CCT 325: Hackers Can Use Grok/Copilot And Beating The CISSP Failure Traps

Show Notes

Half of CISSP candidates fail not because they lack knowledge, but because they answer like technicians when the exam demands a manager’s mindset. We dig into the three traps that derail smart people—technical heroism, perfect security fantasies, and the confusion of multiple “right” answers—and replace them with clear mental models that work under pressure. You’ll learn how to pick process over panic, see risk through the business lens, and choose the action that enables everything else.

We also dive into a timely security development: researchers demonstrate how permissive AI assistants with web browsing can act as covert command and control channels. If your network blocks known C2 nodes but allows AI egress, malware can route requests through an assistant to fetch malicious URLs—slipping past controls you trust. We talk through practical countermeasures: AI governance on par with high‑risk SaaS, disciplined inventory and policy control, enterprise logging and audit features, and the hard realities of traffic inspection and packet decryption without crushing reliability.

From there, we translate exam strategy into daily leadership. We outline the executive lens: decide who you are (risk manager), fix what the business cares about (continuity within risk appetite), and follow procedural DNA (assess, plan, execute). When a question asks what to do first, look for “assess the situation” or “consult the policy.” When choices seem equally solid, use a strict priority: life safety, legal and regulatory, business continuity, then assets and tech. And when tempted by the strongest control, match cost to value with proportional safeguards like full disk encryption and remote wipe for low-risk laptops.

If you’re ready to pass the CISSP and lead with clarity in an AI-shaped threat landscape, this conversation gives you the mindset, examples, and filters to get there. If it helped, follow the show, share it with a colleague, and leave a quick review—what trap do you see most often?

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

Chapters

• 0:00: Welcome & Episode Setup
• 0:33: Why 50% Fail The CISSP
• 1:22: AI As Covert C2 Channel
• 3:41: Governance And Monitoring For AI
• 6:22: Traffic Inspection And Decryption Realities
• 8:38: Career Angle: AI Skills For CISSPs
• 9:51: Host Background & Credibility
• 11:35: Trap 1: The Technical Hero
• 14:23: Process Over Fix: IR First
• 16:10: Trap 2: The Perfect Security Fallacy
• 19:03: Proportional Controls And Cost
• 21:08: Trap 3: Multiple Right Answers
• 23:05: The Executive Lens: Think Like Management

Transcript

Welcome & Episode Setup

SPEAKER_00 0:00

Welcome to the CISP Cyber Training. We training and the CISP exam. Hi, my name is Sean Gerber. I'm your host. Join me each week as I provide the information you need. CISP exam. And grow your cyber checker in the light. Alright.

Why 50% Fail The CISSP

AI As Covert C2 Channel

Governance And Monitoring For AI

Traffic Inspection And Decryption Realities

Career Angle: AI Skills For CISSPs

Host Background & Credibility

Trap 1: The Technical Hero

Process Over Fix: IR First

Trap 2: The Perfect Security Fallacy

Proportional Controls And Cost

Trap 3: Multiple Right Answers

The Executive Lens: Think Like Management

SPEAKER_01 0:26

Good morning, everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP question Thursday. But today we're going to be changing it up just a little bit. We're going to be focused on some, I did a video for YouTube and for my uh site a while ago, probably about actually a week ago. And I wanted to get this out to you, the audio version of it. And it's actually really good and it's it's kind of enlightening as it relates to CISSPs and when you're studying for the test. And it's the comment is why 50% of CISSPs candidates fail. And it's really how smart people, which you all are probably very, very bright, I'm sure you are, if you're especially if you're studying for the CISSP, but why they fail. And so it's a really good kind of video, a walk through that. Um so I've got the audio part of this is going to be on this podcast today, so it's really, really good. Uh if you want the video, head on over to CISSP Cyber Training, it'll be there, it'll be available to you as well. But before we get started into that, I wanted to uh bring out an article that I saw in CSO magazine. And this is actually very telling. Um I will tell you that as a consultant, I am getting lots of information and I'm actually getting lots of requests around AI. And there's some different aspects related to it, and it's this AI tool is very useful, but it also comes with some potential frauds with challenges. And I know we've talked about it, but here's another attack vector that actually hasn't been seen in the wild yet, but they have tested it with them, researchers have, and it works. So it's very interesting, and I think it's brilliant personally. If they can make this happen, uh it's pretty smart. And I would do this if I was them, if I, especially if I was a bad guy or girl. But one of the things is this comes out of the CSO magazine, and it says hackers can turn Gronk Copilot into covert command and control channels, researchers warn. So what it is is it's permissive AI. And this was done through checkpoint research, and they identified an interesting threat vector uh that where they use the AI assistance with web browsing or URL fetching. So it can be used to basically use hidden command and control channels in malware. Now, how does this work? Well, I'll I'll kind of go through this. They use AI as a C2 proxy, but how it's set up is you you have to go with the known establishment that you have a uh site, your your place of work where you have your network is compromised. But it allows AI communication out. And it doesn't have to have any sort of registered API keys or any sort of accounts. And what it does is it has you and you have AI. And then you go and you call, or the the robot or the malware will call the AI assistant to go fetch, to go get the URLs that have malicious content. So traditionally the way this would work is if you have a device that is sitting on your network, it will reach out to the command and control uh node that's sitting out there, and these are known bad, right? So in many cases, they were they were known for a while that they're bad, and so they've been blocked by certain tools. It's the cat and mouse game, right? So what ends up happening is then all of these security tools will come in and they will then turn, know where these known bad C2 channels are, and they would block them. And so that's this cat and mouse game. New ones stand up, they get blocked. New ones stand up, they get blocked. Well, now what's happening is you're going to have the situation where you have your the malware sitting at your facility and your location is going to be communicating back up to AI, which is what you want, right? Because you want to be able to use AI to give you all of these great things. But what happens then is the AI will reach to these bad URLs that are the command and control things that are normally getting blocked, and it will allow the data through. And so why is it allowing the data through? Well, it's allowing it through because what ends up happening is that AI channel is allowed to occur within your organization. So it's really, really cool. I think it's awesome. I mean, what they're doing, it's it's pretty amazing. So if the researchers were able to get this done with Gronk and with uh Copilot, then it can only be set to reason that this is going to be able to be affecting multiple people. So I would tell you that if you're gonna have AI within your organization, there's a lot of things you're gonna really need to do. And turning it on uh is a is kind of a it can be very scary and it can be very challenging if you don't have a good plan around this. So what I would highly recommend and highly stress to you all, and this is probably gonna be coming out in the April 2024 CISSP, ISC Squared um certification, is governance is gonna be a huge factor for AI. So you're gonna need to ensure that you have AI governance and monitoring similar to those other high-risk software as a service platforms that you have. And you're gonna want to understand that. You're also gonna want to have an ability to inventory and policy control any AI tool usage. So, as an example, I know right now uh Claude has got their Teams version and then they have the Enterprise version. The Team version gives you the ability to kind of start playing around with stuff. The enterprise version gives you more of the audit and logging capability. You're gonna want that. You really truly are, because you're gonna need to have some level of traffic inspection and auditing and monitoring of all of your AI traffic coming into from your location. And it's also gonna put people that are on the that provide security services, they're gonna have to think about this. It's also gonna be, as I'm thinking through this as I'm going through it in my head, you're gonna have to do some level of packet decryption. So if you're gonna have a communication path between you and your AI platform, then it's encrypted, right? Well, are you inspecting that traffic? So that's gonna add another level of complexity to most environments because packet level decryption is not an easy task. I ended deploying this with a company, a healthcare company, and it is not an easy endeavor. It works, but it does it takes a lot to do it. So that again, you're gonna want to really think hard about deploying AI within your environment. And there's some three big things, again, apply AI governance and monitoring, similar to the similar to what you do with us, your SaaS solutions, inventory and policy control, your AI tool usage, which basically means have a policy in place, what they're allowed to do, and limit what they can do. Again, this is not limiting what your people can do, but limiting what these things can potentially go out and reach. And then from there, you may have to put some guardrails in place. And then implement some level of traffic inspection and anomaly detection around your service communications with your AI. So again, this is wrapping around a whole new envelope, or I should say opening up a whole new envelope of things we did not anticipate with AI, and it's going to be very, very interesting in the future. So if you haven't, I I've got a video on YouTube and I've got one on my website that I've talked about how important it is that there are different categories for you as a CISSP, some areas you need to go ahead and potentially be a neat niche in. Get focus your attentions on, and AI is one of them. The more you can get knowledge around AI, the better you're gonna position yourself for future profit and future uh job sustainability and satisfaction. So again, go check it out. Again, it's CSO magazine. Hackers turn Gronk and Copilot into convert command and control channels. Okay, so let's get started about what we're gonna talk about today. Why 50% of CISSP candidates fail and how not to be one. Hi, my name is Sean Gerber, and I'm putting forward some training around CISSP and what you need to know to be successful so you are not one of those that fails the CISSP exam, especially the first time like myself. Yeah, I did. I failed it hard the first time. And after that, I realized you know what, I need to do something different. And then thus I came up with CISSP cyber training. But let me give you a little bit of background about myself because I missed maybe the first video that you're seeing related to CISSP. So, my background, I actually am a military aviator. I went to school to be a pilot. I grew up being a pilot. That was my ultimate goal. I taught people how to fly airplanes, and then I ended up being flying the B-1 bomber. So, yes, life was amazing, but then life took a turn, and the dear Lord made something different in my life, and I ended up going down the path of IT. But you can see I've been a red team commander, a senior architect, a security operations manager, a chief information officer for a very large multinational, an adjunct professor, and I'm a fractional CISO slash cybersecurity consultant. So as I throw out my resume to go, oh Yan, it's yeah, whatever. Yeah, the point I'm trying to make is you know what? I can help you pass the CISSP exam. And these are some traps that I'm gonna talk about real quick that I've noticed, one from the years of teaching the CISSP, as well as on all the different IT aspects around what I've been dealing for the past 20 plus years. So let's roll into what are these key traps. Trap one, the technical hero trap. Right now, I see this a lot. I mean a lot, especially with technical folks. I didn't come from a technical background, so guess what? I'm not technical, at least not from a hands-on keyboard standpoint, but I see these folks everywhere, and what is it? They know so much, they want to use it. And with the CISSP, yeah, that isn't always a good thing. So let's kind of walk through a scenario and how this could happen. So the scenario is the exam presents a critical technical failure. Basically, a server's down or a breach is in active mode, right? So the answer, the choice of this is that it involves fixing the problem. Okay, so if technical people see this, they go, well, I need to reset the router. I'll basically reboot it. I need to patch the server, I need to update the firewall rules. That's a technical thing. And what you'll find out is with the CISSP, it's not about the technical aspects, it's about the mental aspects. So when you think about those lines, these folks, especially many of the individuals that have been in my coursework courses and that have dealt with over the years, they come from a very strong technical background. And they, when they go to take the CISSP, they can't let it go. And you're gonna have to let it go. You've got to think like a manager. You want manager money, you want manager responsibility. Well, then you've got to think like a manager, not like a technician. So, as the reality is, the CISSP, you are a risk manager. That is all what it comes down to, and everything that I deal with related to cybersecurity in my position and what I've gone through the years is about risk: mitigating, transferring, controlling the risk to your organization. So the fix, before you go and you fix, you must assess the situation. So you need to look for answers that involve process, policies, or permissions. Again, process, policies, or permissions. The the key thing to take away from this part is don't fix the server, fix the process that allowed the server to fail. One of the key things, I deal with this all the time as a consultant. People go in and they're technically they're fixing everything up and it's looking good. But when I ask where's the documentation, yeah, it's crickets. Nobody knows. Nobody knows their documentation, nobody's put anything on paper. If they're lucky, it's on a Barnac with a next to a sticky note. So again, the fix is you've got to make sure you have the process right before you try to go and fix the specific server. So let's go through a question, right? So this is the technical trap hero question. An administrator discovers that a web server is currently being targeted by a brute force attack. Ho ho. Which of the following should be the first first action you take? A shut down the server immediately to prevent the breach. B, block the source IP address on the corporate firewall. C, follow the established incident response plan, or D reset all administrative passwords for that web server. So as you can see, A, B, and D are very hands-on. But C is more of a process base, right? So most people will pick, like it says right down there, you pick B. Is that kind of the key that people would go after? Because, well, I'll just block the server. Not a big deal. We'll go ahead and block it at the firewall. Good to go. Not a problem. The problem is, though, is that the policy needs to be what you're following, and that is your incident response process. It'll still maybe come back to you're gonna block the IP at the firewall, but you ran through the process to make sure that everything is cohesive and together. It is your plan. So that's again, scenario one, the technical trap hero. Trap number two, right? Dose, the perfect security trap. So now this is where a question will ask for the best way to secure the asset or handle a new threat. So, what is the bait? What do you go after? Well, the answer that is technically impenetrable, but is incredibly expensive will slow down your business, such as implementing a second factor biometric authentication for low-level employees. So you're basically throwing in, I've got to have you scan your eyeball on something that is not high risk, but in the process of doing that, I am stopping the bad guys and girls from gaining access to my environment. Yeah, you're right, you did, but you also broke your business. And when it comes right down to it, the business has to make money to pay for you. So therefore, it's important that you don't try to over-engineer or overcomplicate this piece. Security must support the business goals. There have been times when I have dialed back security because the business needed it to be dialed back. They were willing to take the risk. Now, that being said, I documented the risk. I let them know the risk. I let them know the chances of this happening, the likelihood, and then at the end of it, the business made the call. So you're going to have to work through that when you're reading questions. Again, it comes down to your overall business goals because the business is what makes the money that pays the bills. You got it, if you if you shut everything down and you can't make any money, well, then everybody just goes home. So the fix, the correct answer is often the one that balances security with cost-benefit analysis. So if a solution costs$10,000 to protect a$5,000 asset, yeah, that's not the right answer. Now, there might be times when you feel that that might be necessary, but in reality, that's probably not the right answer you want to go after. So this comes down to the test. ISC Squared was going to want you to know that I don't want to spend all this money to protect an asset that's not worth that much. So just think about it. Also, the key thing you need to bang on the drum here is the risk is never eliminated. It is managed to an acceptable level. The level that is defined by the business. Again, the risk has to be, it's never eliminated, but it will be it will be monitored or controlled based on the fact of how much you the value of the business is to the organization. So again, you may put lots of controls in place because this thing is super important. Or you may go, well, it's important, but not that important. So then you dial back the controls and dial back some of the capability. So let's look at some of the scenarios as a question. Scenario two, the perfect security trap. So a small startup is concerned about the theft of laptops containing non-sensitive marketing materials. Keep term. Which solution best provides protection while maintaining business alignment? A. Deploying armed guards at all office exits to search bags. That's a little overkill. B. Implementing full disk encryption with remote wipe capabilities. C requiring all employees to store laptops in grade A, high security vaults overnight. Or D air gap all laptops, forbidding them to leave the premises. Now, listen to this, your guys are going, oh my goodness, this is very just draconian slash it makes total sense, which is the right one. I get it. But you're gonna want to make sure that you don't overthink these questions. When these questions come in, they're gonna at you ask them. You have a very small time window to be able to answer them. Do not overthink them, right? So the answer is full disk encryption, right? You want to have the ability, and it comes back to remote wipe. So it's encrypted, and if you can remote wipe it, yeah, baby, we're in business. So AC and D are the most secure, but they are ridiculous for any sort of startup, right? That's the whole purpose. A startup doesn't have the cash to do it. As a CISSP, you've got to be able to recognize this and be able to put in the proportional level of asset or the proportional level of controls based on the asset's value. So again, think about this from a standpoint of who you're working with, small startup, nonsensitive marketing materials. Right there, it tells you the risk is relatively low. So don't over-engineer it, don't make it bigger than what it really is. Trap number three. Right? The multiple right answers trap. So when you're dealing with a most or least type question where all four options are actually considered good security practices. So what is the bait? The bait comes into is you see one typically, the first one that's there that looks the best, you're like, oh, that's the correct, that's the most correct. Grab it, go. And you actually bite off on something that isn't correct. So look at the hierarchy of importance test. And what is that? That is where you apply the life safety first rule. If it involves a human, human lives, server rooms die. That's where it comes into. Always comes back to the human. Protect the human. If there's any doubt, protect the human. Now, if it doesn't involve the person, if the safety aspect isn't involved, look for the root action. What does that mean? So updating a security policy is more CISSP correct than telling your employees to change the password. Now you're going to do hand in hand changing passwords and probably updating your security policy, but again, this is a management-based test. You are going to be using your cranium to help get the security things in place. So focus on CISSP perts that are related specifically to around management and policies. So again, which of these answers makes the others three possible? That is what you need to consider when you're trying to figure out the multiple right answers trap. So here's a scenario, right? Again, the multiple right answers scenario. During the fire at data center, the halon suppression system fails to trigger. Not good. What is the most important priority of the security manager? So again, fire, bad thing. Data center and halon, bad thing. And then what is the most important priority? A. Activate the offsite disaster recovery center. Okay, click open, lift the bat phone and start calling. B. Ensuring all personnel have evacuated the building. C. Manually triggering fire suppression to save the hardware. D. Encrypting the backup tapes before leaving the site. Okay, so which one is it? Safety, safety, safety. Ensuring all personnel have evacuated the building. So again, this is the easiest trap to fall into if you are stressed. Everything is listed as good for a business, but the life safety is the absolute non-negotiable priority in every CISSP domain. So now we're going to run into the executive lens, right? This is a three-step filter. When you're looking at questions, what should you do? So step one, the identity shift. Who am I? So before reading any of the four answers, you must consciously decide what is your what is your character. You have to go into character like an actor. What are you playing? So thinking about are the are you a subject matter expert who fixes things, who loves tools, or who is hands-on? Are you doing that? Again, that's not what the CISSP is about. You need to not have that mindset on. You are a risk consultant hired by the board to fix the problem. And use as that, you are going to focus on policies, procedures, standards, right? You are not going to use the screwdriver or any sort of technical thing to fix the problem. Now, when you're dealing with configuring, typing, or cabling, if you see those words, they're likely distractor type words that are going to pull you off because they know you have to have the requirements to be a CISSP of all these years of experience. Well, you're going to be most likely a technical person. So what are you going to do? Bamboo, roll right into the technical piece. So the logic here is that management delegates the work, but they own the responsibility. You are looking for the answer that provides oversight and direction. Again, step two of our three-step filter, the North Star. What is your overall goal? So every question has a hidden objective. You need to filter the answers based on what the business actually cares about. Again, focusing on what the business wants. I can't tell you enough as a security professional, working with lots of security people going, they lose sight of that. We actually require people that if you're going to go work in security, you need to go spend some time in the business. You need to work in the business to understand what is their things that make them money and what makes them lose money. If you do that, you actually come to the table with a lot of influence and you can do a lot to really help your company and your organization. Again, maximum security is the trap. Make it super secure. But that is not important. The goal is business continuity and risk appetite. That is what you're looking for as your overall North Star. It has to be able to make money while staying within legal and regulatory bounds. That is it. Okay, perfect security does not exist. And anything that deals with that is the wrong answer, right? So focus on this. Some key Words feasible, appropriate, alignment, and cost effective. These are North Star words for the exam. So focus on those. Now, step three of the third step filter, procedural DNA. What actually comes first? So this is the most important filter for most and first type questions. It tests your understanding of the security lifecycle. What does that mean, the security lifecycle? So it's taking action, right? The trap is that you take action before you actually know what needs to be done. But the right thing to do is have an assessment, put in place the policy that you got out of that assessment, and then have the action that goes with it. So what does that mean? So you perform some level of a risk assessment, audit, or gap analysis, and then you develop a plan with your policy, standards, or procedures that then build in, they put foundational aspects and they make this really beefy and strong. And it can stand on the fact that if someone was to leave the organization, they can pick up and it keeps a level playing field of what you should know. And someone can take it and run with it. Once that's done, then you can implement a technical control or execute that in phase three. So those again, assess, plan, execute. So there's a key secret here, right? If the question asks what to do first, and one of the answers is assess the situation or consult the policy, that answer is going to be 90 per correct 90% of the time. So again, focusing on that. Assess the situation, consult the policy. Think about that. Take a step back. Do not be quick to rush into something. They want you to think about the overall process before you actually do it. Okay, so this covers it. Why 50% of CISSP candidates fail the first time? As you can see, if you follow these traps, these different things in there, avoid the traps, follow the different aspects. You will be successful in passing your CISSP the first time. Not like me, you can do it the first time. Again, go check out CISSP cyber training. Lots of great stuff is there and available for you. Lots of free stuff to help you in this overall process. The goal of this video is to help get you guided and directed on the right place and the right time to be able to pass the CISSP exam. All right, we'll talk to you all later and catch you on the flip side. See ya.