CCT 107: Practice CISSP Questions - EOL/EOS Maze and the CISSP Exam (Domain 2.5)

Jan 18, 2024
 

Is your organization's cybersecurity teetering on the edge with outdated technology? Find out how to fortify your defenses as I, Sean Gerber, navigate the treacherous landscape of end-of-life (EOL) and end-of-service (EOS) assets in the latest CISSP Cyber Training Podcast episode. We explore the harsh realities of increased vulnerabilities and compliance challenges that come with clinging to aging systems. Say goodbye to the misplaced hope of squeezing performance from obsolete technologies and hello to practical strategies for managing the inevitable twilight of critical systems. Listen in for a comprehensive breakdown of manufacturers' end-of-support announcements, secure data disposal, and risk prioritization that keeps your organization both secure and cost-effective.

Venturing further, we tackle the importance of crafting personalized plans for technology EOL and EOS, going beyond the vendor-driven advice that's all too common in the industry. As your guide, I stress the significance of self-sufficiency in asset reviews and support strategies, ensuring decisions are uniquely suited to your organization's needs. For those hungering for more than just a taste of cybersecurity expertise, or aiming to conquer the CISSP certification landscape, CISSPcybertraining.com stands ready with a treasure trove of resources. Join us on this journey of enlightenment and leave equipped with actionable insights to outmaneuver the ticking time bomb of technological obsolescence.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

 

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go, let's go.

Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a wonderful day today. Today is CISSP Question Thursday, and we're going to be going over questions in domain 2.5. So it's going to be pretty amazing today. I'm fully expecting you all will have a lot of fun with this. As we are recording this, we're getting hit with the polar blast, which is super cold, really, really cold, but I'm nice and warm, tucked away, recording this podcast out in my office. So it is exciting, exciting stuff. Let's get started without any further ado.

Question one: which of the following is not a risk associated with retaining end-of-life assets? Now, as we get into these questions, we're going to be talking about end-of-life products, and this is related to the episode we last had, which is domain 2.5. So which of the following is not a risk associated with retaining end-of-life assets? A, increased accessibility to known and future exploits. B, compliance violations due to unmet security controls. C, improved performance and integration with newer systems. Or D, operational disruptions from hardware failures or software incompatibilities. So which of the following is not a risk associated with end-of-life assets? And the answer is C, improved performance and integration with newer systems. This is typically not a risk that would be associated with end-of-life, because it contradicts the inherent decline in functionality that comes with it. End-of-life assets' performance is usually going down, not up.

Question two: a manufacturer stops providing technical support for an asset, marking its end-of-support date. This means what? A, spare parts will no longer be available for the asset. B, the asset cannot be connected to the internet anymore. C, security patches and bug fixes will no longer be provided. Or D, all of the above. And the answer is, actually, let me go back real quick: they're not supporting this anymore, so it has reached its end-of-support date, which means C, security patches and bug fixes will no longer be provided.

Question three: your organization identifies a critical business system approaching its end-of-life date. The most cost-effective option is... again, cost-effective, focus on the words. A, immediately upgrade to the latest version. B, extend support from the manufacturer. C, continue using the system with additional security measures. Or D, develop and implement a mitigation plan to a new system. Now, the most cost-effective approach, obviously you're kind of thinking, hmm, this is a tough one. It is D, develop and implement a mitigation plan to a new system. Bottom line is you really want to upgrade your system, and from a cost-effective standpoint, over the long term it's better to upgrade it. But A says immediately upgrade, and you may not have a good mitigation strategy for it. So the most cost-effective method would be to come up with a plan and then implement that plan.

Question four: which of the following is not a secure data disposal practice for retired end-of-life or end-of-service assets? Again, what is not a secure data disposal practice? A, format the data drive. B, use certified data sanitization software. C, physically destroy the storage media. Or D, leave the data intact and recycle the asset. So the one that is not a secure data disposal practice would be D, leaving the data intact and recycling the asset. You don't want to leave any data sitting on that asset when you send it to recycling.

Question five: what is the primary consideration when deciding whether to extend support for an end-of-life or end-of-support asset? A, cost of extended support compared to upgrading. B, availability of alternative solutions in the market. C, security risks associated with continued use of the asset. Or D, user familiarity and comfort level with the existing asset. Again, what is the primary consideration when deciding whether to extend support for an end-of-life or end-of-service asset? And the answer is C, security risks associated with continued use of the asset. You should always consider the security risk when you're considering keeping any sort of end-of-life or end-of-support device active on your network. It's not just the cost or the user preference. You need to make sure you know what the overall risk is.

Question six: an industry regulation mandates specific security controls for a type of asset your organization uses. Most of these assets are approaching their end-of-life or end-of-service dates. The best course of action is... again, an industry regulation mandates specific security controls for a specific type of asset within your organization. What should you do, because they're going end-of-life and end-of-service? A, ignore the regulation. Really not a good idea. B, upgrade all assets immediately to meet compliance requirements. C, develop a risk-based plan to gradually upgrade and replace the assets while implementing temporary mitigation measures. Or D, negotiate with the regulator for an exemption due to the impending retirement of the assets. Again, the best course of action would be C, develop a risk-based plan to gradually upgrade these. You may have to work with your regulator on that if there's a specific hard date, but bottom line, most regulators will take that into account as long as you have a good plan and you're working the plan. Just keep that in the back of your mind.

Question seven: which of the following tools would be most helpful in automating asset inventory tracking and end-of-life and end-of-service risk assessments? A, a spreadsheet. B, network monitoring tools. C, dedicated asset management software. Or D, a security incident and event management system. Most helpful is C, dedicated asset management software. We talked about having spreadsheets and so forth, and they're fine, but having actual dedicated asset management software that is set up to remind you, keep tabs on that, and let you document all of that information is a much better tool and a much better solution, if you have one and if you can afford to put it in place. If you can't, well then a spreadsheet is fine, but there are some risks with that.

Question eight: during a business continuity planning exercise, you identify a single point of failure in your network caused by an end-of-life and end-of-support switch. The best way to mitigate this risk is... so, during BC and DR planning, you identify a single point of failure in your network caused by an end-of-life and end-of-support switch. What should you do? A, schedule immediate replacement of the switch with a newer model. B, implement redundancy by adding another switch to the network. C, develop a disaster recovery plan for handling outages caused by the switch. Or D, all of the above. And the answer would be D, all of the above. There's a lot of little things going on there, but if you do all of those, that would be a very helpful plan to get you set up for mitigating that risk.

Question nine: an open-source software alternative exists for end-of-life, end-of-support commercial software your organization uses. Before switching, you should prioritize what? Again, an open-source software alternative exists for end-of-life and end-of-support commercial software your organization utilizes. Before switching, you should do what? A, cost savings compared to the commercial license. B, user training and adoption of the new software. C, thorough security vetting of the open-source project. Or D, compatibility with existing systems and data formats. Okay, so all of those are important, but the best answer would be C, a thorough security vetting of the open-source project. It doesn't do any good to do the planning, the training, and all of those things if the actual product itself has security issues.

Question 10: which of the following is not a recommended practice for employee awareness about end-of-life and end-of-support risks? A, regularly conduct training sessions on secure data handling practices. B, encourage employees to report suspicious activity or potential vulnerabilities. C, install security updates and patches on end-user devices automatically. And D, share information about upcoming end-of-life and end-of-support dates and upgrade plans. So which of the following is not a recommended practice for employee awareness? Now, this is a tough one, because the answer you might pick would be any of A, B, or D. You wouldn't pick C, because you go, well, install security updates and patches on end-user devices automatically, you want that to happen, right? But it's not a recommended practice for employee awareness about end-of-life and end-of-support risks. A, B, and D are all things you would probably want to talk to your employees about. C you wouldn't talk to them about; you'd just install it automatically. So therefore, the answer is C. That's one of those that would catch you.

Question 11: you manage a large fleet of laptops, many nearing their end-of-life date. A cost-effective option to extend their lifespan while mitigating the security risk is... A, implement virtualization and migrate users to virtual desktops. B, install open-source security software on each laptop. C, upgrade the operating system to a newer version supported on older hardware. Or D, extend support from the manufacturer and patch diligently. Again, you manage a large fleet of laptops, many nearing end-of-life. What is a cost-effective option to extend their lifespan? And the answer is A, implement virtualization and migrate users to virtual desktops. It's one of the more cost-effective ways. Now, this can add up; it can be very expensive over time, but it is a cost-effective way, especially in the short term, and it's also easy to provision and deprovision these systems when they're virtualized.

Question 12: your organization maintains a data archive on magnetic tapes approaching their end-of-service or end-of-support date. The most effective and secure disposal method for these tapes is... A, degaussing followed by physical destruction. B, overwriting the tapes with random data. C, formatting the tapes and selling them as used media. Or D, wiping the tape drive heads and recycling the tapes. Again, this organization maintains a data archive on magnetic tapes approaching their end-of-support date. The most secure disposal method is A, degaussing followed by the physical destruction of them. Basically, the rest of those are not the most secure options. They are available and they can be used, but they're not the most secure.

Question 13: a third-party vendor offers extended support for an end-of-life, end-of-support network firewall your organization relies on. Before deciding, you should evaluate what? Again, a third-party vendor offers extended support for end-of-life and end-of-support network firewalls your organization relies on. What would you do? A, the cost of extended support compared to immediate replacement. B, the security vulnerabilities known to exist in the end-of-life and end-of-support firewall. C, the vendor's reputation and track record for providing quality support. And D, all of the above. Yes, the answer would be D, all of the above. They're all very important things you would evaluate to decide whether to go with extended support or not.

Question 14: during a risk assessment, you discover several end-of-life and end-of-support servers still running critical applications. The best mitigation strategy is... okay, so during an assessment you discover end-of-life and end-of-support servers still running critical apps. What should you do? A, immediately shut down the servers and find alternative solutions. B, implement additional network segmentation and intrusion detection systems. C, patch diligently and apply temporary security controls while planning a migration. Or D, secure physical access to the servers and restrict user access. Okay, so each of those could be used in some form or fashion, but bottom line, the best answer is C, patch diligently and apply temporary security controls while determining how you're going to migrate them off.

Question 15: which of the following is not a best practice for reviewing and adapting your end-of-life and end-of-support management strategy? A, monitor industry trends and emerging threats related to the outdated technologies. B, track changes in compliance requirements and regulations affecting your assets. C, conduct periodic risk assessments to update the priorities for your asset retirement. Or D, rely solely on vendor recommendations for upgrade paths and support options. Which of the following is not a best practice for reviewing your strategy? D, rely solely on vendor recommendations for upgrade paths and support options. Bottom line is they can give you some recommendations and some paths to do this, but at the end of it, when it's all said and done, it still comes down to you. You have to be able to understand this yourself, go down this path, and understand what you're going to do from an end-of-life and end-of-support strategy.

Okay, that's all I've got for you today. I hope you guys have a wonderful day. Go to CISSPcybertraining.com and check it out. There's a lot of great stuff out there. If you are looking to take your CISSP, or if you're just trying to learn cybersecurity, there's a lot of great information available to you. All right, have a wonderful, wonderful day and we will catch you on the flip side. See ya.
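Several of the questions above (five, seven, and fourteen in particular) come down to the same practice: know which assets are past or near their end-of-support date, rank them by the risk of keeping them, and plan a migration with interim controls rather than an unplanned rip-and-replace. The following script is an added example of that risk-based prioritization, written for this page; it is not code from CISSP Cyber Training or from any asset management product. The inventory is constructed sample data, and the status window, scoring weights, and action thresholds are assumptions chosen for illustration, not a standard.

```python
"""Prioritise end-of-life / end-of-service (EOL/EOS) assets by risk.

Added example for this page, not code from CISSP Cyber Training.
The inventory is constructed sample data; the scoring weights and
thresholds below are assumptions for illustration, not a standard.
"""
from datetime import date

# Constructed sample inventory (no real systems). "eos" is the vendor's
# end-of-support date: after it, no security patches or bug fixes ship.
INVENTORY = [
    {"asset": "core-fw-01", "product": "VendorFW 7", "eos": "2023-06-30",
     "criticality": 5, "internet_facing": True, "compensating_controls": 0},
    {"asset": "hr-db-02", "product": "DBMS 11", "eos": "2024-04-30",
     "criticality": 4, "internet_facing": False, "compensating_controls": 1},
    {"asset": "lab-switch-09", "product": "SwitchOS 3", "eos": "2022-01-15",
     "criticality": 1, "internet_facing": False, "compensating_controls": 2},
    {"asset": "web-app-03", "product": "AppServer 9", "eos": "2027-03-01",
     "criticality": 3, "internet_facing": True, "compensating_controls": 0},
]

AS_OF = date(2024, 1, 18)   # fixed "today" so the ranking is reproducible
WARNING_WINDOW_DAYS = 180   # assumption: start planning this far ahead of EOS


def days_past_eos(asset, today):
    """Positive once the asset is unsupported, negative while support remains."""
    return (today - date.fromisoformat(asset["eos"])).days


def eos_status(asset, today):
    past = days_past_eos(asset, today)
    if past >= 0:
        return "unsupported"
    if past >= -WARNING_WINDOW_DAYS:
        return "eos_within_window"
    return "supported"


def risk_score(asset, today):
    """Assumed weighting: unsupported assets score highest (more so after a
    year without patches), internet exposure doubles the score, and each
    documented compensating control (segmentation, IDS, restricted access)
    divides it. Fully supported assets score 0 for EOL purposes."""
    status = eos_status(asset, today)
    if status == "unsupported":
        exposure = 4 if days_past_eos(asset, today) > 365 else 3
    elif status == "eos_within_window":
        exposure = 2
    else:
        return 0
    base = asset["criticality"] * exposure
    if asset["internet_facing"]:
        base *= 2
    return base // (1 + asset["compensating_controls"])


def recommended_action(score):
    # Assumed thresholds. Even the top tier is a planned migration with
    # interim controls, which is the episode's point about cost-effectiveness.
    if score >= 20:
        return "isolate now; migrate as first priority"
    if score >= 4:
        return "plan migration; apply interim controls and patch what you can"
    if score > 0:
        return "track; retire on schedule"
    return "supported; monitor vendor EOL/EOS announcements"


def prioritize(inventory, today):
    """Return assets ranked by descending risk score with status and action."""
    ranked = []
    for asset in inventory:
        score = risk_score(asset, today)
        ranked.append({
            "asset": asset["asset"],
            "status": eos_status(asset, today),
            "days_past_eos": days_past_eos(asset, today),
            "score": score,
            "action": recommended_action(score),
        })
    ranked.sort(key=lambda r: (-r["score"], r["asset"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(INVENTORY, AS_OF):
        print(f'{row["asset"]:14} {row["status"]:18} {row["days_past_eos"]:6d} '
              f'{row["score"]:3d}  {row["action"]}')
```

Run as-is, the unsupported internet-facing firewall ranks first, the database inside its planning window second, the long-unsupported but isolated lab switch third, and the still-supported app server last. In practice the inventory would come from the asset management tool of question seven rather than a hard-coded list, and the weights would be tuned to the organization's own risk appetite; the structure (status from the vendor date, score from criticality and exposure, action from score) is what carries over.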

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!

LEARN MORE | START TODAY!