RCR 059: How to Understand Threat Modeling for the CISSP Exam Prep - CISSP Training and Study!

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam.

• CISSP Article – Threat Modeling
• CISSP Training – Data Integrity and Threat Modeling
• CISSP Exam Questions

CISSP Exam Questions

Question:  060

You are a security consultant. A large enterprise customer hires you to ensure that their security operations are following industry standard control frameworks. For this project, the customer wants you to focus on technology solutions that will discourage malicious activities. Which type of control framework should you focus on?

• A.  Preventative
• B.  Deterrent
• C.  Detective
• D.  Corrective
• E.  Assessment

Answer: [B] Explanation: Deterrent frameworks are technology-related and used to discourage malicious activities. For example, an intrusion prevention system or a firewall would be appropriate in this framework.

There are three other primary control frameworks. A preventative framework helps establish security policies and

security awareness training. A detective framework is focused on finding unauthorized activity in your environment

after a security incident. A corrective framework focuses on activities to get your environment back after a security

incident. There isn’t an assessment framework.

Source:  From <https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/>

------------------------------------

Question:  061

You are performing a risk analysis for an internet service provider (ISP) that has thousands of customers on its broadband network. Over the past 5 years, some customers have been compromised or experienced data breaches. The ISP has a large amount of monitoring and log data for all customers. You need to figure out the chances of additional customers experiencing a security incident based on that data. Which type of approach should you use for the risk analysis?

• A. Qualitative
• B. Quantitative
• C. STRIDE
• D. Reduction
• E. Market

Answer: [B] Explanation: You have three risk analysis methods to choose from: qualitative (which uses a risk analysis matrix), quantitative (which uses money or metrics to compute), or hybrid (a combination of qualitative and quantitative but not an answer choice in this scenario). Because the ISP has monitoring and log data, you should use a quantitative approach; it will help quantify the chances of additional customers experiencing a security risk.

STRIDE is used for threat modeling. A market approach is used for asset valuation. A reduction analysis attempts to eliminate duplicate analysis and is tied to threat modeling.

Source:  From <https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/>

------------------------------------

Question:  062

You are working on a business continuity project for a company that generates a large amount of content each day for use in social networks. Your team establishes 4 hours as the maximum tolerable data loss in a disaster recovery or business continuity event. In which part of the business continuity plan should you document this?

• A.  Recovery time objective (RTO)
• B.  Recovery point objective (RPO)
• C.  Maximum tolerable downtime (MTD)
• D.  Maximum data tolerance (MDT)

Answer: [B] Explanation: The RTO establishes the maximum amount of time the organization will be down (or how long it takes to recover), the RPO establishes the maximum data loss that is tolerable, the MTD covers the maximum tolerable downtime, and MDT is just a made-up phrase used as a distraction. In this scenario, with the focus on the data loss, the correct answer is RPO.

Source:  From <https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/>

BTW - Get access to all my CISSP Training Courses here at:  https://shongerber.com/ 

CISSP Exam Questions

Question:  060

You are a security consultant. A large enterprise customer hires you to ensure that their security operations are following industry standard control frameworks. For this project, the customer wants you to focus on technology solutions that will discourage malicious activities. Which type of control framework should you focus on?

• A.  Preventative
• B.  Deterrent
• C.  Detective
• D.  Corrective
• E.  Assessment

Answer: [B] Explanation: Deterrent frameworks are technology-related and used to discourage malicious activities. For example, an intrusion prevention system or a firewall would be appropriate in this framework.

There are three other primary control frameworks. A preventative framework helps establish security policies and

security awareness training. A detective framework is focused on finding unauthorized activity in your environment

after a security incident. A corrective framework focuses on activities to get your environment back after a security

incident. There isn’t an assessment framework.

Source:  From <https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/>

------------------------------------

Question:  061

You are performing a risk analysis for an internet service provider (ISP) that has thousands of customers on its broadband network. Over the past 5 years, some customers have been compromised or experienced data breaches. The ISP has a large amount of monitoring and log data for all customers. You need to figure out the chances of additional customers experiencing a security incident based on that data. Which type of approach should you use for the risk analysis?

• A. Qualitative
• B. Quantitative
• C. STRIDE
• D. Reduction
• E. Market

Answer: [B] Explanation: You have three risk analysis methods to choose from: qualitative (which uses a risk analysis matrix), quantitative (which uses money or metrics to compute), or hybrid (a combination of qualitative and quantitative but not an answer choice in this scenario). Because the ISP has monitoring and log data, you should use a quantitative approach; it will help quantify the chances of additional customers experiencing a security risk.

STRIDE is used for threat modeling. A market approach is used for asset valuation. A reduction analysis attempts to eliminate duplicate analysis and is tied to threat modeling.

Source:  From <https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/>

------------------------------------

Question:  062

You are working on a business continuity project for a company that generates a large amount of content each day for use in social networks. Your team establishes 4 hours as the maximum tolerable data loss in a disaster recovery or business continuity event. In which part of the business continuity plan should you document this?

• A.  Recovery time objective (RTO)
• B.  Recovery point objective (RPO)
• C.  Maximum tolerable downtime (MTD)
• D.  Maximum data tolerance (MDT)

Answer: [B] Explanation: The RTO establishes the maximum amount of time the organization will be down (or how long it takes to recover), the RPO establishes the maximum data loss that is tolerable, the MTD covers the maximum tolerable downtime, and MDT is just a made-up phrase used as a distraction. In this scenario, with the focus on the data loss, the correct answer is RPO.

Source:  From <https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/>

Want to find Shon elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• https://www.isc2.org/Training/Self-Study-Resources
• Online Article
• https://www.varonis.com/blog/threat-modeling/>
• CISSP Exam Questions
• https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/

 TRANSCRIPT:  

hails younger was reduced Severus podcast this is episode 59 did integrity and threat modeling welcome to reduce cyber risk p also check out my cissp videos that you can find out on YouTube just search for Shawn s h o n Gerber like the baby food toilet or whatever you choose and then you will find a plethora of content to help you pass the cissp exam the first time Leslie head over to Sean gerber.com and look at the Cornucopia free cissp materials available to all my email subscribersodcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host of this action-packed informative podcast join me each week cuz I provide the information you need to grow your knowledge so that you're better prepared to pass the cissp exam I sound quite terrible so I apply I think I'm getting a little bit of a cold and some stuff is just greater self into my lungs so I sound really cool and sexy are least that's what I think so it's like I've been smoking 30 packs a day for the past 30 years but bottom line is I'm going to be cold and so this is will be a very interesting podcast we'll see how the hell will I can last how long it goes for so this is 59 is of data integrity and threat modeling be getting into three different articles is going to be in Wonderland threat modeling that I've seen out there and the other one is going to be around the cissp training that you need to know as it relates to data integrity and the threat modeling and obviously has everything that goes on with the cissp training we provide at all of it is based around the objectives that you would have for the cissp along with that we throw in a little bit of a scattering of wonderful Knowledge and Skills from my years of being a CIS cssp but also being a Cicero and other various aspects in the cybersecurity space let's get going and get a right away as long as my voice can hang out the threat modeling training all right so this is from Verona's and they talked about threat modeling in one of their blogs and you could get this information at varonis. Com threat modeling and that you can find out a little more about that and I had to recommend you go check out as you're studying for your cissp other vendors and what they provide because the bottom line is is that you could come to pass the cissp it isn't going to be as simple as just I study a bunch of video trainings and then I go take the test or I look at a bunch of questions cissp questions and then I go take the test is going to be during halftime know the content and you know how to differentiate between what and what is sort of right and it's so that's going to be a big part of how you study for the CIA the thread is what's coming after you so you need to understand how they think and and what are the possible motives that they might be looking to get the information nothing loads are simple as they just want your stuff and they're going to do slash-and-burn to get there but in most cases many of these companies are people or companies that are trying to attack you and get your information they're doing it for a specific purpose and reason nothing else on this article to talk about strategies on how to use threat modeling as a proactive measure for cybersecurity what is threat modeling threat modeling is a practice process of identifying potential risks and threats and you want to do this again on the head ahead of time because right away she starts thinking what are the potential risks and threat to your organization also understand that this may change over time it won't always be the same situations where your company has a very specific threat to you your company but at the end of the day is probably going to change as technology changes and as people change now you want to create test and countermeasures to respond to potential threats know what does that mean that means you may come up with an idea so you were usually attacked you know that you're exactly will be attacked because your Executives have all the information stored in their brain well if that's the case then you're going to want y'all just have their the Threat Vector now they may end up having that the attack attack the Threat Vector may come from various sources that may come from the internet and may come from their email it may come from various aspects but you know that these are the guys that are always going to be attacked guys and gals so you may need to create test and countermeasures to respond to these Potential Threat modeling for cyber-security is rapidly evolving and you can create these scenarios in these models basically for any scenario that you might think of and in so you need to really brainstorm with people that are in your space that are in your business as well as others that are in your organization or in your environment so let's say for example you are a music industry executive or cybersecurity person to protect music interested industry rice you know that there's a window in which people will try to steal the information and get it out there so what you could do is go with your plans from your team standpoint and then but then also talked to other Industries people that are in your are other people that are in your industry to find out what they are doing to best protect themselves how they're doing it you know what you want to avoid while someone is protecting their company unless they're willing to share that it's more just along the lines of what have they found his best practices to help protect their companies now successful successful threat modeling requires identifying potential threats analyzing possible effects almost threats and determining if the threat is a significant and requires a neutralization strategy as we talked about threat modeling is a process to create models in these are based on the parameters that you define as a threat what do you consider as a threat to your organization and and again we talked about not all threat models May apply to every system I'm in the chemical industry business threats for chemical Industries may be very different than the let's just like I said like the music industry and maybe very similar in some aspects but for the most part that the people that are attacking the music industry are different than the people that are attacking chemical Industries the threat model Works threat Molly's asking answering lots of questions about the thing you're working to protect I will say that I'm not saying I'm a good sister I've got a lot to learn a lot and I learn more everyday and as a cybersecurity person will do you well in this world is if you learn how to ask really good questions and stay humble cuz he was going to happen if you don't stay humble you will get humbled but ask really good questions about the thing you're trying to protect and as I ask these questions I learn more more about the product or service or whatever it is I'm trying to protect but the end of the day I now can understand with all the business uses it and then I can understand how to best protect it it does require you step out of the day today Whirlwind of a data security and imagine what is the future going to be iot of things that's going to be a big factor I need to build threat models around iot and how would you manage and protect it there's some questions at that Verona's came up with another as a few minor just as you go what are we building and what is a product that we're building break down the system into small parts for example what is it is that application Celeste I'd your data is at an app people interact with does it have several components ORS a business base is it your employee base or the contractor base and by working through all these systems down you'll have a decent framework on how to begin I'd like to call IP protection framework you can call it a business protection framework whatever you want to do you bake the bottom line is you want to come with some framework on how you will protect your data also understand what can go wrong the what-if scenarios if a hacker steals in a was he or she going to get how would you know if that person gets access to the where they break into this database one forgets ransomware things that need to be need to think about because what if it can happen it will and so you need to make sure that you have at least thought through as many dissenters as you possibly can Sterilite believe a really strong document those but then you need to also understand how would you not all the way of Sinners will come true some of those maybe so far down the path of a just might as well what are you going to do about the what is how are you going to handle those they need to have specific step-by-step actions on how you're going to handle each of those situations there might be several mitigations options available at 8 Packers bottom lies you need to have thought about it in the Dominican so did we do a good enough job and that's why the questions were honest ask threat modeling isn't one and done and it's not you're going to have to continually keep modifying and thinking about it because as the business needs changed you will have to change the threats going to change their Vector their way of attack is going to change what does need to be thought about routinely and also as you get other restrictions that come across you such as privacy you name it all those aspects those are all key things that you need to be aware of and it's important to do that and whatever the case take the time to build the threat modeling team and bring them back together and talk about that okay so I'm going to go to Six threat modeling mistakes at that has brought up and it's they're pretty good though there's ones that you just need to consider as you're looking forward to putting this in your organization and they're just they're they're good to understand for the cissp exam as well because they will ask questions around these different items modeling mistakes think like an attacker people don't think like an attack on reason I've been somewhat successful in what I do is I was an attacker for 10 years I would work as a Air Force Red Team I thought like a bad guy think like a bad guy or gal and think about how they're going to try to get into the environment what are they interested in doing if you have intelligence back on that helps to because you think kind of Twisted lie so again thank like how the attackers going to go after you But Eric was that business to be $10 word that right third grade education struggles with that just does there's basically there's not going to know extraterrestrials is there quote are going to corrupt your data while they're Advanced systems of interface technology there. Basically these crazy things that you think that's not going to happen that they won't go go crazy go simple again Packers they're like any one of us they're all lazy okay we all do the least amount of work for the most amount of benefit and they're no different than you or I my threat model is complete we just talked about that it's a double-edged sword and I agree that you made you get to a point where you finish the threat model cuz you don't want to keep massaging it forever but at the end of the day it's never complete so you need to put it is done for this. Of time and then decide when do I move on to the next thing you know cissp no dyes basically saying if I have a cyst I don't have it I can't I want to see high speed modeling but wrong airline pilot flew military airplane and then I became a hacker okay my iq's that about 12 if anybody can do this now I don't see that if you have an IQ of 12 that you're going to do this you may start a little bit but my point of this is this it doesn't matter what certification you may or may not have it doesn't matter if you build this out and help people understand it you build out influence and you build some serious credentials with people that you're working for so I highly recommend it doesn't worry if you have a cissp or not so you can get the cissp so now you got one more little moniker to add to your name don't worry about the old system we don't need to develop a threat model for that yeah that's not a bad idea either aerial systems that I deal with on a daily basis and those systems need to be considered as well now in some cases are really old and would someone go after those that could but then I got to get a whole lot and all it's going to really do is be destruction aspects of it it's it's you got to kind of risk-based thought process run to protect everything old systems you may decide to not worry about it but you need to go through threat modeling understand what are the possible risks and the outcome people that abused them so I actually recommend them I think it'd be a great opportunity for someone if you want to if you don't have the time or the inclination to get into it or you want somebody to kind of help you from the beginning the ground-up varonis is a good option for you getting us something to consider along with that developed the court of them Daughters of threat models detect our cyber security threats in Aladdin and then again the ransomware things Abby with most companies it doesn't matter who you are ransomware as a big factor so I guess I kind of try to promote some of these security folks just because there's a lot of great stuff out there that they put out you just got to determine whether or not you want to pay the fees for that matinee times those fees can get very expensive but at the slips breach and you got to do with that those very small in comparison alright so let's go ahead and let's get into my cissp training that I have at Sean gerber.com it's only be one that one around the CIA triangle Integrity okay so the shoulder. Com 1.1 CIA triangle Integrity again you go to a shop. Com you can buy my training courses has this content and then some you will have access to all of my training you also have access to me so if you reach out to me I'll be happy to help you in any way I possibly can about allies I want to help you pass the cissp exam it is a booger it is painful but I know that when people start passing the cissp basically comes right down to it and be honest your income will go up substantially having that certification cuz they're the industry-standard I will put money in your pocket so it's worth spending the money to get you what you need I know right now the average for a cissp is around $120,000 that's a lot of money especially its $140 in US dollars cybersecurity professionals are needed for its supply-demand if they need it they'll pay for it so what we want to do is provide you good cyber security training to help you pass the cissp but at the we also want to be able to provide you the training you need to be a good CIS and a good cyber security professional so weird and integrity this description of this basically comes right down to his when you're dealing with the CIA triangle you got confidentiality integrity and availability the three Trifecta okay that a Triune these are three aspects of how you want to deal with data security and information security so you're dealing with Integrity to the Integrity of the data we didn't talk with talked about in our training before around confidentiality but Integrity is dependent upon the confidentiality the data is very closely tied maintaining insurance is around the accuracy and completeness of the data is extremely important as well basically life cycles from beginning to end and you need to ensure that you have the Integrity of the date is maintained if you're ever feel like you're questioning the Integrity of that data is basically the consistency of it is the date of really what I intended to be then you will throw it out you won't consider you won't consider it and like we talked about there's an Integrity issue with the data they will throw it out or will cause issued they can't use it as evidence within the process of the investigation or the subsequent so Integrity is extremely important data cannot be modified or in an auton authorized undetected manner again did it can be modified if it is it authorized matter if you have processes unloading it being modified then you can build trust in it if it's modified in an unauthorized manner you lose trust in that data and so you don't want to deal with that alright so it's the truth is our process to ensure proper change of data data may need to be changed but needs to have a proper process on how the data is that's what's important again you're in the cissp exam they're going to ask you questions around the data and they're going to ask you kind of goofy questions that may be closed but they're not quite right so you need to understand why is integrity of the data important the house Integrity maintain security mechanism in place will ensure that the data has not been compromised I eat encryption encryption that data is at rest or while it's in transit those are highly important pieces of security equipment to ensure that your data is maintained his integrity at rest has provided to the date of the authentication procedures have you ever found a kit to correctly do we know who it is it hasn't been logged and it's keeping unauthorized people and processes from your data do you have an audit an oversight Trail do you have proper logging and monitoring to ensure that same place do you have a way to keep the login monitoring from being messed with itself that would cause the concern that Integrity of the logging date as well have a lot of things in place to deal with that that doesn't mean you encrypt your log data it just means you have multiple logs sources that will bring feed a to answer that if one was to get compromised and one was to be modified you'll be able to pick it up on another motorcycle locks now what does integrity compromised look like its data transmitted and are stored in an unprotected containers or media without encryption you don't have encryption in place and it's store that way that would could be considered Integrity compromised how to put authentication methods in place you're basically on everybody on and you don't watch tuition at login that information that would do it logicmonitor to ensure data Integrity I was talking to a vendor check company while back and we were asking about how they're going to protect our data and ask him these questions around logging and monitoring basically they came back and said we don't really do that and we're like okay we're moving on bottom line is you can't evaluate evaluate because if they get breached and you'll have no way of knowing if they've been breached what's really a bad place to be so you need to evaluate that now if they're the only vendor you got you'll need to work with legal in the right people to be put contract language in your contract to ensure that they do in enable login monitoring those are some key points needed experience doing this a few years it's got an important piece vacations in place and then system where can I get talk to that other considerations around need to keep in mind it's accurate the data is accurate and precise fit so again bad data that output so you to make sure it's correct and precise there's non-repudiation involved as you basically cannot deny that the action or event has been performed or occurred you got to be able to say yes Sean Grover click on this link Sean Gerber download this file Sean Gerber did all this now did it I was sitting on the in the beaches of the Bahamas it wasn't me it was my account that that's different but bottom line you got to go to prove that this account actually did it certificates transaction logs all of those aspects are and keep peace of this there are such a part of our integrity again if you doubt the day that you're not going to resolve everything falls apart need to have a data custodian you have the right people for that and we'll talk about an upcoming Casas well-rounded custodians when you have someone who is the day the owner date of custodian that's in charge of the data and then it also needs to be complete having everything is needed for the result it doesn't need to be missing things and he's everything needs to be there so it's just a big part of that let's roll into some cissp exam questions okay you are a security consultant of a large customer are you to ensure the security operations are the industry standards control networks.com so I'm just going to get a little bit Prodigy the customer wants you to focus on Technology Solutions that will discourage malicious activity which type of control framework should you focus on you like to implement a security control framework which one you going to do preventive control framework a deterrent if a corrective or assessment okcu preventive detective corrective and assessment Rivera beach home people out term means you're saying you come here I'm going to hit you with this dick is always going to be well you did get into detectives you got in I'm going to go search you out correct it means okay you got in I dug you out and I'm going to fix it and the last one is assessment me tomorrow evaluate it okay the answer is deterrent Frameworks are technology-related the dark yard deterrent I got this big stick I'm hit you over the head don't come here go to your my neighbor and hack him that's a deterrent Network it didn't systems IPS SIDS has firewalls all those are for intrude or deterrent solutions to find something that'll keep him out completely is going to be a challenge and so these are ones that this customer wanted to wanted you so malicious activities deterrent right that's one option there then again that's from Network Wix Works its netwr IX works.com okay question to you would prefer a risk analysis for Internet service provider for an ISP thousands of customers on broadband networks the highest peaks got gobs of people has five years some customers have been compromised or experienced data breaches the ice P has a large amount of monitoring a log data for each of the customers you'll need to figure out the choices are the chances of additional customers Experian experiencing a security incident based on the data which type of approach should you use for the risk analysis the people they basically had a few people compromise over the years and they wanted mostly figure out hey what what is the best approach to determine doing risk analysis on it there's going to be future customers okay so you basically was different risk analysis medicine methods that we'll talk about through cissp but one of them will get into this one right here in Issaquah. Qualitative quantitative stride reduction or Market okay so there's there's three versions and we'll get into those it but there quantitative stride reduction and Market the market at Stride is a way to do risk analysis but it's not what they're asking for right so the different risk analysis methods so when you're dealing with that you want to forget about people numbers is wanted qualitative which is used to risk analysis Matrix qualitative use money in metrics to compute or the hybrid version that is the third version the combination of qualitative and quantitative but that's not a choice right so you have basically comes right down to it it is B quantitative cuz you're looking at numbers right so qualitative quantitative and hybrid and again okay question 3 you are working on a business continuity project is what keeps your business going otherwise known as a BCP for a company that generates a large amount of content each day for using social network your team establishes for hours as the maximum tolerable de los 4 in This Disaster Recovery or business continuity events to give me a 4 hours if you took 4 hours of downtime as if they're giving you real yeah it wouldn't be for a be like one do you have that agree to nurse a w but it'll do you want and which part of the business continuity plan should you document this so which part of the business continuity plan should you document our downtime a recovery time objective be recovery Point Objective C maximum tolerable tolerable downtime or D maximum date intolerance RTO RPO MTD is what point can you how much time do you have to be down but they're asking what if it comes back how much data loss are you asking for so they asked me how much down time or they ask how much data lost data loss would be RPO recovery Point objective yet you're only allow 4 hours of you want to be sedated for 4 hours so 4 hours so it's go starts at 1 and you go till 5 okay so the recovery Point objective would be that you'd want only 4 hours of data loss I think it's even high if you have any good solution your data loss should be like if you buy it less than an hour that's just losing data lost four more than that is really doing assistant that you can do that and not worry about it from networx.com you can check out their practice practice online test questions and I'll have them in the show notes all right that's all I have for you today again go to Sean gerber.com and check out what some great stuff I've got out there for you got my free some Freedom ain't raining out there for my videos is free for you just got to sign up for my email list the other thing is is that if you go to my website you also will get the ability to. Purchase my video training domains 1 through 8 and that would be very helpful for you as you're trying to pass cissp exam and then also you'll have access to me that's what we want right so I can help you out and give you the information you need to pass the first time on the flip side