CCT 043: CISSP Exam Questions (Domain 6)

cissp domain 6 Jun 08, 2023
CISSP Cyber Training
10:37

Welcome to the Reduce Cyber Risk and CISSP Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Hey y'all, this is Sean Gerber with CISSP Cyber Training, and today is exam question Thursday. We're gonna be getting you some awesome CISSP questions today, and the ultimate purpose of this is to provide you some questions and a potential walk-through of what the question is asking for. The ultimate goal of taking the CISSP is passing the test, right? Well, if you're gonna pass the test, you need to understand the questions and how they may ask them. Now, with these questions, as we talked about previously, we want you to understand them. Just trying to memorize questions is not gonna meet your needs. You need to make sure that, as you're looking at the CISSP and the various questions that are tied to it, you understand the concepts, not that you actually try to memorize the questions. We talk about how you need to have at least probably close to 2,000 questions under your belt, and I know you're probably going, oh my gosh, that's a lot, and it is. But the ultimate goal of that is not for you to memorize 2,000 questions, it's for you to understand the process. When I took the CISSP and failed it the first time, I did not understand that. I thought I just had to pass it based on memorizing the questions, and back then you probably could, because I'm really old. But now, in today's world, you can't do that. There is no way that you're gonna be able to memorize all these questions.

And getting access to the full bank of questions now is very... I don't know if you can, other than potentially if people take the test and go and write them down. That's too much work. Just understand the content and you'll pass it. It's that simple.

Okay, so we're gonna get into domain six and we're gonna talk about security controls and security assessments.

Question number one: which of the following is a primary objective of security control testing? A, identify and remediate vulnerabilities. B, evaluate the effectiveness and implement security controls. C, establish a baseline for future security control testing. Or D, identify potential attack vectors for an attacker. Okay, which of the following is a primary objective? Again, key words. Focus on key words when taking the test. A, identify or remediate. B, evaluate the effectiveness. C, establish a baseline. Or D, identify potential attack vectors. The answer is B. The primary objective of security control testing is to evaluate the effectiveness and implement security controls. Okay, because guess what, if you go down the path of looking for vulnerabilities, they will come and they will go. If you're looking for a baseline for future security control testing, that doesn't really help you any, and that's what I would throw out. And then D, identify potential attack vectors for an attacker. It does help you, it gives you some ideas, but at the end of the day, it's not going to be the be-all, end-all for that.

Which of the following is a type of security control test? Okay, so it's a security control test. A, penetration testing. B, vulnerability scanning. C, threat modeling. Or D, code review. Okay, so which of the following is not a type of security control test? So I'm reading through that going, well, all of these are security control tests. Why are they not? Which one is not? Look for that keyword: not. So, of those, which is not a security control test? A, penetration testing. B, vulnerability scanning. C, threat modeling. D, code review. All three of A, B and D are testing. Threat modeling is not a control test, so that's the one you want to look at.

Which of the following is an example of a compliance-based security control test? A, penetration testing. B, security policy reviews. C, vulnerability scanning. Or D, risk assessments. So if you're looking at this, what are the different options around the security control test that might be available? And the answer comes down to B. A security policy review is an example of a compliance-based security control test. So if you're doing a review of your policies, that is where it's more compliance-based. The other ones, penetration testing and vulnerability scanning, are more about looking at the specific aspects of getting in. It's not really a compliance-based type of test.

Which of the following is a limitation of vulnerability scanning? A, it's time-consuming. B, it's costly. C, it does not identify zero-day vulnerabilities. Or D, it provides a comprehensive assessment of security controls. It does not provide a comprehensive assessment. So which is a limitation? The answer will be C, it does not identify zero-day vulnerabilities. It just doesn't help you with that. It's not any of A, B or D. It can be costly, but not so much. It's more along the lines of zero-days. It does not dig out zero-day vulnerabilities.

Okay, which of the following is a benefit of conducting a penetration test? A, it provides a comprehensive assessment of security controls. B, it identifies vulnerabilities in the system. C, it assesses the effectiveness of incident response procedures. Or D, it is less expensive than other types of security control tests. Okay, so which of the following is a benefit of conducting a penetration test? It provides a comprehensive assessment, it identifies vulnerabilities, it assesses effectiveness, or it's less expensive than other types of controls? So, if you look at that, it is more or less expensive in most cases. But that's not what the actual question... that's not the benefit of it. The benefit of a penetration... I shouldn't say... no, I shouldn't say it's not less expensive. That's for vulnerability scanning. Penetration tests, no, they are very expensive. Sorry, misquote. Penetration tests, though, provide a comprehensive assessment of what you're trying to accomplish, so when you're dealing with the actual answer, it's a comprehensive assessment, which is A. They will give you a comprehensive assessment of the security controls for that specific area. Each of the other areas won't be as much.

Which of the following is an example of a manual security control test? A, vulnerability scanning. B, penetration testing. C, security policy review. Or D, code review. So which of these is an example of a manual security control test? We talked about in the last podcast that a manual security control test would fall under B. Penetration testing is a very manual process. We talked about not using it from an automated standpoint. You want to avoid that as much as possible.

Next question: which of the following is a limitation of security control testing? A, it's time-consuming. B, it's costly. C, it requires specialized technical skills. Or D, it cannot be performed on cloud-based systems. So which of the following is a limitation of security control testing? A, it's time-consuming: it can be and cannot be. B, it's costly: it can be, but if you have an individual doing it, it may not be as costly as you think. C, it requires specialized technical skills: yes, it does. And D, it cannot be performed on cloud-based systems: it does require special skills. The answer is C. Again, we talked about if you would just throw somebody at it to go out and start scanning things, yeah, you could end up putting yourself in legal jeopardy. So you want to avoid that. So it does require someone who understands what they're doing.

Which of the following is an example of a black box security control test? Okay. A, code review. B, vulnerability scanning. C, penetration testing. Or D, security policy review. Okay, so which of the following is an example of a black box security control test? Okay, black box is what you're basically saying: it's its own box, you don't know much about it at all. It's black. Okay, A, code review. So it's kind of hard to do a code review when you don't know what it is. B is vulnerability scanning? Well, you kind of have to know a little bit about the system and what it is. C, penetration testing, I talked about individually. And then D, security policy review. The answer is C. Penetration testing is a black box security control test because the tester has no prior knowledge of the system or its internal workings. So that is your black box. It's unknown, and so therefore a pen test is usually the best answer for that.

All right, which of the following statements about security control testing is false? A, security control testing is an ongoing process. B, the goal of security control testing is to identify and assess security controls. C, the results of security control testing are used to improve the security posture. Or D, security control testing is only performed once during the system development lifecycle. So which of the following statements about security control testing is false? So, if you go through each of those, A is true, B is true, C is true. D, security control testing is only, only, only performed once during the system development lifecycle. That is definitely false. Okay, you'd want to perform that on a numerous and routine basis.

Last question: which of the following is a limitation of using a vulnerability scanner for security control testing? A, vulnerability scanners cannot detect false positives. B, vulnerability scanners cannot identify zero-days. C, vulnerability scanners are expensive to use. And D, vulnerability scanners require manual intervention to operate. So which of the following is a limitation of using a vulnerability scanner for security control testing? If you go through those, the limitation is B, vulnerability scanners cannot identify zero-day vulnerabilities. We talked about that before. They can't do that because they don't know they're there, so therefore they can't do that.

All right, I hope you all have a wonderful day. That's all I've got for today. Go out to CISSP Cyber Training and check out all my free resources. You can get access to my email distribution and I can give you all kinds of great stuff that's coming. We're just in the building phase, so things might be a little wonky at times, but everything is growing and we are expanding every single day. So go out to CISSP Cyber Training and get everything you need to help pass the CISSP the first time. All right, have a great day. We'll catch you on the flip side, see ya.
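The zero-day limitation that comes up twice in the episode (a vulnerability scanner can only flag what it already knows about) is easiest to see in code. What follows is an added example, not code from the podcast or from CISSP Cyber Training: a toy version-matching scanner in Python. Every host name, banner, product and advisory in it is constructed for illustration, and the ADV-EX-* identifiers are hypothetical, not real CVEs.

```python
"""Toy signature/version-matching vulnerability scanner.

Added example, not code from the podcast. Every product name, version,
banner and advisory below is constructed for illustration; the advisory
identifiers are hypothetical and are not real CVEs.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

Version = tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str             # hypothetical ID, not a real CVE
    product: str
    first_affected: Version      # inclusive lower bound
    fixed_in: Optional[Version]  # exclusive upper bound; None = no fixed release yet


@dataclass
class Finding:
    host: str
    product: Optional[str]
    version: Optional[Version]
    status: str                  # "vulnerable", "no-known-issues" or "unassessable"
    advisories: list[str] = field(default_factory=list)


def parse_version(text: str) -> Version:
    """'2.4.49' -> (2, 4, 49); '8.9' -> (8, 9, 0). Integer tuples compare
    numerically, so 2.4.9 < 2.4.10 (a string comparison would get that wrong)."""
    parts = [int(p) for p in text.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][A-Za-z0-9_-]*)/(?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner: str) -> Optional[tuple[str, Version]]:
    """Extract (product, version) from 'Product/x.y.z ...'. Returns None when the
    banner carries no version; a scanner must report that as unassessable,
    never as clean."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.group("product"), parse_version(m.group("version"))


def is_affected(version: Version, adv: Advisory) -> bool:
    """True when version falls in [first_affected, fixed_in)."""
    if version < adv.first_affected:
        return False
    return adv.fixed_in is None or version < adv.fixed_in


def scan(hosts: dict[str, str], advisories: list[Advisory]) -> list[Finding]:
    """Match each host's banner against the advisory database. The scanner can
    only flag what the database already describes: a flaw with no advisory yet
    (a zero-day) comes back 'no-known-issues', which is not the same as 'secure'."""
    findings: list[Finding] = []
    for host, banner in hosts.items():
        parsed = parse_banner(banner)
        if parsed is None:
            findings.append(Finding(host, None, None, "unassessable"))
            continue
        product, version = parsed
        hits = [a.advisory_id for a in advisories
                if a.product == product and is_affected(version, a)]
        status = "vulnerable" if hits else "no-known-issues"
        findings.append(Finding(host, product, version, status, hits))
    return findings


def status_by_host(hosts: dict[str, str], advisories: list[Advisory]) -> dict[str, str]:
    return {f.host: f.status for f in scan(hosts, advisories)}


# Constructed inventory: service banners as a network scanner would see them.
HOSTS = {
    "web-1": "ExampleHTTPd/2.4.49",   # inside an affected range
    "web-2": "ExampleHTTPd/2.4.52",   # past the fixed release
    "ssh-1": "ExampleSSHd/8.9",       # flawed, but no advisory exists yet
    "db-1":  "ExampleDB",             # banner carries no version at all
}

# Constructed advisory database (hypothetical IDs, not real CVEs).
KNOWN_ADVISORIES = [
    Advisory("ADV-EX-0001", "ExampleHTTPd", (2, 4, 0), (2, 4, 50)),
    Advisory("ADV-EX-0002", "ExampleFTPd", (1, 0, 0), None),
]


def main() -> None:
    before = status_by_host(HOSTS, KNOWN_ADVISORIES)
    # The ssh-1 flaw is unknown to the database, so the scanner calls it clean.
    # Once an advisory is published, the very same banner becomes a finding.
    disclosed = KNOWN_ADVISORIES + [Advisory("ADV-EX-0003", "ExampleSSHd", (8, 0, 0), (9, 0, 0))]
    after = status_by_host(HOSTS, disclosed)
    for host, banner in HOSTS.items():
        print(f"{host:6} {banner:24} before={before[host]:16} after={after[host]}")


if __name__ == "__main__":
    main()
```

Two things to take from the run: ssh-1 reports no-known-issues until the advisory for its flaw exists, which is exactly why a scanner cannot find a zero-day, and db-1 is reported unassessable rather than clean because its banner gives the scanner nothing to match on. Treating "no-known-issues" as "secure" is the mistake the exam questions above are probing for; that gap is what a manual test such as a penetration test is meant to cover.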

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
