Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Let's go.
Hey, I'm Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Yeah, man, it's awesome. Today we're getting closer to Christmas. It's awesome, it's awesome, can't wait.
I know my grandkids are like freaking out excited about that, because I remember as a kid growing up, Christmas was everything. So, yes, it's getting close, but we're not here to talk about old St Nick. You are here to learn about CISSP stuff.
So we're going to get into domain five today of the CISSP, but before we do, obviously we're going to get into an article that I saw recently. It is talking about three quarters of security leaders admit gaps in hardware knowledge.
Now I will tell you that, as working as a CISO, then also working as an architect and so forth, and then having to go up through the ranks of being in the red teams, I learned we started off with the A-plus certification for hardware and if you've dealt with A-plus at all, it focused on the hardware aspects of it, from down to BIOS, to chips, you name it, all those little nuances.
Well, as we move into this SaaS world that we have, I think there's less emphasis on this and this article kind of talks about that and as a security professional, you're going to be responsible for a lot of the security related to your hardware within your organization and hardware is still out there; it's not all in a SaaS environment.
So it's going to be important that you kind of understand what does that entail? And also, when you hire people, you need to kind of ask some key questions around hardware security as well. It's just kind of an important part.
But this article kind of gets into the fact that three quarters, or they say in three quarters, but it's about 80% of IT and security decision makers admit to major gaps in hardware and firmware knowledge, and I know this is definitely the case, especially if you get in the manufacturing space specifically, there is a lot of gap between the hardware knowledge because a lot of the hardware they're using is still circa 1980s, 1990s and that it's very hardware intensive versus in today's world of being a more of a SaaS environment. So one of the things they said in here is that most of these folks do not collaborate with IT and the security and also the suppliers and the hardware people don't necessarily talk together.
They also made a comment that it's around 53 of them said BIOS passwords are shared.
Now, if you're dealing with a BIOS password many times, your ultimate goal is that you should go in and change those to something that is more appropriate for your organization and to have those passwords so that they're not easily guessable or maybe, dependent upon the type of hardware. They could be a standard type of password.
So obviously one of the best practices is to go out and reduce those and remediate those. Well, here they're saying that many people share them, and I can see that happening, especially in a large organization.
If there is a mandate to go and change BIOS passwords within your organization, I can see where somebody would actually copy those down, put them in a location and then share them amongst others.
Now, if you had to do something like that, one of the considerations you may want to think about is the fact that you could put it in a product like CyberArk, some sort of management solution, password management solution. That would be a way that you could do that.
Ideally, you wouldn't want to put them in some sort of location where they're shared amongst everyone, but there might be times when you have to share them. Therefore, you should consider the proper ways to do that.
They also made a comment that more than one in 10 employees are frustrated with the slow pace of maintenance and I guess in today's world a lot of the maintenance comes down to is they don't really even try to fix it, they just buy something new.
I was talking to a guy on one of my contracts recently and he just has a TV and he's trying to make some changes to his TV. That is, he's got some capacitor issue and so he wanted to go and get that fixed. The question is we came back to is in most cases, people just go and throw it away. They don't actually try to go out and fix it.
So because of that, there's a lack of knowledge around how to actually fix some of the hardware that goes along with it, which then rolls into the next comment around e-waste, and they call it an e-waste fail, and it's because they're saying that a lot of equipment that is just thrown away and could be potentially repurposed.
Now we've talked about this in the past on CISSP Cyber Training that repurposing hardware is an important part of helping one, you don't want to put it in the landfills and two, some other people could potentially benefit from it.
That being said, it's important that you don't store sensitive data on these different types of e-waste that you're potentially giving away.
So one of the things to consider is, if you're going to give the, they call it the kit, but basically your computer, you're going to give that away, you want to make sure that you do remove any of the hardware that is related to data storage in there. Obviously, not the chips themselves, but any hard drives of some sort, whether they're physical or whether they're an SSD. You'll want to get rid of those. But, that being said, it's one of those aspects that you want to consider.
If you are going to be going through and purging a lot of equipment within your organization, are there ways that you can repurpose it and give it to maybe some non-profits, somebody that could use it a little bit better, and or use it versus having it thrown away? So just something to consider.
Again, this is an article out there by InfoSec Security Magazine and it's talking about security leaders admit there's a gap in hardware knowledge. Okay, so let's get started on today's questions. So again, today's questions. You get all these questions at CISSP Cyber Training.
You get access to them at any time, all the access that you get there at CISSP Cyber Training. These questions are there and available to you. You just got to go check them out. We will also be putting this up on the blog. You'll have access to it. I'm a few sessions behind, I think, on that, but it'll be coming out here soon.
I've been in the process of trying to. We bought a Verbo and I was in the process of getting that ready. So, needless to say, I have been a little consumed with my wife's activities at this point. But we're here, group eight, and we're in domain five, so let's get going.
So question one: which of the following is the primary purpose of a privilege management in an identity and access management system? Okay, so which of the following is the primary purpose of a privilege management in an identity and access management system? A, to enforce least privilege by controlling access to sensitive data.
B, to manage user lifecycle and permissions throughout their employment. C, to provide non-repudiation of the user's actions. Or D, to ensure compliance with data retention regulations. And the answer is A, to enforce least privilege by controlling access to sensitive data. Question two: which of the following describes the principle of least privilege?
Again, which following describes the principle of least privilege? A, granting users the highest level of access to ensure that they can perform their job functions. B, allowing users to access only the information necessary for their specific tasks. Or C, allowing users to perform administrative tasks on any system they use.
Or D, providing users with read and write access to all system resources. Again, which of the following describes principle of least privilege? And the answer is B, allowing users to access the information necessary for their specific task. Again, least privilege.
You should be granted with the minimum level of access required to perform your job duties, and that's what we talk about least privilege. You don't want to give them any more than they absolutely must have to do their job. Now it does add for some delays potentially.
I've run into this myself when you're giving somebody access and you realize, oh no, I don't have the access. Myself had that happen a couple times.
So something to consider when you're giving least privilege is it's going to add a little bit more drama at the beginning, but once you figure out what their access should be, it will be much easier to provision those accounts as time goes on. Question three: which of the following best describes role-based access controls, or otherwise known as RBAC?
Which of the following best describes role-based access controls, or otherwise known as RBAC? Which of the following best describes role-based access controls? A, access is granted based on the user's specific identity. B, access is granted based on the user's role within the organization. C, access is granted based on the sensitivity of the data. Or
D, access is granted based on the time of day the request is made. Again, RBAC, role-based access controls. Hmm, what is that? RBAC is basically B, access granted based on the user's role within the organization. Now, it's a policy used to assign permissions based on the role, air quotes, rather than the individual user.
Now, this requires you to have a defined role for the individual and not just lob everybody into one big bucket. So, again, they're assigned by job functions and the users are assigned the roles to provide them the access to the resources they need. Question four: which of the following authentication methods provides two-factor authentication?
Again, which one provides two-factor authentication? A, username and password. B, smart card and PIN. C, biometrics only. Or D, CAPTCHA. Okay, K-A-P-T-C-H-A, which you all know, but it's CAPTCHA. Which of the following authentication methods provides two-factor authentication? And the answer is B. It is smart card and PIN. Right, it requires two different types of factors.
The smart card provides something you have and the PIN is something you know, so therefore it is. That's what your multi-factor piece of this is, so you'll get a lot of the smart cards and the PINs.
Obviously, when you're dealing with your credit cards, have that. A lot of different CAC cards, like the military does a CAC card, or it's a close access card, I think that's what they call that, but it's a CAC, C-A-C, so different types of authentication methods for multi-factor. What does the identify?
Question five: what does the identity federation allow an organization to do? Again, what does an identity federation allow an organization to do? A, to enable the use of single authentication system across different platforms and organizations. B, to establish a single set of policies for managing user passwords.
C, to define a common encryption standard for data across organizational boundaries. Or D, control which services a user can access based on the geographic location. Again, what does identity federation allow for organizations to do? And it is A, enable the use of a single authentication system across different platforms and organizations.
Again, the federation is a different organization. They share and trust data between them, identity data between them, and allows for authentication once they gain access. Now, this is usually achieved through SAML, OAuth or OpenID Connect. Those are different types of access, to be able to, or different types of mechanisms to be able to share that data.
Question six: which of the following is a primary goal of single sign-on or SSO? Again, what is the primary goal of single sign-on, or otherwise known as SOS? No, not save our ship, it's SSO, right? Single sign-on. A, to provide a centralized system for managing user passwords.
B, to allow users to log in once and gain access to multiple applications without re-authenticating. C, to enable multiple users to share a single account securely. Or D, to enforce stronger authentication mechanisms across the systems. Again, which of the following is a primary goal of single sign-on? And it is B, to allow users to log in once, one time only.
One ping, one ping only, to allow the users to log in once and gain access to multiple applications without re-authenticating. If you know the movie, let me know. Yes, I know the movie. Yes, yeah, one ping, one ping only. All right. SSO is designed to streamline the authentication process, right?
So user logs in once and then they can access multiple applications. That's the ultimate goal of SSO. Question seven: in a multi-factor authentication scheme, MFA, which of the following is a typical consideration the most secure factor, which is typically considered? That's better. Okay, typically considered the most secure factor.
That didn't make sense when I first said it. A, something you know, a password. B, something you have, a smart card. C, something you are, biometrics. Or D, something you do, behavioral biometrics. Okay, in the two-factor authentication scheme, which of the following is typically considered the most secure?
And it is C, something you are, based on biometrics, right, because that's usually something that, if your eyeball is usually pretty unique to just you, so therefore it's fingerprints, retina scans, facial recognition, all those aspects are very unique to individuals.
That being said, when the facial recognition first came out, my wife and my daughter could actually open each other's phones, but that has now since changed. But there's actually, it comes right down to biometrics is one of your more secure options.
Okay, question eight: which of the following is an example of identity proofing process during the onboarding of a new employee? The identity proofing process of an onboarding new employee. Again, what is that? All right, what's an example of that? A, asking for a password to access the system. B, sending a one-time passcode to SMS or texting.
C, verify with a government-issued ID. Or D, assigning a role and granting access permissions. Again, what is an example of identity proofing process during an onboarding of a new employee? So Billy Bob starts up. How do you identity proof him? And it is C, verifying with a government-issued ID.
Again, that's one thing we want to use, is use that to help them grant access. They're going, yes, Sean is who he says he is. He is not Jessica. However, I have, in using my powers for good, I have copied many, many government-issued IDs and have gotten away with it.
So, that being said, you need to make sure that if you are in a secret location somewhere, you do a much better job of checking IDs than people did on me. Question nine: which is the primary purpose of a separation of duties policy in identity and access management?
What is the primary purpose of a separation of duties policy in identity and access management? A, to prevent users from performing critical actions that may lead to fraud or error. B, to limit the number of access controls that need to be managed. C, to simplify auditing and logging processes.
Or D, to provide users with temporary elevated privileges for urgent situations. Okay, so what is the primary purpose of separation of duties policy in identity and access management? And the answer is A, to prevent users from performing critical actions that may lead to fraud or error.
Again, separation of duties requires that no individual has the ability to perform the conflicting actions, right. As an example would be approving financial transactions. Again, that would be bad, right. So you can do, say, hey, I want to give myself a $30,000 pay raise and you do that. That would be bad, right.
That's what you want to have separation of duties, and you want to have other people that are watching what you are doing. Question 10: which of the following methods is most commonly used for authentication in cloud environments? Again, what is most commonly used for authentication in cloud environments?
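As an added example, not from the podcast, here is how a separation-of-duties check looks in code: a constructed conflict matrix catches a user who holds both "request" and "approve" entitlements, and the pay-raise scenario above is rejected because the requester and approver are the same identity. All entitlement names and accounts are made up for the example.

```python
"""Separation-of-duties (SoD) checks for an IAM access review: flag users
holding conflicting entitlements and refuse self-approval of a transaction."""
from itertools import combinations

# Conflict matrix: pairs of entitlements one person must never hold together.
# Constructed sample values for this example, not a real entitlement catalog.
SOD_CONFLICTS = {
    frozenset({"payroll.request_change", "payroll.approve_change"}),
    frozenset({"ap.create_vendor", "ap.approve_payment"}),
    frozenset({"ap.submit_invoice", "ap.approve_payment"}),
}


def find_sod_violations(assignments):
    """Return {user: [(a, b), ...]} for users whose entitlements collide."""
    violations = {}
    for user, entitlements in assignments.items():
        hits = [(a, b) for a, b in combinations(sorted(entitlements), 2)
                if frozenset({a, b}) in SOD_CONFLICTS]
        if hits:
            violations[user] = hits
    return violations


def review_approval(txn, assignments):
    """Decide whether an approval satisfies SoD. Returns (allowed, reason)."""
    approver, needed = txn["approver"], txn["required_entitlement"]
    if approver == txn["requester"]:
        return False, "self-approval: requester and approver are the same identity"
    if needed not in assignments.get(approver, set()):
        return False, f"{approver} lacks {needed}"
    if approver in find_sod_violations(assignments):
        return False, f"{approver} holds a conflicting entitlement set"
    return True, "approved by an independent, entitled approver"


# Constructed sample entitlement assignments (not real accounts).
ASSIGNMENTS = {
    "sean": {"payroll.request_change", "payroll.approve_change"},  # toxic combination
    "jessica": {"payroll.approve_change"},
    "billybob": {"payroll.request_change"},
}

# The podcast's scenario: a user tries to approve their own $30,000 raise.
SELF_RAISE = {"requester": "sean", "approver": "sean", "amount": 30000,
              "required_entitlement": "payroll.approve_change"}
# The compliant path: someone else, who holds only the approve right, approves.
INDEPENDENT = {"requester": "billybob", "approver": "jessica", "amount": 30000,
               "required_entitlement": "payroll.approve_change"}

if __name__ == "__main__":
    print(find_sod_violations(ASSIGNMENTS))
    print(review_approval(SELF_RAISE, ASSIGNMENTS))
    print(review_approval(INDEPENDENT, ASSIGNMENTS))
```

Running the access-review function over every user's entitlements on a schedule is what turns "other people watching" into a repeatable control rather than a one-off check at approval time.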
That's your Azure, your Amazon, AWS, all those kind of things, right, and the A, Kerberos. B, username and password. C, PKI, Public Key Infrastructure. Or D, OAuth and OpenID Connect. Again, which is the most commonly used for authentication in cloud environments, which is most everything it seems like today? And the answer is D, OAuth and OpenID Connect.
Again, these are modern, widely used standards for authentication in cloud environments. They do provide secure, token-based authentication and authorization. They enable you to be able to authenticate across different cloud environments, whether it's AWS, Azure or whatever it might be. So they're helping you do that.
Question 11: which of the following is a key advantage of attribute-based control compared to role-based access controls? And which of the following is a key advantage of attribute-based access controls? Forgot the access the first time. And compared to role-based access controls, so ABAC versus RBAC? Okay, and ABAC, A, a letter A, number one, that's it.
A, ABAC is simpler to manage because it does not require role assignments. B, ABAC allows you to have more granular access decisions based on the whole wide range of attributes. C, ABAC is easier to integrate with legacy systems. Or D, ABAC relies on fixed rules that do not change over time. Okay. So attribute-based access controls?
And the answer is B, ABAC, access-based access controls, allows you to do more granular access decisions based on the wide range of attributes of the person, right? So that's what you want to do: characteristics, environmental factors, resource types and so forth.
RBACs are designed for submission based on fixed roles, whereas the ABAC deals with attribute-based access, which is for complex environments where decisions need to be made based on multiple pieces of criteria. Much more sensitive locations would have an ABAC type of access control. Question 12.
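As an added example (not from the podcast), the RBAC-versus-ABAC point above is easiest to see when the same request is run through both models: a role lookup alone allows a physician to write any patient record, while an attribute policy that also reads resource sensitivity, department and time of day denies the cross-department and after-hours cases. The roles, departments and policy rules are constructed for the example.

```python
"""One access request evaluated two ways: a role lookup (RBAC) and an
attribute policy (ABAC) that also weighs resource sensitivity, department
and an environmental attribute (hour of the request)."""
from dataclasses import dataclass, field

# RBAC: role -> permitted (resource_type, action) pairs. Constructed sample values.
ROLE_PERMISSIONS = {
    "nurse": {("patient_record", "read")},
    "physician": {("patient_record", "read"), ("patient_record", "write")},
}


@dataclass
class Request:
    subject: dict                            # identity attributes
    resource: dict                           # resource attributes
    action: str
    env: dict = field(default_factory=dict)  # environmental attributes


def role_permits(roles, resource_type, action):
    """True if any role in the set grants (resource_type, action)."""
    return any((resource_type, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def rbac_decide(req):
    """RBAC sees only the subject's roles, the resource type and the action."""
    return role_permits(req.subject["roles"], req.resource["type"], req.action)


def restricted(req):
    return req.resource["sensitivity"] == "restricted"


# ABAC policy: ordered (name, predicate, effect) rules; first match wins and
# nothing matching means deny. Constructed policy for this example.
ABAC_RULES = [
    ("deny-cross-department-restricted", lambda q: restricted(q)
        and q.subject["department"] != q.resource["department"], False),
    ("deny-after-hours-restricted", lambda q: restricted(q)
        and not 8 <= q.env.get("hour", 0) < 18
        and not q.subject.get("on_call", False), False),
    ("allow-by-role", rbac_decide, True),
]


def abac_decide(req):
    """ABAC: walk the rules in order; return (decision, name of deciding rule)."""
    for name, predicate, effect in ABAC_RULES:
        if predicate(req):
            return effect, name
    return False, "default-deny"


def compare(req):
    """Show where the two models disagree on the same request."""
    return {"rbac": rbac_decide(req), "abac": abac_decide(req)}


# Constructed sample subjects and resources (not real people or records).
DR_LEE = {"roles": {"physician"}, "department": "cardiology", "on_call": False}
NURSE_KIM = {"roles": {"nurse"}, "department": "cardiology"}
CARDIO_RECORD = {"type": "patient_record", "sensitivity": "restricted", "department": "cardiology"}
ONCO_RECORD = {"type": "patient_record", "sensitivity": "restricted", "department": "oncology"}

CROSS_DEPT = Request(DR_LEE, ONCO_RECORD, "write", {"hour": 10})    # role says yes, attributes say no
AFTER_HOURS = Request(DR_LEE, CARDIO_RECORD, "write", {"hour": 22})
IN_HOURS = Request(DR_LEE, CARDIO_RECORD, "write", {"hour": 10})
NURSE_WRITE = Request(NURSE_KIM, CARDIO_RECORD, "write", {"hour": 10})

if __name__ == "__main__":
    for label, r in [("cross-dept", CROSS_DEPT), ("after-hours", AFTER_HOURS),
                     ("in-hours", IN_HOURS), ("nurse-write", NURSE_WRITE)]:
        print(label, compare(r))
```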
Which of the following access control models is most suitable for environments where access decisions need to be based on a set of policies and regulations, such as in the healthcare industry? Okay, again, what following access control models is most suitable?
Most suitable for environments where decisions need to be made based on policies and regulations, such as in the, air quotes, healthcare industry. A, discretionary access controls. B, mandatory access controls or MAC. DAC is discretionary access controls.
C, role-based access controls, or D, attribute-based access controls. Or MAC, DAC is discretionary access controls, C, role-based access controls or D, attribute-based access controls? And the answer is B, mandatory access controls are used highly in regulated environments and this is where policy and regulations such as in healthcare, government, military dictate these access controls.
Again, they're determined by system-enforced policies rather than the user's discretion. So that's mandatory access, that they have to have to gain access to these things, or they're limited to what they have access to. Question 13: which of the following should not be a benefit of using identity governance and administration solutions?
So again, identity governance and administration solutions, otherwise known as IGA, that's India Gulf Alpha. Okay, A, an improved regulatory compliance and audit readiness. B, simplifies user access requests and approvals. C, improved security through continuous monitoring and user activities. Or D, increased user productivity by allowing instant access to all resources.
That's a lot of words, okay. So which of the following is not benefit of identity, not be a benefit, not be, not be, not benefit, but not be a benefit of IGA? And the answer is D, increased user productivity by allowing instant access to all resources. Yeah right, that's not going to work. If you went through all of those, you'd go.
Yeah, that makes no sense at all. You don't want to be increasing user productivity by allowing access. Right, you can get productivity. But at this end, what happens when you allow too much access? Yes, the wolf runs away with a chicken coop and we probably don't know what that means, but basically, I don't even know what that means.
Anyway, the chickens all run away. That's what ends up happening. But it's helping. IGAs help to identify user identifies, enforce policies and provide visibility into access controls, such as improving the compliance and security, right. They provide unrestricted access.
You know, if you're trying to increase productivity with unrestricted access, you're just asking for trouble, so just don't do that. Question 14: which of the following access management practices helps to ensure that only authorized individuals can use a specific system?
Again, which of the following access management practices helps ensure that only authorized individuals can use a specific system? A, password complexity and policies. B, session timeouts. C, regular review of user access permissions. Or D, encryption of sensitive data at rest.
Again, which of the following access practices helps ensure that only authorized individuals can use a system? And the answer is C, regular review of user access permissions. Again, this reviewing of these access permissions ensures that only authorized individuals have access to sensitive resources and that privileges are complete and up-to-date.
Again, managing these is an important part of any sort of organization, especially when you're dealing with a very dynamic organization. Question 15, the last question, the last melon: which is a major disadvantage of password-based authentication? Again, which is a major disadvantage of password-based authentication? A, it can easily be integrated with existing systems.
B, it requires users to remember complex passwords. C, it provides strong multi-factor authentication. Or D, it's highly resistant to phishing attacks. Again, what is the major disadvantage? And again, it requires, B, requires people to remember complex passwords, which, what ends up happening? People copy them down.
They either make the passwords very weak and dilute them, or they copy them down and then send them out to all their friends. So, no, they don't send them to their friends, but they leave them on their computer and therefore they have problems. Again, that is the last question, so I hope you guys enjoyed it.
Again, go out to CISSP Cyber Training and check it out. If you are looking for a security person and you need some assistance, go to ReduceCyberRisk.com. You also can check me out there and that provides you with cybersecurity resources for you and your organization.
But bottom line is go to CISSP Cyber Training and get access to all of my questions and all of my content. You can get it.