
March 20, 2025 17 mins


Today's cybersecurity landscape demands vigilance on multiple fronts, something Sean Gerber demonstrates masterfully in this information-packed episode focused on CISSP Domain 3 security principles.

The episode opens with a critical security alert regarding Cox modems—a vulnerability potentially affecting millions of American households and businesses. While quickly patched by the company, this real-world example perfectly illustrates one of Gerber's key points: exposed APIs represent a massive blind spot in organizational security posture. "Many organizations truly do not understand how many API connections they have leaving their organization," Gerber warns, identifying this as a primary vector for data exfiltration.

Moving into the heart of the episode, Gerber walks listeners through fifteen challenging CISSP exam questions covering encryption standards, security principles, and practical implementation scenarios. Each question reveals essential security concepts—from why AES-256 should be prioritized over proprietary encryption algorithms to how abstraction and access controls function together in database security. The explanations break down complex topics into digestible, exam-ready knowledge while providing practical context for real-world application.

Perhaps most valuable is Gerber's focus on security principles working in concert rather than in isolation. Defense in depth, secure defaults, data hiding, and integrity verification through hashing are explained through scenarios security professionals encounter daily. Whether you're preparing for the CISSP exam or looking to strengthen your organization's security posture, this episode delivers actionable insights and critical thinking frameworks to elevate your cybersecurity approach. Visit cisspcybertraining.com to access these questions and additional resources that will help you pass the CISSP exam on your first attempt.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast.
Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started.

Speaker 2 (00:25):
Good morning.
It's Sean Gerber with CISSP Cyber Training.
Hope you all are having a wonderfully blessed day today.
Today's an amazing day.
Why is it today amazing?
Well, because it's CISSP Question Thursday.
Yes, and we are going to be getting into some questions as it relates to domain 3.1.2 and 3.1.3.

(00:48):
But there's some various questions that we'll have that you can gain access to directly through cisspcybertraining.com.
Go ahead there and you can get them immediately.
Yes, you can, all right, but before we get started, we want to talk about one little article I saw come out today and if you deal in the United States, you deal with a company called Cox, C-O-X.

(01:11):
Cox has a situation set up where they're potentially, they're supposedly an authorized bypass that are issued that's dealing with the Cox modems.
Now, I don't know if you all have dealt with Cox as your service provider.
So I have ISPs.
Cox is one of them.

(01:34):
There's many other ISPs out there, but Cox is a very large company within the United States and they are an internet service provider that provides, obviously, your bandwidth to many, many residential locations.
Well, supposedly there is a potential challenge with the Cox modems that could be abused and it could provide unauthorized access to devices to run malicious commands.
Now, this came out of the Hacker News, and you can actually be able to see this in the show notes.

(01:55):
It's Researcher-Uncovers-Flaws in Cox Modems and the Hacker News.

(02:18):
An interesting part about this, though, is I don't know if you all are aware, but many, many people in the country have Cox available to them, and they're basically these issues were addressed by the broadband provider within about 24 hours, so they did say that they were able to get this issue resolved very quickly.
However, they can't confirm if it's been abused over the past.

(02:40):
Now, one thing that it's interesting about this and I mentioned this in the podcast on Monday was around the fact of exposed APIs, and I say this exposed APIs, I feel, are probably one of the largest data exfiltration points within an organization, because, in many cases, organizations really truly do not understand how many API connections they have leaving their organization or connected into their organization, and so, if you're not familiar, an API is a connection that will allow for standard protocols between.

(03:02):
It's basically an application programming interface is what they call it, but it's basically a standard protocol that allows you to communicate with traffic back and forth between applications, and it works really well because it allows for the streamline of data transfers versus having to have gateways in between or just having just communication challenges, so it makes a really good, easy way to communicate.

(03:23):
Well, because of that, though, many people stand them up, and if they stand them up, they don't always know that they exist, and so there was a situation where, supposedly, some external APIs were set up with these Cox systems.
Now, again, no one can guarantee or can say that this was actually manipulated by people, but the interesting part is that this is a lot of different organizations that have Cox, as well as a lot of homeowners that have it.

(03:43):
So I will say that I've never been real impressed with the Cox modems as themselves.
They seem a little janky and they don't really give you the ability to do a whole lot with them, which I'm not a big fan of.
But, again, something to check out if, supposedly, they have fixed this issue as it relates to Cox, but you may want to ask them a little bit about that.

(04:07):
All right, so let's get started, as it relates to our questions for today.
So, again, a CISSP cyber training.
You can go there.
You can get access to all these questions and many, many more, as it relates to the CISSP exam.
This is going to be again over domain 3.1.2 and 3.
So question one: a company is migrating its data storage to a cloud platform.

(04:28):
The cloud provider offers multiple encryption options, including AES-128, 256, and proprietary encryption algorithm.
Which encryption standards should the company prioritize for maximum security?
Okay, so, basically they're moving to a cloud platform and they have different versions 128, 256, 256 and a proprietary encryption algorithm.
When you hear proprietary, get very squeamish.

(04:49):
A, AES-128 is faster and more efficient.
B, AES-256.
It offers stronger encryption key length.
C, the proprietary encryption algorithm for vendor-specific benefits.
And then D, it doesn't matter.
All options provide sufficient security.
Well, the answer is B, 256, right?

(05:09):
So while both 256 and 128 are considered secure, it does offer a longer key length that's 256, making it much more resistant to brute force type attacks.
So you would go with that one.
Question two: a company utilizes a database with a complex data schema.
Developers interact with the database through custom APIs that expose only specific data elements relevant to their tasks.

(05:32):
That's a good thing.
What security principle is demonstrated here?
A, data hiding, as sensitive data elements are concealed from developers.
B, abstraction, as the API simplifies the database interaction for developers.
Or C, access control, as the API restricts developer access to certain data.
Okay, so again, let's think about that for just a second.

(05:53):
The company's database with a complex data schema.
Developers interact with the database through custom APIs that expose only specific data elements relevant to their tasks.
Which security principle is demonstrated?
And the answer is D, both B and C, abstraction and access controls.

(06:16):
Again, that's the big factor around, that is, we use the abstraction layer, hiding the database complexity and exposing only necessary functionality, whereas it also enforces access controls by limiting their abilities of the developers.
Question three: a company embeds secret message within an image to conceal its existence.
This technique is most closely related to A, steganography, as it hides data within another file.
B, encryption, as it scrambles data and message confidentiality.

(06:38):
C, data hiding, as it prevents unauthorized access to the message.
Or D, hashing, as it creates a unique fingerprint to verify data integrity.
And the answer is A, steganography.
We talked about that in the podcast.
It's basically hiding files inside of another file and you want to watch the size of that, but then you have to understand what size is the file supposed to actually be?

(07:00):
Question four: a company implements access control list on a file server, allowing for specific users read-only access to certain files.
Additionally, some highly sensitive files are renamed with generic names, making them less conspicuous.
Which security principle are is at play here?
Principles are at play.

(07:22):
So a company implements an access control list on a file server, allowing specific users read only access to certain files.
Additionally, some highly sensitive files were renamed with generic names.
Which security principle is working here?
A, defense in depth and data hiding are both employed.
Abstraction simplifies it for users and access controls enforce control.

(07:43):
C, encryption protects the data and ACLs restrict access permissions.
Or D, steganography hides the data within other files and ACL controls access.
And the answer is A, defense in depth for data hiding are both employed.
So basically, you've got it through access controls are in place, as well as your data hiding piece with your tokenization.

(08:05):
Question five: a company needs to encrypt the data at rest on its servers.
Which of the following is most relevant factor when deciding between symmetric and asymmetric encryption?
So a company needs to encrypt data at rest on its servers.
Which the most.
Which of the following is the most relevant factor when deciding between the symmetric and asymmetric encryption?
A, processing power required for encryption and decryption.
B, the need for secure key distribution and management.

(08:28):
C, scalability of encryption solutions for large datasets.
And D, all of the above are important and the most relevant factor is D.
All of the above are important, both processing power, key distribution and scalability of the encryption solution.

(08:51):
Question six: a company implements a new operating system with pre-configured settings that disable unnecessary services and enforce strong password policies.
How does this demonstrate a security principle?
Which one is it?
A, data hiding, as sensitive information is concealed from users.
B, encryption, as data is scrambled for confidentiality.

(09:12):
C, data are secure defaults, as the system is pre-configured with a more secure state.
Or D, abstraction, as a complexity of the security settings is hidden from users.
So again, we're talking disable unnecessary services and strong password policies.
It would be C, secure defaults, as they're pre-configured to be a more secure state.

(09:33):
Question seven: a company segments its network, placing the development environment in a separate zone from the production environment.
How does this contribute to data hiding?
Okay, they segment their network from separate zones in the production environment.
How does this contribute to data hiding?
A, it hides the data context, making it invisible.

(09:54):
B, it restricts access to development data, hindering unauthorized viewing.
C, it conceals the existence of development environment altogether.
Or D, it doesn't directly contribute to data hiding, but improves security.
So what does this contribute?
It's B, it restricts access to development data, hindering unauthorized viewing.
Question eight: a company encrypts its data at rest, in transit and in use.

(10:15):
How does this exemplify DEMP defense in depth?
A, encryption places the need for other security controls or replaces the need for other security controls?
B, it protects the data in multiple states, adding layers of security.
C, strong encryption algorithms ensure data remains unreadable.

(10:36):
Or D, encryption simplifies access controls for authorized users.
And the answer is B, it protects the data in multiple states, adding layers of security, like we talk about again defense in depth.
You want to have multiple layers to one stop them and two to also trip them up.
Question nine: a security analyst configures a secure boot on a laptop.

(10:58):
How does this relate to the concept of abstraction, abstraction and secure boot?
A, secure boot hides the underlying boot process complexity from the users.
B, it prevents unauthorized modification of the boot settings and simplifies the management.
C, encryption is applied to the boot process, making it more secure.
Or D, secure boot doesn't directly relate to any sort of concept of abstraction.

(11:21):
And the answer is A, secure boot hides the underlying boot processes.
Complexity from the users, again forcing them to have unauthorized modifications at a deeper level, while the users interact with the operating system as they typically would.
Question 10.
A company encrypts sensitive data with strong encryption algorithm.
However, all encryption keys are stored on a single server with minimal security control.
Not good.

(11:43):
What is the biggest security risk in this scenario?
Okay, well, let's see what you all think.
A, the encryption algorithm itself might be weak and easily broken.
B, the encryption might be slow in data processes, which affects access times.
C, the lack of access controls in the server storing the encryption keys.
Yeah, ding, ding, ding, ding, ding.

(12:04):
Or D, the users might not be trained on how to properly use the encryption software.
Yeah, that's C.
You put all this stuff in one basket and you don't take care of it.
You're going to have problems with that.
Encryption keys are compromised.
Then it's a jackpot for the bad guys and girls.
Question 11, a company uses a hashing algorithm to verify the integrity of downloaded software files.

(12:25):
An attacker modifies the software before uploading it.
How will this impact the verification process?
Okay, they're using a hashing algorithm to verify the integrity of the downloaded software, so integrity of software.
Attacker modifies the software before uploading it.
How will this impact the verification process?

(12:46):
A, the hash value remain unchanged, allowing for compromised software to pass verification.
B, the hash value will be different, raising red flags about the file's integrity.
C, the encryption would be more effective solution for verifying the software integrity.
Or D, hashing only ensures confidentiality, not data integrity.
So again, the hashing provides a unique fingerprint.
That's the key, right.

(13:07):
And the answer is B, any modification of the data will result in a different hash value.
This alerts would be in the case.
So you'd want to make sure that if you're going to be doing hashing algorithm is the integrity of the downloaded files.
You'd want to make sure that if they're making changes to the file, okay, you want to make sure that that has been double-checked and modified.

(13:29):
So it would make sure that the hashing algorithm matches with what the file should be.
Question 12.
A company utilizes sandbox environment to test untrusted code.
How does this approach demonstrate the concept of abstraction?
A, sandboxing simplifies the testing process by isolating the code.
B, it hides the complexity of the underlying system from the tester.

(13:50):
C, sandboxing restricts code access and resources and prevents harm?
Are both B and C are correct?
Which hiding and sandboxing restricts?
And the answer is D, both B and C are correct.
It hides the complexity of the underlying system and it restricts the code's access to resources and prevents harm.

(14:10):
Question 13.
A company implements DLP to prevent unauthorized data exfiltration.
How does this relate to the concept of access controls?
A, DLP complements the access controls by monitoring the data movement and identifying suspicious activity.
DLP focuses on data in transit, while accessing controls restricts access to data at rest.
B, DLP replaces the need for access controls altogether.

(14:33):
C, DLP forces the data out encryption, making it invisible for exfiltration attempts.
And the answer is DLP complements the access controls by monitoring data movements and identifying suspicious activity.
Question 14, the security team monitors various security metrics, such as firewall logs and intrusion detection alerts.

(14:56):
How does this contribute to the defense in depth?
Again, they monitor various things and how does this contribute to defense in depth?
A, security metrics provide a clear picture of the overall security posture.
B, monitoring allows for early detection and potential security incidents.

(15:17):
C, analyzing metrics helps identify weaknesses in existing security controls.
D, all of the above contribute to defense in depth.
And the answer is all of the above, right, security metrics.
Monitoring and analyzing them all help around defense in depth.
Question 15.
A company implements a strict patch management process to ensure all systems are updated with the latest security patches.
How does this relate to the concept of secure defaults?

(15:39):
Defaults. Again, they have a strict patch management process.
How does this relate to secure defaults?
A, patching vulnerability strengthens existing security configurations.
C, secure defaults eliminate the need for regular patching altogether.

(15:59):
C, patching might introduce new vulnerabilities or compatibility issues.
Or D, both A and C are correct.
And the answer is D, both A and C are correct.
Patching vulnerability strengthens existing security controls and patching might introduce new vulnerabilities for compatibility issues.
So, again, those are all situations that they have to work through.

(16:21):
Okay, that's all I've got for you today on CISSP Cyber Training.
Hope you guys have a wonderful day.
Head on over to cisspcybertraining.com for this video, for access to my content.
You will love it, guaranteed.
I guarantee you.
Get on my email list and we will be getting updates on a regular basis on all great things that are happening at CISSP Cyber Training.

(16:42):
Have a wonderful day, everyone, and we will catch you on the flip side, see ya.