CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 333: Patch Or Get Hacked (iPhones) - CISSP Questions Deep Dive (Domain 2)
A “just visiting a website” iPhone hack is the kind of story that snaps you out of autopilot, and that’s where we start. Dark Sword shows how sophisticated mobile malware can ride on compromised sites and silently pull sensitive data from iOS devices. The fix is refreshingly practical: patch quickly, encourage the people around you to patch, and treat update discipline as real cybersecurity risk management, not a minor inconvenience.
Then I shift into CISSP Domain 2 Asset Security with a set of deep-dive practice questions that mirror how ISC2 likes to test your thinking. We break down what data classification is actually for, how to spot the “primary purpose” in tricky answer choices, and why value drives controls. From there we tackle cloud security responsibility with a healthcare scenario and a misconfigured ACL, clarifying why the organisation and its data owners remain accountable even when a cloud provider runs the infrastructure.
We also navigate a common GRC conflict: legal retention requirements versus security’s desire to reduce breach exposure, and how to land on a defensible data retention policy. Finally, we get hands-on with media sanitisation, including why DOD 5220.22-M overwriting can fail on SSDs under NIST 800-88 guidance, and we close with access governance basics like least privilege and need to know when roles change.
If you’re studying for the CISSP exam or tightening real-world security controls, subscribe, share this with a study partner, and leave a review so more candidates can find the show.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome And The Weekly Format
SPEAKER_00: Welcome to the CISSP Cyber Training Podcast. We provide you training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber. I'm your host active informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
Dark Sword iPhone Zero Click Threat
CISSP Exam Update And Expectations
Data Classification And Protection Levels
Cloud Breach Responsibility And Ownership
Retention Policy Legal Versus Security
Sanitising Drives When SSD Rules Change
Least Privilege After Role Changes
Mentoring Resources And How To Prepare
SPEAKER_01: Good morning, everybody. It's Shon Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is Thursday, and it is CISSP question Thursday. So we are pretty excited about the fact that we're gonna be going over some deep dive questions related to domain two. But before we do, there was an article I wanted to reach out and kind of give you a heads up on that I'm sure you all have seen in the news at some point in shape or other related to iPhones. And this is on Wired magazine. The comment is, or is the title I should say, is "Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild." Okay, so what exactly is this? Well, this is the researchers at Google, iVerify, and Lookout revealed the sophisticated iPhone hacking tool called Dark Sword. Now the tool was found embedded in infected websites and can silently, that's a key term there, hack iOS devices that simply just visit the site. There's no clicks, there's no downloads, it's nothing. It's that. Now, if you update the iOS, you're good. But if you don't update the iOS, this is a bit of a challenge. And so Dark Sword targets devices running iOS 18, and roughly a quarter of all the iPhone users were still on that version at the time when they wrote this article. And you're seeing this everywhere, right? So there's hundreds of millions of devices that potentially could be exposed because of this. And this includes passwords, photos, iMessages, WhatsApp. All of those pieces can be stolen if you go to the site that is vulnerable. So it's an interesting part in all this, and the reason I say that is because in the past there have been very, very few iPhone type hacks that are out there in the world. They're usually reserved for nation-state activities. So it's kind of interesting to see this coming out now. So the Russian connection and how this all comes out, as we know, the Russians are deep into this.
Dark Sword was found embedded in legitimate Ukrainian websites, right? This included news outlets, government agency sites, and it was recently used by the same Russian state sponsored espionage group behind a separate toolkit called Karuna. Okay, so that was just revealed a couple weeks ago. So this is a big, big deal. Now, the interesting part in this, they talk about there's a critical blunder that's related to somebody, some Russian hackers accidentally left the complete Dark Sword code openly accessible on compromised sites, including English language notes explaining how each of the components works. Now, I say this in the way that because being in the intelligence world that I was for so many years, it is possible that they left it there on purpose. I mean, that's my feelings. It could have been an accident. They could have just said, hey, hey, we goofed it up, we left everything there. But the Russians don't do anything unless they have a plan around it. So it's very possible that, you know what, they just left this out there to see how people would react to it and go, oh no, the sky is falling, we are all in trouble. And just to see what kind of propaganda came back. That is possible. It's also possible they goofed up and they deposited it there. And you know what? Some hacker probably lost his job. Or maybe lost his life, heaven forbid that happened. But the point of it comes into is that their information is out there that this code, this Dark Sword, had the ability to you do nothing other than visit the site and it can compromise all kinds of things. So researchers have warned that this turns into a ready-made kit for any other bad actor to potentially exploit. So now that it's out there, it's available, bad people can grab it and then utilize it. So what is the big picture here? Well, a lot of the phones that are out there in the world utilize iPhone technology. They just do.
There's now obviously Android's big factor, and I'm not trying to diss any Android users, but in the past, iPhone has been one of those that's been a rock solid piece of equipment that people can use and not really have to worry about. Well, this is a big deal. So we're highly recommended obviously that you patch your Apple phone and you recommend to your organization that they patch it as well. Because any all the newer iOS updates will fix this situation. But like I know a lot of people that have been that have iPhones, especially people that are maybe a little bit older, like my parents, for example, probably do not update their iPhones as much as they possibly should. So you need to be proactive in talking to people about doing this. And how can you be as a cybersecurity professional helping your organization and your family protect themselves against these kinds of things? So Apple also released an emergency security patch for older devices that cannot upgrade to iOS 26. So, bottom line, update your iOS as much as fast as you can, as quickly as you can, and then help your organization do it as well as you can. So, very interesting things that we see in the news related to cybersecurity. So let's roll into our questions for today. Okay, so this is the deep dive into domain two of the CISSP, ISC Squared exam. Now, as we all know, ISC Square will be updating the exam coming in April. That's the plan. That's when it's going to roll out with new type of uh information that will be utilized for the exam. And so you want to keep your ears to the ground and see what's going to actually happen and what kind of changes you can expect to see. There will be some changes, obviously, within the AI space as well as the GRC space. Now, my question is I get a lot of students that ask me this overall question of saying, hey, is this going to change or do I have a better chance than if I'm going to take the test sometime in the middle of April or the end of April? 
Am I in trouble for not having this information? And I will tell you that they're going to add questions to it and they're going to increase the volume of what's out there for it. But when it comes right down to it, if you have a really good grasp of the ISC squared CISSP exam, you will do fine. I'm sure you'll do just fine because they're going to put questions in there that are going to be possibly new and different, but at the same time, if you go through the thought process, like we're going to be going through in this specific area around domain two, it will be relatively uneventful. That's my expectation around it. So let's get into the deep dive around domain two. So a global financial organization is classifying its data assets, which is a great idea. The chief information security officer or the CISO wants to ensure that data classification aligns with both regulatory requirements and business value. Which of the following best describes the primary purpose of data classification? So again, you're looking at a CFO or a CSO of a very large financial organization that is global. So there's like some key terms there. And they're going to be getting into data classification. Obviously, they have regulatory requirements and they also want to deal with business value. What best describes the primary purpose of data classification? So when they start giving you those words, a couple like best and primary, it's going to be looking for a very specific answer. But that also entails that they're going to be giving you a couple of questions that are going to be very similar. So A, determine the appropriate level of protection based on value, sensitivity, and criticality. B, assign ownership and accountability for each of the data assets. C, comply with regulatory and legal obligations for data handling. Or D, to establish retention schedules and disposal procedures for data assets.
Okay, so as we listen to all four of those, we can come back and say they're all very important for data classification and data asset security. So let's go with the ones that are not correct. To establish a retention schedule and disposal procedures for data assets. So when you're establishing uh schedules to dispose of these systems, right, this is an important part. It's something that you would, I would say this is kind of like a master's level type activity, where if you are in the position where you have all of your assets under control, you know which ones you need, and you also have retention schedules built out there and disposal procedures for data assets. That is top tier. And that really is. You are in a really good place from a data classification and data asset standpoint. So that there's good, but is it the best for or the primary purpose for data classification? I would say that's not, right? That's not the primary purpose for it. It is an important part of it, but it is not the primary purpose. Next one that is incorrect is to comply with regulatory and legal obligations for data handling. So you want to comply with regulatory and legal obligations. That is something you must do. You must totally do that. If you don't do that, in many cases, you are in violation, and now it's going to cost you and your company a lot of money. And in some cases, you could be even held legally responsible for not doing it. So it is a very important part of it. However, is it the best? Is it the primary? I would say it's a good one, but it's not the best. Now we'll look at another one to assign ownership and accountability for each data asset. That is extremely important. It's probably above the last two that we have talked about. You need to assign accountability for each data asset. It's an imperative part of this. Uh I've been seen time and again, okay, in my experience, we would have years of working with different types of data assets to not even have an owner. 
And not having an owner for this data asset makes it extremely challenging. One, to try to get anything done. So if you have problems with it, I don't even know who to talk to. Same kind of concept is here is that if you don't have a person who is ultimately accountable, that is probably what's one of the worst things you can do. But is it the best and is it the primary purpose? The real the correct answer is A to determine the appropriate level of protection based on value, sensitivity, and criticality. Why is that important? Well, so the value of the asset is probably one of the most important things you can do. So when you're looking to protect something, do you want to protect the crown jewels or basically uh I don't know, something that's worth as much as a piece of dust? I'm trying to think of a really good example, but that's a terrible example. The point of it is that if you have something that you're working with that is extremely important and valuable to your organization, you will then put the correct protections on that device in a way that's going to best help it. The sensitivity of it as well. Is it something that you are extremely concerned about and do not want to escape and have everybody have access to it? Obviously, such as since there's an iPhone, right? You have the CEO's iPhone is probably a little bit more sensitive than mine. My my one, mine is not that it's sensitive because there's nothing on it other than pictures of dogs and my wife. So, yeah, that's about it. So the sensitivity is an imperative part. And then the criticality. Does the asset that you have run something that is extremely important? I'll tell you, I had a situation where I worked with a large manufacturing company and many, many years ago, and they we went did a tabletop, and as we did the tabletop, come to find out that there was one device. 
This one device, and actually it was a very old type device, had access to something that was the most important part of the business. And if it went down, it would be worth millions, millions of dollars a day, and actually tens of millions of dollars a day, just because of this one device. So the criticality and and the sensitivity and the value was through the roof with this one device. So it's an imperative part of this. So again, when you're looking at which bet following is the best describes the primary purpose of a data classification, is to determine the appropriate level protection based on the value, the sensitivity, and the criticality. A healthcare organization stores patient records on a shared cloud platform. The cloud provider manages the physical infrastructure while the organization manages access controls and data encryption. The breach occurs due to a misconfigured access control list, or ACL, who ultimately bears the responsibility for protecting the patient data. Okay, so we have a healthcare organization. Okay, that adds that up. You have patient records, those are sensitive, right? And it's a shared key term cloud platform. So the cloud provider manages the physical infrastructure, so they're the ones that are holding it, so let's just think of it as AWS, while the organization manages access controls and data encryption. All right, so it occurs due to a misconfigured access control list. So somebody goofed up. All right, who bears the ultimate responsibility? So let's break this down. Question A, a cloud provider because they are the data custodian. B, both parties are equally responsible under the shared responsibility model. C, the organization's security team because they misconfigured the ACL. Or D, the organization because data owners are always ultimately responsible for data protection. Okay, so on the onset, this looks relatively easy, but I can see an area, one question where or answer where you may pick off on something different. 
So A, the cloud provider is incorrect, right? Because they are the data custodian. When it comes right down to it, they are the provider for the system. Now, the system themselves, they're to keep that up and operational. They're not the data custodian. They're they're the manager of the systems that are managing the data. So they are not the custodian around that. So that would be incorrect. However, when you deal with situations, you're going to want to, as a security professional, make sure that whoever you are storing your data with, you have a really good understanding of the legal ramifications behind it. Now, if you get a cloud provider that's trying to just get out there and get in the business of doing this and doesn't do cross their T's and dot their I's, this could be a factor. But in most cases, you as the data owner are going to be responsible for it. So it's not the cloud provider themselves. Next answer both parties share equal responsibility under the shared responsibility model. Not really sure what that shared responsibility model is. Maybe you have something agreed to in your language with your master service agreement, but in reality, that doesn't exist unless it was created for this specific purpose. So both parties do not share equal responsibility because whose data is it? Okay, that's a big factor. Whose data is it? Now, if you had built out a master service agreement where it says both of you are shared responsibility, then yes, that would be a correct answer, but that's not called out in the question. So you got to kind of think about that. Read deeply into it. The organization security team, because they misconfigured the ACL. So this answer also is incorrect. Now, could they be responsible? Yes, they could be responsible for it. Um, and because of the fact is that they did something incorrectly. But because the data owner is ultimately responsible, it would necessarily wouldn't fall on their security team. 
However, heads do roll downhill. So there's a good chance that if if the security team messed this up, there could be some changes with the security team. But it's one of those that you might want to bite off on if you read the question too quickly. So, but the correct answer is the organization, because the data owners are always ultimately responsible for data protection. So when you're dealing with sensitive data, such as obviously in this case, healthcare records, then you're gonna want to have a data owner that's specifically designed that that person is for those specific records, because they need to be the person that is the one last throat to choke if they made a mistake. And so therefore, the organization as a whole will be ultimately responsible, but the data owner themselves is going to be responsible as well. Now, you may be asking yourself, well, how does the data owner know if the ACL was correctly done? It's not the data owner's responsibility to go back and look at the security team and making sure, did you do that ACL correctly? But the data owner should ask from the security team, walk me through what this ACL means and tell me how it's protected. Walk me through where it's at, and then I need to ask questions about it. So again, you're gonna this the between the CISO, between the data owners, between the actual physical people that are doing the work, there needs to be conversations related to this to ensure you have the best protection in place for you and your company. Question three: an organization is developing a data retention policy. Legal counsel advises that certain contract records must be retained for seven years. While a security team wants to purge all data older than three years to reduce breach exposure, which principle best guides the real resolution of this conflict? So again, you have an organization developing a data retention policy. 
Counsel is advising that certain contractual records be retained for a minimum of seven years. While a security team wants to purge all data older than three years to reduce breach exposure. So, bottom line is the lawyers say we got to keep it, and the IT people say we need to get rid of it because we don't want data exposure. I'll tell you from an experience standpoint, um, it isn't always the IT people that would say that, it might be compliance or HR would want to purge a lot of the data of the records, but there's something for you to think about there. Older than this, so it's again, they wanted anything older than three years to be gone. So which principle best describes or guides the resolution of this conflict? Answer A. The security team's recommendation should prevail because reducing the attack surface is a core security principle. Okay. B, legal retention requirements establish the minimum retention period, and data should not be held beyond the legal or business need. C, the longer retention period should always be adopted to ensure compliance with the most stringent requirements. And D, data should be retained indefinitely until a formal litigation hold is released. Okay, so you will deal a lot with legal in your cybersecurity career in many different forms or fashion. Um, and so you need to really be aware of this, you need to understand how do you navigate the minefield of legal. So A, which one is wrong? A, right? The security team's recommendation should prevail. No, it should not, right? It should be an input. It should be imperative that they put it out there and they should explain their position why they would think that it needs to be at three years. And then it needs to go to legal, then they will help you with this situation. Now, that doesn't mean that the legal, or I should say, IT's position is incorrect. That is not the case.
IT's input should be very well listened to and garnered because of the fact that if say you get a brand new legal team who doesn't understand this, and they come down and they go, well, they're just gonna keep everything at seven years. This is where the IT professionals can come in and say, nah, let's talk about that. And let's go down to the path of, you know what, let's get it less than that. And there's in a situation where that has happened to me specifically. So you're gonna want to go and be a this is where that partnership is such an important part of any IT and any sort of security organization. Let's look at the other one that is incorrect. The longer retention period should always be adopted to ensure compliance with the most stringent requirements. So this is a checkbox item. You'll go into it and you may get potentially an auditor that may come in and say, Do you have seven years? Yes, a checkbox. It is done. That is not necessarily the right case. And I'm not saying auditors all will do this. You have a good, there's some really great auditors out there that are not checkbox type of people, and they are very specific and focused on what they're looking for. But you, as a security professional, need to go, you know what, this isn't just about checking a box and making sure that it's covered. You need to have a good reason why you're protecting the stuff for over seven years that should be protected, and you're deleting the things that should not be protected. So it's an important part. You again, this is that relationship. This is that building that trust. This is just key to cybersecurity. The last question that is incorrect is data should be retained indefinitely until a formal litigation hold is released. Now, you all will deal with some sort of legal hold at some form or fashion in the future. And you should not hold those data indefinitely. You'll go to many organizations where I'll tell you they are doing that, they're holding it indefinitely. 
And it's not because of the fact that they're worried about a legal hold or that somebody should contact them for some sort of legal aspects. It's just because it's just easier that way. It's easier to keep it forever. It just truly is, rather than try to have a good plan around deleting your data and getting rid of it. So uh it's an important part of any organization to have a data retention policy, a data retention plan, and you should really work this out with your legal and compliance teams as a cybersecurity professional with input on what should be the right case. So the correct answer is legal retention requirements establish the minimum retention period, and data should not be held beyond the legal or business need. So if you're looking at questions and they come down to this and you see this, your first indicator should be legal and it should be business need, right? Your needs, your needs of your organization, your needs of your business, they will outweigh any sort of security needs you have. Now, that doesn't mean that because of the fact that you say, I have this iOS 18 patch that needs to be done, um, and the business goes, we're just not going to do it. That is where obviously you'd have a good conversation around, no, that's not the right answer. Let's get to a good answer on this. Uh, but when it comes right down to it, legal retention requirements establish the minimum retention period and should not be held beyond the legal or business need. So, an important part. All right, so let's go to the next question. A company is decommissioning hard drives that store confidential, classified financial data. The security team proposes using a Department of Defense, or DOD, 5220.22 multipass overwrite to sanitize the drives. A consultant argues this method is insufficient. Which scenario would most justify the consultant's concerns? Okay, so we are dealing with an overwrite of some drives.
So they're decommissioning these drives that stored confidential data, and it's financial data. And so the Department of Defense DOD 5220.22 multipass overwrite does not work to sanitize these drives. So the consultant, haha, Shon, is saying that this is insufficient. Which scenario would most justify the consultant's concerns? Okay, so A, the drives were used in a virtualized environment shared by multiple tenants. B, the financial data is more than five years old and is no longer operationally relevant. C, the drives are solid state drives rather than traditional hard drives or HDDs. And D, the drives will be reused internally rather than sold or transferred to a third party. Okay, so this is the multipass system, and this is based on DOD standards 5220. So multi-pass overwrite. And how that really basically works is they pass it over and over and over, and they're actually redoing the bits and the bytes on the hard drive to basically zero out anything, the data that might be there. So that's the plan. That's what a multipass does. But the consultant says, no, this is not sufficient. This is not gonna work. So why is that? Well, A, the drives are used virtually in a virtualized environment shared by multiple tenants. Well, if they're used in a virtualized environment by multiple tenants, one I guess it comes back to is are they solid state or are they hard drives? Hmm, what is that? Well, if they're used by multiple tenants, overwriting that would work. It would work totally fine for that situation, especially if they are a specific hard drive. So that is not correct. Uh that's one of those things. So he wouldn't say, Why would we do that? The financial data is more than five years old and no longer operationally relevant. Again, you would want to do it.
There's no reason why you, if you're decommissioning these hard drives, especially if it's got any sort of data in it, even if it's five years old, you want to decommission it, and the multipass will work just fine with this. Because again, it's sensitive data, you're dealing with financial data, big deal. And then the one is drives will be reused internally rather than sold or transferred to a third party. Well, one, that's true. If they are used internally, that's great. You're reusing something, staying green, doing that whole thing. However, when it comes right down to it, though, what's to happen if this financial data, so you have that, and it's used on this hard drive, and someone now opens it up and now has access to it. So now you're dealing with sensitive data potentially that could be viewed by anybody. So, yes, you would want to do a multi-pass on that as well. The big problem is C, right? The drives are solid state drives rather than traditional hard disk drives. So the multi-pass will not work on a solid state drive. Just doesn't do that. It's not meant for that. The best thing to deal with decommissioning solid state drives is a hammer. That's the best thing to deal with a solid state drive. Uh yeah, drills, hammers, anything that you can just beat the dickens out of it. That's the best choice. And then shred it. That's probably even better. Just put it in a shredder and be done with it. But your solid state drives are something that the multipass will not work over. So the multipass was designed for magnetic hard disk drives where data is stored on a spinning platter and can be overwritten sequentially. SSDs use basically wear leveling algorithms that distribute and write data across memory cells unpredictably. All over the place. So the standard overwrite may never reach all the cells, especially with today's uh different SSDs that are in the terabytes. It may never ever actually reach that.
So the ultimate goal is NIST 800-88 specifically states that overwriting is generally not effective for SSDs. And it's just, and you're not gonna run out of time. You just truly are. So what you want to do again is pull out a hammer and just destroy it. Have fun with it, get excited, and beat the dickens out of it. Okay, next question. An organization handles data classified at three levels: public, internal use, and restricted. Okay, so that's data classification at three levels. Public, internal use, and restricted. A newly hired analyst is granted access to all three levels to get up to speed quickly. Six months later, the analyst's role is redefined and requires access only to internal use data. So this analyst had access to all three: public, internal, and restricted. But six months later, their role has been redefined, changed, to now where they only have internal use data. The organization does not revoke the additional access. Oh, terrible. Which two asset security principles are most directly violated? Okay, so this person has access to things that they should not. A, separation of duties and least privilege. B, need to know and data sovereignty. C, data minimization and separation of duties. Or D, least privilege and need to know. Okay, so which two asset security principles are most directly violated? So let's go into the ones that are incorrect. A, separation of duties or least privilege. Okay, this isn't a separation of duties aspect. It is a least privilege access problem, but it is not a separation of duties. Their duties were separated, and uh that's not the problem that's actually occurring here. B, the need to know and data sovereignty. Well, this person does not have a need to know problem. They just were given access to areas that were unacceptable that they shouldn't have access to. So they don't need to know those, but the access was never revoked. Data sovereignty doesn't really deal with anything related to this situation.
It's dealing with where's the data, who owns the data, where's the data located, and who owns the actual sovereignty of this data. C, data minimization and separation of duties. Yes, the data minimization is limiting the amount of data that's there. However, the separation of duties still is not a factor in this situation. So the correct answer is D. Least privilege and need to know, right? The analyst holds more access rights than their role requires, right? So access should be accepted or should be scoped so that the minimum necessary amount of access is required for the job duties at hand. Need to know, obviously, the analyst no longer has a business reason to access restricted data. So therefore, the need to know that has been granted to them is no longer necessary. So this is where defined, current, and legitimate business needs need to be defined well for each of the roles. So both principles demand access to be revoked when the role changes. Now, this can be done in multiple ways, can be done manually or automatically. It just kind of comes down to you and how you want to do that for you and your organization. Okay, so that is all I have for you today. Head on over to CISSP Cyber Training. You can get access to all my free content out there. It's available to you. Also look at my mentorship. I'm actually gonna be making some changes to the site. I'm looking to look at growing and seeing how we can work with different types of people that want to be consultants working for, working with me in different areas. From GRC to security operations to you name it, we're looking for different ways to do that. If you are wanting to be a security consultant and you're trying to figure out how do I do this for my career, I'm looking out there to help you in mentoring you and what you want to do and what your plans are for you and your future. So this is one of the biggest areas that people struggle with is you get a CISSP, what should you do with it?
How can you be successful with it? So again, things to think about as you're related to the CISSP. So go check it out at CISSP Cyber Training, lots of great content to help you pass the exam the first time. All right, have a great day, and we'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.