
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 281: Practice CISSP Questions - Deep Dive - Identity and Access Provisioning Lifecycle (Domain 5.5)
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
The cybersecurity landscape is evolving rapidly with AI development creating unprecedented challenges for organizations, security professionals, and insurance providers alike. How do we manage these emerging risks while maintaining fundamental security governance principles?
Shon Gerber tackles this question head-on by examining why liability insurance alone won't solve the AI security equation. Drawing from a Lawfare article, he unpacks how cyber insurance has failed to drive meaningful security improvements because of poor loss data, shallow assessments, and inadequate risk measurement. As AI systems increasingly generate their own code, determining liability becomes extraordinarily complex. Insurance companies may soon require more rigorous security evaluations before providing coverage for AI implementations, placing an additional burden on businesses to demonstrate robust security practices.
Moving from theory to practice, Shon delivers five deep-dive questions on CISSP Domain 5.5 that demonstrate how security professionals must "think like managers" rather than just memorizing answers. Each scenario, from dealing with orphaned accounts after mergers to implementing role-based access control in healthcare, illustrates the importance of governance, proper access management, and security process improvement. The questions challenge listeners to move beyond tactical thinking and embrace strategic security management approaches that balance business needs with risk mitigation.
The episode also unveils Shon's upcoming 7-day and 14-day CISSP bootcamp blueprints: intensive training plans designed for candidates who need to prepare efficiently without spending thousands on traditional bootcamps. These structured approaches provide a cost-effective alternative while still covering the knowledge required to pass the CISSP exam.
Ready to strengthen your CISSP preparation? Visit CISSPCyberTraining.com for free practice questions, video content, and specialized training materials designed to help you pass the exam on your first attempt. The combination of conceptual understanding and practical application demonstrated in this episode is exactly what distinguishes successful CISSP candidates from those who merely memorize practice tests.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.
Speaker 2: All right, let's get started. Hey all, Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day. Today is CISSP Question Thursday and we are going to be going over five deep dive questions related to Domain 5.5. So we're pretty excited about that, and I definitely think you're going to enjoy these questions because, like we talk about, we can go through gobs and gobs of questions for the CISSP, but you can't really memorize them. The reason is that they want you to think like a manager, not just memorize questions so you can pass the test. So we highly recommend at CISSP Cyber Training, as do most folks out there on the internet who actually have a CISSP and understand cyber, that you understand the question before you try to memorize the actual answers. We're going to get into some of those here in just a minute, but before we do, we have an article I wanted to bring forward and talk to you about that I thought was extremely interesting.
Speaker 2: So this came from a friend of mine, one of my partners at Nextpeak, Stephen Bartolone, and he actually saw this article out there. It was very interesting, and it relates to AI and the overall insurance "risk" (air quotes) that they have to deal with. The article comes from Lawfare and it's titled something like "Why Liability Insurance Won't Save AI: Lessons from Cyber Insurance." The one thing we've learned with AI is that there are developers creating this code, but in many cases AI is creating its own code. So there's the question of: okay, who's going to be responsible if something were to happen in this space? And their point was that liability and insurance alone will not make AI safe. Many people think, well, you know what, we'll just throw rules against it, we'll charge you a fortune or we'll put you in jail if you can't make AI safe. And cyber insurance does show that these mechanisms often fail to drive any sort of strong security improvements. There are a couple of key quotes in here that just kind of shocked me a little bit, in the fact that there will be cyber insurance companies that may actually drop you, or won't even take you on, depending upon the type of AI risk that you may incur.
Speaker 2: So some of the key problems with cyber insurance are, obviously, poor data: incidents are underreported and loss data is quickly outdated. So the point is that they don't really know, right? People don't report these incidents. In a lot of cases they'll pay the ransom and nobody says anything about it. It's also extremely hard to measure the risk. Safety and security assessments rely on shallow questionnaires, not deep verification. We've all done those, and they're designed more or less to be kind of a placebo: check, yeah, check, yeah, we're good, we're good. But in reality they need to have a deeper level of understanding of these networks and of some of the questions they're asking on these security assessments. Weak incentives, obviously: premiums are based on company size and sector, not really on their safety efforts, on what they are doing to try to reduce the risk. And so, if you're a small company and you're trying to make these implementations, the premiums may not be enough to justify the expense that you have to go through to try to make it "secure" (air quotes).
Speaker 2: The other one is catastrophic risk. One failure can impact many users, obviously, between the shared models and the various infrastructures, and so that can cascade. A big problem with the overall insurance plan is: what are those catastrophic risks, and what is that cascading effect? A lot of times, with third parties that are connected into businesses, you don't always know the level of risk that you're incurring by a third party connecting in, and the same goes for a third party that's actually connecting into your organization. You may not even know that yourself. So it's a very squishy, very squishy situation. And then there are exclusions and there are caps, right? Insurers will avoid high-risk scenarios, leaving gaps in coverage. And then who's holding the bag? The businesses. So, when it comes to AI-specific challenges, that's part of it. Just dealing with insurance itself is that many of the situations that occur in AI could be accidental, right, and they could spread across multiple industries and be harder to actually understand than the overall models themselves. So it's a very weird spot we're going to be in, and it's going to be interesting to see what risk insurance companies will actually put against AI and be willing to cover.
Speaker 2: I just don't know myself, if I was an insurance company. It's hard to understand, because some companies see this as a really good opportunity to really tighten down and avoid the risk of the AI language models that they're deploying. Other companies are like, hey, this is awesome, let's just throw it in place and let's go. And so that's a really tough spot for insurance companies, and we'll see how they play with it, because whatever I say is probably going to be the opposite of what happens. But to me, unless a person has a really strong security assessment and they know the network, I think the insurance companies are going to require, not these little placebo-type checkbox options, but some deep level of assessment that is going to have to occur before they provide coverage. So it's just something to consider; I don't really even actually know. The bottom line is that you can see these insurance companies are going to require audits, incident reporting and safety standards, all of which are going to have to be put in place, especially as it relates to AI, and they're going to require to see them. And it's going to be one of those aspects where more burden is put on the businesses to pay for these audits and these additional security assessments.
Speaker 2: So, again, if you're a senior leader and you're listening to this podcast going, yeah, I don't really know how I'm going to deal with it, you've got your work cut out for you. I would say one thing, and again, it's obviously a shameless plug, but at Nextpeak we do have a good AI risk assessment strategy that can help you dramatically, and especially if you're a financial institution, we have some really good tools to help you in that regard. But the bottom line is you're going to have to think about it, you're going to really have to understand the risk to your organization, and you're going to have to communicate that to, one, your shareholders and, two, the overall auditors. So, really good article from Lawfare. It actually caused me to think pretty hard about all of this and get a deeper understanding of it as well. All right, so that's all I've got for that.
Speaker 2: Let's move into what we're going to talk about today. Okay, so before we get started on the questions, I wanted to let you know that I'm just coming up with a new bootcamp idea. It's going to be a seven-day and a 14-day bootcamp that you can go through at CISSP Cyber Training. It's a blueprint that'll walk you through the training that's available to you and what you need to do. I'm not going to sugarcoat it: it's going to be a challenge. You're going to have to really, really focus on this information to be able to go through seven to 14 days of it. Now, you can go out and spend thousands and thousands of dollars on a bootcamp, and if that's what you want to do, I highly recommend you go do that.
Speaker 2: This is for the folks that can't really go out and spend that kind of money. Here is a bootcamp with all the content you need to pass the CISSP, but I'm going to give it to you in a seven-day and a 14-day package. Obviously you can go longer, because we have the three-, four- and five-month plans that are out there. But I've been getting people asking, hey, what is the plan if I want to get this done in the next 10 to 15 days? What do I need to do? So you're going to get two options, a seven-day and a 14-day, and you can kind of figure out how you want to go about it. That will be coming out soon. You'll be able to go to CISSP Cyber Training and get access to it through the paid products we have out there. Again, go check it out at CISSP Cyber Training. We have a lot of free stuff there, and we also have a lot of paid stuff available to you as well. The 7- and 14-day plan will be part of the paid product. That being said, if you want the free stuff, there's plenty of free stuff there that'll help get you on the way to studying for the CISSP. So let's get started on these deep dive questions over Domain 5.5. Okay, question one: During a quarterly access review, the security team noticed that multiple users still have privileged access to a database that was decommissioned two months ago.
Speaker 2: Which of the following represents the "best" (air quotes) action to take to mitigate this risk? Again: during a quarterly access review, the security team noticed that multiple users still have privileged access. That's another key term. When you're reading through these questions, focus on key words; "privileged" would be one. To a database that was decommissioned two months ago. Which of the following represents the best (another key word, "best") action to take to mitigate this risk? A. Immediately disable the database accounts to prevent unauthorized access. That's an option. B. Notify the system owner to request account removals during the next quarterly review cycle.
Speaker 2: C. Implement an automated control that disables unused accounts after a set period of inactivity. Or D. Perform a root cause analysis to determine why the decommissioning process did not revoke access, and update that overall process. So each of those is right in its own way. Which one is "best" (air quotes)? The answer is D: perform a root cause analysis to determine why the decommissioning process did not revoke access, and update the process. Immediately disabling the database accounts to prevent any unauthorized access is a good idea, but it's probably a little bit more draconian. Notifying the system owner to request account removals during the next quarterly review is a correct thing; it's a good plan to do. But again, they mentioned "privileged," and if it's privileged, you wouldn't want to wait for the next quarterly review cycle.
Speaker 2: C, implement an automated control that disables unused accounts after a set period of inactivity. Well, that may be what's in place, but for some reason it didn't occur. So therefore, performing the root cause analysis would be the better choice, because you just don't know, and you need to figure out why it didn't do what it was supposed to do. Improvement in governance is a key factor when you're dealing with the CISSP, and that's how important it is. So you just have to plan for this and think strongly, as you're walking through these questions, about which one is the best answer and which one is not, and then make your choices accordingly.
Speaker 2: Question two: A large enterprise recently automated its HR-driven provisioning process. However, there's a concern that terminated users may retain access for several hours until the next scheduled sync occurs. I've seen this happen. Which of the following controls is the most effective to address this risk? So again, someone gets let go, and then there's a sync that will remove the access. So it could go hours. What defines "hours"? Hours could be six hours, four hours, could be 24 hours, could be 72 hours. So the question you have to ask yourself is: what level of risk are you willing to accept for your organization? And it may not be you that makes that decision; it may be your board, maybe your CEO, whoever. But you're going to have to have a plan for how much risk your organization is willing to accept during this process.
Speaker 2: So, A. Reduce the synchronization interval between HR and the IAM systems to near real time. Okay, that's a possibility. B. Require managers to manually submit termination tickets immediately after the employee departs. Manual can be a problem. C. Implement a quarterly audit to ensure that terminated users no longer have system access. A quarterly audit, that's good, but that doesn't deal with the issue at hand right now. And then D. Configure applications to lock accounts automatically after a defined number of failed login attempts. Okay, that's an important part, but it doesn't really address the overall problem we're dealing with here. The best answer would be A: reduce the synchronization interval between HR and the IAM, basically identity and access management, systems to near real time. Now, that may or may not be possible. So when they say "near real time," it depends on your situation and the risk your company is willing to accept. Something to consider there. Managers manually submitting termination tickets, that's just not going to work, right? They're going to fail. Quarterly audits, like we mentioned, are good, but they're quarterly; that doesn't help you a whole lot in this situation. And then D, configuring the lockout? Yeah, that's fine, but you're assuming that the person who gets access will lock themselves out. They may not, so that doesn't really help you a whole lot.
Speaker 2: Question three: You are implementing role-based access control, or RBAC, in a healthcare environment. The challenge is balancing the principle of least privilege while minimizing administrative overhead. Always a problem. Which approach best satisfies both objectives? And the objectives are, again, least privilege and minimizing administrative overhead. A. Create a unique role for each user based on their specific job duties. B. Develop broad roles with extensive privileges to reduce the number of roles to manage. C. Define roles based on job functions, i.e. nurse, doctor, billing, and so on, and grant the minimum required permissions. And then D. Use discretionary access control, or DAC, to allow users to share data as needed.
Speaker 2: So again, the challenge is balancing the principle of least privilege while minimizing administrative overhead, which basically means fewer roles. Administrative overhead, you want less of that, but you also have to have some level of control. So creating a unique role for each user based on their specific job duties is not reducing administrative overhead, it's increasing it. It's a good thing, I mean, as far as RBAC goes.
Speaker 2: But that makes it much more complicated. Developing broad roles with extensive privileges to reduce the number of roles to manage flies in the face of least privilege, where you want fewer privileges, not more, so that one would be thrown out as well. The right answer is C, but let's go down to D first: use discretionary access control to allow users to share data as needed. So you're putting a discretionary access control in place. That is a very tactical type of situation, and doing something like that would give you some ability, but it really kind of throws out role-based access control, because you're not dealing with a role, and it makes it much more complicated from a managerial or overhead standpoint. Will it work? Yes. But does it complicate things? Yes, and it doesn't meet those two objectives they were trying to accomplish. C, the correct answer, is define roles based on job functions, i.e. nurse, doctor, billing clerk, and grant the minimum required permissions. So again, it's reducing our overhead because you are tying it to specific positions. Now you may change that and say the billing clerk may be very specific, but maybe it is "administration," and you have one role set up for administration, and that's everybody outside of nurse, doctor, clerk, et cetera, and so that would reduce some of the administrative overhead. But it also does role-based access based on the overall role they have. So you just need to kind of decide which that is.
Speaker 2: But if you go through all four of those options, the best one is C, right? Define roles based on job function and grant the minimum required permissions as necessary. Question four: An attacker gains access to a low-privilege service account that has local admin rights on several servers. What is the best long-term mitigation strategy to prevent similar privilege escalation risks? Again, they have a low-privilege service account that has local admin on several servers. So the reduced privileges are on the service account, which is good, but it has local admin rights on several servers. That's bad. Okay, so let's talk about this. The best long-term mitigation plan: A. Rotate service account passwords on a regular schedule.
Speaker 2:That's not a bad thing. B remove unnecessary admin rights from the service accounts and implement least privilege. That's probably a better thing. C is configure alerts for all logins of service accounts. Or? D increase the complexity of the service account password to 30 plus characters. So there's a lot of things that are going on here and there's some different kind of strategies, but there's a long term strategy and a short term strategy, okay.
Speaker 2:So rotating service account passwords on a regular schedule is a valuable thing and it's something that would be useful. However, depends on what that schedule is going to be. If it's daily, well, that's amazing. If it's weekly okay, that's really good. If it is daily or if it is like every quarter, okay, I'll take that. If it's once a year, yeah, it's not so good. And then if it's never done, well, obviously, that's not good at all. So you just need to determine what you're going to do in that space Remove unnecessary administrative rights from the service accounts and implement least privilege.
Speaker 2:We'll come back to that, because that is the correct answer. Configure alerts for all logins and service accounts so that's good, we should have that in place, but that will not stop the long-term mitigation strategy. That's just basically a tactical decision. D increase the complexity of the service account passwords to 30 plus characters. Well, that would be good. You do a password reset and you would force it to 30 characters, which is awesome. However, depending on where these folks are at within your network, that may or may not deter them from getting access to all of your data. So the right answer, the most correct answer, the best long-term mitigation strategy is B remove unnecessary administrative rights from the service accounts, which should be a no-brainer, and implement lease privilege. So all service accounts should have any sort of administrative rights removed, unless they are specifically designated and they need to have it. And if they do need to have it, those need to be monitored and on an ongoing basis, to make sure they don't do something they shouldn't do. So again, lots of nuances here, and I know we spent some time on it, but the point of it is is that you need to always look at removing these unnecessary admin rights from any account that you have, and again, the key term is unnecessary. If it's necessary, well then, obviously you got to keep it, but anything that is just kind of yeah, we didn't really know what to do with it, so we gave it access, that's a bad idea.
Speaker 2: Question five: Following a merger, an organization discovers hundreds of orphaned accounts that were never deprovisioned from the acquired company's directory. Oh, shocker there. Yeah, if you've done any sort of M&A, you'll find that, like, oh yeah, it's scary. Which control would best prevent the situation from reoccurring after future mergers or organizational changes? So, okay, we found it, we addressed it.
Speaker 2: What do we put in place to stop it in the future? A. Conduct a one-time cleanup of the orphaned accounts and move on. Okay, well, yeah, that's good, but not good enough. B. Implement periodic account recertification with business unit owners. That looks promising. C. Require users to reauthenticate every 30 days or their accounts are disabled. That's not terrible. That's a good idea; it just adds a lot of complexity, but we'll get to that. And then D. Rely on HR notifications to manually disable accounts when employees leave. Okay, so I kind of hinted at it: B is the most correct answer, implement periodic account recertification with business unit owners, and we'll come back to what that means here in just a second.
Speaker 2: So, conducting a one-time cleanup of orphaned accounts. What does that mean? Well, that's great. That addresses the problem here and now, but it does not address the bigger problem, because the question asks what you do in future mergers and organizational changes. How are you going to deal with that? That's the big challenge, and that one just kind of throws it out the window. Okay, C, require users to reauthenticate every 30 days or their account is disabled. Now, that is a great idea. That's awesome.
Speaker 2: The problem is that you're now going to get a lot of people who are going to be ticked at you because they have to recertify every 30 days, and it will make them very unhappy. It will make them very moody, and they'll have pitchforks and torches flying at you, or whatever those things are. Whenever you've seen a movie where folks have got pitchforks and torches, yeah, that's what'll happen to you if you do that. D, rely on HR notifications to "manually" (air quotes) disable accounts as employees leave. Okay, doing anything manually in the IT space is not good. You just don't have time and things will get missed. So you just throw that out the window.
Speaker 2: So the right answer, as we talked about, is B: implement periodic account recertification with business unit owners. The point of this is that when you're doing these accounts, you need to make sure that the business units actually understand what the heck you even have. There have been plenty of times where I've had numerous accounts that are tied to the business, and the business says, yes, we must have this, it has been going on like this forever, we've got to keep it. But then, when you start showing them what it does and where it's at and the risk that it incurs, they sometimes will change their mind. So the point is that you need to get your business unit owners involved in all of these types of discussions, because at the end of it, it's on them, not necessarily completely on you. Now, it might be on you, but the goal is that you need more people involved in this overall decision-making process. So that is all I have for you today.
Speaker 2: Again, in the deep dive we just go over about four to six questions and kind of dig deep into those, and the goal is to walk you through a question and the thought process that goes into it. These questions are not questions that you will see on the CISSP exam, but they are a reflection, yes, a reflection, of Domain 5.5. So if you understand CISSP Domain 5.5, and you understand many of the different topics within it, then these types of questions will be very easy for you, because you'll go through and you'll just start being able to whittle them down. So, again, I highly recommend it if you're interested.
Speaker 2: I've got it coming; you'll see it soon. If you're part of my program, I'll send out an email to everybody. Sign up for my free stuff.
Speaker 2: By doing that, you will get access to anything new that's coming out within my site, and I will send you out any notifications on the seven- and 10-day blueprint that will help you with the bootcamp and get you done. I highly recommend that you do it. It'll be awesome. I totally recommend that, if you're going to be doing the seven or 10 days, my bootcamp will help you do that. Okay, that's all I've got for you. I hope you have a great day, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube: just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.