Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey all, Sean Gerber with CISSP Cyber Training, and today we are going to be talking about some exam questions. This is Exam Question Thursday and it is going to be amazing. Yes, it will, but before we get started, one thing I want to kind of bring up is I noticed today that today is Patch Tuesday.
So when you're listening to this podcast, it might be a Thursday or a Friday, but today, the day of recording this, is Patch Tuesday. There have actually been three zero days that Microsoft is putting out right now that are focused specifically around... One is around WordPad, which I didn't even know people use that much anymore.
It's a disclosed vulnerability that is set up as it relates to the NTLM hashes that are tied to WordPad. And then there's also Skype for Business. There are two specific critical vulnerabilities, zero days, that are out there specifically for Skype as well. So it's also tied to NTLM hashes that you may be focused on, or that you may have that aspect as well.
So if you've got that within your environment, I'd highly recommend that you go through your patches. One thing that I've learned just recently, as we do more of these zero days, there are more zero days coming out. Just-in-time patching, I think, is a really good factor.
Waiting until the Patch Tuesday or the Patch Wednesday to push these out to your organization can be a bit of a challenge, just because of trying to orchestrate all that.
One thing I've seen is that if you can set up your Microsoft devices to be automatically updated (not all organizations will do that), and if you set up your system to be automatically updated, you really do reduce the risk of that half of a zero day affecting your organization.
Now, the downside of that, obviously, is when you set up the automatic updates, you haven't had a significant amount of time to do testing. Is that going to basically break some of your systems?
And so the change management process, as we talk within CISSP Cyber Training, we talk about change management a lot, and it's important to have a solid change management system.
I highly recommend you have that, but with the servers, on the server side, it's much more important and much more critical than in the desktop or laptop type environments, and so I would recommend (again, this is just me recommending it, that doesn't mean anything) that you have your systems, especially your newer systems, set up in an automatic update mode.
That will free up some of your opportunity costs and some of the time involved in trying to make sure your updates are done, and, realistically, the amount of impact can be relatively small as it relates to those overall patches, because by the time Microsoft pushes them out, they've done a lot of thorough testing on these systems in most cases.
But bottom line is there are three vulnerable, three zero days that are out there right now that deal specifically with WordPad and Skype for Business. Okay, so let's roll into the questions today.
So this is a follow-on to the questions we did around the different roles that require an SS or a CISSP, and so these questions are going to be covering all eight domains, so there'll be various questions around those.
It's not specifically focused on one domain, because the last podcast didn't really focus on one specific domain, so we're going to get into that, all right. So these again, there are 15 total questions that you are going to see, and these 15 questions will be covering the gamut.
Question number one: Sarah, a software developer, is about to release a new application. Which software development methodology emphasizes security at every phase? A, Waterfall; B, Agile; C, DevOps; or D, Secure SDLC. And SDLC is Secure Development, or is it not Secure? It's Software Development Lifecycle.
So again, she's gonna release this new application and she wants to make sure that it emphasizes security in every specific phase, and the answer is D, Secure SDLC. Question two: Tim is leading an incident response team. What is the first step in a typical incident response process? A, Eradication; B, Containment; C, Identification; or D, Recovery.
What is the first step in a typical incident response process? And the answer is C, Identification. Identification is the initial step in any sort of incident response process, where abnormal activity is detected and it really is acknowledging the security incident. Once you do that, you've known and you've got knowledge that you do have an incident.
So before you can contain, eradicate or recover from the incident, you must identify what is actually going on. Question three: Robert is cataloging company assets. What type of asset is intellectual property? A, Physical asset; B, Logical asset; D, Digital asset; or C, Intangible asset. Okay, so what type of asset is intellectual property?
And the answer is D, it's an intangible asset. It's considered intangible because it has value but lacks physical substance. Now this includes copyrights, patents, trademarks, and, unlike other physical or digital assets, intangible assets cannot be touched or stored on a medium.
Now, I say that if you have intellectual property, it's in your head, but the moment that you put it into a digital asset, that's where things can change, and so you have to just keep in mind, when you're talking about intellectual property from the standpoint of what it is, it would be an intangible asset, but the moment you put it into a digital medium
or a physical medium, it would become a digital asset or a physical asset. Question four: Emily is evaluating risk for a new project. What is the process of assigning a financial risk to a risk called? Again, Emily's evaluating risks for a new project.
What is the process of assigning a financial value to the risk called? A, risk valuation; B, risk assessment; C, risk mitigation; or D, risk transference? And the answer is A, risk valuation. Risk valuation involves calculating the potential financial impact of a particular risk.
This is often used for cost-benefit analysis, or what they call a CBA, when defining the risk treatment options. This process goes beyond simple risk management by adding a quantitative value to the risk. Question five: Jim needs to segregate network traffic between multiple departments. What network device is best suited for this?
Okay, he wants to segregate traffic between multiple departments. A, hub; B, firewall; C, router; D, switch. Okay, you want to segregate network traffic between multiple departments, and the answer would be B. A firewall is designed to enforce network segmentation and the access controls between the different departments or network segments.
It can filter based on the organization's policies and also provides a higher level of security than a simple hub, switch or router. Now, can you do those things with a switch? Yes, you can, but the primary purpose of the firewall is what you want when you're dealing with network segmentation. Question six: Kate is responsible for data classification.
Which classification level is higher? A, public; B, confidential; C, restricted; or D, internal? And the answer is C, restricted. Restricted is usually a higher classification level than confidential or internal. Again, that comes down to your company. You may change that, you may want something different, but that is the baseline understanding.
Restricted data would have more stringent access controls and handling requirements due to its sensitive nature. Question seven: Tom is defining security domains within his organization. Which security model focuses on state transitions? A, Bell-LaPadula (pula, pula, pula, I can never say that word); B is Biba; C is Clark-Wilson; or D is Brewer-Nash.
So Tom's defining security domains within his organization. Which security model focuses on state transitions? And that is A, the Bell-LaPadula model. It's designed to maintain confidentiality through a set of access control rules.
It's particularly known for its state transition mechanism, which ensures security properties are not violated when you're transitioning from one state to another. So state transitions, not estate, state, S-T-A-T-E, state transitions are the Bell-LaPadula model. Question eight: Linda is deciding between symmetric and asymmetric encryption.
Which encryption method uses two different keys for encryption and decryption? A, symmetric encryption; B, asymmetric encryption; C, substitution cipher; or D, hybrid encryption? Again, she's deciding between symmetric and asymmetric encryption. So she's deciding that.
So maybe you don't need those two, right? You don't need cipher and you don't need hybrid, because she's looking at symmetric or asymmetric. Which one is it? Asymmetric encryption is B; it utilizes a pair of keys, a public key for encryption and a private key for decryption.
So asymmetric, this is distinct from symmetric encryption, where the same key is used for both the encryption and the decryption process. Again, keep in mind the term asymmetric is two, symmetric is one. Question nine: Paul is drafting a business continuity plan, a BCP. What is the main goal of a BCP?
A, responding to incidents; B, ensuring data backups; C, minimizing operations disruptions; or D, detecting vulnerabilities. It is C, minimizing operations disruptions. A BCP ensures that critical business functions can continue with minimum disruption in the event of a disaster.
While data backups and incident response are part of this, the overarching goal is to minimize operational downtime. Question 10: Mary's developing a security awareness program. What is the primary objective? A, compliance with the laws; B, employee training; C, improving security metrics; or D, reducing security incidents.
Now, all of those are valuable, right, for your security awareness program, but which one is the primary objective? And the answer is D, reducing security incidents.
Obviously, by teaching people and training people, you will help reduce the security incidents that would occur within your organization, and this is really done and achieved in many ways through ongoing training and awareness-raising activities. Question 11: Steve wants to secure his wireless network. Which encryption method is most secure for Wi-Fi?
A, WEP (that's whiskey, echo, papa); B, WPA2; C, WPA; or D, none of the above? Okay, so if you're dealing with Wi-Fi (Wi-Fi, yeah, Wi-Fi), if you're dealing with Wi-Fi, the best encryption is apples. No, the best encryption for Wi-Fi is WPA2, which is answer B.
WPA2 is Wi-Fi Protected Access 2, and it uses AES encryption and provides the most secure option on this list for Wi-Fi encryption, up to the latest updates. Again, WEP and WPA have been outdated and considered insecure and therefore deprecated.
However, I do still see a lot of WPA in networks. Not in my company network, obviously, but within various business networks you see this a lot. WEP is definitely in those networks. Question 12: Nancy is analyzing system logs. What is her primary aim? A, compliance; B, performance monitoring; C, troubleshooting; or D, anomaly detection.
Question 12 is Nancy's analyzing system logs. What is her primary aim? Okay, so all of those things are very good when you're dealing with logs (compliance, performance monitoring, troubleshooting), but the main thing that you're looking for, as it relates to this specific question, is anomaly detection. So that would be D, in the context of security.
The primary aim of log analysis is to identify anomalous or suspicious behavior, so any of those things that could turn into a security incident you need to keep your eyes on. Compliance and performance monitoring are very important and they are great aspects to it, but the overall goal is anomaly detection. Question 13: Kevin wants to ensure message integrity.
I was gonna say massage integrity. That just would not work. Kevin wants to ensure message integrity. What cryptographic mechanism should he use? A, a hash function; B, a digital signature; C, symmetric encryption; or D, asymmetric encryption. So, message integrity.
This is what happens when it's four o'clock in the morning and you're recording these things. Message integrity. So we're dealing with the message digest. We're dealing with messages, right? What cryptographic mechanism should he use? And you're dealing with the hash.
Hash functions are designed to take an input and produce a fixed-size string of characters, which then can be used as a fingerprint for the data, which we call a message digest. These hash functions are commonly used to verify data integrity by comparing the various hash values. If they match, then it hasn't been modified.
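Here is the question-13 comparison worked through in code. This is an added example, not code from the podcast: it computes a SHA-256 message digest at the source, recomputes it on the received bytes, and reports a match for unmodified data and a mismatch after a single character changes. The sample message is constructed for the example; the function names are mine.

```python
"""Hash-based message-integrity check (added example for question 13;
not code from the podcast). A hash function maps input of any length to a
fixed-size digest that serves as a fingerprint: if the digest recomputed on
receipt matches the digest recorded at the source, the bytes were not
modified; if it differs, they were. The sample message is constructed."""
import hashlib
import hmac


def message_digest(data: bytes) -> str:
    """Return the SHA-256 message digest of `data` as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, expected_digest: str) -> bool:
    """Recompute the digest of `data` and compare it with the recorded one.

    hmac.compare_digest takes the same time regardless of where the two
    strings first differ, so the comparison itself leaks nothing about the
    expected value through timing.
    """
    return hmac.compare_digest(message_digest(data), expected_digest)


def demo() -> dict:
    """Show a matching digest on unmodified data and a mismatch after a change."""
    # Constructed sample message; any byte string would behave the same way.
    original = b"Transfer 100 USD to account 12345"
    digest_at_source = message_digest(original)

    # Receiver gets the same bytes: the recomputed digest matches.
    unchanged_ok = integrity_intact(original, digest_at_source)

    # One character changed in transit: the digest no longer matches.
    tampered = b"Transfer 900 USD to account 12345"
    tampered_ok = integrity_intact(tampered, digest_at_source)

    return {
        "digest_at_source": digest_at_source,
        "unchanged_ok": unchanged_ok,  # True
        "tampered_ok": tampered_ok,    # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One caveat worth keeping in mind when you apply this: the recorded digest has to reach the verifier over a path that whoever can alter the data cannot also alter, otherwise data and digest get replaced together. That gap is what a digital signature (option B) closes, by signing the digest so its origin can be checked as well.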
If they don't match, then the original data has been modified. Question 14: Rachel wants to secure a data center. What is the best physical security measure? A, biometric scanners; B, CCTV, which is closed (not closed caption, but closed circuit) TV; B, or C, alarm doors; or D, security guards. So Rachel wants to secure the data center.
What is the best physical security measure for her to do that? And the answer is A, biometric scanners. Now, all of those will work, right? Your biometrics, CCTV, alarm doors, security guards, they all will work as a security measure. But your best, one of your best physical security measures, is your biometric scanners.
Security guards are very expensive, and that's not there for the best. It can be very effective, but it isn't necessarily the best because of the cost that goes with it, whereas biometric scanners provide the highest level of authentication, as they have unique biological characteristics that are tied to it.
They're very hard to get around. A security guard, depending on where you work, maybe that security guard likes donuts and then you can get around that person with donuts, but most security guards are very professional in what they do. You just never know. You never know. Question 15: Lisa is planning a penetration test. What should be her first step?
A, reconnaissance; B, scanning; C, planning and authorization; or D, gaining access. So Lisa is planning a penetration test. What should be her first step? We talked about reconnaissance, scanning, planning and authorization, or gaining access, and the answer is C, planning and authorization, before conducting any form of penetration test. I highly recommend this.
You need to have proper planning and authorization before you do it. If you don't have that, you can get really squishy really quick, because now you can be considered a hacker and then you get yourself into legal trouble very, very quickly. It's problematic, believe me. I always had a get-out-of-jail-free card any time we did any sort of penetration testing.
All right, that's all I have for you today on CISSP Cyber Training. Hope you guys have a wonderful day. I really truly do. I hope things are going well for you in your life and I hope you're studying hard for your CISSP.
The ultimate goal of CISSP Cyber Training is to help give you the tools you need to pass the CISSP exam and move on in your career. All right, thanks a lot for joining and we'll catch you on the flip side. See ya.