
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 227: Navigating Domain 1: CISSP Question Thursday Deep Dive
A seemingly simple company restructuring at Eaton triggered a devastating cybersecurity incident when software developer Davis Liu planted a logic bomb on their systems after learning his responsibilities would be reduced. This cautionary tale kicks off our deep dive into CISSP Domain 1 concepts, showing exactly why understanding security governance and risk management principles matters in real-world scenarios.
The logic bomb—crafted in Java code to create infinite loops crashing servers—activated upon Liu's termination, causing global disruption and hundreds of thousands of dollars in damage. Now facing up to 10 years in prison, Liu's poor decision perfectly illustrates why organizations must implement robust controls against insider threats.
Through a series of challenging Domain 1 practice questions, we explore how access controls serve as critical technical safeguards for data privacy, and why establishing risk management programs that incorporate legal, regulatory, and industry standards forms the foundation for aligning security with business objectives. We also tackle the complexities of regulatory compliance across healthcare, financial services, and multinational organizations, emphasizing the value of centralized data protection offices and contractual safeguards for cloud services.
The episode provides practical guidance for security professionals facing common challenges: how to handle budget constraints when addressing high-risk vulnerabilities (prioritize based on business impact), what makes ISO 31000 valuable as a risk management framework (its focus on integrating risk into business processes), and why executive sponsorship represents the most important factor for successful security governance implementation.
For CISSP candidates, we clarify essential concepts including the purpose of information security policies (establishing management's intent), the principle most likely to determine liability after a breach (due care), and the most effective controls against insider threats (least privilege combined with activity monitoring).
Ready to accelerate your CISSP preparation? Visit cissp-cyber-training.com for comprehensive training materials, practice questions, and mentorship options tailored to your certification journey.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.
Speaker 2: Hey all, Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday, so, yeah, awesome stuff is coming to you today around domain one of the CISSP exam. But before we do, we have an article I wanted to bring to your attention, and this is something that everybody out there, we talk about in the CISSP all the time, is around insider threat issues, and this is no different. So this is an article from Bitdefender and it's about a man who was found guilty of planting an infinite loop logic bomb on an ex-employer's system. So who is this person? It's Davis Liu, and Davis Liu is a 55-year-old software developer from Houston, Texas. Well, yeah, he's my age, guess what?
Speaker 2: He decided to get a little bit frisky and decided to do something that he probably shouldn't have done, and now he's going to spend some time breaking big rocks into little rocks, unfortunately. So he worked at Eaton from 2007 to 2019, and he was facing reduced responsibilities due to the company restructuring, right? Downsizing, doing whatever they do in that regard, and because of that, he decided to plant a logic bomb. It was basically created out of Java code and it was designed to do infinite loops, basically crashing the servers and making them unresponsive. Okay, so that was the end of it. He implemented a kill switch that locked out all users if his access was ever removed. So this is something that could be very possible and, to be honest, I have seen this happen. I have witnessed it specifically, personally, where an employee who is not happy with what happened decided to go out and drop a logic bomb on a network. Bad, bad, bad, bad, bad. Well, what ended up happening is this was activated upon his termination on September 9th, and then it went out and caused all kinds of pandemonium and chaos with Eaton employees globally. So it cost them hundreds of thousands of dollars, is what they're saying, to fix this issue, and you know that was just a bad idea. So now he pleaded guilty to doing it and he's probably going to face up to a maximum of 10 years in prison because of it. So, because he made a poor choice and didn't like the fact that he was getting let go, he's now going to spend 10 years in prison, plus all the money that was spent, probably, trying to defend himself. It was just a really bad choice. So, Mr. Liu, I hate to tell you this, that was a bad idea, and if you're someone out there that is dealing with this, don't do it, just say no.
Speaker 2: But as cybersecurity professionals, you realize that understanding what is happening within your environment and your network is an important factor, and understanding who these people are that could potentially be doing that to your network is also important as well. So you need to make sure you have good processes in place to manage your employees, to keep them from doing these kinds of things, or at least, if they do, it's kind of hard to keep them from doing it. In some cases, you have processes to mitigate the risk if it were to happen within your organization. Again, you're not going to stop everything, and your ultimate goal is to create some way to mitigate and manage the situation when it occurs.
Speaker 2: Okay, let's go ahead and get started on what we're going to talk about today in today's CISSP questions over domain one. Okay, so here are the questions we're going to be getting into today. Again, you can get all of these questions at cisspcybertraining.com. You can get all of them. They're all available to you. I've got hundreds of questions that are available to help you with your CISSP, as well as I have all the training available to you as well. So you can get all this training for a small fee. You can get access to everything that I have. Or, if you want, you can just listen to the podcast and have all the access you need as well. But, bottom line, if you want to have everything there and if you're getting ready for your CISSP and you need that stuff now, just go ahead and head on over to CISSP Cyber Training, and there's all kinds of content that you can have that's free and available for purchase.
Speaker 2: Okay, so question, let's get started on question one. Which of the following is an example of a technical safeguard for protecting data privacy? A, access controls; B, security awareness training; C, incident response planning; or D, background checks. Again, which of the following is a technical safeguard for protecting data privacy? And the answer is A, access controls. Access controls, again, are a safeguard that can be used to protect your data privacy. They also can be put in place to limit access to sensitive data and so forth. So access controls are an important part of any security professional's knowledge and anything you put in place.
Speaker 2: Question two. The newly hired CISO wants to implement a governance framework that ensures security aligns with business objectives and compliance requirements. Okay, so you got business objectives, you got a framework, you got compliance requirements. What is the best approach to start this overall process? A, develop security policies and procedures independently of the business processes. B, implement security controls first to protect the critical assets and then reduce the risk exposure. C, assign security responsibilities to IT and allow them to define the governance controls. Or D, establish a risk management program that incorporates legal, regulatory and industrial standards. Yeah, so you're trying to incorporate everybody. So what should you do? You should do D, establish a risk management program that incorporates legal, regulatory and industry standards. Industry, not industrial. Industry standards, right? So this will help with your business risk. This helps develop security policies. You then will be able to ensure that your security efforts are meeting the strategic goals of the organization. It's an important part. So you want to make sure that you establish a risk management program incorporating legal and regulatory options, right?
Speaker 2: Question three. A financial institution is facing increasing threats from advanced persistent threats, otherwise known as APTs. The board of directors asked the security team to ensure compliance with regulations while also improving resilience. What should be the first step in addressing this request? A, implement threat intelligence feeds to track APT activities. B, conduct a business impact analysis to assess the critical operations. C, deploy an intrusion detection and prevention system to monitor the threats. Or D, establish a cybersecurity governance framework based on regulatory requirements. Again, a financial institution is facing increasing threats from APTs. The board of directors asked the security team to ensure compliance with regulations while improving resilience. Okay, so they want you to have compliance while doing resilience. What should be the first step? And it's D, establish a security governance framework based on regulatory requirements. Again, understanding the regulatory requirements for your organization, especially as a financial institution, would fall around GLBA, NYDFS again, or PCI DSS. Any of those nice acronym soup will help you with your overall plan.
Speaker 2: Next question. During the security reviews, a global organization identifies that different business units interpret security policies differently. Imagine that. This inconsistency increases the risk of noncompliance. What should the CISO do first? Okay, again, during the security review, a global organization identifies that different business units interpret security policies differently. Whoa there, they don't understand it. This inconsistency increases the risk of non-compliance. What should the CISO do first? A, conduct a gap analysis to determine inconsistencies in the policy. B, perform a single policy framework across all business units. C, implement centralized controls to override regional policies. Or D, assign security responsibility to individual business units. So this is a tough one, right? So you could have a single policy framework across all your business units. But the answer, actually the correct answer, more correct, I should say, is A, conduct a gap analysis to determine the inconsistencies in your security policy implementation. What does that really mean? You go and talk to people and find out what are they missing on this whole thing, and then you modify your security policy so that everybody is in alignment. That's the ultimate goal, all right.
Speaker 2: Next question. The healthcare organization processes large amounts of personal health information. A recent third-party audit found that the organization lacks a formalized security risk assessment process. What is the greatest risk of not having this process in place? So again, they have PHI and they don't have a formalized security risk assessment process. A, inability to respond to security incidents in a timely manner. B, non-compliance with regulatory frameworks such as HIPAA. C, ineffective deployment of security technologies. Or D, increased risk of insider threats. And the greatest risk of not having this process in place is B, non-compliance with regulatory frameworks, right? So if you don't do a risk assessment, does everything shut down? No. Now, will it have gaps? Yes, but in reality, if you don't do the risk assessment because it's mandated, you now are in the situation where you become noncompliant with regulatory frameworks, and then that gets real ugly and sticky and just nasty. So you don't want that. You want to be compliant, and you want to do everything you can to stay and be compliant.
Speaker 2: Next question. A multinational organization is required to comply with multiple data privacy regulations across different regions. What is the most effective approach to ensuring compliance, again, across data privacy across multiple regions? A, establish a centralized data protection office to oversee compliance across all jurisdictions. B, implement the strictest regional regulation globally to cover all compliance requirements. Basically, be as tight as you can. C, allow each region to define its own privacy policies based on local laws. Or D, adopt a unified data classification model that applies equally to all business units. And the answer is A, establish a centralized data protection office to oversee compliance across all jurisdictions. You'll get this, especially when you come into the EU, but, depending on the jurisdiction, you may have to have multiple DPOs put in place, depending upon the data privacy requirements of that location.
Speaker 2: Next question. A company relies heavily on cloud services and is concerned about regulatory compliance and data sovereignty. What is the best way to address these concerns? A, ensure that the cloud provider is ISO 27001 certified. B, encrypt all data before storing it in the cloud. C, require contractual clauses that guarantee data storage within required jurisdictions. Or D, conduct regular penetration testing on cloud environments. So, again, a company relies heavily on cloud services and is concerned about regulatory compliance and data sovereignty. Big thing to be concerned about. What is the best way to address these concerns? And the answer is C, require contractual clauses that guarantee data storage within the required jurisdictions. Again, you want to have it in language, on paper. You want to have some sort of contractual aspects around it, because you're being held legally liable for it. So you want to make sure that your contracts equate to that as well.
Speaker 2: Ran into this multiple times as a CISO. You just, you want to, you got to make sure you cross the T's and dot the I's. If you don't know what that means, just make sure it's right. That's the bottom line.
Speaker 2: A company is considering adopting a risk management framework. The CISO suggests aligning to ISO 31000. What is the primary reason for selecting this specific framework? Again, there are companies looking to have a risk management framework put in place. The CISO is looking at ISO 31000. What is the primary reason for why that person wants that framework? A, it provides detailed technical security controls for mitigating risks. B, it ensures compliance with international cybersecurity regulations. C, it focuses on risk governance and integrating risk management into business processes. Or D, it eliminates the need for other risk management methodologies. And the answer is C, it focuses on risk governance and integrating risk management into the overall business processes. Right, so that's the ultimate point. It has risk management, it aligns your governance and your business strategy, and it provides a structured approach to risk assessment, treatment and monitoring. Lots of big words, but it works pretty good.
Speaker 2: Next question. The cybersecurity team is tasked with assessing risks related to third-party vendors. What is the most effective method for identifying potential risks? Again, the team is tasked with assessing risks of third-party vendors. What is the most effective method for identifying potential risks? A, conduct vulnerability scans on vendor systems. B, require vendors to comply with ISO 27001. C, implement multi-factor authentication for vendor access. Or D, perform a third-party risk assessment and review contractual agreements. The most effective method for identifying potential risks is D, perform a third-party risk assessment and look at the contracts to make sure that everything is matching up. That's it, right, and ensure security expectations are documented. It also evaluates the financial, operational and compliance risks that are associated with it. Or they can be the opposite of savior, right, the devil, right, I guess that's what it is. So you want to make sure that you take care of your third-party vendors and that you have good due diligence around them.
Speaker 2: Next question. A company is implementing an enterprise risk management, or ERM, program. What is the primary benefit of ERM over traditional IT risk management? So a company is implementing an enterprise risk management program. What is the primary benefit of ERM over traditional IT risk management? A, it focuses exclusively on IT-related risks. B, it eliminates the need for compliance monitoring. C, it only applies to financial risk assessments. Or D, it aligns risk management with organizational objectives and strategy. So, again, implementing an enterprise risk program, what is the primary benefit of ERM over traditional IT risk management? And the answer is D, it aligns risk management with organizational objectives and strategy. That is it, right. So when you do ERM, it's focusing on what is the overall business approach, the holistic, the air quotes, I like these big $10 words that people use, holistic approach, right, by understanding financial, operational, strategic and IT risk, not just IT, and also aligning risk with business goals, and then also enabling risk-informed decision-making. That's the goal of an ERM version, versus just standard IT risk management.
Speaker 2: Next question. The security officer is tasked with ensuring that the organization adheres to legal and regulatory requirements regarding data retention. What is the first step in this overall process? Okay, so, basically, the security officer is tasked with ensuring the organization adheres to legal and regulatory requirements regarding data retention. What is the best one? A, identify applicable data retention laws and regulations. B, implement an automated data archiving solution. C, encrypt all stored data to reduce compliance risks. Or D, define an internal data classification schema. And the answer is A, you guessed it, identify applicable data retention laws and regulations. It's pretty hard to protect something if you don't really know the laws, so you really need to understand. If you're going to try to adhere to the legal and regulatory requirements, you need to understand the applicable data laws and regulations that are associated with it. So again, you got it. We talk about this in CISSP Cyber Training multiple times, is that you, as a cybersecurity professional, will become the expert in your organization. Obviously, you have others that are very smart and they will do their thing, but you're going to have to come together and coalesce everything so that you can understand and give the best knowledge and direction to your organization.
Speaker 2: Next question. A new risk assessment process identifies several high-risk vulnerabilities that require mitigation. However, the IT budget is constrained. Oh no. What should the security team do first? Again, a new risk assessment process identifies several high-risk vulnerabilities that require mitigation now, but the IT budget doesn't have any money. What should you do? A, prioritize the remediation based on business impact. B, request additional funding from senior management. Not a bad idea, but might not work. C, implement compensating controls for all vulnerabilities. Or D, focus on fixing only the easiest vulnerabilities first. So I'd say C could be an option, right, could be, but the answer is A, prioritize remediation based on business impact, right. So you're going to have to figure out what you have to fix and then, based on the impact to your organization, that is what you want to do. The one around all vulnerabilities, the key word is all: you implement compensating controls for all vulnerabilities. Now you got to focus on risk and business impact. So, as a professional, that is what you need to be doing.
Speaker 2: Next question. An organization wants to strengthen its information security governance model. What is the most important factor for success? Again, what is the most important factor for success around strengthening your security governance model? A, implementing strict access control measures. B, obtaining executive sponsorship and support. C, conducting frequent vulnerability scans. Or D, hiring more security personnel. Again, what's the most important factor for the success when you're related to the information security governance model? B, obtaining executive sponsorship and support. Without the boss's support, you're not going anywhere, or you're going to have limited effectiveness. So you need to make sure that you integrate security into your business decisions, secure necessary funding, and you drive organizational culture. They will help you do that.
Speaker 2: Next question. A company has detected an increased insider risk, or insider threats. Which security measure is most effective in reducing this risk? A company has detected an increase in the insider threat. Which security measure is most effective in reducing this risk? A, implementing intrusion detection systems, IDSs. B, conducting local or social engineering tests on employees. Yes, stick them to an electric chair and then turn it on and see what happens. No, don't do that, that's a bad idea. C, deploying firewalls to limit access. Or D, enforcing least privilege and user activity monitoring. And the answer is D, enforcing least privilege and user activity monitoring. Right. Least privilege by limiting access to only what is necessary, and then monitor what they do. That way, you've got them and you know what's going on.
Speaker 2: Next question. A company is sued for negligence after a data breach. Yeah, that's probably going to happen pretty much anytime you get one. Which legal principle will most likely determine a company's liability? A, due care; B, due diligence; C, privacy by design; or D, non-repudiation. Or it could be to tell, no, not to care. What is it? No. Okay? So, when it comes right down to it, the negligence for a data breach, what is the most likely determinant of the company, if they're liable? It is A, due care. Due care refers to acting responsibly to prevent foreseeable harm. So if you fail to do this right, you don't follow best practices, you don't do reasonable security controls, you don't use things to protect the customer data, yeah, you're probably going to be hung out to dry. So you want to make sure that you do those things. At the end of all this, you probably still will be hung out to dry, but at least, at a minimum, you have done your due care around this.
Speaker 2: Next question. Which of the following is a primary purpose of an information security policy? Again, which of the following is a primary purpose of an information security policy? A, to define security best practices for employees. B, to enforce compliance with technical security controls. C, to establish management's intent on security expectations. Or D, to protect against all cyber threats. Again, which of the following is the primary purpose of an information security policy? The answer is C, to establish management's intent and the security expectations. That's the point of the policy. This is what we're going to do and this is what you should be expected to do. Right, leadership supports the efforts, employees understand the responsibilities, and then policies align with legal and compliance needs. Everybody's in alignment, everybody's rowing the boat in the same direction. Basically, it means you are not allowed to take company stuff home on a thumb drive, period.
Speaker 2: Dot. Have a nice day. Don't stop at Go, get your $200. I probably said that totally wrong, but it doesn't matter. That was the last question. So guess what, that's it. I hope you all have a wonderful day.
Speaker 2: You know, go to CISSP Cyber Training, catch what we've got there. We've got some great stuff. I mean it, totally mean it. There's some really good content that's out there. We got three different tiers for you to purchase. If you want to get access to all my content, if you're getting ready for it, you can get the first tier, the bronze tier. That gives you all of my content, gives you access to all my questions. It is by far the most economical way to do this.
Speaker 2: If you need some mentorship and you need some guidance and you need a little bit of help as far as when you pass the CISSP, you need somebody to help you sign off on all that, the next tier is the next best alternative, and that will get you some direct time with me as well as you get all the content.
Speaker 2: If you do feel that you need some cybersecurity mentorship, as well as some potential advice around security concepts, you can go with the third tier, and the third tier is an option that I use especially for individuals who may need a CISO for some help also, and they're looking for some more dedicated study time that is specifically with me to help you do that. So, again, there's three tiers for you at CISSP Cyber Training, or, if you want the free tier, just keep listening to the podcast and go there and get all the content that I put out there on my blog. So again, all of it's there and available to you. Just go to CISSP Cyber Training. Hope you all have a wonderful, wonderful day, and we will catch you all on the flip side. See ya.