Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey all, Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautiful day today. Today is Thursday, and what happens on Thursdays? Thursdays are the CISSP questions that are tied to Monday's podcast, and Monday we talked about Domain 2.6, and that is the various parts around data states, CASBs and the like.
So today's questions are going to be tied to that as well. But before we get started, we want to talk about an article I saw that I think is pretty helpful, in that it brings out: what is a data leak? What is a data breach?
Those words are used synonymously, or ubiquitously, actually, I don't think that's the right word, but they're used together, and they're not always the same thing.
I mean, they are using the same type of data, but they have different meanings. So, to put it a little bit in perspective, they have some statistics here that in the first quarter of 2023, 6.41 million data records were leaked out of 300 million accounts.
Now this is on The Register, and you can get access to this through CISSP Cyber Training. You can check it out, but if you go Google The Register about data leaks and data breaches, it'll be there as well. It talks about the different types of breaches and what they are, so it helps with the language a little bit.
They also talk about a couple of data breaches that occurred that were pretty significant in size: the Aadhaar one, I don't know how to even say that, which was done in 2018 and exposed 1.1 billion.
Yahoo exposed 3 billion, and then the Cam4 data breach exposed more than 10 billion data records. And these are all just data records that are out there. And then they also mentioned, let us not forget the DoD and what happened with them. So I agree.
I mean, it's just a lot of different data that's floating out there in the ether that affects people and their lives.
One point I also brought in is that the standard breach will cost about four and a half million if you deal with the third parties to help you clean it up, your potential downtime, reputational hit, even having to replace servers and the like.
So that's the number I've seen floating around for a while, and I think that's probably about right when it comes to dealing with a data breach of some kind. So what is the difference between a data leak and a data breach? What are the differences between those?
Well, again, the words are important to understand because you, as a security professional, will be educating your leaders on what this means. So you have data leaks and data breaches. A data leak is often unintentional, and usually it's caused by a human making a mistake. Okay, so that's your data leak.
I've done this myself accidentally: sending stuff to your Gmail account, accidentally clicking on a phishing attack, weak passwords, getting onto Wi-Fi networks that you probably shouldn't be on. All of those are considered, as they would say, a data leak, and this can happen with sensitive type data, and so, therefore, you wouldn't consider that a breach.
Now, the breach is often deliberate and can be caused by a cyber attack or by unauthorized individuals attempting to access sensitive data. So, again, the breach is when it gets to be there and actively progressing towards something. A leak is where it's usually done by humans and it's unintentional.
It can be intentional, but in most cases it is an unintentional type of situation. Now, the data that's collected. I deal with this with multiple of my clients, and you've also heard of it. You have PII, which is your personally identifiable information. I've talked to compliance folks and they say, well, it's really not called PII anymore, it's PI.
It could be just personal information; financial information, obviously credit cards; personal health information, your PHI, that's dealing with your medical records and so forth; account information, your login; intellectual property, obviously that's a huge factor; and then other sensitive information that you may deem to be appropriate.
So the ultimate thing of this is, how do you prevent them? How do you work through them? But they wanted to talk about a data leak versus a data breach, and you, as a person who's in the cybersecurity space... I've used them wrong, I know, and I think it's even with incidents and events and breaches.
I've talked to senior leaders about using the word incident versus breach. A breach will carry a very different connotation as a word than an incident will, and depending on who you're talking to, data regulators and so forth, if they hear the term breach, that sets off all kinds of bells and whistles.
So understanding the differences between the words, how they are used and what they actually mean is an important part of your cybersecurity journey. So let us get started. We're going to roll right into the CISSP questions for this week. Okay, so question number one: in a data classification scheme, which data state would require the most stringent security?
So again, in the classification scheme, which data state would require the most stringent security controls? A, data in transit. B, data at rest. C, data in use. Or D, data in backup. Again, in the classification scheme, which data state would require the most stringent security controls? And the answer is C, data in use.
Again, that's when it's most sensitive, because it's actually being used and processed. There are various other types of data that you may deal with. I should say, I'll disregard that; I was going to talk about homomorphic encryption, but we'll get into that another time. But the bottom line is this: the most stringent type of security controls is for data in use.
Question two: which of the following is a key principle of data minimization? So again, data minimization, that's making it less, right? You're minimizing it. A, collecting only the data necessary for the intended purpose. B, encrypting the data at rest. C, regularly reviewing and deleting outdated data. Or D, all of the above.
So which of the following is a key principle of data minimization? And the answer is A, collecting only the data necessary for the intended purpose. As you're collecting this, collecting for that purpose only is the key principle of data minimization, and it helps reduce the risk of breaches because you minimize your data. You want to basically clean all your stuff up.
You don't want to have it everywhere, one, and two, wherever you have it, you want to have it minimized so that only the data that you're keeping is what is necessary. One example is I've seen years, I mean decades, of data sitting in SharePoint sites that are totally unused. So the question is, can we delete it?
And their answer usually comes back: no, we never know if we might need it. It's that data hoarder mentality. Yeah, it can get you, it can get you. Question three: what is the primary purpose of a data loss prevention system? A, to detect breaches. B, to prevent data breaches. C, to recover data after a breach.
Or D, to encrypt the data at rest. What is the primary purpose of a data loss prevention system? Okay, so you might be going, hmm, I don't know on that one. It is B, to prevent, not detect, data breaches. A DLP system is primarily used to prevent data breaches by identifying and blocking attempts to exfiltrate sensitive data from an organization.
Now, I say that, but again, you've got to understand the question in that specific context. Will it stop breaches always? No. Will it stop every breach? No. Will data get out? Oh, most definitely. It is designed to help minimize and mitigate some of the risk associated with a data breach.
But again, the question is what they're asking for in that specific question. So you, as a security professional, when you're taking your CISSP, you need to think about it like that. Question four: which of the following is a common challenge in scoping and tailoring security controls?
A, identifying all relevant assets. B, assessing the risk levels. C, allocating resources. Or D, all of the above. Which of the following is a common challenge in scoping and tailoring security controls? And the answer is D, all of the above.
All of the above are common challenges in scoping and tailoring security controls, and it can be very difficult to identify all relevant assets and assess the risk levels accurately. And I would say that's probably one of the biggest challenges: trying to understand all the assets and then working through the risk.
We've talked about this on this podcast a bit in the past. Understanding the overall risk to your organization can really only be done by understanding what all the assets are that you're trying to protect. So your risk may go, oh, I'm good, and then you discover something that basically has the crown jewels in it, and you're going, oh, I'm bad.
So you're going to have to work through that. But understanding all the assets within your organization, especially those that contain critical or sensitive data, is a very important thing to do. It's a primary thing you need to consider. Question five: what is the primary purpose of digital rights management, DRM? What is the primary purpose of DRM?
A, to prevent data breaches. B, to ensure data integrity. C, to protect intellectual property. Or D, to facilitate data sharing. Again, DRM, what's its purpose? To protect intellectual property, C. It's by controlling access to and use of the digital content; that's how DRM protects their IP. A good example to think of is Sony and their music.
So just kind of think of that as the CDs that were out a long time ago, no longer MP3s. They were using CDs to protect their music. Question six: which of the following is a common limitation of a DLP system? A, it's difficult to detect encrypted data. B, it's got high false positive rates.
C, the inability to protect data in transit. Or D, limited effectiveness in preventing insider threats. Again, which of the following is a common limitation of DLP systems? And the answer is D, limited effectiveness in preventing insider threats.
When you're dealing with a DLP product, it'll help with protecting data leaving your organization, but insiders can typically bypass the DLP product by exploiting legitimate access privileges. So if you know that they have access, they can work around it. Now you can put controls in place to limit screenshots, to have data not leave through email.
But if the employees need to use the data, they've got to use the data, so sometimes they will send the data home. Question seven: what is the primary purpose of a cloud access security broker, a CASB? What's the purpose of it? A, to encrypt data at rest. B, to provide secure access to cloud services. C, to detect data breaches.
Or D, to prevent data loss. Again, what is the primary purpose of a cloud access security broker, CASB? And the answer is B, to provide secure access to cloud services. A CASB is used to provide secure access by enforcing security policies and monitoring cloud usage.
Question eight: which of the following is a key consideration when selecting a DLP solution? What should you consider when selecting a DLP solution? What is a key consideration? Key, not the best, but a key consideration. A, integration with existing systems.
B, cost effectiveness. C, scalability. Or D, ease of use. Which of the following is a key consideration for a DLP? And it is B, cost effectiveness. Again, cost effectiveness is a key consideration because you must balance the cost of the solution with the benefits that you're trying to achieve with the product in place.
Question nine: which of the following is a common challenge in implementing DRM? A, technical complexity. B, user resistance. C, compatibility with different devices and platforms. Or D, legal issues. A common challenge in implementing DRM, and again, DRM is very use-specific.
It is also very specific in what it's trying to protect, and it would be C, compatibility with different devices and platforms. As an example, Microsoft products do not work well with... they work well with Microsoft, but you really can't use them with other types of products. Adobe and Microsoft, they don't play well together.
To give you an example, Adobe has its own product, Microsoft has its product, and so, therefore, they are an interesting duck. They're different devices, different platforms, and they can have issues, and I say this with Microsoft with DLP, and that's the same with DLP and DRM. They do struggle a bit.
The other thing with DRM, that's the digital rights management piece of this, is sometimes, if you're using some level of protection on IP, it won't talk to another type of product that wants to uninstall it, or, I should say, utilize it, and Adobe and Microsoft are a good example of that too. They don't work well. That's just a key thing.
DLP and DRM, they just don't work well together. Question ten: which of the following is a key benefit of using a CASB? What is a key benefit of using a CASB? A, improved visibility into cloud usage. B, reduced risk of data breaches. C, simplified compliance management. Or D, enhanced data security. Again, which of the following is a key benefit of using a CASB?
And the answer is D, enhanced data security. Enhanced data security is a key advantage of utilizing CASBs because they help you protect the stored data that's in the cloud.
Utilizing security policies, monitoring cloud usage, data going up and data coming down, can be a very effective tool when you're trying to figure out budgeting with cloud utilization. Cloud utilization can be very expensive, or using the cloud can be, so you need to have a good plan for how you're going to put data up there and take it down.
In many cases, putting data into the cloud is less expensive, obviously, than pulling it out, because once it's in there, they've got you. So just consider your data usage when you're dealing with cloud activities. Question eleven: which of the following is a common method for classifying data? A, sensitivity labels. B, business impact analysis. C, data owners. Or D, risk assessments.
So which of the following is a common method for classifying data? And the answer is B, business impact analysis. An impact analysis is a common method by which you can assess the potential impact of data breaches on the organization, and that's an important part, right?
Like we talked about before, understanding where your critical data resides and your critical systems is a very important part for your company. Question twelve: which of the following is a key principle of data sovereignty? A, data must be stored and processed within a specific jurisdiction. B. C, data must be accessed by all authorized users. Or D, data must be regularly backed up.
So which of the following is the key principle in data sovereignty? So think of the word sovereignty. What does that mean? It means what you own, right? Or it's location, kind of thinking sovereign.
Well, when you're dealing with sovereignty, A, the data must be stored and processed in a specific jurisdiction. A specific jurisdiction is a key principle around data sovereignty, and it addresses the concerns of data privacy and compliance. I had to deal with this. When you're dealing with stuff in Europe, they have data privacy aspects, or sovereignty aspects.
China has it as well. If you transfer the data out of the country, then you have to utilize certain levels of security controls, i.e. data masking; you have to be able to obfuscate the data and so forth. So there are certain key principles around data sovereignty. Question thirteen: which of the following is a common challenge in implementing data minimization?
What is a common challenge in implementing data minimization? A, identifying unnecessary data. B, resistance from users. C, technical limitations. Or D, lack of clear guidelines. So which of the following is a common challenge when implementing data minimization? And that is D, lack of clear guidelines will be a problem, right?
So if you don't have clear guidelines in implementing data minimization, your people won't know what to do, and this includes policies and procedures for basically identifying and deleting unnecessary data. Question fourteen: which of the following is a key consideration when selecting a CASB? A, integration with existing security controls or tools.
B, support for multiple cloud platforms. C, cost-effectiveness. Or D, scalability. So which of the following is a key consideration when selecting a CASB? And the answer is C, cost-effectiveness. That is one of the key considerations. Again, we talked about this. With data going in and coming out, you need to understand what the overall cost to your organization is.
And finally, question fifteen: which of the following is a key benefit of using sensitivity labels for data classification? What is a key benefit of using sensitivity labels for data classification? A, improved governance. B, improved access controls. C, simplified compliance management. Or D, enhanced data protection.
So which of the following is a key benefit of using sensitivity labels for data classification? And the answer is A, improved governance. Again, improved governance is a key advantage, where sensitivity labels can help organizations establish clear policies and procedures for handling and protecting the data.
So, again, there's lots of options there for you to consider when it comes to the key benefit around sensitivity labels. I would recommend using them, because governance around labels is an important factor. If you don't have a good handle on that before you roll them out, you will have some challenges on your hands. Okay, that is all I have for you today.
This is CISSP Cyber Training. Head on over to CISSP Cyber Training and get access to all of my content. There's a lot of great stuff out there for you. You can check out my website and my blog. The videos will be posted out there as well, and, you know, if you purchase anything from CISSP Cyber Training, it does go to my nonprofit for adoptive parents.
Again, the Good Shepherd is going to be the name of it, and so that's where all of the proceeds from the sales of my cyber stuff go. All right, thank you all for listening. I really do appreciate it. Head on over to iTunes. Please rate me on iTunes or any of those other places. That would be awesome. I'd greatly appreciate it.
Even send me a note, send me how things are going for you. Email me, let me know what's going on. You can do that at contact at CISSP Cyber Training.
I'm happy to respond to you as well, but again, reach out to me anytime, and I'm really excited to see how you've passed the CISSP and are moving on. Have a wonderful day, and we will catch you on the flip side. See ya.
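The content inspection a DLP product performs on an outbound message (question three) and the data masking mentioned under data sovereignty (question twelve), as an added Python example that is not part of the podcast and not any vendor's DLP code. The candidate pattern, the Luhn filter, the masking rule and the sample email are all constructed for illustration; a real product layers many more detectors and policies on top of this.

```python
import re
from dataclasses import dataclass, field

# Candidate card number (PAN): 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits or dashes.
# This pattern is an illustrative assumption, not a vendor's detector.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Order numbers and tracking IDs that merely look like
    card numbers usually fail it, which is the cheapest false-positive filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(span: str) -> str:
    """Mask every digit except the last four, keeping the original separators,
    so a cross-border copy or a log entry never carries the full PAN."""
    out = []
    remaining = sum(ch.isdigit() for ch in span)
    for ch in span:
        if ch.isdigit():
            out.append(ch if remaining <= 4 else "*")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class Verdict:
    action: str                          # "allow" or "block"
    pans_found: list = field(default_factory=list)   # masked values only
    rejected_candidates: int = 0         # looked like a PAN, failed Luhn
    redacted_text: str = ""


def inspect_outbound(text: str) -> Verdict:
    """Inspect one outbound message: block if it carries a Luhn-valid PAN,
    and return a redacted copy that is safe to forward or log."""
    verdict = Verdict(action="allow", redacted_text=text)

    def _replace(match: "re.Match") -> str:
        span = match.group(0)
        digits = re.sub(r"[ -]", "", span)
        if luhn_ok(digits):
            masked = mask_pan(span)
            verdict.pans_found.append(masked)
            return masked
        verdict.rejected_candidates += 1   # keep the non-PAN text untouched
        return span

    verdict.redacted_text = PAN_CANDIDATE.sub(_replace, text)
    if verdict.pans_found:
        verdict.action = "block"
    return verdict


# Constructed sample outbound email (the card number is the common Visa test
# value; the order and tracking numbers are made up and fail Luhn).
SAMPLE_EMAIL = (
    "Hi, here is the customer record you asked for.\n"
    "Card: 4111 1111 1111 1111 exp 12/29\n"
    "Order ref 1234-5678-9012-3456, tracking 9400111899223456789\n"
)

if __name__ == "__main__":
    v = inspect_outbound(SAMPLE_EMAIL)
    print(v.action, v.pans_found, v.rejected_candidates)
    print(v.redacted_text)
```

Two of the three digit runs in the sample are rejected by the Luhn check, which is exactly the false-positive pressure behind option B in question six: a detector that fires on any 16-digit run will drown the team in order and tracking numbers. The insider limitation in option D still applies, because this code only sees what flows through the inspected channel; a user with legitimate access who screenshots the record never hits `inspect_outbound` at all.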