CCT 026: Understanding and Supporting Investigations (CISSP Domain 7)

cissp domain 7 Apr 10, 2023
CISSP Cyber Training

Shon Gerber from CISSPCyberTraining.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge in cybersecurity from being a Red Team Squadron Commander; Chief Information Security Officer (CISO); and Adjunct Professor providing superior training from his years of experience in educating people in cybersecurity.  

 

In this episode, Shon will talk about the following items that are included within Domain 7 (Security Operations) of the CISSP Exam:

 

· CISSP Articles – Supporting Investigations

· CISSP Training – Understanding and Supporting Investigations

· CISSP Exam Questions

 

BTW - Get access to all my Training Courses here at:  https://www.cisspcybertraining.com

Want to find Shon Gerber / CISSP Cyber Training elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

CISSPCyberTraining.com - https://www.cisspcybertraining.com/

Facebook - https://www.facebook.com/CyberRiskReduced/

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

 

 

Hey, y'all. This is Shon Gerber. Thank you so much for listening today. But before we get started, I have a question for you. Would you like to finally pass the CISSP and get started building a lucrative and rewarding career in cybersecurity? I can help you over at CISSPcybertraining.com with the resources and tools you need to pass the CISSP the first time at CISSPcybertraining.com. There's a vast array of resources available that will give you the guidance, direction, and training you need to pass the CISSP exam. As soon as you get done with this presentation, head on over to CISSPcybertraining.com so that I can begin helping you today to meet your CISSP goals and grow your career in cybersecurity.

All right, let's get started. Welcome to the Reduce Cyber Risk and CISSP Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

All right, let's get started.

Hey y'all, this is Shon Gerber with the Reduce Cyber Risk podcast. I hope you all are having a great week, this wonderful week. Actually, since this podcast gets started, it always comes out on a Monday, so you're probably

as it relates to cyber security and one of the aspects I should say of the There was like seven different topics they had on that article specifically, and they focused, I'd say, five of the seven focused on cloud, and I fully suspect that that's gonna be a huge issue coming. Well, it's gonna be forever, but especially in the next few years, as people are getting smarter on the cloud is how is it secured and what?

What are some of the mechanisms in place? And so I've learned with the, our deployment, or the deployment I've seen with the cloud in my company, that there's a lot of knowledge that needs to be learned, including myself on how much that I don't know, and it's really, it's been an eye-opening experience of trying to work through everything because the thing you have the standard foundation with cyber security.

But then when you get into the cloud, there are different aspects, little nuances, that in the past you'd have one server could get compromised. Well, now, if you screw up some pretty big aspects that almost anybody can configure, you could basically compromise a large swath of whatever you put out there.

So there's a lot of nuances to it. It's going to be pretty cool. I, at least from my standpoint, I like to learn. So it's going to be pretty kind of neat. Well, so what's rolling today, today is episode 54, understanding and supporting investigations. And this is going to be domain seven of the security operations piece of this.

So there's a couple different articles. We're going to come out here and this is one that people kind of struggle with a little bit as it relates to investigations because you don't really know and it's kind of that legal stuff and how do I handle all that? And this has been an eye-opening experience for me myself in the fact that I've had to deal with various other evidence, or I should say investigations, on activity that's occurred within various companies and things that I've worked with from the military to my current company that I'm dealing with right now.

And so it's, it's been an interesting thing that I never really expected or anticipated. But if you're going to get your CISSP, one of these are key aspects you need to understand and know. The other piece of this is these, the information that I'm going to be going over today is also extremely important with your career and what you're going to do for other companies because a simple fact of it is, is that you as a cyber security person will be looked upon in most cases as the person who understands how to deal with cyber security evidence and how to manage it. And also, you're probably the first person on the scene when the event happens.

So you need to have a good grasp and understanding of what are some of the expectations and what are the pitfalls that go into not doing a good job around this. So let's get started with our first, with the online aspect of this, and the article that I pulled up that I found out there online was from InfoSecInstitute.com and they're talking about security and how the investigations support the requirements. Again, the show notes will be on the website and you can go check those out at any time. All right. So this was from InfoSecInstitute.com, they talk, they break it out as far as infants, I can't even say the word, evidence collection and handling.

And to kind of break down what does this actually mean. Well, evidence includes facts, items, and information to be presented in a court of law to establish the validity or invalidity of a claim or statement. So when you're looking to collect evidence around a cyber security event that occurred, you are going to have to present this to, it's not going to be like a court of law where you have all these people around you.

I shouldn't say it won't but it's highly unlikely that it will. It'll most likely be to a judge and some lawyers that you'll deal with on this statement. But you have to be able to present this sort of information to them, the evidence, in a fact or in a manner that proves that you just, they actually have a case versus you just look like a blithering idiot and you have no idea what you're talking about.

So you're going to have to provide that information. In the event that there is an investigation, the evidence is used to prove a person's or entity's innocence or guilt, right? We know about that, but when you're dealing with cyber security pieces of this, you really need to have a proper chain of evidence and it's exactly what it sounds like, right?

You have evidence that kind of leads you down the path and points you in a direction. Now, this evidence will be, when I deal with computer security pieces, and this is something the CISSP will probably chat around, is the fact that computer evidence is typically circumstantial evidence.

It's not, it's not something that's hardened proof that you must, if you have it, you are, it's rock solid, you're gonna win no matter what. No, because computer evidence obviously can be tampered with at some point. And so, therefore, they don't consider it as the rock hard status of evidence that you have to have to put to make the case open and closed.

Yeah, I think it's open and closed, right? Where it's basically, it will happen, right? If you present this evidence, the game's over. We win, you lose, done. That's not going to happen with cyber security or with computer type of evidence. Just because, like I said before, it can be manipulated. Now you're going to have to put out there, as far as when you're dealing with the chain of evidence, how it was collected, how it was identified, and how it was protected.

That's a key point. What did you do once you got it, and how did you protect it? How did you keep it from somebody actually getting a hold of it and messing with it? You also have to break out how it was conducted, the overall investigation, how the data was copied, cloned, but what was that done?

One of the things to consider with the CISSP is that you should not be manually copying this information over. You would take a copy of the device, an image of the actual device or evidence itself. So if it's in an operating system, you would clone that entire box. You wouldn't just do, well, hey, I'm gonna go in here and cherry pick out where is the evidence. These are the log files that allowed this to occur. You don't want to do that. That will cause you all kinds of grief down the road. And what will end up happening is they'll probably throw out your evidence because you just cherry picked what you wanted. So those are important things to do.

And you also got to present, how is it presented in court and by whom? So I say this in the fact that why do, why do lawyers get paid a lot of money? Well, it's drama, it's theater, and they're putting on a case. If you bring in the, the computer nerd that just can't even see straight and just can't put a couple sentences together, kind of like this podcast at times, then what's gonna end up happening is that's gonna cause doubt on your overall case. So you're gonna have to have someone who is articulate and knows what they're talking about that is acting as a witness for your case.

So those are important I was talking to a guy that is a CISO with another company and he actually sits in He gets paid to go in and present evidence in courts for companies, and the reason is he's an expert on this stuff, on this technology, and therefore he is pulled in as an expert witness who can talk to these aspects.

And because he can talk at the third grade level to people, then what ends up happening is he gets called up a lot to go do it. So there's opportunities there if you ever become a, once you get your CISSP and you get into the space and you have some more education or, not going to say education, but experience, you potentially could be an expert witness. So, anyway, that's all that. So, the other thing from InfoSec Institute is whether the property has been returned to the owner after the investigation. You have to define, was it brought back to them? Was it given back to them? Those are things you'll have to call up.

Now, also some other aspects around chain of custody: who obtained the evidence? Who secured it? Where and when was it collected? Basically the where, when, what, why kind of thing. You got to be able to call that out and be able to state what that was. Now, in the case of the evidence storage, it's typically stored in some locked environment.

You know, vault or some sort of safe, that kind of information, that kind of place was where you typically store this kind of information. You wouldn't just leave it in a, a drawer in your desk. Probably not a good idea. An encrypted thumb drive that can walk off? No, probably not a good idea. Well, even better, just a thumb drive that's not encrypted.

Those would be bad things to do. When you're dealing with evidence, you should make sure that it's labeled correctly and then it's protected, i.e. within some sort of encryption mechanism to ensure that it is not tampered with. And then it also must be protected with identical clones. We talked about the fact that you should have an identical clone of the system.

You should not just copy the information off of this information. Now, the one thing else that you should consider is that when you are messing with the data, it's important that there's monitoring occurring and recording what you're doing, that the court's going to want to know how you did that. So you can't just say, well, hey, I magically found these logs.

They just kind of showed up one day. I don't know where they were before, but they're here now. That won't work, they're going to look at that and they're going to frown on that pretty quickly and probably get you thrown out. So you need to make sure that it's recorded, monitored, and managed and those recordings are actually available to the court if they want to have them.

So and again, it must be presented in court accompanied by testimony and opinion. Those are key pieces around that as well. So, those are all aspects around the chain of custody piece of this. Now, the other thing that the InfoSec Institute brought out, this bullet point, is that the property must be returned to the victim after the trial or securely stored if the perpetrator is found guilty of a crime.

Not climbing a mountain, a crime. Not guilty, you give it back. If they're guilty, they lose access to it. And then they go break big rocks into little rocks. So, yeah, that's, or it's a white collar crime. They'll probably just go sit at a resort somewhere, drinking margaritas and relaxing. No, that's not really necessarily the case, but you kind of see that in movies sometimes.

Alright, reporting. So, the reports must be complete, detailed, and high enough quality to be accepted in a court of law. So, you've got to provide some level of reporting on this stuff. And so, something else to consider is that if you have bad English, Okay, that's probably just butchered the English language right there.

If you have bad grammar, bad English, you don't know what you're talking about, you don't know how to write a sentence together, then you probably better have somebody else file the report for you. Just, just saying. Might not be a bad idea to do that. It should include some of the following things.

Basically, how you got to where you were at. What was the forensic step and process in which you got to where you were at. Copies of your standard operating procedures. Again, you must have things documented. You can't just go and off the cuff and make things happen. A copy of the checklists that are used for the investigative process.

What are you using to get there? You know, step one, I copy files. Step two, I encrypt files. Step three, so on and so forth. And again, you gotta have to put this in the third grade level. I don't mean that people are foolish. As I've said before in some of my CISSP training, the ultimate goal is to bring this to the third grade level.

And why? Because the fifth grade level, people can't get it because, if you ever play the game, you know, how, uh, how smart are you or who's smarter, you or a fifth grader? Most fifth graders are pretty, pretty intelligent. Third grade, yeah, you can probably talk at that level, then you're probably going to be okay.

Most people will understand what exactly you're saying. So it's important to do that. You also need to make sure that you have the, you're again, you're using the right technology and terminology and talk in layman's terms. One thing also you shouldn't deal with when you're dealing with logs, make sure they're time stamped on when they actually were taken.

Again, all of these things could be manipulated in the right situation, but it helps build your case. Now, when you're dealing with different techniques, you, you basically, it's important that you have some level of techniques in place to ensure that you get this, and this comes down to: forensic principles must be applied to all digital evidence, evidence must not be altered during the collection phase, so on and so forth. You must make sure that that is, and that would be followed up by a checklist that you maybe have on how do you actually get to this point.

I would highly recommend that you don't on your first investigation, especially if it's dealing with something of any significance for your company, you bring in a third party. But when I say that, is then you get smart on how does that third party do it. Now, if you have time and you haven't had an investigation, maybe it would be wise to go find a friend and talk to somebody about how to do a proper investigation around the IT space and the cyber security space.

And even if it's a regular investigation for a criminal investigation such as murder, robbery, whatever, that same processes can be used. It's just smart for you working on your CISSP to be able to understand these pieces of this. All training must be provided to anyone that accesses this digital evidence.

So if you have someone, the lawyer that needs to access it for whatever reason, you have specific training in place to help them how they access it. I would also recommend you put this data, if somebody does need to look at it, you put it in an environment where they cannot manipulate it or do anything to it, kind of like its own little walled off garden that all they can see in but they can't touch any of it. I think that would be very important just because, and if you can prove that in the court of law that you did that situation, that would be very valuable.

It must not be altered in the collection phase of the investigation. You must talk about why how you didn't alter it during the collection phase. Personnel that are in possession of evidence are responsible for it until it's back into storage. You must be, it's a check in, check out process. Once you have it and you check it in, you're responsible for it until you, or check it out, then you're responsible for it until you check it back in.

And then all personnel and entities must be fully certified to work with evidence if the chain of evidence is to be preserved. You gotta have a process. They gotta be certified. They've gotta be trained. You can't just go do it willy nilly. So, you know, it's just gotta have a process behind this stuff.
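Added example, not part of the podcast: a small custody log for one evidence item that records who collected it, where and when, enforces the check-out/check-in rule, and refuses a check-in if the working image no longer matches the hash taken at collection. The class and function names, the sample people and timestamps, and the hash-chaining of log entries (a technique chosen here to make edits to the log detectable) are all assumptions for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in a log


class CustodyError(Exception):
    """Raised when an action would break the chain of custody."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    # Hash every field except the stored hash, using a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only custody record for one evidence item (hypothetical design)."""

    def __init__(self, item_id, image, collected_by, location, when):
        self.item_id = item_id
        self.image_sha256 = sha256_hex(image)  # fixed at collection time
        self.entries = []
        self.holder = collected_by             # None means "in locked storage"
        self._append("COLLECTED", collected_by, when, location=location)

    def _append(self, action, person, when, **details):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "item": self.item_id,
                 "action": action, "person": person, "when": when,
                 "image_sha256": self.image_sha256, "details": details,
                 "prev_hash": prev}
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)

    def check_out(self, person, when, purpose):
        if self.holder is not None:
            raise CustodyError(f"{self.item_id} is already held by {self.holder}")
        self._append("CHECK_OUT", person, when, purpose=purpose)
        self.holder = person

    def check_in(self, person, when, image):
        if self.holder != person:
            raise CustodyError(f"{person} does not hold {self.item_id}")
        if sha256_hex(image) != self.image_sha256:
            raise CustodyError("image differs from the hash recorded at collection")
        self._append("CHECK_IN", person, when)
        self.holder = None


def verify_chain(entries):
    """Return a list of problems; an empty list means an unbroken sequence."""
    problems, prev, holder = [], GENESIS, None
    for i, e in enumerate(entries):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence gap")
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: not linked to the previous entry")
        if e["entry_hash"] != entry_hash(e):
            problems.append(f"entry {i}: contents changed after recording")
        if e["action"] in ("COLLECTED", "CHECK_OUT"):
            if holder is not None:
                problems.append(f"entry {i}: item taken while held by {holder}")
            holder = e["person"]
        elif e["action"] == "CHECK_IN":
            if holder != e["person"]:
                problems.append(f"entry {i}: returned by someone who did not hold it")
            holder = None
        prev = e["entry_hash"]
    return problems


def demo():
    # Constructed sample data: stand-in bytes for a forensic disk image.
    image = b"constructed stand-in for a forensic disk image"
    log = CustodyLog("ITEM-001", image, "analyst_a", "server room",
                     "2023-04-10T09:00:00Z")
    log.check_in("analyst_a", "2023-04-10T09:30:00Z", image)
    log.check_out("analyst_b", "2023-04-11T08:00:00Z", "media analysis")
    log.check_in("analyst_b", "2023-04-11T17:00:00Z", image)
    return log


if __name__ == "__main__":
    print(verify_chain(demo().entries) or "chain intact")
```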

So forensics, there's some key aspects around this. We got many media. I mean, it's four in the morning. I'm a little tired. Sorry. It's media analyst, analysis. Um, this includes the analysis of components such as RAM, hard drives, optical media, USB, SD cards, all that stuff. You must have some way of how you analyze all types of media.

If you don't have that capability, outsource it. It's just important to have it done right. I will say for investigations that I've dealt with in the past that have been small, I've taken care of those. But if they've been of any significance that I think could potentially cost the company a lot of money, even from not even financial, just reputational aspects, I will call in a third party just because it's better to have that third party who has the quote unquote, air quotes, unbiased opinion about things that can, it would potentially testify in court. What would happen is, if I went in to testify for my company in a large situation because I'm the sole investigator, it would probably be looked upon as, uh, not as trustworthy of an investigation, that I'm looking in the best interest of my company. So I would highly recommend you bring in a third party to help you with some of those things. Network analysis is carried out on equipment such as routers, modems, firewalls, all those kind of things. Now the interesting part about this is when we started off the podcast is AWS.

Same concept can occur in AWS. However, it's not, you can't physically touch these things. Whereas in the past, you could physically touch a router, you could physically touch some sort of media, you could, you could go grab it and bring it and put it in storage. So adding it to the cloud adds a little bit of level of dynamics that I honestly, I'm not totally connected with how, I mean, the process would be the same, but I think there's some nuances that you would have to kind of think through and it's probably good to think through those before something bad actually happens.

Software analysis, uh, you would potentially have some level of analysis on the software depending upon the situation, and that would come down to evidence of activity within the software, log files, timestamps, metadata, anything that would add some level of ability to the investigation. You should consider that when you are looking at the investigation from a software standpoint. Now, there's some other factors to consider as you're dealing with this and some things that you need to know when you're looking at investigations for the CISSP. There's basically four investigation types that are covered in the CISSP and they should be understood by individuals that are taking this test and that would be operational, criminal, civil, regulatory, and e-discovery, and those are the different types of investigations that you will run into, especially taking the CISSP, and you may end up dealing with one or more of those once you start working for a company.

Now, there's other factors to consider as well, and we kind of talked about, what are those? You got electronic inventory, data retention policies, recovery, data storage, data ownership, data handling, and having key people tied to all of those, I think, is extremely valuable when you're dealing with an investigation for the data.

Okay, so that is all of that article I had about InfoSecInstitute. com. This is in this episode, and it's episode 54. You'll be able to find out all that information that you need to be able to be successful, or at least at a minimum, understand how an investigation can be completed and what you can do to better, do a better job with it.

All right, so now I'm going to roll into the CISSP training. This is based off Domain 7.1 of the CISSP and the Objective 7.1, Understanding and Supporting Investigations. And so a lot of the things like we talk about in the, the podcast is that you, you will get the information that will kind of go over to multiple times.

And the purpose behind that is the fact that I mean, I don't know about y'all, but I struggle with just remembering something once. If I hear it, if I hear it, I kind of reach a little hard back into my back of my cranium to figure out, did I really remember that? After I hear it three or four times, I start to get it.

But the rule of thumb that I've heard, whether or not this is true from marketing folks, is that you have to hear something, hear or see it seven times before you actually make a move on it. This is buying stuff, right? Now that we're in the Christmas season. So the question to consider is, as you're listening to this Reduce Cyber Risk podcast, some of these things I go over routinely, they may seem like, well, hey, dude, you just went over this again.

There may be a new, a different nuance to it, but at the end of the day, the more we go over these things, the better off you are, and when it comes time to take the test. Okay, so in understanding the supporting investigations, there are some key aspects, which we've talked about with evidence collection and handling.

Proper collection of evidence is challenging. We've talked about that and what you have to deal with and it can surely should be only accomplished by professional technicians. Now that could be you once you are done with, well, you could be, I mean, obviously when you're dealing with your CISSP, you don't have to have, you can be doing this right now as a forensics person and there probably are people out there doing that who are studying for the CISSP. But you might want to consider, if you have an opportunity, especially if you're working IT within an organization, is go find who could be doing this sort of collection for your organization.

Now also to think about if you're the CIS, if you're CISSP, if you're a, maybe the sole cybersecurity person or the sole IT person for your organization, start understanding how this would occur. And, and cause you, it's going to have to happen is if it does occur, you're going to have to visit with third parties and knowing the same language and the same lingo would be extremely useful in the event of an incident. So just kind of consider that. Individuals collecting evidence need to be trained on handling. Again, they document this training. This needs to be important and proper handling can jeopardize legal cases and it really, really can. If you don't have a good case because you did a shoddy job of collecting the evidence, the only person at fault of this, oh, I should say the only, one of the key contributors to the failure of your case would be potentially you.

It's always best to work on a copy of evidence. I don't say it's best, I say you must. Unless there's some reason you have to work on the original, you should never really work on the original. Document there might be some original data. There might be some reason behind that, but at the end of the day I would stay away from that at all costs. When you're dealing with media analysis, identification and extraction of data is extremely important and this could be media from a device, USB stick, digital optical drives, you name it. Anything that has, potentially has access to this data. Network analysis. This depends much on prior knowledge of the event. This could be various logs, such as IPS, flow logs, firewall logs, you name it. So you may have to put a sniffer on the network to get some of this information as it was going. Maybe you have a suspicion that there's something going on.

And maybe you decide to start collecting logs before an actual event. You may want to. That would be an option to do that as well. When you're dealing with software analysis, understand backdoors, logic bombs, or other vulnerabilities that could be potentially in your software. And you may need to review the log files of the application for a better picture.

Now here's the gotcha with that. Not all of the applications that you work on will have log files. I've run into this a lot. Numerous times where you think they have log files, but, uh, no, they don't. So it's something to consider. I would have a good understanding of the lay of your network or of the applications that are in your network way before you need to know that.

So something to consider on that end. Hardware and embedded devices, computers, phones, tablets, again, you may want to have, uh, an expert look at that. Now, there's various software out there that will help you with your phones, but unless you're a forensics company, unless you work for a forensics company, most, most of, most of this software is pretty expensive and you wouldn't just typically go out and buy it just to buy it.

Uh, I know the, the phone software for doing forensics was around 10, a few years ago when I was looking at it. Thinking of opening up a, starting up a business that dealt with this. And then I looked at the legal aspects of it and went, yeah, no, I don't think so. That's something I really want to get into.

When you're dealing with reporting and documentation, all investigations need to have a report and the report type will be dependent on the organization's policies and procedures. There's something that if you don't have good policies and procedures in place, that also is going to affect your case. And so that's something I've kind of realized myself in areas that I need to work better at is have a good situation around policies.

The final report does lay the foundation for potential legal action. So again, you got to know English, got to be able to speak it, got to be able to write it, and it's got to be discernible at the third grade level. It's imperative that you build relationships with legal counsel. I would do that ahead of time.

Do not wait until your investigation has occurred. I've been very blessed that I have some really good relationships with some legal counsel. And over the years, from when I was a hacker and also through working through the various enterprises, I have a good understanding, I should say a decent understanding, of the legal side aspect, but I have some really good relationships with some awesome lawyers. And that's, that's extremely helpful, and they talk about and hear about building relationships with law enforcement. Something else to consider is you may want to do that. I mean, because here's something to think about. So I live in a very small town in the middle of rural Kansas, but I know all the police officers, not because I get picked up but because it's a small town and they're good friends. So in the event that there would be something bad that would happen locally, I actually would have to start, open an investigation with them first, depending upon if it was my company in my small town.

So that was something that you may want to build those relationships with them. I get picked up on speeding tickets, but at least build the relationships with them ahead of time in the event that you have an investigation at some point. Depending upon, now also to keep in mind is when you're dealing with the FBI, the FBI will, they're law enforcement, but they're not the ones that you open up an investigation with locally.

You would do that with your local law enforcement. FBI also is not going to help you mitigate any issues. They're going to help find the bad guys that did this to you, but they won't help you resolve the challenges you're dealing with. So don't look to the FBI to help you. They just, they won't. So when you're dealing with investigative techniques, uh, conducting computer security investigations, you'll need a team and then you'll have to follow some sort of incident response policy that you have in place.

Again, this comes back to the policies and procedures that you have documented. You need to have an incident response process and policy in place and you should follow it based on your policy. So you follow the investigation based on what your incident response policy is saying and then when you do that what will end up happening is you will, you have to build your case in court to make sure that you're doing what you're supposed to be doing.

You should have rules of engagement on how you do this, how you call in law enforcement, who calls in the law enforcement. You don't just have somebody arbitrarily call the police officers. You may want public affairs involved to do that. I'd highly recommend that. Um, do not just go, you call them. You need to stay out of the limelight as much as possible with this.

You want other people to do it, whether it's the president, the CFO, CEO, someone who's one of the C level suite people, public affairs, they need to take care of this, not you. You are the boots on the ground and getting them the information they need, but you should not be the face of this. You want to avoid that at all costs.

When you're gathering evidence, there's three options. You have voluntary surrender, subpoena, or search warrant. Those are the three options that are available. And against voluntary surrenders, you provide it on request. Subpoena is a court order by law enforcement. And they give you enough notice saying, uh, yo dude, you need to bring this data to us please.

If you don't, then you're in bad trouble. Or, the search warrant is someone just knocks on your door with guns blazing and they say, give us your stuff, okay? But again, they have to have credible evidence and a judge needs to approve it. Unless you're in the United States, then you don't need any sort of approval.

They can just go and lie about it and get a warrant. So that's a little political poo on that. So not, not good in the United States right now. So search warrant, that's that. All right. Digital forensics, tools, tactics, and procedures, administrative evidence. This is relevant to determining a fact. It must be merit, merit, not merit, must be material related to the case.

Basically what you've got to be able to, if you provide any admissible evidence, it's got to be material or evident to the case or related to the case. It must be competent or obtained. Types of evidence are real evidence, documentary evidence, and testimonial evidence. Real evidence would be DNA or weapons, something like that.

That's like physical. You hit somebody over the head with a USB stick, then yes, that would be real evidence. Documentary evidence is written notes, and testimonial is whatever you are saying. It's your verbal information. We talked about chain of custody, how important that is, especially in the cyberspace, and this deals with labeling, evidence of logs, how you handle it, how you sign it in, how you sign it out.

All of these have to be an unbroken sequence of events. If it's broken, then you just put your case in jeopardy. So all of those things have to be in place. Okay, so that is from the CISSP training that SeanGerber.com that you can get out there. And it's just one of the aspects is Domain 7.1. But I've got all kinds of videos that will tie back to that, that will show you this in a little bit.

A little bit quick, a little bit slower environment, but at the end of the day, that is just for 7.1. A lot of good stuff in there, especially as you're dealing with investigations. You need to do it right. Don't screw it up. So, that's just saying. Okay, so now we're going to roll into TechTarget or into some domain questions.

This comes from TechTarget. This is domain 7. We've got three exam questions for you based on the investigations. So question one, a critical step in disaster recovery and contingency planning is which of the following? A. Complete a business impact analysis. B. Determine off site backup facility alternatives.

C. Organize and create relevant documentation. D. Plan, testing, and drills. Okay, so the critical first step in DR and contingency planning is which of these? Complete a business impact analysis. Determine off site backup facility alternatives. Organize and create relevant documentation. Plan, testing, and drills.

And the answer is A! Complete a business impact analysis. It's usually the first step when you're dealing with a DR plan. Got to understand how it's going to affect your business. Question two! There are different types of off site facilities, either subscription based or company owned. Which type of subscription based backup facility is most often used?

A. Cold. B. Warm. C. Hot. D. Redundant. Okay, so if you go through there, you can throw out one of those right away if you're taking a test. D, redundant. That ain't it. Okay, that's not a typical type of off site. I've never heard of that word. So I would throw that one out. So now you're dealing with A is cold.

B is warm. C is hot. Okay, so if we know anything about these, we know that cold is not really being... there's nothing running, and they stand it up at a certain amount of time. Warm is it's actually up and operational and, well, to some point, and you still have to do some more work to get it up and fully going, and D is hot, which means it's a running standby.

Okay, so if you're looking at this, which one of these if you're paying from a subscription based company owned situation, which one would it be? A, cold, B, warm, C, hot, D, no. Redundant, it's not it. The answer is B, warm. Okay, because what the challenge is, is when you're dealing with, you want to have the, you're paying for the ability to stand it up quickly because you know that there's some of it's up and ready to go.

You know, there might have to be some work to it, but at the end of the day, you want to, you're doing it to buy some time. If it's cold, why pay for something that you're going to have to stand up? You just wouldn't typically do that. All right, question three. In a disaster recovery, each level of an employee should have clearly defined responsibilities.

Which of the following is a responsibility of senior executives? A. Developing testing plans. B. Establish project goals and develop plans. C. Identify critical business systems. D. Oversee budgets and the overall project. Okay, so now we're talking disaster recovery. Each level of employee should have clearly defined responsibilities.

What is the responsibility of the senior executives? Develop plans. No. Establish project goals and develop plans. Probably not. C. Identify critical business systems. Maybe. D. Oversee budgets and the overall project. Usually when it deals with money, they're involved. Answer is D. Oversee budgets and the overall project.

Okay, that's all we've got for today as far as for the CISSP. Again, we were talking about domain 7. And this is on forensics and investigations. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also check out my videos that are on YouTube.

Just head to my channel, CISSP Cyber Training, and you will find a plethora of content to help you pass the CISSP exam the first time. Lastly, head to CISSPcybertraining.com and look for the free stuff that is only available to our email subscribers. Thanks again for listening.
