CCT 083: CISSP Practice Questions - All Eight Domains for Cybersecurity Excellence (Supplement)

Do you consider change management as a lifeline for your organization? Or are you aware of the magic a 'get out of jail free card’ can cast in legal situations? Buckle up, because this episode of CISSP Cyber Training Podcast is going to take you on a journey where you'll learn to balance these and more. We kick off with an analysis of the latest Patch Tuesday updates, and discuss how you can streamline risk valuation and change management processes to shield your organization from zero-day vulnerabilities. You'll discover how tools like Skype for Business and WordPad can be secured, and the significance of setting up systems for automatic updates. 

Then, we pivot to the realm of planning and authorization in cyber training, highlighting the indispensable role of a 'get out of jail free card' when running penetration tests. We focus on helping you sidestep potential legal roadblocks and smoothly drive your cybersecurity efforts. To help you excel in the CISSP exam, we also dissect several exam questions, offering deep insights into domains such as risk management, incident response, data classification, and encryption methods. This podcast is not just about acing an exam; it's about empowering you with a wide array of cybersecurity knowledge. Brace yourself for an enriching encounter.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started, hey all Sean Gerber, with CISSP cyber training and today we are going to be talking about some exam questions. This is exam question Thursday and it is going to be amazing. Yes, it will, but before we get started, one thing I want to kind of bring up is I noticed today that today is Patch Tuesday. So when you're listening to this podcast, it might be a Thursday or a Friday, but today of recording this is Patch Tuesday. There's actually been three zero days that Microsoft is putting out right now that are focused specifically around. One is around WordPad, which I didn't even know people use that much anymore. It's a disclosed vulnerability that is set up as it relates to the NTLM hashes that are tied to WordPad. And then there's also Skype for Business. There's two specific critical vulnerabilities zero days that are out there specifically for Skype as well. So it's also tied to NTLM hashes that you may be focused on or that you may have that aspect as well. So if you've got that within your environment, I'd highly recommend that you go through your patches. One thing that I've learned just recently as we do more of these zero days, there's more zero days coming out Just in time. Patching, I think, is a really good factor. Waiting until the Patch Tuesday or the Patch Wednesday to push these out to your organization, it can be a bit of a challenge just because trying to orchestrate all that. One thing I've seen is that if you can set up your Microsoft devices to be automatically updated, not all organizations will do that, and if you set up your system to be automatically updated, you really do reduce the risk of that half of a zero day affecting your organization. Now, the downside of that obviously is when you set up the automatic updates, you haven't had a significant amount of time to do testing. Is that going to basically break some of your systems? And so the change management process as we talk within CISSP, cyber Training, we talk about change management a lot and it's important to have a solid change management system. I highly recommend you have that, but with the servers on the server side, it's much more important and much more critical than on the desktop or laptop type environments, and so I would recommend again this is just me recommending it, that doesn't mean anything that you have your, especially your newer systems are set up in an automatic update mode. That will free up some of your opportunity costs and some of the time involved in trying to make sure your updates are done and, realistically, the amount of impact can be relatively small as it relates to that overall patches, because by the time Microsoft pushes them out, they've done a lot of thorough testing on these systems in most cases. But bottom line is there's three vulnerable, three zero days that are out there right now that deal it specifically with WordPad and Skype for business. Okay, so let's roll into the questions today. So this is a follow on to the questions we did around the different roles that require an SS or a CISSP, and so these questions are going to be covering all the eight domains, so there'll be various questions around those. It's not specifically focused on one domain, because the last podcast didn't really focus on one specific domain, so we're going to get into that, all right. So these again, there's a 15 total questions that you are going to see, and of these 15 questions it will be covering the gamut. Question number one Sarah, a software developer, is about to release a new application. Which software development methodology emphasizes security at every phase? A waterfall, b Agile, c DevOps or D Secure SDLC. And SDLC is Secure Development or is not Secure? It's Software Development Lifecycle. So again that she's gonna release this new application and she wants to make sure that it emphasizes security in every specific phase, and the answer is D Secure SDLC. Question two Tim is leading an incident response team. What is the first step in a typical incident response process? A Eradication, b Containment, c Identification or D Recovery. What is the first step in a typical incident response process? And the answer is C Identification. Identification is the initial step in any sort of incident response process where abnormal activity is detected and it really it's acknowledging by the security incident. Once you do that, you've known and you've got knowledge that you do have an incident. So before you can contain, eradicate or recover from the incident, you must identify actually what is going on. Question three Robert is cataloging company assets. What type of asset is intellectual property? A Physical asset, b Logical asset, d Digital asset or C Intangible asset. Okay, so what type of asset is intellectual property? And the answer is D it's an intangible asset. It's considered intangible because of its. It has value, but lacks physical substance. Now this includes copyrights, patents, trademarks, and, unlike other physical or digital assets, intangible assets cannot be touched or stored on a medium. Now I say that you have an intellectual property, it's in your head, but the moment that you put it into a digital asset, that's where things can change, and so you have to just keep in mind, when you're talking about intellectual property, from the standpoint of what is it, it would be an intangible asset, but the moment you put it into a digital medium or a physical medium, it would become a digital asset or a physical asset. Question four Emily is evaluating risk for a new project. What is the process of assigning a financial risk to a risk called, again, emily's evaluating risks for a new project? What is the process of assigning a financial value to the risk called A risk valuation, b risk assessment, c risk mitigation or D risk transference? And the answer is A risk valuation. A risk valuation involves calculating potential financial impact of a particular risk. This is often used for cost benefit analysis, or what they call a CBA when defining the risk treatment options. This process does go beyond the simple risk management and by adding a quantitative value to the risk. Question five Jim needs to segregate network traffic between multiple departments. What network device is best suited for this? Okay, he wants to segregate traffic between multiple departments? A hub, b firewall, c router, d switch? Okay, you want to segregate network traffic between multiple departments? And the answer would be B? A firewall is designed to enforce network segmentation and the access controls between the different departments or network segments. It can filter based on the organization's policies and also provides a higher level of security than a simple hub, switch or router. Now, you can do those things with a switch. Yes, you can, but the primary purpose of the firewall is you want to deal with network segmentation. Question six Kate is responsible for data classification. Which classification level is higher? A public, b confidential, c restricted or D internal? And the answer is C restricted. Restricted is usually a higher classification level than confidential or internal. Again, that comes down to your company. You may change that, you may want something different, but that is the baseline understanding. Restricted data would have more stringent access controls and handling requirements due to its sensitive nature. Question seven Tom is defining security domains within his organization. Which security model focuses on state transitions? A bella pola pula, pula, pula, pula. I can never say that word B is Biba, c is Clark Wilson or D is Brewer-nash. So Tom's defining security domains within his organization. Which security model focuses on state transitions? And that is A the bella pola pula model. It's designed to maintain different confidentiality through a set of access control rules. It's particularly known for its state transition mechanism, which is ensuring security properties are not violated when you're transitioning from one state to another. So state transitions, not estate state STATE, state transitions are the bella pola pula model. Question eight Linda is deciding between the symmetric and asymmetric encryption. Which encryption method uses two different keys for encryption and decryption? A symmetric encryption, b asymmetric encryption. C substitution cipher or D hybrid encryption? Again, she's deciding between symmetric and asymmetric encryption. So she's deciding that. So maybe you don't need those two, right, you don't need cipher and you don't need hybrid, because she's looking at symmetric or asymmetric. Which one is it? A symmetric encryption is B, that utilizes a pair of keys, a public for encryption and a private key for decryption. So asymmetric this is a distinct from symmetric encryption, where the same key is used for both encryption and the decryption process. Again, keep in mind the term asymmetric is two, symmetric is one. Question nine Paul is drafting a business continuity plan, a BCP. What is the main goal of a BCP? A responding to incidents, b ensuring data backups, c minimizing operations disruptions or D detecting vulnerabilities. It is C minimizing operations disruptions. A BCP ensures that critical business functions can continue with minimum disruption in the event of a disaster. While the data backups and incident response are part of this, the overarching goal is to minimize operational downtime. Question 10, mary's developing a security awareness program. What is the primary objective? A compliance with the laws, b employee training, c improving security metrics or d reducing security incidents. Now, all of those are valuable, right For your security awareness program, but which one is the primary objective? And the answer is d reducing security incidents. Obviously, by teaching people and training people, you will help reduce the security incidents that would occur within your organization, and this is really done and achieved in many ways through ongoing training and awareness raising activities. Question 11, steve wants to secure his wireless network. Which encryption method is most secure for wifi? A web that's whiskey, echo, papa? B WPA2, c WPA or D none of the above? Okay, so if you're dealing with wifi, wifi, yeah, wifi. If you're dealing with a wifi, the best encryption is apples. No, the best encryption for wifi is WPA2, which is answer B. Wpa2 is wifi protected access to, and it uses AES encryption and provides the most secure option of this list for wifi encryption. Up to the latest updates. Again, web and WPA have been outdated and considered insecure and therefore deprecated. However, I do still see a lot of WPA in networks Not in my company network, obviously, but within various business networks. You see this a lot. Wep is definitely in those networks. Question 12, nancy is analyzing system logs. What is her primary aim? A, compliance, b, performance monitoring, c troubleshooting or de-anomaly detection. Question 12 is Nancy's analyzing system logs. What is her primary aim? Okay, so all of those things are very good when you're dealing with logs Compliance, performance monitoring, troubleshooting but the main thing that you're looking for is it relates to this specific question is you're looking for anomaly detection? So that would be D, the context of security. The primary aim of log analysis is to identify anomalous or suspicious behavior, so that any of those things that could turn into a security incident you need to keep your eyes on Compliance and performance monitoring are very important and they are great aspects to it, but the overall goal is anomaly detection. Question 13, kevin wants to ensure message integrity. I was gonna say massage integrity. That just would not work. Kevin wants to ensure message integrity. What cryptographic mechanism should he use? A a hash function. B a digital signature. C a symmetric encryption or D asymmetric encryption. So message integrity. This is what happens when it's four o'clock in the morning and you're recording these things Message integrity. So we're dealing with the message digest. We're dealing with messages, right? What cryptographic mechanism should he use? And you're dealing with the hash. The hash functions are designed to take an input and produce a fixed size string of characters which then can be used as a fingerprint for the data which we call a message digest. This hash function are commonly used to verify the data integrity by comparing the various hash values. If they match, then it hasn't been modified. If they don't match, then the original data has been modified. Question 14, rachel wants to secure a data center. What is the best physical security measure? A biometric scanners. B CCTV which is closed not closed caption, but closed circuit TV. B or C alarm doors or D security guards. So Rachel wants to secure the data center. What is the best physical security measure for her to do that? And the answer is A biometric scanners. Now, all of those will work right your biometric CCTV, arm doors, security guards they all will work as a security measure. But your best, one of your best physical security measures, is your biometric scanners. Security guards are very expensive and that's not there for the best. It can be very effective, but it isn't necessarily the best because of the cost that goes with it, whereas biometric scanners provide the highest level authentication as they have unique biological characteristics that are tied to it. They're very hard to get around A security guard, depending on where you work. Maybe that security guard likes donuts and then you can get around that person with donuts, but most security guards are very professional in what they do. You just never know. You never know. Question 15, lisa is planning a penetration test. What should be her first step? A reconnaissance, b scanning, c planning and authorization, or D gaining access. So Lisa is planning a penetration test. What should be her first step? We talked about reconnaissance, scanning, planning and authorization, or gaining access, and the answer is C planning and authorization Before conducting any form of penetration test. I highly recommend this. You need to have proper planning and authorization before you do it. If you don't have that, you can get really squishy really quick, because now you can be considered a hacker and then you get yourself into legal trouble very, very quickly. It's problematic, believe me. I always had to get out of jail free card anytime we did any sort of penetration testing. All right, that's all I have for you today on CISSP Cyber Training. Hope you guys have a wonderful day. I really truly do. I hope things are going well for you in your life and I hope you're studying hard for your CISSP. The ultimate goal of the CISSP Cyber Training is to help give you the tools you need to pass the CISSP exam and move on in your career. All right, thanks a lot for joining and we'll catch you on the flip side, see ya.