RCR 065: How to Study and Pass the CISSP Exam - CISSP Training and Study!

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will provide CISSP training for  Domain 3 (Engineering Secure Design) of the CISSP Exam.  His extensive training will cover all of the CISSP domains.

BTW - Get access to all my CISSP Training Courses here at:  https://shongerber.com/ 

CISSP Exam Questions

Question:  078

Which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level?

1. A) Aggregation
2. B) Inference
3. C) Contamination
4. D) Polyinstantiation

Contamination

Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement.

Source:  https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328>

------------------------------------

Question:  079

How many major categories do the TCSEC criteria define?

1. A) Two
2. B) Three
3. C) Four
4. D) Five

Four

TCSEC defines four major categories: category A is verified protection, category B is mandatory protection, category C is discretionary protection, and category D is minimal protection.

Source:  https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328

------------------------------------

Question:  080

Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level?

1. A) (star) Security Property
2. B) No write up property
3. C) No read up property
4. D) No read down property

No read up property

The no read up property, also called the Simple Security Policy, prohibits subjects from reading a higher security level object.

Source:  https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328

------------------------------------

Want to find Shon elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• https://www.isc2.org/Training/Self-Study-Resources
• Online Article
• https://thorteaches.com/what-is-the-best-way-to-study-for-the-cissp-certification/

TRANSCRIPT:  

  what can reduce the risk podcast episode 65 how to pass the cissp and cissp Sample questions reduce Sakura's podcast where we provide you the training tools you need to pass the cissp exam while enhancing your cyber-security career hi my name is Sean Gerber and I'm your host for this action-packed informative podcasts each week is I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam good morning is Sean gay brothers beautiful day hope everybody's doing well and everything is going good around the world hopefully you are staying safe from the coronavirus and how that spread is going throughout the globe so it's a scary time right now for people and will as of today but there's something you still need to keep in mind and keep aware of so stay safe out there if you listen to the podcast and Aur should stay inside and study for your cissp exam probably pull your hair out 4 hours on decide to go right back at it again so it I know if you're staying for this it's his hard and it's one of those things that you put a lot of work into so when you do get it and you do pass it I highly recommend that you don't let it lapse cuz that that's what was discussed scary scary the cissp recently where I did my CPE but there was a problem with the billing and they told me that they were going to take my cissp away because I didn't pay while it got dumped into my spam email and I didn't even realize I had a payment so I freaked out for a little while and things were good so anyway talking about how you can pass the ciss and what you can do to be better at getting that completed in this is going to go over some different ideas what people have had online as well as some ideas that I've had as well and then we'll just get into it so bottom line is how do you pass the cissp and that ended that want to do some pretty good episode that many more people will want to listen to as everybody. There's trying to figure it out so let's just get right into it for teachers.com has he had on you to me as well as his website does a pretty good job I'm pretty impressed with or he's been doing this for a while you can tell and he's got a good program out there and this is some of the things that he's talked about how the best way to pass the cissp now you do any online looking you're probably noticed that most people will do give you privates similar kind of recommendations as well as myself but the difference is that give you a little bit more detail around on some different places you can go to get study groups and to get some more information and as if you've all are aware of it when you're studying for the cissp getting different points of view is really important especially trying to understand how are they going to ask the questions and it even says so much of that is just try to get the knowledge you need to pass the test cuz they're they're going to give you a little bit of guidance but at the end of the day if you don't know the content you're going to be real hard time passing the test cuz it's you you really have to know the content now he talks about what you should do as far as some you should be watching now he puts a list of videos and all of these will be available at that I'll have on my show notes along with I'll be putting out just a quick mini course around what do you need for passing the cissp you'll see that come out here in the next few probably likes you we come expecting so that's that one will talk about the getting a little bit more detail videos of one the three sources. Some of these sources are Thor's teaches right it didn't know about us or about me so Sean gerber.com obviously we'll be at the top of your your list and I would highly recommend that you put me in the top of your list so there's a strong gerber.com for teaches infosec 40c and it's with Muhammad Asif and there's another group of questions study notes in theory I know that that group is out there are quite a bit cybrary Kelly Hanrahan seeing some of her content out there on YouTube and then Sarah Green group is got some more cissp training as well as well I do recommend some of his are his questions that he puts out there was a really good if you look in those on YouTube so I would recommend if you're going to look at questions and for Content specifically you to give you a good sample shot at that and that's a good way for you if you're going to be a visual learner to pay attention of it that the other aspect around that is maybe you can just listen to it while you're driving do not watch it while you're driving but you can listen to it while you're driving those are some good resources out there you'll get my videos are available on my website as well as their on YouTube in the process of moving more of those out to you too so that you'll get them either on both you'll get them into the the audio version to the podcast you can also get some of the audio versions and video versions are on YouTube as well so that that that kind of information is there for you full set of videos from Sean gerber.com you also can go out to you to me and find what's Thor's God as well I do have stuff out on you to me as well just met a man like to get people to come to generate traffic those are those are cissp questions that are going to be videos that I have early updated most all my updated content is going to stay on Sean gerber.com but you'll see those out there at udemy as well what was at least one two three of those whatever you're trying to study for this the one difference is that I never had this when we were studying housing for the cissp it was not available to me that they're what they had to questions we had was Sean Harris wrestler Soul who who had put together the cissp book and I studied that is what I did for quite quite a bit and went through the test questions in the back of the book I'm also was very cheap and didn't really want to go and get the test Banks to pay for those cuz I was cheap and the other thing was on that is the test bank so we had at the time really work that good they were there full of a lot of joke and a lot of there's a lot of viruses that were connected with him so I just studied the book itself from Shawn Harris now you all that are studying for your cissp Dakota copia of different videos you can watch to help cissp and I know it does vary from person to person on how they explain things so it is good to give different perspectives I highly recommended you know you would think that for her it Arkham cortical competitors of mine but I highly recommend you check him out because people learn differently and through different sources and so it's important to use those different skills that other people have to help baby Converse it a little bit better what's the recommended reading the books obviously is are there sea ices professional manual and that addition will cover you for the test now obviously the in 2021 there will be version of the cissp Ethel release expecting and then from there we'll make changes to it as well cissp questions on Sean Gerber. Com as well as just going to looking for different content to consider with the questions a lot of people say while we want to stick with the 2018 versions for the questions I would I would disagree a little bit because of the fact that the Cyber questions that are on the cissp the questions are asking in general it for the most part unless they're wrong which I've come across some of those are wrong and if you see any on my site that are wrong please let me know I'll make some changes to him but if the contents pretty good so at least gives you educational to understand why the questions being asked and what is the context behind it the one trying to memorize questions obviously the 2015 version I'll give you some contextual knowledge around cissp so I highly recommend older questions as well just to just he also recommended the 11th hour cissp study guide It's the Third Edition I don't know if they put any more in print but this basically taken 2015 is where it takes you too and you can get that on Amazon as well recommend so first thing as reason watching videos read the books and then he says go back and watch the videos again for a second time does reaffirm what you read the book itself like that is e-squared book I'm looking at it right now it's like 2in thick tell me it's it's that big but the thing around that though is I have a hard time studying it so I would go through individually basically objective by objectives and I would then build out a framework or just even a bolt size list of each of those objectives and the purpose behind that was the it made it easier for me to study it also allowed me to add more context to it I would recommend that just depends on how your your learning style is because reading that book by itself it's it is it's like reading stereo instructions you will fall asleep at night and if you're reading this while you're falling asleep at night it's so heavy it will fall on your face and suffocate you so I would recommend the table so that when your head hits the floor it's if you're the table then your head one of your head falls asleep it won't quite fall as far that they would be more comfortable true but the book would probably hurt you or your partner or spouse whoever's with you till Paris watching the videos practice questions take these in batches after while your brain just shuts down take a couple of time actions and putting them in batches I'll re-watch the videos for test questions that's important listen to the podcast that's one thing he didn't have is that this podcast I go there over test questions so you will get a cissp training on a Monday and then you'll get test questions on a Wednesday and a Saturday and so go over my test questions are typically I read through those and that will give you some more Amor leg up if anything is just reaffirming and going back over this this information so that sticks in your cranium so that when you sit down and take the test you will pass it the first time right now great questions we watch the videos read parts of the book again with test questions is c squared have some great test questions in the back obviously since they write the test it might be good to look at those questions I would recommend it and you can get them from you also test questions from our sample exam questions from boson cissp practice practice practice practice exams is c squared cissp official study guide found the videos will have cissp questions as well one thing I've noticed with the cissp questions and I'm guilty to some that the questions are regurgitated so the questions are out there and they're kind of copy pasted and put into new versions Zion questions I put those out there I will tell you making your own questions as original as it is is extremely time-consuming and so when you're working a job another business this business take advantage of what I can when I can just to be out of there directions are made up from me and then the rest of those are probably pulled from just they are pulled from different places throughout the whip cuz that that's just the best way of doing it now again he talks about how you should educate yourself and what type of questions I'll be asking that is a key and you're also trying to understand what are the what are the main points are trying to pull out of this test when I fail it the first time what ended up happening with me is I did not focus so much Focus too much on passing the understand the questions to try to pass the test and not trying to actually understand that the actual question itself and so that's what tripped me up I would recommend that you you stay away from trying to memorize the questions just don't do it and specially today's world in the past when I was taking that's how we took the test was memorize the question but today I just do Kylie discourage that thought process how to take the test with the multiple questions is that our quote-unquote almost correct you're going to get that you're going to options that look while that one looks I really close which one is it feel confident which one it is navigate to glom onto a crab that the wrong question so make sure you read the questions slow it's just it's really important and it's again the question around to help you understand the terminology what are they asking for what is governance and he'll be honest I struggle with governess I left the military and came into the corporate world they kept talking about governance and I'm like what are you talkin about what this governess thing I don't get it cuz again the military have different vernacular what's the point of it was just that it is just different languages different terminology now basically you need to understand what are they asking this question about and then look for the double negatives you know if it's not do the knots that are there the mechanic at the right turn right now but it's basically a nun and a not then the double negatives that will get you as well so that what they're also talked about as you cannot memorize your way to a win and you can't memorize it to a when I tried no doubt are the next phase is he said that he would get into practice test and then he'd focus on his weak areas so would you take the practice test then you see where you fail and then you come back and focus on those I will say encryption is probably one of the bigger ones that people struggle with I had a person reach out to me the other day than and requested some understanding around symmetric encryption someone put something out there on that as well because it is and then you fall asleep and you wake up the next day and what the heck was that you forget it so has probably want to encryption is probably one of those that just people's really struggle with I know I did and there's times I still do cuz I have to a sit back and ask and then they can do it again oh yeah yeah yeah yeah so do weekends and then rinse and repeat that's what he saying practice test rinse repeat best face what his call is is that you take your practice test you watch weak areas with videos look online for Ares was still some concern and it's score at least 80% on the domain test now a little bit of Thor under the bus a little bit I still love his content so he's doing great no question about that but these are great ways to study for if your trick trying to take it by yourself now he took a boot camp and he mentioned that some of his content so the boot camp for awesome I will say that if you're going to do a boot camp I would recommend that you get some videos before you go to your boot camp understand the videos and understand what the contact is run is c squared and again you can get, I've got sales on from time to time you can get these videos very very reasonable they're not expensive at all you can probably find other videos online as well but bottom line is get the videos then what I would do is go through those and then go to your boot camp that will help out you helped you out substantially to be prepared for when you go you can ask the right questions and pay attention to the right conversations that are Keurig during the training pretty good looking for you the information that you didn't know they are expensive so he's got to ask yourself is it worth buy the $7,000 for the cissp exam sorry that the test enemy use the boot camp includes the exam itself so those are some things to consider my video on five steps for Success video series is out there. Calm and I'll have the link again in the show notes quick go over these tips that and just kind of walk you through wear with that's going to entail so with the tips tip was his know what the cissp is and make sure you meet the prerequisites for the exam I've seen this before where you people don't have the prereqs for it and that is a big challenge so I would highly recommend you have those and what I'll do is I'll climb any video course what kind of go over some of these these tits as well that will can I get into a little bit more of the detail repeat the cissp language fluently play rock that is don't get cocky right because you think you're understanding it and then you realize I'll wait I don't understand it on a daily basis I deal with security issues in my current role and there's days when I just do not understand it and I'm going to get to work Sundays in a security architect and he couldn't some really cool ideas and I'm like a great idea why didn't I think of that so you need to understand the language and also be open the fact that things change quite frequently space so definitely getting that I can help you, as well we can help you out on this stuff and give make sure that you got the information you need to pass the test Number 3 make use of multiple studies sources but you took a lot of great stuff and then podcast obviously in any other media that you may use partner with someone else to help you take the exam I know that in the hearing Wichita we have people that are in the icy squared study group and they actually study for the cissp exam together that's a really good thing if you can spend a few hours each each week maybe a couple times a month that would be very helpful in helping you pass the test 5 estimating distribute your time wisely that that's that's interesting enough cuz you really need to do that I spent three months like I said of my life to 3 hours a night studying it and it's it's hard so you just need to make sure you give yourself enough time also give yourself time to let your brain are out and do other things because the stuff will become overwhelming after a while before you know it you'll be walking around seeing the The Matrix everywhere you go I see data too much actually it's kind of scary don't try to cram the last minutes not like college where you try to cram barf out all the information and then if the other day going what did I just do yes I remember that many nights in College of doing that do not do that for this because if you're studying for your cissp you probably want a career in cybersecurity so I would take the approach of learning it I've heard in situations where individuals have gone into take the test that don't they base have a proctor take the test formula legal help against the ethics of the IC square but basically what they would do is and to get some general they would say hey Bill I'll pay you x amount of money go take the exam for me because Bill can pass the cissp with his eyes closed and Bill goes and takes it but says I'm Fred Fred pass one bill passes for a gift certificate for the cissp the problem is that doesn't help you and it doesn't help the community so it's a bad idea cybersecurity knowledge that you may not get in your current role because I struggle with going well how do I provide value of you guys this is something that I didn't have so hopefully you can use it and I don't just say come to to this podcast has many other podcasts are out there I would highly recommend you use those are great education tool to help you with passing the cissp exam and your cybersecurity career in general get sleep tickets 7S tablet strategy you use during the exam again set a strategy around the questions always answer ones you know breakdown what you thought was correct yada yada yada again you just have a methodical approach on how you do it if you do that that will set you up for some get rid of variables that are the test variable the only thing that you can't that you can control but you don't know it's going to happen if your brain and how much you regurgitate but get rid of the variables that are would cause you to fail and that would be not reading the question thoroughly and so far so bottom line is is a cissp worth it you got to ask yourself that I would say yes and you better study for it because it's financially if you have a family this is definitely a way for you to help increase your financial Revenue the future is extremely bright there is no downturn in any site whatsoever so opportunities are bound and it's definitely something you need to consider if you haven't done it yet and you're considering cyber you don't know how to get into it can give you some tips on what things to start going to do to get ready and prep for your cybersecurity career by it so that is what store recommends in his training and nobody put out on his block so again I can go check that out for teachers.com now let's get into some cissp training that I want to put out there from Chandra. Come all right so small little plug got to have that got stronger. Com sign up for my email list you will get some cissp training videos all right now I've got one through four come to you but that you will get to follow ons of 5 through 6 will come as well as a real mini course I'm going to be Ramada find that a little bit and all the people that sign up for that I will pass you the new link once it's done but there's make a few little changes to it to make a little bit more useful when I put together I must have been asleep and it's not real it's kind of Kluge in Conkey so we're going to make it a little bit better for y'all so ar.com and check it out it's some really good stuff okay in the cissp training from Shawn gerber.com we're at this going to go over some areas and domain 3 and this isn't a fundamental concepts of security models and so I'm just going to go over a few of the models for you too can I have an understanding of how those work and you're going to be asked questions on the cissp that are going to be around these models in your to have to understand what do each of them do now they're not going to ask you all 18 gazillions of them but they will ask you they'll take a sampling of the various models that are there and she's you need to understand some keep bullets around those those different security models not a security model is basically our design our desires map that designers map security policies to development so basically the map it's like a framework from what there was a trying to accomplish to what their What policies are trying to put in place these policies are typically not prescriptive and these models do help so cuz if you had been in the cybersecurity space the policies will change dramatically from a organization from one organization to another and models must support the security policy and that's just how important these things are they're very similar but they do provide some level of guidance around it you got it from Carnegie Mellon to you've got she just a few minutes but they very substantial as you got to pick the one that works best for you and which one may meet your overall security policy goals further extreme if that's something that you wish to do patient flow model this prevents unauthorized information flow between different levels of security so that would be one that would be very important as you are building out of product you may not you may think you know what it's all that it seems no it's not connected to anything at all it's what we want free use of data and whether it's encrypted or protected between different levels doesn't matter so you may not incorporate that that thought process from the information flow model there's a non-interference model which is based on information flow model which obviously you don't want to have data leakage and that's the key part around that is designed to avoid Italy kitchen programs such as Trojans and so that's the noninterference model print model this is a former model and computer security that is used to establish or disprove the safety of a given computer system that follow specific rules that they're the right thing around this is it's basically incursion to write that if they represent system of directed graph subjects or objects and two rights occur in every instance of the model that take and the grant Shuffle Wikipedia but that's the take Grant model now there's the Bell luppolo the but blah blah puto LAPD Padula Bella Paula model states that machine a state Machine model okay so we talked about that before is used for enforcing access controls in government and Military applications it was developed by David Elliott Bell and Leonard la pulla that's tense that's why the name for State transition model of computer security policies describing Access Control rule so that's where you get this makes sense from a military point of views that you want very tight controls on enforcing access obviously they just to go to anybody and describes access control rules where security labels are on objects and control rules for clearances for subjects so that's how it basically gets into the access controls it's got the sticky labels are the objects which we talked about as well for your cissp and in the control rules are for the for the clearances your labels would be your obviously top-secret to unclassified or even public depending upon the situation and then there's also no clear distinction between protection and security so that is the Bella pull up model and that was used in the military obviously a lot and it's one that I've seen quite substantially be a bit of model is was developed by Kenneth Piva in 1975 and this is a former State transition of a computer security policy of described access control rules ensuring data integrity and then it says data and subject our group in ordered levels of Integrity so that one has been I've seen that one on the test and people talking about that quite substantially is the bill and the Belles of Buddha and the bell model I know it is so much in the military and people will understand that you can probably expect that you may have a better chance of seeing that you'll also probably see some obscure model that is they talked about cuz it's like 15 different models that they go over on the cissp so you'll have to decide which ones do you need to study mall but I would pick bullets from them that help guide you in a direction you know obviously Bibble would be a really easy one if they gave that'll a test that was developed in 1975 but they won't be generous to you another one that I've seen at the Clark Wilson model this provides a foundation for specifying analyzing Integrity policy for a computer system other games we talked about CIA the confidentiality integrity and availability that obviously they thought their stream strong Focus was in that space finding the notion of information integrity and is maintained by preventing Corruption of data items in a system and that that's basically either do from air or from malicious intent so that the Integrity model from Clark Wilson I would focus on two hey it's around Integrity spot information integrity and that is something that you would want to keep in mind weather models out there as well unless I'm going to get into as a brewer Nash model Lauren Ash model was constructed to provide information security access controls that can change dynamically and this is really important it also was known as the Chinese wall model so is you're looking for keywords that kind of Club onto then you would know huh okay so in for information security access control Chinese wall model the it was designed to provide controls that mitigate conflict of interest in commercial organizations it was built upon information flow model so they'll be talked about that above so that's how it was built and it did model of the information flow information flow between the subject and the object in a way that would create a conflict of interest and it's commonly used by Consulting and accounting firms so that's how they do that now they had a model this awful Wikipedia they had a model with an example I should say which was really good and it's almost read this to you for example one a consultant accesses data belonging to Acme limited a Consulting client they may no longer access the data to any of Acme's competitors in this model the same consulting firm have can have clients that are competing with Acme limited while advising Acme limited so that's the allowed to keep that segregation and yeah that makes a lot of sense because you're dealing with accounting and consulting firm you don't want to cross any of the blending of the streams isolation within a conflict class of data to keep users out of potential conflict of interest situations because company relationships can change all the time Dynamic up-to-date updates to members and definitions for conflict classes are important so now you will say that based on this model you can probably get software out there that will do this for you you can do this through the standard if you have a good process in place to manager access if you're a company like that just through active directory groups in through your groups that use in your managing of your groups but there's probably software out there for this is a situation for you that I would recommend using because trying to do it yourself would be a bad idea you will screw up and when you screw up that's all I have for the cissp study so now we're going to roll real quickly in some questions alright so the questions which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level okay so which database security risk occurs are from a higher classification level is mixed with data from a lower classification level aggregation to interference 3 contamination third grade education struggling aggregation B interference C contamination or polyinstantiation don't know if the fourth ward so I'm going to guess right because I would guess what I'm guessing about you and I don't know that Forth Worth so I'm just going to throw that out aggregation now that's when you put things together interference and inference means you're understanding something that's not really there and I'd okay so if you're challenging on my dictionary knowledge see I probably just screwed that up but I can't have an idea about the contamination that makes more sense level and or need to know requirements with the data to a lower classification level and orange requirement contamination next question how many major categories do T SEC t rtc's as secretary Define that's Tango Charlie Sierra Echo Charlie a is to B as C is for these 5 2 3 4 and 5 which one is it what's category is verify protection bees mandatory protection see is discretionary protection and D is minimal protection soti set defines those four categories categories a b c and d next question which Bella Buddha model which Bella Pune property keeps the lower level subjects from accessing object with a higher security level security property be no right of property see no Rita property deed notary down property is it queso the Bella blue model keeps lower level subjects from accessing object with a higher-security level to look at that question right security property that doesn't make any sense so know when you look at the three questions and it says no right no read know what does that mean so you got no right up property okay no read up property okay and no read down properties you can probably throw out the last one which is the read down property right so you're like okay snack at 2 to see if you don't know you basically asking it was his ass accessing obvious is not reading objects or is not writing because just accessing them so right up. O it is no real property also called the simple security policy object no read up property that's all I've got for you today already said risk hope you're all having a wonderful week this week and hope you take care and stay safe and we will catch you on the flip side see you thanks so much for joining me today on my podcast free concert that I have available for you there is a cissp mini course free cissp exam questions podcast and so much more it's all available to my email subscriber so sign up if you want my personalized cissp training purchase my training courses and I'll be there to help you with your cissp need so you can pass the test the first time thanks so much for listening will catch you on the flip side