CCT 209: Practice CISSP Questions - Digital Evidence, Forensics, and Investigation (Domain 1.6)
Jan 09, 2025
Unlock the secrets to mastering cybersecurity and prepare yourself for the CISSP exam with our latest episode of the CISSP Cyber Training Podcast. Ever wondered how a single API misstep could lead to a major breach? We dive into a recent incident involving the Department of Treasury and BeyondTrust, showcasing the critical importance of API security. As we navigate domain 1.6, we enhance your understanding of key concepts like the preponderance-of-evidence standard in civil investigations and the main objectives of regulatory probes. This episode is packed with insights that are essential for your exam preparation and valuable for your cybersecurity strategy.
Join us as we unravel the complexities of legal and regulatory investigations. From understanding why reviewing an organization's policies is the cornerstone of internal administrative investigations to dissecting the GDPR framework for data protection, we cover it all. Learn the nuances between civil and criminal investigations, how insider trading is scrutinized by financial regulators, and why non-compete violations are typically handled administratively. Whether you're gearing up for the CISSP exam or looking to bolster your cybersecurity knowledge, this episode offers comprehensive insights that will enrich your perspective and expertise.
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:
All right, let's get started. Good morning everybody. This is Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday. So, yes, we are going to be getting into the questions related to domain 1.6 as it relates to the content that we provided on Monday's podcast. So that's the ultimate goal of this. Thursdays are to provide you the information you need to pass the CISSP through some of the questions and potential questions you may see on the CISSP exam. Again, these questions are not questions that were pulled from (ISC)² by any stretch of the imagination. These are ones just to get you thinking, and to think about how I thought the questions on domain 1.6 could be asked of you.
Speaker 2:
But before we get started, I had an article I wanted to briefly bring up to you, and it is around the recent breach that occurred with the Department of Treasury, and this is described as an attack that would have come from the Chinese government, supposedly. Again, I don't know that information; I'm just reporting what they have here in the news. But the bottom line is that there was an issue that occurred later this week, or I should say earlier this week, related to the Department of Treasury and how they had a major, air quotes, security incident involving BeyondTrust, which is a cloud-based service. The point of BeyondTrust is it gives you a lot of different kinds of credentials; it acts as a PAM solution, and so, yes, it would be a great target for someone to attack. One of the things they're bringing up in this article is that no other agencies within the US government were affected by this situation. Okay, I love how these articles come out, and I'm just going to be very transparent: I have no idea if there were more people or more agencies affected by this by any stretch, but what I would ask or bring up is how this attack occurred, and you might want to think about how it is affecting other agencies within the US government. This attack occurred because of a compromised API key for remote management services from BeyondTrust. Now, that whole hole between BeyondTrust and the API key for the Department of Treasury, those specific key points, is probably covered. Yeah, it's probably good. There's probably no issues there whatsoever.
Speaker 2:
That being said, if you are the federal government, they are working with other companies as well, and they also use APIs and they use API remote management services. So the question really comes down to: what kind of control do they have over their API infrastructure? I've been saying this for a long time on CISSP Cyber Training, and to anybody that'll listen to me: APIs, in my mind, are one of the biggest vulnerabilities we have within the security space, and the reason I say that is because in most cases they are unmanaged. They're allowing people to make a connection into your environment, and the goal is that you have tight controls over it, allowing what comes in and what goes out. But because they're so easy to establish, it can be very tempting for an individual to go and start up an API connection and go, oh, it works, life is good, and, yeah, it does work. Unfortunately, if it's not configured correctly, it will create a nice little backdoor for people to get into your environment.
Speaker 2:
So again, in this article they're saying that at this time there's no indication of any other federal agencies that have been impacted by this, air quotes, incident. So if you are a cybersecurity professional or an IT professional of any kind and you have APIs within your environment, you may want to look at this pretty hard on how you are managing your APIs. We talked about this. They need to go through a gateway of some kind. You need to route all of your APIs through one central spot: one, at a minimum, it gives you a level of visibility into these API connections, and two, it gives you some security controls over what's occurring. You should not allow just anybody to willy-nilly add APIs to your organization. So again, I bring this up to the point of the fact that if you have this situation, or at least in the case of the Department of Treasury, there are probably other holes within their environment that they truly need to look at. Again, the CVE score on this was a 9.8, which is about as high as you can get, and if this is one situation that occurred, well, you can expect there are probably more. So again, this is an article from SecurityWeek, and the title is "CISA: No federal agency beyond the Treasury was impacted by the, air quotes, BeyondTrust incident." Yeah, go check out your APIs. Don't wait for it.
Speaker 2:
All right, let's move into the questions for today. Okay, so again, this is over domain 1.6. Question one: which type of investigation is most likely to involve preponderance of the evidence as a standard of proof? Again, which type of investigation is most likely to involve, air quotes, preponderance of evidence as the standard of proof? A criminal, B civil, C regulatory, or D? And the answer is B, civil, right. The preponderance of evidence is a civil matter, right; that's what it means, that the evidence must show that it's more likely than not that the claim is true. Okay, the lower standard than that is beyond a reasonable doubt, which is used in criminal investigations, and so the point of it is preponderance is civil.
Speaker 2:
Question number two: what is the primary purpose of a regulatory investigation? Again, what is the primary purpose of a regulatory investigation? A, to enforce internal organizational policies; B, to resolve disputes between private parties; C, to ensure compliance with legal and industry regulations; or D, to collect evidence for criminal prosecution. So what is the primary purpose of regulatory investigations? The answer is C, to ensure compliance with legal and industry regulations. Again, the ultimate goal is that you have many masters in the cybersecurity space, and one of those is the industry, or your local regulations, between your local and also your federal, depending upon where you are at. So you need to make sure that if you fall under those guidelines of regulations determined by your local or federal agencies, you follow them.
Speaker 2:
Question three: in which scenario would chain of custody documentation be most critical? Again, in which scenario would chain of custody documentation be most critical? A, administrative investigations for policy violations; B, internal audit for process improvement; C, regulatory investigation for non-compliance; or D, criminal investigations for data theft. In which scenario would chain of custody documentation be most critical? And the answer is D, criminal investigation for data theft. So, again, chain of custody refers to the documentation and handling of the specific evidence to ensure that its integrity is maintained throughout the entire process. In a criminal investigation, it will be essential to document all of this, right. So if you're going to be dealing with somebody that could potentially go to jail, could have some sort of sentence, you're going to want to make sure that the information, the documentation you have, the evidence, is ironclad.
Speaker 2:
Question four: which of the following is the best example of direct evidence in a criminal investigation? Again, which of the following is the best example of direct evidence in a criminal investigation? A, a witness statement about observing the theft; B, a log file showing unauthorized access to a server; C, circumstantial evidence linking a suspect to the crime; or D, a forensics analysis report of a compromised system. So which of the following is the best example of direct evidence in a criminal investigation? And the answer is A, a witness statement about observing the theft. Again, you have somebody, a direct person, a witness, saying that they saw you lift it off of this USB drive. That would be direct evidence and that would be admissible in court, right. So you'd be brought in and you would be used to answer what you saw. This is in contrast to, you know, a log file or a forensics report, which would be considered digital evidence or circumstantial evidence. If I have somebody that has eyeballs on it, it's direct evidence. If I have something that's a little bit tangential on the side, it would be something that is more along the lines of digital evidence or circumstantial evidence.
Speaker 2:
Question five: when conducting an internal administrative investigation, what is the most important first step? So, when conducting an internal administrative investigation, what is the most important first step? A, alerting law enforcement; B, notifying all employees of the investigation; C, reviewing the organization's policies and procedures; or D, collecting all available digital evidence. Again, when conducting internal administrative investigations, what is the most important first step? And it is C, reviewing the organization's policies and procedures. That's the ultimate goal; that's your most important first step, because if you don't have those in place and you're trying to do an administrative investigation, and the person did something that's outside of what your policies and procedures define, then you could run the risk of, you know what, you really don't have a case here and you just might want to let that sleeping dog lie. It also will maybe make you go, you know what, I need to make some changes to our overall policy structure.
Speaker 2:
Question six: what legal principle must be followed to avoid evidence exclusion in a criminal trial due to unlawful seizure? What legal principle must be followed to avoid evidence exclusion in a criminal trial due to unlawful seizure? A, search and seizure laws; B, chain of custody; C, subpoena authority; or D, incident response guidelines. So what legal principle must be followed to avoid evidence exclusion in a criminal trial, which means you can't submit the evidence, due to unlawful seizure? It would be A, search and seizure laws. Again, these laws are set up to govern how evidence can be collected legally. In the United States, the Fourth Amendment protects against unreasonable searches and seizures, and this little bit of trivia actually came out of the Revolutionary War. One of the big issues they had was around the British being able to just go in and seize whatever they wanted. So the US created these laws to help put the guardrails on this and dictate what would be unreasonable searches and seizures. So again, if it's obtained unlawfully, then it may be excluded from the trial.
Speaker 2:
Question seven: which regulatory framework specifically addresses data protection and privacy for European Union residents? Which regulatory framework specifically addresses data protection and privacy for European Union residents, EU residents? Okay, A SOX, B GDPR, C PCI DSS, or D CCPA. And the answer is B, yeah, GDPR, aka the General Data Protection Regulation. It's a comprehensive data protection plan that was put into place, man, many years ago. There was another one that was set up, I can't remember, it was Data, oh, I can't remember, Data Shield or something like that. But GDPR was designed as an overarching kind of protection, and if you fail to meet what GDPR asks for, it is expensive. So people put a lot of time and money into being compliant with GDPR.
Speaker 2:
Question eight: a company's internal investigation reveals an employee is violating a non-compete clause. This type of investigation falls under which category? So, non-compete, an employee's violating it: A regulatory, B civil, C criminal, or D administrative? Okay then, an employee violating non-compete laws? It would be D, administrative. So internal investigations into non-compete clauses would typically be administrative in nature, and they all more or less come down to you wanting to enforce the company's policies, so that would be administrative.
Speaker 2:
Question nine: what distinguishes civil investigations from criminal investigations in terms of penalties? Again, what distinguishes a civil investigation from a criminal investigation in terms of penalties? A, criminal investigations focus on financial or injunctive relief; B, criminal investigations can result in imprisonment; C, criminal investigations only result in financial restitution; or D, criminal investigations are always initiated by private entities. Okay, what's the difference between civil and criminal? A, civil investigations focus on financial or injunctive relief. Right, that's the main point of them. They put injunctions in place to prevent certain actions rather than punitive measures like imprisonment. That's the ultimate point. But again, that comes back to, with civil and criminal, the differences in what is defined and needed for evidence. Beyond a reasonable doubt is criminal, and so therefore the evidence aspect falls into that category.
Speaker 2:
Question 10: which of the following best describes circumstantial evidence? Question 10 is, which of the following best describes circumstantial evidence? A, the direct observation of a criminal act; B, evidence that implies a fact but does not directly prove it; C, evidence that is inadmissible in court; or D, evidence obtained through direct forensics. So again, what best describes circumstantial evidence? It is B, evidence that implies, air quotes, a fact but does not directly prove it. So if you see something that doesn't directly corroborate that there was an issue, it will then be circumstantial evidence. So again, finding a suspect's fingerprints on a door does not necessarily prove that they committed the burglary, but implies they were present, or maybe they showed up earlier or later. Again, that's just kind of bringing all this little story together, the circumstantial piece of it. When you're dealing with IT: did the guy actually have USB access? Did the person log in that day? Did the person use their USB access? So on and so forth.
Speaker 2:
Question 11: an investigation into insider trading is likely conducted by which type of authority? So insider trading, who would be doing that? A, criminal law enforcement; B, an administrative review committee; C, a private arbitration panel; or D, a financial regulatory body. So an investigation into insider trading is conducted by which type of authority? It would most likely be D, the financial regulatory body. Now, insider trading, again, is buying and selling securities based on non-public information. If you do that, it violates what the SEC has out there, and so it's highly likely that they would get involved when you're dealing with insider trading. That being said, you can also say that there would probably be other people involved in this as well, but the financial regulatory body would take the lead on these types of situations. It doesn't mean they won't come back after you for criminal aspects, aka Martha Stewart. That's where she ended up dealing with that.
Speaker 2:
Question 12: which concept ensures that every individual who handles evidence is recorded? Which concept ensures that every individual who handles evidence is recorded? A, evidence integrity; B, chain of custody; C, forensics readiness; or D, digital signature. Again, which concept ensures that every individual who handles, touches, deals with it in any way is recorded? And the answer is B, chain of custody. Again, chain of custody tracks the evidence from its collection to its presentation in court, ensuring that everybody who touches it has the access they are supposed to have. There's a record of who touched it, when they touched it, and so forth.
Speaker 2:
Question 13: which act governs electronic communication privacy in the United States? A, Sarbanes-Oxley; B, the Computer Fraud and Abuse Act; C, the Electronic Communications Privacy Act; or D, the Federal Information Security Management Act, or FISMA? And the answer is C, the Electronic Communications Privacy Act, otherwise known as ECPA. This basically is an act that was put in place for electronic communications and how they can be accessed and intercepted in the United States. Okay, so that's a key factor around that. When you're dealing with SOX, you know that focuses on financial practices; the Computer Fraud and Abuse Act, CFAA, deals with computer-related crimes; and FISMA is focused on federal information system security. So if you're going to know the differences, if you're going to whittle them down, the Electronic Communications Privacy Act at least, at a minimum, has it in the name.
Speaker 2:
Question 14: which of the following is a primary objective of forensic readiness? A, ensuring regulatory compliance; B, reducing investigation time; C, enhancing user privacy; or D, preparing systems for collecting and preserving evidence? Again, what's the primary objective of forensic readiness? It is A, ensuring regulatory compliance. So forensic readiness involves configuring and managing systems so that evidence can be efficiently collected and preserved. So the ultimate goal is you're ready for it, right. This can occur because maybe in your organization you have taps within your organization's network so that you're collecting packet captures, PCAPs, and that is then sent to another location where it is stored. So you are then ready for the event that you may have to have some sort of forensics capability, and all these log files are being sent to a certain spot. Again, this is a strategic kind of thought process that you need to plan for if this is something that's important to your organization.
Speaker 2:
Question 15: a whistleblower protection policy primarily addresses which investigation-related concern? Again, a whistleblower protection policy primarily addresses which investigation-related concern? A, evidence handling; B, investigator bias; C, protection from retaliation; or D, preservation of chain of custody. So a whistleblower protection policy primarily addresses which investigation-related concern? Right, and the answer is C, protection from retaliation. Whistleblower protections are designed to protect the individuals who report potentially unethical or illegal activities. Right, it's to help them. It helps to encourage people to come forward without having to worry that someone's going to throw them under the bus. So that, again, is the ultimate goal: the whistleblower piece is protection from retaliation. If you violate that, it can go ugly for everybody. So you want to make sure that, if you do have that within your organization, you are watching it very closely and you have a good plan in place to deal with whistleblowers, because, yeah, if it comes across that you are not doing well to protect them, you've got a lot bigger issues you're going to be fighting. So that's just a piece of advice. Again, not a lawyer, just telling you some stuff from experience.
Speaker 2:
Okay, that is all I have for you today. Head on over to CISSP Cyber Training. Go there, you'll enjoy it. I guarantee it. You'll love it. It's awesome. It's got everything you need to pass the CISSP exam. It's all there. No reason to go around checking out other places, watching videos and other things. It's got it all available for you, to include an overall plan for passing the CISSP.
Speaker 2:
Now, again, I have a blueprint that's within the CISSP network in there, in the overall product plan, and that plan, that blueprint, will help you step by step by step on what you should study to get ready for the CISSP. There's a lot of people out there that can go and cram for this thing, pass it, and move on. Well, that's great, but the nice part about what I have with the blueprint is the blueprint will step you through, help you learn the information, so that when you move on to the next role, you actually understand what they're asking of you. And, to be honest, if you want more money, there's a lot of different companies out there that will promote, hey, we can help you get more money. The way you're going to get more money in cyber is you understand the content. You ain't going to be able to get it just by winging it, because you might wing it for a little while, but then they'll find out and you'll be fired. Or you'll get hacked and then you'll be fired. The ultimate goal is, again, to learn this information so that you can then help your company, protect your company, from the evil hacker horde.
Speaker 2:
Now the last thing is, go also to ReduceCyberRisk.com, and you can go there, and if you're looking for a consultant, I can help you with that. I've got a lot of partners that I'm working with and we can help you with your needs, from virtual CISOs down to individual security pen testing, you name it. It's available to you at reducecyberrisk.com. So again, cissp.com or cisspcybertraining.com and reducecyberrisk.com. Head to those, check them out. A lot of great stuff for you. Have a wonderful, wonderful day, and we will catch you all on the flip side. See ya.
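Questions 3, 12 and 14 above describe chain of custody as a record of every person who handled the evidence, with its integrity preserved from collection to presentation, and forensic readiness as having systems set up so that evidence can be collected and preserved. The following is an added example, not code from the podcast or from CISSP Cyber Training, that shows what such a record looks like in working form: each hand-off logs who, when, what, and the SHA-256 of the evidence as observed at that moment, a hand-off is refused if the evidence no longer matches the collection hash, and the log entries are hash-chained so that editing an earlier entry is detectable. The evidence identifier, handler names and "disk image" bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyBreak(Exception):
    """Raised when evidence presented at a hand-off no longer matches the
    hash recorded at collection, i.e. the chain of custody is broken."""


class ChainOfCustody:
    """Append-only custody log for a single evidence item.

    Every entry records who handled the evidence, when, what they did, and
    the SHA-256 of the evidence bytes as observed at that hand-off. Entries
    are hash-chained (each carries the hash of the previous entry) so that
    editing or deleting an earlier entry is caught by verify().
    """

    def __init__(self, evidence_id: str, data: bytes, collector: str, note: str):
        self.evidence_id = evidence_id
        self.collection_hash = sha256_hex(data)  # reference hash for all later hand-offs
        self.entries: list[dict] = []
        self._append(collector, "collected", note, data)

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON so the hash does not depend on key ordering.
        return sha256_hex(json.dumps(entry, sort_keys=True).encode())

    def _append(self, handler: str, action: str, note: str, data: bytes) -> dict:
        prev = self._entry_hash(self.entries[-1]) if self.entries else "0" * 64
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "handler": handler,
            "action": action,
            "note": note,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "evidence_sha256": sha256_hex(data),
            "prev_entry_sha256": prev,
        }
        self.entries.append(entry)
        return entry

    def transfer(self, handler: str, action: str, note: str, data: bytes) -> dict:
        """Record a hand-off; refuse if the evidence changed since collection."""
        if sha256_hex(data) != self.collection_hash:
            raise CustodyBreak(
                f"{self.evidence_id}: hash mismatch at hand-off to {handler}")
        return self._append(handler, action, note, data)

    def verify(self) -> bool:
        """True if every entry still carries the collection hash and the
        hash chain between consecutive entries is intact."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_entry_sha256"] != prev:
                return False
            if entry["evidence_sha256"] != self.collection_hash:
                return False
            prev = self._entry_hash(entry)
        return True

    def handlers(self) -> list[str]:
        return [e["handler"] for e in self.entries]


# Constructed sample: a few bytes standing in for a seized drive's image.
SAMPLE_IMAGE = b"constructed evidence image: USB-DRIVE-0042 raw bytes"


def demo() -> ChainOfCustody:
    """Collection followed by two hand-offs; names and IDs are made up."""
    log = ChainOfCustody("USB-0042", SAMPLE_IMAGE, "j.doe (analyst)",
                         "imaged from seized USB drive behind a write-blocker")
    log.transfer("evidence locker", "stored", "sealed bag #17", SAMPLE_IMAGE)
    log.transfer("k.lee (examiner)", "checked out", "forensic analysis", SAMPLE_IMAGE)
    return log


if __name__ == "__main__":
    chain = demo()
    print("chain intact:", chain.verify(), "handlers:", chain.handlers())
    try:
        # A single changed byte at the next hand-off breaks the chain.
        chain.transfer("court clerk", "submitted", "exhibit A", SAMPLE_IMAGE + b"x")
    except CustodyBreak as exc:
        print("rejected:", exc)
```

In practice the collection hash would be computed over the full forensic image (and recorded on the evidence bag and in the case file), and the log itself would be stored somewhere the handlers cannot edit; the hash chain only lets you detect tampering, it does not prevent it.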