
CCT 193: Practice CISSP Questions - Navigating Cybersecurity Compliance and Data Protection Strategies (Domain 1.5)

Nov 14, 2024 · 25 min · Season 2 · Ep. 193

Episode description


Unlock the secrets of cybersecurity mastery as Sean Gerber unpacks the importance of CISSP certification amidst a looming gap of over 5 million unfilled cybersecurity positions by 2024. This episode promises to equip you with insights from the latest ISC² global workforce study, emphasizing the blend of technical prowess and essential soft skills employers crave, such as communication and critical thinking. Dive into expert advice on acing CISSP exam questions, especially those tricky legal scenarios involving data transfer you might face.

Explore comprehensive strategies for safeguarding data and ensuring compliance in today’s complex digital landscape. Sean discusses the implementation of data loss prevention solutions, the nuances of trans-border data flows, and the challenge of meeting GDPR requirements amidst data localization demands. Discover how endpoint encryption, data classification, and mobile app push notifications play pivotal roles in protecting intellectual property while maintaining user convenience. Learn why collaboration with vendors is critical when investigating potential data breaches.

Navigate the intricate world of global security compliance as we delve into the decision-making processes essential for managing international cybersecurity obligations. Sean highlights the necessity of consulting legal counsel and employing a risk-based approach to maintain a uniform security posture across diverse regions. Uncover strategies for addressing critical vulnerabilities and aligning security frameworks with new international data privacy treaties. This episode lays out a holistic security design, integrating every aspect of the CISSP domains to prepare you for a successful career in cybersecurity. Join us for this invaluable journey into the future of cybersecurity.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Transcript

Speaker 1

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

Alright, let's get started. Let's go. Good morning, it's Sean Gerber with CISSP Cyber Training and I hope you all are having a beautiful day today. Today is the wonderful Thursday and Thursday is CISSP Question Thursday. So we are going to be getting into some really great questions as it relates to domain 1.5.

And this comes on to breach notification, it comes into data transfer and so forth. So it is going to be amazing. But before we do get started, one thing I want to kind of go over was there was an article out just recently from Security Intelligence and it's about the cybersecurity workforce that can be expected in 2024.

We talk about on this program, CISSP Cyber Training, a lot about the cybersecurity workforce and how important it is for the various companies out there. They need folks.

But an interesting concept was this article talks about the change that's been happening in the cybersecurity space itself, a lot of it due to layoffs and downsizing, and I've seen this as well with the individuals that have been wanting to get full-time roles.

Out there in the world there's actually, it appears to be, maybe a little bit less of a full-time opportunity and maybe more of a contractor type opportunity, so that's kind of what's floating out there in the ether.

But one of the things about this article that's kind of interesting is that they're saying that there's going to be about 5.5 million jobs that are going to go unfilled, and though we have talked about this before in the past, that I said it was like around three and a half million, well, they're saying 5.5 million.

This is off the 2023 ISC² Global Workforce Study and they're saying that the workforce will need to grow at a rate of 12.6% per year just to keep up, and they're saying that they basically grew at only 8.7%. So the interesting thing is, this is why getting your CISSP is important, because we obviously need you.

One of the parts that they're saying, what they're looking for with employees to get hired, what various companies are looking for: scripting, intrusion, threat protection, threat analysis. I thought the one that was really good at the bottom, it's really interesting, is communication and critical thinking skills.

I will tell you that you can give me the smartest guy in the world that understands security, and if he or she does not have the critical thinking skills and the communication skills, it makes it extremely challenging for me to be able to put them in front of somebody and try to explain what exactly is going on.

The other part that they stressed is, obviously, the CISSP, Security+ and the security auditor certifications are a key factor. So if you're listening to this podcast, you definitely are in the right place. We here at CISSP Cyber Training are going to teach you what you need to know to be successful.

But beyond just passing the test, we are here to help you with your cybersecurity journey, because it really is a big thing that we need to do to protect our country and to protect our various countries out there from this existential threat, as they would say.

The one other thing they talk about is upskilling workers.

That basically means, I've done this multiple times, where you have an individual who shows that they have the aptitude for security, then what can you do to put them in a position to win, in that you give them the training and education they need to be successful in security and upskill them into their position. That's a really good opportunity there.

I know CISA, the Cybersecurity and Infrastructure Security Agency, they mentioned, and ISC² offer training options. They are both very good. Some of them are free that you get. I don't know about ISC². They do have some free options available.

I think CISA definitely does and they're trying to get people that are understanding the security space and getting them out there in this world. But bottom line, the last bullet on this, is again don't forget the soft skills. I will tell you that, like I mentioned earlier.

That is probably one of the hardest things to teach and it's probably one of the most valuable to a person and to an organization. So if you have all the IT stuff, then there's probably some other really good books to read, like How to Influence Friends and Influence People by Dale Carnegie. Old book, but very, very valuable.

And then there's also another one called Skill with People by Les Giblin. Very good book on how to deal with individuals. So the soft skills are valuable and they will make you money. I highly recommend that you focus on some of that too while you're studying for your CISSP.

Okay, so let's get started into the overall training today and let's talk about some CISSP questions. Okay, so this is going to be over group seven. If you go to my CISSP Cyber Training there is.

We have this broken down into CISSP questions and they're based on domain one through eight, and with those different domains, what I do is I put these podcasts in there with many of the questions that I have, and so you can be able to listen to it and you can actually be able to go and take the test themselves.

So they're designed there to help you kind of get both levels of training when you're trying to understand and pass the CISSP exam.

Question one: a multinational corporation with offices in the United States and the EU transfers customer data between two locations. Which is the most significant legal constraint they need to consider? A, HIPAA regulations due to the presence of healthcare data. B, PCI DSS requirements, as some customers use credit cards.

C, GDPR compliance because it involves EU citizens' data. Or D, Sarbanes-Oxley, as financial transactions are involved. And the answer... let me come back to it real quick before I answer it. When it comes down to US and EU transfers, which is the most significant legal constraint they need to consider? And the answer is C.

Obviously, you guys are all probably connected with GDPR. This does hold the highest potential for penalties, even though all of them may be impacted, and therefore it does concern EU citizens' data. Question number two: your company uses anonymization techniques to protect sensitive data during trans-border data flows.

However, a recent security audit revealed that attackers managed to re-identify individuals from the anonymized data. What most likely went wrong? Again, a company anonymizes your data, which is called out with GDPR, during this trans-border data flow.

However, a recent security audit reveals attackers managed to re-identify individuals from anonymized data. What most likely went wrong? A, insufficient level of anonymization, basically using k-anonymity instead of l-diversity. B is a lack of encryption for the data at rest. C, inadequate access controls for receiving the data. Or...

D, failure to monitor for unauthorized data access attempts. Okay, so what basically happened? How did they re-identify the data? And it basically came down to A. That's what most likely went wrong: insufficient level of anonymization.

So when they didn't do that, basically, when you don't have enough level of anonymity, they can reattach the anonymized data and then be able to connect the two. So you need to choose a stronger anonymization technique that improves the indistinguishable points between the individuals, and that is crucial to prevent re-identification attacks.

Question three: you must implement a data loss prevention solution to control trans-border data flows. Which DLP feature would be most effective in preventing unauthorized data transfers of intellectual property documents? Again, you have a data loss prevention solution and it needs to control the trans-border data flows.

Which would be most effective in preventing an unauthorized data transfer of intellectual property documents? It's 4:30 in the morning, I'm struggling to speak, sorry. A, content filtering based on keywords and patterns. B, activity monitoring and anomaly detection. C, network traffic inspection and data fingerprinting. Or D, endpoint encryption and data classification.

Again, for DLP, which DLP feature would be most effective in preventing unauthorized data transfers? And that would be D, endpoint encryption and data classification. So you're probably going, hmm, how is that the case? While other features help detect these activities, encryption and obviously classification will help it from being leaked.

If it is leaked, it helps it from being exposed even more. So classifying your documents as confidential and then encrypting them would be a great way to move forward and to ensure that the data is not discoverable when it is transferred.

Question four: your company faces pressure from the Chinese government to store all data generated within China on local servers. However, your organization also operates under GDPR compliance requirements. How would you respond to this pressure? Again, your company faces pressure from the Chinese government to store all data within China on local servers.

However, your organization operates under GDPR. And then how would you respond to this pressure from the Chinese government? A, agree to store all data locally to avoid legal trouble with China. B, explain GDPR compliance issues and propose alternate solutions like data anonymization before transfer. C, refuse the request outright, citing potential GDPR violations.

That probably won't work. And then D, negotiate a data residency agreement with specific privacy and security safeguards. Okay, so if you think about it, there's probably really only two that would stand out to you, and you'd have to really narrow it down. And the answer is D, negotiate a data residency agreement with specific privacy and security standards.

Basically, you can't refuse business operations, right, that's just not going to happen, and full compliance would conflict, because that would conflict with the GDPR requirements as well. You can agree with a negotiation around data storage in China while ensuring GDPR compliance.

The other thing you can think of, as well as data localization, is if you have individuals that are not EU citizens and you know that and they live in China, then you would separate the data and just keep the EU data in one location and keep the China data in another.

So there's multiple options, but the bottom line of what that question is trying to get from you is, yeah, you can't say no and your business has to operate, but you have to come up with alternative solutions. That's basically what it comes down to.

Question five: a cyber attack compromises your organization's network, potentially exposing customer data stored in a cloud server located in another country. Which action should you take first? If you have a cyber attack and it's potentially exposing customer data stored in a cloud server in another country, what do you do? A, notify the subjects affected.

B, investigate the extent of the breach and identify the compromised data. C, disable network access in the cloud server to prevent further data loss. Or D, contact the cloud service provider and report the incident. And the answer, the best answer, because all those are... not all those are good, but they're all relatively decent.

They all follow the same path. You want to contact the cloud service provider and report the incident. Again, you don't know exactly what has. It just appears to be. So contacting the cloud service provider is the best option so they can work with you to help mitigate the issue if it's ongoing. And then, what are the remediation steps going forward?

Question six: your organization implements multi-factor authentication for remote access to internal systems across borders. However, some users complain about the inconvenience of using hardware tokens. Okay, they got a little fob. Which alternative MFA method would be most secure while retaining some of the user convenience?

Again, convenience versus security, sometimes that comes up. A, SMS one-time passwords. B, email verification codes. C, mobile app push notifications. Or D, security questions and answers. Okay, so when we talk about hardware tokens, they are the most secure, right? So we really want to have something like that. But which one of these would be the best?

Next alternative, now it would be C, mobile app push notifications. Now, when you get your email verification codes, those are not nearly as secure. Your SMS one-time passwords? They can be, but they're in SMS, which is open text.

The mobile app push notifications, they are a bit more secure just in the fact that you have to have the mobile app, and by having the mobile app, it's the same concept as the SMS, but you actually have to have the app itself. So it's a better solution than just the overall hardware token.

Question seven: you discover a potential data breach involving unauthorized access to customer records from a vendor located in a country. What is your best course of action as a CISSP professional? Again, you discover a potential data breach involving unauthorized access to your customer records from a vendor located in another country.

What is your best course of action as a professional in the CISSP certification? A, immediately terminate the contract with the vendor. B, independently investigate the breach without notifying the vendor. C, contact the vendor and collaborate on investigating the incident. Or D, report the breach directly to legal authorities in both countries.

Okay, so some of those have longer ramifications and some of them are good, some of them maybe not so good. And the answer is C, contact the vendor and collaborate on investigating the incident.

If you can work with the vendor, it's a whole lot easier to deal with this challenge than trying to just go and say, well, I'm going to throw you under the bus and tell the legal authorities about the issue. That's just usually not the best option. It is an option, but it's not the best option.

Now, if the vendor isn't responding to what you've said, well then that's a different story. But work with the vendor to try to figure out the problem. I've done that multiple, multiple times. Question eight: your company uses a cloud service hosted in a country with weaker data privacy laws than your own.

How can you mitigate the risks associated with this arrangement? So your company uses cloud services hosted in a country with weaker data privacy laws than your own. How can you mitigate the risk associated with this arrangement? A, encrypt all the data before uploading it to the cloud platform.

B, implement contractual data residency agreements with the cloud provider. C, conduct regular penetration testing of the cloud environment. So encrypt all data, implement contracts and conduct penetration tests, or all of the above? And the answer is all of the above, right?

All of those are really good things to mitigate the risk associated with this type of arrangement. It's always good to do these things. Now you just have to weigh out, is it worth spending the money? That's the question, and opportunity costs.

Question nine: an employee working remotely and in a different country reports receiving phishing emails targeting company credentials. What should be your immediate action as a security professional? Okay, so you have employees working remotely and they're receiving phishing emails targeting them with company credentials.

Targeting their company credentials. A, block the phishing domain. B, reset the employee's account credentials immediately. C, educate the employees on phishing awareness and best practices. And then D, investigate the email source and immediately determine the attack's nature. Okay, so A is the domain, B is reset the employee's account.

C, educate the employee on phishing awareness. Or D, investigate the email source and determine the attack's nature. So all of those are good, right, they all have a place in this overall process, but the immediate action would be investigate the email source and determine the attack's nature.

By doing that, you get a better understanding of what exactly is going on. It also can allow you to determine what are the best mechanisms to put in place to stop this attack.

However, all those are good, they all are valuable, but which one is the most immediate? And those are the kind of questions you will see on the CISSP. Question 10: a government agency demands access to your company's customer data stored in a foreign country cloud server. What should you do before complying with this request?

A, provide the agency with full access to your data without delay. B, consult legal counsel and assess the compliance obligations. C, negotiate limitations on the agency's access and data types. Or D, deny the request outright and cite data privacy regulations. All those are good, right, they all have issues, but yeah, the one that's a big issue.

Obviously, when you start doing these things, you want to really make sure you focus on getting legal counsel and assess the compliance obligations. We've talked about this numerous times. Especially when it comes to this stuff, you really got to have legal and compliance involved. Again, I'm not giving you legal counsel.

I got in trouble from a lawyer friend of mine that made a comment that thought I was telling too much information on a podcast, and I'm like, no, I'm not, because I'm not a lawyer, and nor should you take any advice that I give you as legal advice. That would be really bad.

If you did that, then you might be getting yourself in some serious trouble and I don't want to be in trouble. So don't use my advice as legal advice. Question 11: your organization operates in multiple countries with varying cybersecurity maturity levels. How can you implement a consistent security posture across these diverse environments?

A, enforce rigid, centralized security policies for all locations. B, develop a risk-based approach, tailoring security controls to each region's needs. C, implement the highest security standards across all locations, regardless of local vulnerabilities. Or D, focus on security awareness training and improve the user's security behavior in all regions.

Okay, what do you want to do? There's a lot of words in this one, but the bottom line, when you're dealing with multiple countries, you want to develop a risk-based approach, tailoring security controls to each region's needs.

Each region has its own separate needs and you have various legal requirements in those regions, so you better make sure that you meet those needs specifically. Obviously, GDPR in China, two good examples of that. Question 12: you discover a vulnerability in a critical server software used by your global operations.

However, patching the software immediately would most likely disrupt essential business functions in some of the regions. What is your most strategic course of action? Okay, you got security flaws and you need to patch them immediately, and you are in a global business.

But what should you do first? A, deploy the patch immediately on all systems, regardless of disruption. B, inform the affected regions and postpone patching until a convenient time for all. C, develop a mitigation strategy to temporarily address the vulnerability until patching is feasible. Or D, prioritize patching high-risk regions and implement temporary controls for others.

Okay, again, what is the most strategic course of action? You got a critical vulnerability. Prioritize the high-risk regions, right. You want to make sure you do that as best you can and you want to have a sense of urgency around doing that.

You can't do it all, and you definitely don't want to put it off, and you don't want to make sure it's convenient for everyone, because it's never going to be convenient for everyone. You just have to go do it. Question 13: a new international treaty imposes stricter data privacy regulations on your organization's cross-border data flows.

How should you adapt your existing security framework to comply with these new regulations? Okay, so data privacy regulations on cross-border data flows. What should you do? A, modify the data classification schema to align with the treaty's data categories. That would be not the best option. You could do it, but it wouldn't be best.

B, update incident response procedures to include notification requirements under the treaty. Or C, conduct privacy assessments for data processing activities involving cross-border data flows. Okay, so I said the first one wouldn't be the best. Why? Well, because your treaties may change.

They may not have that level of detail, but when you listen to all three of those, you're going, hmm, they all are kind of good. Which should I do? Oh wait, there's one more answer: all of the above. That's when you would pick up on all of the above.

So I don't automatically just go out and cross one off because it doesn't make a lot of sense or it may not be the best option, but all of the above would be valuable. I do, when you try to tie something to a legal document now or to a treaty, there's nothing wrong with that. But things tend to change, especially legislation.

So you'd want to try to understand the overall breadth of what the legislation is trying to accomplish, and if you can tie it to that legislation, that would be good. But if it gets really ambiguous, you may have to make a judgment call.

If you do make a judgment call, you're going to want to make sure you document why you made that decision, because you will someday get on to a new job as a CISO of a large multinational that makes gazillions of dollars every day, and some poor person will come up behind you and go, what was this person thinking? So, yes, make sure you document it all.

Question 14: your organization plans to launch a new cloud-based service accessible from different countries. Which aspects of the CISSP domains should you prioritize during your security design phase? A, cryptography and access controls. B, security architecture and risk management. C, application security and business continuity to ensure that they're resilient.

Or D, all of the above? Okay, which aspects of the CISSP domains should you prioritize during your security design phase? And when you're doing security design, you need to look at all of them. Yes, all of the above. You need to consider a holistic approach when you're dealing with this, from cryptography to security architecture down to application.

Security needs to be a holistic approach to this process. Last question, the last melon, the last melon. Question 15: you face criticism from colleagues claiming your focus on international legal and regulatory compliance slows down business expansion. Yeah, I hear that a lot.

How would you defend your security approach and explain its long-term benefits? Okay, so you're claiming that international legal and regulatory compliance slows everything down. What should you do? A, emphasize the financial penalties and reputational damage from compliance. That's true.

B, highlight the improved security posture and reduced attack surface by adhering to regulations. That is true too. C, showcase how proactive compliance can build trust with customers and regulatory agencies. Most definitely. And the answer, and then there's D, is all of the above. Yeah, imagine that, it's all of the above. So, yes, it's all of the above.

Ones are nice. They're not always that way, okay, on the test, but in this situation for CISSP Cyber Training, they are all of the above, at least in this specific situation. Again, that's the one thing is there are multifaceted benefits.

When you're dealing with compliance, obviously you want to avoid the penalties, you want to highlight the posture and you want to build trust. Your job as a security professional is around influencing others to help you do your job, and you build trust by helping others get what they want and you get what you want. So it works out well together.

All right, that's all I've got for today. It is a lot of great questions. Go to cisspcybertraining.com. You can check it out. There's some really good stuff out there. I mean, these questions are just part of that. It's just one little aspect of what you can have at CISSP Cyber Training.

I'm here to help you with this whole process as we are moving forward, and I want to help you with the CISSP, because the world needs you, they need you out there and they need you being successful as a security professional. More and more, you see it all the time, so let's get this done, all right. Thanks so much for joining me today.

You all have a wonderful, wonderful day and we will catch you on the flip side. See ya.
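The re-identification point in question two (k-anonymity alone is not enough; l-diversity is needed), shown as an added example that is not from the podcast or from CISSP Cyber Training. It audits a constructed release table: the quasi-identifier columns, the sensitive column, the sample rows and the helper names are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample release (not real data): three quasi-identifier columns an
# attacker could learn from public sources, plus one sensitive column.
QUASI_IDENTIFIERS = ("zip", "age", "sex")
SENSITIVE = "diagnosis"
RECORDS = [
    {"zip": "021*", "age": "30-39", "sex": "F", "diagnosis": "flu"},
    {"zip": "021*", "age": "30-39", "sex": "F", "diagnosis": "flu"},
    {"zip": "021*", "age": "30-39", "sex": "F", "diagnosis": "flu"},
    {"zip": "021*", "age": "40-49", "sex": "M", "diagnosis": "flu"},
    {"zip": "021*", "age": "40-49", "sex": "M", "diagnosis": "asthma"},
    {"zip": "021*", "age": "40-49", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "022*", "age": "50-59", "sex": "M", "diagnosis": "cancer"},
]


def equivalence_classes(records, qi):
    """Group rows by their quasi-identifier tuple (one 'equivalence class' each)."""
    groups = defaultdict(list)
    for row in records:
        groups[tuple(row[col] for col in qi)].append(row)
    return groups


def k_anonymity(records, qi):
    """k = size of the smallest equivalence class; 0 for an empty release."""
    groups = equivalence_classes(records, qi)
    return min((len(g) for g in groups.values()), default=0)


def l_diversity(records, qi, sensitive):
    """l = fewest distinct sensitive values in any class; 0 for an empty release."""
    groups = equivalence_classes(records, qi)
    return min((len({r[sensitive] for r in g}) for g in groups.values()), default=0)


def homogeneous_classes(records, qi, sensitive):
    """Classes whose members all share one sensitive value. Anyone who knows a
    person's quasi-identifiers learns the diagnosis without picking a single row,
    which is exactly the leak k-anonymity does not prevent."""
    groups = equivalence_classes(records, qi)
    return [key for key, g in groups.items() if len({r[sensitive] for r in g}) == 1]


def inference_confidence(records, qi, sensitive, known_qi):
    """Share of the class holding its most common sensitive value, i.e. how
    confidently the sensitive value can be inferred from known quasi-identifiers."""
    group = equivalence_classes(records, qi).get(tuple(known_qi), [])
    if not group:
        return 0.0
    most_common = Counter(r[sensitive] for r in group).most_common(1)[0][1]
    return most_common / len(group)


def suppress_small_classes(records, qi, k):
    """Suppression: drop every row whose class is smaller than k (raises k only)."""
    groups = equivalence_classes(records, qi)
    return [r for g in groups.values() if len(g) >= k for r in g]


def generalize(records, rules):
    """Generalization: coarsen quasi-identifier values with per-column functions so
    that classes merge and the sensitive values within each class become mixed."""
    out = []
    for row in records:
        new = dict(row)
        for col, fn in rules.items():
            new[col] = fn(new[col])
        out.append(new)
    return out


def audit(records, qi, sensitive, k_required, l_required):
    """Pass/fail summary a reviewer would want before approving a release."""
    k, l = k_anonymity(records, qi), l_diversity(records, qi, sensitive)
    return {"k": k, "l": l, "k_ok": k >= k_required, "l_ok": l >= l_required,
            "homogeneous": homogeneous_classes(records, qi, sensitive)}


if __name__ == "__main__":
    print("raw release:", audit(RECORDS, QUASI_IDENTIFIERS, SENSITIVE, 3, 2))
    sup = suppress_small_classes(RECORDS, QUASI_IDENTIFIERS, 3)
    print("after suppression (k ok, l fails):", audit(sup, QUASI_IDENTIFIERS, SENSITIVE, 3, 2))
    merged = generalize(sup, {"age": lambda a: "30-49" if a in ("30-39", "40-49") else a,
                              "sex": lambda s: "*"})
    print("after generalization:", audit(merged, QUASI_IDENTIFIERS, SENSITIVE, 3, 2))
```

The suppressed table is 3-anonymous yet still discloses every woman aged 30-39's diagnosis with full confidence; only after generalization does each class carry several diagnoses and pass the l-diversity check.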

Transcript source: provided by creator in RSS feed.