CCT 323: Practice CISSP Questions - Generating Reports - Domain 6

Show Notes

Alarms go off, dashboards turn red, and leadership wants everything fixed yesterday—sound familiar? We dig into the real craft of vulnerability management: deciding what truly matters, when to defer safely, and how to protect customers while keeping the business moving. Along the way, we unpack the forces shaping 2025 security: AI-fueled threats, smarter cyber insurance, the edge of quantum risk, stricter privacy laws, and the rising stakes of DevOps security.

We share a practical triage framework that goes beyond CVSS. Learn how to validate scanner noise, confirm versions, and use a second tool when the data looks off. When patching collides with uptime or legacy systems, we outline compensating controls that actually reduce exploitability—segmentation, allow-lists, credential tightening, and targeted monitoring—plus the documentation and triggers that prevent “temporary” exceptions from turning permanent. You’ll hear how to communicate residual risk with time-bound plans and metrics leaders understand, from blast radius to downtime cost and insurance obligations.

Ethical disclosure gets real, too. When a researcher’s 30-day clock clashes with a 45-day fix, coordination beats confrontation. We talk through private progress updates, revised timelines, and interim mitigations that put users first. For vendors and open source, we highlight respectful escalation paths, legal prep, and why responsible disclosure typically reduces harm better than full, premature detail drops. In complex multi-cloud setups, we recommend assigning a cross-team coordinator who aligns priorities, patches the most exposed services first, and bakes checks into CI/CD so the next fix is faster.

Subscribe for more CISSP-ready breakdowns, share this with a teammate who lives in the patch queue, and leave a review with your toughest triage scenario—we might feature it next.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

Chapters

• 0:00: Holiday Check-In And Show Setup
• 1:29: 2025 Cybersecurity Trends Overview
• 3:38: AI Threats And Insurance Shifts
• 6:03: Quantum, Regulations, And DevOps Security
• 9:57: Funding, Policy, And Zero Trust
• 12:27: Listener CISSP Scenario Questions Begin
• 13:03: Context-Driven Vulnerability Management
• 17:20: Exceptions, Compensating Controls, And Timelines
• 20:39: Coordinated Disclosure With Researchers
• 24:04: Internal Criticals And Risk-Based Deferral
• 26:20: Vendor Ethics And Escalation Paths

Transcript

SPEAKER_00: 0:00

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber, and I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

SPEAKER_01: 0:25

Hey y'all, Sean Gerber with CISSP Cyber Training, and hope you all are having a beautiful day today. Yes, yes, awesomeness day today. We're getting close to the holidays, and you know, it's always this fun time of year. It like gets to be a vibration. It's exciting. It's awesome. I know my kids, now we have the grandkids, and everybody else just loves it. So we got family coming in out of town, which is gonna be great to see them. Uh we have a couple of my son and his daughter, uh, or my daughter-in-law are moving in. Uh, so we're excited about that. They're bringing a puppy, which will be interesting, but it's all good. It's all good. We'll be happy to have everybody here and enjoying the Christmas holidays and uh having some time together. So it's positive. So hopefully you all are gonna get the opportunity to do that, especially as we get into the overall piece of this time off where a lot of people are taking time off. Uh, but uh, if you are taking some time off, hopefully you are studying and cramming for your CISSP. So today we are gonna be getting into the uh questions that are associated with the podcast that we had on Monday. So we're gonna dig into that a little bit. But before we do, kind of wanted to quickly talk about this article from Information Security Buzz around cybersecurity in 2025. So as we get close to moving into the new year, how is that going to change for 2025? I thought 2024 was going to be busy. Well, it looks like 25 will be just as busy, if not more so. And a lot of the challenges come into is the fact that the technology is changing at such a quick pace. It's really hard for, as we've mentioned before, time and again, it's hard for people to keep up with all of the change. So the article kind of really gets into it. Just some main topics I wanted to roll over is one is the AI-driven threats. And as we know, there's going to be much more opportunity for artificial intelligence threats and people to utilize that technology to attack individuals and to attack corporations. So that is going to be a big factor, especially in the financial sector, e-commerce, and so forth. Uh, there's big factors as it related to the incidents that happened with solar winds, and then also their vetting and continuous monitoring piece of this. Uh, they they mentioned that through the article as well. I would say one of the things that's to consider is as you are looking to put uh security within your organization, consider that, and I know the vendors are working very hard at this to try to come up with utilizing AI-driven technologies to help find the bad guys and girls. So that's an important part of all of that. Another thing they mentioned in here that I thought was really interesting was the evolving cybersecurity or cyber insurance model. Um, they're gonna be wanting the insurance companies have really just kind of relied on people in the past to tell them what is going on with their organization, but they're gonna be using now some AI-driven risk assessments, which I think is a valuable part. Uh, people like me uh that were utilizing uh contractors, I should say, we're utilizing doing risk assessment assessments for companies, may be impacted a bit by this, but I also feel that maybe an initial risk assessment by AI will actually help with giving an overall understanding of the organization. I also feel that uh in many cases, if you could start that off, a security person coming in can then utilize those skills that they have to help dig deeper into the organization and really to add an extra level of security versus it being more of a checklist-driven type of activity. So that's that's the part where they bring that in. Uh quantum resilient encryption, we're already starting to see levels of encryption, or I should say, quantum leaps, uh, and that is not a pawn or a pan or uh whatever they a pun off of the old movie or TV show Quantum Leap, but it's it is the quantum is leaping very quickly and now to the point where their Google has chips that are have quantum technology in them that they are you deploying to um or will be begin deploying into computers around the world. So that's gonna be an interesting part on how that's going to overall work, um, especially when you're dealing with the state privacy laws in countries such as China and Europe. And I you're gonna get more of that, and that's one of the key other things they talk about here is more regulations that are gonna be coming out because of the technology changes that are occurring. Uh generative AI risks, obviously that's another part that can be a big factor, automation and DevOps security. I'd say this is probably one that is gonna become even a bigger factor in the next year is DevOps security. And the reason is is because we all know as we study in the CISSP, a lot of my students struggle with this part because they don't, they've really never dealt with a DevOps piece of it. Uh so and as we become more and more reliant on technology and the development of this tech technology, the Sec DevOps is going to be a really important part of your overall security plan. And then obviously focusing on zero trust, nation-state cyber warfare, all of those are key factors that are going to be a big player in 2025. So I I just I also saw an article in Wired about uh how they're saying the folks of i i in the inn, right, are saying doje, dodge or whatever it is, the the group that's gonna help with government efficiency, they're worried that they're gonna r take away cybersecurity funds for companies because they're trying to streamline things. And that is possible, right? But I think it also at the same time, the U.S. government, especially, has got so much bloat that they there needs to be some way of fixing that. Now, the question is is will the pendulum swing too far the other direction? Probably. Uh, and then we'll be picking up the pieces after that. So it should be really quite an interesting year for 2025. All I can say is let's let us all hang on, uh, wear our tinfoil hats, and just get ready for the fun times, especially if you've got drones flying over your head everywhere. Yes, it'll be fun. It'll be a good time. Okay, well, let us get into the overall question. Again, before we get going on that, though, again, go to cybersecurity in 2025, a new air of complexity. You'll be able to check all that out. Uh, again, that's in informationsecuritybuzz.com. Okay, so let us roll into the questions. Okay, question one. You are reviewing the results of a vulnerability scan that has reported multiple high severity vulnerabilities within a critical system. After validating the findings, you notice that the vulnerabilities appear to be outdated and unlikely to be exploited in your environment. What is the best course of action to address the situation? Okay, so you got lots of issues, but they mean they probably aren't effective for you. One, remediate all findings as quickly as possible to mitigate any potential risk. B, to document the vulnerabilities and false positives and disregard them. C. Update the vulnerability scanner database to improve accuracy and rescan to confirm results. Or D evaluate the context of the vulnerabilities, such as exploitability within your environment, and defer the remediation while implementing compensating controls. And the answer is D, right? So the ultimate goal though is you want to you want to document this, you want to understand the context of these vulnerabilities, and you may want to defer the remediation. Now, removing them and deleting them doesn't really help you because they're going to come back up, and deleting anything, it's just usually not good. However, you need to document why you're not going to remediate them, and then you want to understand where they're at and potentially implement some level of compensating control. Question two: your organization faces a situation where an important system cannot be patched due to the operational constraints. A business critical application relies on an old version of software that no longer receives security updates. A hop in there, done that, got the t-shirt. How should you justify them and manage this exception? Considering both the technical and the business risks within your own your company and your organization. So again, you face a situation where they cannot be patched due to operational constraints. You are going to run into this, guaranteed. A, apply compensating controls and document the exception with clear time bound remediation plans and risk mitigation measures. B, notify stakeholders in the vulnerability will be ignored due to the business impact and delay patch indefinitely. B or C, ignore the issue temporarily and proceed with regular scans until the next major system upgrade. D, remove all effective systems from the network and reduce exposure. Okay, well, these couple of those in there make no sense, right? A couple of them are like, oh, I don't know what to do. And the answer is A, right? Apply compensating controls and document the exception with clear time-bound remediation plans. Time-bound means within six to eight months, twelve months, whatever that is, you are going to then address it. And the benefit of that is that when you can talk to the senior leaders, you say, hey, we got a problem, we're going to address it. It's going to take six to twelve months before we'll get to it. However, that being said, be ready. Hang on, buddy, we're going to get this fixed. And then you're going to have to go and address the problem. Question three, a researcher discovers a zero-day vulnerability with your publicly available API. Okay, that could potentially expose sensitive user data. So, aha, you APIs, they're everywhere. The researcher had contacted you through a public channel and demanded public disclosure within 30 days. You have a validated vulnerability and are working on the patch but need more time to implement the fix. What is the most reasonable approach to handle this ethical dilemma? A publicly release the vulnerability details after the 30-day period to meet the researcher's demand for it despite the lack of the fix. B. Coordinate with the researcher to extend the disclosure timeline with privately shared progress on the patch development. C. Ignore the research demand and release the patch without publicly acknowledging the vulnerability, or D. Deny the researcher's request for disclosure and keep the vulnerability private to prevent the pro to prevent reputational damage. Okay, well, this is where your security skills come into play. You want to coordinate B with the researcher and come up with a game plan on how to address the issue. So again, yeah, it's you need to work with people. And you go to them, say, hey, this is the problem, we're running behind, here's where we're at, this is what's going on. Can you please wait with before releasing it? Now, that being said, you better come with some ideas on how long you need. Coming back and saying, I need six more months, yeah, that's not gonna work. So you better say, hey, I need an extra 15 days. Again, people in most cases are accommodating, but you better be showing progress on what you're trying to accomplish. Question four, a critical vulnerability is identified in an internal system that is not currently exposed to the internet. Okay, so an internal system not exposed to the internet, but it is connected to sensitive data repositories. After validating the finding, you determine that the risk of the exploitation is minimal due to the strong internal controls and limited access. What should be your next step when managing this vulnerability? Okay, so now you know that there's a problem. It's currently exposed, but it's not exposed to the internet. What are you gonna do? Okay, a mark the vulnerability as non-actionable and move to other findings. B. Document the exception and implement additional compensating controls and reassess periodically for changes in the system. C. Automatically escalate the issue to a senior management for immediate remediation. Or D disconnect the system from the network and eliminate any possible threat. Okay, so it's a critical vulnerability with an internal system and it has access to sensitive data. And you should B. Document the exception, implement additional compensating controls, and reassess the periodically for changes in the system. Question five. You are working as a security consultant for a vendor, and you discover a critical vulnerability in one of their widely used products. You believe it could lead to a significant data breach if it is exploited. The vendor is unwilling to publicly acknowledge the vulnerability to provide a fix. What would be the most ethical action to take in this specific situation? So you're a vendor, okay, you discover a critical vulnerability and you're like, uh dude, you got a problem, and dude's like, no, I don't have a problem, I'm okay. So what are you gonna do? Well, A, you're gonna wait for the vendor to address the vulnerability and do nothing until they take action. B, you disclose the vulnerability publicly to and warn the user community, risking potential reputational damage from the vet for the vendor. C, you continue working with the vendor in private and provide a timeline for a fix and inform the affected users directly if the vendor delays further actions. Or D, you exploit the vulnerability and determine the severity of the vendor and force them to act. Okay, well, those that that one's not good, obviously. That goes bad, period. Again, you want to work with people. Continue to work with the vendor in a private to provide a timeline for a fix, it's important that you do that. And if it doesn't work, you raise it up to senior leadership. And you just keep bringing that up to senior leadership. I I hate to tell you this, but sometimes you may have to go above and beyond where you're at to get what you want done. But you have to do this in a way that's ethical, but you also have to do it in a way that is taking into account people's thought process. There might be a specifically perfect reason why they don't want to do it that you may not be privy to. So you need to walk care walk carefully in this situation. Tread carefully, that's a better word. Okay, question six. After conducting a vulnerability scan, you notice that several critical vulnerabilities are flagged on multiple systems. However, after discloser inspection, you determine that the vulnerabilities are being reported due to the misconfigurations in the scanning tool. Ha ha, the scanning tool's got problems. What is the most efficient way to resolve the issue and ensure future scans are accurate? A. Ignore the false positives and focus only on the remaining vulnerabilities. B. Conduct manual penetration tests on all flag systems to confirm vulnerabilities exist. C. Notify management of the false positives but proceed with remediation of the flag vulnerabilities anyway. Or D. Adjust the scanning configuration or use an alternative tool to ensure that you have accurate results. And the answer is D. Use an alternate tool and to ensure that you have accurate results. That being said, you may want to conduct some have if you have a red team involved, you may want to do some level of penetration tests on the flag systems if they are critical to your organization. So something that you it may be a combination of both of those. But keep in mind, again, thinking of like a leader, how do you deal with the issue immediately? How do you deal with it swiftly, but also in one that is focused on and is targeting the overall risk that you have to deal with? Question seven, your organization has a vulnerability in an outdated application that processes sensitive to customer data. Due to the budget constraints, oh, that's never good, the upgrade of patching to the system will take at least six months. You are asked with managing this exception. Or you are asked, you are tasked, not asked, you are tasked with managing this exception. How should you communicate the risks of this exception to the stakeholders? Okay, so the stakeholders are it could be your CIO, could be your CISO, it could be whoever, but you're you're going who are the main people that are responsible for it. So due to the budget constraints, one, you maybe you need to find more money, two, you need to figure out where's the money coming from, why is this a problem? What should you do? Well, A, explain the risks provided to the provided a detailed mitigation strategy and set clear expectations for continuous monitoring and reassessment during the six months. So explain the risks, set up a mitigation strategy, and how do you gonna watch it for the next six months while you get it addressed? Or you try to find more money. That's another option as well. B, emphasize a low risk and recommend that no additional actions are necessary until the system is patched. C. Suggest that the system be removed from use completely until the patch is applied. Or D disregard the business constraints and escalate the issue to the highest levels of management for immediate remediation. Okay, the last one is depends what kind of sword you want to fall on. If you want to fall on your sword, great, but be careful, you do that, you will burn some serious bridges and you may not have the opportunity to do it ever again. So the answer is A, right? Explain the risks, provide a detailed mitigation strategy, set clear expectations for monitoring and reassess in six months. Or find more money. Or find more people. It depends on what the money problem is, right? There's always options. You just got to come up with thinking about what are your options and how do you address those options. Question A, you discovered a serious vulnerability in the software product used by thousands of organizations. The vendor acknowledges the vulnerability but asks you to delay the disclosure so they can patch it in the next release cycle, which is several months away. As a researcher, what is the most ethical course of action? So you're a researcher. A accept the vendor's request and delay disclosure. Understanding the patch will mitigate the issue soon. B disclose the vulnerability immediately to the public. Go for it. Ensuring that effective organizations can take action before the vendor releases a fix. Yeah, go for it. Stir that pot. C. Wait until the vulnerability is patched, then disclose after all the risks have been eliminated. Or D inform the affected organization directly and privately, allowing them to patch the vulnerability before public disclosure. That's a good one. So you know it's gonna affect a lot of people, but you're working with a specific organization that you're aware of. Maybe contact them directly and say, hey, the patch is in, it's gonna get fixed, but you may want to take a look at this right now and uh wait until the patch is actually fixed. Now, depending upon disclosure agreements you may have, that may or may not be feasible. Just you're gonna have to work through that. That's the legal stuff you gotta work through. Question nine, you are tracking vulnerability trends over the past six months, and the number of vulnerabilities flagged in internal systems is decreasing. However, there is no significant decrease in the number of high severity vulnerabilities. What does this trend most likely indicate? Okay, so you're tracking vulnerability trends over the past six months. The vulnerabilities flagged in the internal systems are decreasing. However, there's no decrease in the number of high severity vulnerabilities. What does this likely indicate? A the organization is improving in addressing low severity vulnerabilities, but is neglecting neglecting means that they're being bad. High severity ones. B, the vulnerability scanning tool is increasingly reporting fewer false positives. C, systems are being decommissioned, leading to fewer vulnerabilities being discovered. Or D, the vulnerability management process is ineffective. Get rid of it, and more remediation resources should be allocated. And the answer is A. Okay, the organization is improving in addressing low severity vulnerabilities, easy low hanging fruit, as that analogy is, which is really annoying, but is neglecting high severity ones. Question 10. Yeah, this one's these questions are a lot because there's a lot of talking. So sorry, it's these were kind of some good scenario questions that I thought you guys might enjoy. Question 10 A vulnerability is identified in an application running in a highly complex, dynamic, multi-cloud environment with various service providers. The vulnerability is significant, but patching or mitigating it would require coordinated effort across several teams, each with different priorities and workflows. What is the most effective approach to handle this vulnerability? Okay, so it's identified an application running high, complex, and dynamic multi-cloud environments with various system providers, various service providers. Okay, so it's super complex. What are you gonna do? A assign a dedicated team to work across all teams to coordinate patching efforts and ensure alignment. B, patch the vulnerability on the most critical system first and defer remediation to the less critical ones. C immediately escalate the vulnerability to senior management and force a decision, then implement patching as soon as possible. Or D. Ignore the vulnerability on less critical systems and focus on resources on systems with the most direct impact, business impact.

SPEAKER_00: 19:40

Okay, a lot of words there.

SPEAKER_01: 19:42

A. Assign a direct team to work across all teams in a coordinate with the patching efforts to ensure alignment. Yes, you want to make sure that you work across all the different groups while you're trying to patch this issue. Again, work with people. Okay, it's the part that cybersecurity people sometimes have a challenge with. You have to have people skills and you have to work with people. Question eleven. It's pretty much with all IT people. I mean, we all kind of struggle with that. Question eleven. After conducting a vulnerability scan, you discover that a critical system has a vulnerability that cannot be patched within the required time frame due to operational constraints. What would be the most effective and compensating control to mitigate the risk associated with this unpatched vulnerability? Okay, so you have a vulnerability scan, discover critical systems have a vulnerability that cannot be patched. What should you do? A. Move the affected system to an isolated network segment and restrict access to only essential users. Oh, that sounds really good. B, temporarily discuss disconnect the affected system from the network until a patch can be applied. It can't really do that because it's critical. Increased logging and monitoring of the system, but do not apply any additional controls. Okay, well maybe, maybe not. Implement additional security tools and monitor for exploit attempts, but leave the system unchanged. Otherwise, you guys can kind of figure this out through all these questions we've gone through. It's A. Move the affected system to an isolated network segment and restrict access to only essential users. Sometimes you have to do that, especially when you're dealing with stuff that is really old or there's just no good way to patch it. Question 12. A security researcher discovers a critical vulnerability in a popular open source project. Woo-hoo, open source. The vulnerability is easy to exploit and could cause significant harm if exploited. However, the researcher is unsure about the legal ramifications of disclosing the vulnerability publicly. What would be the best course of action for the researcher to take? A. Disclose a vulnerability publicly without consulting the product project maintainers to ensure immediate attention. B. Contact the project maintainers privately first to give them the time to fix the problem. C to seek legal advice to consult about ethics or consult with an ethics board to determine whether disclosure is legally or ethically appropriate. Or D wait until a vulnerability is actively exploited and then disclose publicly to say, aha, see, told you so. No, don't do that one. That's probably not the best. So the answer is C. Yes. Seek legal advice and consult with the ethics board if you have one or something in something. In compliance and ethics to determine whether you should legally or ethically disclose this thing. Now, I will tell you right now, the moment you do this, unless you have a good plan in place, you ain't going anywhere with it. So, my recommendation is in the min in the meantime, before you have if you have a bunch of researchers or you have developers that may come across vulnerabilities, what you may want to do is get with your legal teams and your compliance and ethics teams now and see what they have to say. You may come back and they say, you know what, if you start putting this to put in place and then all of a sudden, bing, something pops up, it's much easier to flow through than if you try to come to them ad hoc and say, Hey, I want you to fix this, they're gonna go, uh no. They're gonna go, well, no, we need to talk to another lawyer and another lawyer and another lawyer and outside counsel and all these other people. And next thing you know, six months later, they'll finally come back to you with a say and say, No, we're not going to. But by then, it had already been out. So if you have this in your environment and you are gonna be dealing with ethical disclosures potentially, start talking to your legal teams and compliance teams now. Question 13 A vulnerability in a popular CMS platform is discovered, which allows attackers to escalate privileges and access sensitive data. You're debating whether you use a full disclosure model or a responsible disclosure model. What is the primary risk of associated with using a full disclosure in this scenario? So again, what's the risk for doing full disclosure of what's going on? A, full disclosure will delay the patching process because the vendor will spend too much time addressing the public disclosure. B, the full disclosure will ensure the quicker patch process as vendors will be forced to respond quickly. C. Full disclosure will minimize the risk of exploitation by providing public guidance on how to protect against the vulnerability. Or D. Full disclosure will allow attackers to exploit the vulnerability before the vendor can provide a fix, increasing the risk for users. Or to users, as I should say. And the answer is D. Full disclosure will allow attackers to exploit the vulnerability before the vendor can provide a fix, increasing the risk to users. Yes, by doing that. And then you also potentially open yourself up to legal challenges. Yes, you could get sued. Question 14, the vulnerability scanner reports high severity vulnerability in systems that was recently updated. Question 14, a vulnerability scanner reports a high severity vulnerability in a system that was recently updated. However, a patch was applied to fix this issue, and the vulnerability should have been resolved. Upon investigating further, you find that a scanner flagged the vulnerability due to incorrect version detection. What is the most appropriate course of action for this scenario? Okay, so we got incorrect version detection. Alright, what do you do? How do we fix this issue? A continue with patching process to ensure the vulnerability is fully mitigated. B. Ignore the scanner results since the patch was applied and the system is now secure. C. Manage and verify the patch status on all effective systems to ensure that there's compliance and update the scanner's configuration. Or D. Notify management of the false positives and wait for a new scanner version to address the issue. Okay, so what are you gonna do? What is the most appropriate course of action? It is C. Manually verify the patch status on all effective systems and ensure that compliance and update the scanner's configuration. Last melon. Question 15. What are we gonna do here? Okay, the word salad is almost over. Okay, question 15. An organization's senior leadership is concerned that the cost of patching critical vulnerabilities in legacy system is much too high and is delaying business projects because of it. Okay, so it costs too much money and you're delaying my projects because you want to keep patching stuff. How can the security team effectively communicate the long-term risks associated with not addressing the vulnerabilities? So you gotta express the risk by not addressing the vulnerabilities without undermining business objectives. So the business still has to make money. So security people still gotta make money. You can't just shut everything down. What are you gonna do? Alright, so emphasize A, emphasize the potential financial loss of an event of a breach, even though no breaches have occurred. I think that's an important part. That's not the answer, but it's important. Present a risk management approach that balances the cost of remediation with potential impact of an exploit. Aha, that sounds much better. C, advise leadership to delay remediation and definitely to avoid disruption, suggesting that vulnerabilities are a low priority. That's not the right answer. And then D, suggest vulnerabilities be patched only if they are exploited in a cyber attack. Yeah, that's kind of an after-the-fact thing, which probably isn't the right answer either. So one could be close, right? Okay, even though you're emphasizing potential for impact. But where it really comes to be better is you present a risk management approach based on risk that balances the cost of remediation with the potential impact of an exploit. So again, you you gotta put all the numbers in front of the senior leaders, help them make a decision the right way. If you do that, then your odds of success go up dramatically. Doesn't mean it's going to happen, but it your chances of success go up substantially. So, again, that is all of the questions for today. Again, go to CISSP Cybertraining.com and you can get access to all of these questions, all of the content that I've been put out there for many, many years now. It's all available to you to help you pass and start or study and pass for the CISSP exam. So we're pretty excited about that. Also, if you are looking for any sort of cybersecurity assistance, because I know that a lot of the folks that listen to this podcast are, in many cases, senior folks that are that are looking for some sort of cybersecurity piece. Go to reduce cyber risk, and you can get access to any sort of access that you may need to help you with your organization from a reduced cyber risk standpoint. I got consultants that can help you. All right, that is all I have for you today. I hope you guys have a wonderful, wonderful day, and we will catch you all on the flip side. See ya.