Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started. Let's go cybersecurity knowledge.
Speaker 2 (00:28):
All right, let's get started. Good morning everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautiful, blessed day today. Today is CISSP Question Thursday. So, yes, we're excited about getting into the CISSP questions related to 6.2 of the ISC² CISSP exam. So today that's what we're going to be talking about. But before we do, yes, we always have an article about something
(00:49):
that I kind of pick up out of the news. That was kind of just my trigger and saw something that was like very interesting as it relates to AI in the SOC or Security Operations Center. This is actually an interesting article. Now, it's not really an article, it's more of a sales pitch, but this is where I see the things going as it relates to AI
(01:09):
and its capabilities, and this comes out of The Hacker News and it's called "Agentic AI in the SOC: Dawn of Autonomous Alert Triage". Now, if you all have dealt with the SOC, and we talk about this on CISSP Cyber Training quite a bit, when you're dealing with your overall security operations center and how are some of the things that you are struggling with, many SOCs struggle with the overall triaging of alerts that are coming in.
(01:31):
There are so many alerts and they don't know how to deal with them. And they have analysts that are looking at these alerts, trying to go through each individual one, and a lot of them are just obviously either false positives or they're just overwhelmingly garbage, honestly, and so they really struggle with the alert volumes and what should they do?
(01:54):
And this is where we all have been thinking about this, that the AI is going to be able to revolutionize in so many different ways. Well, this product from Magentic, they have out that it's basically going to do a lot of the things that a first tier, Tier 1 analyst, would do. So, one of the aspects that comes in when you're dealing with AI, they have the assistant AI, which is your AKA copilots
(02:15):
, right? So your Microsoft Copilot and so forth, and the difference that they are talking about with their agentic AI is that it is separate from what you would do with a copilot, so, as basically a copilot or a traditional AI, it would be a powerful assistant, right? It's something there to help you with different contexts, concepts and so forth, and those are really smart, obviously, in helping you, giving you direction on which way to go,
(02:35):
but they don't proactively investigate, and I think that's the one aspect of a SOC. If you can get something that will proactively investigate Tier 1 alerts, that is going to dramatically reduce the amount of overhead that your SOC analysts are going to have to go through. Now it's nice to have Tier 1 alerts to train your SOC folks on and to kind of have a training plan to give them some
(02:56):
understanding of what occurs. But if you have to put everything through your Tier 1, they get overwhelmed. They get to the point of they just can't do it and they don't want to do it. So the best thing to do is then trying to figure out ways to automate this overall process. So they have this scenario out there where they're talking about potential malware and they have the assistant AI
(03:17):
versus the agentic AI, and the assistant AI will wait for the prompt from the analyst to start doing queries and then it'll leave an investigation decision up to the human, whereas the agentic AI will proactively initiate this and begin the complete investigation, which includes investigating logs, correlating events and so forth. Now I'm not saying that the agentic AI is the one that you all need to
(03:40):
go with. I'm just saying that what it's coming down to is this is where I see a really good nexus of the use of cybersecurity and AI in the security operations center, because it's going to give that level of autonomy that you really truly need to be able to save up your people's time and energy and then focus on humans,
(04:01):
on the areas that are more high value for the overall organization. So the part that they talk about is instant triage at scale. That is huge. It really truly is. If it works the way they say it does, they have basic enrichment from playbook automation. It'll conduct structured investigations, so it follows
(04:21):
that overall path that you have set up. Now the interesting part about playbooks is if you can get real granular with them and if this thing will be able to utilize that deep level of knowledge, it really could be a potential game changer. So I don't know, we'll see how that plays out. If you are interested in a Security Operations Center
(04:41):
autonomous AI piece, you may want to go check out Agentic AI and see what they have out there, if it's something that you might be possibly interested in. Else you know what? I would just start keeping your eyes open for this, especially if you are leading and managing a SOC. It is something that you may want to consider in the future and maybe just do a proof of concept around it. So, all right, let's move on to the questions for today.
(05:04):
Okay, so, as I mentioned earlier, this is over domain 6.2 of the ISC² CISSP certification. You can go to CISSP Cyber Training. You get access to all of these questions. Every one of them is available to you if you just go and you purchase the CISSP training that's available for it. And, I mean seriously, you can get access to all of these questions and you can go
(05:26):
through them over and over and over again, and on top of that you have the corresponding video and audio that goes with it as well. So if you are studying for your CISSP, I don't see how you can't go to CISSP Cyber Training and not see the content and be able to utilize it in a way that can help you pass this thing the first time. So I begin. But you can go and get the free stuff that's there and
(05:47):
available and take it at your own leisure. It's not a big deal, but it's all available to you at CISSP Cyber Training.
Question 1. Which of the following best describes the goal of misuse case testing? A. To validate that all legitimate use cases are successfully implemented. B. To identify business logic flaws from the threat actor's perspective. C. To measure the effectiveness of incident response procedures.
(06:10):
Or D. To determine if the system complies with legal and regulatory requirements. So again, what best describes the goal of misuse case testing. Now understand misuse case testing. What does it do? It involves modeling how a system might be exploited by a malicious actor. That's the goal, and the goal is to look for any unintended consequences or potential vulnerabilities that may come up
(06:32):
from the legitimate use of the functionality around this specific system. So the answer would be B, identify business logic flaws from the threat actor's perspective. Identify business logic flaws from the threat actor's perspective.
Question 2. Which testing method is most likely to uncover race condition vulnerabilities in an application? Which testing method is most likely to uncover race
(06:55):
condition vulnerabilities in an application? A. Static code analysis. B. Fuzz testing. C. Manual code review. Or D. Dynamic application security testing, otherwise known as DAST. So again, which testing method is most likely to uncover race condition vulnerabilities in an application? And the answer is C, manual code review.
(07:16):
So now, a race condition will occur when there's two or more operations that will execute out of sequence or potentially even in parallel, leading to outcomes that you're not really planning for, such as two users withdrawing the same funds if you're at a banking site, and something like that. So you want to look for what are different aspects, and this is where the manual code review would come in, where humans are looking at this and they're looking at the overall logical
(07:39):
path behind it. Now I would highly recommend that you have. I didn't always have the ability to do manual code review. We had automated code review done and then we had, at the end, we would have individuals look at the actual code itself before it was actually pushed to production. So you have to decide which is best for you and your organization. At the end of the day, the manual code review is a way that you can determine and find the potential race condition that
(08:01):
may occur.
Question 3. Which of the following is a limitation of using automated vulnerability scanning tools in a production environment? So again, which of the following is a limitation of using automated vulnerability scanning tools in a production environment? A. They may disrupt system availability. B. They generate too many false negatives.
(08:21):
C. They lack the ability to simulate attacker behavior. Or D. They do not support multi-platform environments. So again, automated vulnerability scanning, what could be one of the issues you run into in a production environment? And the answer is A, they may disrupt system availability. Yes, and I have dealt with this myself. Anytime you're doing scans inside your network, you may
(08:42):
want to be very careful about doing that. It can cause a lot of challenges within your organization, from system crashes, resource exhaustion, all kinds of different things that can happen, and you want to make sure that if you are doing scans in your network, you're telling somebody about it so that they don't think you're being attacked.
Question 4. Which of the following best characterizes the purpose of test coverage analysis in a security testing
(09:03):
process? Again, which of the following best characterizes the purpose of test coverage analysis in a security testing process? A. To determine how much code has been written. B. To identify obsolete code functions. C. To measure compliance with coding standards. Or D. To evaluate which portions of code were exercised during
(09:23):
testing. Again, which of the following best characterizes the purpose of test coverage analysis? And the answer is D, to evaluate which portions of the code were executed or exercised during the testing, right. So test coverage analysis quantifies how much of the application code is being tested during the run. So this includes functions, statements, basically your
(09:44):
branch or your path, which way it's going. All of those different areas are tested during the overall security testing process.
Question 5. Which of the following is the most appropriate technique for validating the effectiveness of layered security controls over time? A. Static code review, B. Continuous monitoring, C. Annual
(10:04):
compliance audits or D. Red team testing. Again, which of the following is the most appropriate technique for validating the effectiveness of layered security controls over time? And the answer is B, continuous monitoring. Right, so if you're going to be, monitoring is a key concept around when you're looking at any sort of concept that is dealing with code reviews, you want to constantly be looking at
(10:25):
it and making sure that you have real-time or near real-time risk postures set up. This includes your network activity logs, firewall logs, alerts. All of those things need to be monitored on a real-time or near real-time basis. Again, that's the most. Layered security controls is when you're doing something similar to that, again, when you're dealing with logs. Logs are an important part, but they can be overwhelming, so you
(10:47):
need to make sure that you have a good strategic plan related to logs. Don't just throw logs into your SIEM and hope and pray that everything works.
When conducting an internal security assessment, which method would best assess the effectiveness of role-based access controls? So, when conducting an internal security assessment, which method would assess the effectiveness of role-based access controls?
(11:07):
A. Code review, B. Policy audit, C. Access control matrix review or D. Configuration baseline comparison? So, when conducting an internal security assessment, which method would best assess the effectiveness of role-based access controls? And the answer is C, access control review, right? So if you're looking at your access control matrix, it
(11:29):
basically maps users and roles and resources all together and this allows for read, write, delete and so forth. And you want to look that over. That would allow an assessor or someone that's a regulator coming in to verify the permissions that align with the job function, detect privilege creep, identify excessive or missing permissions. All of those things would be done in this matrix. Now you might be going, oh my gosh, this is just documentation
(11:51):
for the sake of documentation. It is and it isn't. Having the documentation demonstrates that you have thought through this process and you understand the process. So, yes, you may have paper that is sitting on shelves and going, it's not being used. I get it, but it's important that you go through these processes and you understand these various controls. Now it could be done in something as simple as a
(12:12):
spreadsheet, or it could be more complex in an actual application such as SailPoint, but you want to have the ability to understand the various levels of controls within your organization and the various levels of roles within your organization.
Question 7. Which of the following security testing techniques is least likely to detect business logic flaws? So which of the following security testing techniques is least likely to detect business logic flaws? So which of the following security testing techniques is
(12:33):
least likely to detect business logic flaws? A. Static code analysis. B. Manual testing. C. Red team engagements or D. Threat modeling. So, again, which of the following security testing techniques is least likely to detect business logic flaws? And the answer is A, static code analysis, right. This scans the source code or the different codes, without
(12:57):
executing it, looking for known patterns and security weaknesses, right. However, it's rule-based and it doesn't understand the intent or context or business logic associated with it. So it's just static, right? So the why behind it? This is where you may run into some actual business logic flaws that may occur because you may not be able to understand exactly what it's looking for. One example is that if you're returning money to a different
(13:19):
account other than the one that paid, this may require some level of contextual understanding that the static tools just can't understand. So static code analysis is the least likely to detect business logic flaws.
Question 8. Which of the following is a primary objective of a security assessment report? And which of the following is a primary objective of a security assessment report? A. To
(13:41):
communicate risk findings to stakeholders. B. To provide value of the security team. C. To identify root causes of user behavior and then D. To evaluate end user satisfaction with the controls. Again, which of the following is a primary objective of a security assessment report? And it is A, to communicate risk findings to the stakeholders.
(14:02):
You generate a report. You want to have the ability to understand the risk and pass that on to the stakeholders, which is usually your board, your senior leadership. They need to understand what's going on and these reports typically are of a non-technical nature. They provide kind of an overview of what's happening. Now you may want to provide some level of context to the report that you provide them rather than just pushing a
(14:23):
button and having something just burp out a report. But it's imperative that this is who it's going to go to. It's going to go to the stakeholders.
Question 9. In the context of penetration testing, what is the primary purpose of the rules of engagement, ROE? So you're dealing with penetration testing. What is the primary purpose of having ROE? A. To determine the qualifications of the testing
(14:45):
team. B. To define the compensation for the ethical hackers. C. To outline legal restrictions and test boundaries. And D. To establish ownership and discover vulnerabilities. ROE is set for C, to outline the legal restrictions and test boundaries. ROE is important because it determines scope, timeframes, tools, techniques. All of those things are an important part of this and you
(15:06):
want to define that, especially if you're doing a pen test. Things can go sideways very quickly during a pen test if you have not properly defined your ROE.
Question 10. Which of the following best demonstrates due care in conducting security assessments? So which of the following best demonstrates due care in conducting security assessments? A. Using open source scanning tools. B. Limiting scans to non-production systems.
(15:29):
C. Obfuscating test results to avoid panic, or D. Documenting and reviewing the test procedures. So which of the following best demonstrates due care in conducting security assessments, and it is D, documenting and reviewing test procedures. So due care refers to the actions that you take to demonstrate responsible behavior and adherence to expected standards in managing risk.
(15:51):
They want to make sure you know what you're doing. So if you document and review test procedures, you're showing that you're paying due care. Again, documentation is important. I've dealt with people over and over again saying, well, that's not a value. It's not a value to me. It isn't necessarily a value to you in some cases, but it's a value to others. Documentation is an important piece and having documentation
(16:11):
will make your organization and your systems much more mature, and that's what you're obviously looking for.
Question 11. Which of the following would be most likely to be identified during a static application security test, SAST, but not during a dynamic application security test? So what's most likely to be identified during a static
(16:32):
application test versus a dynamic application test? A. Input validation bypass. B. SQL injection vulnerabilities. C. Insecure cryptographic function usage. Or D. Session management flaws. Okay, so if you looked at all four of those, the one and two for sure would be under the dynamic, static. So that would happen, but you're most likely during a
(16:55):
static application security testing would be C, right, your cryptographic functions. This will look specifically at your source code or compiled binaries and then it scans for any unsafe coding patterns. But in there you will see if there's a wrong cryptographic function potentially, and that's where it would be identified. Whereas, and that's how the SAST would look, most
(17:18):
likely. Look for it if you deal with the DAST. DAST is a black box approach which looks at runtime behavior. So it's not set up to look for a specific hash that might be inappropriate at that time. So just kind of something to consider with that.
Question 12. An organization wants to simulate an attack from a nation state actor to test its detection and response
(17:38):
capabilities. Good on them. Which is the most appropriate testing method? A. Red team engagement. B. Blue team exercise. C. Threat hunting or D. Security audit. So you're trying to look at a nation state actor and testing if somebody was trying to get in from a nation state. What would you do? And the answer is A, red teams. Did this for years. Red teams deal with advanced tactics, techniques and
(17:59):
procedures and they are focused on how the adversary goes. This is the ones that you would hire if somebody does penetration testing. And yeah, it's good, it's fun, it's exciting.
Question 13. Which of the following best describes the difference between vulnerability assessments and penetration testing? Again, which of the following best describes the difference between vulnerability assessments and penetration
(18:19):
testing? A. Vulnerability assessments are performed manually. Penetration tests are automated. B. Vulnerability assessments identify and exploit weaknesses. Penetration tests only identify them. C. Vulnerability assessments are focused only on web applications. Penetration tests target infrastructure. Or D. Vulnerability assessments are broader in scope and typically non-intrusive.
(18:39):
Penetration tests attempt to actively exploit vulnerabilities. And the answer is D. What best describes it is: vulnerability assessments are broader in scope and are typically, air quotes, not intrusive. Penetration tests, on the contrary, attempt to actively exploit vulnerabilities and they go deep and they go hard and that's the ultimate goal of them.
(19:00):
They focus specifically on, usually, one niche area. But bottom line is that's the difference.
Question 14. Which of the following would be the most effective in identifying previously undetected lateral movement by an attacker? Again, which of the following would be the most effective in identifying previously undetected lateral movement by
(19:20):
an attacker? A. SIEM correlation rules. B. Antivirus signature updates. C. Packet capture analysis or D. Behavioral anomaly detection. So, again, most effective in identifying previously undetected lateral movement. It would be D, behavioral anomaly detection, right. So if you have not detected it, PCAPs and antivirus signatures
(19:42):
and SIEM correlation rules would not be effective because you haven't detected it yet. But if you're looking for something, the behavioral aspects probably would be your best bet in detecting something, that's when someone's moving laterally, that has not been detected by your other tools that you have. So again, the most effective would be behavioral anomaly detection.
(20:03):
Question 15, the last one. Which testing activity ensures that software security flaws are remediated properly after discovery? A. Regression testing, B. Remediation verification testing, C. Integration testing or D. Security test case development. It's a lot of big words. Which testing activity ensures that software security flaws are
(20:23):
remediated properly after discovery? And the answer is B, remediation verification testing. Okay, this is called retesting in some cases, right, and it validates that the identified vulnerabilities have been correctly fixed. It basically re-executes the test cases that were found and it looks to make sure that the flaw is no longer there.
(20:43):
This is where you'll find this, particularly in Agile or CI/CD pipelines where rapid fixes are deployed quickly. So the remediation verification testing process is an important part to make sure that you find out if they've actually been fixed. Okay, so that is all I have for you today. Thanks for joining me today at CISSP Cyber Training. Head on over to CISSP Cyber Training.
(21:04):
You can do a couple different things. One, get access to all of my CISSP questions, or at least to 360 of them. I should say not all of them. Just by signing up with CISSP Cyber Training, you can get access to 360 questions that will help you with your studying for the CISSP. Free, 360, nothing about it. You just sign up, boom, you got questions, 360 of them.
(21:26):
They come to you over a period of a few months, but you get big batches of them to help you study. The second thing is just go to CISSP Cyber Training and you can, from there, get access to any free content that I have at the site itself. So there's lots of different videos, there's lots of audio that's there. All of that, my podcasts, are all tied to CISSP Cyber Training. You can get them there. All of that stuff is available to you.
(21:48):
And then, finally, if you see there's value in this, just purchase a product that I have and you get access to all of the content. Right, I have three tiers, but with the most basic tier you can get access to all of my content just by signing up with that. So you've got three options. One, free questions, 360 of them. Option two, go to the site, look for some free stuff on the site. Option three, go and purchase the CISSP training that's there
(22:11):
and it's available for you. One of the three options that gives you the best needs for you and your organization. So again, check that out at CISSP Cyber Training. Hope you have a wonderful, wonderful day and we will catch you all on the flip side, see ya.