Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey y'all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a wonderful day today, and I'll tell you I'm doing great. My wife is in Uganda at this point with my daughter, so that part is not so good, but I'm glad she's having a good time.
So I'm home just recording podcasts and getting other stuff done, so it is positive. I can tell you that's very positive. So we're going to go over some CISSP questions.
As it relates to what we put out last week, which was around certifications (I should say on Monday it was around certifications), this is going to be focused on CISSP questions that are going to cover all eight domains, because that's something I just kind of did as a reset. And since next week will be domain one, two and three and so forth, this is kind of a reset that we've got for this week.
So we'll start off with question one. Question one is around domain one, security and risk management: what is the purpose of a risk register in the context of risk management? Now, this is something you're going to probably deal with when you move on to working for a company, at least you should.
A risk register is something that keeps data that's very important and identifies risks and how you plan to mitigate them. So let's look at the responses. A is to list all identified threats and their potential impact. That would be kind of tough.
B, to list all identified risks and planned mitigations, that would be a little bit better, because you can understand the risks versus the threats.
C, to record all risk assessments performed, that's not really what a risk register is for. And then D, to record all risk incidents and the associated responses, that really wouldn't fall under either, but you could bite off on that one. But the actual answer is B, to list all identified risks and planned mitigations.
All right, moving on to question number two, this is over asset security, domain two. Data classification should primarily be based on what? A, the software used to store the data. Okay, so should the classification be based on the software? I don't know if that sounds right. B, the sensitivity of the data, that's probably closer.
C, the location of the data, probably not. And then D, the age of the data. Now, you may have very aged data that's classified, but at the end of it, your data classification all comes down to the sensitivity of the data. Question three, this is domain three, security architecture and engineering. What best describes a stateless firewall?
Okay, so you're going to need to know these things when it comes to the CISSP. There are some technical aspects you're going to have to be aware of. You don't have to get into changing firewall rules per se, but you do need to understand how firewalls work. And what is a stateless firewall?
Now, a stateless firewall is: A, a firewall that does not maintain any information about the previous packets; B, a firewall that can only inspect incoming traffic; C, a firewall that does not require authentication; or D, a firewall that has no active connections. Okay, so you might want to think about that one.
So if it can only inspect incoming traffic, that really isn't a very good firewall. A firewall that does not require authentication, you wouldn't want. So you could narrow it down to A and D, right? The answer is A. It's a firewall that does not maintain any information about the previous packets.
Question four, this is domain four, communications and network security. In asymmetric encryption, which key is used for decryption when the goal is confidentiality? Okay, so this is domain four, asymmetric encryption. Which key is used for decryption when the goal is confidentiality, which basically means you want to keep it confidential? A, public key of the sender.
B, public key of the receiver. Okay, but that's not really confidential, because public keys you can keep out in the open, right? C, private key of the sender, or D, private key of the receiver. Now, again, you want to understand that the confidentiality is achieved by encrypting. That's what we want.
Now, the only corresponding private key, again, that's the one you should have, is the one that's held by the recipient. So it should be D, the private key of the receiver. Question five, identity and access management. What are the three components of the AAA model in network security? A is authentication, authorization and accounting.
B is authentication, access control and auditing. C, authorization, access control and accounting. Or D, authentication, authorization and access control. So when you look at the AAA model, it stands for authentication, which is verifying the identity of the user; authorization, which provides access to the resources based on their identity; and accounting.
That's tracking what actions the user has taken after gaining access. Question six, this is under security assessment and testing. Which tool or technique is best suited to identify unencrypted credit card data stored across an enterprise network? So which technique or tool is best suited to identify unencrypted credit card data stored across an enterprise network?
A, vulnerability scanner? No. B, penetration testing? Yeah, no, it's not really a tool. C, data loss prevention solution, possibly. Or D, intrusion detection system. Really, the only one that you can pick on this one is C, data loss prevention solution. Question eight, domain seven, security operations.
Which incident response phase involves taking steps to minimize the impact of an incident? Okay, the answer, or one of the answers, is A, preparation; B, identification; C, containment; or D, eradication. Again, which incident response phase involves taking steps to minimize the impact of an incident? A, preparation; B, identification; C, containment; or D, eradication?
And the answer is C, it's containment. Again, this is the phase of the incident response process where steps are taken to limit the damage of the incident and prevent further harm. Question eight, this is domain eight, software development, well, software development security. What is the primary security concern in a system which employs microservices architecture?
Okay, so microservices, hmm, what is that? Microservices deals a lot with the cloud, right? So what is the primary security concern in a system which employs microservices architecture? A, dependency checking; B, network segmentation; C, communication security between services; or D, insecure direct object references?
Now, this would be hard if you didn't understand microservices, but then what you want to do is, like I say, focus on the question, and it comes down to: what is the primary security concern in a system which employs microservices architecture? So, something from a microservice standpoint, so services might be a key factor.
Well, A, dependency checking, I honestly am not really even sure what that is. B, network segmentation, isn't really a security concern; it's something you may want to put in place. And then D, insecure direct object references, is a coding situation. But when it comes right down to it, C, communication between services, makes the most sense, and it's for these services that there's a key area of vulnerability, making it important to secure these inter-service communications. That's one of the things I feel is missing a lot in most environments: that inter-service connectivity and the encryption that goes with it. All right, that's all I've got for the questions today.
Hey, go check out all of these questions on CISSP Cyber Training. I've got a bunch of free questions. I'm putting a bunch of new ones out there for you, so you'll have access to those, as well as go check out my blueprint. My blueprint will walk you through, step by step, what you need to do to pass the CISSP.
All right, have a wonderful day and we will catch you on the flip side. See ya.
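The stateless firewall from question three, as an added example that is not part of the podcast: a small Python packet filter that judges every packet on its own header fields, beside a stateful one that remembers the connections it admitted, so the difference shows up on the reply packet and on an unsolicited packet that merely looks like a reply. The addresses, ports and the "inside hosts may open HTTPS outbound" policy are constructed assumptions for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection

def is_inside(ip):
    return ip.startswith("10.0.0.")  # constructed: protected net is 10.0.0.0/24

def stateless_strict(pkt):
    """Stateless: judge each packet by its own header fields only.
    Policy: inside hosts may open HTTPS (TCP/443) to the outside."""
    return is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 443

def stateless_with_reply_rule(pkt):
    """Same filter plus the extra rule a stateless device needs so replies get
    back in: allow anything from outside port 443 to inside. It cannot tell a
    real reply from an unsolicited packet that merely uses source port 443."""
    reply = (not is_inside(pkt.src)) and is_inside(pkt.dst) and pkt.sport == 443
    return stateless_strict(pkt) or reply

class StatefulFilter:
    """Stateful: remembers admitted connections, so a reply is allowed because
    of the earlier outbound packet rather than because of its own fields."""
    def __init__(self):
        self.table = set()  # (src, sport, dst, dport) of admitted connections

    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if fwd in self.table or fwd[2:] + fwd[:2] in self.table:
            return True  # part of a connection we already admitted
        if stateless_strict(pkt) and pkt.syn:
            self.table.add(fwd)  # new outbound connection: remember it
            return True
        return False

# Constructed traffic: an outbound request, its genuine reply, and an
# unsolicited inbound packet dressed up to look like a reply.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000),
    Packet("203.0.113.99", 443, "10.0.0.7", 51234),
]

def decisions(filter_fn):
    # Apply one filter to the traffic; returns the allow/deny list in order.
    return [filter_fn(p) for p in TRAFFIC]
```

The strict stateless filter blocks the legitimate reply, the stateless filter with a reply rule lets the unsolicited packet in as well, and only the stateful filter admits the reply while denying the impostor.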