CCT 313: CISSP Practice Questions and AI Agents As The New Insider Risk
Jan 08, 2026
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
What happens when your “helper” becomes your riskiest insider? We dig into the fast-approaching reality of AI agents acting with superuser access, approving transactions, and even signing contracts—creating doppelganger identities that expand attack surfaces in unexpected ways. Drawing from recent headlines and real operations experience, we break down how least privilege, identity governance, and auditable workflows can keep autonomy from turning into an open door.
From there, we get tactical with CISSP-grade scenarios that force hard choices under pressure. An unauthorized “emergency” firewall change takes down a service—how do you keep agility without chaos? A SOC drowns in 10,000 alerts a day—what truly cuts noise while catching multi-stage attacks? We make the case for SOAR playbooks that enrich, correlate, and act, turning acronym soup into a coherent response engine. When teams push back on PAM, we show how to implement full recording and vaulting without slowing incidents by using auto-approved, time-bound emergency access and strict post-incident review.
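To show what "enrich, correlate, and act" looks like in practice, here is an added example written for this page (it is not code from the podcast or from any SOAR product). It takes a constructed batch of SIEM-normalised alerts from IDS, EDR and DLP, enriches each host from a constructed asset inventory standing in for the CMDB, applies one correlation rule that looks for an ordered exploit-to-exfiltration chain inside a time window, and picks a playbook action per incident. Hostnames, timestamps, alert types, the chain stages and the 30-minute window are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in the normalised shape a SIEM hands to a SOAR.
# Hostnames, timestamps and alert types are placeholders, not real telemetry.
RAW_ALERTS = [
    {"ts": "2026-01-08T09:00:05", "source": "IDS", "severity": "low",    "host": "web-01", "type": "scan_probe"},
    {"ts": "2026-01-08T09:00:09", "source": "IDS", "severity": "low",    "host": "web-01", "type": "scan_probe"},
    {"ts": "2026-01-08T09:01:00", "source": "IDS", "severity": "medium", "host": "web-01", "type": "exploit_attempt"},
    {"ts": "2026-01-08T09:02:30", "source": "EDR", "severity": "medium", "host": "web-01", "type": "suspicious_child_process"},
    {"ts": "2026-01-08T09:04:10", "source": "DLP", "severity": "medium", "host": "web-01", "type": "bulk_outbound_transfer"},
    {"ts": "2026-01-08T09:05:00", "source": "EDR", "severity": "low",    "host": "hr-07",  "type": "usb_inserted"},
    {"ts": "2026-01-08T13:30:00", "source": "IDS", "severity": "medium", "host": "web-02", "type": "exploit_attempt"},
    {"ts": "2026-01-08T14:00:00", "source": "DLP", "severity": "low",    "host": "fin-03", "type": "email_policy"},
]

# Constructed asset inventory used for enrichment; a real SOAR would query the CMDB.
ASSETS = {
    "web-01": {"tier": "internet-facing", "owner": "platform"},
    "web-02": {"tier": "internet-facing", "owner": "platform"},
    "hr-07":  {"tier": "internal", "owner": "hr"},
    "fin-03": {"tier": "internal", "owner": "finance"},
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_TO_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

# Assumed multi-stage pattern the correlation rule looks for, in order, across sources.
KILL_CHAIN = ("exploit_attempt", "suspicious_child_process", "bulk_outbound_transfer")
CHAIN_WINDOW = timedelta(minutes=30)


def chain_stages_seen(alerts):
    """Count how many kill-chain stages appear in order, all within CHAIN_WINDOW of the first."""
    stage = 0
    first_ts = None
    for a in sorted(alerts, key=lambda a: a["ts"]):      # ISO timestamps sort lexically
        if stage < len(KILL_CHAIN) and a["type"] == KILL_CHAIN[stage]:
            ts = datetime.fromisoformat(a["ts"])
            if first_ts is None:
                first_ts = ts
            if ts - first_ts <= CHAIN_WINDOW:
                stage += 1
    return stage


def build_incidents(alerts, assets):
    """Correlate per host, enrich with asset context, and decide the playbook action."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)

    incidents = []
    for host, host_alerts in by_host.items():
        stages = chain_stages_seen(host_alerts)
        if stages == len(KILL_CHAIN):
            severity = "critical"        # full chain: exploit -> process -> exfiltration
        else:
            severity = RANK_TO_SEVERITY[max(SEVERITY_RANK[a["severity"]] for a in host_alerts)]

        asset = assets.get(host, {"tier": "unknown", "owner": "unknown"})
        # Playbook: contain the full chain, ticket anything medium or above, log the rest.
        if severity == "critical":
            action = "isolate_host_and_page_oncall"
        elif SEVERITY_RANK[severity] >= SEVERITY_RANK["medium"]:
            action = "open_ticket"
        else:
            action = "log_only"

        incidents.append({
            "host": host, "severity": severity, "stages": stages,
            "alert_count": len(host_alerts),
            "sources": sorted({a["source"] for a in host_alerts}),
            "tier": asset["tier"], "owner": asset["owner"], "action": action,
        })
    return incidents


def triage(alerts=RAW_ALERTS, assets=ASSETS):
    """Run the pipeline and report how much of the raw volume actually reaches a human."""
    incidents = build_incidents(alerts, assets)
    to_analyst = [i for i in incidents if i["action"] != "log_only"]
    return {
        "raw_alerts": len(alerts),
        "incidents": incidents,
        "to_analyst": len(to_analyst),
        "auto_handled": len(incidents) - len(to_analyst),
    }


if __name__ == "__main__":
    result = triage()
    print(f"{result['raw_alerts']} raw alerts -> {len(result['incidents'])} incidents, "
          f"{result['to_analyst']} need an analyst")
    for inc in result["incidents"]:
        print(inc)
```

On the constructed batch, eight raw alerts collapse to four incidents, and only two reach an analyst: the web-01 chain, which no single low or medium alert would have escalated on its own, and the lone exploit attempt on web-02. The two low alerts on internal hosts are logged rather than dropped, so the "mediums and lows feed the highs" concern from the episode is preserved; the window check in `chain_stages_seen` is what keeps an unrelated exfiltration hours later from being stitched onto an old exploit attempt.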
Then we navigate the thorniest problem in modern defense: patching during active exploitation when fixes break critical APIs. Instead of hair-on-fire deployments or risky delays, we map compensating controls—WAF hardening, segmentation, and targeted monitoring—while working toward a compatible patch path. And when a high-value database shows 45 days of persistence, we explain how to capture live memory and disk snapshots, coordinate isolation during a maintenance window, and communicate risk tradeoffs to leadership without tipping attackers or losing evidence.
If you want clear, applied guidance on AI insider risk, emergency change control, alert fatigue, PAM adoption, patch strategy, and forensics versus uptime, this conversation delivers practical answers you can put to work today. Subscribe, share with your team, and leave a review—what decision here changed how you’ll handle your next incident?
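The PAM approach the episode lands on, full vaulting and session recording plus auto-approved, time-bound access during a declared incident with post-incident review, is easy to describe and easy to get subtly wrong. The following is an added example written for this page (not the podcast's code and not any PAM vendor's API) that models that control flow in memory: a request auto-approves only while the cited incident is open, every grant carries its own expiry, every command executed under a grant is recorded, and every auto-approved grant is queued for review. The broker class, the four-hour TTL, the incident and host identifiers, and the commands are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed emergency-access lifetime; a real deployment would set this per policy.
EMERGENCY_TTL = timedelta(hours=4)


@dataclass
class Grant:
    user: str
    target: str
    incident_id: str
    issued_at: datetime
    expires_at: datetime
    approved_by: str
    session_log: list = field(default_factory=list)   # (timestamp, command) pairs: the recording


class PamBroker:
    """Constructed stand-in for the PAM approval path; not a real product's interface."""

    def __init__(self):
        self.open_incidents = {}   # incident_id -> declared_at
        self.grants = []           # every grant ever issued
        self.pending = []          # requests that still need a human approver
        self.review_queue = []     # auto-approved grants awaiting post-incident review

    def declare_incident(self, incident_id: str, at: datetime) -> None:
        self.open_incidents[incident_id] = at

    def close_incident(self, incident_id: str) -> None:
        self.open_incidents.pop(incident_id, None)

    def request_access(self, user: str, target: str, now: datetime,
                       incident_id: Optional[str] = None) -> Optional[Grant]:
        """Auto-approve only against a currently open incident; otherwise queue for a human."""
        if incident_id is not None and incident_id in self.open_incidents:
            grant = Grant(user, target, incident_id, now, now + EMERGENCY_TTL,
                          approved_by="auto:declared-incident")
            self.grants.append(grant)
            self.review_queue.append(grant)
            return grant
        self.pending.append((user, target, now, incident_id))
        return None

    def run(self, grant: Grant, now: datetime, command: str) -> bool:
        """Execute under the grant: refuse once expired, otherwise record the command."""
        if now >= grant.expires_at:
            raise PermissionError(
                f"grant for {grant.user} on {grant.target} expired at {grant.expires_at.isoformat()}")
        grant.session_log.append((now.isoformat(), command))
        return True


def run_scenario() -> dict:
    """Walk one constructed incident through the broker and return what a review would check."""
    broker = PamBroker()
    t0 = datetime(2026, 1, 8, 2, 0)   # constructed 02:00 page-out

    # 1. Routine request with no incident declared: goes to the normal approval queue.
    routine = broker.request_access("alice", "db-prod-01", t0)

    # 2. Incident declared; the same request now auto-approves with the TTL clock running.
    broker.declare_incident("INC-0001", t0)
    grant = broker.request_access("alice", "db-prod-01", t0 + timedelta(minutes=5),
                                  incident_id="INC-0001")

    # 3. Work under the grant is recorded command by command.
    broker.run(grant, t0 + timedelta(minutes=10), "SHOW PROCESSLIST")
    broker.run(grant, t0 + timedelta(minutes=12), "KILL 4242")

    # 4. The grant refuses work after its TTL even though the incident is still open.
    expired_refused = False
    try:
        broker.run(grant, t0 + timedelta(hours=5), "SHOW PROCESSLIST")
    except PermissionError:
        expired_refused = True

    # 5. Once the incident is closed, citing its id no longer auto-approves anything.
    broker.close_incident("INC-0001")
    stale = broker.request_access("bob", "db-prod-01", t0 + timedelta(hours=6),
                                  incident_id="INC-0001")

    return {
        "routine_auto_approved": routine is not None,
        "stale_incident_auto_approved": stale is not None,
        "auto_approved": len(broker.grants),
        "pending_human_approval": len(broker.pending),
        "recorded_commands": len(grant.session_log),
        "expired_refused": expired_refused,
        "queued_for_review": len(broker.review_queue),
        "review_items": [(g.user, g.target, g.incident_id, g.approved_by) for g in broker.review_queue],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two properties worth checking in any real deployment are the ones the scenario exercises: the fast track is keyed to an incident that is actually open (not merely a string in the request), and a grant dies on its own clock rather than when someone remembers to revoke it. The review queue is what turns "auto-approved" into "auditable" after the fact.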
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Good morning everybody. It's Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday, and we are excited about getting into some CISSP questions as we march right on into 2026. So we are excited about this new year. It's going to be amazing for everybody. I know it. I have some great plans for CISSP Cyber Training, as well as getting some things set up for a long-term play. So we're pretty excited about that. And I know you all are wanting to get your CISSP done this year. So we are going to put some things in place to help you do that even better. I have no question or doubt in my mind about that. But before we get started into what we're going to talk about as it relates to the CISSP questions, I wanted to go into an article that I just saw today. This was on The Register. Now, The Register is a UK publication, but they have some really great content that they bring out that I always think is very good. This one actually made me scratch my head just a little bit, and I was like, oh, I didn't even think about this, because it's all so new, right? So the question is this: it's around "Palo Alto Networks security intel boss calls AI agents 2026's biggest insider threat." Now, insider risk is a big issue that I've dealt with for many, many years, and it should be a big issue for all companies. Now, if you are in any sort of regulated space, you have to have some level of insider risk program operating. And so that makes it something that you have to go out and do. Now, that being said, this was an interesting article because it's calling out the AI agents and how they're becoming the proxies for insider risk. And the main point is that this individual, Wendi Whitmore, she's the CISO for Palo Alto, warns that AI agents will become the biggest insider threat in '26.
Basically, they're going to be the insider, and they're going to be co-opted by the bad guys and girls on the outside. The superuser problem is what they're talking about. And this is where the AI agents have to be a superuser, and they have to run as a superuser because of the permissions they need to be able to do different kinds of tasks. The interesting part is that, as we all know, there are different capabilities out there with the chats and the Claudes and all of these different LLMs that are going to be doing these operations for you. And they're going to be doing contract signing, contract reviews, all of those pieces. And they're calling that the doppelganger risk, because the companies are deploying AI agents to handle executive-level tasks like approving transactions or signing contracts, which potentially could lead to unauthorized access, right? So you have somebody, or an LLM, that's going to go and now sign things for you, or on your behalf, as you. So the doppelganger piece comes into play. There's more than one you. So that's an interesting piece of this. Now, the other metric that I just about fell over in my chair at was the fact that Gartner predicts that 40% of enterprise apps will integrate AI agents by the end of '26. Okay, so they're going to integrate these agents into doing these different types of things, right? And they probably won't have the architecture or the security in place for them. And so this is where, I mean, 40% is a lot. Well, here's the key on this that I think: okay, that's a lot. But it was up from less than 5% in 2025. So it's going to go up 35% completely. And that's huge, because now, if a company is doing this, they are potentially at much more risk of having this doppelganger actually provide information out to people outside the organization. So they're already talking about how attackers will implement, or are already attacking, AI systems.
They had an incident; Whitmore cited this September incident where Chinese attackers used Anthropic's Claude Code to automate intelligence-gathering attacks. So as a red teamer, I did this all the time, right? We did intelligence gathering for organizations, and we would spend six weeks doing that. Well, now the Chinese in this specific situation used Claude to gather intelligence on the organization, using Anthropic's Claude, right? So that's an interesting part of all of that. Prompt injection attacks remain a critical vulnerability with no fixes in sight. And then the bottom line, though, is you need to use least privilege on everything, right? So even with the AI folks, you need to have least privilege to sensitive data and the various systems that go with it. So if you haven't had a security person that's involved in AI within your organization, you may want to consider that pretty hard. Now, those people out there are like unicorns of unicorns. You can't really find them. So what I would recommend is that you, as a security professional, become the unicorn. Yes, you do that. You learn, you grow, you become something more than what you are, right? That's like the phoenix coming out of the flames. That's you. So you can learn to do these things, and if you learn to do them, then you can become the unicorn of unicorns. Yeah, that's pretty cool. Yeah, it actually is. I should patent that. The unicorn of unicorns. Anyway, back to the article. Does your CEO have an AI doppelganger? You're going to need to make sure that your folks understand the risks that are associated with integrating AI within your company, and that you have good plans in place to minimize that at all costs. Okay, so that's all I've got from the article. Go check that out at The Register. This is "Palo Alto Networks security intel boss calls AI agents 2026's biggest insider threat." Yeah, I totally agree with it completely.
All right, so before we get into what we're going to talk about today with some of the CISSP questions, head on over to CISSP Cyber Training and get access to all my free content. I have tons of free content available to you. There's all the questions. I've got probably close to 400 different questions that are available for free for you to be able to go and start studying for the CISSP exam. I have my rapid review audio and videos that are available for you, my essential CISSP study guide; all of that is available for you specifically to get ready for the CISSP exam. So all of that is there, ready and rocking and ready to go. So the bottom line is, go check it out. If you need some more concierge-type help, I have that available to you at CISSP Cyber Training. And then also, if you're needing assistance in your career or in architectural support, I have a list of consultants who can help you in that space as well. So we're all here for you. Just reach out to me at contact at CISSP Cyber Training, and I'd be happy to help you in any possible way you may need. All right, so let's get into our questions for today. Okay, so questions. This is based on Domain 7.1, and these are the deep-dive questions that you can have access to at CISSP Cyber Training. Okay, the first question: a security operations team is implementing a configuration management database, CMDB, to track all IT assets and their relationships. During a recent incident, an unauthorized change to a critical firewall rule set caused a service outage. Mm-hmm. The change was made by a senior network engineer who claimed it was an emergency fix. Which of the following would best prevent this type of incident while maintaining operational efficiency? Well, so again, you had a CMDB tracking assets. During a recent incident, an unauthorized change occurred. That's bad.
And then it caused an outage, but the senior network engineer came up and said, "It was me, I did it." Okay, which is great, right? He took ownership. Nobody just sat there and looked at each other and went, "I didn't do it. It wasn't me, I didn't do it." So let's look at some of the answers associated with this question. A. Establish an emergency change process with predefined criteria requiring after-the-fact review and documentation within 24 hours. B. Implement a change advisory board, or a CAB, that must approve all changes before implementation with no exceptions. C. Remove elevated privileges from all engineers and require that only the security team can make the firewall changes. Or D. Implement automated rollback capabilities that revert any unauthorized change within five minutes. Okay, so let's go through which answers are not correct, and then we'll kind of go from there. So implement automated rollback capabilities, answer D, that revert unauthorized changes within five minutes. Okay, this would not be good, right? Because if you're doing that, this automated rollback would end up rolling everything back. So that is not something that you would want to do within your company. You just wouldn't want to do that. Next one is remove elevated privileges from all engineers and require that only the security team can make firewall changes. Okay, so we know it's the senior network engineer. Now, as a senior network engineer, he or she probably has some level of credentials that allow them to make these changes as necessary, because, hence, it's in their title: network. So I would not be removing the privileges from these folks. That's a bad thing. That's kind of what they have to do; it's their job. So removing elevated privileges from all engineers, again, you're looking for absolutes. If you see "all," that's not good, right?
So if you're taking this test and you see "all engineers," requiring that only the security team make all the firewall changes, we're going to remove all their access, that is something you would probably flag as an answer that would be incorrect. Next one is implement a change advisory board that must approve all changes before implementation with no exceptions. Okay, so "no exceptions," that's a problem, right? And then implement a change advisory board that must approve all changes. Now, that is not bad, right? That's okay. And that might be the red herring that you glom onto and go, oh, change advisory board, I'm going for it. But you would be wrong. So the change advisory board is good, but when it comes down to saying "no exceptions," there have to be exceptions, because there always are exceptions. So the answer would be A, establish an emergency change process with predefined criteria requiring after-the-fact review and documentation within 24 hours. So in this case here, you have an emergency change process, which is part of your change management program, and that's part of the CAB that's most likely involved. But this emergency change process needs to be available and flexible for changes that have to occur within the network, especially if they're needed, if something bad happens. So that is an important part. After-the-fact review is an important aspect, because now, once it's completed, you review what you did, other people are involved, and the security engineer just can't go rogue and start making changes. And then there has to be documentation within a period of time. This one says 24 hours. It could be a little longer depending upon your company's organization, but I would recommend it's not much more; I'd put it at a business-day type of thing, where you have documentation within two business days or three business days.
The reason I say the 24 hours is because that clock starts ticking, and then next thing you know, they're already blowing through that SLA. So just kind of think about what that might be for you and your company to do for that. All right, next question: an organization's security operations center is experiencing alert fatigue. Oh yes, I can see that so often. With analysts receiving over 10,000 alerts daily. Yeah, that would drive you nuts. The CISO wants to improve the signal-to-noise ratio without increasing the risk of missing critical security events. The organization has deployed SIEM, IDS/IPS, EDR, and DLP solutions, all of the acronyms that you want with your acronym soup. Which approach would be the most effective improvement in detection capabilities while reducing analyst workload? Okay, that's a lot of words. So let's go back over it again. So your SOC, right? They have alert fatigue, and they get 10,000 alerts a day. So that's a lot. The CISO wants to improve the signal-to-noise ratio, and he wants to fix this, he or she. The organization has deployed, obviously, your SIEM, your IDS and IPS, your endpoint detection and response, and DLP. So all that is deployed. What is the most effective improvement in detection capabilities while reducing the analyst workload? All right, first answer. A. Increase alert thresholds across all security tools to reduce the volume of low-severity alerts by 70%. That's a possibility. Not saying that's good or bad. That's a possibility. B. Implement a tiered alerting system where only high-severity alerts are sent to analysts, with medium and low alerts logged for weekly review. Okay, that could be good. Just depends, right? Depends, out of the 10,000, how many are you dealing with? So if you went from 10,000 low-level alerts and you have, like, one high severity, you go, okay, let's just do the high severity.
Something to think about. C. Deploy a security orchestration, automation, and response solution with automated playbooks for common alert types and correlation rules that identify attack patterns across multiple data sources. Okay, SOAR. So SOAR is an important part of any SIEM deployment, and you want to think about that. So we'll come back to that one. And then D. Assign each analyst specific tools to monitor, creating specialization and reducing the cognitive load of context switching. Okay, so let's kind of walk through these. And again, you're looking at this as a manager, as someone who's trying to manage the risk to your organization and manage the people. So, what would you do? So we kind of already talked about A a little bit as not being correct, because you could run the risk... not to say you shouldn't potentially increase the alert thresholds. That may be a good thing, but increasing those thresholds to get you to 70% might be too much, especially if it's 10,000 alerts a day and most of them are medium and low; you pretty quickly would not have a whole lot to do, maybe. So it's just something to consider. Now, implement a tiered alerting system where only high-severity alerts are sent to analysts, with mediums and lows logged for a weekly review. Now, a lot of times lows and mediums will lead to highs. So having somebody look at those is important. This isn't a bad thing, where you have high-severity alerts sent to the analysts with your mediums and lows tagged for weekly review. I would probably say those need to be tagged for a bi-weekly review, maybe in a bi-weekly sprint. Maybe you have a stand-up in the morning and you want to go through some of the low and medium alerts that are there. Find out the bandwidth of your folks, and then have that set up to go do that. Now, the thing I would say is that you need to have SLAs in place so that the weekly review doesn't get pushed off.
As the tyranny of the urgent occurs and people start getting busier and busier, the weekly review ends up getting pushed further and further away. And next thing you know, you have all these low and medium alerts that are piling up. So it is viable, but it's not the most effective, I would say, in this case. The next one was assign each analyst specific tools to monitor, creating specialization and reducing the cognitive load of context switching. So it's a big way to just basically say they can't keep their focus on multiple tools, so just give them one tool to focus on. And so if you're going to be focusing on just one tool, which is great, there's nothing wrong with that, but it's probably not the most effective use of your people's time. Because if they already have alert fatigue, they're going to go brain-dead just looking at all of these different alerts coming in. They're going to go, oh my gosh, shoot me now. You know, it's going to be like, put bamboo shoots under my fingernails. This is no fun. So you're going to want to make sure that that's probably not the best solution. It might be for the short term, but for the long-term play, no, not so good. So, what do you want to do? You want to deploy automation within your organization. More automation can be very good. And a SOAR tool, which is your security orchestration, automation, and response, with the associated playbooks, can be extremely valuable to you. Now, I will tell you that deploying a SOAR within your organization, if you've never done it, can be a laborious process. And I would highly recommend that you get someone to help you with that. I know people; reach out, I can help you with the right people. But SOAR is a very good tool to help you orchestrate between all these automated aspects. It will help dramatically reduce the amount of fatigue that your folks are going through when they're triaging all these different alerts that are popping up.
The other thing it's going to do is it's going to give your folks something else to do, and it's going to give them a skill that they can utilize in other places. So it's a good thing. I highly recommend it. Next question. A financial services organization is implementing a privileged access management, or PAM, solution. The IT operations team is resisting the implementation, arguing that the password vaulting and session recording will significantly slow down their incident response capabilities. Haha, I've heard that before. As the security manager, you need to balance security requirements with operational needs. Which implementation approach would best address both concerns? Okay, so you've got to deploy a PAM. And in some cases, your regulatory requirements are going to force you to deploy the PAM. That's a lot of P's. So there's a lot of stuff in there, right? So your folks that are security folks, they may not have a choice whether they like it or not. They're going to get it. So again, being a manager, you've got to think about how do I make this pill go down smoothly. So, what are some of the answers? A. Implement a PAM solution with full password vaulting and session recording for all privileged accounts, but create, aha, an emergency break-glass account with a sealed envelope containing credentials stored in a physical safe. Okay, that's not bad. B. Configure the PAM solution to use password vaulting and a check-in/check-out process, but disable session recording for the IT operations team to maintain their trust and cooperation. Yeah, I've got questions on that one. C. Phase the implementation by starting with password vaulting only, planning to add session recording after six months once the team is comfortable with the new workflow.
Or D. Deploy PAM with full features, but implement a fast-track approval process where privileged access requests are auto-approved during declared incidents, with full session recording and automated post-incident review. Hmm, I like that one. But let's talk about the ones that are not good. So implement a PAM solution with full password vaulting and recording for all privileged accounts, but create an emergency break-glass account with sealed envelopes containing credentials stored in a physical safe. Okay, so this is not terrible. Actually, I've done something similar to this in the past. The downside with it is you're now adding a lot of complexity into this issue. One, you're creating an emergency break-glass account that you have credentials for that are in a vault that you have to go to. Now you have to remember the password for the vault or the key code, and then you have to have the process by which you're pulling this thing out, cracking it open, and utilizing it. It's very reminiscent of the two-factor control on nuclear missiles, right? Crack it open, look at it, okay. Ready? Proceed to launch. Yes, let's proceed to launch. It's a lot like that. And is it wrong? No. Is it the best? No, it's not the best. Configure the PAM solution to use password vaulting, check-in/check-out processes, but disable session recording for the IT operations team to maintain their trust and cooperation. You just tell them to get on board. They don't have to worry about their trust and cooperation. It's trust, but verify. That's it. From a wise sage of the U.S., years gone by: trust, but verify. Okay. If you know who that person is, you're old like me. But no, that's not a good solution. They just need to incorporate it, and that's okay. They'll be fine.
Phase the implementation by starting with password vaulting only, planning to add session recording in six months after the team is comfortable with the new workflow. That's not to say that's a bad thing. I would say, if someone's really pushing back on you hard and they're going to, like, revolt and jump off the ship, and you don't have anybody else to replace them when they jump off into the ocean, then I would recommend, yeah, that could be an option. Maybe not six months, but maybe a period of time to make them feel more comfortable. The last one, which is the correct answer, is to deploy PAM with full features, but implement a fast-track approval process where privileged access requests are auto-approved during declared events. So again, if you have a declared event, then they're auto-approved and you move on. I would say that's probably your best option out of the four, just because it will meet all the needs that you have, and it also helps the whining stop, because, yeah, they're like, what if I need to do it? You take the what-ifs out of all this. It's just always interesting working with people. The next question: an organization operates a hybrid environment with on-prem data centers, infrastructure-as-a-service cloud infrastructure, and SaaS applications, software as a service. A critical vulnerability, CVSS 9.8, was announced, affecting the organization's web application framework. Okay, React2Shell, the new one? React2Shell. That's one right there. That's, like, a 10. The vendor releases a patch, but initial testing shows it breaks integration with a business-critical third-party API. The vulnerability is being actively exploited in the wild. What is the best course of action? Raise the klaxon, turn it on. It's 9.8 and it's everywhere, it's in the wild. So what should we do? Everybody run around. No, okay. It's not that critical. I mean, it is critical, right?
I'm not saying it's not, but sometimes we make more of it than it actually needs to be. Anyway, that being said, so you have a mix: you have IaaS, you have SaaS, and you have a very big vulnerability that is now being actively exploited in the wild against your web application framework, which is your front-facing stuff. So that's kind of important. Initial testing shows that it breaks integration with your critical third-party APIs. So what should you do? First answer, A: deploy the patch immediately to all systems despite the API breakage, as the CVSS score and active exploitation make this a critical security risk that outweighs business functionality. This is what I came back to, right? Everybody's running around like their hair's on fire because it's critical and it's being actively exploited. Yes, and you need to get at it as soon as you possibly can. You don't delay, you get at it today, but you don't need to freak out. All right, this is where the management piece comes into play. Uh oh, I kind of already told you that one wasn't good. Sorry. All right, so then moving on to the next one. B: implement compensating controls, WAF rules, network segmentation, increased monitoring, while working with vendors to resolve the API compatibility issue, and then deploy the patch. Next answer, C: patch only internet-facing systems immediately, defer internal systems until the API issue is resolved, and implement additional network segmentation between environments. And then the last answer, D: request business acceptance of the risk from executive leadership to defer patching until the API vendor provides a compatible version, estimated two to three weeks. Okay, so let's go through the answers that are not correct. I kind of already mentioned the first one is not correct, right? No hair on fire, avoid that.
The next one is request business acceptance of the risk from executive leadership to defer patching until the API vendor provides a compatible version, estimated two to three weeks. Okay, so now we went from hair on fire to the slow sloth crawl. Yeah, no, we don't want to do that, because we have to do something. We can't just sit back and go, we're going to wait for it, and we're going to wait for them to come and tell us what to do. The problem is it's estimated at two to three weeks, and I can tell you right now, working with third parties, yeah, just double that. Now, that being said, they may have a little bit more of a fire under their tails to get it done, just because of the fact that if it's that big of a risk, they might get it done in the two to three weeks, but don't count on it. Patch only internet-facing systems immediately, defer internal systems until the API issue is resolved. So, internet-facing systems, yeah, that's good. You want to do that. However, waiting for the API issue to be resolved, I think, is still a bad idea. Because the other thing you don't know in this is: is that API connecting with the internet-facing systems as well? It's just not a good idea if you can avoid that. If you have to and you have no choice, well, then that's an okay solution. It's not the best, but it's an okay solution. The one that's correct is implement compensating controls, WAF rules, network segmentation, increased monitoring, while working with the vendor to resolve the API compatibility issue, and then deploy the patch. So again, now you're segmenting yourself out, you're putting things in place, compensating controls, to help keep the situation from expanding beyond what it is today. So that is the best course of action.
Again, looking at this from a security professional perspective, if you're having to weigh the different pros and cons, that is the one with the least amount of hair on it. So yeah, you want to avoid the hairy, nasty ones as much as you possibly can. Next question: during an incident response to a suspected data breach, the security team identifies that an attacker has maintained persistence on a critical production database server for approximately 45 days. Yikes. The server processes real-time financial transactions worth millions, billions of dollars. Forensic analysis requires taking the server offline for six to eight hours. Which approach best balances the incident response requirements with business continuity? Okay, so you have somebody in your environment for 45 days, and they want to take the server down to do a forensic analysis of it. What should you do? All right, A, the first answer: create a live forensic image using memory capture and disk snapshots while the system remains operational, then isolate the server during the scheduled maintenance window. Next one, B: immediately isolate and take the server offline for forensic imaging to preserve evidence and prevent further data exfiltration, notifying business stakeholders of the required downtime. C: deploy an EDR agent with enhanced logging, maintain network monitoring to capture any exfiltration attempts, and schedule forensics for the next planned maintenance window in two weeks. And then the next one, D: rebuild the server immediately from clean backups to remove the attacker's presence and persistence, and then perform a forensic analysis on the compromised system offline. Okay, so let's go through this. This can actually be very challenging, and this is something you're going to have to figure out. You'll work through this on your own, you'll see these situations come up, and you're going to have to balance out what you do.
Because there are a lot of things that are going on here in this case. If you have someone within your environment for 45 days, the problem you're also going to run into is: what else did they do? So you have to assume that they've probably placed logic bombs within your network. So in the event that something bad happens, the bomb goes off and everything turns into dust. So you may want to think twice about going out and just nuking everything. So let's go through the answers that we think are wrong. Rebuild the server immediately from a clean backup to remove the attacker's presence, then perform forensic analysis on the compromised system offline. Well, okay, so if you rebuild the server immediately from clean backups, you have just destroyed any forensics capability within that system. So you'd have to make a copy of it, right? But the moment you start dinking with it and making changes like that, it's highly likely you're going to tip your hand. And if you tip your hand, a logic bomb could quickly ensue. So I'm not saying that's wrong, but this answer is wrong because you don't want to do that. But again, taking your system offline to fix it can tip your hand just a little bit. Deploy an EDR solution with enhanced logging, maintain network monitoring and capture any exfiltration attempts, and schedule forensics for the next planned maintenance window in two weeks. Okay, so deploying EDR is not necessarily a bad thing. You should have it on there already, but let's say you didn't in this situation; you'd want to deploy it, but keep in mind, if you deploy it, you could tip your hand. I'm not saying you shouldn't do that, I'm just saying be prepared for the consequences that roll out of that. You also want to look at network blocking. I would say what you could do is just block some of these things.
If, as an attacker coming from the attack side, my connection all of a sudden gets stopped, that doesn't necessarily mean that they found me, in my mind. It means that something went down. Now, it does make the hair on the back of my neck stand up a bit, going, they may have found me, but it wouldn't cause me to go and immediately launch the logic bomb. Again, this is all very subjective, and other people may do certain things depending upon their ROI, the return on investment. No, their ROE, their rules of engagement. So again, that's something you're gonna have to consider. However, in this case here, that two to three weeks, or two weeks, issue is kind of pushing, kicking the can down the road.

The other one is immediately isolate and take the server offline for forensic imaging to preserve evidence and prevent further data exfiltration, notifying business stakeholders of the required downtime. Now, this isn't bad, again, but taking it offline will automatically tip your hand, especially if it is a database and it's got lots of good stuff in it. Again, you have to weigh out the pros and the cons and what the risk tolerance is for your organization. This is why the CISSP is so important: what about risk tolerance? And you as a manager, how do you handle risk?

So the correct answer in this long, drawn-out question is create a live forensic image using memory capture and disk snapshots while the system remains operational, then isolate the server during a scheduled maintenance window. So this basically means you're taking snapshots of it to get the forensic image of it. You are then monitoring it. I would also assume that they've put things in place to help stop it from occurring, but then they're going to isolate the server during a scheduled maintenance window. This is all subjective, right?
It all comes down to what is in that database. If it is like OMG bad, you may want to just shut her down and move on. But again, be prepared for the consequences that could fall out of that. And then it's your responsibility as a security leader, and in taking the CISSP, to communicate those risks to your senior leaders so they're aware of what's going to happen, or maybe potentially not happen. It just depends.

Okay, that's all I've got for you today. And thank you so much for joining me. Head on over to CISSP Cyber Training. It is awesome. Lots of great free stuff out there. My blog's got all these videos, and my free content's available to you. If you want some more concierge service, or, you know what, the CISSP is just a bit challenging for you, look at my packages where I can actually work with and mentor you. I have some really great programs there to help you during this time. I've had a lot of students reach out and say, I'm good in four of the eight domains, but the last four domains I'm struggling in, and I don't get this concept, I don't understand what the heck they're talking about. Look at the other options I have that I can help you with. Again, my other tiers are available for you to have that hand-by-hand, total approach to getting this CISSP complete. And the goal is that this doesn't stop just with the CISSP. We move beyond this into other areas of your cybersecurity career and help you with coaching, with planning your future and how you best navigate that in this ever, ever-changing world. All right, thank you very much. Have a wonderful day, and we'll catch you on the flip side. See ya.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback.
Also, check out my videos on YouTube: just head to my channel at CISSP Cyber Training, and you will find a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 363 CISSP questions to help you in your CISSP journey. Thanks again for listening.
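The correct answer in the scenario above hinges on preserving evidence while the server stays up. The shell script below is an added example, not part of the podcast or any CISSP material, showing the integrity half of that live acquisition: copy a volume bit-for-bit, hash source and image, write a chain-of-custody manifest, lock the evidence read-only, and verify it later. The source here is a constructed sample file standing in for a block device or memory dump; the case id CASE-0001, the evidence directory and every path are placeholders.

```shell
# Added example (not from the podcast): live evidence acquisition with
# integrity verification. The "volume" is a constructed sample file standing
# in for a block device or memory dump; all paths and case ids are placeholders.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_live_evidence SOURCE EVIDENCE_DIR CASE_ID
# Copies SOURCE bit-for-bit with dd while the host keeps running, hashes both
# source and copy, records a chain-of-custody manifest, and locks the evidence
# read-only. Returns 0 only when the source and image hashes match.
acquire_live_evidence() {
    src="$1"; evdir="$2"; case_id="$3"
    img="$evdir/$case_id.img"
    manifest="$evdir/$case_id.manifest"
    mkdir -p "$evdir"

    # Hash the source first, then copy, then hash the copy: a mismatch means the
    # data changed underneath us (live system) or the copy is bad.
    src_hash=$(hash_file "$src")
    # conv=noerror keeps dd going past unreadable sectors on real media.
    dd if="$src" of="$img" bs=4096 conv=noerror 2>/dev/null
    img_hash=$(hash_file "$img")

    {
        echo "case_id=$case_id"
        echo "source=$src"
        echo "image=$img"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "acquired_by=${USER:-unknown}"
        echo "tool=dd bs=4096 conv=noerror"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } > "$manifest"

    # Evidence and manifest become read-only; any later change breaks verify.
    chmod 0444 "$img" "$manifest"
    [ "$src_hash" = "$img_hash" ]
}

# verify_evidence EVIDENCE_DIR CASE_ID
# Recomputes the image hash and compares it with the manifest; returns 1 if
# the evidence was altered after acquisition.
verify_evidence() {
    evdir="$1"; case_id="$2"
    recorded=$(sed -n 's/^image_sha256=//p' "$evdir/$case_id.manifest")
    current=$(hash_file "$evdir/$case_id.img")
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Stand-alone demo on a constructed "volume" (a text file, not a real disk).
demo_dir=$(mktemp -d)
printf 'txn=1001 amount=250.00\ntxn=1002 amount=99.95\n' > "$demo_dir/volume.bin"
if acquire_live_evidence "$demo_dir/volume.bin" "$demo_dir/evidence" CASE-0001 \
   && verify_evidence "$demo_dir/evidence" CASE-0001; then
    echo "evidence acquired and verified:"
    cat "$demo_dir/evidence/CASE-0001.manifest"
else
    echo "hash mismatch, re-acquire" >&2
fi
rm -rf "$demo_dir"
```

On a real host the source would be a device node or a memory dump written by a memory acquisition tool, and a source/image hash mismatch is expected whenever the volume is being written to, which is exactly the case for a live transaction database. That is why the "disk snapshots" in the correct answer matter: take a filesystem or storage snapshot first, image the frozen snapshot rather than the live device, and keep the manifest with the image so the chain of custody survives the later maintenance-window isolation.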
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!