Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a blessed day today. Today we are rolling into the holiday season and therefore we have a lot of great things to be thankful for, and one is the CISSP Cyber Training Podcast.
Yes, yes, indeed, you should be very thankful for it, just joking. So I hope you guys are having a wonderful day and I hope you have great plans set up for your Christmas holidays, and here in the Gerber household in Wichita, Kansas, things are getting very festive, having to deal with children, grandchildren, all those fun things.
So it is a great time. Well, so we're going to be talking today about a wonderful topic, and the topic is Thursday. That's not the topic, but today is Thursday. So the topic is, yes, you guessed it, CISSP Exam Question Thursday.
So today we're going to be talking about various exam questions that cover all eight domains. I went down this path because of the holidays, and you can get free CISSP exam questions on my site, and I'm using some of those free exam questions today. We'll get back to domain one and kick off again here in a couple of weeks, once we get through the first of the year, and go from there.
So let's roll into question one. What does the STRIDE methodology stand for as it relates to threat modeling? Again, what does the STRIDE methodology stand for as it relates to threat modeling?
A: security, tampering, replication, intrusion, denial of service, escalation of privileges. B: spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege. C: security, tampering, repudiation, intrusion, denial of service, escalation of privileges.
Or D: spoofing, tampering, repudiation, replication, information disclosure, denial of service, elevation of privilege. So again, when you look at this, you want to consider what the answers are and which of them have the terms of threat modeling in them.
Well, if you go through answers A and B, they have security as the first word and that's not a threat modeling term, so you can throw those two out immediately. Then the next ones you come down to are basically B and C, and you'll be able to see, or B and D.
You'll be able to see these on CISSP Cyber Training, as well as on YouTube at some point, and the video would show you a little bit more. Bottom line is the word in there: replication versus repudiation.
Those would be the key terms that you would glom onto, and you would say, okay, well, it's repudiation, because that's a threat modeling term. Replication is not, so therefore the answer would be repudiation, and that would be B. All right, so then question two, security risk management. This is that domain.
Which one of the following represents the highest level of confidentiality in a mandatory access control model? Again, which of the following represents the highest level of confidentiality in a mandatory access control model? A: unclassified. B: confidential. C: secret. Or D: top secret.
Now, it's probably pretty obvious, but again the question is which of the following represents the highest level of confidentiality in a mandatory access control model?
So, in a MAC model, the answer is D, top secret. In a MAC model, the levels of confidentiality from lowest to highest are unclassified, confidential, secret, and then the ultimate goal of top secret. Question three: which of the following is a primary purpose of data classification in an organization?
Again, which of the following is a primary purpose of data classification within an organization? A: to reduce cost. B: to minimize resource allocations. C: to maintain compliance with laws and regulations. Or D: to speed up data processing. Again, which of the following is a primary purpose of data classification in an organization?
Now, there are lots of different reasons for doing data classification, but in this question, which would be the primary purpose? That would be to maintain compliance with laws and regulations, and that is C. It does help you ensure compliance with these various regulatory requirements around data handling and protection.
One of the things that comes into that is GDPR, which does require that level of understanding, especially with data handling and its overall protection. Question four: what is the difference between a stateful inspection firewall and a stateless firewall? Okay, so what is the difference between a stateful inspection firewall and a stateless firewall?
A: a stateless firewall inspects content, whereas a stateful inspection firewall only inspects headers. B: a stateless firewall is application-aware, whereas a stateful inspection firewall is not. C: a stateful inspection firewall can't filter packets, whereas a stateless firewall can.
Or D: a stateful inspection firewall remembers the state of connections, whereas a stateless firewall does not. Okay, so what is the difference between a stateful and a stateless?
And the answer is D. Stateful firewalls keep track of and remember the state of the network connections, such as your TCP or UDP communications, which does allow you to have much more granular security policies. So the answer is D: a stateful inspection firewall remembers the state of connections, whereas stateless firewalls do not.
Question five: in a VPN, what does perfect forward security refer to? Again, in a VPN, what does perfect forward security refer to? A: the ability to secure communications when the session key is compromised. B: guaranteeing the integrity of data transfer by using hashing algorithms. C: ensuring that past session keys are safe even if the private key is compromised.
Or D: the ability to prevent replay attacks. Again, in VPNs, what does perfect forward security refer to? And the answer is C: ensuring that past session keys are safe even if the private key is compromised. That is what perfect forward security, or secrecy, means. So, basically, PFS. You may see the answer as that.
It's a session key that's derived from a set of long-term keys that will not be compromised if one of the long-term keys is compromised in the future. That is perfect forward security, and I know I've heard of other places trying to incorporate that level of security.
It does take a bit more work to do so, but it's definitely worth it if you can make it happen. Question six: which of the following is not an example of a type three authentication factor? Again, type three. What is it? You need to know what type three is.
If you understand what that is, you need to know that type three would be something you are. Okay, so let's consider that one. Which of the following is not an example of a type three authentication factor? A: fingerprint. B: facial geometry. C: retina scan. Or D: smart card.
Which of the following is not an example of type three authentication, which is something you are? That would be D, a smart card. A smart card is something you have; thus it is type two, not type three, which is something you are. Question seven: when conducting a vulnerability assessment, what kind of result would be considered a false positive?
A: a non-existent vulnerability flagged as existing. B: an existing vulnerability flagged as non-existent. C: an existing vulnerability flagged as existing. Or D: a non-existent vulnerability flagged as non-existent. And the answer is B: an existing vulnerability flagged as non-existent.
Basically, false positives in vulnerability assessments refer to a situation where the system flags a vulnerability that does not exist. Question eight: what is the primary purpose of an intrusion detection system? Again, what is the primary purpose of an IDS? A: prevent attacks. B: detect attacks. C: recover from attacks.
D: assess damage from an attack. What is the primary purpose of an intrusion detection system? It is B. I can't figure it out myself. It's B, detecting an attack. These systems are primarily designed to detect potential attacks and alert folks to what's going on. That's the ultimate purpose of them. Question nine.
What is the key principle in the waterfall model in software development? Again, what is the key principle of the waterfall model in software development? A: iterative development. B: continuous integration. C: concurrent activities. Or D: sequential phases.
Again, what is the key principle in the waterfall model in software development? It is D, sequential phases. The waterfall model is a linear, sequential, non-iterative approach to software development where development basically flows downwards through the various phases. Question ten: what is the primary objective of a business impact analysis?
A: to assess potential vulnerabilities in an organization. B: to calculate an organization's annual budget. C: to identify critical business functions and their dependencies. Or D: to assess the overall security posture of an organization. So what is the primary objective of a business impact analysis? The answer is C: identify critical business functions and their dependencies.
I've done this numerous times, where we put a BIA together looking to see where the essential business functions are, to determine what happens if they didn't work anymore. Basically, if there was a ransomware attack and they went down, how would you recover from that situation?
And this helps in developing strategies for effective business continuity and disaster recovery plans. Question eleven: what is the primary purpose of a data loss prevention system? A: to provide backups of the data. B: to ensure data confidentiality and prevent unauthorized data exfiltration. C: to protect against data corruption. Or D: to speed up data recovery processes.
So what is the primary purpose of a DLP system? And the answer is B. DLP systems help prevent unauthorized data exfiltration and protect sensitive data from being accessed, modified, or transferred by unauthorized users. Question twelve: in a system designed for high availability, what is the purpose of failover clustering? Again, high availability for these systems.
They need to be up and operational a lot. A: to provide fault tolerance. B: to increase computing power. C: to provide load balancing. Or D: to improve network security. So what is a high availability system and what is its purpose for failover? That would be A, to provide fault tolerance.
Failover clusters are basically set up so that if one node fails, another node will take over to ensure you have continuous service, thus providing fault tolerance. Question thirteen: in terms of network security, what does the term defense in depth refer to?
Again, what does defense in depth mean? And the answers: A: placing all defenses at the network perimeter. B: implementing multiple layers of security controls throughout the IT system. C: implementing the strongest possible defenses. Or D: defending in all directions.
Okay, in terms of what defense in depth means, it is B: implementing multiple layers of security controls throughout your entire IT system.
This defense in depth strategy employs multiple layers of defenses to slow down an attacker and protect the system, but it's also to provide what we call little trips, like in the days of having a Claymore mine. You'd trip a trigger and it would send off an alert, send off a sound, and that's the same concept as it relates to question thirteen.
Question fourteen: what does the principle of least privilege mean? A: every user must know the minimum about the system. B: users should have privileges regularly reduced. C: users should be given the minimum level of access required to do their jobs. Or D: all users should have the same level of access.
What does the principle of least privilege mean? And the answer is C: users should be given the minimum level of access required to do their jobs. Basically, the minimum access to perform their job is important because it does reduce the potential damage from accidents or even misuse. Last question: what is the main goal of penetration testing?
Okay, what is the main goal of penetration testing, or pen testing? A: find as many vulnerabilities as possible. B: gain unauthorized access to a system. C: test the organization's incident response capabilities. Or D: test the effectiveness of the security controls in place. Again, the main goal. So you get: find as many vulnerabilities. The pen test won't do that.
Gain unauthorized access to systems: it will, but that's not the main goal. Test the organization's incident response process: that's also a secondary goal, but the primary one would be to go and effectively check the security controls in place to see if they are set up so that they can protect from exploitation. All right, all right, that's all I have for today.
I hope you guys have a wonderful, wonderful day, have a great Christmas holiday, and we will catch you on the flip side. See you.
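As an added illustration of question four, not part of the podcast transcript and not the host's own material, here is a small Python model of what "remembering the state of connections" buys you. The packet trace, addresses and ports are constructed for the example. The stateless filter mirrors the traditional per-packet ACL that admits any inbound TCP segment with ACK or RST set on the assumption that such a segment must be a reply; the stateful filter records connections that an inside host opened and admits inbound packets only when they match one, so a forged ACK probe at an unrelated port is dropped. The TCP state machine is deliberately simplified (a FIN or RST in either direction tears the entry down).

```python
"""Stateless vs stateful packet filtering over a constructed packet trace."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "out": from the protected network, "in": toward it
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


def stateless_filter(pkt: Packet) -> bool:
    """Per-packet rule with no memory of earlier packets. Outbound is allowed;
    inbound TCP is allowed only if ACK or RST is set, the classic 'established'
    ACL heuristic. Anyone can set those bits, so this is trivially spoofable."""
    if pkt.direction == "out":
        return True
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Tracks connections the inside opened and admits inbound packets only
    when they belong to one (simplified TCP handshake tracking, UDP pinholes)."""

    def __init__(self) -> None:
        # key: (proto, inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    def allow(self, pkt: Packet) -> bool:
        return self._outbound(pkt) if pkt.direction == "out" else self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "udp":
            self.table[key] = "ESTABLISHED"   # a datagram out opens a reply pinhole
            return True
        state = self.table.get(key)
        if state is None:
            if pkt.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"  # inside host starts a handshake
                return True
            return False                      # stray segment with no connection
        if state == "SYN_RECV" and "ACK" in pkt.flags:
            self.table[key] = "ESTABLISHED"   # third step of the handshake
        if pkt.flags & {"FIN", "RST"}:
            self.table.pop(key, None)         # simplified teardown
        return True

    def _inbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False                      # nobody inside asked for this
        if pkt.proto == "udp":
            return True
        if state == "SYN_SENT":
            if pkt.flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECV"
                return True
            return False
        if state == "SYN_RECV":
            return False                      # still waiting for our own ACK
        if "ACK" not in pkt.flags:            # ESTABLISHED: data must carry ACK
            return False
        if pkt.flags & {"FIN", "RST"}:
            self.table.pop(key, None)
        return True


# Constructed trace: one legitimate HTTPS session plus two unsolicited probes.
INSIDE, WEB, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
TRACE = [
    Packet("out", "tcp", INSIDE, 51000, WEB, 443, frozenset({"SYN"})),
    Packet("in", "tcp", WEB, 443, INSIDE, 51000, frozenset({"SYN", "ACK"})),
    Packet("out", "tcp", INSIDE, 51000, WEB, 443, frozenset({"ACK"})),
    Packet("in", "tcp", WEB, 443, INSIDE, 51000, frozenset({"ACK"})),      # reply data
    Packet("in", "tcp", ATTACKER, 443, INSIDE, 3389, frozenset({"ACK"})),  # forged ACK probe
    Packet("in", "tcp", ATTACKER, 40000, INSIDE, 22, frozenset({"SYN"})),  # unsolicited SYN
]


def run_stateless(trace=TRACE):
    return [stateless_filter(p) for p in trace]


def run_stateful(trace=TRACE):
    fw = StatefulFilter()
    return [fw.allow(p) for p in trace]


if __name__ == "__main__":
    for name, verdicts in (("stateless", run_stateless()), ("stateful", run_stateful())):
        print(f"{name:9s}", ["ALLOW" if v else "DROP" for v in verdicts])
```

Running it shows both filters passing the real handshake and reply, but only the stateless filter letting the forged ACK through to port 3389, which is exactly the gap that connection tracking closes; the same table is what lets a stateful firewall express policies such as "replies only" for UDP.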