
May 22, 2025 18 mins


A shocking incident in Spain recently left 60% of the country's power grid dark in less than five seconds. Was it a cyber attack? The jury's still out, but this real-world event perfectly illustrates why understanding access controls and security mechanisms is critical for today's cybersecurity professionals.

Sean Gerber, despite battling a cold that affects his voice, delivers a compelling analysis of the Spanish power grid incident before diving into essential CISSP domain four content. He highlights how smaller electrical providers might have fewer security resources, making them attractive targets, and emphasizes the growing importance of professionals who understand both operational technology and information technology security.

The episode then transitions into practical CISSP exam preparation, exploring various types of access controls through real-world scenarios. Sean expertly distinguishes between preventative, detective, corrective, and deterrent controls, while also clarifying the differences between physical and logical security mechanisms. Particularly valuable is his breakdown of biometric authentication methods, pointing out how voice recognition (ironically demonstrated by his own cold-affected voice) proves less reliable than alternatives like iris scanning or fingerprinting.

Understanding the nuances between Mandatory Access Controls (MAC) and Discretionary Access Controls (DAC), implementing proper identity proofing processes, and recognizing when compensating controls are needed are all critical CISSP concepts covered in this content-rich episode. Whether you're preparing for certification or working to strengthen your organization's security posture, these lessons apply directly to building effective defense-in-depth strategies. Ready to master these concepts and pass your CISSP exam? Visit CISSP Cyber Training for a proven blueprint guaranteed to help you succeed.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started. Let's go.

Speaker 2 (00:22):
Cybersecurity knowledge. All right, let's get started. Hey all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday and we are going to be going over questions related to the CISSP exam that was covered on Monday, so content that was brought up on Monday, today the

(00:43):
questions that we go over for that content, and so, if you also notice, I have a really cool voice today. Yeah, I've been struggling with a bit of a cold. First I thought it was allergies, now I actually think it's a cold and I got that while traveling. Yes, I love it, it's wonderful, but we're just going to go through some CISSP questions and you just won't care what I sound like today.

(01:04):
Now, I don't know if you all saw this in the news or not, but this occurred, I think, April 29th, somewhere right around in there is when the actual incident did occur. April 28th is what it is, and this article is from Financial Times and it goes into a little bit of detail around what they saw and what happened. Now, the biggest issue that came out of this article, and I think that really comes right down to Spain as a whole, um, is

(01:26):
that this was a temporary blackout, with some of their electricity and their power grid. The interesting part around this was is that it was roughly 60 percent of Spain's electricity. Electricity demand was lost within about under five seconds, so that's a pretty substantial amount, right? So it's like your entire country, two-thirds of it, going dark because of something that occurred, and so, because

(01:48):
of this, they have been running to all kinds of ideas of what actually caused it. Now, from a cyber attack, it hasn't necessarily been ruled out that it wasn't a cyber attack. It also hasn't been completely confirmed that it was a cyber attack. They don't really truly know. One of the aspects that I thought was interesting is that they've been focusing on the small electric providers.

(02:09):
So, in most countries, the United States is no different, there are multiple electrical providers throughout the country, and each of these folks are businesses that are providing electricity to the grid. Now, some are big, some are small, and the regulations that are tied to that, at least in the United States, they throw them all under critical infrastructure. However, they keep a lot of this pretty wide open, as of the

(02:34):
protection controls and what you should use, and so, therefore, because these controls are kind of wide open and they let you have some sort of autonomy on putting controls in place. They will vary from company to company, so if it's a large company, they may have the funds and the resources to be able to fully invest in what they need to do to protect their organization. When they're a larger or a smaller company, they may not

(02:55):
have the same level of capabilities and so, as a result, they may not have the same protections, and so, therefore, they would be a great place to target if you were a bad guy or girl, and so that's what they're. One of the things they're trying to consider is were the smaller electrical companies targets of this, or what actually caused

(03:15):
it? I don't know. To lose 60% of your power consumption, you lose it within five seconds. To me, if it isn't a cyber attack, which it might not be, it also shows a lot of weaknesses within your organization or within your overall ecosystem to ensure that this is better protected. So I think it'll be interesting to see where the information is

(03:37):
shared. There's lots of different sharing that's going to be occurring through the different ISACs. The industrial side or the electrical side has their own ISAC, and so that just talks about the fragility of the overall ecosystem related to the power grid and so forth. So if you are interested in OT and IT security, I'd highly recommend that you start studying up on that.

(03:58):
I think it's going to be a big demand for it here in the future, especially as we become more and more connected and more and more tied to this OT environment. We thought it was a big deal back when I first got started in cyber back in the early 2000s, and it hasn't matured to its point yet. So it will be very, very interesting where it goes in the

(04:18):
next 15 to 20 years. Okay, so let's get started on today's questions. Again, these are questions over domain four of the CISSP exam. Question one: which of the following is the most critical initial step in establishing a trustworthy digital identity for a new user within a high security environment? A, assigning a temporary password and requiring password

(04:39):
changes upon first login. B, implementing a multi-factor authentication from the onset. C, rigorous identity proofing and verification processes. Or D, granting least privilege access based on their initial role? Again, which of the following is the most critical initial step in establishing a trustworthy digital identity? And it is C, rigorous identity proofing and verification

(05:01):
processes. Again, this is probably one of the most critical steps you can is ensuring that the person who you have working for you is the person who they say they are, and this can be done especially when you're dealing with a high security environment. This may come down to having various product protocols and processes in place to do background checks and so forth. So the answer is C.

(05:24):
Question two: a security administrator discovers an unauthorized individual attempting to tailgate an authorized employee through a secure data center entrance. Which type of access control best describes a security mechanism that should have prevented this situation? A, preventative; B, detective; C, corrective; or D, deterrent? And the answer is A, a preventative, right.

(05:44):
So you should have had something in place to stop this from happening. A mantrap, a turnstile, a guard watching it, that would have been put in place to help stop somebody from tailgating into this environment. I've worked through all of those. You can get around them all, but again, they're designed just to slowly stop somebody from, or to slow somebody down from trying to get into a very secure environment.

(06:05):
Question three: after a successful data breach, an organization implements enhanced logging and monitoring capabilities to identify any future malicious activity. This is an example of which type of access control? Again, after a successful data breach, an organization implements an enhanced logging and monitoring capability to identify any future malicious activity.

(06:25):
This is an example of what type of access control, and we don't tell you the answer just yet. A, preventative; B, deterrent; C, corrective; or D, detective? And the answer is D, detective. Detective access controls are designed to identify and record events after they have occurred. Again, enhanced logging and monitoring would help detect any

(06:47):
sort of situation that would be occurring. Question four: an organization mandates that all employees attend annual security awareness training which includes modules on social engineering tactics and password security. This is primarily an example of which type of access control? A, logical; B, administrative; C, physical; or D, technical.

(07:09):
Okay, again, they're trying to give employees training related to social engineering and password security. And the answer is B, administrative. Again, administrative controls, they involve the policies, procedures, standards, guidelines and so forth. Their ultimate purpose is to help teach people, right, and security awareness will fall into that bucket. So it's administrative.

(07:31):
Question five: implementing mandatory access controls within an operating system kernel is an example of which type of access control. Again, implementing mandatory access controls within an operating system kernel is an example of what type of access control. Again, implementing mandatory access controls within an operating system kernel is an example of what type of access control. So, MAC, mandatory access controls: A, physical; B, administrative; C, detective; or D, logical. Again, mandatory access

(07:56):
controls, otherwise known as MAC. Within an operating system, its kernel. What would? What would it be? And it is D, logical, right, logical controls. These are technical controls that are used for implementing through hardware, software, and they're designed to control the resources and access to those. So, again, MAC is enforced by the operating system and it's a technical mechanism. So therefore, it would be under logical.
(08:18):
Question six: placing a security camera at the perimeter of a building serves as two types of access controls. Security cameras at the perimeter are two types. What are they? A, deterrent and detective. C, preventative and corrective. C, detective and corrective, or D, preventative and deterrent. Okay, again, what are the two types of access controls for

(08:41):
cameras? They are A, a deterrent and detective. Okay, so a deterrent: you see a camera, you usually think you have to think twice about do I do it or do I not? Also, detective is there's cameras being used. They are probably being monitored and so therefore, they've got some sort of something on you. Now, something to consider with all of this. We've worked, worked through all these.

(09:01):
We talked about this at CISSP Cyber Training multiple times. Cameras are one of those things that you don't know if there's actually a camera in those bubbles or if they're just there to keep you guessing. Again, and then most times cameras are after the fact. There's not someone physically watching them at that time. So if you are a bad person and you're trying to get into something and you cover yourself up, odds are probably pretty

(09:23):
high they're not going to catch you going in. Now, they may come after you've done it, but by then you may be long gone. So yeah, don't use your powers for good, not evil. Question 7: after a server room experiences a power outage, an uninterruptible power supply, UPS, automatically kicks in to maintain system uptime. This is an example of what type of access control? A,

(09:45):
preventative; B, detective; C, corrective; or D, compensating. Again, the server room has a power outage, UPS kicks in. What is this? And the answer is D, compensating control. Yes, a compensating control is implemented to mitigate the risk associated with the vulnerability, obviously when the primary control does not work. So that's what ends up happening and the UPS

(10:07):
compensates for it because it brings up power to help you do a safe shutdown. Again, UPSs are not designed for you to run on them all day long. They're a big battery. They're designed for you to help you do a safe shutdown or deal with small intermittent issues. Question eight: which of the following biometric factors is generally considered the least reliable for high security

(10:27):
access control due to its susceptibility to environmental factors and temporary changes? In which biometric factor generally considered least reliable for high security areas because of its susceptibility to environmental factors and temporary changes? A, iris scan; B, voice recognition; C, fingerprint scan

(10:48):
or D, facial recognition? And the answer is B, voice recognition. And guess what? Today you get a perfect example of that. Yes, I can barely talk, and because I can barely talk and my voice sounds really bad, I would have a hard time with voice recognition software, right? So it's just, it's considered less reliable because of this. For high security reasons, because things change.
(11:09):
Voice changes, irises do not change, I guess typically. I'm not a doctor, but I can't imagine they change very often. Question nine: a security policy mandates the use of personal identification cards for physical access to a government facility. This is an example of which type of access control. Okay, so you had a personal identification, personal identity verification card. What is that?

(11:29):
It would be A, logical; B, administrative; C, physical; or D, compensating. And you're asked, they have to have a physical card, wink, wink, physical. For which type of access control? And the answer is C. Physical tokens are used for control access to physical locations, again maintaining the use for their administrative control. But the actual card of the door reader is a physical access

(11:51):
control mechanism. So when you're using a beep beep, that's what it's for. Again, we've talked about beep beeps before on the podcast and how well they work. Question 10: implementing a data loss prevention software that monitors and prevents sensitive data from leaving the organization's network is primarily an example of which type of access control. Again, implementing DLP software that monitors and

(12:12):
prevents sensitive data from leaving your organization's network is what type of access control? A, logical; B, physical; C, administrative; D, detective. Okay, so which one? Is it for DLP? And the answer is A, logical, right. DLP software operates at the data and network layers, using

(12:34):
technical mechanisms to control and prevent unauthorized data exfiltration, right. So this falls in the category of logical or technical access controls. So those are one of the aspects, because you're putting something in place from a technical perspective to keep people at bay. Question 11: an organization implements a policy requiring users to change their passwords every 60 days. This is an example of what type of access control? A,

(12:56):
preventative; B, detective; C, corrective; or D, administrative. So, again, an organization implements a policy requiring users to change their passwords every six days. What type of access control is this? Okay, so which one could it be? Could it be administrative or could it be preventative? Oh, it is preventative, right, because, again, the policy's in

(13:20):
place, but what's actually occurring is that the fact is that you have a, you want to force people to change their password because of a password potentially been compromised, so therefore they would put in a preventative control. Again, this is a force. This regulated changes your effectiveness and potential compromised credentials. So it's an important part. Question 12: which of the following is a key difference

(13:40):
between discretionary access controls, DAC, and mandatory access controls, MAC? Okay, so A, DAC is centrally administrated, while MAC is controlled by the individual user. B, MAC relies on security labels, while DAC is controlled by the individual user, is based on user identities and group memberships. C, DAC is generally more flexible and easier to implement

(14:00):
than MAC. Or D, MAC focuses on preventing unauthorized access, while DAC focuses on detecting it. So which of the following is the key difference between DAC and MAC? And the answer is B, MAC relies on security labels, while DAC uses user identities and group memberships. Right? So again, these are all done. Comparing labels is assigned to each of the subjects and

(14:22):
objects and then a DAC, typically assigned, is typically granted based on the owner's discretion and their group memberships. Question 13: implementing a security guard at the entrance of a building who checks identification badges is an example of which two types of access controls. Again, you put a security guard at the gate when you walk in. So which two types of access controls are they? A, logical and

(14:46):
physical; B, preventive and detective; C, physical and preventive; and D, deterrent and corrective. So which two types of having a security guard at the entrance? It is C, physical and preventive, right. The security guard is the entrance. It is C, physical and preventive, right. The security guard is a physical presence and then by having them present their IDs, it is also intended to prevent unauthorized access of people trying to gain access to your

(15:06):
environment. One thing that's really good is, if you have those, is to put your um security guard, not have them there all the time, just have them kind of pop in, pop out kind of thing. So it's kind of cool. Question 14: after a successful brute force attack and on a user account, the security team implements account lockout policies after a certain number of failed login attempts. This is an example of which type of access control?
(15:29):
Again, after successful brute force attacks on a user account, the team finally puts in a lockout policy. What would that be? A, preventative; D, detective; C, deterrent; D, corrective? And the answer is D, corrective, right. The lockout policies aim to damage or limit any further access from an unauthorized user.

(15:51):
Therefore, you put in the corrective action to stop this from occurring. Last question: which of the following best describes a purpose of proofing the context of the identity management? Again, which of the following best describes the purpose of proofing in the context of identity management? A, assigning

(16:11):
specific access rights and permissions to a newly established identity. B, verifying the individual presenting the identity is genuinely associated with that specific identity. C, establishing unique identifiers for a user within the system. Or D, implementing strong authentication mechanisms to protect the established identity? Again, which of the following best describes the purpose of

(16:32):
air quotes, proofing, in the context of the identity management? And the answer is B, verifying the individual presenting the data is generally associated with the identity. What does it mean when you proof it? You got to have driver's license, birth certificate, those types of things to prove that Sean is who he says he is. He's not just somebody that just random showing up, and now

(16:52):
that can all these things be forged? Sure. Do people, HR people and them, look at these in depth? Maybe, maybe not, but, that being said, it does have something that you can use. I mean something you can use. Anyway. So that's all we've got for today. Hope you guys have a wonderful day. Go to CISSP Cyber Training. Check out what we have. A lot of free stuff. A lot of free stuff. Also, I have the ability for you to gain access to all of my

(17:16):
blueprint. My blueprint will help you pass the CISSP. Guaranteed, I guarantee you it will do it. You follow the blueprint and you go through what it tells you to do. You will pass the CISSP. So all this stuff is put out there for you guys. All this content is available to you. Again, the only thing holding you back from your CISSP is you. Again, go check out CISSP Cyber Training. You'll love it, I guarantee it.

(17:37):
It's amazing. I get lots of people that really give good reviews of what we provided, and the ultimate point is just to help you pass that doggone test. We really want you to pass the test, we do. All right, have a wonderful day and we will catch you all on the flip side. See you.