CCT 049: CISSP Exam Questions (Domain 1-8)

cissp domain 1-8 Jun 29, 2023

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Hey y'all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a wonderful day today. I'll tell you, I'm doing great. My wife is in Uganda at this point with my daughter, so that part is not so good, but I'm glad she's having a good time. So I'm home just recording podcasts and getting other stuff done, so that's very positive. So we're going to go over some CISSP questions. What we put out last week, on Monday, was around certifications. This one is going to be focused on CISSP questions that cover all eight domains, because I just kind of did a reset, and since next week will be domain one, two, three and so forth, this is kind of a reset that we've got for this week.

So we'll start off with question one. Question one is around domain one, security and risk management: what is the purpose of a risk register in the context of risk management? Now, this is something you're probably going to deal with when you move on to working for a company, at least you should. A risk register is something that keeps data that's very important: it identifies risks and how you plan to mitigate them. So let's look at the responses. A, to list all identified threats and their potential impact. That would be kind of tough. B, to list all identified risks and planned mitigations, would be a little bit better, because you can understand the risks versus the threats. C, to record all risk assessments performed, that's not really what a risk register is for. And D, to record all risk incidents and the associated responses, that really wouldn't fall under it either, but you could bite off on that one. But the actual answer is B, to list all identified risks and planned mitigations.

All right, moving on to question number two. This is over asset security, domain two. Data classification should primarily be based on what? A, the software used to store the data. Okay, so should the classification be based on the software? I don't know if that sounds right. B, the sensitivity of the data, that's probably closer. C, the location of the data, probably not. And then D, the age of the data. Now you may have very aged data that's classified, but at the end of it, your data classification all comes down to the sensitivity of the data.

Question three, this is domain three, security architecture and engineering: what best describes a stateless firewall? Okay, so you're going to need to know these things when it comes to the CISSP. There are some technical aspects you're going to have to be aware of. You don't have to get into changing firewall rules per se, but you do need to understand how firewalls work. So what is a stateless firewall? A, a firewall that does not maintain any information about the previous packets. B, a firewall that can only inspect incoming traffic. C, a firewall that does not require authentication. Or D, a firewall that has no active connections. Okay, so you might want to think about that one. If it can only inspect incoming traffic, that really isn't a very good firewall. A firewall that does not require authentication, you wouldn't want. So you could narrow it down to A and D, right? The answer is A: it's a firewall that does not maintain any information about the previous packets.
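To make the stateless definition concrete, here is an added example (not from the podcast) that puts a toy stateless packet filter next to a toy stateful one: the stateless filter has to admit replies with a static "from port 443" rule and therefore also admits an unsolicited packet that merely uses that source port, while the stateful one remembers the outbound session and rejects it. Host addresses, ports and packets are constructed.

```python
from dataclasses import dataclass

INTERNAL_HOST = "10.0.0.5"  # constructed internal client address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allow(pkt: Packet) -> bool:
    """Stateless filter: each packet is judged alone against static rules."""
    # Rule 1: allow outbound HTTPS from the internal host.
    if pkt.src == INTERNAL_HOST and pkt.dport == 443:
        return True
    # Rule 2: with no memory of rule 1, replies can only be admitted by a
    # static rule, so anything from source port 443 to the host is let in.
    if pkt.dst == INTERNAL_HOST and pkt.sport == 443:
        return True
    return False


class StatefulFirewall:
    """Stateful filter: remembers outbound sessions, admits only their replies."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.src == INTERNAL_HOST and pkt.dport == 443:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # A reply is admitted only if it mirrors a session we saw go out.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def compare() -> dict[str, tuple[bool, bool]]:
    """Return {packet name: (stateless verdict, stateful verdict)}."""
    outbound = Packet(INTERNAL_HOST, 50000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, INTERNAL_HOST, 50000)
    # Unsolicited inbound packet that only borrows source port 443 (constructed).
    unsolicited = Packet("198.51.100.7", 443, INTERNAL_HOST, 22)
    fw = StatefulFirewall()
    results = {}
    for name, pkt in (("outbound", outbound), ("reply", reply), ("unsolicited", unsolicited)):
        results[name] = (stateless_allow(pkt), fw.allow(pkt))
    return results
```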
Question four, this is domain four, communications and network security. In asymmetric encryption, which key is used for decryption when the goal is confidentiality? Okay, so this is domain four, asymmetric encryption. Which key is used for decryption when the goal is confidentiality, which basically means you want to keep it confidential? A, public key of the sender. B, public key of the receiver. Okay, but that's not really confidential, because public keys you can keep out in the open, right? C, private key of the sender, or D, private key of the receiver. Now, again, you want to understand that confidentiality is achieved by encrypting. That's what we want. Now, the only corresponding private key, again, that's the one you should have, is the one that's held by the recipient. So it should be D, the private key of the receiver.

Question five, identity and access management. What are the three components of the AAA model in network security? A is authentication, authorization and accounting. B is authentication, access control and auditing. C, authorization, access control and accounting. Or D, authentication, authorization and access control. So when you look at the AAA model, it stands for authentication, which is verifying the identity of the user; authorization, which provides access to the resources based on their identity; and accounting, which is tracking what actions the user has taken after gaining access.

Question six, this is under security assessment and testing. Which tool or technique is best suited to identify unencrypted credit card data stored across an enterprise network? A, vulnerability scanner? No. B, penetration testing? Yeah, no, it's not really a tool. C, data loss prevention solution? Possibly. Or D, intrusion detection system. Really, the only one that you can pick on this one is C, data loss prevention solution.
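To show what a DLP solution actually does when it hunts for unencrypted card data, here is an added example (not from the podcast) that scans text for card-number-shaped digit runs, applies the Luhn checksum to discard random digit strings, and reports findings masked so the scan log is not itself a leak. The sample text and its test card numbers are constructed.

```python
import re

# 13 to 16 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits so a finding can be triaged without exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_for_pans(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid card-like number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                findings.append((lineno, mask(digits)))
    return findings


# Constructed sample: well-known test PANs on lines 1 and 3, a digit run that
# fails Luhn on line 2 (a ticket reference, not a card), and a tokenised record.
SAMPLE = """order=10044 customer=alice card=4111 1111 1111 1111 exp=12/26
support ticket ref 1234-5678-9012-3456 phone 555-0100
refund to 5500000000000004 processed
token=tok_9f3a2c (no PAN stored)
"""

if __name__ == "__main__":
    for lineno, masked in scan_for_pans(SAMPLE):
        print(f"line {lineno}: possible unencrypted PAN {masked}")
```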
Question seven, domain seven, security operations. Which incident response phase involves taking steps to minimize the impact of an incident? Okay, the answers are A, preparation; B, identification; C, containment; or D, eradication. Again, which incident response phase involves taking steps to minimize the impact of an incident? A, preparation, B, identification, C, containment or D, eradication? And the answer is C, it's containment. Again, this is the phase of the incident response process where steps are taken to limit the damage of the incident and prevent further harm.

Question eight, this is domain eight, software development security. What is the primary security concern in a system which employs a microservices architecture? Okay, so microservices, hmm, what is that? Microservices deals a lot with the cloud, right? So what is the primary security concern in a system which employs a microservices architecture? A, dependency checking; B, network segmentation; C, communication security between services; or D, insecure direct object references. Now, this would be hard if you didn't understand microservices, but then what you want to do is, like I say, focus on the question, and it comes down to what the primary security concern is in a system which employs a microservices architecture. So, something from a microservice standpoint, so services might be a key factor. Well, A, dependency checking, I honestly am not really even sure what that is. B, network segmentation, isn't really a security concern, it's something you may want to put in place. And then D, insecure direct object references, is a coding situation. But when it comes right down to it, C, communication security between services, makes the most sense. For these services, there's a key area of vulnerability, making it important to secure these inter-service communications, and that's one of the things I feel is missing a lot in most environments: that inter-service connectivity and the encryption that goes with it.

All right, that's all I've got for the questions today. Hey, go check out all of these questions on CISSP Cyber Training. I've got a bunch of free questions, and I'm putting a bunch of new ones out there for you, so you'll have access to those. Also go check out my blueprint. My blueprint will walk you through, step by step, what you need to do to pass the CISSP. All right, have a wonderful day and we will catch you on the flip side. See ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?

Let CISSP Cyber Training help you pass the CISSP Test the first time!