Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and today is Thursday. We're going to be doing CISSP exam questions, so get ready, get buckled up, and let's see what you can think about as it relates to the CISSP exam questions.
Now I want to let you know that these CISSP exam questions are available to you at CISSP Cyber Training as well.
So all of the information that we go through here, I have a vulnerable... or vulnerable, I've been talking security too long... a variable list, a long list of CISSP questions that you can get at CISSP Cyber Training, and these are part of those questions I come out with, probably anywhere from 15 to 30 questions every week, usually.
It's sometimes a little bit more than that, but it's around 30 questions a week is what I usually come up with, and I add that to my overall bucket and list of overall questions that you can study so that you can be prepared to pass the CISSP exam.
And this is all part of my CISSP blueprint that I have available to my members of my CISSP training course. Okay, so we're going to get into the questions.
We're going to see how they all play out. All right, so what does the STRIDE methodology stand for?
Okay, for you guys that are listening, I'm going to walk through all the questions and then you see if you can think of it while you're driving or wherever you're at and you're listening to this. A: security, tampering, replication, intrusion, denial of service, escalation of privileges. That's A.
B is spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege. C is security, tampering, repudiation, intrusion, denial of service, escalation of privileges.
And then D is spoofing, tampering, replication, information disclosure, denial of service and elevation of privilege. So if you know STRIDE, okay, that deals a lot with... and I'm not going to go through all those again because that's a mouthful of words, but STRIDE is an acronym. It stands for spoofing, okay.
So again, as you're going through these questions, you know spoofing is one. So that could throw out, in the case of a multiple choice, two of the four questions. Tampering, repudiation, information disclosure, denial of service and elevation of privilege, those are the parts of STRIDE. So the answer is B.
Now if you look at D, if you're seeing this on the video, you'll see that the difference with D is it's replication versus repudiation. So don't focus on replication. In security, we don't really talk about replication a lot. We talk about repudiation a lot.
So if you didn't know, you go, these terms don't seem like this, replication doesn't seem like a security term, more of a networking term. Then you may want to at least glom on to B. So the point is just narrow down your focus on what is the actual right question. All right.
So I'm sorry, I'm fighting a little bit of a cold, so I apologize if I sound a little congested. What are the main components of a threat model in the context of cybersecurity?
A: assets, vulnerabilities, threats and mitigations. B: assets, adversaries, threats and mitigations. C: assets, adversaries, attack vectors and mitigations. Or D: adversaries, vulnerabilities, threats and mitigations. Okay, so if you notice, right now you get assets.
So assets has got three of the four. I'd probably pick assets if I didn't know. And when you're dealing with adversaries, that is probably something you won't understand when it comes to threat modeling.
So I'd narrow that down to B and C, and then, when it really comes right down to it, C. The main components of a threat model are assets, adversaries, attack vectors and mitigations. What is the main focus of the TRIKE methodology in threat modeling? A is data, B is systems, C is people, D is processes.
Well, if you listened to the last podcast, the TRIKE methodology, the main focus of that threat modeling is data. So the answer is D... or, it's A. The answer is A, data. So the TRIKE methodology does focus on a highly data-centric approach. Which of the following steps in the threat modeling process involves the use of STRIDE or DREAD?
That's another one that you're going to have to know for your CISSP, is DREAD. Okay, so A is identifying assets, B is identifying potential assets, C is identifying potential threats, or D is identifying and implementing controls. And the answer is C.
Identifying potential threats involves the use of methodologies like STRIDE or DREAD. Which threat in STRIDE refers to an act that modifies or alters data or the system configuration?
So you get A is spoofing, B is tampering, C is repudiation, or D is information disclosure. Again, modifying or altering the data is tampering, right? So that's B. Tampering refers to the act of modifying or altering data or the system configuration. Which of the following is not a component of a threat in the context of threat modeling?
A, a vulnerability. B, an asset. C, an adversary. Or D, an impact. Okay, so which is not a component of a threat in the context of threat modeling? So the components of the threat are vulnerabilities,
assets and adversaries; those are all components that are tied to threat modeling. D, the impact, is a result of a successful threat but is not a component of the overall threat. So I hope that makes sense to you guys.
Which of the following threat modeling methodologies focuses on data flow diagrams? Okay, so we talked about data flow diagrams earlier in our CISSP Cyber Training; that was on the podcast that was on Monday. So A is PASTA, B is STRIDE, C is TRIKE, or D is OCTAVE. Okay, so we talked about it.
So, if you go, well, since we talked about it, then it would be STRIDE or TRIKE, you'd be correct, but remember, TRIKE was focused on data and STRIDE was focused on data flow diagrams. That is STRIDE, so it would be B. STRIDE is focused on data flow diagrams. What does the R in STRIDE stand for? Again: A, recognition; B, replication.
We talked about the replication thing. C, repudiation, or D, restoration. And the answer is C, repudiation. That's what the R stands for in STRIDE. What is the main goal of threat modeling? A, to comply with legal requirements. B, to identify potential threats and develop appropriate countermeasures.
C, to purchase suitable cybersecurity insurance, or D, to train IT staff about cybersecurity. Okay, so you can do all of... I mean, well, you can definitely train staff about it, but that's not the main purpose behind it. Right, you can purchase security insurance by doing your STRIDE. That'll help you understand your overall threat modeling.
It'll help you understand what you need to do. But when it really comes right down to it, the main goal of threat modeling is to identify potential threats and develop the appropriate countermeasures behind it. Each of those is helpful, not necessarily the legal requirements, but I mean you could have some legal requirements.
I guess I've never seen that, but you could. But definitely C and D are a byproduct of doing threat modeling. But the overall answer is B, to identify potential threats and develop appropriate countermeasures. Which methodology involves creating a threat model that is at the design phase of a system or application?
A, STRIDE; B, DREAD; C, CVSS, which isn't one; and then D, OWASP. Okay, that's really not a threat model either. So then, when it comes right down to it, if you knew CVSS isn't one and OWASP isn't one, you could narrow it down to STRIDE and DREAD.
But when it comes right down to it, which one did we talk about? We talked about STRIDE, but STRIDE is a threat model that is at the design phase of the system or application. That would be A, STRIDE. What type of threat does the E in STRIDE represent? A, encryption; B, endpoint; C, elevation of privileges; or D, exfiltration.
And the answer is C. Elevation of privileges is what we want. That's what the E is for in STRIDE; we focused on that. In threat modeling, what does the adversary represent? A, a security control? No. B, a vulnerability? Yeah, no. C, an asset? No. The answer is D, a threat actor. That is correct. That is the adversary.
Now, that threat actor can be multiple things. It could be a hacker that's sitting in Bangladesh, or it could be the person that's sitting right next to you in the cubicle.
That is what a threat, an adversary, would be, and that is represented as a threat actor. In the context of STRIDE, what does information disclosure mean? A, gaining unauthorized access to the information. B, tampering with the information. C, unauthorized alteration of the information. Or D, releasing the information to the public.
Okay, so, in the context of STRIDE, what does information disclosure mean? And that means A, gaining unauthorized access to the information; that is referred to as information disclosure. Which of the following is not part of the threat modeling process? That is A, identifying potential threats. Identifying vulnerabilities is B.
Identifying assets is C, and then identifying network architecture is D. That's a pretty easy one, right? The answer is D, because we've talked about all of A, B and C, but we have not really talked about identifying network architecture, so that would probably not be part of the threat modeling process.
And then, which of the following is true about threat modeling? A, it focuses only on external threats. No. B, it is performed only after a security breach has occurred. Yeah, no, that's B. C, it involves proactive identification and mitigation of threats. Hmm, maybe. And then D, it's a one-time activity that does not require updates or maintenance.
Yeah, that's not it either. So the answer would be C. Again, it's proactive identification and mitigation of threats, and it is always an ongoing activity and should always be updated on a routine basis. All right, that's all I got for you today. I hope you guys have a wonderful day. Go check me out at CISSP Cyber Training.
Check out the blueprint, you will be happy you did, and we'll catch you on the flip side. Have a wonderful day and have a great week. Talk to you later. Bye.
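As an added worked example, not part of the podcast or of CISSP Cyber Training's materials: the questions above tie STRIDE to data flow diagrams and to the "identify potential threats" step. The script below shows one way that step is actually done, the STRIDE-per-element approach, in which each kind of DFD element (external entity, process, data store, data flow) is checked only against the STRIDE categories that apply to it, and any flow that crosses a trust boundary is flagged so it gets reviewed first. The applicability table follows the Microsoft SDL STRIDE-per-element chart; the three-tier web DFD, its element names and its trust zones are constructed sample input.

```python
"""STRIDE-per-element threat enumeration over a small data flow diagram.

Added illustration. The applicability table follows the Microsoft SDL
STRIDE-per-element chart; the sample DFD below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The six STRIDE categories, keyed by their letter in the acronym.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE letters apply to which kind of DFD element. A data flow has
# no identity to spoof and no code to escalate in, so it gets only T, I, D;
# an external entity is outside our control, so only S and R apply to it.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                  # one of the APPLICABLE keys
    trust_zone: str            # e.g. "internet", "dmz", "internal"
    src: Optional[str] = None  # data flows only: source element name
    dst: Optional[str] = None  # data flows only: destination element name


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool     # True when a flow spans two trust zones


def enumerate_threats(dfd: List[Element]) -> List[Threat]:
    """Apply the STRIDE-per-element table to every element of the DFD."""
    by_name: Dict[str, Element] = {e.name: e for e in dfd}
    threats: List[Threat] = []
    for e in dfd:
        if e.kind not in APPLICABLE:
            raise ValueError(f"{e.name}: unknown element kind {e.kind!r}")
        crosses = False
        if e.kind == "data_flow":
            if e.src not in by_name or e.dst not in by_name:
                raise ValueError(f"{e.name}: flow endpoint not in diagram")
            crosses = by_name[e.src].trust_zone != by_name[e.dst].trust_zone
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter], crosses))
    # Boundary-crossing threats are where the review effort goes first;
    # sorted() is stable, so element order is preserved within each group.
    return sorted(threats, key=lambda t: not t.crosses_boundary)


def categories_for(threats: List[Threat], element: str) -> List[str]:
    """Return the STRIDE categories raised for one named element, in order."""
    return [t.category for t in threats if t.element == element]


# Constructed sample DFD: a browser on the internet talking to a web app in
# the DMZ, which queries a database on the internal network.
SAMPLE_DFD = [
    Element("Browser", "external_entity", "internet"),
    Element("WebApp", "process", "dmz"),
    Element("Database", "data_store", "internal"),
    Element("HTTPS request", "data_flow", "internet", src="Browser", dst="WebApp"),
    Element("SQL query", "data_flow", "dmz", src="WebApp", dst="Database"),
]


if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_DFD):
        flag = "BOUNDARY" if t.crosses_boundary else "        "
        print(f"{flag}  {t.element:<14} {t.category}")
```

Run as a script it prints 18 candidate threats for the five elements, the six raised by the two boundary-crossing flows listed first. That list is the raw output of the "identify potential threats" step; rating and prioritising each entry (the kind of thing DREAD is used for) and choosing mitigations are the later steps the questions above refer to.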