Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautiful day today. Yes, yes, awesomeness day today. We're getting close to the holidays and you know it's always this fun time of year; it gets to be a vibration. It's exciting, it's awesome.
I know my kids, and now we have the grandkids, and everybody else just loves it. So we've got family coming in from out of town, which is going to be great to see them. My son and his daughter, or my daughter-in-law, are moving in, so we're excited about that. They're bringing a puppy, which will be interesting, but it's all good, it's all good.
We'll be happy to have everybody here, enjoying the Christmas holidays and having some time together, so it's positive. So hopefully you all are going to get the opportunity to do that, especially as we get into this time of year where a lot of people are taking time off.
But if you are taking some time off, hopefully you are studying and cramming for your CISSP. So today we are going to be getting into the questions that are associated with the podcast that we had on Monday.
So we're going to dig into that a little bit, but before we do, I wanted to quickly talk about this article from Information Security Buzz around cybersecurity in 2025. So, as we get close to moving into the new year, how is that going to change for 2025? I thought 2024 was going to be busy.
Well, it looks like 2025 will be just as busy, if not more so. And a lot of the challenge comes from the fact that the technology is changing at such a quick pace. It's really hard, as we've mentioned before time and again, for people to keep up with all of the change.
So the article really gets into some main topics I wanted to roll over. One is AI-driven threats and, as we know, there's going to be much more opportunity for artificial intelligence threats and for people to utilize that technology to attack individuals and to attack corporations.
So that is going to be a big factor, especially in the financial sector, e-commerce and so forth. There are big factors as it relates to the incidents that happened with SolarWinds, and then also the vetting and continuous monitoring piece of this. They mention that through the article as well.
I would say one thing to consider, as you are looking to put security within your organization: consider that. And I know that vendors are working very hard at this, to try to come up with ways of utilizing AI-driven technologies to help find the bad guys and girls. So that's an important part of all of that.
Another thing they mentioned in here that I thought was really interesting was the evolving cyber security, or cyber insurance, model they're going to be wanting. The insurance companies have really just kind of relied on people in the past to tell them what is going on with their organization, but they're going to be using now some AI-driven risk assessments, which I think is a valuable part.
People like me that were utilizing contractors, I should say, that were doing risk assessments for companies, may be impacted a bit by this, but I also feel that maybe an initial risk assessment by AI will actually help with giving an overall understanding of the organization.
I also feel that in many cases, if you could start that off, a security person coming in can then utilize those skills that they have to help dig deeper into the organization and really add an extra level of security, versus it being more of a checklist-driven type of activity. So that's the part where they bring that in. Quantum-resilient encryption.
We're already starting to see levels of encryption, or I should say quantum leaps, and that is not a pawn or a pan or whatever, a pun off of the old movie or TV show Quantum Leap, but quantum is leaping very quickly.
And now to the point where Google has chips that have quantum technology in them that they are deploying, or will begin deploying, into computers around the world.
So that's going to be an interesting part, how that's going to overall work, especially when you're dealing with the state privacy laws in countries such as China and Europe, and you're going to get more of that.
And that's one of the key other things they talk about here: more regulations that are going to be coming out because of the technology changes that are occurring. Generative AI risks, obviously that's another part that can be a big factor.
Automation and DevOps security. I'd say this is probably one that is going to become an even bigger factor in the next year, DevOps security, and the reason is because, as we're studying the CISSP, a lot of my students struggle with this part because they've really never dealt with the DevOps piece of it.
So, as we become more and more reliant on technology and the development of this technology, SecDevOps is going to be a really important part of your overall security plan. And then, obviously, focusing on zero trust, nation-state cyber warfare; all of those are key factors that are going to be a big player in 2025.
I also saw an article in Wired about how they're saying the folks in the inn are saying Doge, Dodge or whatever it is, the group that's going to help with government efficiency, they're worried that they're going to take away cybersecurity funds for companies because they're trying to streamline things.
And that is possible, right, but I think also, at the same time, the US government especially has got so much bloat that there needs to be some way of fixing that. Now the question is, will the pendulum swing too far in the other direction? Probably, and then we'll be picking up the pieces after that.
So it should be really quite an interesting year for 2025. All I can say is let us all hang on, wear our tinfoil hats and just get ready for the fun times, especially if you've got drones flying over your head everywhere. Yes, it'll be fun, it'll be a good time, okay. Well, let us get into the overall questions.
Again, before we get going on that, though, go to Cybersecurity in 2025: A New Era of Complexity. You'll be able to check all that out. That's at informationsecuritybuzz.com. Okay, so let us roll into the questions.
Okay, question one. You are reviewing the results of a vulnerability scan that has reported multiple high-severity vulnerabilities within a critical system. After validating the findings, you notice that the vulnerabilities appear to be outdated and unlikely to be exploited in your environment. What is the best course of action to address the situation?
Okay, so you've got lots of issues, but they probably aren't effective for you. A, remediate all findings as quickly as possible to mitigate any potential risk. B, document the vulnerabilities as false positives and disregard them. C, update the vulnerability scanner database to improve accuracy and re-scan to confirm results.
Or D, evaluate the context of the vulnerabilities, such as exploitability within your environment, and defer the remediation while implementing compensating controls. And the answer is D, right. So the ultimate goal, though, is you want to document this, you want to understand the context of these vulnerabilities, and you may want to defer the remediation.
Now, removing them and deleting them doesn't really help you, because they're going to come back up, and deleting anything is usually not good. However, you need to document why you're not going to remediate them, and then you want to understand where they're at and potentially implement some level of compensating control.
Question two. Your organization faces a situation where an important system cannot be patched due to operational constraints. A business-critical application relies on an old version of software that no longer receives security updates. Been there, done that, got the t-shirt.
How should you justify and manage this exception, considering both the technical and the business risks within your company and your organization? So, again, you face a situation where they cannot be patched due to operational constraints. You are going to run into this, guaranteed.
A, apply compensating controls and document the exception with clear, time-bound remediation plans and risk mitigation measures. B, notify stakeholders that the vulnerability will be ignored due to the business impact and delay the patch indefinitely.
C, ignore the issue temporarily and proceed with regular scans until the next major system upgrade. D, remove all affected systems from the network and reduce exposure. Okay, well, there's a couple of those in there that make no sense, right? A couple of them are like, I don't know what to do.
And the answer is A, right: apply compensating controls and document the exception with clear, time-bound remediation plans. Time-bound means within six to eight months, 12 months, whatever that is.
You are going to then address it, and the benefit of that is that when you can talk to the senior leaders, you say, hey, we've got a problem, we're going to address it. It's going to take six to 12 months before we'll get to it.
However, that being said, be ready, hang on, buddy, we're going to get this fixed, and then you're going to have to go and address the problem. Question three. A researcher discovers a zero-day vulnerability in your publicly available API, okay, that could potentially expose sensitive user data. So, aha, APIs, they're everywhere.
The researcher has contacted you through a public channel and demanded public disclosure within 30 days. You have validated the vulnerability and are working on the patch, but need more time to implement the fix. What is the most reasonable approach to handle this ethical dilemma?
A, publicly release the vulnerability details after the 30-day period to meet the researcher's demand, despite the lack of a fix. B, coordinate with the researcher to extend the disclosure timeline with privately shared progress on the patch development. C, ignore the researcher's demand and release the patch without publicly acknowledging the vulnerability.
Or D, deny the researcher's request for disclosure and keep the vulnerability private to prevent reputational damage. Okay, well, this is where your security skills come into play. You want to coordinate, B, with the researcher and come up with a game plan on how to address the issue.
So again, yeah, you need to work with people, and you go to them and say, hey, this is the problem, we're running behind. Here's where we're at. This is what's going on. Can you please wait before releasing it?
Now, that being said, you better come with some ideas on how long you need. Coming back and saying I need six more months, yeah, that's not going to work. So you better say, hey, I need an extra 15 days. People, in most cases, are accommodating, but you better be showing progress on what you're trying to accomplish.
Question four. A critical vulnerability is identified in an internal system that is not currently exposed to the internet. Okay, so, an internal system not exposed to the internet, but it is connected to sensitive data repositories.
After validating the finding, you determine that the risk of exploitation is minimal due to the strong internal controls and limited access. What should be your next step when managing this vulnerability? Okay, so now you know that there's a problem; it's currently exposed, but it's not exposed to the internet.
What are you going to do? Okay. A, mark the vulnerability as non-actionable and move to other findings. B, document the exception and implement additional compensating controls and reassess periodically for changes in the system. C, automatically escalate the issue to senior management for immediate remediation.
Or D, disconnect the system from the network and eliminate any possible threat. Okay, so it's a critical vulnerability in an internal system and it has access to sensitive data, and you should B, document the exception, implement additional compensating controls and reassess periodically for changes in the system.
Question five. You are working as a security consultant for a vendor and you discover a critical vulnerability in one of their widely used products. You believe it could lead to a significant data breach if it is exploited. The vendor is unwilling to publicly acknowledge the vulnerability or to provide a fix.
What would be the most ethical action to take in this specific situation? So you're a vendor, okay, you discover a critical vulnerability and you're like, dude, you got a problem, and dude's like, no, I don't have a problem, I'm okay. So what are you going to do? Well?
A, you're going to wait for the vendor to address the vulnerability and do nothing until they take action. B, you disclose the vulnerability publicly to warn the user community, risking potential reputational damage for the vendor.
C, you continue working with the vendor in private and provide a timeline for a fix, and inform the affected users directly if the vendor delays further actions. Or D, you exploit the vulnerability to demonstrate the severity to the vendor and force them to act. Okay, well, that one's not good.
Obviously that goes bad, period. Again, you want to work with people. Continue to work with the vendor in private to provide a timeline for a fix. It's important that you do that. And if it doesn't work, you raise it up to senior leadership, and you just keep bringing that up to senior leadership.
I hate to tell you this, but sometimes you may have to go above and beyond where you're at to get what you want done. But you have to do this in a way that's ethical. But you also have to do it in a way that is taking into account people's thought process.
There might be a perfectly specific reason why they don't want to do it that you may not be privy to. So you need to walk carefully in this situation. Tread carefully, that's a better word. Okay. Question six. After conducting a vulnerability scan, you notice that several critical vulnerabilities are flagged on multiple systems.
However, after a closer inspection, you determine that the vulnerabilities are being reported due to misconfigurations in the scanning tool. Haha, the scanning tool's got problems. What is the most efficient way to resolve the issue and ensure future scans are accurate? A, ignore the false positives and focus only on the remaining vulnerabilities.
B, conduct manual penetration tests on all flagged systems to confirm vulnerabilities exist. C, notify management of the false positives but proceed with remediation of the flagged vulnerabilities anyway. Or D, adjust the scanning configuration or use an alternative tool to ensure that you have accurate results.
And the answer is D, use an alternate tool to ensure that you have accurate results. That being said, you may want to conduct some, if you have a red team involved, you may want to do some level of penetration tests on the flagged systems if they are critical to your organization.
So it may be a combination of both of those, but keep in mind again, thinking like a leader, how do you deal with the issue immediately? How do you deal with it swiftly, but also in a way that is focused on, and is targeting, the overall risk that you have to deal with?
Question seven. Your organization has a vulnerability in an outdated application that processes sensitive customer data. Due to budget constraints, that's never good, the upgrade or patching of the system will take at least six months. You are asked with managing this exception. You are asked, you are tasked, not asked. You are tasked with managing this exception.
How should you communicate the risks of this exception to the stakeholders? Okay, so the stakeholders could be your CIO, could be your CISO, could be whoever, but you're going to ask, who are the main people that are responsible for it? So, due to the budget constraints: one, maybe you need to find more money.
Two, you need to figure out where the money is coming from. Why is this a problem? What should you do? Well, A, explain the risks, provide a detailed mitigation strategy and set clear expectations for continuous monitoring and reassessment during the six months.
So, explain the risks, set up a mitigation strategy, and how are you going to watch it for the next six months while you get it addressed or you try to find more money? That's another option as well. B, emphasize the low risk and recommend that no additional actions are necessary until the system is patched.
C, suggest that the system be removed from use completely until the patch is applied. Or D, disregard the business constraints and escalate the issue to the highest levels of management for immediate remediation. Okay? The last one depends on what kind of sword you want to fall on. If you want to fall on your sword, great, but be careful.
If you do that, you will burn some serious bridges and you may not have the opportunity to do it ever again. So the answer is A, right: explain the risks, provide a detailed mitigation strategy, set clear expectations for monitoring and reassess in six months. Or find more money or find more people. It depends on what the money problem is.
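Questions two, four and seven all land on the same answer: document the exception, list the compensating controls, commit to a time-bound remediation date and reassess periodically. The register below is an added example (not code from the podcast or from CISSP Cyber Training) showing how to track those exceptions so that an undocumented or overdue one cannot quietly become an ignored finding; the field names, the 12-month cap, the 90-day reassessment interval and the sample entries are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class VulnException:
    """One documented exception for a finding that cannot be remediated now.
    Field names and policy thresholds are assumptions for this example."""
    system: str
    finding: str                        # scanner finding id (placeholder values below)
    severity: str                       # "critical" | "high" | "medium" | "low"
    justification: str                  # why it cannot be fixed on the normal schedule
    compensating_controls: List[str]    # what reduces the risk in the meantime
    approved_by: str
    opened: date
    remediation_due: date               # the time-bound commitment made to leadership
    reassess_every_days: int = 90       # assumed reassessment cadence
    last_reassessed: Optional[date] = None

    def is_valid(self) -> Tuple[bool, List[str]]:
        """An exception with no justification, no compensating control or no
        realistic deadline is not an exception, it is an ignored finding."""
        problems: List[str] = []
        if not self.justification.strip():
            problems.append("missing justification")
        if not self.compensating_controls:
            problems.append("no compensating controls documented")
        if self.remediation_due <= self.opened:
            problems.append("remediation date is not in the future")
        if self.remediation_due - self.opened > timedelta(days=365):
            problems.append("remediation window longer than 12 months")
        return (not problems, problems)

    def status(self, today: date) -> str:
        """Classify the exception as it stands on a given day."""
        ok, _ = self.is_valid()
        if not ok:
            return "invalid"
        if today > self.remediation_due:
            return "overdue"
        last = self.last_reassessed or self.opened
        if (today - last).days > self.reassess_every_days:
            return "reassessment-due"
        return "active"


def review_register(register: List[VulnException], today: date) -> Dict[str, List[str]]:
    """Group systems by status so a weekly review shows what needs attention."""
    out: Dict[str, List[str]] = {"invalid": [], "overdue": [], "reassessment-due": [], "active": []}
    for exc in register:
        out[exc.status(today)].append(exc.system)
    return out


# Constructed sample register; system names and finding ids are placeholders.
SAMPLE_REGISTER = [
    VulnException(
        system="legacy-billing-app", finding="EXAMPLE-FINDING-001", severity="high",
        justification="Vendor end of life; upgrade funded for Q3",
        compensating_controls=["isolated network segment", "access limited to billing team", "enhanced logging"],
        approved_by="CISO", opened=date(2024, 12, 1), remediation_due=date(2025, 6, 1),
    ),
    VulnException(
        system="internal-reporting-db", finding="EXAMPLE-FINDING-002", severity="critical",
        justification="Not internet exposed; strong internal controls",
        compensating_controls=[],           # nobody wrote the controls down
        approved_by="IT manager", opened=date(2024, 12, 1), remediation_due=date(2025, 3, 1),
    ),
    VulnException(
        system="old-file-transfer", finding="EXAMPLE-FINDING-003", severity="high",
        justification="Replacement project slipped",
        compensating_controls=["MFA on jump host"],
        approved_by="CISO", opened=date(2024, 6, 1), remediation_due=date(2024, 12, 1),
        last_reassessed=date(2024, 9, 1),   # deadline has passed: must be re-approved or fixed
    ),
]

if __name__ == "__main__":
    for status, systems in review_register(SAMPLE_REGISTER, date(2025, 1, 15)).items():
        print(f"{status:17s} {systems}")
```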
Right, there's always options. You've just got to come up with thinking about what your options are and how you address those options. Question eight. You discover a serious vulnerability in a software product used by thousands of organizations.
The vendor acknowledges the vulnerability but asks you to delay the disclosure so they can patch it in the next release cycle, which is several months away. As a researcher, what is the most ethical course of action? So you're a researcher. A, accept the vendor's request and delay disclosure, understanding the patch will mitigate the issue soon.
B, disclose the vulnerability immediately to the public. Go for it. Ensuring that affected organizations can take action before the vendor releases a fix. Yeah, go for it. Stir that pot. C, wait until the vulnerability is patched, then disclose after all the risks have been eliminated.
Or D, inform the affected organizations directly and privately, allowing them to patch the vulnerability before public disclosure. That's a good one. So you know it's going to affect a lot of people, but you're working with a specific organization that you're aware of.
Maybe contact them directly and say, hey, the patch is in, it's going to get fixed, but you may want to take a look at this right now, and wait until the patch is actually fixed. Now, depending upon disclosure agreements you may have, that may or may not be feasible. You're just going to have to work through that.
That's the legal stuff you've got to work through. Question nine. You are tracking vulnerability trends over the past six months and the number of vulnerabilities flagged in internal systems is decreasing. However, there is no significant decrease in the number of high-severity vulnerabilities. What does this trend most likely indicate?
Okay, so you're tracking vulnerability trends over the past six months; the vulnerabilities flagged in the internal systems are decreasing. However, there's no decrease in the number of high-severity vulnerabilities. What does this likely indicate? A, the organization is improving at addressing low-severity vulnerabilities but is neglecting, neglecting means that they're being bad, high-severity ones.
B, the vulnerability scanning tool is increasingly reporting fewer false positives. C, systems are being decommissioned, leading to fewer vulnerabilities being discovered. Or D, the vulnerability management process is ineffective, get rid of it, and more remediation resources should be allocated.
And the answer is A. Okay, the organization's improving at addressing low-severity vulnerabilities, easy low-hanging fruit, as that analogy is, which is really annoying, but is neglecting high-severity ones. Yeah, these are a lot because there's a lot of talking. So, sorry, these were kind of some good scenario questions that I thought you guys might enjoy.
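Question nine is easy to miss when you only look at the total count. The added example below (not code from the podcast) breaks six months of constructed scan counts down by severity and also computes a risk-weighted backlog, so the "low-hanging fruit only" pattern shows up in numbers rather than gut feel; the monthly figures, the risk weights and the 20 percent threshold are assumptions.

```python
from typing import Dict, List

# Constructed six monthly scans: open findings per severity at each scan.
# Illustrative numbers, not data from the podcast.
MONTHLY_COUNTS: List[Dict[str, int]] = [
    {"critical": 6, "high": 14, "medium": 60, "low": 120},
    {"critical": 6, "high": 15, "medium": 52, "low": 100},
    {"critical": 5, "high": 14, "medium": 45, "low": 85},
    {"critical": 6, "high": 13, "medium": 38, "low": 70},
    {"critical": 5, "high": 14, "medium": 30, "low": 55},
    {"critical": 6, "high": 13, "medium": 25, "low": 40},
]

# Assumed risk weights so that a handful of criticals is not hidden by a pile
# of lows; tune these to your own risk model.
RISK_WEIGHTS = {"critical": 40, "high": 10, "medium": 2, "low": 1}


def pct_change(first: int, last: int) -> float:
    """Percent change from first to last; 0.0 when there was nothing to start with."""
    if first == 0:
        return 0.0
    return (last - first) / first * 100.0


def trend_report(months: List[Dict[str, int]]) -> Dict[str, object]:
    """Compare the first and last scan: raw count change, per-severity change,
    and change in the risk-weighted backlog."""
    first, last = months[0], months[-1]
    per_severity = {sev: pct_change(first[sev], last[sev]) for sev in first}
    weighted_first = sum(RISK_WEIGHTS[sev] * n for sev, n in first.items())
    weighted_last = sum(RISK_WEIGHTS[sev] * n for sev, n in last.items())
    return {
        "total_pct": pct_change(sum(first.values()), sum(last.values())),
        "per_severity": per_severity,
        "weighted_pct": pct_change(weighted_first, weighted_last),
    }


def classify(report: Dict[str, object], significant_drop_pct: float = 20.0) -> str:
    """Name the pattern: did the drop come from high-severity findings or only low ones?"""
    per: Dict[str, float] = report["per_severity"]  # type: ignore[assignment]

    def dropped(sev: str) -> bool:
        return per[sev] <= -significant_drop_pct

    total_down = report["total_pct"] <= -significant_drop_pct  # type: ignore[operator]
    high_down = all(dropped(sev) for sev in ("critical", "high"))
    low_down = all(dropped(sev) for sev in ("medium", "low"))
    if not total_down:
        return "no-improvement"
    if high_down:
        return "broad-improvement"
    if low_down:
        return "low-hanging-fruit-only"   # the Question 9 pattern: answer A
    return "mixed"


if __name__ == "__main__":
    rep = trend_report(MONTHLY_COUNTS)
    print(f"total findings: {rep['total_pct']:.1f}%  risk-weighted: {rep['weighted_pct']:.1f}%")
    for sev, change in rep["per_severity"].items():  # type: ignore[attr-defined]
        print(f"  {sev:9s} {change:+.1f}%")
    print("pattern:", classify(rep))
```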
Question 10. A vulnerability is identified in an application running in a highly complex, dynamic, multi-cloud environment with various service providers. The vulnerability is significant, but patching or mitigating it would require a coordinated effort across several teams, each with different priorities and workflows.
What is the most effective approach to handle this vulnerability? Okay, so it's identified in an application running in highly complex and dynamic multi-cloud environments with various system providers, various service providers. Okay, so it's super complex. What are you going to do?
A, assign a dedicated team to work across all teams to coordinate patching efforts and ensure alignment. B, patch the vulnerability on the most critical system first and defer remediation to the less critical ones. C, immediately escalate the vulnerability to senior management and force a decision, then implement patching as soon as possible.
Or D, ignore the vulnerability on less critical systems and focus resources on systems with the most direct business impact. Okay, a lot of words there. A, assign a dedicated team to work across all teams and coordinate the patching efforts to ensure alignment.
Yes, you want to make sure that you work across all the different groups while you're trying to patch this issue. Again, work with people. Okay, it's the part that cybersecurity people sometimes have a challenge with. You have to have people skills and you have to work with people.
It's pretty much with all IT people. We all kind of struggle with that. Question 11. After conducting a vulnerability scan, you discover that a critical system has a vulnerability that cannot be patched within the required time frame due to operational constraints.
What would be the most effective compensating control to mitigate the risk associated with this unpatched vulnerability? Okay, so you have a vulnerability scan, discover critical systems have a vulnerability that cannot be patched. What should you do?
A, move the affected system to an isolated network segment and restrict access to only essential users. Oh, that sounds really good. B, temporarily disconnect the affected system from the network until a patch can be applied. You can't really do that because it's critical. C, increase logging and monitoring of the system, but do not apply any additional controls.
Okay, well, maybe, maybe not. D, implement additional security tools and monitor for exploit attempts, but leave the system unchanged otherwise. You guys can kind of figure this out through all these questions we've gone through. It's A, move the affected system to an isolated network segment and restrict access to only essential users.
Sometimes you have to do that, especially when you're dealing with stuff that is really old or there's just no good way to patch it. Question 12. A security researcher discovers a critical vulnerability in a popular open source project. Woohoo, open source. The vulnerability is easy to exploit and could cause significant harm if exploited.
However, the researcher is unsure about the legal ramifications of disclosing the vulnerability publicly. What would be the best course of action for the researcher to take? A, disclose the vulnerability publicly without consulting the project maintainers to ensure immediate attention. B, contact the project maintainers privately first to give them the time to fix the problem.
C, seek legal advice or consult with an ethics board to determine whether disclosure is legally or ethically appropriate. Or D, wait until the vulnerability is actively exploited and then disclose publicly to say, aha, see, told you so. No, don't do that one.
That's probably not the best. So the answer is C, yes, seek legal advice and consult with the ethics board if you have one, or somebody in compliance and ethics, to determine whether you should legally or ethically disclose this thing. Now, I will tell you right now, the moment you do this,
unless you have a good plan in place, you ain't going anywhere with it. So my recommendation is, in the meantime, if you have a bunch of researchers or you have developers that may come across vulnerabilities, what you may want to do is get with your legal teams and your compliance and ethics teams now and see what they have to say.
You may come back and they say, you know what, if you start putting this in place, and then all of a sudden, bing, something pops up, it's much easier to flow through than if you try to come to them ad hoc and say, hey, I want you to fix this. They're going to go, no. They're going to go,
well, no, we need to talk to another lawyer and another lawyer and another lawyer and outside counsel and all these other people. And next thing you know, six months later they'll finally come back to you and say, no, we're not going to. But by then they've already been out.
So if you have this in your environment and you are going to be dealing with ethical disclosures, potentially, start talking to your legal teams and compliance teams now. Question 13. A vulnerability in a popular CMS platform is discovered which allows attackers to escalate privileges and access sensitive data.
You're debating whether to use a full disclosure model or a responsible disclosure model. What is the primary risk associated with using full disclosure in this scenario? So again, what's the risk for doing full disclosure of what's going on? A, full disclosure will delay the patching process because the vendor will spend too much time addressing the public disclosure.
B, full disclosure will ensure a quicker patch process as vendors will be forced to respond quickly. C, full disclosure will minimize the risk of exploitation by providing public guidance on how to protect against the vulnerability.
Or D, full disclosure will allow attackers to exploit the vulnerability before the vendor can provide a fix, increasing the risk for users, or to users, I should say. And the answer is D, full disclosure will allow attackers to exploit the vulnerability before the vendor can provide a fix, increasing the risk to users. Yes, by doing that,
you also potentially open yourself up to legal challenges. Yes, you could get sued. Question 14. A vulnerability scanner reports a high-severity vulnerability in a system that was recently updated.
However, a patch was applied to fix this issue and the vulnerability should have been resolved. Upon investigating further, you find that the scanner flagged the vulnerability due to incorrect version detection. What is the most appropriate course of action for this scenario? Okay, so we've got incorrect version detection. All right, what do you do?
How do we fix this issue? A, continue with the patching process to ensure the vulnerability is fully mitigated. B, ignore the scanner results since the patch was applied and the system is now secure. C, manually verify the patch status on all affected systems to ensure that there's compliance and update the scanner's configuration. Or
D, notify management of the false positives and wait for a new scanner version to address the issue. Okay, so what are you going to do? What is the most appropriate course of action? It is C, manually verify the patch status on all affected systems to ensure compliance and update the scanner's configuration. Last one, question 15.
What are we going to do here? Okay, the word salad is almost over. Okay, question 15. An organization's senior leadership is concerned that the cost of patching critical vulnerabilities in a legacy system is much too high and is delaying business projects because of it.
Okay, so it costs too much money and you're delaying my projects because you want to keep patching stuff. How can the security team effectively communicate the long-term risks associated with not addressing the vulnerabilities? So you've got to express the risk of not addressing the vulnerabilities without undermining business objectives.
So the business still has to make money. So security people still have to make money. You can't just shut everything down. What are you going to do? All right. So, A, emphasize the potential financial loss in the event of a breach, even though no breaches have occurred. I think that's an important part. That's not the answer, but it's important.
B, present a risk management approach that balances the cost of remediation with the potential impact of an exploit. Aha, that sounds much better. C, advise leadership to delay remediation indefinitely to avoid disruption, suggesting that vulnerabilities are a low priority. That's not the right answer.
And then D, suggest vulnerabilities be patched only if they are exploited in a cyber attack. Yeah, that's kind of an after-the-fact thing, which probably isn't the right answer either. So A could be close, right? Okay, even if you're emphasizing potential impact.
But where it really comes to be better is you present a risk management approach, based on risk, that balances the cost of remediation with the potential impact of an exploit. So again, you've got to put all the numbers in front of the senior leaders. Help them make a decision the right way. If you do that, then your odds of success go up dramatically.
It doesn't mean it's going to happen, but your chances of success go up substantially. So, again, that is all of the questions for today. Again, go to cisspcybertraining.com and you can get access to all of these questions, all of the content that I've been putting out there for many, many years now.
It's all available to you to help you study for and pass the CISSP exam. So we're pretty excited about that.
Also, if you are looking for any sort of cybersecurity assistance, because I know that a lot of the folks that listen to this podcast are, in many cases, senior folks that are looking for some sort of cybersecurity piece, go to Reduce Cyber Risk and you can get access to any sort of assistance that you may need to help you with your organization from a reduce-cyber-risk standpoint. I've got consultants that can help you. All right, that is all I have for you today. I hope you guys have a wonderful, wonderful day and we will catch you all on the flip side. See ya.