CCT 055: CISSP Exam Questions (Domain 3)

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all it's Sean Gerber. With CISSP Cyber Training, and today is Thursday, we're going to be doing CISSP exam questions. So get ready, get buckled up and let's see what you can think about as it relates to the CISSP exam questions. Now I want to let you know that these CISSP exam questions are available to you at CISSP Cyber Training as well. So there all of the information that we go through here. I have a vulnerable or vulnerable that's I've been talking security too long a variable list of a long list of CISSP questions that you can get at CISSP Cyber Training, and these are part of those questions I come out with, probably around anywhere from 15 to 30 questions every week Usually. It's sometimes a little bit more than that, but it's around 30 questions a week is what I usually come up with, and I add that to my overall bucket and list of overall questions that you can study so that you can be prepared to pass the CISSP exam. And this is all part of my CISSP blueprint that I have available to my members of my CISSP training course. Okay, so we're going to get into the questions and we're going to see how they all play out. All right. So what is what does stride methodology stand for? Okay, so a for you guys that are listening, i'm going to walk through all the questions and then you see if you can think of it while you're driving or wherever you're at and you're listening to this a security tampering, replication, intrusion, denial of service, escalation of privileges Okay. B is spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege. C is security tampering, right repudiation, intrusion, denial of service, escalation of privileges. And then D is spoofing, tampering, replication, information disclosure, denial of service and elevation of privilege. So if you know stride, okay, that deals a lot with that. I'm not going to go through all those again because that's not a mouthful of words, but stride is an acronym that stands for spoofing, okay, so you, and again, as you're going through these questions, you know spoofing is one, so that could throw out, in this case of a multiple choice. Two of the four questions tampering repudiation, information disclosure, denial of service and elevation of privilege Those are the the part of stride. So the answer is B. Now if you look at D if you're seeing this on the video you'll see that the difference with D is its replication versus repudiation. But don't focus on replication Security. We don't really talk about replication a lot, we talk about repudiation a lot. So if you didn't know, you go these terms don't seem like this, replication doesn't seem like a security term, more of a networking term. Then you may want to at least glob onto B. So the point is is yet narrow down your focus, right? What is the actual right question? All right, so I'm sorry I'm fighting a little bit of a cold, so I apologize if I sound a little congested. What are the main components of a threat model in the context of cybersecurity? Okay, so what are the main components of a threat model in the context of cybersecurity? A assets, vulnerabilities, threats and mitigations. B assets, adversaries, threats and mitigations. C assets, adversaries, attack vectors. And then mitigations. Or D adversaries, vulnerabilities, threats and mitigations. Okay, so if you notice there's right now you got assets. So assets has got three of the four, i'd probably pick assets if I didn't know. And when it dealing with adversaries, that is probably something you won't understand when it comes to threat modeling. So that was. I'd narrow that down to B and C And then, when it really comes right down to it, c is the main component of a threat model are assets, adversaries, attack vectors and then mitigations. What are the main focus of the trite technology in threat modeling? A is data, b is systems, c is people, d is processes. Now, if you listen to the last podcast, the trite methodology, the main part of the main focus of that threat modeling is data. So the answer is D or D it's A. The answer is A data. So the trite methodology does focus on a highly data-centric approach. Which of those following steps in the threat modeling process involves the use of stride or dread? That's another one that you're gonna have to know for your CISSP is dread, okay. So one is identifying assets. Two is identifying potential assets. C is identifying potential threats, or D is identifying and implementing controls, and the answer is C. Identifying potential threats involves the use of methodologies like stride or dread. Which threat in stride refers to an act that modifies or alters data or the system configuration. So which threat in stride refers to the act that modifies, the alters the data in the system configuration. So yet A is spoofing, b is tampering, c is repudiation or D is information disclosure Again, modifying or altering the data is tampering. So it's B. tampering refers to the act or modifying of alters data in the system configuration. Which of the following is not a component of a threat in the context of threat modeling? A vulnerability, b an asset, c an adversary or D an impact. Okay, so which is not a component of a threat? So of a threat in the context of threat modeling? So the component of the threat is vulnerabilities, asset and adversaries are all components that are tied to threat modeling. D is the impact, is a result of a successful threat, but is not a component of the overall threat. So I hope that makes sense to you guys. Which of the following threat modeling methodology focuses on data flow diagrams? Okay, so we talked about data flow diagrams earlier in our CISSP cyber training. That was on the podcast that was on Monday. So A is pasta, b is stride, c is trike or D is octave. Okay, so we talked about it. So if you go well, since we talked about it, then it would be stride or trike. You'd be correct. But when it kind of remember, trike was focused on data and stride was focused on data flow diagrams. That is stride, so it would be B. Stride is focused on data flow diagrams. What does R in stride stand for? Again, a recognition, b replication We talked about the replication thing C repudiation or D restoration, and the answer is C repudiation. That's what the R stands for in stride. What is the main goal of threat modeling? One to comply with legal or A to comply with legal requirements. B to identify potential threats and develop appropriate countermeasures. C to purchase suitable cybersecurity insurance. Or D to train IT staff about cybersecurity. Okay, so you can do all of the. I mean, well, you can definitely train staff about it, but that's not the main purpose behind it. Right, you can purchase security insurance by doing your stride. That'll help you understand your overall threat modeling. It'll help you understand what you need to do. But when it really comes right down to it, the main goal of threat modeling is to identify potential threats and develop the appropriate countermeasures behind it. Each of those are helpful, not necessarily the legal requirements, but I mean you could have some legal requirements. I guess I've never seen that, but you could. But definitely, b and C and D is a byproduct of doing a threat modeling. But the overall answer is B to identify potential threats and develop appropriate countermeasures, which is methodology involves creating a threat model that is at the design phase of a system or application. So a methodology involves creating a threat model at the design phase of a system or application A, stride, b, dread, c, cvss, which isn't one, and then D, o, OSP. Okay, that's really not a threat model either. So, yeah, so then, when it comes right down to it so if you knew CVSS isn't one and O OSP isn't one, you could narrow it down to stride and dread. But when it comes right down to it is is what should we talk about? We talked about stride, but stride is a threat model that is at the design phase of the system or application. That would be A stride. What type of threat does the E and stride represent? A encryption, b, endpoint, c, elevation of privileges or DX filtration? And the answer is C elevation of privileges is what we want. That's what the E is for in stride. We focused on that. In a threat modeling. What does the adversary represent? A security control? no. A vulnerability, yeah, no. C. An asset no. The answer is D a threat actor. That is correct. That is the adversary. Now that threat actor can be multiple things. It could be a hacker that's sitting in Bangladesh, or it could be your person that's sitting right next to you in the cubicle. That is what a threat adversary would be And that is represented as a threat actor. In the context of stride, what does information disclosure mean? It means gaining unauthorized access to the information. A tampering with the information. B unauthorized alteration of the information. C, or releasing the information to the public. Okay, so when the context is stride, what does information disclosure mean? And that means A gaining unauthorized access to the information. That is referred to as information disclosure. Which of the following is not part of the threat modeling process? That is A identifying potential threats, identifying vulnerabilities That is B. Identifying assets as C, and then identifying network architecture is D. That's pretty easy one, right? The answer is D, because we've talked about all A, b and C, but we have not really talked about identifying network architecture, so that would probably be not part of the threat modeling process. And then, which of the following is true about threat modeling? A it focuses only on external threats? No, it performed. B it performed only after security breaches occurred. You know that's B. C it involves a proactive identification and mitigation of the threat. Hmm, maybe. And then D it's a one-time activity that does not require updates or maintenance. Yeah, that's not it either. So the answer would be C. Again, it's proactive identification and mitigation of the threats, and it is always an ongoing activity and should always be updated on a routine basis. All right, that's all I got for you today. I hope you guys have a wonderful day. Go check me out at CISP Cyber Training. Check out the blueprint. You will be happy you did And we'll catch you on the flip side. Have a wonderful day and have a great week. Talk to you later. Bye.