CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 287: Practice CISSP Questions - Deep Dive (Domain 5)
Leadership churn is reshaping security from the top down. We open the door on why CISO tenures are shrinking to 18–26 months and what that says about pressure, culture, compensation, and board-level risk literacy. From startups that stretch leaders thin to enterprises that treat security as a cost center until the breach, we map the real incentives behind the “revolving door”—and share what actually extends tenure: clear mandates, aligned executives, and measurable outcomes.
Then we flip to hands-on security with a crisp CISSP Domain 5 deep dive. You’ll hear real-world IAM scenarios and how to reason through them: federated identity where users authenticate but can’t access apps (hint: attribute-to-role mapping at the service provider), RBAC implementations that quietly violate least privilege, and when mandatory access control beats RBAC or ABAC for classified environments. We also dissect deprovisioning gaps that leave terminated users active in SaaS platforms and outline the operational fixes—source-of-truth integration, event-driven provisioning, and reconciliation from the SaaS side. To cap it off, we tackle a red-team classic: static admin creds in scripts. The modern answer isn’t longer passwords; it’s just-in-time privilege through PAM and secret vaulting so nothing sensitive sits on disk.
If you’re a senior technologist eyeing the CISO seat—or a CISO seeking sustainability—you’ll get a blueprint for aligning authority, resources, and risk. And if you’re prepping for the CISSP exam, these identity and access patterns will sharpen your instincts for both test day and production. Enjoy the conversation, and if it helps, subscribe, share it with a teammate, and leave a quick review so others can find it too.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber. I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Good morning everyone. This is Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday, and we are planning to discuss a deep dive related to the questions on the CISSP domain 5. So we're pretty excited about that. But before we do, we are going to be talking about an article that I just saw in the CSO magazine. I've been actually sitting in my camper, I'm on my mobile command post recording this podcast as we speak, just having a little bit of extra time as I'm out seeing my grandbabies. So I saw this article while I was just kind of looking around and thought, oh, this is pretty interesting. And wow, it actually relates. So the question, or I should say the article, states: Is the CISO chair becoming a revolving door? And this is by Amy Chatterdevong. I can't say her name very well, but she's a contributing writer to CSO magazine. Go check it out. It's pretty good, actually. But here are the basic nuts and bolts of it. And you know what? I will pretty much attest to it because it fit me like a glove. So they're saying now the typical CISO is lasting about 18 to 26 months, and it's far lower than the broader C-suite for most organizations. I was with my company much longer than that, but I would say most of the people I talk to in this world from a CISO standpoint, they are relatively short timelines. They are pretty much 18 to 26 months. Some are a little bit longer than that, but for the most part, they seem to kind of rotate in and rotate out, especially if they've been brought in from an outside entity.
If they've grown up from inside the organization and the culture, they tend to last a bit longer. That's kind of what happened with me. I'd say the ultimate point of all that, though, is a lot of things we're going to go into here real quick. And the reason I'm telling you all this is because most of the folks that listen to this podcast are senior IT folks that are working on their CISSP, or there are folks that have a good enough experience that they're maybe aspiring to be a CISO at one point in the future. So a lot of things have to change for the CISO area for it to become a little bit better for much more tenure. And realistically, 18 to 26 months is not a long time for any CISO to be in the seat. It usually takes about six months just to get your feet underneath you for any organization. But some of the driving factors that the article brings up are the high-stakes pressure and the blame environment. Yeah, one single situation and the CISO is basically, all the fingers are pointing at him or her. So they're held responsible when things go wrong. And in some cases, they should be held responsible. But in other cases, as we'll talk about here in just a minute, a lot of it comes down to the culture of the organization as well. So they have to deal with very complex cyber environments, and trying to make these secured and protected can be very challenging. The startup versus the dynamic of the enterprise: one thing, the CISOs are often stretched into multiple roles on the startup. I'm dealing with a startup right now that I'm working with, and there are lots of different aspects tied to it. So it can be a very daunting task. But larger organizations tend to retain their CISOs longer given they have a broader scope and more teams and ongoing complexity. But that is not necessarily true either.
A couple very large organizations I've been working with here in the not too distant past, both of their CISOs have moved on. And one was because they wanted to, the other one was, you don't really know. But could be one that they were not happy with him. Motivations and career path evolution. Some CISOs say they move on because they reach the business-as-usual mindset, and their role stops challenging them, and they also don't have opportunities outside of what that role is for them. So they basically kind of shift towards more of a fractional or consulting role, mentoring or vendor leadership, basically seeking the balance and the issues that go along with that. Hence that is what happened to me. Just to kind of put it in perspective, I was told, well, before Christmas, about this time last year, or not last year, a few years ago, when I talked to my senior leadership, I asked if I could work from home based on my kids' schedule, and they were doing a big push for, well, basically coming back to work kind of thought process. They were back to work for a while from the office standpoint, but there was a big push to not do any work from home, and I just asked the question, hey, do you mind if I work from home for a couple weeks while my grandkids are in town? And that was all I needed for the dear Lord to push me in the direction of going, no, you need to leave, because they came back and said, No, I'm sorry, but you need to work in the office. And I was like, Are you kidding me? We just went through COVID and all I'm asking for is two weeks to work from home. And so after that, that was all it took for me. But bottom line is that you need to kind of figure out what is going to be best for you. Liability versus compensation imbalance. CISOs often have to deal with a lot of risk and exposure that lacks commensurate authority, resources, and rewards. That is very true.
My income was not that of many of my peers, and not that that was a huge factor, but it does play into all of this because you start going, well, is the grass greener on the other side of the fence? I will warn you, it's never greener on the other side of the fence. There's other organizations. Basically, the implications for ideas around this, one of the things you want to have to help fix this problem is that you really need to support your CISOs from a well-defined role standpoint and executive alignment. I've seen this and lived it where the executives are not fully aligned with the cybersecurity plan for the organization, and therefore you become relegated as just kind of, yeah, go sit in the corner and don't worry about it. Then when something bad happens, guess what? Your neck is on the line. I had a situation that occurred where I was treated very much like that, where you just go sit in the corner, you do your cyber stuff, we'll call you, don't call us, kind of thing. And they're very good. And I'm not saying this is a bad thing on any of the organizations I've been with. That is just kind of the mindset, and it's understandable why, because they want to make money. Cyber is a cost center, and it just kind of ends up being more and more money. However, until the hack occurs, and then they look at you and they go, What did you do? How did you fix this? And yeah, I felt a lot of pressure to the fact that if I hadn't had a good plan in place, I definitely would no longer be with the organization. So, again, that's one of those things where you really got to plan for it. Emphasizing communication, stakeholder management, and board-level risk literacy is an important part of that. You also need to recognize when the CISO's mission has matured or when new challenges are needed. If they've matured, what do you do beyond that?
How do you help this person when they're in a cybersecurity standpoint? What is their next step in their next role? So it's a big factor there. And then the rise of the fractional or hybrid CISO models. This is partly responsible for the intense demand as well, because, you know, I personally look at myself, I do not want a full-time CISO role. I do not want that. My quality of life is much better with what I have now. Do I make as much money? No. Do I need as much money? No. And what I've learned is that the more money you make, the more you pay in taxes, and you really just end up working for the tax man. So you gotta kind of weigh out what works for you. If the compensation was substantially higher, well, then you would think twice about it. But when the compensation is that of probably some high managers, then you start questioning, is it really worth the effort? So, something to kind of consider. Again, great article from CSO magazine: Is the CISO chair becoming a revolving door?

Okay, so let's move into our deep dive questions. Okay, so you can get all of this at CISSP Cyber Training. You just sign up for my free content. You can get all kinds of free stuff that's available. I've got about 360 free questions. They're all available for you at CISSP Cyber Training. These questions, the deep dive questions, and I'm actually in the process of building out a test, a 250 question test that you will be able to test your knowledge with at the end of going through my content. That's all gonna be available through some of my paid products. I have three different paid products that are available for you to check out. Go check those out at CISSP Cyber Training. I'll tell you bluntly, it's the cheapest you'll ever spend on CISSP training, and it's all there laid out for you. If you go through this training, you will pass the CISSP exam.
But you gotta go through the training, you gotta follow the blueprints, and you've got to be able to do all that. But these questions are all there for you at CISSP Cyber Training. It's great, great products that are out there, if I do say so myself. So this is domain five, deep dive questions. Let's go into these questions to give you an idea of what you need to kind of expect for the CISSP exam. Again, disclaimer, these are not questions you will see verbatim on the test. They're just not. These are ones that were created by myself. But the point of this is just to kind of give you an idea of what is out there and how you should start thinking about the different test questions.

Question one. A multinational organization is integrating with several cloud service providers using federated identity models. During testing, users are able to authenticate but cannot access specific cloud applications even though authorization tokens are successfully issued. What is the most likely cause of this issue? A, identity providers are not signing SAML assertions properly. B, the service provider is not mapping SAML attributes to the local roles correctly. C, OAuth 2.0 tokens have expired due to the short token lifespan or lifetime configurations. Or D, the IDP clock is out of sync with the SP, causing assertion validation failures. Okay, so let's walk through each of these. So when it comes down to it, with A, the identity provider is not signing SAML assertions properly. Incorrect signatures would prevent login entirely. So if you didn't have the right signatures in place or the assertions in place, then you wouldn't even be able to log in at all. With C, OAuth 2.0 tokens have expired due to short token lifetime configurations. Okay, the token lifetime issues would cause session timeouts and not immediate access denial. So that wouldn't be the issue as well. And then let's look at D.
The IDP clock is out of sync with the service provider, causing assertion time validation failures. So clock skew basically causes failed assertions, not partial access failures. So this is a partial access failure, and so what could that possibly be? So it really comes down to authentication, basically users that are being logged in, they're able to be logged in, but the authorization fails. This is the point where the role or the attribute mapping issue is between the IDP and the SP, the service provider. So this is between your identity provider and your service provider. The service provider must translate identity attributes into local permissions, and if this fails, the users are authenticated but denied access. So in this situation, the service provider is not mapping SAML attributes to the local roles correctly.

Question two: a financial institution implements role-based access controls, or RBAC. However, the auditors find that users in multiple departments share the same role but have different access needs. What security principle has the organization most likely violated? Okay, so they have roles, but basically everybody's lumped into a bunch of roles. Okay, A, separation of duties. B, least privilege. C, need to know. Or D, accountability. Okay, so let's talk about this a little bit. A, separation of duties. Separation of duties ensures that no single user will have the ability to have a specific information, and it's not really based around role structure. So therefore, it really wouldn't be something that would be tied to a role. Need to know is a focus on access for specific information, not general role structure. So you just need to know that information. That doesn't really match with our RBAC, which is your role-based access controls. Or D, accountability, it basically deals with the traceability of actions, not a specific role assignment.
So again, A doesn't sound right, C doesn't sound right, D doesn't sound right. It is, of course, B, least privilege, right? So least privilege is what you'd be looking at from an RBAC standpoint. These roles grant only the minimum permissions necessary for users to perform their specific job duties. So you want them to have the least amount of privileges for the specific role. Now, if people are all thrown into a bucket, what ends up happening? Well, now everybody has the same level of privileges. So you're not breaking people's roles out, you're just making everybody have the same level of access. And so what would end up happening is, ideally, that role that is there probably has a significant amount of capability within it. So interesting part about question two, but the correct answer is least privilege.

Question three. An organization handling classified data needs to prevent users with lower clearance levels from accessing higher classification data and also prevent high-level users from writing to lower levels. Which access control model should be implemented? Okay, so we've got A, discretionary access controls, or DAC. B, role-based access controls, or RBAC. C, mandatory access controls, MAC. Or D, attribute-based access controls, ABAC. Okay, so let's walk through these. A, let's look at that one. DAC allows owners to modify permissions, unsuitable for classified data. So that's your discretionary piece of this. And that would probably be incorrect because you're looking for some level of mandatory access controls. So let's look at why role-based access is not the proper one. It's role driven, it's not classification driven. So again, you're dealing with classification, so it would focus on mandatory access controls because those are the classification levels in which you're going to be mandatorily requiring them. ABAC, attribute-based, is more dynamic and policy-based, but not used for strict government classifications.
I say that it can be used for government aspects, but it's when you're dealing with it in a more dynamic environment, attribute-based makes it a little bit more challenging. When you're dealing with just only a couple tiers, such as classified top secret, secret, and so forth, mandatory access controls based on your specific capability is really what you'd want to focus on. This implements, when you're dealing with that, so MAC will enforce the security labels such as confidential, secret, top secret, and so forth, as well as the various clearance levels that are associated to it. It implements the Bell-LaPadula model, which prevents read up and write down, maintaining confidentiality in the area that you have access to. So again, when you're in that bucket, you're in the classified bucket, you cannot read up and you cannot write down. So now I will say that if you are in a top secret, you can write, you can read down if you're a top secret into the various aspects of the secret environment. But if you're in secret, you can't read up, but you can read down into the unclassified environment. So again, when you're dealing with classification levels, the answer would be C, mandatory access controls.

Question four. A global enterprise recently developed an identity governance solution to automate provisioning and deprovisioning. During the review, security discovers several terminated users still have access to third-party SaaS platforms. That's software as a service. Which is the most likely reason for this specific issue? Okay, so let's walk through each of these. A, privileged accounts were excluded from periodic certification reviews. B, the deprovisioning process is not integrated with the external identity stores. C, multi-factor authentication was not enforced on SaaS platforms. Or D, federation metadata between IDP and the SP has expired. Okay, so let's break this down.
A, privileged accounts were excluded from the periodic certification reviews. Now, privileged accounts are a risk, but the issue affects all terminated users. It does not affect the privileged ones. So therefore, this is not something that would be the correct answer. When you deal with C, MFA doesn't handle access removal. So your multi-factor is basically focused specifically around their additional access control. Now, D, your expired metadata would break authentication, not cause excessive access retention. Question four. A global enterprise recently implemented an identity governance solution to automate provisioning and deprovisioning. During the review, security discovers several terminated users still have access to third-party SaaS platforms. What is the most likely reason for the issue? A, privileged accounts were excluded from periodic certification reviews. B, the deprovisioning process is not integrated with external identity stores. C, multifactor authentication, or MFA, was not enforced on the SaaS platforms. And then D, the federated metadata between the IDP and the service provider has expired. Okay, so let's look at some of these and which are the correct answers. Okay, so A, let's look at that. Privileged accounts were excluded from periodic certification reviews. Now, privileged accounts are a risk, but this issue only affects terminated users. It isn't affecting privileged accounts. So you could throw that one out. C, which is dealing with multi-factor authentication, okay, this multi-factor doesn't handle access removal. Now you may pull their multi-factor once they have terminated, but multi-factor is not involved with access removal. So think about that in the chain of when MFA is used. If you're not real sure, going, well, MFA isn't tied to terminations. Now, the federation metadata between the IDP and the service provider has expired. Metadata would break authentication. So that's an important part.
Not cause excessive access retention. So one of the things to consider is that if you have the metadata, it would break your authentication piece of this. But if you look at the question it's asking about, they discovered that several terminated users still have access to third-party SaaS platforms. That wouldn't be a problem because, right, if your metadata would break your access, it wouldn't allow you, it wouldn't give you more access. So then the right answer is B. The deprovisioning process is not integrated with external identity stores. So how does this all play out? Well, access lingering on third-party SaaS apps will indicate a lack of integration between the enterprise IDP and the external service providers. So again, if it's not connecting between them, then you're gonna have a problem. I've seen this happen many times with products that are like the ones that you sign, or what do you call it? I can't think of the name of it, but you actually will sign it for any sort of signatures. DocuSign, that's it. Like DocuSign has in the past, and I think they've fixed that since then, they've had integration challenges. So if you don't have a good integration between your IDP and your service provider, you can end up having a lot of challenges, and it can end up having access that you don't want people to have. If it connects through APIs and they don't propagate the deprovisioning commands, the users also can retain their access post-termination. So APIs are very useful, but they also can be very challenging.

All right, last question. During a red team exercise, testers successfully escalated privileges using stored administrative credentials found in a script within a production server. Not good. Which control would most effectively prevent this in the future? A, implement session recording for privileged users. B, require dual approval for privileged account creation. C, rotate administrative passwords every 30 days. Or D, enforce just-in-time privilege elevation through a PAM solution. So let's talk about this. A, implement session recording for privileged users. Session recording aids in forensics, not prevention, right? This would not stop this from occurring. Okay, require dual approval for privileged account creation. So dual approval will prevent misuse of creation, but not the overall credential exposure. The credentials are already there. They're already in the open, they're in the wild, but this would not stop that. They're already doing their thing. Password rotation, right? So if we deal with rotate administrative passwords every 30 days, password rotation will help, obviously, but it does not eliminate credential storage issues. So what ends up happening in many cases is these credentials will not be moved from where they're at. So therefore, what ends up happening is they just get stored there forever and they never get changed. So again, not good.

Okay, that is all I have for you today. I hope you enjoyed this. Go check me out at CISSP Cyber Training. We're excited to work with you guys at CISSP Cyber Training. All the CISSP questions you need, all the training is there for you. I've got a plethora of free content. Go check it out. And if you just really want to study for your CISSP and really feel confident that you are gonna pass, go check out my paid products. They are there, they are so inexpensive for what you get in relation to passing the CISSP exam. I guarantee you, I do. There's some great, great content. And the amount of money that you spend, just save yourself a few Starbucks lattes, and you will pay for it. It's not that terribly expensive, and it's there for you to be successful in the CISSP. Okay, thank you so very much, and hope you have a wonderful, wonderful day, and we will catch you on the flip side. See ya. Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
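The failure mode behind question one (users authenticate, yet get no access) shown as an added Python example; this is not code from the episode or from any identity product. The SAML assertion, the attribute names and the service-provider mapping table are constructed for illustration, and signature validation is assumed to have already happened.

```python
"""
Added example: why a federated user can authenticate successfully yet be
denied access to an application.

The identity provider (IdP) issues a SAML assertion; the service provider (SP)
must translate the assertion's attributes into local roles. If the SP's
attribute-to-role mapping does not match what the IdP actually sends,
authentication succeeds but authorization yields no roles at all.
All names, values and the mapping tables below are constructed.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion as the IdP would send it (signature omitted; assumed
# to have been validated already, since a bad signature fails login outright).
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cloud-app-users</saml:AttributeValue>
      <saml:AttributeValue>finance-readonly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# SP-side mapping: which assertion attribute carries group membership, and
# which group values translate to which local application roles.
BROKEN_MAPPING = {
    "group_attribute": "groups",  # misconfigured: the IdP actually sends "memberOf"
    "roles": {"cloud-app-users": "app.user", "finance-readonly": "report.viewer"},
}
FIXED_MAPPING = {
    "group_attribute": "memberOf",
    "roles": {"cloud-app-users": "app.user", "finance-readonly": "report.viewer"},
}


def parse_assertion(xml_text):
    """Return (subject, {attribute_name: [values]}) from a SAML assertion."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return subject, attrs


def authorize(xml_text, mapping):
    """Simulate the SP: authenticate from the assertion, then derive local roles.

    An empty role set with authenticated=True is exactly the "logged in but
    denied" symptom from the question: authentication worked, authorization
    has nothing to grant because the mapping never matched.
    """
    subject, attrs = parse_assertion(xml_text)
    authenticated = subject is not None
    group_values = attrs.get(mapping["group_attribute"], [])
    roles = sorted({mapping["roles"][g] for g in group_values if g in mapping["roles"]})
    return {
        "subject": subject,
        "authenticated": authenticated,
        "roles": roles,
        "authorized": authenticated and bool(roles),
    }


if __name__ == "__main__":
    for label, mapping in (("broken", BROKEN_MAPPING), ("fixed", FIXED_MAPPING)):
        print(label, authorize(ASSERTION_XML, mapping))
```

The same check is a useful triage step in production: if the SP's derived role list is empty for a user who clearly has a valid assertion, look at the attribute name and value mapping before suspecting signatures or clock skew.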
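The reconciliation from the SaaS side discussed under question four (catching terminated users whose deprovisioning never propagated), as an added Python example that is not from the episode. The HR and SaaS exports are constructed sample data, and their column names are assumptions.

```python
"""
Added example: reconcile a SaaS platform's user list against the enterprise
source of truth to find deprovisioning gaps.

Event-driven deprovisioning (the IdP pushing a disable when HR terminates a
user) can silently fail when the SaaS integration is missing or an API call
is not propagated. A periodic pull-and-compare from the SaaS side catches
what the push missed. Both exports below are constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed HR / identity source-of-truth export.
HR_EXPORT = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2024-02-15
carol@example.com,terminated,2024-03-01
dave@example.com,active,
"""

# Constructed user export pulled from a third-party SaaS platform.
SAAS_EXPORT = """email,status,last_login
alice@example.com,active,2024-03-09
bob@example.com,active,2024-03-08
carol@example.com,suspended,2024-02-27
erin@example.com,active,2024-03-10
"""


def load(csv_text):
    """Parse a CSV export into {email: row}, normalising e-mail for matching."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["email"].strip().lower(): r for r in rows}


def reconcile(hr_text, saas_text, today):
    """Compare the SaaS user list against HR and return (lingering, orphans).

    lingering: users HR marks terminated but the SaaS platform still shows as
               active, with days since termination and whether a login happened
               after termination (the highest-priority finding).
    orphans:   SaaS accounts with no HR record at all; a push-based
               deprovisioning could never have fired for them.
    """
    hr, saas = load(hr_text), load(saas_text)
    lingering, orphans = [], []
    for email, acct in saas.items():
        person = hr.get(email)
        if person is None:
            orphans.append(email)
            continue
        if person["status"] == "terminated" and acct["status"] == "active":
            term = date.fromisoformat(person["termination_date"])
            last_login = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
            lingering.append({
                "email": email,
                "days_since_termination": (today - term).days,
                "logged_in_after_termination": bool(last_login and last_login > term),
            })
    # Worst first: post-termination logins, then the longest-lingering accounts.
    lingering.sort(key=lambda f: (not f["logged_in_after_termination"],
                                  -f["days_since_termination"]))
    return lingering, sorted(orphans)


def run_sample():
    """Run the reconciliation over the constructed exports as of 2024-03-10."""
    return reconcile(HR_EXPORT, SAAS_EXPORT, date(2024, 3, 10))


if __name__ == "__main__":
    found, orphan_accounts = run_sample()
    for finding in found:
        print("LINGERING", finding)
    for account in orphan_accounts:
        print("ORPHAN", account)
```

Carol is not flagged because the SaaS platform already shows her suspended; Bob is flagged as the worst case because he logged in after HR terminated him, which is the signal that should page someone rather than wait for the quarterly certification review.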