Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast.
Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go.
Speaker 2 (00:23):
Cybersecurity knowledge. All right, let's get started.
Good morning everybody.
It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today.
Today is CISSP Question Thursday.
So, yes, we are going to be going over CISSP questions related to Domain 8.3, which was part of the podcast that we
(00:44):
provided to you all on Monday.
So, as you guys are all familiar, or maybe you're not familiar, is, on Mondays we provide the overall training, that which you can also see on CISSP Cyber Training, but you can see the content that's there as well, as we kind of go over some of the potential questions you may deal with.
But on Thursday we specifically go over questions tied to the
(01:07):
information that we talked about on Monday.
Again, it's a reiteration slash reinforcement approach with the goal that when you take the test, you will pass it the first time.
Right, that is the ultimate goal.
So you can go to CISSP Cyber Training, head on over there and you can get access to all of my content.
I have a bunch of free stuff out there, but the paid stuff, just to be honest, if you're trying to get your CISSP done,
(01:27):
the paid stuff will help you get it done in a much quicker timeframe.
The free stuff is great.
It does, it's free, right.
But at the end of the day, if you're trying to get this thing accomplished in a timeframe that meets your goals, the paid program is a much better option for you.
But again, it's available to you either way.
You just have to choose which way you want to go.
But before we get started, I wanted to talk about an article
(01:50):
that I saw in Computer World and it's related to why cybersecurity matters for small and medium businesses, and we've talked about this numerous times on this podcast and in through my training.
It's really an important part and I kind of have an affinity towards the small and medium businesses because in many cases, I mean, I own a small business. Now we don't deal primarily with
(02:12):
the overall IT functions in the world.
I mean, it's a shaved ice truck and it's also a coffee truck, so it's not much in the IT space.
However, all of my planning, my integration with my employees, purchasing for my product, all that stuff is done online, and if it were to go get shut down because of a ransomware attack,
(02:32):
it wouldn't kill my business, but it would dramatically impact it and it would be very painful, honestly, because we've become very reliant on this stuff, and many small and medium businesses are in the same boat as me.
Many more of them are much more reliant on IT than myself.
So one of the things that this article kind of brings up is that cybersecurity is crucial for all SMBs, and it's again
(02:56):
basically due to the fact that there's online threats, but also that people are more interconnected with their small and medium businesses, with the online world, than they were before.
The other thing they mentioned in this article is the importance of understanding and having business continuity plans for small and medium businesses.
Now, as I'm working as a consultant with very large firms, in some cases they don't even have very good business
(03:19):
continuity plans.
So it depends upon the approach, but it's something that people just don't think about, and they really don't think about it until it's probably too late.
So the ultimate point is that it's imperative that you do consider this, and if you guys are studying for your CISSP, you might be brought into a small business and you may have to talk to them about how do they implement a business continuity
(03:42):
plan for themselves.
You just don't know, and it's imperative that you have some thought process that's been done to it.
Regulatory penalties obviously are a risk, especially if you have poor cybersecurity.
And now in the United States, with the CMMC, which a friend of mine at PsychX, actually they call it PhysX, but his company deals with red teaming and pen testing and so forth, and he's
(04:05):
getting big into the CMMC part of this, and if you're a company that has government contracts, CMMC is a big factor that you're going to have to work through.
You want to partner with cybersecurity providers where they can help you with your resiliency and then also help SMBs.
You need to really embrace the innovation space and security.
I think I've talked to many people that provide security
(04:28):
services and they don't really go after the SMBs because, unfortunately, there's just not a lot of money in it, and so I think the virtual CISO and the type of the managed SOC are a really good play for many small businesses just because the costs aren't terribly expensive.
But again, you're still gonna have to be a pretty good size small business to be able to afford someone like me, even on
(04:51):
a temporary basis, and it's important that you get the protections you need.
I'm just trying to figure out how to help best protect small businesses.
Realistically, it's gonna be a challenge.
It really truly is, so it's gonna be up to somebody that's like taking this course.
That is maybe an IT that can provide both security and IT
(05:11):
functions as well for a small company.
So it's a very interesting time, especially if you're a small business and you need to make sure that you do whatever you can to help protect your company.
You need to think about all the different options.
So, again, good article.
It's pretty quick, easy read, about three and a half, four minutes, and this is why cybersecurity matters for small
(05:32):
and medium-sized businesses.
Okay, so let's move on to the questions for today.
Okay, so, if you go to CISSP Cyber Training, you'll have access to this.
You can just go click on the links, get access to my questions.
I've got probably close to around, well, man, probably close to about 1,500 questions that are available to you on CISSP Cyber Training.
Many of them have, majority of them have audio that are associated with them as well.
(05:52):
So the goal, though, is not just to study questions and think you're going to pass the test with the questions.
The questions are designed to help you understand the mindset of this role and it's a hard test.
It's a really tough one and I just got on with a friend of mine that took my course and he passed it.
He's super excited, he's elated, he's over the moon, and which he should be, because it's been a bit of a nemesis for him for a
(06:14):
while.
And it's also the other part of this that people don't think about is knowing the book.
Smart is one thing, but sometimes the test anxiety can get to people too.
So it's imperative that if you have a good understanding of this content and you feel confident going into it and you've done your homework, that can help reduce those types of anxieties that you may get.
So it's just interesting if you guys hear a creaking noise in
(06:37):
the back when I'm recording.
As I'm recording this podcast, I'm sitting on a chair.
It's very creaky.
I'm in a hotel room recording this.
So, yeah, I apologize for the creaky noise if it's there, all right.
So let's get into the questions for today.
Again, this is question one and we're dealing over Domain 8.3.
Okay, question one: a development team is utilizing a
(06:57):
third-party library within a critical application.
A recent security advisory indicated that a high severity vulnerability exists within this library.
Which of the following is the most effective action a security professional should recommend? A, isolate the application from the network until the library can be updated.
B, immediately replace the third-party library with an
(07:19):
internally developed alternative.
D, or C, analyze the application's usage of the vulnerable library and then function and whether it's going to be worth it or not.
And then, D, notify the vendor of the third-party library and request an immediate patch.
Okay, so what is the most effective action for a security professional to do in the event that they find this library that
(07:40):
has got issues?
C, analyze the application's usage of the vulnerable library and assess the functions of it to make sure that it's not going to be bad.
So the ultimate point is the library itself.
So if the library is not used really very well and it's not in a very good, it's not something that gets tapped a lot and it's got issues, right, you need to verify that it's actually going
(08:02):
to cause some sort of drama to your program.
It could be a library that's not used very often and so therefore it may be something you may want to accept the risk on at that time.
Again, you need to kind of understand the overall threat.
Is the application behind the firewall? Is the application internet-facing? Lots of different nuances to it, but analyzing the application's library is a good first step.
(08:24):
During a penetration test, the tester identifies a client-side vulnerability that allows for execution of arbitrary JavaScript code within the user's browser and when they interact with a specific web page.
Which of the following mitigation strategies would provide the most comprehensive protection against this type of vulnerability?
So again, pen test happens.
(08:44):
Client-side vulnerability allows for execution of arbitrary JavaScript, basically arbitrary code, within the user's web browser when they interact with a specific part of the web page.
What's the most comprehensive protection against this type of vulnerability?
A, implement a content security policy with basically very strict directives.
B, implementing a strong input validation on a server-side form
(09:08):
submission.
C, utilizing web application firewall with rules designed to detect and block malicious scripts.
Or D, regularly scan the client-side code for known JavaScript vulnerabilities.
Okay, so what is the most comprehensive protection against this type of vulnerability?
So you really could easily go to one and A and B on this one, right, but what it comes down to is the answer is A, implement
(09:29):
content security policy with strict directives.
Okay, so the content security policy is a browser security mechanism that allows you to define the trusted sources and the resources that can connect to it: scripts, styles, images, all of those things.
Now, by setting these directives, you could potentially prevent the browser from taking this information.
(09:50):
You would potentially bite off on the implementing strong input validation on all server form submissions.
That would be a potential option, but it's not the most comprehensive protection.
The most comprehensive is specifically setting the policy on the web browser itself.
Question three: a security architect is reviewing the security of a newly developed API.
(10:11):
They observe that the API relies solely on the client-side input validation to prevent malicious data from being processed by the backend.
So basically, API is connecting in, it's going to push it out the back end, but they're relying on the input validation on the front end.
Which of the following security principles is most directly violated by this design?
(10:32):
A defense in depth.
B least privilege.
C, separation of duties, or D, fail-safe defaults.
So most directly violated.
Which basically means there's only really one way that you can stop it and it's on the client side.
And it would be defense in depth.
And the reason is it's A, it's because you are not.
There's not multiple layers in there.
(10:53):
Once they get past the client side and they're assuming that the client-side input validation is correct, they get free access into the environment because of the API.
So again, I love APIs.
They're wonderful, they're great, but they also can be the entrance to Hades.
I mean, they can cause you life, all kinds of pain.
So make sure you understand that.
(11:14):
Question four: during a code review, the security analyst identifies a section of code that uses a format string directly from the user's input on a specific logging server.
Which of the following is the most significant security risk associated with this practice?
A, denial of service attack.
B, information disclosure through logging of sensitive data.
C, cross-site scripting or XSS attacks affecting the log
(11:38):
viewers or the blog views, and then the arbitrary code execution on the logging server.
Again, what is the most significant risk associated with the part that there's a section of code that uses a formatted string directly from the user's input, and that would be D, arbitrary code execution on the logging server.
Again, arbitrary code could occur again when they have
(12:00):
directly access to it and they can end up putting some sort of string into there.
It could cause some level of access issues or potentially cause you gain access to the server itself, and this is on the logging server.
So this would be question D.
Question five: a security team is investigating a series of escalating privilege exploits in a legacy application.
They discover that the specific API endpoint, again I love APIs,
(12:25):
intended for the administration's users, does not adequately verify the user's role on the server side before processing sensitive commands.
Which of the following is a vulnerability, vulnerability categories best describes this specific issue?
Okay, so, again, API doesn't validate, adequately verify the user's role on the server side.
(12:45):
What is it?
So one of the questions, or I should say one of the answers, is A, cross-site script request forgery, CSRF.
B, insecure direct object reference.
C, injection flaws.
Or D, broken access controls.
Again, what's the best one that describes this specific issue?
(13:05):
And the answer is D, broken access control.
Okay, so the vulnerability, it can directly access the failure to properly enforce the authorization, right.
So the API endpoint should be verifying the user's role within the company or within the actual, not the company itself, but within the server itself, and it should do this before it
(13:27):
allows any sort of access to its capabilities.
So it's important that you do this, that you understand that broken access control in this specific question is how the API would gain access.
Question six: during the security assessment of a mobile application, a tester discovers that sensitive user data, including API keys and session tokens, are being stored in the
(13:47):
application's local file system, and then it doesn't have any encryption on it on top of that.
Not a good spot.
So if an attacker gains a physical access to the device, what is the most likely immediate impact?
API keys, session tokens, they're all stored on the local file system without encryption.
A, attacker can interrupt the network communication initiated
(14:08):
by the application.
B, the attacker can directly access sensitive data and the accounts and perform actions on their behalf.
C, the attacker can bypass multi-factor authentication mechanisms with the application.
Or, D, the attacker can inject malicious code into the application's runtime environment.
Okay, so in this situation, like we talked about, access to sensitive data is sitting unencrypted on the file shares
(14:31):
or file store.
And the answer is B, the attacker can have direct access to the sensitive user accounts and perform actions, potentially on their behalf.
That is what would happen if they had physical access to it.
Again, strong API keys and session tokens being unencrypted is not a good option.
You want to make sure that you have some level of encryption on this data, especially as we're dealing with APIs.
(14:53):
Question seven: a web application utilizes a complex series of chained microservices to fulfill user requests.
A vulnerability in one of the lower level microservices allows an attacker to inject arbitrary data into a message queue used for inter-service communications.
This injection data can be then processed by subsequent microservices, leading to unintended behavior and
(15:15):
potential security breaches.
Which of the following attack vectors best describes this scenario?
So again, message queuing is where you're at.
Vulnerability in one of the microservices allows for you to inject arbitrary data into this message queue.
So that'd be a key term to keep in mind.
A, server-side request forgery, SSRF.
B, message queue poisoning.
(15:36):
C, cross-origin resource sharing misconfiguration, that's a bunch of big $10 words, C-O-R-S, and then D, XML external entity injection. Okay.
So best describes a scenario, it would be message queue poisoning.
Okay.
This describes a scenario where the attacker injects malicious data into a message queue.
(15:57):
This poison message is then consumed and processed by the other services within the chain, again potentially leading to some sort of exploitation.
So the message queue poisoning.
Question eight: a security analyst is reviewing the deployment of a pipeline for a critical web application.
They notice that the static code analysis is performed and
(16:18):
the results are not systematically reviewed or acted upon before code is being deployed into production.
Ah, not good.
Which of the following best describes the security implication of this practice?
So again, the security analyst reviewing the deployment pipeline, which is usually for a CI/CD type pipeline for a critical web application, they notice that the static code analysis, or SAST, is performed, but the results are not
(16:41):
systematically reviewed or acted upon before the code is deployed.
What does that mean?
Well, A, reduced effectiveness of the static code analysis in the tool mitigating security risks.
So basically saying that the SAST is not helping people reduce the risk of your security issues.
B, increased supply chain attacks due to unaddressed vulnerabilities in dependencies.
B, potential for the denial of service attacks due to
(17:04):
performance issues.
Or D, higher likelihood of introducing vulnerabilities due to the lack of automated security testing in their later stages.
Okay, there's a lot of words there, but bottom line, the answer is A, reduced effectiveness for a static code analysis tool in mitigating security risks.
Okay, it's happening, right.
So the tool is monitoring it.
The problem is that it's not being systematically reviewed,
(17:27):
either through automation or through eyes on keyboard.
So your vulnerabilities, you're getting some risks that are getting pushed and passed on to.
Question nine: a development team is implementing a feature that requires the application to interact with an external payment gateway.
The security architect recommends using a client-side integration method where the user's payment details are
(17:49):
directly submitted to the gateway from the user's browser.
Which of the following is the most significant security concern associated with this approach?
So, again, they're implementing a feature that requires application to interact with external payment gateway.
Okay, so, money's trading hands.
The security architect recommends using a client-side integration method where the user's payment details are
(18:10):
directly submitted to the gateway.
Hmm, that could be bad.
I mean, it's not terrible, but there's things that could happen with this.
Right, it's not the best approach.
So what is the most significant security concern associated with this approach?
A, increased server load due to handling sensitive payment data.
B, difficulty in implementing robust fraud detection mechanisms on the server side.
(18:31):
C, potential exposures to payment details due to a man-in-the-middle attacks with malicious JavaScript.
And then D, incompatibility with certain regulatory compliance standards like PCI DSS.
Okay, so, again, this is happening on the client side.
What is the most security concern, the most significant security concern with this approach?
And the answer is C, potential exposure of payment details to a
(18:54):
man-in-the-middle attack and malicious JavaScript.
Right, so it's all on the client side, while the client-side integrations can offer some performance benefits.
Right, because now that all the processing is happening at the client, they do introduce significant security risks.
And again, this can happen where, if there's using some not properly secured gateway or connection between the client
(19:15):
side and the gateway, obviously using strong TLS or something like that, they can get into some level of man-in-the-middle attacks which could then basically compromise their credentials and any sensitive data.
So it's not the best approach.
Question 10.
During a forensics investigation of a compromised server, analysts discover evidence of a vulnerability where the attacker was able to manipulate the arguments passed
(19:38):
to the operating system via a command line and then they can execute them by their web application.
The result in the attacker gaining unauthorized access to the file system.
Which of the following vulnerabilities best describes this scenario?
Okay, so again an attacker.
That's a really run-on, long sentence.
But the attacker was able to manipulate arguments passed to the operating system via command line, so he or she can push
(20:01):
them that way.
This results in the attacker gaining unauthorized access to a file system.
Specifically, so what is the best scenario or what vulnerability is best described in this scenario?
I can't speak, sorry, it's a bit early this morning.
A, directory traversal.
B, command line injection.
C, local file inclusion, or D, remote file inclusion.
(20:22):
So again, what is the best one here?
That describes a situation, and it would be B, command line injection, command injection, this is where it occurs.
Obviously, the application passes unfiltered user-supplied data directly to the operating system via a shell for execution and this then can, by manipulating the arguments, the attacker was able to alter the intended command and execute
(20:46):
arbitrary commands.
So you can use those.
Command line is a typical use for many attackers and if they can do that, then they can gain access to different types of systems.
You try to turn that off if you can.
If there's some way of making that happen within your server side, you want to make sure you turn those things off.
Question 11: a security architect is designing a secure software development lifecycle, SSDLC, for a new cloud-native
(21:09):
application.
They want to incorporate security testing early and frequently in the development process.
Which of the following practices would be most effective in achieving this goal?
So again, SSDLC or SDLC, depending on who you talk to, for a new cloud-native application.
So they want to incorporate security testing early and frequently in the development process.
So what is the most effective way of achieving this?
(21:32):
A, integrating static application security testing tools in the CI/CD pipeline to analyze code changes automatically.
B, implement a weekly penetration test scheduled and develop in the development environment.
So basically, do pen tests all the time.
C, conducting a comprehensive security code review only before each major release.
Or D, relying primarily on dynamic application security
(21:54):
testing in the staging environment.
So again, the best, the most effective in achieving this goal.
Ideally, if you could incorporate SAST and DAST in this would be great, but the questions aren't saying that.
So you want to integrate static application security testing into the CI/CD pipeline to analyze code changes automatically.
You want to have SAST running, and the reason that the last one
(22:17):
isn't good is because you're relying primarily on DAST.
You don't want to rely primarily on DAST because that's the dynamics part of this.
You want the static code analysis to occur, probably more important than the dynamic, and so it's imperative that you doing.
Both is what would be ideal, but if you had to pick one, the answer would be A. Question 12.
A legacy application uses custom authentication mechanisms.
(22:40):
Question 12, a legacy application uses custom authentication mechanism that relies on reversible encryption algorithm to store user passwords in its database.
Which of the following is the most critical security weakness of this approach?
Following is the most critical security weakness of this
(23:00):
approach?
So again, legacy application using custom authentication mechanisms that relies on reversible encryption algorithm.
It's unique to store user passwords in a database, which is the most critical security weakness in this approach? A, increased computational overhead due to the authentication process.
B, potential for dictionary attacks will easily crack the encrypted passwords.
(23:21):
C, difficulty in integrating with modern multi-factor authentication systems.
Or D, risk of complete password disclosure if the encryption key is compromised.
And the answer is D, risk of complete password disclosure if the encryption key is compromised.
Obviously, storing this data and having the algorithm available to potentially re-engineer it or to decrypt the
(23:45):
potential algorithm or utilizing the algorithm is a bad thing.
So you want to avoid that at all costs.
Question 13: a security team discovered that a web application is vulnerable to server-side request forgery, SSRF, attack.
The attacker can manipulate the application to make requests to internal resources that are not publicly accessible.
That's not good.
Which of the following mitigation strategies would be
(24:07):
most effective in preventing future SSRF attacks?
Okay, server-side request forgery.
So A, implement strict network segmentation to isolate internal resources.
B, whitelisting allowed destination hosts and ports for outbound requests.
C, disabling all external network connectivity from the web server.
Or D, implementing strong input validations on all user-supplied
(24:30):
URLs.
So again, we're dealing with a server-side forgery attack.
They want to manipulate the application to make requests to internal resources that are not publicly accessible, and what you would do is you would be whitelist the allowed destination hosts and ports for outbound requests.
That would be the most effective by doing this, and so the network segmentation that you put is a good thing, right,
(24:52):
but by whitelisting, it provides more specific and effective controls against SSRF, and then, by defining these specifically, you can allow legitimate external resources that the application needs to access, and then any attempts outside of that would be denied.
So again, disabling all external connectivity might be a bit too restrictive and potentially break the functionality of it.
(25:13):
So you want to think about that as well.
Question 14.
During penetration tests, the tester successfully exploited XML external entity vulnerability with an application that processes XML data.
Which of the following outcomes is a potential consequence of a successful XXE attack or XML external entity attack?
A, unauthorized access to local files on a server hosting the
(25:36):
application.
B, cross-site scripting attacks against other users of the application.
C, denial of service due to excessive resource consumption on the client side.
Or D, SQL injection attacks against the backend database.
Again during a penetration test, a tester successfully exploited XML external entity vulnerability, and which of the following is a potential consequence of a successful XXE?
(25:59):
And the answer is A, unauthorized access to local files on the server hosting the application.
So again, that is the answer.
Question 15, the last melon.
A security analyst is reviewing the security of a containerized application deployed using Kubernetes.
They observe that the application containers are running with root privileges within their pods. Not a good
(26:21):
option.
Which of the following security principles is the most directly violated by this configuration?
So again, Kubernetes application, and they're running with root. A, principle of least privilege.
B, defense in depth.
C, separation of duties.
D, failsafe defaults. Again, the most security principles that are most directly violated with this configuration?
(26:43):
And the answer is A, principle of least privilege.
Right, so you want to have the principle of least privilege, especially with these clusters, and by giving them root, you are not doing least privilege, you're giving them more privileges and you are giving.
That's not good, so we want to avoid that.
So that's the most violated part of all this of the security principles is the principle of least privilege.
(27:04):
Okay, that is it.
That's all we have for you today.
Head on over to CISSP Cyber Training.
Get access to all of my content.
You can do it.
There's a lot of free stuff out there, but, like I said, mentioned before, the paid stuff is what's going to help you get the test done in the timeframe that you want to do. When the free stuff, do it, sure, but it won't be able to help you in the time that you potentially need.
If you're trying to get this thing done quickly, look at the
(27:25):
content that I have, look at the different packages that are available to you, and all of that can be given to you.
Just all you got to do is purchase it.
So, have a wonderful, wonderful day and we will catch you.