CISSP Cyber Training Podcast - CISSP Training Program

CCT 297: Practice CISSP Questions - Investigation Types (Domain 1.6)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 297


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

A single compromised API key can undo months of hard work. We open with a clear-eyed look at a reported Treasury-related incident tied to a privileged access platform and use it to expose a bigger problem: API governance that lags behind development speed. If an API is a doorway into your environment, why do so many teams leave it unlocked, unlogged, and unmanaged? We share a practical blueprint for centralizing API traffic through gateways, tightening authentication, rotating keys, and getting real visibility into what flows in and out.

From there, we dive into CISSP Domain 1.6 with crisp, exam-style questions that double as leadership lessons. We compare civil and criminal standards of proof, explain where regulatory investigations fit, and show how penalties differ across case types. You’ll hear why chain of custody can make or break a criminal data theft case, how direct and circumstantial evidence complement each other, and what lawful collection requires under search and seizure laws. Along the way, we clarify GDPR’s reach, the role of the SEC in insider trading probes, and how ECPA, CFAA, and FISMA divide responsibilities across privacy, computer crime, and federal system security.

We also make the case for forensic readiness as a standing control, not a post-breach scramble. Centralized logging, synchronized time, packet capture on critical paths, immutable storage, and clear retention policies give you faster answers and stronger footing with regulators. Inside the organization, administrative investigations live or die by policy clarity, and whistleblower protections keep truth-tellers safe enough to speak. By the end, you’ll have tangible steps to harden APIs, gather admissible evidence, and navigate the maze of legal and regulatory expectations with confidence.

If this helped sharpen your thinking, follow the show, share it with a teammate who owns APIs or incident response, and leave a quick review so others can find us. Your feedback guides what we tackle next.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

SPEAKER_00:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber, and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

SPEAKER_01:

Good morning, everybody. This is Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday. So, yes, we are going to be getting into the questions related to Domain 1.6 as it relates to the content that we provided on Monday's podcast. The ultimate goal of this Thursday is to provide you the information you need to pass the CISSP through some of the questions and potential questions you may see on the CISSP exam. Again, these questions are not questions that were pulled from ISC2 by any stretch of the imagination. These are ones just to get you thinking about how I thought the questions on Domain 1.6 could be asked of you.

But before we get started, I had an article I wanted to briefly bring up to you, and it is around the recent breach that occurred with the Department of Treasury. This is described as an attack that would have come from the Chinese government, supposedly. Again, I don't know that information; I'm just re-reporting what they have here in the news. But the bottom line is that there was an issue that occurred later this week, or I should say earlier this week, related to the Department of Treasury and how they had a major, air quotes, security incident involving BeyondTrust, which is a cloud-based service. The point of BeyondTrust is that it gives you a lot of different kinds of credentials; it acts as a PAM solution. And so, yes, it would be a great target for someone to attack. One of the things they bring up in this article is that no other agencies within the U.S. government were affected by this situation. Okay, I love how these articles come out. And I'm just gonna be very transparent: I have no idea if there were more people or more agencies affected by this by any stretch, but what I would ask or bring up is how this attack occurred.
You might want to think about how it is affecting other agencies within the U.S. government. This attack occurred because of a compromised API key for remote management services from BeyondTrust. Now, that whole hole between BeyondTrust and the API key for the Department of the Treasury, those specific key points, is probably covered. Yeah, it's probably good. There are probably no issues there whatsoever. That being said, if you are the federal government, they are working with other companies as well. And they also use APIs, and they use API remote management services. So the question really comes down to: what kind of control do they have over their API infrastructure? I've been saying this for a long time on CISSP Cyber Training, to anybody that'll listen to me: APIs, in my mind, are one of the biggest vulnerabilities we have within the security space. And the reason I say that is because in most cases they are unmanaged. They're allowing people to make a connection into your environment. And the goal is that you have tight controls over it, allowing what comes in and what goes out. But because they're so easy to establish, it can be very tempting for an individual to go and start up an API connection and go, aha, it works, life is good. And yeah, it does work. Unfortunately, if it's not configured correctly, it will create a nice little back door for people to get into your environment. So again, in this article, they're saying that at this time there's no indication of any other federal agencies that have been impacted by this, air quotes, incident. So if you are a cybersecurity professional or an IT professional of any kind and you have APIs within your environment, you may want to look at this pretty hard on how you are managing your APIs. We talked about this. They need to go through a gateway of some kind. You need to route all of your APIs through one central spot.
One, at a minimum, it gives you a level of visibility into these API connections. And two, it gives you some security controls over what's occurring. You should not allow just anybody to willy-nilly add APIs to your organization. So, again, I bring this up to the point that if you have this situation, or at least in the case of the Department of Treasury, there are probably other holes within their environment that they truly need to look at. Again, the CVE score on this was a 9.8, which is about as high as you can get. And if this is one situation that occurred, well, you can expect there are probably more. So, again, this is an article from SecurityWeek, and this is CISA: no federal agency beyond the Treasury was impacted by the, air quotes, BeyondTrust incident. Yeah, go check out your APIs. Don't wait for it. All right, let's move on to the questions for today. Okay, so again, this is over Domain 1.6.

Question one: Which type of investigation is most likely to involve preponderance of the evidence as a standard of proof? Again, which type of investigation is most likely to involve, air quotes, preponderance of the evidence as the standard of proof? A, criminal. B, civil. C, regulatory. Or D, administrative. And the answer is B, civil, right? The preponderance of evidence is a civil matter. What that means is that the evidence must show that it is more likely than not that the claim is true. Okay, the lower standard than that is beyond a reasonable doubt, which is used in criminal investigations. So the point of it is, again, preponderance is civil.

Question number two: What is the primary purpose of a regulatory investigation? Again, what is the primary purpose of a regulatory investigation? A, to enforce internal organizational policies. B, to resolve disputes between private parties.
C, to ensure compliance with legal and industry regulations. Or D, to collect evidence for criminal prosecution. So what is the primary purpose of regulatory investigations? The answer is C, to ensure compliance with legal and industry regulations. Again, the ultimate goal is that you have many masters in the cybersecurity space, and one of those is the industry, or your local regulations, between your local and also your federal, depending upon where you are at. So if you fall under those guidelines of regulations determined by your local or federal agencies, you need to make sure that you follow them.

Question three: In which scenario would chain of custody documentation be most critical? Again, in which scenario would chain of custody documentation be most critical? A, administrative investigations for policy violations. B, internal audit for process improvement. C, regulatory investigation for noncompliance. Or D, criminal investigations for data theft. In which scenario would chain of custody documentation be most critical? And the answer is D, criminal investigation for data theft. So again, chain of custody refers to the documentation and handling of the specific evidence to ensure that its integrity is maintained throughout the entire process. In a criminal investigation, it is essential to document all of this.

Question four: Which of the following is the best example of direct evidence in a criminal investigation? Again, which of the following is the best example of direct evidence in a criminal investigation? A, a witness statement about observing the theft. B, a log file showing unauthorized access to a server. C, circumstantial evidence linking a suspect to the crime. Or D, a forensic analysis report of a compromised system. So which of the following is the best example of direct evidence in a criminal investigation? And the answer is A.
A witness statement about observing the theft. Again, so you have somebody, a direct person, a witness who saw you lift it off of this USB drive; that would be direct evidence, and that would be admissible in court, right? So you'd be brought in and you would be used to answer what you saw. This is in contrast to, you know, a log file or a forensics report, which would be considered digital evidence or circumstantial evidence. If I have somebody that has eyeballs on it, that is direct evidence. If I have something that's a little bit tangential, on the side, it would be more along the lines of digital evidence or circumstantial evidence.

Question five: When conducting an internal administrative investigation, what is the most important first step? So when conducting an internal administrative investigation, what is the most important first step? A, alerting law enforcement. B, notifying all employees of the investigation. C, reviewing the organization's policies and procedures. Or D, collecting all available digital evidence. Again, when conducting internal administrative investigations, what is the most important first step? And it is C, reviewing the organization's policies and procedures. That's the most important first step, because if you don't have those in place and you're trying to do an administrative investigation, and the person did something that's outside of what your policies and procedures define, then you could run the risk of, you know what, you really don't have a case here, and you just might want to let that sleeping dog lie. It also will maybe make you go, you know what, I need to make some changes to our overall policy structure.

Question six: What legal principle must be followed to avoid evidence exclusion in a criminal trial due to unlawful seizure?
What legal principle must be followed to avoid evidence exclusion in a criminal trial due to unlawful seizure? A, search and seizure laws. B, chain of custody. C, subpoena authority. Or D, incident response guidelines. So what legal principle must be followed to avoid evidence exclusion in a criminal trial, which means you can't submit the evidence, due to unlawful seizure? And it would be A, search and seizure laws. Again, these laws are set up to govern how evidence can be collected legally. In the United States, the Fourth Amendment protects against unreasonable searches and seizures. And this came out, actually, this is a little bit of trivia, during the Revolutionary War. One of the big issues they had was around the British being able to just go in and seize whatever they want. So the U.S. created these laws to help put the guardrails on this and dictate what would be unreasonable searches and seizures. So again, if it's obtained unlawfully, then it may be excluded from the trial.

Question seven: Which regulatory framework specifically addresses data protection and privacy for European Union residents? Which regulatory framework specifically addresses data protection and privacy for European Union residents, EU residents? Okay. A, SOX. B, GDPR. C, PCI DSS. Or D, CCPA. And the answer is B. Yeah, General Data Protection Regulation, aka GDPR. It's a comprehensive data protection plan that was put into place many years ago. There was another one that was set up, I can't remember, it was Data, oh, I can't remember, Data Shield or something like that. But this GDPR was designed as an overarching kind of protection. And if you fail to meet what GDPR asks for, it is expensive. So people put a lot of time and money into being compliant with GDPR.

Question eight: A company's internal investigation reveals that an employee is violating a non-compete clause. This type of investigation falls under which category?
So non-compete, an employee is violating it. A, regulatory. B, civil. C, criminal. Or D, administrative. Okay, so an employee violating a non-compete, and it would be D, administrative. So internal investigations into non-compete clauses would typically be administrative in nature. And they all more or less come down to: you want to enforce the company's policies. So that would be administrative.

Question nine: What distinguishes civil investigations from criminal investigations in terms of penalties? Again, what distinguishes a civil investigation from a criminal investigation in terms of penalties? A, civil investigations focus on financial or injunctive relief. B, criminal investigations can result in imprisonment. C, criminal investigations only result in financial restitution. Or D, criminal investigations are always initiated by private entities. Okay, what's the difference between civil and criminal? A, civil investigations focus on financial or injunctive relief, right? That's the main point of them. They put injunctions in place to prevent certain actions rather than punitive measures like imprisonment. That's the ultimate point. But again, that comes back to, with civil and criminal, the differences in what is defined and needed for evidence: beyond a reasonable doubt is criminal. And so therefore the evidence aspect falls into that category.

Question ten: Which of the following best describes circumstantial evidence? Question ten is, which of the following best describes circumstantial evidence? A, the direct observation of a criminal act. B, evidence that implies a fact but does not directly prove it. C, evidence that is inadmissible in court. Or D, evidence obtained through direct forensic analysis. So again, what best describes circumstantial evidence? It is B, evidence that implies, air quotes, a fact but does not directly prove it.
So if you see something that doesn't directly corroborate that there was an issue, it will then be circumstantial evidence. So again, finding a suspect's fingerprints on a door does not necessarily prove that they committed the burglary, but implies they were present. Or maybe they showed up earlier or later. Again, that's just kind of bringing this little story together, the circumstantial piece of it. When you're dealing with IT: did the guy actually have USB access? Did the person log in that day? Did the person use their USB access? So on and so forth.

Question 11: An investigation into insider trading is likely conducted by which type of authority? So insider trading, who would be doing that? A, criminal law enforcement. B, administrative review committee. C, a private arbitration panel. Or D, financial regulatory body. So an investigation into insider trading is conducted by which type of authority? And it would most likely be D, the financial regulatory body. Now, insider trading, again, is buying and selling securities based on non-public information. If you do that, that violates what the SEC has out there, and so it's highly likely that they would get involved when you're dealing with insider trading. That being said, you can also say that there would probably be other people involved in this as well, but the financial regulatory body would take the lead on these types of situations. That doesn't mean they won't come back after you for criminal aspects, aka Martha Stewart. That's where she ended up dealing with that.

Question 12: Which concept ensures that every individual who handles evidence is recorded? Which concept ensures that every individual who handles evidence is recorded? A, evidence integrity. B, chain of custody. C, forensic readiness. Or D, digital signature. Again, which concept ensures that every individual who handles, touches, deals with it in any way, is recorded? And the answer is B, chain of custody.
Again, chain of custody tracks the evidence from its collection to its presentation in court, ensuring that everybody who touches it has the access that they're supposed to have to it. There's a record of who touched it, when they touched it, and so forth.

Question 13: Which act governs electronic communication privacy in the United States? A, Sarbanes-Oxley. B, Computer Fraud and Abuse Act. C, Electronic Communications Privacy Act. Or D, Federal Information Security Management Act, or FISMA. And the answer is C, Electronic Communications Privacy Act, otherwise known as ECPA. This basically is an act that was put in place for electronic communications and how they can be accessed and intercepted in the United States. Okay, so that's a key factor around that. When you're dealing with SOX, you know, that focuses on financial practices. The Computer Fraud and Abuse Act, CFAA, deals with computer-related crimes, and FISMA is focused on federal information system security. So you've got to know the differences. If you're gonna whittle them down, the Electronic Communications Privacy Act, at least at a minimum, has it in the name.

Question 14: Which of the following is a primary objective of forensic readiness? A, ensuring regulatory compliance. B, reducing investigation time. C, enhancing user privacy. Or D, preparing systems for collection and preserving evidence. It is A, ensuring regulatory compliance. So forensic readiness involves configuring and managing systems so that evidence can be efficiently collected and preserved. So the ultimate goal is you're ready for it, right? This can occur because maybe you have taps within your organization's network so that you're collecting packet captures, PCAPs, and that is then sent to another location where it is stored. So you are then primarily ready for the event that you may have to have some sort of forensics capability.
And all these log files are being sent to a certain spot. Again, this is a strategic kind of thought process that you need to plan for if this is something that's important to your organization.

Question 15: A whistleblower protection policy primarily addresses which investigation-related concern? Again, a whistleblower protection policy primarily addresses which investigation-related concern? A, evidence handling. B, investigator bias. C, protection from retaliation. Or D, preservation of chain of custody. So a whistleblower protection policy addresses which investigation-related concern, primarily, right? And the answer is C, protection from retaliation. Whistleblower protections are designed to protect the individuals who report potentially unethical or illegal activities, right? It's to help them. It helps to encourage people to come forward without having to worry that someone's gonna throw you under the bus. So again, the ultimate goal is that the whistleblower piece is protection from retaliation. If you violate that, it can go ugly for everybody. So you want to make sure that if you do have that within your organization, you are watching it very closely and you have a good plan in place to deal with whistleblowers. Because yeah, if it comes across that you are not doing well to protect them, you've got a lot bigger issues you're gonna be fighting. So that's just a piece of advice. Again, not a lawyer, just telling you some stuff from experience.

Okay, that is all I have for you today. Head on over to CISSP Cyber Training. Go there, you'll enjoy it. I guarantee it. You'll love it. It's awesome. It's got everything you need to pass the CISSP exam. It's all there. No reason to go around checking out other places, watching videos and other things. It's got it all available for you, to include an overall plan for passing the CISSP.
Now, again, I have a blueprint that's within the CISSP network, in there in the overall product plan. And that blueprint will help you step by step by step on what you should study to get ready for the CISSP. There are a lot of people out there that can go and cram for this thing, pass it, and move on. Well, that's great. But the nice part about what I have with the blueprint is that the blueprint will step you through and help you learn the information so that when you move on to the next role, you actually understand what they're asking of you. And to be honest, if you want more money, there are a lot of different companies out there that will promote, hey, we can help you get more money. The way you're gonna get more money in cyber is you understand the content. You ain't gonna be able to get it just by winging it. Because you might wing it for a little while, but then they'll find out and you'll be fired. Or you'll get hacked and then you'll be fired. So the ultimate goal is, again, to learn this information so that you can then help your company, protect your company from the evil hacker horde. Now, the last thing is, also go to reducecyberrisk.com, and if you're looking for a consultant, I can help you with that. I've got a lot of partners that I'm working with, and we can help you with your needs, from virtual CISOs down to individual security, pen testing, you name it; it's available to you at reducecyberrisk.com. So again, cisspcybertraining.com and reducecyberrisk.com. Head to those, check them out, a lot of great stuff for you. Have a wonderful, wonderful day, and we will catch you all on the flip side. See ya.