CISSP Cyber Training Podcast - CISSP Training Program

CCT 321: From BIOS Passwords To ABAC - Practice CISSP Questions

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 321


A surprising number of security leaders admit they’re flying blind on hardware and firmware. We start by exposing how shared BIOS passwords, slow maintenance cycles, and careless e‑waste practices create avoidable risk, then lay out the fixes: privileged vaulting, disciplined asset disposition, and practical ways to repurpose gear without leaking data. That real-world foundation sets the stage for a focused tour through CISSP Domain 5—Identity and Access Management—built for practitioners who want clarity over jargon.

We break down least privilege in plain terms and show how to reduce the initial friction with cleanly defined roles and entitlement catalogs. From there, we compare RBAC and ABAC: when baseline roles are enough, and when context-aware attributes like device, location, and data sensitivity should drive policy. Authentication gets the same treatment. Multi-factor authentication, biometrics, and phishing-resistant methods raise the bar, while single sign-on and identity federation streamline access across cloud apps using standards like OAuth, OpenID Connect, and SAML. In modern cloud environments, token-based models win for scalability and security, and we explain why.
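The RBAC-then-ABAC layering described above, as an added Python example that is not from the episode or the show: role entitlements form the least-privilege baseline, and an attribute policy (device, location, data sensitivity) refines the decision. The roles, entitlements, attribute names and sample subjects are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Entitlement catalog (constructed): each role carries only the (action, resource kind)
# pairs the job needs, which is the least-privilege baseline RBAC enforces.
ROLE_ENTITLEMENTS = {
    "hr_analyst":    {("read", "hr_record")},
    "hr_manager":    {("read", "hr_record"), ("approve", "hr_record")},
    "finance_clerk": {("read", "invoice"), ("submit", "invoice")},
}

SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: tuple          # roles assigned by job function
    clearance: str        # highest sensitivity this person is cleared to see
    location: str         # "office", "home", ... (assumed network-derived attribute)
    device_managed: bool  # endpoint enrolled and compliant
    mfa: bool             # session authenticated with a second factor


@dataclass(frozen=True)
class Resource:
    kind: str
    sensitivity: str


def rbac_allows(subject, action, resource):
    """Baseline: some assigned role must list this action on this resource kind."""
    return any((action, resource.kind) in ROLE_ENTITLEMENTS.get(r, set())
               for r in subject.roles)


def abac_reasons(subject, action, resource):
    """Context-aware layer: returns the list of policy rules the request violates."""
    level = SENSITIVITY_RANK[resource.sensitivity]
    reasons = []
    if level > SENSITIVITY_RANK[subject.clearance]:
        reasons.append("clearance below data sensitivity")
    if level >= SENSITIVITY_RANK["confidential"]:
        if not subject.device_managed:
            reasons.append("confidential data requires a managed device")
        if not subject.mfa:
            reasons.append("confidential data requires MFA")
    if level >= SENSITIVITY_RANK["restricted"] and subject.location != "office":
        reasons.append("restricted data only from office network")
    return reasons


def decide(subject, action, resource):
    """Return (allowed, reasons). RBAC is checked first; ABAC then refines it."""
    if not rbac_allows(subject, action, resource):
        return False, ["no role grants %s on %s" % (action, resource.kind)]
    reasons = abac_reasons(subject, action, resource)
    return (not reasons), (reasons or ["rbac+abac satisfied"])


# Constructed sample subjects and resources.
CONFIDENTIAL_RECORD = Resource("hr_record", "confidential")
RESTRICTED_RECORD = Resource("hr_record", "restricted")
ANALYST_OFFICE = Subject("alice", ("hr_analyst",), "confidential", "office", True, True)
ANALYST_REMOTE = Subject("alice", ("hr_analyst",), "confidential", "home", False, False)
CLERK = Subject("bob", ("finance_clerk",), "confidential", "office", True, True)
MANAGER_HOME = Subject("carol", ("hr_manager",), "restricted", "home", True, True)

if __name__ == "__main__":
    for who, action, res in [(ANALYST_OFFICE, "read", CONFIDENTIAL_RECORD),
                             (ANALYST_REMOTE, "read", CONFIDENTIAL_RECORD),
                             (CLERK, "approve", CONFIDENTIAL_RECORD),
                             (MANAGER_HOME, "approve", RESTRICTED_RECORD)]:
        allowed, why = decide(who, action, res)
        print(who.user, action, res.kind, "->", "ALLOW" if allowed else "DENY", why)
```

The same user passes from a managed office device and is denied from an unmanaged remote one, which is the kind of context a role alone cannot express.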

Governance ties it all together. We walk through identity proofing for solid onboarding, separation of duties to curb fraud, and IGA workflows that make approvals, recertifications, and audits far less painful. Regular access reviews emerge as the unsung hero that prevents privilege creep before it becomes an incident. If you’re prepping for the CISSP—or just tightening your IAM program—this episode gives you the why behind the what, with steps you can apply today.

Enjoyed the conversation and want more deep dives? Subscribe, share with a teammate who needs a quick IAM refresher, and leave a review to help others find the show.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

Welcome And Show Setup

SPEAKER_00

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber. I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

Hardware And Firmware Knowledge Gaps

BIOS Passwords And Secure Sharing

Maintenance Friction And E‑Waste Risks

Repurposing Gear Without Leaking Data

Domain 5 Quiz Setup

Least Privilege And RBAC Basics

MFA, SSO, And Federation Essentials

ABAC vs RBAC And MAC In Regulated Orgs

IGA, Access Reviews, And Password Limits

Closing And Resources

SPEAKER_01

Hey, I'm Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Yeah, man, it's awesome. Today we're getting closer to Christmas. It's awesome, it's awesome. Can't wait. I know my grandkids are like freaking out excited about that because I remember as a kid growing up, Christmas was everything. So yes, it's getting close. But uh we're not here to talk about old Saint Nick. You are here to learn about CISSP stuff. So we're gonna get into domain five today of the CISSP. But before we do, obviously we're gonna get into an article that I saw recently. Um, it is talking about three-quarters of security leaders admit gaps in hardware knowledge. Now, I will tell you that as uh working as a CISO, then also working as an architect and so forth, and then having to go up through the ranks of being in the red teams, I learned we started off with the A Plus certification for hardware. And if you've dealt with A Plus at all, it focused on the hardware aspects of it from down to BIOS to chips, you name it, all those little nuances. Well, as we move into this SaaS world that we have, uh I think there's less emphasis on this. And this article kind of talks about that. And as a security professional, you're gonna be responsible for a lot of the security related to your hardware within your organization. And hardware is still out there, it's not all in a SaaS environment. So it's gonna be important that you kind of understand what that entails. And also when you hire people, you need to kind of ask some key questions around hardware security as well. It's just kind of an important part. But this article kind of gets into the fact that at three-quarters, or they say in three-quarters, but it's about 80% of IT and security decision makers admit to major gaps in hardware and firmware knowledge. 
And I know this is definitely the case, uh, especially if you get in the manufacturing space specifically, there is a lot of gap between the hardware and knowledge because a lot of the hardware they're using is still 19, circa 1980s, 1990s. And so if that it's very hardware intensive versus in today's world of being it's more of a uh SaaS environment. So, one of the things they said in here is that most of these folks do not collaborate with IT and the security, and also the the suppliers and the hardware people don't necessarily talk together. Um, they also made a comment that it's around 53% of them said BIOS passwords are shared. Now, if you're dealing with a BIOS password, many times your ultimate goal is that you should go in and change those to something that is more appropriate for your organization and to have those passwords so that they're not easily guessable or maybe dependent upon the type of hardware, they could be a standard type of password. So you obviously one of the best practices is to go out and reduce those and re uh remediate those. Well, here they're saying that they have many people share them. And I can see that happening, especially in a large organization, if there is a mandate to go and change BIOS passwords within your organization. I can see where somebody would actually copy those down, put them in a location, and then share them amongst others. Now, if you had to do something like that, one of the considerations you may want to think about is the fact that you could put it in a product like CyberArk, in some sort of management solution, password management solution. That would be a way that you could do that. Ideally, you wouldn't want to put them in some sort of uh location where they're shared amongst everyone, but there might be times when you have to share them, therefore you should consider the proper ways to do that. 
They also made a comment that uh more than one in ten employees are frustrated with the slow pace of maintenance. And I guess in today's world, a lot of the maintenance comes down to is they don't really even try to fix it, they just buy something new. I was talking to a guy at one of my contracts recently, and he just has a TV and he's been trying to make some changes to his TV that is he's got some capacitor issue. And so he wanted to go and and get that fixed. The question is, we came back to is in most cases, people just go and throw it away. They don't actually try to go out and fix it. So, because of that, there's a lack of knowledge around how to actually fix some of the hardware that goes along with it, which then rolls into the next comment around e-waste, and they call it an e-waste fail. And it's because they're saying that a lot of equipment that is just thrown away and could be potentially repurposed. Now, we've talked about this in the past on CISSP cyber training, that repurposing hardware is an important part of you know, helping one, you don't want to put it in the landfills, and two, some other people could potentially benefit from it. That being said, it's important that you don't store sensitive data on these different types of e-waste that you're you're potentially giving away. So one of the things to consider is if you're gonna give the the, they call it the kit, but basically your computer, you're gonna give that away, you want to make sure that you do remove any of the hardware that is related to data storage in there. Obviously not the chips themselves, but any hard drives of some sort, whether they're physical or whether they're an SSD, you'll want to get rid of those. But that being said, it's one of those aspects that you want to consider if you are going to be going through and purging a lot of equipment within your organization. 
Are there ways that you can repurpose it and give it to maybe some nonprofits, somebody that could use it a little bit better and or use it versus having it thrown away? So just something to consider. Again, this is an article out there by InfoSec Security Magazine, and it's talking about uh security leaders admit there's a gap in hardware knowledge. Okay, so let's get started on today's questions. So again, today's questions, you get all these questions at CISSP Cyber Training, get access to them at any time. All the active that you get all the access that you get there at CISSP Cyber Training, these questions are there and available to you. You just gotta go check them out. Uh, we will also be putting this up on the blog. You'll have access to it. I'm a few sessions behind, I think, on that, but there'll be uh it'll be coming out here soon. I've been in the process of trying to, uh we we bought a verbo and I was in the process of getting that ready. So needless to say, I have been a little consumed with my wife's activities at this point. But we're here, group eight, and we're done domain five. So let's get going. So, question one which of the following is the primary purpose of a privilege management in an identity and access management system? Okay, so which of the following is the primary purpose of a privilege management in an identity and access management system? A to enforce least privilege by controlling access to sensitive data, B to manage user lifecycle and permissions throughout or throughout their employment, C to provide non repudiation of the user's actions, or D to ensure compliance with data retention regulations. And the answer is A to enforce least privilege by controlling access to sensitive data. Question two Which of the following describes the principle of least privilege? Again, which is the which following describes the principle of least privilege? 
A granting users the highest level of access to ensure that they can perform their job functions. B allowing users to access only the information necessary for their specific tasks. Or C allowing users to perform administrative tasks on any system they use. Or D providing users with read and write access to all system resources. Again, which problem which of the following describes principle of least privilege? And the answer is B, allowing users to access the information necessary for their specific task. Again, least privilege you should be granted with the minimum level of access required to perform your job duties. And that's what we talk about least privilege. You don't want to give them any more than they absolutely must have to do their job. Now it does add for some conf for some delays potentially. I've run into this myself when you're giving somebody access and you realize, oh no, I don't have the access myself. Had that happen a couple times. So something to consider when you're giving least privilege is it's gonna add a little bit more drama at the beginning. But once you figure out what those access should be, it will be much more easier to provision those accounts as time goes on. Question three, which of the following best describes role-based access controls, or otherwise known as RBAC? Which of the following best describes role-based access controls? A, access is granted based on the user's specific identity. B, access is granted based on the user's role within the organization. C, access is granted based on the sensitivity of the data. Or D, access is granted based on the time of day of the request is made. Again, RBAC, role-based access controls. Hmm, what is that? RBAC is basically B access granted based on the user's role within the organization. Now it's a policy used to assign permissions based on the role, air quotes, rather than the individual user. 
Now that's diff this requires you to have a defined role for the individual and not just lob everybody into one big bucket. So again, they're sought they're assigned by job functions and the users are assigned the roles to provide them the access to the resources they need. Question four, which of the following authentication methods provides two-factor authentication? Again, which one provides two-factor authentication? A a username and password. B smart card and pin. C, biometrics only, or D CAPTCHA. Okay, C-A-P-T-C-H-A, which you all know, but it's CAPTCHA. Which of the following authentication methods provides two-factor authentication? And the answer is B. It is smart card and pin, right? It requires two different types of factors. A smart card provides something you have, and the pin is something you know. So therefore, it is that's what your multi-factor piece of this is. So you'll get a lot of the smart cards and the pins. Obviously, when you're dealing with your credit cards, have that. A lot of different CAC cards, like a um the military does a CAT card, or it's like a close access card, I think that's what they call that. But it's a CAC, CIC. So different types of authentication methods for multi-factor. What does the identification question five? What does the identificate identity federation allow an organization to do? Again, what does an identity federation allow an organization to do? A to enable the use of single authentication system across different platforms and organizations. B to establish a single set of policies for managing user passwords. C to define a common encryption standard for data across organizational boundaries, or D control which services a user can access based on the geographic location. Again, what does Identity Federation allow for organizations to do? And it is A enable the use of a single authentication system across different platforms and organizations. 
Again, the federation is a different organization they share and trust data between them, identity data between them, and allows for authentication once they gain access. Now, this is usually achieved through SAML, OAuth, or OpenID Connect. Those are different types of access to be able to, or different types of mechanisms to be able to share that data. Question six, which of the following is a primary goal of single sign-on or SSO? Again, what is the primary goal? Primary goal of single sign-on or no, otherwise known as SOS SOS. No, not save our ship. It's SSO, right? Single sign-on. A to provide a centralized system for managing user passwords. B to allow users to log in once and gain access to multiple applications without reauthenticating. C to enable multiple users to share a single account securely, or D to enforce stronger authentication mechanisms across the systems. Again, which of the following is a primary goal of single sign-on? And it is B to allow users to log in once, one time only. I think it's Falsetti. Yeah. One ping, one ping only. To allow the users to log in once and gain access to multiple applications without re-authenticating. If you know the movie, let me know. Yes, I know the movie. Yes. Yeah. One ping. One ping only. All right. SSO is designed to streamline the authentication process, right? So user logs in once and then they can access multiple applications. That's the ultimate goal of SSO. Question seven. In a multi-factor authentication scheme, MFA, which of the following is a typical consideration, the most secure factor? Which is typically considered, that's better. Okay, typically considered the most secure factor. That didn't make sense when I first said it. A, something you know, a password. B, something you have, a smart card. C something you are, biometrics, or D, something you do, behavioral biometrics. Okay, in the two-factor authentication scheme, which of the following is typically considered the most secure? 
And it is C, something you are based on biometrics, right? Because that's usually something that, if your eyeball is usually pretty unique to just you. So therefore, it's fingerprints, retina scans, facial recognition, all those aspects are unique, very unique to individuals. That being said, when the facial recognition first came out, my wife and my daughter could actually open each other's phones. Uh, but that has now since changed. But there's there's that actually comes right down to it, biometrics is one of your more favor or more secure options. Okay, question eight. Which of the following is an example of identity proofing process during the onboarding of a new employee? The identity proofing process of an onboarding new employee. Again, what is that? All right, what is an example of that? A asking for a password to access the system. B to sending a one-time passcode to SMS or texting. C, verify with a government issued ID, or D assigning a role and granting access permissions. Again, what is an example of identity proofing process during an onboarding of a new employee? So Billy Bob starts up. How do you identity proof him? And it is C verifying with a government-issued ID. Again, that's a one thing we want to use is use that to help them grant access. They're going, yes, Sean is who he says he is. He is not Jessica. However, I have in using my powers for good, I have copied many, many government-issued IDs and have gotten away with it. So that being said, um, you need to make sure that if you are in a secret location somewhere, you do a much better job of checking IDs than people did on me. Question nine, which is the f which is the primary purpose of a separation of duties policy in identity and access management? What is the primary purpose of a separation of duties policy in identity and access management? A to prevent users from performing critical actions that may lead to fraud or error. 
B to limit the number of access controls that need to be managed. C to simplify auditing and logging processes, or D to provide users with temporary elevated privileges for urgent situations. Okay, so what is the primary purpose of separation of duties policy in identity and access management? And the answer is A. To prevent users from performing critical actions that may lead to fraud or error. Again, separation of duties requires that no individuals has the ability to perform the conflicting actions, right? An approving, as an example, would be approving financial transactions. Again, that would be bad, right? So you can do say, hey, I want to give myself a $30,000 pay raise, and you do that. That would be bad, right? That's what you want to have separation of duties, and you want to have other people that are watching what you are doing. Question 10. Which of the following methods is most commonly used for authentication in cloud environments? Again, what is most commonly used for authentication in cloud environments? That's your Azure, your Amazon AWS, all those kind of things, right? And the A, Kerberos, B, username and password, C, PKI, public key infrastructure, or D OAuth and OpenID Connect. Again, which is the most commonly used for authentication in cloud environments, which is most everything, it seems like today. And the answer is D. OAuth and OpenID Connect. Again, these are modern, widely used standards for authentication in cloud environments. They do provide a secure token-based authentication and authorization, right? They enable you to be able to authenticate across different cloud environments, whether it's AWS, Azure, whatever it might be. So they're helping you do that. Question 11. Which of the following is a key advantage of attribute-based control compared to role-based access controls? And which of the following is a key advantage of attribute attribute-based access controls? I forgot to access the first time. 
And compared to role-based access controls. So ABAC versus RBAC. Okay, and ABAC, A, A, letter A, number one. That's it. A. A. ABAC is a simpler to manage because it does not require role assignments. B ABAC allows you to have more granular access decisions based on the whole wide range of attributes. C, ABAC is easier to integrate with legacy systems, or D, ABAC relies on fixed rules that do not change over time. Okay, so attribute-based access controls. And the answer is B. ABAC, access-based access controls, allows you more granular access decisions based on the wide range of attributes of the person, right? So that's what you want to do. Characteristics, environmental factors, resource types, and so forth. RBACs are designed permission based on fixed roles, whereas the ABAC deals with attribute-based access, which is for complex environments where decisions need to be made based on multiple pieces of criteria. Much more sensitive locations would have an ABAC type of access control. Question 12, which of the following access control models is most suitable for environments where access decisions need to be based on a set of policies and regulations, such as in the healthcare industry. Okay, again, what's is what following access control models is most suitable, most suitable for environments where decisions need to be made based on policies and regulations, such as in the air quotes healthcare industry. A discretionary access controls. B mandatory access controls, or MAC. DAC is discretionary access controls. C role-based access controls, or D attribute-based access controls. And the answer is B. Mandatory access controls are used highly in regulated environments. This is where policy and regulations, such as in healthcare, government, military, dictate these access controls. Again, they're determined by system enforced policies rather than the user's discretion. 
So that's mandatory access that they have to have to gain access to these things, or they're limited to what they have access to. Question 13. Which of the following should not be a benefit of using identity governance, governance and administration solutions? So again, identity governance and administration solutions, otherwise known as IGA. That's India Gulf Alpha. Okay, a an improved regulation, improved regulatory compliance and audit readiness. B simplifies user access requests and approvals. C improved security through continuous monitoring and user activities, or D increased user productivity by allowing instant access to all resources. That's a lot of words. Okay, so which of the following was not benefit of identity, not be a benefit, not be, not be not benefit, but not be a benefit of IGA. And the answer is D. Increased user productivity by allowing instant access to all resources. Yeah, right. Now that's not gonna work. If you went through all of those, you'd go, yeah, that makes no sense at all. You don't want to be increasing user productivity by allowing access, right? You can get productivity, but at this end, what happens when you allow too much access? Yes, the uh the wolf runs away with a chicken coop. And they well, you probably don't know what that means, but basically, I don't even know what that means. Anyway, the the chickens all run away. That's what ends up happening. But it's helping IGAs help to identify user identifies, enforce policies, and provide visibility into access controls, such as improving the compliance and security, right? They provide unrestricted access. You know, if you're trying to increase productivity with unrestricted unrestricted access, you're just asking for trouble. So just don't do that. Question 14 Which of the following access management practices helps to ensure that only authorized individuals can use a specific system? 
Again, which of the following access management practices helps ensure that only authorized individuals can use a specific system? A password complexity and policies, B session timeouts, C, regular review of user access permissions, or D encryption of sensitive data at rest. Again, which of the following access practices helps ensure that only authorized individuals can use a system? And the answer is C. Regular review of user access permissions. Again, this reviewing of these access permissions ensures that only authorized individuals have access to sensitive resources and that privileges are complete and up to date. Again, managing these is an important part of any sort of organization. And uh especially when you're dealing with a very dynamic organization. Question 15, the last question, the last melon. Which is a major disadvantage of password-based authentication? Again, which is the major disadvantage of password-based authentication? A, it can easily be integrated with existing systems. B, it is requires users to remember complex passwords. C, it provides strong multi-factor authentication, or D, it's highly resistant to phishing attacks. So again, what is the major disadvantage? And again, it requires B requires people to remember complex passwords, which what ends up happening? People copy them down. They either make the passwords very weak and dilute them, or they copy them down and then send them out to all their friends. So, no, they don't send them to their friends, but they leave them on their computer and therefore they have problems. Again, that is the last question. So I hope you guys enjoyed it. Again, go out to CISSP Cyber Training and check it out. If you are looking for a security person and you need some assistance, go to reducecyberrisk.com. You also can check me out there, and that's we can provide you with cybersecurity resources for you and your organization. 
But bottom line is go to CISSP Cyber Training and get access to all of my questions and all of my content. You can get it. All right. I hope you all have a wonderful day, and we will catch you all on the flip side. See ya.