CISSP Cyber Training Podcast - CISSP Training Program

CCT 349: FOXCONN Hack and Domain 7 CISSP Questions

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 349


Eight terabytes of stolen schematics is not just a scary number, it is a reminder that cyber risk becomes business risk fast. We start with the Wired report on the Foxconn ransomware attack and unpack what a claim like that could mean in the real world: intellectual property exposure, supply chain disruption, customer impact, and the uncomfortable truth that recovery is only one part of the story when data walks out the door.

From there, we switch into CISSP Domain 7 Security Operations mode and work through practical exam-style questions with the “how would this hold up at work” mindset. We break down why live forensics imaging can be the right call during an insider threat investigation, using the order of volatility and the kinds of RAM artifacts that disappear the moment you shut a machine down. We also tackle a Patch Tuesday nightmare scenario where a CVSS 9.8 vulnerability is already being exploited but the change advisory board will not meet for ten days, and we explain why an emergency change process plus compensating controls is the mature security operations answer.

We also cover a common privileged access failure where a domain admin uses an elevated account for email and browsing, and how least privilege plus a privileged access workstation (PAW) architecture can prevent a single phish from becoming domain compromise. Finally, we sharpen the fundamentals with an RTO/RPO recovery timeline question and a SIEM brute force threshold miss that illustrates false negatives and the need for better tuning and behavioural baselines.

Subscribe for weekly CISSP training, share this with a study partner, and leave a review so more security pros can find the show. What topic do you want me to turn into practice questions next?

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

Welcome And What We Cover

SPEAKER_00

Welcome to the CISSP Cyber Training Podcast. We provide you the training and tools you need to pass the CISSP exam first time. Hi, my name is Shon Gerber. I'm your host, podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cyber checker in the light. All right, let's get started.

Foxconn Ransomware And IP Fallout

Domain 7 Study Resources And Cohort

Live Forensics And Volatile Evidence

Critical Patch With No CAB Meeting

Domain Admin Misuse And PAWs

RTO And RPO Explained Fast

SIEM Thresholds And False Negatives

Wrap Up And Next Steps

SPEAKER_01

Good morning, everybody. It's Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today's Thursday, and we are going to be getting into CISSP questions for the CISSP exam. We're going to be focused around domain seven for today. So the quick great questions that are coming out, I'm just super excited about that. And, you know, it's just it's amazing how the world is changing around us. Seeing more and more articles that make me believe Armageddon is upon us. I mean, I don't mean that in a literal sense. I mean maybe, but when it comes right down to it, the uh the things that I'm seeing coming out of what AI is doing and where it's going, it's actually quite interesting. So I just the world seems like there's never a dull moment anymore. There's always something going on. Well, and there's today's article that we're going to talk about is no different. Yeah, no, it's no different at all.

This is an article that I got out of Wired, and it's "Foxconn Ransomware Attack shows nothing is safe forever." And this is on Wired magazine and uh by Lily Hay Newman. So I'm not sure if you're all aware, but Foxconn is a major electronics manufacturer that is global, right? They're here in the United States, they're also all over there in China, they're everywhere. And they make stuff for Apple, Dell, Google, and NVIDIA. So they are obviously a targeted entity, you would think, in most cases. Uh when I worked as a CISO for a very large multinational that was in a chemical manufacturing facilities and manufacturing business, uh, we were targeted on a routine basis, but we were never targeted to this the level that Foxconn, you can anticipate, is. So what's the basis of this? And this was again out of Wired magazine, is that this ransomware group called Nitrogen claims to have stolen around eight terabytes of data, including schematics and project details. Now, coming from a red teaming background, that is a huge deal.
It's a monster deal. So it's pretty interesting to see if that actually occurred or uh if it if it I'm assuming it did, and if it did, that is I would be very subs uh upset if I was in the Foxconn shoes. So the company's response is Foxconn's confirmed that the cyber attack affected some North American factories, but production is resuming, and they haven't confirmed the full scale or validity of the data theft. I would say that if it's anything related to their business operations, they probably will not tell you how much data was actually stolen. The only time they have to get into the disclosure is how much it deals with uh employees or personal data. At that point in time, they would have to disclose what has actually occurred. So again, they've got our IP, they have it was a supply chain impact disrupting Foxconn uh across their global manufacturing areas. So it did, they said it only affected the US-based stuff. However, because they everything is tied together from a supply chain standpoint, they actually have impact around the globe. So, what is a little bit about this nitrogen group? Who are these folks? So they've been active since 2023 and they've had a little bit more noticeable activity in 2024. They've been targeting North America and Western Europe, focusing on manufacturing technology and retail. So, again, space I'm very well familiar with, and I have never heard of the nitrogen group, but these guys are in many cases spin-offs of other mercenary groups that are out there. So their main modus of operandi is data extortion and then traditional ransomware. Obviously, they're trying to make a payout. Um, I don't know if they have they take this data and sell it to the highest bidder. I would say that's probably one of their aspects as well, uh, especially if somebody does not pay up, they will take this information and sell it to the highest bidder. 
And in many cases, especially like such as Foxconn, that would could be extremely painful and cost a lot of money and a lot of information lost to the company if they did that. So it's it's interesting. Again, I always say these things are interesting because they are. They, if you really kind of peel everything back, all of these attacks can cause some level of drama, right? But it's not just the fact that what are the cascading impacts of each of these attacks? Not just what happens to you and your bottom line is your business. How does it affect the overall global world economy in many ways? So, some of the implications around this is Foxconn, even if production resumes, the stolen schematics and project data could compromise their IP, delay projects, and create liability issues. And that from a CISSP standpoint is something you would want to be well aware and well-versed of is your IP protection. For customers, obviously, such as Apple and Dell, these kind of sensitive designs could be exposed and open them up to kinds of IP loss or even competitive advantage loss. Uh, if depending upon, I'll give you an example with when the launch of the FireWire connector for Apple was out there. I was working with a company, and Molex is the company that was worth working with uh that with they were creating the connector for it. And they had very tight restrictions on when they could actually create this connector. They had very tight timelines on when they could uh produce it and release it because they knew as soon as they released it, it was going to get copied. So there's lots of different things that are gonna be out there that are gonna cause concerns with the Apples and Dells of the world. Uh for cybersecurity, obviously this highlights the need for stronger defenses and monitoring, but mainly when it comes right down to it, we talk about this a lot at CISSP Cyber Training. It is about handling the incident when it happens.
It's not a matter of if, it's a matter of when. And having a good incident response plan and process to deal with these issues is imperative for any organization, even if it's Foxconn. So again, this is the article out of Wired magazine from Lily Hay Newman. Foxconn ransomware attacks show nothing is safe forever. I don't know if that really shows that, but because of the fact is we know nothing is safe forever. But hey, it's a good title and it grabs your attention. All right, let's roll into what we're going to talk about today. All right, so we are getting into domain seven of the CISSP exam. So all these questions are available to you at CISSP Cyber Training. You can get access to these questions as well as the recordings around them. So it's a great resource for you to be able to watch and listen and learn around the CISSP and use that mindset for it. In addition, as far as CISSP is concerned, we have aspects for you to be able to get your CPEs, to be able to work with a cohort. If you're working on your CISSP right now and you feel that you have like two months to study for it, I have a cohort that is starting on July 7th. And on July 7th, we're gonna be doing this cohort and it's going to be set up so that in eight weeks from the time we start, you will be ready to sit for the CISSP exam. And the best part about all this is that it's going to be, it's gonna, it's like a boot camp, but it's gonna keep it small and work within your schedule. So it's not something that you have to spend tens of thousands of dollars in making happen. It is relatively, I mean, for the amount of what you're getting, it's it is cheap. It really truly is. Go check it out. It's the cohort at CISSP Cyber Training. Question one. During this forensics investigation, a suspected insider threat, the security team images a running workstation without shutting it down. 
The lead investigator is challenged by legal counsel who argues the team should have powered off the machine to preserve the clean disk image. Which response best defends the investigator's decision? So the investigator didn't shut down the machine. Their lawyer is telling him you should have shut it down to preserve a clean disk image. And what does that clean disk image basically mean? Well, is there any sort of volatile information that's potentially in there? And should they save it? If they're shutting it down, why not? Well, so this is the part where it comes into play. This is where you as a cybersecurity professional are gonna have to use your tact, and you're gonna have to this the communication aspects that we talk so much about on CISSP cyber training that you have to be prepared to deal with the communication aspects. So you got a lawyer and you got you in the room. What are you gonna do? So A, power off the machine would have triggered a full disk encryption lock, making the drive unreadable. B, a live image always admissible in court, whereas the powered off image requires a hash verification chain. C, live acquisition, live acquisition preserves volatile memory artifacts, running processes, network connections, and decrypted data in RAM. That would be permanently lost upon shutdown, and the order of volatility prioritizes this data. Or D, shutting down the machine would have violated the chain of custody by introducing a state change to the evidence. Okay, so which one of these best defends the investigator's decision? So let's go into ones that are not correct first. Powering off the machine would have triggered a full disk encryption lock, making the drive unreadable. That's not true, right? We we know that if they had access to it, and IT professionals do, they have the ability, probably did encrypt it, it probably would, but you have the ability to unencrypt because you are God on that machine, right? You have your IT professional. 
So that would not be the case unless that machine, it didn't talk about in there, was specifically owned by the individual. If it was owned by the individual, not managed by IT, yes, then shutting it down would potentially cause you a big problem. Uh, B, the live image is always admissible in court, whereas a powered off machine requires a hash verification chain. Now, the thing is, is you wouldn't want that necessarily having a live image as admissible in court, and that's the key term is always admissible in court. That you when you see something like that, that is usually a red herring that's saying, hey, you should do that, but no, it's really not the right answer. So B is not correct. And then C, shutting down the machine would have violated chain of custody by introducing a state change to the evidence. Now it wouldn't do a state change, that is correct, and it would have not necessarily violated chain of custody, but it would cause a state change around that. So the chain of custody is that you actually having access to that system in itself. The big issue is that by turning it off, it causes problems with your volatile memory, right? You have stuff that's in RAM. So let's just say, for instance, the individual went and did all of these different things, and then they uploaded it, they sent it where they were going to send it, and then they went in and they deleted everything and it was gone. Uh, this, you wouldn't have that if you shut that down. You wouldn't be able to potentially trace that back with that's within RAM. So it's important that you understand the order of volatility. And this is RFC 3227, which establishes that forensics responders must collect the most transient evidence first. So again, when you're dealing with forensics aspects, here's the other question you're gonna need to do. 
If you now that you guys have AI with you, now again, you can't rely on it completely, but now that you have that, before you do anything with any of these systems, maybe run it by AI, not with the IP information that you're saying, but these hyperbole questions and see what it comes back with. So before you start doing anything, it's always better to slow down, make sure you have everything before you actually do it. All right, so again, RAM contains decrypted file system data, active session tokens. It runs if it's running malware and memory, that would be something that you would see. Uh, open network sockets, all these things are in RAM memory and they're all volatile memory. So the moment you shut this thing down, it all goes away. So again, that's the best answer is live acquisition preserves volatile memory artifacts, running processes, network connections, and decrypted data in RAM. So again, that's something to consider when you're dealing with forensics.

Next question: a patch for a critical vulnerability is released on Tuesday. Yay, Patch Tuesday. The vulnerability has a CVSS base score of 9.8, and public exploit code is already circulating. Not good. Not a good place to be. The change advisory board, your your CAB, so it's the people that within your company, your CAB, is not scheduled to meet for 10 days. Oh no, mother. Which action is the most consistent with a mature security operations program? Okay, so you're dealing with something that's out there that has to be addressed immediately. Your CAB board, which allows you to have change management to occur, is not meaning getting together for 10 days. So, because they typically a change management board will get together maybe once a month, maybe once every two weeks, uh, but they don't always get together weekly. So, what is the most consistent with the mature, again, a mature security operations program, what should you do?
All right, so A, wait for the scheduled CAB meeting to maintain compliance with change management processes. B, invoke an emergency change or prop change process, implement compensating controls immediately, and fast track the patch approval process available to CAB members for an emergency change authority. That's a lot of words, but yeah, basically fast track it and go through an emergency change. C, deploy the patch directly to production without CAB approval because the risk of delay outweighs the process compliance, or D, notify executive leadership and defer the decision to them. Using a CVSS 9.8 vulnerability requires senior authorization. Okay, so there's a lot going on in here. And as a security professional, you need to know every one of these. Yes, they are important. And this comes down to the management thought process that is so inherently strong in the CISSP as well as the CISM. You need to make sure that you understand all of these thought processes. So we we talk about high risk score, we talk about the change management or change board, right? The change advisory board, which is most consistent with a mature security operations program.

Okay, so the ones that are incorrect, wait for the scheduled CAB meeting to maintain compliance with the change management process. Okay, so if your house is burning down, you don't want to wait for the, and say you've got a hose right there available, you're not just gonna say, well, let's just watch it burn. I'm gonna go ahead and just put my hose on it. I'm not gonna put my hose on it, I'm just gonna watch it. That is not something you want to do. You would obviously want to pull out your hose and start, you know, trying to put the fire out. Now, that being said, if your house is totally engulfed in flames, yeah, your hose is not gonna do much good. But if it just started, the hose is a good option. Okay, that's probably a really terrible analogy, but it's the one I can think of at the time.
D, let's go to the next one that's not correct. Deploy the patch directly to production without CAB approval because the risk of delay outweighs the process of compliance. Yeah, so that's just you're shooting from the hip and you're just gonna deploy it. Okay, that's not a good idea either. Uh, the reason is because there's processes in place for a reason, and you need to follow those processes. Now, I would say that there's a process in there to deal with this situation specifically. Because if, and if it doesn't, if your organization does not have a process to deal with this type of situation, then you need to build one. And you could be the hero. You could come in and say, this is what I recommend, and they can go, oh, you're amazing. And then they'll promote you to CISO and you'll make gazillions of dollars. Uh we know that's a lie, but that's hey, it's worth a shot.

Then D, notify executive leadership and defer the decision to them since the CVSS 9.8 vulnerability requires senior authorization. Okay, so this is what we talk about with influence, right? So you're gonna defer this to the executive leaders, and you are the the security person gonna come in with your uh tape on your glasses and your pocket protector going, we must wait. We must, we have 9.8, you must deal with it, not me. Okay, you do that, you're you're gonna not be in the room very long, right? They're gonna they they want you to come to them as the senior professional to tell them what you should do. So you would not defer to say executive leadership. You would come to them with a recommendation. Now, they may make a decision on something that may be contrary to what you want, but you need to be prepared. Now, in this situation, you wouldn't even go to executive leadership because it the the house is burning. You have to deal with it. They've empowered you, or at least we hope, with that ability to take care of that.
So you would do B, invoke an emergency change process, implement compensating controls immediately, and fast track patch approval through the CAB members or an emergency change authority. So you should have an emergency change process in place, and that would be you would fast track these approvals through the CAB saying, hey, I've got an emergency change, these are the details behind it, you send it to them saying, I need approval. Um, and if that doesn't work, then there's always a fact that you can then go to it and deploy it anyway. But you need to go through the change access or change management process as it is defined within your organization.

Next question: a systems administrator with domain admin privileges uses their privileged account as their daily driver for email, web browsing, and general productivity tasks. Oh, that's a great idea. Uh the target of phishing email delivers a malicious macro that executes under the administrator's context. Yes, because that's what they use it in. Which security principle is most directly violated, and what architecture would have prevented this outcome? Okay, so the admin is doing stuff using his admin account to do stuff he shouldn't on a daily basis, right? So going visiting websites, doing his normal activities, whatever that might be. And then he gets hit with malicious software and they take, they own him. Okay, so let's go through the answers. The least privilege, uh, A, least privilege, the administrator should maintain separate accounts, standard user account for daily tasks, and privileged accounts only for administrative functions via a privileged access workstation or a PAW. C or B, separation of duties, dual control approval for administrative actions, which would prevent the malware from executing. C, need to know, restricting the administrator's access to sensitive data repositories would have limited the malware's lateral movement. Or D, defense in depth.
A properly configured endpoint detection and response tool would have been the primary preventative control. Okay, so again, they're asking the question which security principle most directly was most directly violated. So that's question one, and what architecture would have prevented this outcome? Okay, so they're saying we gotta so you can narrow this down. There's actually actually two questions here. Which one was most directly violated and which architecture would have prevented this outcome? So let's go to the questions that are wrong or the answers that are wrong. D, defense in depth. Properly configured endpoint detection and response would have been primarily prevented the control. Okay, so this has nothing to do with defense in depth. This deals with privilege, right? So we know that it defense in depth is it. So you could throw defense in depth out the window right away, just because of the fact that this is dealing with administrative access. It's dealing that's that's why it's not a defense in depth issue. Next one, need to know. Restricting administrator access to sensitive data repositories would have limited the malware's lateral movement. Okay, so this is more of a process piece, so that you would limit this person to have need-to-know access. So therefore, the access that they have within their account would not have the ability to get proliferated throughout the organization. Um that really is you you could glob onto that a little bit, but the need-to-know is not something you would push go down this path with an administrator. Because administrators, in the most part, they are designed to have access across a wide-ranging area within their organization. So typically, administrators do not have very tailored access unless it's a very specific organization that has like IP and you have very limited uh fields that they can get access to. The next one is separation of duties. 
Dual control approval for administrative action controls would have prevented the malware from executing. That would have not stopped the malware from executing, even having separation of duties, because it's basically saying you have an approval that if I'm going to do something, I'm now have to have my supervisor approve it. And they have, once they approve it, then once they click approve, if they don't click approve, it won't, malware will not work. That it really doesn't work here. The brilliant it comes down to is least privilege, right? You get the least amount of privilege you have to gain access to these systems. And this is where it's the where they have to deal with the separate accounts and they have to go specifically around privilege identity from a daily use activities to an administrative activity. They have to be separated. So when a domain admin uses their elevated account for routine tasks such as email and browsing and all those different areas, it can potentially compromise the session, grants the attacker domain level access immediately. And we always focused on those people that had God credentials and were using them on a daily basis. As a hacker, that's was like the sweet spot. Once you did that, you did the happy dance because then life was much easier for you. And you could do it in many cases 24-7 because they didn't even know it. So yeah, it's fun like that.

Okay, next question: an organization's RTO, or so recovery time objective for its core transaction process system is four hours. And its RPO is 15 minutes. A disaster occurs at 2 p.m. The last successful backup was completed at 1:50 p.m. Okay, so it's happened. Last backup was 10 minutes prior. Recovery operations restore the system and bring it back online at 5:45. So basically three hours, almost four hours, just shy of four hours. Which statement accurately characterizes the recovery outcome? Okay, A, both RTO and RPO were met.
The system was restored within four hours, and the backup was within 15 minutes of the disaster. B RPO was violated, RTO was met. The 10-minute window gap exceeds the 15-minute RPO threshold. C, both RTO and RPO were violated. The 15-minute RPO requires real-time replication, which was not in place. And then D, RTO was violated, RPO was met. The system took three hours and 45 minutes to restore, but the data loss window was only 10 minutes. Okay, so let's look at the ones that are incorrect. RTO was violated, RPO was met. The system took three hours and 45 minutes to restore, but the data loss window was only 10 minutes. Okay, so we know that the RTO was four hours. So the recovery time objective, and it was done within four hours, three hours and 45 minutes. So the RTO was not violated, it actually was met. And the RPO is 15 minutes, which was also met because it recovered within 10 minutes. So that is not a correct answer. Correct uh the next one both RTO and RPO were violated. A 15 minute RPO requires a real time replication, which was not in place. So they both, we just discussed just a second ago, they both were uh met. So that one is incorrect. And then the next one, RPO is violated, RTO was met. The 10-minute gap exceeds the 15-minute RPO threshold. So we know that RPO is 15 minutes. It did not exceed. The 10 minutes did not exceed the RPO threshold. So what does all this mean? It means they both were met, right? It did it within the RTO was four hours. The recovery time objective, they did it within three hours and 45 minutes. The RPO objective, so recovery point objective is 15 minutes and they did it within 10. So yes, it's a lot going on, but you need to break this down. This question here, the thing to make this thing successful is break down what your RPOs are as four hours. RPOs 15 minutes. You know those going into it. Your recovery time objective and your recovery point objective. Then break down your time. 
So once you put all that down on a piece of paper, once you get that, you go, okay, yeah, it was met. It was met. It was met. Good. We're good to go. And real quickly, you can burn through that question really quick. Once you know that the both RTO and RPO are met, you can then go, yep, that's it. It makes sense. Read it. We're good. Click the button. Right. So that's the whole piece on that.

Last question. A SIEM analyst notices a single workstation generating 47 failed authentication attempts against various internal servers over a six-minute window. So a lot of failed attempts over a small period. Followed by one successful authentication. Oh no, that's not good. No alerts fired during this period, specifically since they were in. After the investigation, the analyst discovered that the SIEM threshold for brute force alerting was set to 50 failed attempts within 10 minutes from a single source. Which concept does this scenario most directly illustrate? And what is the recommended remediation? Okay, so you got it's 47 failed authentication attempts against internal servers over a six-minute window, followed by one successful attempt or authentication. No alerts fired during this period. So why did that why did they not fire, right? Well, this basically says that for the SIEM has a brute force alerting is set to 50 failed attempts within 10 minutes from a single source. So 50 is the is the base. It's the floor, right? So which concept does this scenario most directly illustrate? Okay, so A, a false negative caused by improperly tuned detection threshold remediated by lowering the failed attempt threshold and incorporating behavioral baselines to detect slow and low attacks. Lots of words. Lots of words. You'll have to read through that one really carefully. B, a false positive suppression rule that masks the alert, remediate by reviewing and removing overly broad suppression logic. C, a gap in log aggregation causing event loss before SIEM ingestion.
Remediate by auditing the log forwarding pipeline of dropped events. Or D, a signature-based detection failure. Remediate by switching to an anomaly-based detection failure engine. Okay, so big words, lots of them. What does all this mean? Okay, so you can break this down, right? Put it in paper, six-minute window, okay, 50, 47 attempts, and then it was one successful. So you know somebody got in, right? But nothing flagged in your SIEM. And because your SIEM is set at 50 failed attempts within 10 minutes. So it was within the 10 minute window, but it was under the 50-minute threshold or the 50 failed attempt threshold.

So let's go break this down into the ones that are not correct. A signature-based detection failure remediated by switching to anomaly-based detection engine. This was not a signature-based detection failure at all, because it was just failed attempts. It was authentication attempts that were trying to occur. So it's not signature-based. Throw it out the window. A gap in log aggregation caused by event loss before the SIEM ingestion. Remediate by auditing the log forwarding pipeline. So what they're basically saying on this situation is that you your logs weren't sent to your SIEM in time. They were not correct. And there's your basically your syslog that forwards logs didn't do its job. We'd have nothing in here to say that that's the case. This was about failed attempts and a threshold of 47 and 50. And then C, a false positive suppression rule that masked the alert, and then remediate by reviewing and removing overly broad suppression logic. So nothing was suppressed. Okay, right, because it was it hit the threshold of 47 before it got logged in. 50 was the threshold, the base, it was the floor. So the problem is it's a false negative caused by improperly tuned detection threshold, right? So your improperly tuned detection threshold was 50. It needed to be lower.
And it also needed to remediate by lowering that attempt threshold and incorporating behavioral baselines to detect slow and low attacks. So someone going just trying it a little bit at a time. Again, if they're going, let's say, for instance, they know that it's going to start alerting at uh let's say 30 is a number, but it is it's hitting like, okay, I do two every minute or every, yeah, I don't know, two every one minute, and then two every three minutes, and then 10 every so you're doing it slower and lower, right? You're just do you're doing it like that. Uh then that would end up you'd want to have some sort of anomaly detection around that. So again, the you want to look at considering the lowering the threshold of maybe between 20 and 30, incorporate behavioral baselining, all of those aspects would be an important part in this specific situation that would help you pass and actually get alerts within your SIEM concept and your SIEM platform.

Okay, that's all I have for you today. Go head on over to CISSP Cyber Training, check it out. It's awesome stuff there, lots of great stuff for you. Uh go look at it, see if there's anything there that can help you with your CISSP journey. But bottom line is CISSP Cyber Training is here for you to help you pass the exam the first time. All right, thank you so much for joining me. We'll catch you on the flip side. See ya.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.