
CCT 177: Practice CISSP Questions - Policies and Procedures - Candidate Screening, Employment Agreements (Domain 1.9.1-4)

Sep 19, 2024, 21 min

Episode description


How can we effectively bridge the cybersecurity skills gap and protect sensitive data in the cloud? In this action-packed episode of the CISSP Cyber Training Podcast, we kick things off by analyzing insights from a recent UK international cyber skills conference. We discuss the UK's innovative initiatives to enhance cybersecurity education and talent, including support schemes and competitions, and emphasize the importance of gaining practical experience, even through pro bono work. We also delve into a critical CISSP practice question, exploring the best methods to prevent unauthorized access to sensitive data in cloud environments, spotlighting the significance of strong encryption.

Shifting gears, we tackle best practices in identity management, dissecting the risks associated with Single Sign-On (SSO) and the crucial role of least privilege access controls. We unravel the hidden costs of cloud-based identity and access management solutions and expose how phishing emails are a prevalent social engineering threat. Furthermore, we dive into managing vendor access and the complexities of adopting a zero-trust security model, offering practical tips for gradual integration. We wrap up by highlighting the importance of non-disclosure agreements (NDAs) in safeguarding intellectual property and confidential information, providing essential cybersecurity insights and actionable advice for our listeners. Tune in and elevate your cybersecurity expertise!

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Transcript

Speaker 1

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

All right, let's get started. Let's go.

Speaker 2

All right, let's get started. Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautiful, blessed day today. Today is, what is it? It is CISSP question Thursday, so we're going to get into some CISSP questions that are associated with the podcast that occurred on Monday over domain one.

So it is going to be an exciting day, but before we get started, we have, usually I like to start with a little bit of news, and there was just an article that popped out recently about the UK hosting an international cyber skills conference.

I know this is a big topic for a lot of different companies, and I get approached here and there about CISOs, or I should say CIOs, that are looking for CISOs to do fractional CISO work, and this is no different. There are tons of opportunities out there for security professionals.

You just have to be able to be in the right place to find those, and you have to have the experience to help you with that.

But the interesting part with that was that the UK is realizing that they are having challenges with filling their cybersecurity roles, and so, therefore, they had a three-day international conference to discuss how to tackle the growing threat of cyber attacks. Now I'll be very transparent. There are a lot of conversations that occur on how to deal with this.

Sometimes I feel there are conversations and not enough action, but at least within this conference they're trying to do some things to potentially offset some of those challenges.

One of the things they had was this Global Cybersecurity Skills Recommendations Report, and in this report they did say that they're trying to figure out how to get this resolved, and they did say that the number of shortfalls within the UK of jobs has gone down. It's not as much as it was.

So they're saying about 11,000 jobs in 2023 down to about 3,500 in 2024. But the interesting part in this is that they said 44% of UK businesses still do not have the fundamental skills to protect themselves from a cyber attack.

So the roles may have reduced, but I've seen this time and again: they do not have the knowledge, the businesses don't, to protect themselves from a cyber event or incident, and what can happen is that, as they don't have the skills to do that, one event can be catastrophic for a business.

I mean, take it from me: you already are running on very small margins, your businesses, and now you have a cybersecurity incident that occurs. It can be damaging and, if not, it can also potentially shut you down.

So it's important to understand that if you are a cybersecurity professional looking for a role, it is important that you work hard to get your education to a level that will be acceptable by people, but also to help businesses that maybe don't totally understand that they have a problem, and this is one thing I recommend, is that doing this pro bono work, potentially like helping nonprofits, is a very good way for you to kind of gain some knowledge, some expertise, but also help people out, because you have knowledge that you may not think you do, but you have knowledge that many people just are looking for, even if your knowledge in your mind is a more basic type of knowledge.

There's tons of individuals out there that are looking for someone that has something to be able to give them some guidance and some direction. They also had in this article, they talk about the UK launching two cyber skill schemes and one competition.

They're basically having to figure out how to have competitions to bring new people into cybersecurity, as well as then educate and teach them so that they can go out and try to do more to help protect the overall country itself.

So again, they have a scheme that delivers tailored support to universities, councils and businesses across England, and then they also have a competition to find young talent.

I will say that I have a young individual that I go to church with and he is super smart, and we've done a lot to kind of help, kind of guide and direct him into the cybersecurity field, because he is going to do wonders for that.

But it also takes someone that can kind of lead and mentor individuals, these young folks, to kind of give them the direction that they need to get into the cybersecurity space. Okay, so let's get into the questions for this week. We're in group 10.

This is of domain one, and if you go to CISSP Cyber Training, you'll be able to get access to this courseware. All of it is there and available to you. All those questions are available. You can go and study for these questions for the CISSP and you can gain access to all the information there.

Again, when you go in and you purchase any of this content, it goes to a nonprofit that is associated with adoptive families. So I would highly recommend it if you're interested in the CISSP. What a great way for you to be able to get the training you need, as well as being able to help other people out. So it's a good deal.

Okay, so we're again in group 10. This is 15 questions, and this is tied to, today is domain one, and it's 1.9. So question one: which of the following is the most effective method for preventing unauthorized access to sensitive data in a cloud environment?

Again, which of the following is the most effective method for preventing unauthorized access to sensitive data in a cloud environment? A, implementing strong encryption at rest and in transit. B, conducting regular vulnerability assessments. C, limiting network access to authorized users only. Or D, regularly updating software systems.

So the most effective way for preventing unauthorized access of sensitive data is implementing strong encryption at rest and in transit. So we talked about this in the past, is that when people gain access to the data, it's very easy for them to gain access to it. I mean, I shouldn't say easy, it's...

Odds are highly likely that they're going to gain access to the data that you may or may not want them to have, and having encryption is an important factor, especially when you're dealing with sensitive data in a cloud environment. Question two: which of the following is a common weakness in role-based access controls, RBAC? A, lack of segregation of duties.

B, excessive privileges. C, overlapping roles. Or D, lack of user training. Now, again, what is a common weakness? Now, this can be a couple of different things. Right, there can be weaknesses in this with lack of user training, and there can be excessive privileges.

But realistically, the common weakness in role-based access controls is overlapping roles, or credential creep. Again, in RBAC, this can create confusion and inconsistency, complicating the access management and increasing the risk of unauthorized access. So overlapping roles can be a problem with RBAC.

Question three: which of the following is the best method for ensuring that employees are aware of and comply with the organization's security policies? Again, which of the following is the best method for ensuring that employees are aware of and comply with the organization's security policies? A, posting security policies in a visible location.

B, providing security awareness training. C, implementing technical controls to enforce compliance. Or D, conducting regular security audits. Again, which of the following is the best method for ensuring employees are aware of and comply with the organization's security policies? And the answer is B, providing security awareness training.

Again, this training can be an effective way to help employees. Now, it isn't going to be the panacea and fix everything, but it is a really good way to help, again, getting this stuff in front of people on a routine basis, over and over again. Question four: which of the following is a disadvantage of using a single sign-on solution?

So what's a disadvantage of using SSO? A, increased complexity. B, increased cost. C, limited scalability. Or D, reduced security. Now, when you talk about this, what do you mean?

You're going to say, well, this doesn't make sense, because it does have increased complexity, it does increase your cost, and it does limit, it doesn't really limit your scalability, but I guess it can, because it depends on whether everybody signs up for SSO. But what the main disadvantage is? It reduces security. And you're going, what do you...?

The reason is, and this is kind of a double-edged sword, is that it can potentially expose, it's a single point of failure within your organization, and it can expose access to multiple systems and applications. It also is a benefit in the fact that not everybody has to remember passwords for all these logins, which is a lot of password reuse that occurs.

So reduced security in the best situation, right? So in this question, the best answer of all these answers is the reduced security. But keep in mind, you need to understand with SSO what are the other positives and negatives that go along with that. Question five: which of the following is a best practice for managing privileged accounts?

So which of the following is a best practice for managing privileged accounts? A, use strong and complex passwords. B, implement least privilege access controls. C, monitoring privileged account activity. Or D, regularly changing passwords. So which of the following is a best practice for managing privileged accounts?

And the answer is B, implementing least privilege access controls. Again, least privilege is crucial. It's very important for the mapping, or managing, of privileged accounts, and it minimizes potential damage from an account compromise, right?

So if you have least privilege and your account is compromised, it does limit the blast radius in which someone can gain access to this data. Question six: which of the following is a disadvantage of using cloud-based identity and access management solutions? So what is a disadvantage of using cloud-based identity and access management solutions? A, increased cost.

B, decreased flexibility. C, decreased security. Or D, longer implementation time. So, longer implementation time? Isn't true, because when you're deploying IAM within the cloud, it's very easy. I should say it's easier than if you were deploying it on-prem. The decreased security?

No, that's important, because IAM account management is an important factor, unless you were to just leave it wide open. And then decreased flexibility. It does give you the flexibility that you need.

Now, it sometimes can be a little bit problematic when you're dealing with on-prem and cloud and integrating your IAM solution between the two, but it is, it's not a factor. It is actually increased costs. So they will lead to a higher cost, to ongoing service fees and potential additional charges, making it a potential, a notable disadvantage.

So there is increased cost by using IAM solutions. They don't do this stuff for free, so unfortunately you've got to pay for it somehow. Question seven: which of the following is a common attack vector for social engineering attacks? Okay, this is probably easy, you guys, I'll get this one. A, malware. B, denial of service. C, phishing emails. Or...

D, unauthorized physical access. Right, a common attack vector for social engineering attacks is C, phishing attacks. Right, that's what they use to get as much of the information as they can, and the point is they mask around it as legitimate emails.

Question eight: which of the following is a best practice for managing vendor access to an organization's systems? A, providing vendors with broad access to the network. B, requiring vendors to sign nondisclosure agreements. C, monitoring vendor activity. Or D, limiting vendor access to specific systems.

So which of the following is a best practice for managing vendors' access to an organization's system? And the answer is B. Okay, it's requiring vendors to sign non-disclosure agreements. Again, this is a best practice, and this is how you manage the access. It doesn't really manage it so much, it's more of just kind of, I guess it's managing it.

It's not physically managing it, it's managing it from a paperwork standpoint, and it does help protect sensitive information by legally binding them to confidentiality, which is an important part of any vendor agreement.

Just keep in mind, though, any document somebody signs is not going to stop them from doing something with the data they shouldn't do, but it does add one more level of protection, that is, there's consequences associated if they were to be doing something inaccurate or wrong.

Question nine: which of the following is a challenge associated with implementing a zero trust security model? A, decreased user productivity. B, increased cost. C, integration of legacy systems. Or D, increased complexity. So, again, the question is which of the following is a challenge associated with implementing a zero-trust security model?

And the answer is D, it is increased complexity. Now, all of those are an important part of a zero-trust model: decreased user productivity, increased cost, integration with legacy systems. All of those can be a challenge associated with a zero trust model.

But when it comes to the complexity piece of this, adding a zero trust security model does introduce a lot of complexity, and is a rigorous requirement, requiring every access request and continually assessing trust.

It can be a very complicated security management plan, and I would highly recommend, if you're going to implement zero trust within your organization, start small, start in areas that you know you can use or that are not complex, that don't have a lot of ties, and then just build upon it. And I will say, a zero trust for your entire environment...

It might be a great bumper sticker. I don't know how well that you can deploy zero trust from an environment that started off as a blended environment. What I mean by that is, if you start greenfield, where you start with a brand new building or a brand new network, then you can move to a zero trust relatively simply.

Not easily, but simply, if you start with nothing. Now, if you start with a complicated network that already has an old legacy network built into it, you're trying to embed within a cloud environment new technology, old technology, moving to a zero trust environment can be a bit more problematic, and I will say it could be very, very challenging.

So what you want to start off with, especially if you're dealing with a legacy environment that you have, start small, start in areas that you feel you can deploy zero trust, and you may never get there. You may never get to a complete zero trust within your environment because of the additional costs that it may result in you moving forward.

So just kind of keep that in mind. Now, if you have mandates from governmental officials that you must be zero trust, well then I guess you'll just be dumping gobs of money and trying to figure it out.

But just know that if you don't have mandates that you must have your entire network zero trust, then it may, I'm not saying it will, but it may come down to where you are in smaller segments that you may deploy your zero trust. Question 10: which of the following is a risk associated with outsourcing identity and access management services? A, loss of control.

B, increased cost. C, decreased security. Or D, reduced vendor expertise. So again, you're outsourcing your IAM services, and the answer is A, loss of control. Okay, so outsourcing IAM can lead to loss of control over the management and security controls associated with it.

So one thing to think about is, if one of the requirements is you must maintain control, that would be one of the requirements that you talk to your vendor about and go, what can we do here? So you just need to kind of think about that before you start going down the IAM path. Get really prescriptive on what are your requirements.

What are you asking for specifically to try to accomplish with your IAM deployment? Question 11: which of the following is a best practice for managing privileged accounts in a cloud environment? Again, which of the following is a best practice for managing privileged accounts in a cloud environment?

Again, which of the following is a best practice for managing privileged accounts in a cloud environment? A, using strong, complex passwords. B, implementing least privilege access controls. C, monitoring privileged account activity. Or D, enforcing multi-factor authentication.

So which of the following is the best practice for managing privileged accounts in a cloud environment? And the answer is B, implementing least privilege access controls. Again, least privilege controls are vital for managing privileged accounts in the cloud. You want to do that anytime you can, but especially for privileged accounts.

It limits the account's access to only what is necessary, reducing the potential impact of a compromised account. Question 12: which of the following is a common weakness in identity and access management implementation? A, overlapping roles. B, lack of segregation of duties. C, excessive privileges. Or D, inconsistent password policies.

So which of the following is a common weakness in identity and access management implementation? And the answer is C, excessive privileges. That is a common weakness that you will see in IAM. Question 13: which of the following is a best practice for managing vendor access to an organization's systems?

Okay, we talked about this a little earlier, but it's a different question. Which of the following is the best practice for managing vendor access to an organization's systems? A, providing vendors with broad access to the network. B, requiring vendors to sign non-disclosure agreements. C, monitoring vendor activity. Or D, regularly reviewing access permissions.

Which of the following is a best practice for managing access to an organization's systems? And that is D, regularly reviewing access permissions. This is a best practice for managing vendor access, and it ensures that only necessary permissions are granted and helps identify and revoke the access of outdated or unnecessary access controls or access credentials.

Yes, sorry, I kind of lost my train of thought on that one. Question 14: which of the following is not a common personnel security policy control? A, background checks. B, separation of duties. C, mandatory vacations. Or D, risk assessments. So which of the following is not a common personnel security policy control? And the answer is D, risk assessments.

Risk assessments are a broader process used to evaluate the overall security posture of an organization, including personnel security, but is not a specific control within the personnel security policies. Question 15: which of the following is a primary purpose of a non-disclosure agreement? So what is the primary purpose of a non-disclosure agreement, or NDA?

A, to protect the organization's intellectual property. B, to ensure employees comply with company policies. C, to hold employees accountable for their actions. Or D, to prevent unauthorized access to systems. And again, the primary purpose of an NDA is to protect the organization's intellectual property.

So, NDAs, they're primarily used to protect the organization's IP and confidential information, again by prohibiting employees and contractors from disclosing it to unauthorized parties. That being said, again, it's a piece of paper, so it doesn't mean people aren't going to do it. Okay, I hope you guys enjoyed this.

Again, this was off of domain 1.9 of the CISSP ISC2 book. You can go out to CISSP Cyber Training and you can get all this content at CISSPCyberTraining.com. Again, all proceeds go to a non-profit for adoptive families. So again, go out and buy to your heart's content. Bye, bye, bye.

Have a wonderful day, and go out there, attack the evil hacker horde, and we'll catch you all on the flip side. See you.
