Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started.
Good morning. It's Sean Gerber with CISSP Cyber Training. Hope you all are having a wonderfully blessed day today. Today's an amazing day. Why is today amazing? Well, because it's CISSP Question Thursday. Yes, and we are going to be getting into some questions as it relates to domain 3.1.2 and 3.1.3.
But there's some various questions that we'll have that you can gain access to directly through cisspcybertraining.com. Go ahead there and you can get them immediately. Yes, you can. All right, but before we get started, we want to talk about one little article I saw come out today, and if you deal in the United States, you deal with a company called Cox, C-O-X.
Cox has a situation set up where they're potentially, they're supposedly an authorized bypass that are issued that's dealing with the Cox modems. Now, I don't know if you all have dealt with Cox as your service provider. So I have ISPs. Cox is one of them.
There's many other ISPs out there, but Cox is a very large company within the United States and they are an internet service provider that provides, obviously, your bandwidth to many, many residential locations.
Well, supposedly there is a potential challenge with the Cox modems that could be abused and it could provide unauthorized access to devices to run malicious commands. Now, this came out of the Hacker News, and you can actually be able to see this in the show notes. It's "Researcher Uncovers Flaws in Cox Modems" and the Hacker News.
An interesting part about this, though, is I don't know if you all are aware, but many, many people in the country have Cox available to them, and they're basically these issues were addressed by the broadband provider within about 24 hours, so they did say that they were able to get this issue resolved very quickly.
However, they can't confirm if it's been abused over the past.
Now, one thing that's interesting about this, and I mentioned this in the podcast on Monday, was around the fact of exposed APIs, and I say this: exposed APIs, I feel, are probably one of the largest data exfiltration points within an organization, because, in many cases, organizations really truly do not understand how many API connections they have leaving their
organization or connected into their organization, and so, if you're not familiar, an API is a connection that will allow for standard protocols between.
It's basically an application programming interface is what they call it, but it's basically a standard protocol that allows you to communicate with traffic back and forth between applications, and it works really well because it allows for the streamline of data transfers versus having to have gateways in between or just having just communication challenges, so it makes a
really good, easy way to communicate. Well, because of that, though, many people stand them up, and if they stand them up, they don't always know that they exist, and so there was a situation where, supposedly, some external APIs were set up with these Cox systems.
Now, again, no one can guarantee or can say that this was actually manipulated by people, but the interesting part is that this is a lot of different organizations that have Cox, as well as a lot of homeowners that have it, so I will say that I've never been real impressed with the Cox modems as themselves.
They seem a little janky and they don't really give you the ability to do a whole lot with them, which I'm not a big fan of. But, again, something to check out if, supposedly, they have fixed this issue as it relates to Cox, but you may want to ask them a little bit about that.
All right, so let's get started, as it relates to our questions for today. So, again, at CISSP Cyber Training. You can go there. You can get access to all these questions and many, many more, as it relates to the CISSP exam. This is going to be again over domain 3.1.2 and 3.
So question one: a company is migrating its data storage to a cloud platform. The cloud provider offers multiple encryption options, including AES-128, 256, and proprietary encryption algorithm. Which encryption standards should the company prioritize for maximum security?
Okay, so, basically they're moving to a cloud platform and they have different versions: 128, 256, 256 and a proprietary encryption algorithm. When you hear proprietary, get very squeamish. A: AES-128 is faster and more efficient. B: AES-256, it offers stronger encryption key length. C: the proprietary encryption algorithm for vendor-specific benefits.
And then D: it doesn't matter, all options provide sufficient security. Well, the answer is B, 256, right? So while both 256 and 128 are considered secure, it does offer a longer key length, that's 256, making it much more resistant to brute force type attacks. So you would go with that one. Question two: a company utilizes database with a complex data schema.
Developers interact with the database through custom APIs that expose only specific data elements relevant to their tasks. That's a good thing. What security principle is demonstrated here? A: data hiding, as sensitive data elements are concealed from developers. B: abstraction, as the API simplifies the database interaction for developers.
Or C: access control, as the API restricts developer access to certain data. Okay, so again, let's think about that for just a second. The company's database with a complex data schema. Developers interact with the database through custom APIs that expose only specific data elements relevant to their tasks. Which security principle is demonstrated?
And the answer is D, both B and C, abstraction and access controls. Again, that's the big factor around, that is, we use the abstraction layer, hiding the database complexity and exposing only necessary functionality, whereas it also enforces access controls by limiting their abilities of the developers.
Question three: a company embeds secret message within an image to conceal its existence. This technique is most closely related to A: steganography, as it hides data within another file. B: encryption, as it scrambles data and message confidentiality. C: data hiding, as it prevents unauthorized access to the message.
Or D: hashing, as it creates a unique fingerprint to verify data integrity. And the answer is A, steganography. We talked about that in the podcast. It's basically hiding files inside of another file and you want to watch the size of that, but then you have to understand what size is the file supposed to actually be?
Question four: a company implements access control list on a file server, allowing for specific users read-only access to certain files. Additionally, some highly sensitive files are renamed with generic names, making them less conspicuous. Which security principle are is at play here? Principles are at play.
So a company implements an access control list on a file server, allowing specific users read-only access to certain files. Additionally, some highly sensitive files were renamed with generic names. Which security principle is working here? A: defense in depth and data hiding are both employed. B: abstraction simplifies it for users and access controls enforce control.
C: encryption protects the data and ACLs restrict access permissions. Or D: steganography hides the data within other files and ACL controls access. And the answer is A, defense in depth and data hiding are both employed. So basically, you've got it through access controls are in place, as well as your data hiding piece with your tokenization.
Question five: a company needs to encrypt the data at rest on its servers. Which of the following is most relevant factor when deciding between symmetric and asymmetric encryption? So a company needs to encrypt data at rest on its servers. Which the most.
Which of the following is the most relevant factor when deciding between the symmetric and asymmetric encryption? A: processing power required for encryption and decryption. B: the need for secure key distribution and management. C: scalability of encryption solutions for large datasets. And D: all of the above are important. And the most relevant factor is D.
All of the above are important, both processing power, key distribution and scalability of the encryption solution. Question six: a company implements a new operating system with pre-configured settings that disable unnecessary services and enforce strong password policies.
How does this demonstrate a security principle? Which one is it? A: data hiding, as sensitive information is concealed from users. B: encryption, as data is scrambled for confidentiality. C: data are secure defaults, as the system is pre-configured with a more secure state. Or D: abstraction, as a complexity of the security settings is hidden from users.
So again, we're talking disable unnecessary services and strong password policies. It would be C, secure defaults, as they're pre-configured to be a more secure state. Question seven: a company segments its network, placing the development environment in a separate zone from the production environment. How does this contribute to data hiding?
Okay, they segment their network from separate zones in the production environment. How does this contribute to data hiding? A: it hides the data context, making it invisible. B: it restricts access to development data, hindering unauthorized viewing. C: it conceals the existence of development environment altogether.
Or D: it doesn't directly contribute to data hiding, but improves security. So what does this contribute? It's B: it restricts access to development data, hindering unauthorized viewing. Question eight: a company encrypts its data at rest, in transit and in use. How does this exemplify DEMP defense in depth?
A: encryption places the need for other security controls, or replaces the need for other security controls? B: it protects the data in multiple states, adding layers of security. C: strong encryption algorithms ensure data remains unreadable. Or D: encryption simplifies access controls for authorized users.
And the answer is B: it protects the data in multiple states, adding layers of security, like we talk about again, defense in depth. You want to have multiple layers to one, stop them, and two, to also trip them up. Question nine: a security analyst configures a secure boot on a laptop.
How does this relate to the concept of abstraction, abstraction and secure boot? A: secure boot hides the underlying boot process complexity from the users. B: it prevents unauthorized modification of the boot settings and simplifies the management. C: encryption is applied to the boot process, making it more secure.
Or D: secure boot doesn't directly relate to any sort of concept of abstraction. And the answer is A: secure boot hides the underlying boot process complexity from the users, again forcing them to have unauthorized modifications at a deeper level, while the users interact with the operating system as they typically would. Question 10.
A company encrypts sensitive data with strong encryption algorithm. However, all encryption keys are stored on a single server with minimal security control. Not good. What is the biggest security risk in this scenario? Okay, well, let's see what you all think. A: the encryption algorithm itself might be weak and easily broken.
B: the encryption might be slow in data processes, which affects access times. C: the lack of access controls in the server storing the encryption keys. Yeah, ding, ding, ding, ding, ding. Or D: the users might not be trained on how to properly use the encryption software. Yeah, that's C. You put all this stuff in one basket and you don't take care of it.
You're going to have problems with that. Encryption keys are compromised, then it's a jackpot for the bad guys and girls. Question 11: a company uses a hashing algorithm to verify the integrity of downloaded software files. An attacker modifies the software before uploading it. How will this impact the verification process?
Okay, they're using a hashing algorithm to verify the integrity of the downloaded software, so integrity of software. Attacker modifies the software before uploading it. How will this impact the verification process? A: the hash value remains unchanged, allowing for compromised software to pass verification.
B: the hash value will be different, raising red flags about the file's integrity. C: the encryption would be more effective solution for verifying the software integrity. Or D: hashing only ensures confidentiality, not data integrity. So again, the hashing provides a unique fingerprint. That's the key, right?
And the answer is B. Any modification of the data will result in a different hash value. This alerts would be in the case. So you'd want to make sure that if you're going to be doing hashing algorithm is the integrity of the downloaded files.
You'd want to make sure that if they're making changes to the file, okay, you want to make sure that that has been double-checked and modified. So it would make sure that the hashing algorithm matches with what the file should be. Question 12. A company utilizes sandbox environment to test untrusted code.
How does this approach demonstrate the concept of abstraction? A: sandboxing simplifies the testing process by isolating the code. B: it hides the complexity of the underlying system from the tester. C: sandboxing restricts code access and resources and prevents harm. Or D: both B and C are correct? Which hiding and sandboxing restricts?
And the answer is D, both B and C are correct. It hides the complexity of the underlying system and it restricts the code's access to resources and prevents harm. Question 13. A company implements DLP to prevent unauthorized data exfiltration. How does this relate to the concept of access controls?
A: DLP complements the access controls by monitoring the data movement and identifying suspicious activity. DLP focuses on data in transit, while access controls restricts access to data at rest. B: DLP replaces the need for access controls altogether. C: DLP forces the data out encryption, making it invisible for exfiltration attempts.
And the answer is DLP complements the access controls by monitoring data movements and identifying suspicious activity. Question 14: the security team monitors various security metrics, such as firewall logs and intrusion detection alerts. How does this contribute to the defense in depth? Again, they monitor various things and how does this contribute to defense in depth?
A: security metrics provide a clear picture of the overall security posture. B: monitoring allows for early detection and potential security incidents. C: analyzing metrics helps identify weaknesses in existing security controls. D: all of the above contribute to defense in depth. And the answer is all of the above, right? Security metrics,
monitoring and analyzing them all help around defense in depth. Question 15. A company implements a strict patch management process to ensure all systems are updated with the latest security patches. How does this relate to the concept of secure defaults? Again, they have a strict patch management process. How does this relate to secure defaults?
A: patching vulnerability strengthens existing security configurations. B: secure defaults eliminate the need for regular patching altogether. C: patching might introduce new vulnerabilities or compatibility issues. Or D: both A and C are correct. And the answer is D, both A and C are correct.
Patching vulnerability strengthens existing security controls and patching might introduce new vulnerabilities or compatibility issues. So, again, those are all situations that they have to work through. Okay, that's all I've got for you today on CISSP Cyber Training. Hope you guys have a wonderful day.
Head on over to cisspcybertraining.com for this video, for access to my content. You will love it, guaranteed. I guarantee you. Get on my email list and we will be getting updates on a regular basis on all great things that are happening at CISSP Cyber Training. Have a wonderful day, everyone, and we will catch you on the flip side, see ya.