CCT 095: CISSP Practice Questions - Assessment, Compliance, and Improvement Strategies (CISSP Domain 6.5)

Dec 07, 2023
 

Ready to unlock the secrets of cybersecurity and ace that CISSP exam? Strap in as we delve into the intriguing realm of ISO 27001 standards, exploring their critical role in safeguarding key infrastructure such as our municipal water facilities. Learn how to assess, comply with, and improve upon these standards, and get a sneak peek at potential exam questions you'll find on our website.

But it doesn't stop there. We're pushing the envelope further by integrating cloud security assessments into your testing strategies. Get to grips with your cloud service provider's security policies and controls, and understand why legal and regulatory compliance is non-negotiable. Discover valuable tools like Nessus for vulnerability assessments and the importance of black box tests on new web applications. We'll also discuss the crucial role of account management audits and management reviews in ensuring your security policies are not just effective, but adhered to. Stay tuned for a fascinating deep-dive into the world of cybersecurity!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go, let's go.

Good morning, this is Sean Gerber with CISSP Cyber Training, and I hope you guys are having a great day today. Today is Thursday, which means what is today? Today is exam question Thursday. So that is what we're going to get into today, and we're going to go over all these great exam questions as they relate to our last podcast that we did. This is going to be focused on assessment, compliance and the various improvement strategies (improvement, I can't say that word) that were associated with the podcast on Monday. So we're going to go over a lot of questions that you may see on the CISSP exam, but again, the key on doing this is the fact that when you do study for the CISSP, you want to make sure that you're studying this from the perspective of senior management. The questions that you hear will probably and most likely not be the exact same questions you will see on the test, but they may be similar, and therefore the thought process on how we go through them would be similar. So that's the overall purpose.

Now, before we get started, I wanted to talk about a couple of quick attacks that we saw. I just saw today in the news that there's two municipal water facilities here in the United States that were attacked by hackers, and I think this is interesting because I personally believe this is probably one of the key underpinnings of our overall global society.
Whether you're in the United States or someplace else around the globe, when you start affecting critical infrastructure that affects people's lives, such as water, it can get very precarious very quickly. There's two situations: one was in Pennsylvania, and they basically shut down a pump. Now, it was tied to a PLC, which is a programmable logic controller, and if you've been listening to this podcast for any period of time, you know we do talk about PLCs and the importance of them within your SCADA or industrial control environment. This PLC was hacked and it basically had a message on there that was in support, I believe, of the Palestinians, or maybe even the Jewish state, I'm not real sure in that regard, but the point of it was actually an anti-Israeli message. And the point was not the political aspects around it; it's the fact that they put something on there. They put a message on this PLC to basically display this anti-Israeli message. So it was tied to a PLC that's from Unitronics, and it basically read that this PLC was the primary PLC for the water treatment facility. So they took it offline. They went to manual operations, which obviously is the right call. But the challenge is this is becoming a bigger and bigger threat to our way of life. Now, this is in Ars Technica. You can actually go to Ars Technica and read the actual situation there if you want. But this water facility had around 6,000 people that were connected to it. My small little town that I live in is probably about the same size, so it's one of those aspects that's pretty concerning as it relates to controlling the critical infrastructure aspects. Then there was a second attack that happened in North Texas. As you guys are well aware, in the United States, Texas is a very large state with a very high population density. They attacked this PLC that's there as well, and they were able to.
Basically it's a ransomware attack that hit this facility, and it was able to get around 33,000 files outbound. But the bottom line again is just that if they're attacking these wastewater or water treatment facilities, this is what people drink. And as we saw in conversations we've had about the wastewater facility that was attacked in Florida, the attackers were getting ready to put a very poisonous thing, which was lye, into the water system, which, if it's in significant amounts, would be very deadly. It's considered poisonous. So we want to make sure that you guys are studying for your CISSP, because it is extremely important that you get your CISSP completed and that you get out there in the world and help protect our overall infrastructure that we have within this global economy that we do live in. So that's basically it for what I wanted to go over as it relates to the different security topics of today.

So we're going to roll right into the overall test questions that are tied to Domain 6.5, and we'll go over all these questions. These are tied to the ones that we dealt with on Monday, and as we head through the overall training on Monday, this is going to be coming back and just reaffirming that training with the various CISSP questions. You can gain access to all these CISSP questions at CISSPCyberTraining.com. You can go over there, you can check them all out. They are available to you. If you go ahead and purchase the product, you can actually have access to all of these questions. You can also go to the website and get access to my free 30-day CISSP questions. You get 30 questions every single month that are available to you for an entire year. That's available as well, and that's for free. You also can go to CISSP Cyber Training and gain access to this video that is on the website and the blog, and that will also go over these questions as well.
So there's a lot of great ways for you to be able to get the information you need to pass the CISSP.

Okay, question one: which of the following assessment types is best suited for an organization looking to ensure compliance with ISO 27001 standards? Again, which of the following assessment types is best suited for an organization looking to ensure compliance with ISO 27001 standards? A, black box penetration testing. B, technical vulnerability assessments. C, internal audits. Or D, synthetic transaction testing. So which of the following assessment types is best suited for an organization looking to comply with 27001? And that would be C, internal audit. Internal audits are usually structured in ways to evaluate and measure an organization's internal controls against a set of standards, such as ISO 27001, and they're specifically designed to ensure compliance and identify the areas for improvement within the scope of the overall assessment.

Question two: what should be the primary consideration when choosing the type of security assessment for an organization? A, the cost of assessment. B, the organization's risk profile and the overall resources. C, the preference of the management, the leadership. Or D, the availability of assessment tools. Okay, so what should be the primary consideration when choosing the type of security assessment for an organization? And the answer is B, the organization's risk profile and the overall resources available. We deal with this time and time again. You definitely have to focus on the risk for your company. It's just crucial you don't come up with your preconceived notions of what you think it should be. You need to make sure the organization's risk profile and the resources are available for them, and they should be tailored specifically for your organization's situation.

Question three: regularly reviewing and updating security testing strategies is crucial for which of the following reasons?
A, to maintain alignment with the organization's changing security needs. B, to comply with international testing standards. C, to ensure that the cost of testing remains constant. D, to follow the industry trends in security testing. So, again, regularly reviewing and updating security testing strategies is crucial for which of the following reasons? A, to maintain alignment with the organization's changing security needs. So as an organization changes, you need to have regular reviews to ensure that the testing strategies remain relevant and effective in the face of changing security threats. It's just a really important factor.

Question four: when incorporating cloud security assessments into testing strategies, what is the most important new factor to consider? When incorporating cloud security assessments into a testing strategy, what is the most important new factor to consider? A, the physical location of the data center. B, the cost effectiveness of cloud services. C, the ease of migrating to cloud services. Or D, the cloud service provider's own security policies and controls. Again, when incorporating cloud security assessments into the testing strategy, what is the most important new factor to consider? And the answer is D, the cloud service provider's own security policies and controls. When moving services to the cloud, it is extremely important that you have assessed the cloud service provider's security measures, what they have in place and how they will impact the security of your organization's data and the overall applications.

Question five: which of the following best exemplifies the need for legal and regulatory compliance in security assessment strategies? Okay, so which of the following best exemplifies the need for legal and regulatory compliance in security assessment strategies? A, assessments that include checks for SQL injection vulnerabilities. B, audits that ensure employees' adherence to security training.
C, assessments tailored to GDPR and HIPAA requirements. Or D, penetration tests that simulate external attacks. Again, which of the following best exemplifies the need for legal and regulatory compliance in security assessment strategies? And the answer is C, assessments tailored to GDPR or HIPAA requirements. And the reason is that compliance with legal and regulatory requirements such as GDPR and HIPAA is critical, and the assessments must be designed to address the specific requirements. Again, when you're dealing with GDPR and HIPAA, you want the assessment to be tied directly to them, because you're going to have to submit that to somebody else as a requirement.

Question six: a financial institution is conducting a vulnerability assessment. Which tool is most appropriate for this purpose? A, Nessus. B, Metasploit. C, Wireshark. Or D, Snort. Okay. So, again, you're doing a vulnerability assessment. This is where you have to know some of the tools that you're going to be dealing with. I'll just kind of quickly go through them. Nessus, well, that's the vulnerability assessment. With Metasploit, you're dealing a lot with pen testing type activities. Wireshark is something you would put on the line, and you would be measuring and monitoring traffic going across the line. And Snort, these are like Snort rules; I deal with your SIEM, your security incident and event management tool. Snort rules will be put in place for something like that. So the answer is A, Nessus, and it's a tool widely used for vulnerability assessments. Okay, so it's capable of scanning systems for known vulnerabilities.

Question seven: when conducting ethical hacking exercises, what is the primary goal of performing a black box test on a new web application? A, to evaluate the security awareness of the application and its users. B, to identify potential exploits in the application. C, to check for compliance with development standards. Or D, to assess the network infrastructure security.
When conducting an ethical hacking exercise, what is the primary goal of performing black box tests on new web applications? And the answer is B, to identify potential exploits in the specific application. Black box testing simulates an external attack with no prior knowledge of the system, basically aiming to uncover the potential exploits in web application security. I would use black box when, as I say this, the fact of it is it's no known knowledge. You will kind of do some scanning of that, but the bottom line with the black boxes is you're just going after it and you don't know much about it at all.

Question eight: which of the following activities is most likely to detect signs of malicious activity within an organization's network? A, reviewing security logs. B, conducting synthetic transactions. C, performing code reviews. Or D, running compliance checks. So which of the following activities is most likely to detect signs of malicious activity within an organization's network? And the answer is A, reviewing security logs. So as you review the security logs, these are vital for detecting anomalies that may indicate malicious activities. Now, if you don't have logs, well, it's kind of hard to review. So it's important that you do work with your security teams to make sure that you do have some level of logging and monitoring enabled.

Question nine: in the context of synthetic transactions, what is the primary security concern that this testing method addresses? Okay, question again: in the context of synthetic transactions, what is the primary security concern that this testing method addresses? A, performance bottlenecks in network infrastructure. B, user interface design flaws. C, the accuracy of financial transactions. Or D, security vulnerabilities during user interactions. So in the context of synthetic transactions, the primary security concern is D, security vulnerabilities during user interactions. This is important because they are designed to simulate.
These synthetic transactions are designed to simulate user interactions with the application, which can potentially reveal vulnerabilities that may be exploited during normal use. We had guys that worked on this, and they basically ran what was like a robot that would act like a user, and they would look for vulnerabilities.

Question ten: which of the following best describes the purpose of an account management audit in the context of security process data collection? A, to ensure user accounts have completed mandatory security training. B, to verify that user accounts are managed according to the principle of least privilege. C, to track the creation and deletion of administrative accounts. Or D, to monitor the frequency of user password changes. So which of the following best describes the purpose of an account management audit in the context of security process data collection? That's a mouthful, and the answer is B, to verify that user accounts are managed according to the principle of least privilege. So when you're doing account management audits, again, least privilege is the most important factor: that they only have the necessary rights, to adhere to the principle that they are designed to have.

Question 11: management reviews in security processes are essential for which of the following reasons? So, again, management reviews in security processes are essential for which of the following reasons? A, to address the technical competence of the security staff. B, to evaluate the effectiveness of security policies and their adherence by the staff. Or D, to analyze the impact of security measures on employee productivity. Okay, so management reviews in security processes are essential for which of the following reasons? And that is B, to evaluate the effectiveness of security policies and their adherence by the staff.
Again, when you're doing this, management reviews are crucial because of the security policies: you need to make sure that they're effective and whether the employees are actually following them as they are expected to.

Question 12: in the context of compliance with agreements, third-party security standards are most likely reviewed during which of the following? In the context of compliance with agreements, third-party security standards are most likely reviewed during which of the following? A, security audits of SLAs, your service level agreements. B, penetration testing. C, code testing. Or D, user access reviews. So, in the context of compliance with agreements, third-party security standards are most likely reviewed during which of the following? And that is A, security audits of service level agreements. Service level agreement audits are conducted to ensure that the third parties providing the service are meeting the agreed-upon security standards and their obligations.

Okay, question 13: which activity is most indicative of an organization's commitment to continuous improvement in security? So, most indicative of an organization's commitment to continuous improvement in security: A, regular updates to the organization's risk assessment and management strategies. B, frequent changes to the security management team. C, consistent investment in new security technologies. Or D, periodic redesign of the network infrastructure. So which activity is most indicative of an organization's commitment to continuous improvement in security? And the answer is A, regular updates to the organization's risk assessments and their management strategies.

Question 14: what is the primary purpose of generating detailed reports after analyzing test reports? Again, what is the primary purpose of generating detailed reports after analyzing the test reports? A, to maintain logs of all security tests conducted.
B, to allocate budgets for future security investments. C, to document your findings and risks and provide recommendations. Or D, to train new employees in security best practices. Again, the primary purpose of generating detailed reports after analyzing test inputs. And the answer is C, to document your findings and risks and provide recommendations for improvements. That's the overall purpose of any sort of report: to provide those recommendations.

The last question, question 15: when planning a structured audit, what is the most crucial aspect to define to ensure its success? When planning a structured audit, what is the most crucial aspect to define and to ensure its success? A, qualifications of the audit team. B, the scope, methodology and objectives of the audit. C, the schedule and duration of the audit. Or D, the tools and technologies to be used in the audit. Again, the most crucial part is the scope, methodology and objectives of the audit. Without those, why would you even do the audit? It would be painful; it would just be like poking yourself in the eye with a pencil, not fun at all.

Okay, hope you guys enjoyed this. This again is CISSP Cyber Training. This is related to Domain 6.5, and we're dealing with assessment, compliance and the overall improvement strategies associated with those. This is also tied to the podcast that occurred on Monday. Again, go to CISSP Cyber Training for all of your training needs. It's out there to help you pass the CISSP exam. I've just had multiple people that have passed recently, and they are excited about basically following the blueprint and getting what they need to pass this doggone test. All right, have a wonderful day and we will catch you on the flip side. See you.
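Question eight above says that reviewing security logs is the activity most likely to surface malicious activity, and that without logging there is nothing to review. The script below is an added example, not part of the podcast or of CISSP Cyber Training's material, showing the smallest useful form of that review: it parses constructed SSH-style authentication log lines, keeps a sliding window of failed logins per source address, and raises two findings a reviewer would want escalated, a burst of failures from one source and a success from a source that had just been failing repeatedly. The log format, host names, addresses and thresholds are all constructed for illustration.

```python
"""
Added example (not from the podcast): a minimal security-log review of the kind
question eight points at. Parses constructed sshd-style auth lines, tallies
failed logins per source address inside a sliding window, and flags (a) a burst
of failures from one source and (b) a success immediately following such a burst.
All hosts, addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like; documentation-range addresses only).
SAMPLE_LOG = """\
2023-12-07T08:00:01 host1 sshd[101]: Failed password for admin from 203.0.113.5 port 51000
2023-12-07T08:00:03 host1 sshd[102]: Failed password for admin from 203.0.113.5 port 51001
2023-12-07T08:00:05 host1 sshd[103]: Failed password for root from 203.0.113.5 port 51002
2023-12-07T08:00:07 host1 sshd[104]: Failed password for admin from 203.0.113.5 port 51003
2023-12-07T08:00:09 host1 sshd[105]: Failed password for admin from 203.0.113.5 port 51004
2023-12-07T08:00:12 host1 sshd[106]: Accepted password for admin from 203.0.113.5 port 51005
2023-12-07T08:15:00 host1 sshd[107]: Failed password for alice from 198.51.100.9 port 40000
2023-12-07T08:45:00 host1 sshd[108]: Accepted password for alice from 198.51.100.9 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review_auth_log(text, burst_threshold=5, window=timedelta(seconds=60)):
    """Return a list of (finding, source) tuples; an empty list means nothing anomalous was seen."""
    findings = []
    recent_failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    burst_flagged = set()                # report each source's burst only once
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        src, now = ev["src"], ev["ts"]
        # Age out failures that fell outside the sliding window.
        recent_failures[src] = [t for t in recent_failures[src] if now - t <= window]
        if ev["result"] == "Failed":
            recent_failures[src].append(now)
            if len(recent_failures[src]) >= burst_threshold and src not in burst_flagged:
                findings.append(("failed-login burst", src))
                burst_flagged.add(src)
        else:  # Accepted
            # A success right after a burst of failures is the line a reviewer most wants to see.
            if len(recent_failures[src]) >= burst_threshold:
                findings.append(("success after failed-login burst", src))
            recent_failures[src] = []
    return findings


if __name__ == "__main__":
    for finding, src in review_auth_log(SAMPLE_LOG):
        print(f"{finding}: {src}")
```

The single isolated failure from the second source followed by a success half an hour later produces no finding, because the window has expired; the point is that a log review needs a time dimension, not just counts, or it drowns in ordinary typos. In practice the same logic would run inside a SIEM rule rather than a script, but the review it performs is the same.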

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
