
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 235: Practice CISSP Questions - Mastering Security Control Testing (CISSP Domain 6.2)
The collision of artificial intelligence and cybersecurity takes center stage in this episode as we explore how Agentic AI is revolutionizing Security Operations Centers. Moving beyond simple assistant AI or co-pilots, this new generation of autonomous systems proactively investigates alerts, follows structured playbooks, and performs triage at scale—potentially liberating human analysts from the crushing weight of alert fatigue.
For security professionals and organizations struggling with overwhelming SOC alert volumes, this technological advancement offers a glimpse into a future where human expertise can be directed toward high-value analysis while routine investigations happen autonomously. The potential efficiency gains are substantial, though implementation requires careful consideration and perhaps starting with a proof of concept.
Following this forward-looking discussion, we dive deep into CISSP domain 6.2 with fifteen targeted questions covering essential security testing methodologies. From misuse case testing and manual code review to vulnerability assessments and penetration testing, we examine the strengths and limitations of each approach. Learn why manual code review remains superior for detecting race conditions, how behavioral anomaly detection outperforms other methods for identifying lateral movement, and the critical distinctions between various testing approaches.
Whether you're preparing for the CISSP exam or looking to strengthen your organization's security posture, this episode delivers practical insights into both emerging technologies and fundamental security testing principles. Join us to enhance your understanding of how these methodologies can be effectively deployed to protect critical systems and data in increasingly complex environments.
Visit CISSP Cyber Training today to access free practice questions, additional resources, or comprehensive training materials to support your cybersecurity journey.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.
Speaker 2: All right, let's get started. Good morning everybody. It's Shon Gerber with CISSP Cyber Training and I hope you all are having a beautiful, blessed day today. Today is CISSP Question Thursday. So, yes, we're excited about getting into the CISSP questions related to 6.2 of the ISC² CISSP exam. So today that's what we're going to be talking about.
Speaker 2: But before we do, yes, we always have an article about something that I kind of pick up out of the news. That was kind of just my trigger: I saw something that was very interesting as it relates to AI in the SOC, or Security Operations Center. This is actually an interesting article. Now, it's not really an article, it's more of a sales pitch, but this is where I see things going as it relates to AI and its capabilities. This comes out of The Hacker News and it's called "Agentic AI in the SOC: Dawn of Autonomous Alert Triage." Now, if you all have dealt with a SOC, and we talk about this on CISSP Cyber Training quite a bit, when you're dealing with your overall security operations center, one of the things many SOCs struggle with is the overall triaging of alerts that are coming in. There are so many alerts and they don't know how to deal with them. They have analysts that are looking at these alerts, trying to go through each individual one, and a lot of them are obviously either false positives or just overwhelmingly garbage, honestly, and so they really struggle with the alert volumes and what they should do.
Speaker 2: And this is where we all have been thinking about this, that AI is going to be able to revolutionize things in so many different ways. Well, this product from Agentic that they have out is basically going to do a lot of the things that a Tier 1 analyst would do. So, one of the aspects that comes in when you're dealing with AI is the assistant AI, a.k.a. co-pilots, right? So your Microsoft Copilot and so forth. The difference that they are talking about with their agentic AI is that it is separate from what you would do with a co-pilot. A co-pilot, or a traditional AI, would be a powerful assistant, right? It's something there to help you with different contexts, concepts and so forth, and those are really smart, obviously, in helping you and giving you direction on which way to go, but they don't proactively investigate, and I think that's the one aspect of a SOC.
Speaker 2: If you can get something that will proactively investigate Tier 1 alerts, that is going to dramatically reduce the amount of overhead that your SOC analysts are going to have to go through. Now it's nice to have Tier 1 alerts to train your SOC folks on and to kind of have a training plan to give them some understanding of what occurs. But if you have to put everything through your Tier 1, they get overwhelmed. They get to the point where they just can't do it and they don't want to do it. So the best thing to do is to try to figure out ways to automate this overall process. So they have this scenario out there where they're talking about potential malware and they have the assistant AI versus the agentic AI. The assistant AI will wait for the prompt from the analyst to start doing queries and then it'll leave the investigation decision up to the human, whereas the agentic AI will proactively initiate this and begin the complete investigation, which includes investigating logs, correlating events and so forth.
Speaker 2: Now I'm not saying that Agentic is the one that you all need to go with. I'm just saying that what it's coming down to is this is where I see a really good nexus of the use of cybersecurity and AI in the security operations center, because it's going to give that level of autonomy that you really truly need to be able to save your people's time and energy and then focus the humans on the areas that are more high value for the overall organization. So the part that they talk about is instant triage at scale. That is huge. It really truly is, if it works the way they say it does. They have basic enrichment from playbook automation. It'll conduct structured investigations, so it follows that overall path that you have set up. Now the interesting part about playbooks is, if you can get real granular with them and if this thing will be able to utilize that deep level of knowledge, it really could be a potential game changer. So I don't know, we'll see how that plays out. If you are interested in a Security Operations Center autonomous AI piece, you may want to go check out Agentic AI and see what they have out there, if it's something that you might possibly be interested in. Otherwise, you know what? I would just start keeping your eyes open for this, especially if you are leading and managing a SOC. It is something that you may want to consider in the future, and maybe just do a proof of concept around it.
Speaker 2: So, all right, let's move on to the questions for today. Okay, so, as I mentioned earlier, this is over domain 6.2 of the ISC² CISSP certification. You can go to CISSP Cyber Training and get access to all of these questions. Every one of them is available to you if you just go and purchase the CISSP training that's available for it. And, I mean seriously, you can get access to all of these questions and you can go through them over and over and over again, and on top of that you have the corresponding video and audio that goes with it as well. So if you are studying for your CISSP, I don't see how you can't go to CISSP Cyber Training and not see the content and be able to utilize it in a way that can help you pass this thing the first time. So, again, you can go and get the free stuff that's there and available and take it at your own leisure. It's not a big deal, but it's all available to you at CISSP Cyber Training.
Speaker 2: Question 1. Which of the following best describes the goal of misuse case testing? A. To validate that all legitimate use cases are successfully implemented. B. To identify business logic flaws from the threat actor's perspective. C. To measure the effectiveness of incident response procedures. Or D. To determine if the system complies with legal and regulatory requirements. So again, what best describes the goal of misuse case testing? Now understand misuse case testing. What does it do? It involves modeling how a system might be exploited by a malicious actor. That's the goal, and the goal is to look for any unintended consequences or potential vulnerabilities that may come up from the legitimate use of the functionality around this specific system. So the answer would be B, identify business logic flaws from the threat actor's perspective.
Speaker 2: Question 2. Which testing method is most likely to uncover race condition vulnerabilities in an application? Which testing method is most likely to uncover race condition vulnerabilities in an application? A. Static code analysis. B. Fuzz testing. C. Manual code review. Or D. Dynamic application security testing, otherwise known as DAST. So again, which testing method is most likely to uncover race condition vulnerabilities in an application? And the answer is C, manual code review. So now, a race condition will occur when there are two or more operations that execute out of sequence or potentially even in parallel, leading to outcomes that you're not really planning for, such as two users withdrawing the same funds if you're at a banking site, and something like that. So you want to look for what the different aspects are, and this is where the manual code review would come in, where humans are looking at this and they're looking at the overall logical path behind it. Now I would highly recommend that you have that. I didn't always have the ability to do manual code review. We had automated code review done and then, at the end, we would have individuals look at the actual code itself before it was actually pushed to production. So you have to decide which is best for you and your organization. At the end of the day, manual code review is a way that you can determine and find the potential race condition that may occur.
Speaker 2: Question 3. Which of the following is a limitation of using automated vulnerability scanning tools in a production environment? So again, which of the following is a limitation of using automated vulnerability scanning tools in a production environment? A. They may disrupt system availability. B. They generate too many false negatives. C. They lack the ability to simulate attacker behavior. Or D. They do not support multi-platform environments. So again, automated vulnerability scanning: what could be one of the issues you run into in a production environment? And the answer is A, they may disrupt system availability. Yes, and I have dealt with this myself. Anytime you're doing scans inside your network, you may want to be very careful about doing that. It can cause a lot of challenges within your organization, from system crashes to resource exhaustion, all kinds of different things that can happen, and you want to make sure that if you are doing scans in your network, you're telling somebody about it so that they don't think you're being attacked.
Speaker 2: Question 4. Which of the following best characterizes the purpose of test coverage analysis in a security testing process? Again, which of the following best characterizes the purpose of test coverage analysis in a security testing process? A. To determine how much code has been written. B. To identify obsolete code functions. C. To measure compliance with coding standards. Or D. To evaluate which portions of code were exercised during testing. Again, which of the following best characterizes the purpose of test coverage analysis? And the answer is D, to evaluate which portions of the code were executed or exercised during the testing, right. So test coverage analysis quantifies how much of the application code is being tested during the run. This includes functions, statements, and basically your branch or your path, which way it's going. All of those different areas are tested during the overall security testing process.
Speaker 2: Question 5. Which of the following is the most appropriate technique for validating the effectiveness of layered security controls over time? A. Static code review. B. Continuous monitoring. C. Annual compliance audits. Or D. Red team testing. Again, which of the following is the most appropriate technique for validating the effectiveness of layered security controls over time? And the answer is B, continuous monitoring. Right, so monitoring is a key concept when you're looking at any sort of concept that is dealing with code reviews. You want to constantly be looking at it and making sure that you have real-time or near real-time risk postures set up. This includes your network activity logs, firewall logs, alerts. All of those things need to be monitored on a real-time or near real-time basis. Again, that's the most appropriate approach for layered security controls, when you're doing something similar to that. Again, when you're dealing with logs, logs are an important part, but they can be overwhelming, so you need to make sure that you have a good strategic plan related to logs. Don't just throw logs into your SIEM and hope and pray that everything works.
Speaker 2: Question 6. When conducting an internal security assessment, which method would best assess the effectiveness of role-based access controls? So, when conducting an internal security assessment, which method would assess the effectiveness of role-based access controls? A. Code review. B. Policy audit. C. Access control matrix review. Or D. Configuration baseline comparison. So, when conducting an internal security assessment, which method would best assess the effectiveness of role-based access controls? And the answer is C, access control matrix review, right? So if you're looking at your access control matrix, it basically maps users, roles and resources all together and this allows for read, write, delete and so forth. And you want to look that over. That would allow an assessor, or someone that's a regulator coming in, to verify that the permissions align with the job function, detect privilege creep, and identify excessive or missing permissions. All of those things would be done in this matrix.
Speaker 2: Now you might be going, oh my gosh, this is just documentation for the sake of documentation. It is and it isn't. Having the documentation demonstrates that you have thought through this process and you understand the process. So, yes, you may have paper sitting on shelves and go, it's not being used. I get it, but it's important that you go through these processes and you understand these various controls. Now it could be done in something as simple as a spreadsheet, or it could be more complex, in an actual application such as SailPoint, but you want to have the ability to understand the various levels of controls within your organization and the various levels of roles within your organization.
Speaker 2: Question 7. Which of the following security testing techniques is least likely to detect business logic flaws? So which of the following security testing techniques is least likely to detect business logic flaws? A. Static code analysis. B. Manual testing. C. Red team engagements. Or D. Threat modeling. So, again, which of the following security testing techniques is least likely to detect business logic flaws? And the answer is A, static code analysis, right. This scans the source code, or the different codes, without executing it, looking for known patterns and security weaknesses, right. However, it's rule-based and it doesn't understand the intent or context or business logic associated with it. So it's just static, right? So the why behind it: this is where you may run into some actual business logic flaws that may occur, because you may not be able to understand exactly what it's looking for. One example is that if you're returning money to a different account other than the one that paid, this may require some level of contextual understanding that the static tools just can't provide. So static code analysis is the least likely to detect business logic flaws.
Speaker 2: Question 8. Which of the following is a primary objective of a security assessment report? A. To communicate risk findings to stakeholders. B. To prove the value of the security team. C. To identify root causes of user behavior. Or D. To evaluate end user satisfaction with the controls. Again, which of the following is a primary objective of a security assessment report? And it is A, to communicate risk findings to the stakeholders. You generate a report. You want to have the ability to understand the risk and pass that on to the stakeholders, which is usually your board, your senior leadership. They need to understand what's going on, and these reports typically are of a non-technical nature. They provide kind of an overview of what's happening. Now you may want to provide some level of context to the report that you provide them rather than just pushing a button and having something burp out a report. But it's imperative to know who this is going to go to. It's going to go to the stakeholders.
Speaker 2: Question 9. In the context of penetration testing, what is the primary purpose of the rules of engagement, ROE? So you're dealing with penetration testing. What is the primary purpose of having ROE? A. To determine the qualifications of the testing team. B. To define the compensation for the ethical hackers. C. To outline legal restrictions and test boundaries. Or D. To establish ownership of discovered vulnerabilities. The answer is C, to outline the legal restrictions and test boundaries. ROE is important because it determines scope, timeframes, tools, techniques. All of those things are an important part of this and you want to define that, especially if you're doing a pen test. Things can go sideways very quickly during a pen test if you have not properly defined your ROE.
Speaker 2: Question 10. Which of the following best demonstrates due care in conducting security assessments? So which of the following best demonstrates due care in conducting security assessments? A. Using open source scanning tools. B. Limiting scans to non-production systems. C. Obfuscating test results to avoid panic. Or D. Documenting and reviewing the test procedures. So which of the following best demonstrates due care in conducting security assessments? And it is D, documenting and reviewing test procedures. So due care refers to what? Your actions, what you're doing, that you take to demonstrate responsible behavior and adherence to expected standards in managing risk. They want to make sure you know what you're doing. So if you document and review test procedures, you're showing that you're exercising due care. Again, documentation is important. I've dealt with people over and over again saying, well, that's not a value. It's not a value to me. It isn't necessarily a value to you in some cases, but it's a value to others. Documentation is an important piece, and having documentation will make your organization and your systems much more mature, and that's what you're obviously looking for.
Speaker 2: Question 11. Which of the following would be most likely to be identified during a static application security test, SAST, but not during a dynamic application security test? So what's most likely to be identified during a static application security test versus a dynamic application security test? A. Input validation bypass. B. SQL injection vulnerabilities. C. Insecure cryptographic function usage. Or D. Session management flaws. Okay, so if you looked at all four of those, A and B for sure would be found under dynamic testing. So that would happen, but what you're most likely to find during static application security testing would be C, right, your cryptographic functions. This will look specifically at your source code or compiled binaries and then it scans for any unsafe coding patterns. And in there you will see if there's a wrong cryptographic function potentially, and that's where it would be identified. That's how the SAST would most likely look for it, whereas if you deal with DAST, DAST is a black box approach which looks at runtime behavior. So it's not set up to look for a specific hash that might be inappropriate at that time. So just something to consider with that.
Speaker 2: Question 12. An organization wants to simulate an attack from a nation state actor to test its detection and response capabilities. Good on them. Which is the most appropriate testing method? A. Red team engagement. B. Blue team exercise. C. Threat hunting. Or D. Security audit. So you're trying to look at a nation state actor and testing whether somebody from a nation state was trying to get in. What would you do? And the answer is A, red team engagement. I did this for years. Red teams deal with advanced tactics, techniques and procedures and they are focused on how the adversary goes. These are the ones that you would hire if somebody does penetration testing. And yeah, it's good, it's fun, it's exciting.
Speaker 2: Question 13. Which of the following best describes the difference between vulnerability assessments and penetration testing? Again, which of the following best describes the difference between vulnerability assessments and penetration testing? A. Vulnerability assessments are performed manually; penetration tests are automated. B. Vulnerability assessments identify and exploit weaknesses; penetration tests only identify them. C. Vulnerability assessments are focused only on web applications; penetration tests target infrastructure. Or D. Vulnerability assessments are broader in scope and typically non-intrusive; penetration tests attempt to actively exploit vulnerabilities. And the answer is D. Vulnerability assessments are broader in scope and are typically, air quotes, "non-intrusive." Penetration tests, on the contrary, attempt to actively exploit vulnerabilities, and they go deep and they go hard, and that's the ultimate goal of them. They usually focus specifically on one niche area. But bottom line is, that's the difference.
Speaker 2: Question 14. Which of the following would be the most effective in identifying previously undetected lateral movement by an attacker? Again, which of the following would be the most effective in identifying previously undetected lateral movement by an attacker? A. SIEM correlation rules. B. Antivirus signature updates. C. Packet capture analysis. Or D. Behavioral anomaly detection. So, again, most effective in identifying previously undetected lateral movement. It would be D, behavioral anomaly detection, right. So if you have not detected it, PCAPs and antivirus signatures and SIEM correlation rules would not be effective, because you haven't detected it yet. But if you're looking for something, the behavioral aspects probably would be your best bet in detecting when someone's moving laterally that has not been detected by the other tools that you have. So again, the most effective would be behavioral anomaly detection.
Speaker 2: Question 15, the last melon. Which testing activity ensures that software security flaws are remediated properly after discovery? A. Regression testing. B. Remediation verification testing. C. Integration testing. Or D. Security test case development. It's a lot of big words. Which testing activity ensures that software security flaws are remediated properly after discovery? And the answer is B, remediation verification testing. Okay, this is called retesting in some cases, right, and it validates that the identified vulnerabilities have been correctly fixed. It basically re-executes the test cases for what was found and it looks to make sure that the flaw is no longer there. This is where you'll find this particularly, in Agile or CI/CD pipelines where rapid fixes are deployed quickly. So the remediation verification testing process is an important part to make sure that you find out if they've actually been fixed. Okay, so that is all I have for you today. Thanks for joining me today at CISSP Cyber Training.
Speaker 2: Head on over to CISSP Cyber Training. You can do a couple of different things. One, get access to all of my CISSP questions, or at least to 360 of them, I should say, not all of them. Just by signing up with CISSP Cyber Training, you can get access to 360 questions that will help you with your studying for the CISSP. Free, 360 of them, nothing to it. You just sign up, boom, you've got questions, 360 of them. They come to you over a period of a few months, but you get big batches of them to help you study.
Speaker 2: The second thing is, just go to CISSP Cyber Training and, from there, you can get access to any free content that I have at the site itself. So there are lots of different videos, lots of audio that's there. All of that, my podcasts, are all tied to CISSP Cyber Training. You can get them there. All of that stuff is available to you.
Speaker 2: And then, finally, if you see there's value in this, just purchase a product that I have and you get access to all of the content. Right, I have three tiers, but with the most basic tier you can get access to all of my content just by signing up with that. So you've got three options. Option one, free questions, 360 of them. Option two, go to the site and look for some free stuff on the site. Option three, go and purchase the CISSP training that's there and available for you. Pick whichever of the three options best meets the needs of you and your organization. So again, check that out at CISSP Cyber Training. Hope you have a wonderful, wonderful day and we will catch you all on the flip side. See ya.