Welcome to the Reduce Cyber Risk and CISSP Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

All right, let's get started. Hey y'all, this is Sean Gerber with CISSP Cyber Training, and today is exam question Thursday. We're gonna be getting you some awesome CISSP questions today, and the ultimate purpose of this is to provide you some questions and some potential work-through of what the question is asking for.

The ultimate goal of taking the CISSP is passing the test, right? Well, if you're gonna pass the test, you need to understand some of the questions and how they may ask them. Now, these questions that we talked about previously, we want you to understand them. Just trying to memorize questions is not gonna meet your needs.

You need to make sure that, as you're looking at the CISSP and the various questions that are tied to it, you understand the concepts, not that you actually try to memorize the questions. We talk about how you need to have at least probably close to 2,000 questions under your belt, and I know you're probably going, oh my gosh, that's a lot, and it is.

But the ultimate goal of that is not for you to memorize 2,000 questions, it's for you to understand the process. When I took the CISSP and failed it the first time, I did not understand that. I thought I just had to pass it based on just memorizing the questions, and back then you probably could, because I'm really old.

But now, in today's world, you can't do that. There is no way that you're gonna be able to memorize all these questions. And with these questions now, getting access to the full bank of questions is very, I don't know if you can, other than people potentially, if they take a test, going and writing them down. That's too much work.
Just understand the content and you'll pass it. It's that simple. Okay, so we're gonna get into domain six and we're gonna talk about security controls and security assessments.

So question number one: which of the following is a primary objective of security control testing? Which of the following is a primary objective of security control testing? A, identify and remediate vulnerabilities; B, evaluate the effectiveness and implement security controls; C, establish a baseline for future security control testing; or D, identify potential attack vectors for an attacker. Okay, which of the following is a primary objective? Again, key words. Focus on key words when taking the test. A, identify or remediate; B, evaluate the effectiveness; C, establish a baseline; or D, identify potential attack vectors. The answer is B. The primary objective of security control testing is to evaluate the effectiveness and implement security controls. Okay, because guess what, if you go down the path of looking for vulnerabilities, they will come, they will go.

If you're looking for a baseline for future security control testing, that doesn't really help you any, and that's one I would throw out. And then D, identify potential attack vectors for an attacker. It does help you, gives you some ideas, but at the end of the day, it's not going to be the be-all, end-all for that.
Which of the following is a type of security control test? Okay, so it's a security control test. A, penetration testing; B, vulnerability scanning; C, threat modeling; or D, code review. Okay, so which of the following is not a type of security control test? So I'm reading through that going, well, all of these are security control tests. Why are they not? Which one is not? Look for that keyword, not. So, of those that are not a security control test: A, penetration testing; B, vulnerability scanning; C, threat modeling; D, code review. All three of A, B and D are all testing. Threat modeling is not a control test, so that's the one you want to look at.
Which of the following is an example of a compliance-based security control test? A, penetration testing; B, security policy reviews; C, vulnerability scanning; or D, risk assessments. So if you're looking at this, what are the different options around the security control test that might be available? And the answer comes down to B. A security policy review is an example of a compliance-based security control test. So if you're doing a review of your policies, that is where it's more compliance-based. The other ones, penetration testing and vulnerability scanning, are more looking at the specific aspects of getting in. It's not really a compliance-based type of test.
Which of the following is a limitation of vulnerability scanning? A, it's time-consuming; B, it's costly; C, it does not identify zero-day vulnerabilities; or D, it provides a comprehensive assessment of security controls. It does not provide a comprehensive assessment. So which is a limitation? The answer will be C: it does not identify zero-day vulnerabilities. It just doesn't help you with that. It's not any of A, B or D. They can be costly, but not so much. It's more on the lines of zero days. It does not dig out zero-day vulnerabilities.
Okay, which of the following is a benefit of conducting a penetration test? A, it provides a comprehensive assessment of security controls; B, identifies vulnerabilities in the system; C, assesses the effectiveness of incident response procedures; or D, is less expensive than other types of security control tests. Okay, so which of the following is a benefit of conducting a penetration test? It provides a comprehensive assessment, it identifies vulnerabilities, it assesses effectiveness, or it's less expensive than other types of controls? So, if you look at that, it is more or less expensive in most cases. But that's not what the actual question is asking, that's not the benefit of it. The benefit of a penetration test, I shouldn't say, no, I shouldn't say it's not less expensive. That's for vulnerability scanning. Penetration tests, no, they are very expensive. Sorry, misquote. Penetration tests, though, provide a comprehensive assessment of what you're trying to accomplish, so when you're dealing with the actual answer, it's a comprehensive assessment, which is A. They will give you a comprehensive assessment of the security controls for that specific area. Each of those other areas won't be as much.
Which of the following is an example of a manual security control test? A, vulnerability scanning; B, penetration testing; C, security policy review; or D, code review. So which of these is an example of a manual security control test? We talked about in the last podcast that a manual security control test would fall under B. Penetration testing is a very manual process. We talked about not using it from an automated standpoint. You want to avoid that as much as possible.

Next question: which of the following is a limitation of security control testing? A, it's time-consuming; B, it's costly; C, it requires specialized technical skills; or D, it cannot be performed on cloud-based systems. So which of the following is a limitation of security control testing? A, it's time-consuming: can be and cannot be. B, it's costly: it can be, but if you have an individual doing it, it may not be as costly as you think. C, requires specialized technical skills: yes, it does. And D, it cannot be performed on cloud-based systems. Yes, it does require special skills. The answer is C. Again, we talked about if you would just throw somebody at it to go out and start scanning things, yeah, you could end up putting yourself in legal jeopardy. So you want to avoid that.
So it does require someone who understands what they're doing. Which of the following is an example of a black box security control test? Okay, A, code review; B, vulnerability scanning; C, penetration testing; or D, security policy review. Okay, so which of the following is an example of a black box security control test? Okay, black box is what you're basically saying: it's its own box, you don't know much about it at all. It's black. Okay, A, code review. So it's kind of hard to do a code review when you don't know what it is. B is vulnerability scanning? Well, you kind of have to know a little bit about the system and what it is. C, penetration testing, I talked about individually. And then D, security policy review. The answer is C. Penetration testing is a black box security control test because the tester has no prior knowledge of the system or its internal workings. So that is your black box. It's unknown, and so therefore a pen test is usually the best answer for that.
All right, which of the following statements about security control testing is false? A, security control testing is an ongoing process. B, the goal of security control testing is to identify and assess security controls. C, the results of security control testing are used to improve security posture. Or D, security control testing is only performed once during the system development lifecycle. So which of the following statements about security control testing is false? So, if you go through each of those, A is true, B is true, C is true, and D, security control testing is only, only, only performed once during the system development lifecycle. That is definitely false. Okay, you'd want to perform that on a numerous and routine basis.

Last question: which of the following is a limitation of using a vulnerability scanner for security control testing? A, vulnerability scanners cannot detect false positives; B, vulnerability scanners cannot identify zero days; C, vulnerability scanners are expensive to use; and D, vulnerability scanners require manual intervention to operate. So which of the following is a limitation of using a vulnerability scanner for security control testing? If you go through those, the limitation is B: vulnerability scanners cannot identify zero-day vulnerabilities. We talked about that before.
They can't do that because they don't know they're there, so therefore they can't do that. All right, I hope you all have a wonderful day. That's all I've got for today. Go out to CISSP Cyber Training and check out all my free resources. You can get access to my email distribution and I can give you all kinds of great stuff that's coming. We're just in the building phase, so there might be a few things a little wonky at times, but everything is growing and we are expanding every single day. So go out to CISSP Cyber Training and get everything you need to help pass the CISSP the first time. All right, have a great day. We'll catch you on the flip side, see ya.