CISSP Cyber Training Podcast - CISSP Training Program

CCT 273: Mastering CISSP Exam Questions - Five Challenging Scenarios

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur. Season 3, Episode 273


Check us out at: https://www.cisspcybertraining.com

Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv

A catastrophic data loss incident involving South Yorkshire Police serves as a powerful security lesson in today's episode. We examine how 96,174 pieces of body-worn video evidence vanished during an IT upgrade, affecting 126 criminal cases. This real-world security failure highlights the critical importance of proper data management, backups, and third-party oversight—fundamental concepts that directly apply to your CISSP exam preparation.

The heart of this episode tackles five challenging CISSP exam questions spanning multiple security domains. We methodically work through complex scenarios involving encryption algorithm selection, mitigating Single Sign-On risks in healthcare environments, containing Advanced Persistent Threats, addressing cross-border data protection compliance, and handling SQL injection vulnerabilities in government applications.

For each question, I break down the critical thinking process that helps you eliminate incorrect answers and identify the best solution. You'll understand why AES-256 balances security and performance for financial data, how multi-factor authentication strengthens SSO implementations, when network segmentation becomes crucial for APT containment, why Data Loss Prevention systems address insider threats, and the importance of parameterized queries in secure software development.

This episode demonstrates how to approach scenario-based questions methodically, turning what seems overwhelming into manageable decision points. By breaking down complex questions step-by-step, you dramatically improve your chances of success on the CISSP exam while building practical security knowledge that translates directly to real-world challenges.

Visit CISSP Cyber Training for more resources, including 360 free practice questions to accelerate your certification journey. Remember, a methodical approach to security problems is your path to passing the CISSP exam the first time.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:

Good morning everybody. It's Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday and we're going to go over just a few questions that might be a little bit more challenging as it relates to the CISSP exam. The ultimate goal on Thursdays was to provide CISSP questions and then, along with that, on Mondays, we actually provide some training around what we're doing. So Monday is the training, Thursday is the questions, and then we just keep on trucking on. That's the plan. Now what we're going to talk about here in just a minute is the five questions that I have, as it relates to all of the CISSP questions or all of the domains, and no, I just won't cover them all because there's only five questions, but it's just going to cover some deep questions that they may ask and some scenario-based questions that you may have questions about. That's "question." Saying that word about four times in about one sentence, that's a lot. So, all right, let's get going into what we're going to talk about today.

Speaker 2:

Well, before we get started in the questions today, there was an article that I saw in Infosecurity Magazine and this is around "South Yorkshire Police deletes 96,000 pieces of evidence." Now, if you all have known, we've talked about this at CISSP Cyber Training. There's an important part that you have a good plan related to the protection of data within your organization. Now, as you're dealing with police officers, obviously a big factor for them is the digital evidence that's out there, and there is a process by which you will manage the digital evidence of any case that you have, and that's that chain of custody process. Now, the problem that came in this situation is that some people just didn't understand what they were doing and it caused a huge issue. So, basically, they deleted around 96,174 pieces of body-worn video. So it's the video that police officers have when they're going and doing some sort of investigation, and it's all the video that goes with it. Now, as we know, video is extremely intensive, right, it stores up a lot of data, and I can see what ended up happening is potentially (this is just the quick look at this) that you know what? Hey, we've got all this stuff just sitting around, nobody's using it. Let's delete it because it's taking up storage space and it costs us money. Now, that's just my quick thought, and I can see how someone would come to that conclusion, but what it came right down to is an IT upgrade in 2023 caused the digital evidence management system to be stored on a local disk. So they had it in a cloud situation. They put it on local disk.

Speaker 2:

A mass deletion occurred on July 26, 2023 during a third-party data transfer to a storage grid platform. So in this case here, it wasn't because someone just said I've got space, I want to delete it. It actually was because they were making a move with it. Now, as we all know, when moving data that's related to anything that's important like this, you would want to have a good plan in place on how to deal with it. You'd have your backups, you'd maintain your backups, you would do a data storage move. Then you would verify your backups actually occurred. The SYP could not provide a definitive explanation for the deletion. They just deleted it.

Speaker 2:

So I would say there's a tragedy of errors in this that potentially could be a big factor. One, they probably had an IT person that did not totally understand how to move these digital assets from one location to the next. They may have done it with a third party, they may have done it internally, but they didn't truly know how to verify that once the data is in one location, it's moved to the next location, and then how do they validate that the data was actually moved? I think it was just a "hey, let's just copy-paste," and then real quickly, if any sort of an issue with the data transfer were to occur and the data becomes corrupted, now you have a bigger situation. Now, this affected about 126 criminal cases, but with only one case potentially impacted at the court stage at this point. But it's 126 criminal cases.

Speaker 2:

Now, not everything with the footage is imperative to the business case itself, but it shows a lack of knowledge, potentially, on how this should have occurred. They may not have wanted to pay for someone to actually do this, but yet at the end of the day, they probably should have paid someone to do this. So what does it come right down to? They had failures in data management, backups and record keeping, obviously, because these things happen. So they need to, from an organizational standpoint, have a really good plan in place when they're considering any sort of move like this, especially when you're dealing with chain of custody aspects and you're dealing with court cases. So it's an important part.

Speaker 2:

The recommendations that came out of the ICO were to implement adequate storage backup solutions. Shadow third parties that are accessing these systems, right. So if there's a third party that's managing it, are you watching what they're doing? You don't just go, hey, yeah, you guys take care of it. No big deal. You're going to need to shadow them as well. Define third-party roles and responsibilities. Conduct risk assessments. A big factor is conducting a risk assessment of what you have, and then ensure all records are clearly identified and marked. So there's a lot of failures here that occurred. Hopefully, I mean unfortunately, if you are in the court system, if this body cam footage was important for your case and you lost it, that would be extremely poor. It would be very bad. So hopefully they can recover some of this or at least it won't be as big of an impact as it potentially could be with their organization. So, again, understanding how your data is stored and transferred is an important part of any organization, whether you're in the police department or whether you're in corporate America.

Speaker 2:

Okay, so let's go on and move on to the questions we have for you today. Okay, so you can get all these questions at CISSP Cyber Training. Everything that I have here is available to you. This is obviously the free version; the free version is what I do with the podcast, but you can get access to the questions themselves through my paid program that I have. It's available for you. Honestly, it's dirt cheap compared to what you will pay for a boot camp type program. I'm giving you all the content that you need in a boot camp type program available to you, as well as mentorship and availability of myself to you if you see fit. And finally, we have the free versions. I have available the bronze package. I mean honestly, that thing, you should be picking that up immediately. The reason I say that is because it's free, and if you want to have a self-study, if you really don't think you need any sort of deep dive or any sort of boot camp type activities, the free version is exactly what you need and I would sign up for it immediately because it's free and it doesn't cost you anything.

Speaker 2:

So let's move into some of the questions and let's answer these and see where we go from there. Question one, scenario. OK, you are a security architect at a multinational financial institution. The organization is deploying a new cloud-based application that processes sensitive customer data. The application requires strong encryption for data at rest and in transit. During the design phase, you must select an encryption algorithm that balances security, performance and compliance with FIPS 140-3 standards. The application will handle large volumes of data and performance is a critical factor.

Speaker 2:

Which encryption algorithm should you recommend for data at rest to meet FIPS 140-3 while optimizing performance? Okay, first question, or first answer: A, AES-256; B, RSA-2048; C, Triple DES; and D, Blowfish. Okay, so those are the four options that you have available to you. So which one is it? Which encryption algorithm should you recommend for data at rest to meet FIPS 140-3 while optimizing performance? So if you look at the questions, you'll go, well, you know what? I know that Blowfish is a symmetric block cipher and it's not FIPS approved, so I'd throw that out. Triple DES is an older cipher that's out there and it is significantly slower than others that are on the market. It is FIPS approved, right, so that's a good thing. Triple DES is FIPS approved, but it is a much slower type of algorithm, cipher, I should say. So if that's the case, I would throw that one out as well. So now you narrow it down to two. You've got AES-256 and you've got RSA-2048.

Speaker 2:

Now RSA-2048, that's a relatively new one that's been out and it's an asymmetric encryption algorithm. Okay, and it's used for key exchange or digital signatures. It's not designed for encrypting large volumes of data at rest due to its computational overhead, because it's basically 2048-bit. Now, that being said, can it do it? Yes. Should it do it? Not necessarily; it should be used for digital signatures because of that situation. So it leaves you with the last one, which is AES-256. This is a standard with a 256-bit key and it's a symmetric encryption algorithm that is FIPS 140-3 compliant and it is highly regarded as a secure method for protecting sensitive data. Okay, so it gives you good security and it also helps with the overhead in that it isn't having to be computationally too high. So it works really efficiently for the data at rest situation. So the answer would be AES-256.

Speaker 2:

Question two. A large healthcare organization is implementing a new electronic health record system, or EHR. The system must comply with HIPAA regulations and ensure that not only authorized personnel can access patient records. I mean, actually, it can ensure only authorized people, sorry. The organization uses a role-based access control, or RBAC, model, and is considering implementing a single sign-on solution to streamline access across multiple applications. However, there's a concern about the potential for unauthorized access if an SSO session is compromised. Okay again. So they have RBAC in place, they are going to put in SSO as well, but they're concerned that if an SSO session was compromised, then, because they're using it for single sign-on for many applications, you would have access to multiple applications at one time.

Speaker 2:

The question: what is the best approach to mitigate the risk of unauthorized access in the SSO implementation while maintaining compliance with HIPAA? Okay, so A, a longer session timeout period to reduce user re-authentication (I can't speak). B, implement multi-factor authentication for all SSO sessions. C, disable SSO and require separate logins for each application. Or D, encrypt all SSO session tokens with Triple DES. Okay.

Speaker 2:

So what is the best, air quotes, best approach to mitigate the risk of unauthorized access in an SSO implementation while maintaining compliance with HIPAA? Okay. So let's knock out a few of these that maybe don't make any sense or aren't the best answer. A, encrypt all SSO tokens with Triple DES. Okay, so Triple DES session tokens, which we just talked about in the previous question, is a less secure and older type of product out there, and so therefore it alone would not address the authentication risk. It would just encrypt the overall session, so that in and of itself is not necessarily the best answer. Disable SSO and require separate logins for each application. Disabling SSO would not help you, and you're now back to where you were at square one, which is the fact that now everybody has a login for the application and, you know, they're using password reuse.

Speaker 2:

So that would not be a best option either.

Speaker 2:

So you've now narrowed it down to two. You use longer session timeout periods to reduce user re-authentication. Well, if you're trying to mitigate the SSO issue, then allowing for a longer re-authentication period would not be a good idea, right? Because that would increase the risk of session hijacking and doesn't really necessarily enhance security at all. So the answer would be B, implement multi-factor authentication for all SSO sessions. So again, multi-factor adds an additional layer of security requiring multiple forms of verification, which we've all talked about numerous times on this podcast. It significantly reduces unauthorized access if an SSO session is compromised, so multi-factor is an important part. Now, obviously, you can do different levels of multi-factor, from having an actual authentication application on your phone to just having a text sent to you, which we know the text sent to you is not the best option. It is an option, but it's not the best option. So for this question, though, the ultimate goal is just implement multi-factor for all SSO sessions.

Speaker 2:

Question three. Your organization has detected a sophisticated advanced persistent threat (APT) targeting its financial systems. Oh no. The incident response team has identified indicators of compromise, including unusual outbound traffic to known malicious IP addresses. The organization uses a SIEM, basically, you know, like a Splunk or an ArcSight or something that is used to monitor and correlate the logs, right, but the APT has evaded initial detection by using encrypted channels and low-and-slow attack techniques. Very smart of them, it is. So what is the most effective step to contain the APT and prevent further data exfiltration? Okay, obviously there's a lot of steps that have to go into this and not just one, but let's just talk about what we have. A, block all outbound traffic at the firewall until the threat is fully analyzed. B, deploy new antivirus signatures to detect the APT's malware. C, increase the logging level of all systems to capture more data. Or D, implement network segmentation to isolate affected systems.

Speaker 2:

Okay, so there's a lot of little things in here you could do, but which one is the best, the most effective that you could actually have happen? So let's start with one. Block all outbound traffic at the firewall until the threat is fully analyzed. Okay, that'll work, but you'll get a lot of people mad at you, basically because by doing this, nobody can move, nobody can do anything within the business, so that would cause drama. Now the APT is probably in your network and they can move laterally within your network. So that would be a little bit of a challenge. But again, if they can't communicate outbound, that would limit what they can and cannot do. So that's not a bad thing, but, man, there's a lot of implications for doing that. That would not be the most effective step. B, deploy a new antivirus signature for the APT's malware.

Speaker 2:

Okay, so antivirus signatures may not be effective specifically against APTs. Again, if it's a robot type APT activity, maybe, but if it's someone that's actively engaged in your network, probably not, probably won't do much to them at all. Increase the logging levels of all systems and capture more data. That is good. It can be helpful in investigation and it can provide you a little more data. Now, it might be a bit after the fact because you already know they're in your environment, but it's not terrible. It's just, I think you would use that in conjunction with something else.

Speaker 2:

And then the last one is implement network segmentation to isolate the affected systems. Yes, okay. So implementation of segmentation would be very good. Outbound traffic, potentially, parts of outbound traffic, maybe there's parts that you know where they're at. You may do some sort of segmentation now. Ideally, you would want your architected network to be segmented before you even have this problem, but you may have to start cutting off parts of the body to save the whole body, and that's where the segmentation piece comes into play. So you just have to figure out what is best for you and your organization. But in this situation, the best answer would be D, implement network segmentation to isolate affected systems.

Speaker 2:

Question four. All right, a global manufacturing company is expanding its operations into a new country with strict data protection laws, including mandatory breach notification within 72 hours. Sounds familiar. The company's risk management team is conducting a risk assessment to identify potential threats to customers' data stored in the new data center. The assessment identifies a high likelihood of insider threats due to inadequate employee training and weak access controls. So what is the best approach to mitigate the insider risk while aligning with the new country's data protection laws? Okay, so the global manufacturer is expanding its operations into a new country and it's got breach notification aspects. What are you going to do? Okay, so let us look at some of the questions and see what's available. Okay, so: A, conduct a one-time security awareness training for all employees. B, outsource all data processing to a third-party vendor. C, encrypt all data at rest with a proprietary algorithm. Or D, implement a data loss prevention solution to monitor and block sensitive data transfers. Okay, again, you're dealing with a different country and you've got data breach laws that you have to work through.

Speaker 1:

What do you do?

Speaker 2:

So, well, let's start taking these one by one. One, you conduct a one-time security awareness training for all employees. This is good, it is positive, right, but it's not sufficient for what you're trying to accomplish, right? This will just kind of more or less be a placebo. You're going to need to do training with people, but, at the end of the day, that's not going to stop somebody from getting data outside of your organization and that's not going to really mitigate the risk of an insider risk problem.

Speaker 2:

Outsource all data processing to a third-party vendor. Okay, this could be some level of protection. However, it does incur new risks, such as third-party vulnerabilities. We talk about this a lot in the CISSP: third-party risk management. Do you have a third-party risk management program in place? This does not directly address insider threats specifically within your organization, and so it's not necessarily the best. Encrypt all data at rest with a proprietary algorithm. Again, proprietary encryption is risky. I do not recommend it. It's not a good idea. It may also not meet the regulatory standards set up by your country. Stick with what is known. Okay, so that's that one. So I think we pretty much throw those out. Then, when we get to the last one, D, implement a data loss prevention solution to monitor and block sensitive data transfers. Now, this is DLP. It's really what you want to do. That is an important factor in all organizations, that you have a DLP program in place and that you are watching what's going on within your company. So, DLP, great idea. I would highly recommend it, and therefore that would be the right answer in this specific question. So again, unauthorized data transfers by insiders would be addressed specifically by the DLP program that you have in place.

Speaker 2:

All right, let's move on to the next one. Okay, the last question, question five. A software development company is building a web application for a government client that requires compliance with the Secure Software Development Framework, SSDF. During the code review, the team identified vulnerabilities in the application's input validation that could allow for SQL injection attacks. The development team is under pressure to meet deadlines and is considering bypassing the fix to expedite delivery. What is the best course of action to address the SQL injection vulnerability while adhering to SSDF guidelines? So again, SSDF is the Secure Software Development Framework.

Speaker 2:

And when we talk about frameworks, what are frameworks? Frameworks are just like a guide, right, a guide on how you should do steps A, B, C and D. They're not the rule, but they are a great way for you to kind of follow along and ensure that you're meeting, at least getting some of the direction that they are requiring or they're asking of you. All right, so let's look at some of these questions. A, implement parameterized queries and conduct a follow-up code review. B, deploy the application and patch vulnerabilities in the next release cycle. C, use web application firewalls (WAFs) to block SQL injection attempts. Or D, rewrite the application in a different programming language to avoid the vulnerability.

Speaker 2:

Okay, so the question is what is the best course of action to address SQL injection vulnerabilities while adhering to SSDF guidelines? Well, okay, so you've got to know what the SSDF guidelines would be, but a lot of the code guidelines would focus around doing code reviews. They also talk about making sure that you have parameterized queries. They want to make sure that you have input line comments that are set up. They want to make sure that you have limited different aspects within the code environment. So we'll get into that in just a second. But the bottom line is that the framework is going to be very specific around what are some recommendations that you should follow. So, knowing that, if you don't really know what the SSDF is, and you go, well, let's just talk about a framework. What is a framework? It's a step-by-step process and it's probably a little bit more granular. Then let's think about that. And then it's dealing specifically with code development. So now we're dealing with a very granular aspect around code development.

Speaker 2:

So one of the questions is rewrite the application in a different programming language to avoid the vulnerability. That is just a really bad answer. It's just not that good, it's not practical, right? So rewriting your code, if you've written it all in one level of code and now you're going to write it in something else, that's just not going to work. So I would not do that one. That would be a no, don't pick that one. C, another one was use web application firewalls to block SQL injection attempts. Now, this is good, right, you can block the attempts that are occurring, but it's more of a compensation control, compensating control. It does not deal with the root cause of the vulnerability itself. It's more of kind of just to cover it. It's a placebo. It's not a placebo, not really. It will help, but it's not going to address the overall root cause of the problem.

Speaker 2:

Deploy the application and patch vulnerabilities in the next release cycle. Okay, deploying without fixing something will violate any sort of development framework. So just think about that. You have to. If you know there's a problem, you've got to fix it. You cannot, when you're dealing with deploying code, when you're doing a code review, and you look at something and you go, oh my goodness, I've got a problem, you do not have the ability to go, well, hey, you know what, let's just deploy it, not worry about it. Yeah, you can't do that, because you know then you're automatically injecting a known risk into your organization. Now, can that happen? Potentially, but this is where you would not do that from your standpoint. From a code review, you would run it up the flagpole. And if the leadership says deploy it, that would be very foolish of them. But if they said just deploy it anyway, we want it to go, it's not your head, it's theirs. And afterwards you would recommend going, ah, this is not a good idea.

Speaker 2:

Bottom line is you do not have the responsibility to make that call. You do not have the ability to make that call. And if you do make that call, you should not be a developer. And then the last question is implement parameterized queries and conduct follow-up code reviews. Okay, so this is the correct answer. And again, if you don't know, because coding gets a lot of people with the CISSP, secure coding practices are recommended by SSDF to prevent SQL injections by using parameters, and this would be coded user inputs. All of these things would help limit the vulnerability in this specific situation. Now, when you're dealing with a follow-up code review, that means that once you have made the fix, you are going back over to ensure that it is properly implemented. You're tracking these things, you're making sure that you're going in and you're testing. Before you push to deployment, you're actually testing to make sure that with the code you're not running into issues with these different input validations. So, again, think about each of the questions, take your time, walk through it in your mind, and if you walk through it in your mind, you're going to do much better, because out of those four questions, they look overwhelming if you read them as a whole, but if you start reading them individually, you can probably, I know you can, break this down into, like, you know what, it's one of these two, pretty sure. Or you know what, hey, this is a no-brainer, it's this one. Or if it's even down to three, you've increased your chances by going, well, if it's one of these three, I'm going to guess on one of the three. You now are at least at a 33% chance of getting the right answer, versus a 25% chance if you're just guessing. So again, break down the question, take your time, don't be in a hurry. But again, keep in mind, when you're taking the CISSP, you can't go back. So be in a situation, be fast, but be methodical, think about the question before you actually answer the question. Okay, that's all I have for you today. I hope you guys enjoyed this little bit more of a deep dive in the CISSP questions. The ultimate goal of this is to give you the skills you need to pass the CISSP the first time.

Speaker 2:

Head on over to CISSP Cyber Training. Help me out with this. Go out there, pay. You can go and buy my programs that are available for you. I've got free stuff, but I also got the paid products as well. They're all available for you.

Speaker 2:

And what do you all got to do? There's not much to it. You just go out there, check it out, see how it can help you in your overall plan. All right, I appreciate all of your guys' time. I hope you all are having a wonderful, wonderful day and we will catch you all on the flip side, see ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
