CCT 103: CISSP Practice Questions - Domain 1-8

Jan 04, 2024

Unlock the secrets to conquering the CISSP exam as I, Sean Gerber, take you by the hand in our powerhouse 102nd episode, guiding you through the labyrinth of cybersecurity knowledge. Imagine stepping into the exam room equipped with the ultimate blueprint, the same one that has become the hallmark of success for our students. It’s holiday season and we’re serving up a festive feast of CISSP insights, sprinkled with a preview of the upcoming changes to the CISSP exam slated for April 2024. 

This episode is not just about celebration but also preparation, as I tease out thought-provoking exam questions that will fine-tune your understanding of what lies ahead. We’ll resume our domain-by-domain mastery sessions post-new year, but for now, let the spirit of learning be your guide through the discussion on incident response teams and secure software design. Whether you’re tuning in during your morning jog, the evening commute, or as the day unwinds, prepare to have your cybersecurity skills sharpened to a gleaming edge. Join us on this journey, and let's tackle the challenges of the security landscape, one question at a time.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having an awesome day today. Today is an amazing day. Yes, you guessed it, you all have guessed it. It is Thursday and, as of Thursday, it is CISSP exam question Thursday. Some great things are coming out of this and we are in the holiday season. I will tell you that I've got some CISSP exam questions. We're going to push off domain one of the CISSP until probably right after the first of the year. You'll be seeing that come out and then we'll start again, as we do at CISSP Cyber Training: domain one, two, three, four and five each following week, followed on with some training around whatever domain we're in, and then some CISSP exam questions on that as a follow-on. It's hard to believe we are in episode 102, I believe this one is, and it's just crazy how fast time has gone by, but it is. A whole year has gone, a whole year is in the books and we are excited at CISSP Cyber Training. Things are just exploding and we're super excited about having been able to provide some awesome training for our students. Had a lot of students that have just been passing the CISSP exam, and the one comment that comes out of it all is the blueprint. They all love the blueprint, and if you follow it, you will pass the test, and it's just that obvious. I didn't have the blueprint when I started on the CISSP journey, and so therefore we created it. It's awesome. I'm going to step you through it, step by step, as it relates to the exam. Also, there's going to be some updates in the CISSP exam. 
I know it's coming out in April of 2024 and you'll be seeing some changes, and also on the site we'll be making some modifications as the new content rolls out. Don't anticipate a lot of changes to the content. In reality, the great thing about the CISSP is this information is pretty much consistent. They do a lot of adding in new material that is up and coming and then make modifications to the test questions as it relates to that. But the best part is that just even understanding the old content, even from a couple of past exams, will put you in a much better position for taking the test. So that's what's so great about it. It isn't like they rewrite a whole bunch of new content for these exams; they just basically make some changes and modifications. So it's awesome. Let's roll into some of these questions and we'll get you going. So you guys are sort of listening to this while you're on your drive to work or while you're just sitting there working out, and hopefully you're maybe listening to this before you go to bed so that you can go to sleep quickly. Alright, question 16. These are all of the CISSP exam questions. These are tied to my free monthly exams. I recommend you go out to CISSP Cyber Training and you'll be able to get access to all of these free questions. This is question 16 off of month one, but we'll just actually go and call it question one. We'll make it simple that way. Alright, question one: what is the primary goal of a computer incident response team? What is the primary goal of a CIRT, a computer incident response team? A, to investigate security incidents. B, to respond to and manage security incidents. C, to create new security policies. Or D, to repair the systems after a security incident. Again, what is the primary goal of a CIRT? And the primary goal of a computer incident response team is B, to respond to and manage security incidents and to minimize their impact and restore normal operations as quickly as possible. 
Question 17, or question two, sorry. So what does the term secure by design mean in software development? A, security is considered and incorporated from the initial phases of design and development. B, the software is designed with a particular security posture in mind. C, the software is designed to resist all possible security threats. Or D, the software is designed by security professionals. Again, what does the term secure by design mean in software development? Question 17. What does the term secure by design mean in software development? A, security was considered and incorporated from the initial phases of design and development. B, the software was designed with a particular security posture in mind. C, the software was designed to resist all possible security threats. Or D, software was designed by security professionals. Again, what does the term secure by design mean? And it's A, security was considered and incorporated from the initial phases of design and development. And again, this is an important factor, especially when you're having any sort of software development team, that it is incorporated at the beginning rather than at a later point. Question 18, what is residual risk? And again, what is residual risk? A, the risk that remains after all security controls have been applied. B, the initial level of risk before any security controls are applied. C, the risk that can't be mitigated. Or D, the risk from employees within an organization. And the answer is A. Residual risk is A, the risk that remains after all security controls have been applied. Question 19, which of the following best describes data remnants? Again, which of the following best describes data remnants? A, the activity remaining logged onto a system for an extended period of time. B, the residual representation of data after attempts have been made to remove or erase it. C, the practice of regularly updating data. Or D, the constant flow of data between systems. 
Again, which of the following best describes data remnants? And it is B, the residual representation of the data after attempts have been made to remove or erase it. This occurs a lot with hard disk drives. If there's data left over after an erasure has occurred, then you may have to deal with either running it through a degausser or shredding it. Basically, there is a concern around this because you can have data leakage after the fact. Question 20, which of the following cryptographic key types is used only for decrypting data, not for encrypting? Again, which of the following cryptographic key types is used only for decrypting data, not for encrypting the data? A, a private key in symmetric encryption. B, a private key in asymmetric encryption. C, a public key in asymmetric encryption. Or D, the secret key in symmetric encryption. This is always the one that gets everybody, and believe me, I struggled with it for years, but it's B, a private key in asymmetric encryption. This is used for decrypting the data that was encrypted with the corresponding public key. Again, public and private key. This is part of the PKI infrastructure, the specific asymmetric encryption systems. They primarily are used for decryption and digital signature creation, but they are not used for encrypting data in standard practice. Question 21, which of the following attacks aims to consume all available network bandwidth or disrupt connections by flooding the network with traffic? Again, which of the following attacks aims at consuming all available network bandwidth or disrupting the connections by flooding the network with traffic? A, a Smurf attack. B, a phishing attack. C, a man-in-the-middle attack. Or D, a buffer overflow attack. Okay, so depending upon the type of question and the type of answer, which one is going to cause a disruption by flooding the network with traffic? This is what we call a denial of service attack. 
But a Smurf attack is a type of denial of service attack where it floods the network with traffic, overloading it and making it unavailable for its users. Question 22, in the context of risk management, what does risk transference mean? So, in dealing with risk management, what is risk transference? A, implementing security measures to mitigate the risk. B, accepting the potential impact of the risk. C, passing the risk onto another party or entity. Or D, ignoring the risk as it is deemed not critical. Again, in the context of risk management, what does risk transference mean? And it basically means passing the risk onto another party or entity. This is shifting the risk to those folks or through that entity, and one good example of that is insurance policies, and you may have different situations set up as a CISO or as a security professional where they'll require you to have an insurance policy in place depending upon the risk that they're trying to transfer, based on the cyber risks that you might be encountering. Question 23, which method is most effective in protecting data at rest on a hard drive? Which method is most effective at protecting data at rest on a hard drive? A, network firewalls. B, intrusion detection systems. C, encryption. Or D, two-factor authentication. Most effective at protecting data at rest on a hard drive? Well, you can throw a lot of things out, right, and the number one, or not number one, it's letter C, it's C, encryption. Encryption is a way to convert data into code to prevent unauthorized access. Encrypting stuff that's on the hard drive is the best way to manage that, especially if you're trying to protect that data specifically. All right, quick next question. In the context of computer security, what is a sandbox? A, a tool for detecting network intrusion. B, a type of malware. C, a secure network within an organization. Or D, a virtual environment within which untrusted programs can be run safely. 
So what is a sandbox as it relates to security? And it is D, a virtual environment where untrusted programs can be run safely. It's a mechanism that, basically, applications can be put in this environment and they allow them to be run safely and then they don't touch anything else. So it's just designed to protect your environment. Question 25, what is a honeypot in a network security mindset or architecture? A, a weak point in the network that is intentionally left unprotected. B, a decoy system designed to lure potential attackers and detect malicious activities. C, a software tool used for cracking passwords. Or D, a type of malware that targets network devices. Again, what is a honeypot in networks, as it relates to network security? It's a decoy system designed to lure potential attackers and detect malicious activity. That's B, it's what it is, and it's designed to gather information around these threats. You put them out there hoping that they will attack it, and in the process of attacking it, you get some idea of actually who is on your network. I've implemented them various times. I have yet to see them be very effective, but for some people out there I'm sure they are very effective. Okay, next question is what is a one-time password, or OTP? A one-time password: A, a password that is used only once before it expires. B, a unique password for each user that cannot be changed. C, a password that is shared among multiple users for a single session. Or D, a password that is used across multiple systems. So what is a one-time password? It is A, a password that is used only once before it expires. It's typically designed to be valid for a single logon session or transaction and it's designed to help against various password-type attacks. Question 27, which method is used to validate that an organization's disaster recovery plan will work as intended? Again, what is it? 
What plan do you have in place to deal with an organization's disaster recovery plan to assure that it works as intended? A, penetration testing. B, disaster recovery exercise. C, vulnerability assessment. Or D, risk assessment? And the answer is B, disaster recovery exercise. This is a test that validates the effectiveness and efficiency of an organization's DR plan. Question 28, which of the following is a primary goal of incident management? A, to restore service operations as quickly as possible. B, to identify the attacker. C, to upgrade security systems. Or D, to punish those responsible for the incident. Again, which of the following is a primary goal of incident management? And it is A, to restore normal service operations as soon and as quickly as possible. The purpose of that, then, is to minimize the adverse actions that could happen to your business as a result of the outage and just deal with that. Almost all the time there's some sort of outage you're working through. Next question, in the context of software development, what is peer review? In the context of software development, what is peer review? A, the process where developers review each other's code to find and fix errors. B, the process where managers review developers' performance. C, the process where customers review the software before it is released. And D, the process where developers review their own code. Again, in the context of software development, what is peer review? Very important concept, very important thing for you to implement within your organization. And it is A, a process where developers review each other's code to find and fix errors. Again, you want someone else to look at your code. You've been looking at code and you type it all in. You lose sight of the errors that are in it. You're real quick to go over them. Therefore, it's important to have someone else look at them to find the errors that may exist within your code. All right, last question, question 30. 
What does the term due diligence mean in the context of information security? What does the term due diligence mean in the context of information security? A, the process of implementing security controls. B, the act of assessing the security posture of a company before a merger. C, the act of ensuring that all laws and regulations are followed. Or D, the process of educating employees about security best practices. So what does due diligence mean in the context of information security? It is C, the act of ensuring that all laws and regulations are followed. It's important that a reasonable person exercises this to ensure that they're avoiding harm to others or their property. It also means that if there are any legal or regulatory requirements, you must adhere to those as well. You deal with due diligence a lot in the security space, all the time. Okay, that's all I've got for today. Head on over to cisspcybertraining.com. It's an incredible place. You have lots of great content there. It's available. These questions are available too. Just sign up for free. It doesn't cost you anything and you will gain access to these various questions as well. So they're all there. They're there and available for you, and you can get 350 of them just by signing up. It's pretty simple. There's also a lot of other free training available for you, too, to be able to get the information you need to pass the CISSP. You really want to pass this thing because it will put money in your bank, it will help you get your next future or your next career, and I guarantee you that if you do get it completed, you will increase your return on your investment by at least a thousandfold, because there's no question in my mind that you will be able to make significant amounts of money as a CISSP with experience in the security space. You will do very, very well. All right, have a wonderful day and we will catch you all on the flip side. See you.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
