CISSP Cyber Training Podcast - CISSP Training Program

CCT 247: Mastering Access Controls - From Biometrics to Administrative Policies (CISSP Domain 4)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 247


A shocking incident in Spain recently left 60% of the country's power grid dark in less than five seconds. Was it a cyber attack? The jury's still out, but this real-world event perfectly illustrates why understanding access controls and security mechanisms is critical for today's cybersecurity professionals.

Sean Gerber, despite battling a cold that affects his voice, delivers a compelling analysis of the Spanish power grid incident before diving into essential CISSP domain four content. He highlights how smaller electrical providers might have fewer security resources, making them attractive targets, and emphasizes the growing importance of professionals who understand both operational technology and information technology security.

The episode then transitions into practical CISSP exam preparation, exploring various types of access controls through real-world scenarios. Sean expertly distinguishes between preventative, detective, corrective, and deterrent controls, while also clarifying the differences between physical and logical security mechanisms. Particularly valuable is his breakdown of biometric authentication methods, pointing out how voice recognition (ironically demonstrated by his own cold-affected voice) proves less reliable than alternatives like iris scanning or fingerprinting.

Understanding the nuances between Mandatory Access Controls (MAC) and Discretionary Access Controls (DAC), implementing proper identity proofing processes, and recognizing when compensating controls are needed are all critical CISSP concepts covered in this content-rich episode. Whether you're preparing for certification or working to strengthen your organization's security posture, these lessons apply directly to building effective defense-in-depth strategies. Ready to master these concepts and pass your CISSP exam? Visit CISSP Cyber Training for a proven blueprint guaranteed to help you succeed.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:

Hey all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday and we are going to be going over questions related to the CISSP exam content that was covered on Monday. So, content that was brought up on Monday, today we go over the questions for that content. And, if you also notice, I have a really cool voice today. Yeah, I've been struggling with a bit of a cold. First I thought it was allergies, now I actually think it's a cold and I got that while traveling. Yes, I love it, it's wonderful, but we're just going to go through some CISSP questions and you just won't care what I sound like today.

Speaker 2:

Now, I don't know if you all saw this in the news or not, but this occurred, I think, April 29th, somewhere right around in there is when the actual incident did occur. April 28th is what it is, and this article is from the Financial Times and it goes into a little bit of detail around what they saw and what happened. Now, the biggest issue that came out of this article, and I think that really comes right down to Spain as a whole, is that this was a temporary blackout of some of their electricity and their power grid. The interesting part around this was that roughly 60 percent of Spain's electricity demand was lost within under five seconds, so that's a pretty substantial amount, right? So it's like your entire country, two-thirds of it, going dark because of something that occurred, and so, because of this, they have been running to all kinds of ideas of what actually caused it. Now, from a cyber attack standpoint, it hasn't necessarily been ruled out that it wasn't a cyber attack. It also hasn't been completely confirmed that it was a cyber attack. They don't really truly know.

Speaker 2:

One of the aspects that I thought was interesting is that they've been focusing on the small electric providers. So, in most countries, the United States is no different, there are multiple electrical providers throughout the country, and each of these folks are businesses that are providing electricity to the grid. Now, some are big, some are small, and the regulations that are tied to that, at least in the United States, throw them all under critical infrastructure. However, they keep a lot of this pretty wide open as far as the protection controls and what you should use, and so, because these controls are kind of wide open and they let you have some sort of autonomy on putting controls in place, they will vary from company to company. So if it's a large company, they may have the funds and the resources to be able to fully invest in what they need to do to protect their organization. When they're a smaller company, they may not have the same level of capabilities and so, as a result, they may not have the same protections, and so, therefore, they would be a great place to target if you were a bad guy or girl, and so that's what they're.

Speaker 2:

One of the things they're trying to consider is were the smaller electrical companies targets of this, or what actually caused it? I don't know. To lose 60% of your power consumption, and you lose it within five seconds. To me, if it isn't a cyber attack, which it might not be, it also shows a lot of weaknesses within your organization or within your overall ecosystem to ensure that this is better protected. So I think it'll be interesting to see where the information is shared. There's lots of different sharing that's going to be occurring through the different ISACs. The industrial side or the electrical side has their own ISAC, and so that just talks about the fragility of the overall ecosystem related to the power grid and so forth. So if you are interested in OT and IT security, I'd highly recommend that you start studying up on that. I think there's going to be a big demand for it here in the future, especially as we become more and more connected and more and more tied to this OT environment. We thought it was a big deal back when I first got started in cyber back in the early 2000s, and it hasn't matured to its point yet. So it will be very, very interesting where it goes in the next 15 to 20 years.

Speaker 2:

Okay, so let's get started on today's questions. Again, these are questions over domain four of the CISSP exam. Question one: which of the following is the most critical initial step in establishing a trustworthy digital identity for a new user within a high security environment? A, assigning a temporary password and requiring password changes upon first login. B, implementing multi-factor authentication from the onset. C, rigorous identity proofing and verification processes. Or D, granting least privilege access based on their initial role? Again, which of the following is the most critical initial step in establishing a trustworthy digital identity? And it is C, rigorous identity proofing and verification processes. Again, this is probably one of the most critical steps you can take, ensuring that the person who you have working for you is the person who they say they are, and this is done especially when you're dealing with a high security environment. This may come down to having various protocols and processes in place to do background checks and so forth. So the answer is C.

Speaker 2:

Question two: a security administrator discovers an unauthorized individual attempting to tailgate an authorized employee through a secure data center entrance. Which type of access control best describes a security mechanism that should have prevented this situation? A, preventative; B, detective; C, corrective; or D, deterrent? And the answer is A, preventative, right. So you should have had something in place to stop this from happening: a mantrap, a turnstile, a guard watching it that would have been put in place to help stop somebody from tailgating into this environment. I've worked through all of those. You can get around them all, but again, they're designed to slow somebody down from trying to get into a very secure environment. Question three: after a successful data breach, an organization implements enhanced logging and monitoring capabilities to identify any future malicious activity. This is an example of which type of access control? Again, after a successful data breach, an organization implements an enhanced logging and monitoring capability to identify any future malicious activity.

Speaker 2:

This is an example of what type of access control? And we don't tell you the answer just yet. A, preventative; B, deterrent; C, corrective; or D, detective?

Speaker 2:

And the answer is D, detective. Detective access controls are designed to identify and record events after they have occurred. Again, enhanced logging and monitoring would help detect any sort of situation that would be occurring. Question four: an organization mandates that all employees attend annual security awareness training which includes modules on social engineering tactics and password security. This is primarily an example of which type of access control? A, logical; B, administrative; C, physical; or D, technical. Okay, again, they're trying to give employees training related to social engineering and password security. And the answer is B, administrative. Again, administrative controls involve the policies, procedures, standards, guidelines and so forth. Their ultimate purpose is to help teach people, right, and security awareness will fall into that bucket. So it's administrative.

Speaker 2:

Question five: implementing mandatory access controls within an operating system kernel is an example of which type of access control? Again, implementing mandatory access controls within an operating system kernel is an example of what type of access control? Again, implementing mandatory access controls within an operating system kernel is an example of what type of access control? So, MAC, mandatory access controls: A, physical; B, administrative; C, detective; or D, logical. Again, mandatory access controls, otherwise known as MAC, within an operating system kernel. What would it be? And it is D, logical, right. Logical controls, these are technical controls that are implemented through hardware and software, and they're designed to control the resources and access to those. So, again, MAC is enforced by the operating system and it's a technical mechanism. So therefore, it would be under logical.

Speaker 2:

Question six: placing a security camera at the perimeter of a building serves as two types of access controls. Security cameras at the perimeter are two types. What are they? A, deterrent and detective; B, preventative and corrective; C, detective and corrective; or D, preventative and deterrent. Okay, again, what are the two types of access controls for cameras? They are A, deterrent and detective. Okay, so a deterrent: you see a camera, you usually have to think twice about do I do it or do I not? Also, detective: there's cameras being used, they are probably being monitored and so therefore they've got some sort of something on you. Now, something to consider with all of this. We've worked through all these. We talked about this at CISSP Cyber Training multiple times. Cameras are one of those things that you don't know if there's actually a camera in those bubbles or if they're just there to keep you guessing. Again, most times cameras are after the fact. There's not someone physically watching them at that time. So if you are a bad person and you're trying to get into something and you cover yourself up, odds are probably pretty high they're not going to catch you going in. Now, they may come after you've done it, but by then you may be long gone. So yeah, don't use your powers for good, not evil.

Speaker 2:

Question 7: after a server room experiences a power outage, an uninterruptible power supply, UPS, automatically kicks in to maintain system uptime. This is an example of what type of access control? A, preventative; B, detective; C, corrective; or D, compensating. Again, the server room has a power outage, the UPS kicks in. What is this? And the answer is D, compensating control. Yes, a compensating control is implemented to mitigate the risk associated with a vulnerability, obviously when the primary control does not work. So that's what ends up happening, and the UPS compensates for it because it brings up power to help you do a safe shutdown. Again, UPSs are not designed for you to run on them all day long. They're a big battery. They're designed to help you do a safe shutdown or deal with small intermittent issues.

Speaker 2:

Question eight: which of the following biometric factors is generally considered the least reliable for high security access control due to its susceptibility to environmental factors and temporary changes? Again, which biometric factor is generally considered least reliable for high security areas because of its susceptibility to environmental factors and temporary changes? A, iris scan; B, voice recognition; C, fingerprint scan; or D, facial recognition? And the answer is B, voice recognition. And guess what? Today you get a perfect example of that. Yes, I can barely talk, and because I can barely talk and my voice sounds really bad, I would have a hard time with voice recognition software, right? So it's considered less reliable because of this, for high security reasons, because things change. Voice changes; irises do not change, I guess, typically. I'm not a doctor, but I can't imagine they change very often.

Speaker 2:

Question nine: a security policy mandates the use of personal identification cards for physical access to a government facility. This is an example of which type of access control? Okay, so you had a personal identification, personal identity verification card. What is that? It would be A, logical; B, administrative; C, physical; or D, compensating. And you're asked, they have to have a physical card, wink, wink, physical, for which type of access control? And the answer is C. Physical tokens are used to control access to physical locations. Again, mandating the use is an administrative control, but the actual card and the door reader is a physical access control mechanism. So when you're using a beep beep, that's what it's for. Again, we've talked about beep beeps before on the podcast and how well they work.

Speaker 2:

Question 10: implementing data loss prevention software that monitors and prevents sensitive data from leaving the organization's network is primarily an example of which type of access control? Again, implementing DLP software that monitors and prevents sensitive data from leaving your organization's network is what type of access control? A, logical; B, physical; C, administrative; D, detective. Okay, so which one is it for DLP? And the answer is A, logical, right. DLP software operates at the data and network layers, using technical mechanisms to control and prevent unauthorized data exfiltration, right. So this falls in the category of logical or technical access controls. So that's one of the aspects, because you're putting something in place from a technical perspective to keep people at bay.

Speaker 2:

Question 11: an organization implements a policy requiring users to change their passwords every 60 days. This is an example of what type of access control? A, preventative; B, detective; C, corrective; or D, administrative. So, again, an organization implements a policy requiring users to change their passwords every six days. What type of access control is this? Okay, so which one could it be? Could it be administrative or could it be preventative? Oh, it is preventative, right, because, again, the policy's in place, but what's actually occurring is the fact that you want to force people to change their password because a password has potentially been compromised, so therefore they would put in a preventative control. Again, this is forced. This regulated change limits the effectiveness of potentially compromised credentials. So it's an important part.

Speaker 2:

Question 12: which of the following is a key difference between discretionary access controls, DAC, and mandatory access controls, MAC? Okay, so A, DAC is centrally administered, while MAC is controlled by the individual user. B, MAC relies on security labels, while DAC is controlled by the individual user and is based on user identities and group memberships. C, DAC is generally more flexible and easier to implement than MAC. Or D, MAC focuses on preventing unauthorized access, while DAC focuses on detecting it. So which of the following is the key difference between DAC and MAC? And the answer is B, MAC relies on security labels, while DAC uses user identities and group memberships. Right? So again, these are all done by comparing labels that are assigned to each of the subjects and objects, and then with DAC, access is typically granted based on the owner's discretion and their group memberships.

Speaker 2:

Question 13: implementing a security guard at the entrance of a building who checks identification badges is an example of which two types of access controls? Again, you put a security guard at the gate when you walk in. So which two types of access controls are they? A, logical and physical; B, preventive and detective; C, physical and preventive; and D, deterrent and corrective. So which two types is having a security guard at the entrance? It is C, physical and preventive, right. The security guard is a physical presence, and then by having people present their IDs, it is also intended to prevent unauthorized access by people trying to gain access to your environment. One thing that's really good is, if you have those, is to put your security guard there not all the time, just have them kind of pop in, pop out kind of thing. So it's kind of cool.

Speaker 2:

Question 14: after a successful brute force attack on a user account, the security team implements account lockout policies after a certain number of failed login attempts. This is an example of which type of access control? Again, after successful brute force attacks on a user account, the team finally puts in a lockout policy. What would that be? A, preventative; B, detective; C, deterrent; D, corrective? And the answer is D, corrective, right. The lockout policies aim to limit any further access from an unauthorized user. Therefore, you put in the corrective action to stop this from occurring.

Speaker 2:

Last question: which of the following best describes the purpose of proofing in the context of identity management? Again, which of the following best describes the purpose of proofing in the context of identity management? A, assigning specific access rights and permissions to a newly established identity. B, verifying the individual presenting the identity is genuinely associated with that specific identity. C, establishing unique identifiers for a user within the system. Or D, implementing strong authentication mechanisms to protect the established identity? Again, which of the following best describes the purpose of, air quotes, proofing in the context of identity management? And the answer is B, verifying the individual presenting the data is generally associated with the identity.

Speaker 2:

What does it mean when you proof it? You've got to have a driver's license, birth certificate, those types of things to prove that Sean is who he says he is. He's not just somebody random showing up. And now, can all these things be forged? Sure. Do people, HR people and them, look at these in depth? Maybe, maybe not, but, that being said, it does give you something that you can use. Anyway. So that's all we've got for today. Hope you guys have a wonderful day.

Speaker 2:

Go to CISSP Cyber Training. Check out what we have. A lot of free stuff. A lot of free stuff. Also, I have the ability for you to gain access to all of my blueprint. My blueprint will help you pass the CISSP. Guaranteed, I guarantee you it will do it. You follow the blueprint and you go through what it tells you to do. You will pass the CISSP. So all this stuff is put out there for you guys. All this content is available to you. Again, the only thing holding you back from your CISSP is you. Again, go check out CISSP Cyber Training. You'll love it, I guarantee it. It's amazing. I get lots of people that really give good reviews of what we provided, and the ultimate point is just to help you pass that doggone test. We really want you to pass the test we do. All right, have a wonderful day and we will catch you all on the flip side, see you.
