CCT 123: Practice CISSP Questions – Data Security Controls and Compliance Requirements (D2.6)

Mar 14, 2024
 

Confront the cyber siege that has the healthcare industry on high alert; this episode sees me, Sean Gerber, dissecting the harrowing United Healthcare ransomware crisis that's rocked our nation. We're not just crunching numbers here—$22 million in ransom to Black Cat hackers signifies more than a hefty payout, it's a stark reminder of our critical infrastructure's fragility in the face of cyber threats. The recent episodes have armed us with knowledge, and now, it's time to put that to the test with CISSP Question Thursday, giving you the tactical edge to conquer the CISSP exam and fortify your cybersecurity defenses.

As we navigate the Cybersecurity Concepts and Questions segment, prepare for a thorough breakdown of the digital security toolkit—from honeypots that dupe attackers to the emerging realm of Post-Quantum Cryptography. We'll unravel the essentials of digital signatures with RSA, scrutinize the steadfastness of SIEM systems, and demystify access control models that stand guard over our data. By the end of our journey, you'll not only be versed in preventing cross-site scripting catastrophes but also equipped with a CISSP Blueprint for Success, your very own strategic study companion stocked with invaluable resources to guide you through the certification labyrinth. Join me, and together let's transform these insights into an unbreachable cybersecurity stronghold.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Speaker 2:  

Hey y'all, Sean Gerber with CISSP Cyber Training. I hope you all are having a beautiful day today. Today is CISSP Question Thursday. Today we're going to be going over CISSP questions that are tied to the podcast that occurred on Monday. The ultimate goal is to take this information that we've learned from Monday and then put it into action with some of the CISSP questions you can have at CISSP Cyber Training. The ultimate goal is to do that and to help you pass the CISSP exam the first time.

Speaker 2:  

But before we get started, we wanted to throw up a couple of articles that I saw that hit the news just today. One of them is the United Healthcare situation. That was the Change Healthcare environment that got hacked with the ransomware attack that occurred back in January, I should say February 18th or February 22nd, right around that time frame. It appears that they're saying operations will be back up and running by March 18th of this year. So basically, the Change Healthcare situation was they were down for about a month when it was all said and done. Now it appears that there was about a $22 million ransom payment that was made, and we talked about this on one of the podcasts as well. Because of that ransom payment, their operations are going to be going back up. They made the announcement on March 7th, from Reuters, that they are going to be up and operational, and then there's a post that came out that there was $22 million paid to the BlackCat folks in regards to encrypting their systems. The interesting part about all this is that it's sad, because in reality they're paying a ransom for something that they don't get anything for, and then they're going to have to go clean all these systems that have now been infected. So operations will be back up and going.

Speaker 2:  

I know one piece: the Department of Health and Human Services, it appears the United States government got involved somehow. Did they help pay the ransom? I don't know, but they've considered it critical infrastructure to the United States. So therefore one of the headlines reads "the most consequential cyber attack in healthcare history." And that's pretty obvious, right, if you have that many people that are tied to one system. Obviously, if you're just kind of listening to this, the Change Healthcare environment deals with the pharmacies in the United States, and I guess it's kind of like a clearinghouse for the insurance agencies and the overall pharmacists and the small mom-and-pop pharmacies, and because they act as a central point, all of the claims are processed through them, through the various insurance providers that are there, and pretty much 50% of the United States pharmaceutical claims go through this company. Well, looking at it from a security standpoint, that's a bad deal because, like you see what just happened, you hit it, you take it down, you now impact 50% of the United States healthcare as it relates to the insurance industry. Pretty, pretty big deal, and we'll see how this all plays out in the coming months and potentially years.

Speaker 2:  

Then there's this article that came out where ransomware surged up 74% from 2022 to 2023. In 2022, they said, it was approximately $34 million in ransomware attacks, and then in 2023 they're saying it had been up to approximately $60 million. So it's a 74% rise year over year. So it's a pretty big deal as it relates to the amount of money that's lost for nothing, and it does more or less empower the folks that are doing the hacking for trying to steal money from people. They focused on critical infrastructure, critical manufacturing and healthcare; those were the key ones that were attacked. So critical infrastructure aspects, electrical, water and so forth, along with the healthcare and public health sectors, were being targeted as well. And the sad part is, because many of the healthcare places have gobs of IoT-type devices, they have all kinds of devices that are connecting to the internet, so therefore, from an attack standpoint, they are a prime target to get attacked. So it'll be interesting to see where the future takes us, especially since these folks are trying to get money from other individuals. One of the things that kind of comes up: they had talked about the different ransomware attacks, where LockBit had about 175 incidents and ALPHV BlackCat did about 100.

Speaker 2:  

The interesting part, I feel, is that these guys, and I know they realize this, they're not stupid. They've made a lot of money doing a lot of nefarious things, but when you start coming up into that top list with the FBI, you get on the radar real quick that they want to take you down. So I would assume that, especially after this hack, they are probably watching what they're doing, because the attackers are probably the target of the FBI or other government-type entities around the globe. Now, wherever they might be, I have no idea. I have ideas and speculations where they might be. They may not be too concerned about it because they are being shielded by their government, but, that being said, there have been plenty of instances where folks have left their country to go on vacation or go on a holiday and then have the FBI or authorities waiting for them when they arrive. So it will be very interesting. The world is never a dull moment, and especially if you're in cybersecurity, you're going to see more of this and your world is going to be very interesting going forward, no question about it. But again, that's one of the big aspects that I kind of consider, the overall situation with Change Healthcare and where we're going with ransomware-type events.

Speaker 2:  

Okay, so let's get started into some of our CISSP questions. Okay, so this is focused on domain two. If you go to CISSP Cyber Training, you can gain access to these questions, along with a plethora of other questions that are available for you. There's gobs of questions and we keep adding more and more to them each and every week, and these are all available to you. You just have to go there. You can take the tests at your convenience at any point in time and test your knowledge on the CISSP questions. All right, question number one: which of the following is an example of a technical control in information security? So which of the following is an example of a technical control in information security? A, security awareness training; B, security policy; C, firewall rule configurations; or D, risk assessment?

Speaker 2:  

So which of the following is a technical control in information security? And the answer is C. I was going to say the wrong answer myself. It's C, firewall rule configurations. Technical controls are mechanisms implemented through technology to protect the systems and the data. So a firewall rule configuration obviously defines how the traffic is allowed or denied, and the other options are administrative or procedural controls. So the example of a technical control for information security is a firewall configuration. Again, the rest of them are more of an administrative type of control.

Speaker 2:  

Question two: what is the primary purpose of a honeypot in cybersecurity? A, to attract and deceive attackers; B, to detect and prevent malware infections; C, to monitor network traffic; or D, to enforce access controls. Okay, so three of the four actually could fall into those lines, but let's walk through that. Again, what is the primary purpose of a honeypot in security? And the answer is A, to attract and deceive attackers. Obviously we want the honeypot to look like a target, and if it looks like a target, then the attackers may go against it and they may use their tools against it, and it acts as an alarm bell that someone is actually in your network. Now, can you use it to detect and prevent malware infections? It may detect them; it wouldn't necessarily prevent them. And it can monitor network traffic. Many of the honeypots do have some sort of monitoring built into their capability, but that's not their primary function. And then to enforce access control, well, they really don't do that.

Speaker 2:  

Question three: which encryption algorithm is considered quantum resistant and suitable for long-term security? Okay, so which encryption algorithm is considered quantum resistant and suitable for long-term security? A, RSA; B, AES; C, ECC; or D, Post-Quantum Cryptography (PQC). Okay, now you may look at that. Well, that's an easy one, right? Post-Quantum Cryptography? Yeah, it would be. But one of the aspects is there's been a big push that came out of the United States government, and I think it was Carnegie Mellon that worked on it. Was it Carnegie Mellon?

Speaker 2:  

MIT? MIT. They actually came up with a standard to help with post-quantum encryption technology and how to make them so that they're not able to... It's basically, it's not decrypting the overall encryption, breaking the encryption. It's decrypting the actual key is what it comes down to. So Post-Quantum Cryptography, it's answer D. These are designed to withstand attacks from quantum computers, which they have yet to prove can crack it, but they feel confident that it will in the future, and so therefore that is why they're trying to get ahead of it now, to ensure that the algorithms that are out there, that are coming out, will meet the standard of Post-Quantum Cryptography. Question four: what is the purpose of a security token in two-factor authentication? A, to generate a one-time password; B, to store biometric data; C, to verify a user's identity; or D, to encrypt communications. So what is the purpose of a security token in two-factor authentication? And the answer is A, to generate a one-time password. Security tokens are there to generate this one-time password, which is called an OTP. You may see that acronym when you're studying for the exam, and it is part of the second factor of the two-factor authentication. So that's the purpose of the security token within two-factor or multi-factor authentication. Question five: which security model enforces the principle of least privilege? A, Biba; B, Bell-LaPadula; C, Clark-Wilson; or D, Brewer-Nash? Which security model enforces the principle of least privilege? And the answer is B, Bell-LaPadula. I can never say it right. The Bell-LaPadula model does focus on confidentiality and enforces the principle of least privilege. Question six: what is the primary purpose of security information and event management systems? Okay, so a SIEM. You'll hear a lot of talk about the SIEM. What is the primary purpose of one of those? A, to prevent security incidents; B, to manage user access; C, to detect and respond to security events; or D, to encrypt the data at rest? Okay, so it could be used to help prevent a security incident from getting larger than what it is, or a security event from becoming an incident. But what it really comes down to is D, it is designed to detect and respond to security events that may be happening within your environment. That is the purpose of a SIEM. Question seven: which cryptographic algorithm is used for digital signatures? A, RSA; B, AES; C, SHA-256; or D, Diffie-Hellman? Okay, which cryptographic algorithm is used for digital signatures? And the answer is A, RSA. It's commonly used for digital signatures. It can be used for encryption, but mainly it's designed for data integrity and authenticity when you're dealing with the digital signature aspect.

Speaker 2:  

Question eight: what is the purpose of a security control baseline? A, to define security policies; B, to establish security requirements; C, to assess risk; or D, to measure compliance? Again, what is the purpose of a security control baseline? And the answer is B, to establish security requirements. That's the main purpose of it, and it's basically so that security controls can be implemented across an organization. That's the ultimate goal of a security control baseline. Question nine: which access control model uses access control lists, otherwise known as ACLs? A, mandatory access controls; B, role-based access controls; C, rule-based access controls; or D, discretionary access controls? Which access control model uses access control lists, ACLs? And the answer is D, discretionary access controls, DAC. They use access controls for their own resources by the use of ACLs.

Speaker 2:  

Question 10: what is the purpose of a certificate revocation list, otherwise known as a CRL? Okay then, when we're dealing with PKI, what is the purpose of a CRL? Why do they have them? A, to issue digital certificates; B, to verify the certificate's authenticity; C, to manage certificate expiration; or D, to revoke compromised certificates. So, again, they can do a lot of different things, but the main purpose of a CRL within the PKI infrastructure, which is your public key infrastructure, is D, to revoke compromised certificates. It goes out there; if it's not trusted by relying parties, it will then revoke them, and that's the overall purpose of that CRL.

Speaker 2:  

Question 11: which security control is used to prevent cross-site scripting, or X-ray Sierra-Sierra, attacks? Cross-site scripting attacks, but you'll see the common acronym for it is XSS, or X-ray Sierra-Sierra. So which security control is used to prevent these attacks from happening? A, input validation; B, output encoding; C, intrusion prevention systems; or D, segmentation. So when you're dealing with input validation, it's a very good point to put in, but when you're dealing with a cross-site scripting attack, output encoding is an important factor, which is C, and this involves converting certain characters from the data's output in the web application to ensure that it's in a safe format and it's not executable by the browsers. This does prevent malicious scripts from being injected and executed within the essence of the cross-site scripting attack. Now, input validation will also be a factor to help that, but when you're dealing with output encoding, that's a bigger factor. It does help better than just the input validation piece of this.

Speaker 2:  

Question 12: what is the primary purpose of security incident response planning? Okay, the primary purpose of security incident response planning: A, to prevent security incidents; B, to detect security incidents; C, to respond effectively to security incidents; or D, to recover from an incident that just occurred. What is the primary purpose of a security incident response plan? And the answer is C, to respond effectively to security incidents. That's the overall goal of a security incident response plan, because, again, if you don't respond effectively and quickly, it can very quickly get out of hand. So you want to make sure that you respond effectively to these incidents and not make bonehead mistakes like I have done on various occasions.

Speaker 2:  

All right, question 13: which authentication factor is considered the strongest for user identification? A, something the user is; B, something the user knows; C, something the user has; or D, something the user does. So each of those is very important, right, for authentication, but what is considered the strongest as it relates to user identification? And typically the answer is A, something the user is. The reason I say typically is because something the user is, is biometrics, but they've been able to figure out how to get around some of that now, even as it relates to fingerprints and so forth, especially as AI is becoming, and I say AI, it's really ubiquitous, the fact that there are these models that are able to... These fast learning models are able to make changes. They are able to get around, from what we see, some ideas that they're potentially able to get around some of the biometric aspects of it. So that will be very interesting in the future to see how people talk about biometrics and which ones are actually more secure than others.

Speaker 2:  

Okay, question 14: what is the purpose of a security control assessment? A, to identify vulnerabilities; B, to enforce access controls; C, to measure compliance; or D, to create security policies. So what is the purpose of a security control assessment? A, to identify vulnerabilities. That's the ultimate purpose of doing a security control assessment, which we've done lots of, way too many, and the point of it, though, is it does help you evaluate the effectiveness of the implemented controls and identify weaknesses to ensure you're complying.

Speaker 2:  

Question 15: which security control is used to prevent session hijacking attacks? Last question: which security control is used to prevent session hijacking attacks? A, input validation; B, session timeouts; C, IDS, or intrusion detection systems; or D, network segmentation? Again, which one is used to prevent a session hijacking attack? Again, use the term, the word that's in the overall sentence, and that's session. So how would you stop someone from stealing your session on a browser? You would limit, you'd have timeouts set up that would ensure that inactive sessions are terminated, reducing the window of opportunity. Now, this can be very annoying at times when you hit a timeout, but it's a way to help prevent some of that attacking from occurring.

Speaker 2:  

All right, that's all I've got for you today. Hey, go to CISSP Cyber Training, go check it out. I want to let you know also, I am quitting my full-time job and I'm going to be becoming a consultant, and so there are some great opportunities that are going to be coming our way, but the great part about being a consultant is I get a little bit more freedom to say what I want to say, and I'm excited about that. Obviously, I won't be talking about anything about my company, but it's a little bit more of a relief in some respects. So you'll be getting a little bit more aspects around the CISSP, a little bit deeper in some areas than I have been in the past, which is awesome. But go check out CISSP Cyber Training.

Speaker 2:  

I've got some great products out there for you. There's a lot of free stuff. There's gobs of free stuff. That's more than enough for you to be able to get what you need to help pass the CISSP exam. Just go to CISSPCyberTraining.com.

Speaker 2:  

However, if you go and you sign up, you can get my paid products, my blueprint. My blueprint is amazing. It will help you, step by step by step, get through the CISSP. I guarantee you it will. It'll help you with the guidance that you need if you're doing the self-study model. There are a lot of programs out there that will say they can help you. This one, with the blueprint, will do that, just because it walks you through each individual piece of when you should study, what you should study and, in some respects, how you should study and plan to take the CISSP exam. If not, that's great. Well, go out there and get the free stuff as well. It's all available for you, all right? Thanks so much for today. Have a great day and we will catch you guys all on the flip side. See you.
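The output-encoding control from question 11 above, as an added example that is not part of the podcast or its study material. The helper names are hypothetical, the sample comment is constructed, and it shows untrusted text being encoded for the HTML context it lands in (element body versus attribute), with an allow-list validation check alongside as the complementary control.

```javascript
// Added example (not from the podcast): context-aware output encoding, the
// control discussed in question 11, so untrusted text is displayed as text
// rather than interpreted as markup by the browser. Helper names are hypothetical.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode for element body context (text between tags): the five characters
// that can open or close a tag, an entity or a quoted string become entities.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode for a quoted attribute value. Attribute context is stricter: every
// non-alphanumeric code point becomes a numeric entity, so nothing in the
// value can close the quote or introduce a new attribute.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => {
    return `&#x${ch.codePointAt(0).toString(16)};`;
  });
}

// Input validation, the complementary control: an allow-list for the author
// field rejects malformed data before it is ever stored.
function isValidAuthor(author) {
  return /^[A-Za-z0-9 ]{1,40}$/.test(author);
}

// Render a comment card. The author lands in an attribute and the body in
// element text, so each is encoded for the context it is written into.
function renderComment(author, body) {
  return (
    `<div class="comment" data-author="${encodeForHtmlAttribute(author)}">` +
    `<p>${encodeForHtml(body)}</p></div>`
  );
}

// Self-check: no tag taken from the untrusted input survives verbatim in the
// rendered output (the only tags left are the trusted template's own).
function containsRawTagFromInput(rendered, untrusted) {
  const tags = String(untrusted).match(/<[^>]*>/g) || [];
  return tags.some((t) => rendered.includes(t));
}

// Constructed sample: a comment body carrying a script tag and an author name
// with characters that would matter inside an attribute.
const sampleBody = 'Nice post <script>alert("x")</script>';
const sampleAuthor = "O'Brien & Co";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderComment(sampleAuthor, sampleBody));
}
```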

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
