Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Let's go. So we're going to roll right into the overall test questions that are tied to Domain 6.5, and again, we'll go over all these questions.
These are tied to the ones that we dealt with on Monday, and as we head through the overall training on Monday, this is going to be coming back and just reaffirming that training with the various CISSP questions. You can gain access to all these CISSP questions at cisspcybertraining.com. You can go over there. You can check them all out.
They are available to you. Just go ahead and purchase the product, and you can actually have access to all of these questions. You can also go to the website and get access to my free 30-day CISSP questions. You get 30 questions every single month that are available to you for an entire year. That's available as well.
That's for free. You also can go to CISSP Cyber Training and gain access to this video. That is on the website, it's on the blog, and that will also go over these questions as well. So there's a lot of great ways for you to be able to get the information you need to pass the CISSP. Okay.
Question one: which of the following assessment types is best suited for an organization looking to ensure compliance with ISO 27001 standards? Again, which of the following assessment types is best suited for an organization looking to ensure compliance with ISO 27001 standards? A, black box penetration testing. B, technical vulnerability assessments. C, internal audits. Or D, synthetic transaction testing? So which of the following assessment types is best suited for an organization looking to comply with 27001? And that would be C, internal audit.
An internal audit is usually structured in ways to evaluate the measures and the organization's internal controls against a set standard, such as ISO 27001, and they're specifically designed for assurance of this compliance and to identify the areas for improvement within the scope of the overall assessment.
Question two: what should be the primary consideration when choosing the type of security assessment for an organization? A, the cost of assessment. B, the organization's risk profile and the overall resources. C, preference of the management, the leadership. Or D, the availability of assessment tools.
Okay, so what should be the primary consideration when choosing the type of security assessment for an organization? And the answer is B, the organization's risk profile and the overall resources available. I deal with this time and time again. You definitely have to focus on the risk for your company.
It's just crucial that you don't come up with your preconceived notions of what you think it should be. You need to make sure that the organization's risk profile and the resources are available for them, and they should be tailored specifically for your organization's situation. Question three: regularly reviewing and updating security testing strategies is crucial.
For which of the following reasons? A, to maintain alignment with the organization's changing security needs. B, to comply with international testing standards. C, to ensure that the cost of testing remains constant. D, to follow the industry trends in security testing. So again, regularly reviewing and updating security testing strategies is crucial.
For which of the following reasons? A, to maintain alignment with the organization's changing security needs. So when an organization changes, you need to have regular reviews to ensure that the testing strategies remain relevant and effective in the face of the changing security threats. It's just, it's really an important factor.
Question four: when incorporating cloud security assessments into testing strategies, what is the most important new factor to consider? Again, when incorporating cloud security assessments into a testing strategy, what is the most important new factor to consider?
A, the physical location of the data center. B, the cost-effectiveness of cloud services. C, the ease of migrating to cloud services. Or D, the cloud service provider's own security policies and controls. Again, when incorporating cloud security assessments into the testing strategy, what is the most important new factor to consider?
And the answer is D, the cloud service provider's own security policies and controls. When moving services to the cloud, it is extremely important that you do assess the cloud service provider's security measures, what they have in place and how they will impact the security of your organization's data and the overall applications.
Which of the following best exemplifies the need for legal and regulatory compliance in security assessment strategies? Okay, so which of the following best exemplifies the need for legal and regulatory compliance in security assessment strategies? A, assessments that include checks for SQL injection vulnerabilities. B, audits that ensure employees' adherence to security training.
C, assessments tailored to GDPR and HIPAA requirements. Or D, penetration tests that simulate external attacks. Again, which of the following best exemplifies the need for legal and regulatory compliance in the security assessment strategies?
And the answer is C, assessments tailored to GDPR or HIPAA requirements. And the reason is compliance with legal and regulatory requirements such as GDPR and HIPAA: they're critical, and the assessments must be designed to address these specific requirements.
Again, when you're dealing with GDPR and HIPAA, you want the assessment to be tied directly to them, because you're going to have to submit that to somebody else as a requirement. Question six: a financial institution is conducting a vulnerability assessment. Which tool is most appropriate for this purpose? A, Nessus. B, Metasploit. C, Wireshark. Or D, Snort?
Okay, so again, you're doing a vulnerability assessment. This is where you have to know some of the tools that you're going to be dealing with. So I'll just kind of quickly go from Nessus. Well, that's the vulnerability assessment. Ah, Metasploit, you're dealing a lot with pen testing type activities.
Wireshark is something you would put on the line, and you would be measuring and monitoring traffic going across the line. And Snort, these are like Snort rules. I deal with your SIEM, your security incident and event management tool. That's where Snort rules will be put in place for something like that.
So the answer is A, Nessus, and it's a tool widely used for vulnerability assessments. Okay, and it's capable of scanning systems for known vulnerabilities. Question seven: when conducting ethical hacking exercises, what is the primary goal of performing a black box test on a new web application?
A, to evaluate the security awareness of the application and its users. B, to identify potential exploits in the application. C, to check for compliance with development standards. Or D, to assess the network infrastructure security. When conducting an ethical hacking exercise, what is the primary goal of performing black box tests on new web applications?
And the answer is B, to identify potential exploits in the specific application. Black box testing simulates an external attack with no prior knowledge of the system, basically aiming to uncover the potential exploits in web application security. I would use black box when, the fact of it is, there's no known knowledge. You will kind of do some scanning of that.
But the bottom line with a black box is you're just, you're going after it and you don't know much about it at all. Which of the following activities is most likely to detect signs of malicious activity within an organization's network? A, reviewing security logs. B, conducting synthetic transactions. C, performing code reviews. Or D, running compliance checks.
So which of the following activities is most likely to detect signs of malicious activity within an organization's network? And the answer is A, reviewing security logs. So, as you review the security logs, these are vital for detecting anomalies that may indicate malicious activities. Now, if you don't have logs, well, it's kind of hard to review.
So it's important that you do work with your security teams to make sure that you do have some level of logging and monitoring enabled. Question nine: in the context of synthetic transactions, what is the primary security concern that this testing method addresses? Okay, okay, the question again.
In the context of synthetic transactions, what is the primary security concern that this testing method addresses? A, performance bottlenecks in network infrastructure. B, user interface design flaws. C, the accuracy of financial transactions. Or D, security vulnerabilities during user interactions.
So, in the context of synthetic transactions, the primary security concern is D, security vulnerabilities during user interactions. This is important because these synthetic transactions are designed to simulate user interactions with the application, which can potentially reveal vulnerabilities that may be exploited during normal use.
I had guys that worked on this, and they basically ran what was like a robot that would act like a user, and they would look for vulnerabilities. Which of the following best describes the purpose of an account management audit in the context of security process data collection? A, to ensure user accounts have completed mandatory security training.
B, to verify that user accounts are managed according to the principle of least privilege. C, to track the creation and deletion of administrative accounts. Or D, to monitor the frequency of user password changes. So which of the following best describes the purpose of an account management audit in the context of security process data collection?
That's a mouthful, and the answer is B, to verify the user accounts are managed according to the principle of least privilege. So when you're doing account management audits, again, least privilege is the most important factor: that they only have the necessary rights to adhere to the principle that they are designed to have.
Question 11: management reviews in security processes are essential for which of the following reasons? So, again, management reviews in security processes are essential for which of the following reasons? A, to address the technical competence of the security staff. B, to evaluate the effectiveness of security policies and their adherence by the staff.
C, to review the financial budget. Or D, to analyze the impact of security measures on employee productivity. Okay, so management reviews in security processes are essential for which of the following reasons? And that is B, to evaluate the effectiveness of security policies and their adherence by the staff.
Again, when you're doing this, management reviews are crucial because of the security policies: you need to make sure that they're effective and whether the employees are actually following them as they are expected to do so. Question 12: in the context of compliance with agreements, third-party security standards are most likely reviewed during which of the following?
In the context of compliance with agreements, third-party security standards are most likely reviewed during which of the following? A, security audits of SLAs, your service level agreements. B, penetration testing. C, code testing. Or D, user access reviews. So, in the context of compliance with agreements, third-party security standards are most likely reviewed during which of the following? And that is A, security audits of service level agreements. Service level agreement audits are conducted to ensure that the third party is providing what they said they would and is meeting the agreed upon security standards and their obligations. Okay, question 13.
Which activity is most indicative of an organization's commitment to continuous improvement in security? So, most indicative of an organization's commitment to the continuous improvement in security? A, regular updates to the organization's risk assessment and management strategies. B, frequent changes to the security management team. C, consistent investment in new security technologies.
Or D, periodic redesign of the network infrastructure. So which activity is most indicative of an organization's commitment to continuous improvement in security? And the answer is A, regular updates to the organization's risk assessments and their management strategies. Question 14: what is the primary purpose of generating detailed reports after analyzing test reports?
Again, what is the primary purpose of generating detailed reports after analyzing the test reports? A, to maintain logs of all security tests conducted. B, to allocate budgets for future security investments. C, to document your findings, risks and provide recommendations. Or D, to train new employees in the security best practices.
Again, the primary purpose of generating detailed reports after analyzing test inputs: and the answer is C, to document your findings, risks and provide recommendations for improvements. That's the overall purpose of any sort of report, is to provide those recommendations. The last question, question 15.
When planning a structured audit, what is the most crucial aspect to define to ensure its success? When planning a structured audit, what is the most crucial aspect to define to ensure its success? A, qualifications of the audit team. B, the scope, methodology and objectives of the audit. C, the schedule and duration of the audit. Or D, the tools and technologies to be used in the audit. Again, the most crucial part is the scope, methodology and objectives of the audit. Without those, why would you even do the audit? It would be painful; it would just be like poking yourself in the eye with a pencil. Not fun at all. Okay, hope you guys enjoyed this.
This again, this is CISSP Cyber Training. We have this related to Domain 6.5, and we're dealing with assessment, compliance and the overall improvement strategies associated with those. This is also tied to the podcast that occurred on Monday. Again, go to CISSP Cyber Training for all of your training needs. It's out there to help you pass the CISSP exam.
Just had multiple people that have passed recently, and they are excited about basically following the blueprint and getting what they need to pass this doggone test. All right, have a wonderful day and we will catch you on the flip side. See ya.