Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey, all, it's Sean Gerber with CISSP Cyber Training, and today is Thursday, so we're going to be doing CISSP exam questions. So get ready, get buckled up, and let's see what you can think about as it relates to the CISSP exam questions.
Now I want to let you know that these CISSP exam questions are available to you at CISSP Cyber Training as well. So there's all of the information that we go through here.
I have a vulnerable, or vulnerable... that's, I've been talking security too long. A variable list, a long list of CISSP questions that you can get at CISSP Cyber Training, and these are part of those questions I come out with, probably anywhere from 15 to 30 questions every week, usually.
It's sometimes a little bit more than that, but around 30 questions a week is what I usually come up with, and I add that to my overall bucket and list of questions that you can study so that you can be prepared to pass the CISSP exam.
And this is all part of my CISSP blueprint that I have available to the members of my CISSP training course. Okay, so we're going to get into the questions and we're going to see how they all play out. All right. So what does the STRIDE methodology stand for?
Okay, so for you guys that are listening, I'm going to walk through all the questions, and then you see if you can think of it while you're driving or wherever you're at and you're listening to this. A: security, tampering, replication, intrusion, denial of service, escalation of privileges. Okay.
B is spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege. C is security, tampering, right, repudiation, intrusion, denial of service, escalation of privileges. And then D is spoofing, tampering, replication, information disclosure, denial of service and elevation of privilege.
So if you know STRIDE, okay, that deals a lot with that. I'm not going to go through all those again because that's not a mouthful of words, but STRIDE is an acronym that stands for spoofing, okay. So, again, as you're going through these questions, you know spoofing is one, so that could throw out, in this case of a multiple choice,
two of the four questions. Tampering, repudiation, information disclosure, denial of service and elevation of privilege: those are the parts of STRIDE. So the answer is B. Now if you look at D, if you're seeing this on the video, you'll see that the difference with D is it's replication versus repudiation. But don't focus on replication. Security,
we don't really talk about replication a lot; we talk about repudiation a lot. So if you didn't know, you'd go, these terms don't seem like this; replication doesn't seem like a security term, more of a networking term. Then you may want to at least glom onto B. So the point is, narrow down your focus, right? What is the actual right question?
All right, so I'm sorry, I'm fighting a little bit of a cold, so I apologize if I sound a little congested. What are the main components of a threat model in the context of cybersecurity? Okay, so what are the main components of a threat model in the context of cybersecurity? A: assets, vulnerabilities, threats and mitigations.
B: assets, adversaries, threats and mitigations. C: assets, adversaries, attack vectors and then mitigations. Or D: adversaries, vulnerabilities, threats and mitigations. Okay, so if you notice, right now you've got assets. So assets has got three of the four; I'd probably pick assets if I didn't know.
And when dealing with adversaries, that is probably something you won't understand when it comes to threat modeling. So that was... I'd narrow that down to B and C. And then, when it really comes right down to it, C: the main components of a threat model are assets, adversaries, attack vectors and then mitigations.
What is the main focus of the Trike methodology in threat modeling? A is data, B is systems, C is people, D is processes. Now, if you listened to the last podcast, the Trike methodology, the main part of, the main focus of that threat modeling is data. So the answer is D, or, D, it's A. The answer is A, data.
So the Trike methodology does focus on a highly data-centric approach. Which of the following steps in the threat modeling process involves the use of STRIDE or DREAD? That's another one that you're gonna have to know for your CISSP, is DREAD, okay. So one is identifying assets. Two is identifying potential assets.
C is identifying potential threats, or D is identifying and implementing controls, and the answer is C. Identifying potential threats involves the use of methodologies like STRIDE or DREAD. Which threat in STRIDE refers to an act that modifies or alters data or the system configuration?
So which threat in STRIDE refers to the act that modifies or alters the data in the system configuration? So, yet, A is spoofing, B is tampering, C is repudiation or D is information disclosure. Again, modifying or altering the data is tampering. So it's B. Tampering refers to the act of modifying or altering data in the system configuration.
Which of the following is not a component of a threat in the context of threat modeling? A: vulnerability, B: an asset, C: an adversary, or D: an impact. Okay, so which is not a component of a threat? So, of a threat in the context of threat modeling?
So the components of the threat: vulnerabilities, asset and adversaries are all components that are tied to threat modeling. D, the impact, is a result of a successful threat, but is not a component of the overall threat. So I hope that makes sense to you guys. Which of the following threat modeling methodologies focuses on data flow diagrams?
Okay, so we talked about data flow diagrams earlier in our CISSP Cyber Training. That was on the podcast that was on Monday. So A is PASTA, B is STRIDE, C is Trike or D is OCTAVE. Okay, so we talked about it. So if you go, well, since we talked about it, then it would be STRIDE or Trike, you'd be correct.
But when it kind of, remember, Trike was focused on data and STRIDE was focused on data flow diagrams. That is STRIDE, so it would be B. STRIDE is focused on data flow diagrams. What does the R in STRIDE stand for? Again, A recognition, B replication (we talked about the replication thing), C repudiation or D restoration, and the answer is C, repudiation.
That's what the R stands for in STRIDE. What is the main goal of threat modeling? One, to comply with legal, or A, to comply with legal requirements. B, to identify potential threats and develop appropriate countermeasures. C, to purchase suitable cybersecurity insurance. Or D, to train IT staff about cybersecurity. Okay, so you can do all of the...
I mean, well, you can definitely train staff about it, but that's not the main purpose behind it. Right, you can purchase security insurance by doing your STRIDE. That'll help you understand your overall threat modeling. It'll help you understand what you need to do.
But when it really comes right down to it, the main goal of threat modeling is to identify potential threats and develop the appropriate countermeasures behind it. Each of those are helpful, not necessarily the legal requirements, but I mean you could have some legal requirements. I guess I've never seen that, but you could.
But definitely, B and C and D, that is a byproduct of doing threat modeling. But the overall answer is B, to identify potential threats and develop appropriate countermeasures. Which methodology involves creating a threat model that is at the design phase of a system or application?
So a methodology involves creating a threat model at the design phase of a system or application: A, STRIDE; B, DREAD; C, CVSS, which isn't one; and then D, OWASP. Okay, that's really not a threat model either.
So, yeah, so then, when it comes right down to it, if you knew CVSS isn't one and OWASP isn't one, you could narrow it down to STRIDE and DREAD. But when it comes right down to it, it is... what should we talk about? We talked about STRIDE, but STRIDE is a threat model that is at the design phase of the system or application.
That would be A, STRIDE. What type of threat does the E in STRIDE represent? A, encryption; B, endpoint; C, elevation of privileges; or D, exfiltration? And the answer is C, elevation of privileges is what we want. That's what the E is for in STRIDE. We focused on that. In threat modeling, what does the adversary represent? A, a security control? No.
B, a vulnerability? Yeah, no. C, an asset? No. The answer is D, a threat actor. That is correct. That is the adversary. Now that threat actor can be multiple things. It could be a hacker that's sitting in Bangladesh, or it could be your person that's sitting right next to you in the cubicle.
That is what a threat adversary would be, and that is represented as a threat actor. In the context of STRIDE, what does information disclosure mean? A, gaining unauthorized access to the information; B, tampering with the information; C, unauthorized alteration of the information; or D, releasing the information to the public.
Okay, so in the context of STRIDE, what does information disclosure mean? And that means A, gaining unauthorized access to the information. That is referred to as information disclosure. Which of the following is not part of the threat modeling process? That is A, identifying potential threats; identifying vulnerabilities, that is B;
identifying assets is C, and then identifying network architecture is D. That's a pretty easy one, right? The answer is D, because we've talked about all of A, B and C, but we have not really talked about identifying network architecture, so that would probably be not part of the threat modeling process.
And then, which of the following is true about threat modeling? A, it focuses only on external threats? No. B, it is performed only after security breaches occurred. You know, that's B. C, it involves a proactive identification and mitigation of the threat. Hmm, maybe. And then D, it's a one-time activity that does not require updates or maintenance.
Yeah, that's not it either. So the answer would be C. Again, it's proactive identification and mitigation of the threats, and it is always an ongoing activity and should always be updated on a routine basis. All right, that's all I got for you today. I hope you guys have a wonderful day. Go check me out at CISSP Cyber Training. Check out the blueprint.
You will be happy you did, and we'll catch you on the flip side. Have a wonderful day and have a great week. Talk to you later. Bye.