
CCT 069: Practice CISSP Questions - Data Collection, Location, and Destruction (D2.4)

Sep 07, 2023 | 19 min | Season 1 | Ep. 69

Episode description


Imagine a world where a simple radio command halts an entire railway system. That's exactly what happened in Poland recently, and we're here to break down the intricate details of this cyber-attack. We'll reveal how the Polish radio stop command system was exploited, unraveling the mystery behind this major disruption. From there, we'll navigate the tricky waters of personally identifiable information (PII), data destruction, and data sovereignty, arming you with insights and strategies to protect your data. Ready to ace your CISSP exam? We've got your back with a series of exam-style questions and discussions around critical topics like data encryption and degaussing a tape.

Switching gears, we'll venture into the realm of CCPA Compliance and data security. If you've been wondering how to determine the scope of consumer data, or puzzled over the features of GDPR, fret no more as we demystify these concepts. And let's not forget about the importance of secure data transmission, especially when dealing with financial data. We dive into the best practices for transmitting sensitive data, address API security, and explore secure data destruction methods. To cap off the episode, we'll tackle data scraping and the perils of unauthorized data collection. So, buckle up for an exhilarating ride through the landscape of cybersecurity!

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Transcript

Speaker 1

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

All right, let's get started. Hey all, Sean Gerber with the CISSP Cyber Training Podcast, and today is Thursday, and what does that mean? That means it's exam question Thursday. That's exciting news, and there's lots of little children around the world screaming for joy because today is CISSP exam Thursday. Yes, yes, it's the questions today, it is.

But before we get started, we're going to talk about, actually, something that popped up in the news that I thought you all might be very, very interested in.

As you're studying for the CISSP, you know that it's really important for you to be in a position so that you can better protect the companies that you go work for, and one of the areas that is a big thing in the news today is obviously critical infrastructure, and there was an article in the Washington Post that I thought was very interesting, and the fact is, it's around a disruption that occurred in Poland. It's believed that it's tied to people sympathetic with Russia and that they did an attack on the Polish railway network. One interesting question around that, though, is how did they do it?

Was it like sophisticated hackers that were attacking from, I don't know, a Russian satellite, going after a specific server in the United States, bouncing off of that, going into Poland? No, it was not nearly anything as sexy as that. So, basically, what they're talking about, and what I read in this article, is kind of interesting.

They dealt with this different level of sabotage that occurred, and this occurred in several incidents on Friday night and Sunday involving someone using an unauthorized emergency stop signal, and what this basically is, is interesting.

I didn't even know this happened, but they exploited a Polish radio stop command system, which brings all the trains to a stop when three tonal signals are broadcast through their radio network. So I mean, I'm an old guy, but you'd have a situation where it would, like, something like that. That's really cool. I did a great job with that.

I know I did, you all liked that, didn't you? No, you're actually no, but the problem is, is these small three tones, these up, down, whatever they are, cause the entire rail system to stop.

So this reminds me, very eerily similar, of areas where they used to do this in the old days of phones, and you'd have a certain tone that would go over a phone line and it would allow you to get international calls. Same kind of concept, but it's just...

It's amazing how the fact that we are so dependent on something so small as three tones on a radio network that probably is not encrypted by any stretch of the imagination, and it caused the entire train system to stop. So the cool part is that it actually worked. So that's a good thing, to keep all the trains from going somewhere.

The bad thing is, now other people will figure that out, and I'm sure that they're probably scrambling very quickly to try to patch that up in other rail systems around the globe. So I guess something for you to chew on as you study your CISSP questions. So today we're going to get into domain number two.

So we've got a bunch of questions for you and we are going to start rolling right into those. Okay, so question number one: your organization studies PII, not studies, stores. Your organization stores customer PII. Which of the following should be implemented to ensure its protection? Okay, so we understand PII is personally identifiable information.

So which of the following information, or which of the following, should be implemented to ensure its protection? A, plain text storage. B, database encryption. C, log file monitoring, or D, intrusion detection.

So if you're looking to store customer PII, you want to have some level of database encryption; again, that is designed to protect against unauthorized access while the log files are being stored. And then it's important to have all this, but the log files won't help you.

The intrusion detection will help after the fact, or as you're trying to get in, but when you're dealing with just protecting the PII on that database, then it should be database encryption. Question number two: you are responsible for data destruction. What should you do after degaussing a tape? A, validate that the data is unreadable.

Now, again, we talk about degaussing. This is where a magnetic field goes across the tape and makes the contents unreadable. So, A, you validate the data is unreadable. B, you shred the tape. C, you overwrite the data on the tape. Or D, nothing, degaussing is sufficient. So the answer is you validate the data is unreadable.

Now I want to say that, in the fact that if you are going to go to the pains of doing a degauss on a tape, a magnetic tape, you obviously had the idea that you want to reuse that tape, so you've got to think about that. Don't read too far into the question, where you go, well, I'll just shred the tape. Why am I even bothering with it?

The question comes into is, they're probably asking for you to reuse the tape. The easiest option is to just shred it. You don't need it. But if they are wanting to keep it, what is the policy for your organization? You may want to just validate the data is unreadable. Question three: a company operating globally is worried about data sovereignty.

So that means the data stays where it's at locally. Which of the following is the best approach? Again, key word: best. A, storing all the data in the cloud. B, encrypting all the data. C, data masking. Or D, storing the data in the country of origin. Okay, so the company operating globally is worried about data sovereignty.

Which of the following is the best approach? And the answer is D, storing the data in the country of origin. So by doing that, you will ensure that it is compliant with the local laws.

Now you may have a situation where you're storing this data in the cloud as well, and that cloud may be in that country, but if you're wanting to ensure that this data is best protected, you would store it so that it's compliant with the local laws. You'll want to ensure that it is in the country of origin.

Question number four: which of the following is most appropriate for destroying SSDs? So these are solid state devices, so this is your solid state drives. These are the hard drives. These are what's moved from the standard platter hard drives to what they're at today, and they're just basically a big, really big chip or group of chips that's storing data.

So which of the following is most appropriate for destroying SSDs? A, degaussing. B, securing, secure erase. C, shredding, or D, incineration. So which is the most appropriate for destroying SSDs? So if you're dealing with an SSD, obviously degaussing doesn't work. Secure erase will leave the data there, but do you know if it's gone?

Shredding is probably the best thing to do with SSDs, just to be honest, because you can't really clean them the way you can a normal platter hard drive, so shredding them is the best. Incineration.

Obviously there's lots of chemicals that create these hard drives, and so using incineration releases a lot of toxins into the air, so shredding is your best choice. Question five: what consent form is explicit and needs direct action from the user? A, opt in. B, opt out. C, passive consent, or D, active consent?

So, if you're looking for explicit consent from a user, you want A, opt-in. Opt-in is a consent that requires explicit actions from the user.

Such as ticking a checkbox, joining CISSP Cyber Training, yes, I have one of those, and then you're basically making an explicit form that you're consenting to the terms and conditions that are associated with that site, or whatever it might be. Question six: you are asked to ensure compliance with CCPA. What is one of the first steps you should take?

So CCPA is the California Consent Privacy Act, I think that's what it is, but it's the California Act, right, and it's about, you basically want to be forgotten. So if you are asked to be in compliance with CCPA, what is one of the first steps you should take? A, update your privacy policies. B, develop a mechanism for handling consumer requests.

C, identify in-scope customer data, and then D, appoint a data protection officer. So each of those are important factors in CCPA compliance and you'll need to know that. However, what you want to determine is what consumer data is in scope; that would be C. So if you determine that scope, then you can determine how to best protect it.

If you don't determine the scope, you could really fall into the trap of, I'm just gonna put everything in there. Yeah, that's not a good idea. That's too hard, to protect everything. So you'll want to make sure that you have defined the scope. Question seven: which of the following regulatory standards is most relevant to healthcare data in the United States?

Okay so, each country has a different healthcare plan. They have different ways of dealing with the standards associated with it. So we're just talking healthcare in the United States. A is GDPR, B is CCPA, C is HIPAA, D is PCI DSS.

Okay so, GDPR is regulatory aspects in Europe, CCPA is California Protection Act for the consumers, and D is PCI, is your Payment Card Industry Data Security Standards. Yeah, I can't remember all these acronyms. And the last one is HIPAA. So HIPAA deals as the Health Insurance Portability Accountability Act. I think that's what it is.

Again, if you understand HIPAA, it's healthcare, healthcare regulatory. Yep, that's the right one. Answer is C. Which of the following is a key feature of GDPR? A, right to opt out of data sale? B, mandatory two-factor authentication. C, data masking, or D, data portability. Okay, which of the following is a key feature of GDPR?

Again, each of those questions, or each of those answers, is part of GDPR, but what is a key feature in that? And data portability is the part that is the key feature in GDPR. It allows individuals to take their data from one service provider to another.

That is a key feature behind it, but the key around that, though, is that, as they do those, there's data masking involved. There's two-factor, there's a right to opt out, or there's right to be forgotten. All of that is all tied into it, but you want it to be portability. You just don't want your data to be shared with everybody else.

Question nine: you've discovered an API collecting customer PII without proper security. What is your first action? Okay, an API is an application programming interface, right. So you've discovered an API that's collecting this information. A, disable the API. B, implement OAuth. C, notify customers. Or D, update your privacy policy.

So if you notice that an API is collecting it without proper security, you want to stop it immediately. So you want to disable the API. The rest of those areas are important, but if the data is leaving, you don't want it to continue to leave. Question 10: what is the best method for securely transmitting financial data over a network?

A, SSH. B, HTTPS. C, FTP. D, SFTP. So, again, you're transmitting data over a network. HTTPS, B, provides the best way from a secure, encrypted, web communications. Again, it's more suitable for transmitting financial data, especially over a web protocol. Your company collects data from users via online forms. What should you employ to prevent SQL injection?

A, input validation. B, output validation. C, CAPTCHA, or D, data masking? Okay, if you're looking for online forms, people are adding information into it and you want to prevent SQL injection, which basically is adding code to the input form, you want to have input validation.

This checks the data for integrity before being processed and it does help prevent SQL injection and SQL attacks. Not perfect, but it does work. After securely erasing a hard drive, what should be the next step? A, validation. B, shredding. C, degaussing, or D, incineration? So, after securely erasing a hard drive, what should be the next step?

So, if you securely erased it, you want to validate and ensure that the data is erased. Again, back to the point. If you're taking the time to erase it, then that's something that you want to reuse. If you don't want to erase it and you just want to destroy it, then obviously shredding is probably your better choice.

Which destruction method involves deleting cryptographic keys? A, degaussing. B, shredding. C, cryptographic shredding, or D, secure erase. Again, focus on the question: deleting cryptographic keys. It would be cryptographic shredding. This deletes the cryptographic keys that are used to encrypt the data, making it completely unreadable.

Now, this is also one of the great things that bad hackers do as well, is they'll encrypt the data and then you don't have access to the keys. So that's also destroying your data. Question 14: what is data scraping?

Data scraping is A, the automatic gathering of data from websites. B, user data input manually. C, manual copy-pasting of data from websites, or D, downloading a database. So data scraping is typically used by a lot of bots that are on the web and it is automatically gathering the data from websites. That is data scraping.

Question 15: which of the following is not an authorized data collection method? A, data scraping in violation of robots.txt. B, user consent. C, APIs, or D, direct input methods like forms. So what is a non-authorized data collection method? Obviously, data scraping is not authorized.

Now the robots.txt, you'll see that on WordPress websites a lot, but the data scraping is being done in an automated format and then it takes this data and puts it wherever you might have it. So that is the best answer of all of those, is this data scraping. What is data sovereignty? A, data is available globally.

B, data is stored in the cloud. C, data subject to laws of the country it's located in, and then D, data stored within a specific domain. So data sovereignty is C.

This is where it refers to data being subject to the laws in the country where it is stored, and if you have a data sovereignty concern and you want to make sure that it stays there, then you would put it there. One example is China. China does, at this point, does not have data localization or sovereignty laws. They sort of do.

It's very squishy, but it is highly likely that they will have that in the future. So you want to consider that when you're putting business in China. What is the first step in data lifecycle management? A, data classification. B, data storage. C, data creation, or D, data disposal. So what is the first step in data lifecycle management?

And that is C, data creation. You want data create... You've got to create it before you can do anything else with it, so you can't classify, store, or dispose of it. Question 18: which of the following is not a data destruction method? A, shredding. B, logging. C, incineration, or D, degaussing?

Well, okay, the only one on here that is not destroying something is logging. Logging doesn't destroy the data, it actually keeps the data. Question 19: which of the following methods is not suitable for destroying paper records? A, shredding. B, incineration. C, degaussing, or D, pulping.

Well, all of those deal with some level of destruction, right, but degaussing is focused on an IT aspect and therefore it is degaussing. It is the other ones. You can shred paper and incinerate it, but you also can do that to IT systems, but for destroying paper, degaussing is the right answer.

Last question: which of the following is a requirement under CCPA? A, data localization. B, right to be forgotten. C, data masking, or D, mandatory encryption. And, like I mentioned earlier before, with the California Consumer Privacy Act, you have the right to be forgotten.

Okay, so a provision that allows California residents in the United States to request the deletion of their personal information, which is commonly referred to as the right to be forgotten. Same concepts that fall under GDPR, and they are basically focused on the rights of the individual. All right, that's all I've got for you today.

I hope you all have a beautiful, blessed day, and I hope you go out to CISSP Cyber Training. All of these questions are there for you at CISSP Cyber Training. They're also in video and audio format, so you're going to get the full monty. Everything you could ever want is there. All you've got to do is go.

So go check it out, CISSP Cyber Training, and we will catch you on the flip side. See ya.
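The online-forms question above answers "input validation" for SQL injection. As an added Python example that is not part of the episode, this shows why: the vulnerable lookup splices the form value into the SQL text, the hardened lookup applies an allow-list and a parameterized query. The table, rows and username rule are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample rows for the demo (not real customer data).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def build_db():
    """In-memory SQLite table standing in for the form's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': the form value is spliced into the SQL text, so a
    quote in the input changes the query's logic instead of its data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# Allow-list for this demo: lowercase letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(value):
    """Input validation: accept only what a username may contain."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def lookup_parameterized(conn, username):
    """Parameterized query: the driver binds the value as data, never as
    SQL, so a quote inside it cannot terminate the string literal."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(conn, username):
    """Defense in depth: reject malformed input first, then run the
    parameterized query for whatever passes validation."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"  # classic tautology typed into the form field
    print("vulnerable:   ", lookup_vulnerable(db, payload))    # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # []
    try:
        lookup_hardened(db, payload)
    except ValueError as err:
        print("hardened:     ", err)
```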

Transcript source: Provided by creator in RSS feed