the regulatory compliance and audit rights in the SLA. B, guaranteeing 24 by 7 uptime regardless of the cost. C, allowing service providers to define all performance metrics. Or D, excluding penalties for SLA violations. So, in the context of SLAs, what is a critical security consideration? And the answer is A, including regulatory compliance and audit rights in the SLA.

Speaker 2:  

So if you're dealing with outside entities and they have some sort of... they're underneath a regulatory requirement of some kind, you want to make sure that you include that within your SLA language. It's just a really important part of that and if there is some sort of critical security consideration that needs to be built into it. One example might be you have a, let's say, you have a managed service provider who is providing your security. In there, you may have a situation that says you must contact the X, US government, Chinese government, whoever. You need to have somebody involved in X to be able to communicate to them because they're managing your security within a time frame. Say, if there's a, you have a 36 hour window, you have to communicate an air quotes incident. Within 36 hours you need to communicate it to the US Coast Guard. That might be something that is built into the SLA with this third party. So, just again, this requires you as a security professional to understand the regulations that affect your company because, especially if you're working with third parties, what is their requirement, or what is the requirement that you are going to impose on them if they are acting in your behalf? I know it's a lot of words there, but bottom line is you need to understand your regs so that you can implement that within any sort of contextual legal language that you have to have.

Speaker 2:  

Question 10. Which of the following is a drawback of overly restrictive need-to-know policies? Again, a drawback of overly restrictive, okay, ones that are painful. A, improved confidentiality controls. B, increased employee satisfaction and efficiency. Yeah, no, not going to happen there, that's for sure. C, hindrance of productivity due to access limitations. And D, decreased regulatory compliance. So we all know death and taxes and also government. That never goes away. So you're not going to have to decrease your regulatory compliance, but hindrance of productivity due to access limitations, answer C, is the one. If you have overly restrictive need-to-know policies, because I've been there, done that, got the t-shirt, it's super frustrating when you want to know a piece of information and they go, you do not have a need to know. Have a nice day, let the doors hit you on the way out. Yes, that is very painful, I hate that and you go back away frustrated, yelling and screaming and kicking at the ground. It's not fun. So you want to make sure that you have a good strategy in place that doesn't over permissive but at the same time is not too restrictive.

Speaker 2:  

Question 11. Which PAM, okay, PAM feature is essential for monitoring privileged user activity? So this is a feature that you'd get within the software. Which one is essential for monitoring your privileged user activity? A, role-based access controls. B, data encryption. C, backup management. Or D, privileged session management. Again, which PAM feature is essential for monitoring privileged user activity? And it is the session management. If you haven't dealt with a PAM before, it has the ability to record your session from the moment that you start to the moment that you stop, and it can see you from when you checked out your password to when you utilized it, to also when you actually checked it back in. So all of that can be done and it works really well. So then you can actually tell if you have an insider who then takes that credential and uses it against a different system. It works really, really well. The downside is it costs extra money and you gotta have storage for it.

Speaker 2:  

Question 12. What is a key feature of a two-person control in cybersecurity? A, granting unrestricted access to senior employees. Yeah, that's not like senior citizen like I am, that's just senior, like really big people up high, right. Granting unrestricted access to senior employees. Usually not a good idea either. Do not let the commanders have all access. That's a bad idea. B, requiring dual authentication for sensitive operations. C, automating access reviews for privileged accounts. Or D, sharing privileged credentials among members. So what is the key feature of two-person control in cybersecurity? And it is B, requiring dual authentication for sensitive operations. Again, increases oversight and accountability.

Speaker 2:  

Question 13. Which tool is best suited for enforcing the principle of least privilege? So we're talking about a tool for least privilege. A, identity and access management, IAM. B, data loss prevention, DLP. C, intrusion detection systems, IDS. Or D, endpoint detection and response, EDR. So which tool is best suited for enforcing P-O-L-P, principle of least privilege? And the answer is A, identity and access management. Right, if you have an identity and access management program and it's well integrated with the rest of your tools, that is one of the best ways to help enforce the principle of least privilege. There's other tools that you can use to enhance your IAM capabilities, but having a good IAM policy and tool set is a really critical part. It's kind of the keystone to making that happen.

Speaker 2:  

Question 14. Why is the service classification critical for enforcing need to know? Data classification, why is it important? A, it enables tailored access based on data sensitivity. B, it ensures employees have access to all organizational data. C, it simplifies regulatory compliance by eliminating unnecessary data protections. Or D, it reduces the need for periodic access reviews. Okay, data classification, why do we do it? It enables tailored access based on data sensitivity. A, right. Data sensitivity. It's an important part and that will then force you into a need-to-know basis.

Speaker 2:  

Question 15. What distinguishes Zero Trust from traditional access control models? A, static, role-based access controls without contextual analysis. B, automatic granting of access based on network location. C, continuous verification of access requests regarding the trust level. Or D, reduced need for monitoring once access is granted.

Speaker 2:  

Okay, so what distinguishes Zero Trust from traditional access models? It is C, continuous verification of access requests regardless of the trust model. Right, that's the ultimate goal. You want to keep looking at them. You don't want to say, oh, you've just been allowed, you're allowed forever. No, you don't want that. You want to have the ability to verify on a routine basis what is their trust level and what are you going to allow them to actually see and do?

Speaker 2:  

Okay, all right, that is all we have for today. It is exciting. Yes, today it's CISSP Cyber Training. You go over there, get this content. You can get this stuff and get on your CISSP immediately. You can get started automatically. You can get going on it right away. And you know what, as we're going into the holiday season, you have time. You have time on your hands, so you should go to CISSP Cyber Training and get access to this content. It's there, it's available, it's all there waiting for you. You can do it.

Speaker 2:  

The other thing is, though, is you also, you can go to ReduceCyberRisk.com, and you can check out what we have from a consulting aspect. I've got everything you could possibly need, from pen testers to insider risk programs to virtual CISOs. If you are needing any sort of mentoring and just need to understand, CISSP Cyber Training has that available to you, or we can work it out through Reduce Cyber Risk. It doesn't matter, we can figure it out. The bottom line is is go to CISSP Cyber Training or Reduce Cyber Risk to help you get what you need. A lot of the folks that come on my, that are listening to this podcast, are folks that have been doing this IT stuff for quite a while, so if you need some help and some assistance, don't hesitate to reach out. Again, we've got everything from pen testers, red teaming to CISOs, and you name it. It can all be available to you and we're here to help you get your needs and get it done.

Speaker 2:  

All right, that is all I have for today. I hope you all have a merry, merry Christmas, and as we get into the new year, 2025 is right around the corner, baby, and we are going to have an awesome year in 2025. I just know it. Just feel it. All right. We will talk to you all later and we'll catch you on the flip side, see you.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
