CCT 120: CISSP Essentials: Navigating Security Policies and BIA Basics (D1.7-1.8)

Mar 04, 2024

Imagine your Ubiquiti router as an open treasure chest amidst cyber pirates—how long before it's plundered? This episode throws you a lifeline, urging IoT and critical infrastructure pros to safeguard their digital booty by updating those default credentials, stat! But it's not all about fending off Russian cyber threats; we also turn the tables with CISSP Question Thursday, sharpening your cybersecurity smarts. We dissect the anatomy of a bulletproof security policy, navigate the waters of compliance, and tailor guidelines fit for the remote access odyssey. For those mapping their course through the CISSP certification, this treasure map of insight isn't just for exam prep, it's your compass to mastering the cybersecurity seas.

Hoist the sails to the cloud and set a course for the uncharted realms of security standards. This episode's horizon teems with ISO 27001 and ISO 27018—beacons of security in the nebulous cloud. You'll learn to detect anomalies with the sextant of configuration baselines and craft password management protocols as unique as your crew's roles. By charting the tricky waters of BYOD policies and weighing the merits of government-recommended frameworks, we ensure your vessel is shipshape for whatever digital squalls may come. Remember, my cyber training blueprint is your trusty first mate, here to guide you to that CISSP certification, with a trove of resources for every buccaneer, whether ye be sailing solo or with a fleet.

Gain access to 60 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a great day. What a beautiful day today. Today is CISSP Question Thursday, so today we're going to be going over the CISSP questions that are tied to the actual podcast that was sent out on Monday. The ultimate goal is to create an environment where you learn these questions based on the content that you received and you heard, so that when you take the test, it makes more sense to you. So, before we get started, I was going to talk about an FBI alert on Russian threats targeting Ubiquiti routers. Now, this came out of the US Cyber Command, as well as the National Security Agency, and these routers are being targeted by the Russians, otherwise known as APT-28. These edge routers are particularly vulnerable because of the fact that they're being shipped with, obviously, the login information that's set up on them already, and in many cases this is admin/admin, and someone can log in remotely and gain access to these systems. I've also heard that these Ubiquiti edge routers are used a lot in IoT environments, which also could be tied to critical infrastructure. So you're obviously hearing about this because they're a Linux-based operating system. That's an edge router that is specifically set up with admin/admin type login credentials, so therefore it allows external entities to be able to remote into these systems utilizing these passwords. 
And I'll tell you right now, when I was in the military and was doing this for the US government, that was one of the first things that we looked at: are the default login credentials still available? And we would go and we would look at various vendors, from basically your wireless vendors that were out there, your Linksys and different types of vendors, and we would look to see what are the default login credentials for these systems. Now, if you go to a Linksys router today, or a Linksys wireless access point, you'll notice that they don't have those default configurations set up, but they did in the past, and in many cases these systems are still in operation today. So it's important that, if you're listening to this podcast, you understand that you need to go out and look at any of the default passwords that you have on your systems and change those to something that is not, obviously, the default password. Now, another problem, they said, with these routers is that they are in the perfect position because of the fact that they're able to move advanced command and control functions into these systems as well. It does allow for them to basically use them as a jumping-off point to various other entities within an organization. So, again, if you're utilizing these routers, and if you are in critical infrastructure, you want to make sure that you go in and you reconfigure these systems so that they're not set to the default configuration. Okay, so let's get started on today's podcast. This is again domain one, and this is group eight. If you go to CISSP Cyber Training, you'd have access to all these questions. You'd be able to have these and test yourself on a daily basis to see how you're doing, and you'll also have access to all of my training videos that are available to help you pass the CISSP exam, at CISSPCyberTraining.com. 
Okay, so question one. XYZ Corporation is drafting a new security policy to address the increasing threats to its sensitive data. Which of the following elements would be explicitly defined in the policy to ensure clarity and effectiveness? So which of the following elements should be explicitly defined within the policy to ensure clarity and effectiveness? A, encryption algorithms to be used. B, details of routine security audits. C, scope of the policy coverage. Or D, procedures for incident handling. And what would be the something that you'd explicitly define to ensure clarity and effectiveness? And the answer would be C, the scope of the policy coverage. You want to make sure that you extend the scope to what you need it to be, so that, one, it's not too broad, but on the other side, it's not too narrow. You want to define what that is, and it helps prevent any ambiguity that might be out there. I should say "any" is not the right word. It helps prevent some ambiguity, most ambiguity, as it relates to your policy, and ensures that it's clear and effective. Question two. ABC Corporation wants to establish a security standard for its cloud services. Which of the following would be a primary consideration for ABC Corp in selecting a suitable standard? Again, which of the following will be a primary consideration for this company to select a suitable standard for the security standard? A, the cost of implementing the standard. B, compliance with industry regulations. C, flexibility to adapt to future technologies. Or D, the reputation of the standard-setting body. Well, obviously, the reputation of the body? That doesn't really matter, right? But what would be the primary consideration? Compliance with industry regulations. As we're seeing more and more today, all the time, there are more regulations that are hitting the streets. I dealt with some just with the US Coast Guard just this week. 
So there are various compliance industry regulations that are coming out, and therefore it's imperative that you work to have compliance with these various regulations. Question three. This company is developing a security guideline for employees regarding remote access. Which characteristic of the guideline would best allow for adaptation to different scenarios and technologies? So this company is developing security guidelines. Which characteristic of the guidelines would allow for adaptation to different scenarios and technologies? A, flexibility. B, specific, specific, specific, I can't think of it, specific stuff. C, mandatory compliance. And D, complexity. Which of the characteristics of the guidelines would best allow for adaptation to different scenarios and technologies? And the answer is A, flexibility. Flexibility does allow for the adaptation to different scenarios and technologies. You want it to have that; that's what guidelines are working for, to help with some flexibility in there, so that way it ensures that they remain relevant and effective across various diverse environments. Okay. GHI Corp is reviewing its security procedures to ensure effective incident response. Which type of procedure should GHI Corp prioritize in handling unforeseen security breaches? So what kind of procedure should they prioritize to handle unforeseen security breaches? A, preventive procedures. B, corrective procedures. C, routine procedures. Or D, emergency procedures? Okay, unforeseen security breaches. What would that be? It would be D, an emergency procedure. Emergency procedures are designed to address unforeseen security breaches swiftly and effectively. Well, I don't know about effectively, but they are swift, right? Yeah, when you deal with one, you'll realize real quickly that what you have in place isn't what you need, but at least you have something to go by. Now, I think it was Mike Tyson who made a comment. 
He said you have a plan going into the ring until you get hit in the face, and then your plan goes out the window. It's all the same kind of concept. Okay, in Chapter 5, JKL Corporation is implementing an AI-driven threat detection system. Which aspect should JKL Corp focus on to ensure the trust and accountability of its AI applications? A, Algebra-Rhythmic... see, I can't. These are big $10 words. As you know, it's like 5 AM when I'm doing this, so I have a sleep. Algorithmic complexity. B, model explainability. C, data diversity. And D, training duration. Okay, so to ensure the trust and accountability of its AI applications, what should they focus on? And the answer is B, model explainability. Okay, so we didn't really talk about this too much in the podcast, but overall, with AI, you wanna have the ability to explain the model. You don't want it to have these secret things that are in place. I know Google just ran into that today, or this week, where they have a secret kind of protocol in place of some kind. I don't understand that part, but they basically do, and supposedly it picks out... I don't understand it. It doesn't show white people, it shows other people of color. I don't get it, don't understand it. But you wanna be able to explain the model, whatever it is, and if you can ensure that you can explain the model, then it will show that you have trust and accountability with your AI applications. It allows for the stakeholders to understand how AI makes decisions, which is essential for building and verifying the integrity of the system. Question six. N-O Corp is migrating its infrastructure to the cloud. Which standard would be most relevant for ensuring security of its cloud services? Okay, so which standard would be the most relevant for ensuring security of its cloud services? So, if you're looking at standards, what would be a potential standard? 
Now, there are various ISO standards around the cloud piece of this, but the one that they're talking about, that will do for the question, is ISO 27001. The other ones are IEEE 802.11, NIST Special Publication 853, or PCI DSS. So, again, when you're talking about the standard which will be for cloud services, well, you can throw out... then the NIST Special Publication 853 could be considered one, maybe, but realistically, the one that you wanna consider is ISO 27001. It does make it suitable for cloud services. It's a comprehensive framework overall. There are specific frameworks; I think it was 27018 that is a cloud-specific framework, but 27001 will definitely get you into the right ballpark. Question seven. PQR Corp is establishing a baseline for its network configurations. Which component of this baseline would help to identify deviations from the desired state? A, performance baseline. B, risk baseline. C, configuration baseline. Or D, compliance baseline? So, establishing a baseline for its network configurations. Which component of the baseline would help identify deviations from the desired state? Okay, so if you wanna know the deviations from a desired state, you wanna look at how it is configured, right? So the answer would be C, configuration baseline. A configuration baseline will specify the desired state, making it essential for identifying any deviations that may exist. That allows your organization to detect and address deviations from the desired state, helping maintain security and stability. Yes, that's the configuration. But if you know your configuration state, then you know how it deviates from that, right? If you didn't know that, then it would be kinda hard to determine where you deviated from. Which characteristic of a guideline ensures they provide actionable recommendations without being overly prescriptive? Okay, which characteristic of the guideline ensures they provide actionable recommendations without being too prescriptive? A, mandatory compliance. 
B, flexibility. C, specificity... yeah, specificity, specifics, right. Okay, too early. And then D, complexity. So, actionable recommendations without being prescriptive. It is, obviously... we talked about this a little bit before, in a different kind of question. Flexibility does allow that to happen when you're dealing with guidelines. Question nine. STU Corp wants to develop guidelines to secure password management. Which type of guideline would provide specific recommendations tailored to different user roles? A, specific guideline. B, general guideline. C, mandatory guideline. Or D, flexible guideline? Again, which guideline for secure password management would provide specific recommendations tailored to different user roles? And you'd want a specific guideline, again, obviously, around secure password management, and you'd want that to be very specific to what it does. You wouldn't want it to be really general when you're dealing with passwords and kinda make it all into one big bundle. You'd want to avoid that when you're dealing with something like passwords; that is, specifically, you want an employee to do a specific task. Then you'd want a very specific guideline on what you want them to do and how you want them to accomplish that. Which advantage of using baselines helps organizations identify vulnerabilities and misconfigurations? A, enhanced accountability. B, improved performance. C, increased visibility. Or D, streamlined compliance. Okay, which advantage of a baseline helps organizations identify potential vulnerabilities and misconfigurations? Well, when you're trying to determine something like that, you wanna understand the visibility behind it, and they provide a reference. Baselines will provide a reference point for a desired state of where you wanna go. 
By comparing configurations against the baseline, the desired state, you can determine any deviations or discrepancies, and that thus gives you visibility into your vulnerabilities and potential misconfigurations. So visibility allows for this, and that's what you want, specifically as it relates to this question. Which guidelines should an organization follow to ensure security of their cloud deployment? Okay, again, something that's very specific, a cloud deployment. A, general guideline. B, specific guideline. C, mandatory guideline. Or D, flexible guideline. And because we're dealing with something very specific, such as your cloud environment, you would want a specific guideline. Again, we want it very to the point on what you're trying to accomplish. Question 12. VWX Corp is drafting a security policy for its BYOD, which is bring-your-own-device, program. Which element of the policy would address the responsibility of the employees in safeguarding corporate data on personal devices? So, again, which element of the policy would address the responsibility of employees in safeguarding corporate data on personal devices? A, purpose. B, enforcement and compliance. C, review and revision. Or D, roles and responsibilities. And then, obviously, the question is asking for responsibility, right? So therefore, it would be roles and responsibilities. A lot of times you see these as RR&Es: roles, responsibilities and expectations. That would be something that would be clearly defined within the policy to ensure your employees understand their role and maintain the security of the corporate data. Question 13. YZA Corp is adopting a new security standard recommended by a government agency. What advantage does YZA Corp gain by following this standard? So the government is recommending a security standard and this company wants to do that. So what's the advantage they get from doing this? A, increased flexibility? Maybe not, really. 
Government regulations kind of decrease flexibility. B, reduced complexity? That's definitely not gonna be the case. C, lower cost? Not gonna happen either, because it's gonna cost you more money. Or D, enhanced interoperability? Yes. If you have that, you can now work with the government much better. They understand you, you understand them. That would be the interoperability between the government and you. Anytime you deal with the government, just being blunt, they have interesting ideas and they have their own ideas, and not all of them are bad, not all of them are good. It's just what it is. Anytime you deal with them, you will have additional expenses to incur. One, you're dealing with an outside entity and you have to meet their standard, and by meeting their standard, it will take opportunity costs, it takes money, it takes capital, and therefore it will take time. So, not saying they're bad, not saying they're good, it's one of those things that when you get into security, you will deal with government agencies, no matter where you live. You will have to deal with them at some point in time, and you just need to embrace the love and do what they ask and go from there, and then challenge respectfully, if you can. Question 14. Which type of procedure should organizations prioritize to minimize the impact of security breaches? A, emergency procedures. B, preventive procedures. C, corrective procedures. Or D, routine procedures? So which of the following types of procedure should an organization prioritize to minimize the impact of a security breach? And that would be A, emergency procedures, right? Emergency procedures are specifically designed to address unforeseen issues, and therefore prioritizing those over a lot of other things does allow you to respond quickly to incidents or events, to mitigate their impact and therefore minimize the disruption to your company. 
So, again, well-defined emergency procedures, or an incident response plan, are very important to your organization, and you should highly recommend stressing to get that completed. Last question. What aspect should organizations focus on to ensure the reliability and effectiveness of AI-driven anomaly detection systems? A, emergency procedures... or, emergency procedures... algorithmic diversity. See, I couldn't say that. See, it's too early. B, model explainability. C, data volume. Or D, training frequency? Again, which aspect should an organization focus on to ensure reliability and effectiveness of AI-driven anomaly detection systems? Again, it kind of comes back to AI-driven again: model explainability, B. You want to ensure your transparency and understanding of the AI decisions. I'm focusing on that because, out there today, you're going to get all kinds of AI stuff, and you have to have the ability to explain what it does and how it does it, and you have to have transparency on how it's actually doing it, because if you put it in this black box, you don't know what you're getting. It can be very damaging, just because we see it in the political piece of this, not focusing on any political person or any personal thing, but now it can create a lot of different divisive comments that may not be correct, and therefore it's imperative that you understand the model and what it can do from an explanation standpoint. So you must ensure they're reliable, effective and aligned with your organizational objectives, ultimately improving the security posture and operational efficiency. Okay, that's all I've got for today. Again, head on over to CISSP Cyber Training. You can get 60, I repeat, 60 CISSP questions every single month. I used to have them at 30 for the month, but you know what, I realized that took up a whole year, so I crammed them into six months. 
So, because it's six months, and most people study for the CISSP anywhere from three to six months, well, I wanted to give you all the questions you could get. So sign up today. If you go sign up, I mean, it's free. You get free questions. You get 60 questions every single month, and they are available to you. Also, in addition to that, I have lots of CISSP training that's available for your purchase, and there's also a bunch of free content on my site. If you go to my site, realistically, there's a gob of free stuff that you can just watch and ingest, and that, between the 60 questions that you would get plus the free stuff I have, would put you off in a really good spot. However, on the site, I mean, again, I gotta put a plug in, because this is how I pay my bills: you can get access to my blueprint. You get access to all my video training. You get access to me, potentially, depending on what package you purchase. All of that's available to you by going to CISSP Cyber Training. I gotta push it, gotta market it, because guess what? I want you guys... it's not about the money, it's about helping you pass the doggone test. However, I gotta have the time to be able to do these things, and they're available for you, so go check it out. If not, use the free stuff, that's fine too. That'll put you down the way to help you be very successful in passing the CISSP. All right, have a wonderful day and we will catch you on the flip side. See ya.
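The configuration-baseline questions (seven and ten) and the default-credential warning at the top of the episode describe the same check a practitioner would automate: state the desired configuration once, pull what each router actually runs, and report every deviation, with any account still on a vendor default flagged first. The Python below is an added example written for this page; it is not code from the podcast, from Ubiquiti or from any vendor. The baseline keys and values, the two device configurations and the list of default username/password pairs are constructed for illustration, not pulled from a real fleet.

```python
"""Configuration-baseline audit for a small fleet of edge routers.

Added example for this page, not code from the podcast or any vendor.
The baseline, the observed device configurations and the list of
default credential pairs below are all constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed list of (username, password) pairs that ship as vendor
# defaults; any local account still matching one is a critical finding.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("ubnt", "ubnt"), ("root", "root")}

# The configuration baseline: the desired state every edge router is
# compared against. Keys and values are assumptions made for this example.
BASELINE = {
    "ssh.enabled": True,
    "ssh.password_auth": False,      # key-based SSH only
    "telnet.enabled": False,
    "https.mgmt_from_wan": False,    # no management plane on the WAN side
    "ntp.enabled": True,
    "firmware.min_version": (2, 0, 9),
}

# Settings whose deviation directly exposes remote management.
CRITICAL_KEYS = {"ssh.password_auth", "telnet.enabled", "https.mgmt_from_wan"}


@dataclass
class Deviation:
    device: str
    key: str
    expected: object
    observed: object
    severity: str


def _version(s: str) -> tuple[int, ...]:
    """Turn '1.10.11' into (1, 10, 11) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


def check_credentials(device: str, accounts: dict[str, str]) -> list[Deviation]:
    """Flag local accounts that still use a known vendor default pair."""
    return [
        Deviation(device, f"account.{user}", "non-default password", "vendor default", "critical")
        for user, password in accounts.items()
        if (user, password) in DEFAULT_CREDENTIALS
    ]


def check_against_baseline(device: str, observed: dict, baseline: dict = BASELINE) -> list[Deviation]:
    """Report every baseline setting the observed configuration does not meet."""
    findings: list[Deviation] = []
    for key, expected in baseline.items():
        if key == "firmware.min_version":
            running = observed.get("firmware.version", "0")
            if _version(running) < expected:
                findings.append(Deviation(device, key, ".".join(map(str, expected)), running, "high"))
            continue
        got = observed.get(key)
        if got is None:
            # A setting missing from the pulled config cannot be shown to match
            # the desired state, so it is reported rather than assumed compliant.
            findings.append(Deviation(device, key, expected, None, "medium"))
        elif got != expected:
            findings.append(Deviation(device, key, expected, got,
                                      "critical" if key in CRITICAL_KEYS else "high"))
    return findings


def audit(device: str, observed: dict) -> list[Deviation]:
    """Full audit: baseline deviations plus default-credential findings."""
    return check_against_baseline(device, observed) + check_credentials(device, observed.get("accounts", {}))


# Constructed sample configs: one router as it shipped, one hardened.
SAMPLE_CONFIGS = {
    "edge-01": {"ssh.enabled": True, "ssh.password_auth": True, "telnet.enabled": True,
                "https.mgmt_from_wan": True, "ntp.enabled": True, "firmware.version": "1.10.11",
                "accounts": {"admin": "admin"}},
    "edge-02": {"ssh.enabled": True, "ssh.password_auth": False, "telnet.enabled": False,
                "https.mgmt_from_wan": False, "ntp.enabled": True, "firmware.version": "2.0.9",
                "accounts": {"netops": "Kq7!vR2m#pLw9"}},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        for d in audit(name, cfg):
            print(f"{d.device}: [{d.severity}] {d.key} expected={d.expected!r} observed={d.observed!r}")
```

Run as-is, the as-shipped router produces five findings (four critical: password SSH, telnet, WAN-side HTTPS management and the admin/admin account; one high for old firmware) and the hardened one produces none. A setting that is absent from the pulled configuration is reported as a medium finding rather than silently treated as compliant, which is the point of the baseline: you can only detect a deviation from a state you have written down.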

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
