
June 26, 2025 37 mins


Check us out at: https://www.cisspcybertraining.com/

Ethical dilemmas lurk around every corner in cybersecurity, ready to challenge even the most technically competent professionals. Sean Gerber tackles these moral minefields head-on in this thought-provoking episode focused on CISSP Domain 1.1, presenting fifteen real-world ethical scenarios that will test your professional judgment.

The episode opens with crucial context about the New York Department of Financial Services (NYDFS) and its significant influence on cybersecurity standards in the financial sector. Sean explains how their recent bulletin addressing Iranian threats emphasizes essential security controls including multi-factor authentication and third-party risk management - requirements that extend well beyond the financial industry.

Diving into the ethical scenarios, listeners will confront challenging questions: What would you do upon discovering a concealed data breach orchestrated by previous leadership? How should you handle a zero-day vulnerability when the vendor is notorious for slow responses? Is it ever appropriate to modify security logging standards when employees resist what they perceive as surveillance?

Through each scenario, Sean walks through multiple possible responses, highlighting the correct ethical choice while acknowledging the complex organizational dynamics at play. The discussions reveal that ethical practice isn't just about knowing the right answer—it's about effectively implementing ethical decisions through proper channels, documentation, and constructive solutions.

The episode offers invaluable guidance for anyone preparing for the CISSP exam or working in cybersecurity, demonstrating that while technical competence opens doors in this field, ethical judgment keeps those doors from slamming shut. As cyber threats evolve in complexity, the moral compass of security professionals becomes an increasingly critical asset in protecting organizations and their stakeholders.

Ready to test your ethical judgment against CISSP standards? Visit CISSPcybertraining.com for 360 free practice questions and additional resources to strengthen both your technical knowledge and ethical reasoning.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started.
Let's go.

Speaker 2 (00:22):
Cybersecurity knowledge. All right, let's get started. Hey all, Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday and we are going to be going over CISSP questions related to Domain 1.1, and that training that was done prior was done on Monday.

(00:43):
So if you're new to CISSP Cyber Training, we do training over the products on Monday, or I should say over the domains, on Monday, followed by the CISSP questions on Thursday, and so that's where we're at today. So this is going to be a quick, before we get started, a quick article around NYDFS issues some guidance around cybersecurity,

(01:04):
as it relates to how you should think about this from a banking standpoint. Now, to set a little context, what is this? What is the article? What is NYDFS? If you're not connected with that NYDFS, they are a regulating body within New York and within the United States. New York houses, majority of our financial institutions are within the state of New York and so therefore, much of the US

(01:27):
will follow whatever New York does. As it relates to the banking industry, and it's not typically just banking. It's a lot of different aspects where they're a little bit more liberal when it comes to, or, I should say, conservative with some aspects of how you want to use privacy and how you do cybersecurity. So many companies will use New York or California as the litmus

(01:48):
test of how they should deploy their cybersecurity and privacy type aspects within their company. And so NYDFS has a lot of clout and it has a lot of pull within the rest of the financial industry, especially within the United States. So they're just basically coming out and saying that, hey, knock, knock. If you didn't have a good cybersecurity program before,

(02:08):
you should have one now. You never know if you're going to be a target of hackers around the globe. Again, anybody listening to this podcast knows that can happen at any point, any time. It doesn't need NYDFS to come tap you on the shoulder. However, awareness is key. It's very important and so, therefore, that's why they're coming out and doing awareness. Now, if you're not familiar with NYDFS, I'm just going to

(02:30):
quickly highlight some different aspects of why it's important and why people are focused on it. So there are some various requirements that it does come out and enforces you to do. One, you must have a program in place. You must define it. Now, in the United States, there's NYDFS, there's GLBA, there's various other entities that require this. But because it's in the New York State, New York said, hey,

(02:54):
beyond what GLBA does, and that's a US-based law, we're going to focus a little bit more of a target approach on the New York State environment. So you got to have a program, you got to have a policy. You have to have a CISO appointed, and this means an individual that is going to be your CISO within your organization. Now, if you go to a lot of banks, they don't have CISOs,

(03:14):
especially small and medium-sized banks. They may have that as a dual-hatted. However, in New York, you have to have one appointed, which means that person has to have signature authority. That person needs to be part of the board. Potentially. There's a lot of different aspects that go along with being a CISO at a bank, a very large bank within the New York state environment. You need to have risk assessments done, you need to

(03:37):
have access controls, and then you need to do pen tests on a routine basis. And then one of the key factors, the last two, was they have multi-factor, and then third-party risk management are key aspects of it. Now, multi-factor is an important part because of the fact that we stress if multi-factor is used within any organization. Well, this document calls out multi-factor as well.

(04:00):
I should say this bulletin calls out multi-factor and said, hey, if you haven't had it in place yet, you need to truly consider it to help protect your organization against these Iranian challenges. So, again, very interesting part. I forgot to mention there's also encryption, audit, incident response reporting, annual certifications and so forth. That's all part of NYDFS.

(04:21):
But the point comes down to is that if you are a bank within the New York environment, you need to follow those regulations that are there. You also need to pay attention to potential Iranian hackers. Now, if you're not in the New York's environment financial services, oh, you don't need to worry about it. No big deal. No, we all know that's not the case. You should probably take onus of the whatever New York is

(04:43):
doing and maybe even implement that within your company as well. I firmly believe that the more consistent that you can stay with all of these different security mechanisms, the better off you will be and the better off your customers will be. So, again, just want to bring that up: NYDFS issues a bulletin as it relates to the Iranian threat,

(05:03):
talking about what are some different aspects you should put in place to ensure that your company, especially your bank, your financial institution, is protected from these potential challenges on a global scale. Okay, so let's get into some of the questions we're going to talk about today. Okay, so, before we do, wanted to just put out a quick shout out to head on over to CISSP Cyber Training and get access to

(05:26):
all the content that's available to you there. It's great, just go check it out. There's a lot of great stuff available. There's a lot of free stuff. I'm making some changes to the site, but there's going to be a lot of free stuff out there as well as some paid stuff to help you get what you need. But head on over to cisspcybertraining.com, okay. So question one, let's roll into this.

(05:48):
This is again tied to Domain 1.1 around ethics, so a lot of these are going to be scenario-based questions focused on ethics. And how would you handle it? Okay, question one. A CISO discovers irrefutable evidence that her organization suffered a significant data breach six

(06:08):
months ago. This was intentionally concealed by the previous CISO and a former executive to avoid public and regulatory fallout. Not good. The breach exposed sensitive customer PII, and the current CISO's organization's code of ethics emphasizes protecting the reputation is everything. It's above all else. So what is the most ethically sound course of action for the

(06:30):
current CISO according to ISC²'s code of ethics? Okay, so A, quietly remediate the breach and ensure future incidents are reported without disclosing the past concealment to protect the company's current reputation. Probably not the best choice. B, disclose a breach immediately to affected customers and regulators, understanding this may cause significant

(06:50):
reputational and financial harm to the organization. C, inform the board of directors and legal counsel, recommending strategy to address the past concealment while minimizing additional damage. Or D, resign from the position and avoid complicity in past concealment and protect personal and professional integrity. I guess it's a tough spot to be in, right, for your CISO. What would you do in this situation?

(07:12):
So I would say it's going to be a combination. One you might bite off on is D, is inform the board and legal counsel, which is definitely something you would do. You wouldn't just come out and arbitrarily say, hey, we did this, we were bad. You would want to make sure legal counsel and everybody's on board before you even do any of this aspect. But the right answer would be B, disclose the breach immediately

(07:34):
to affected customers and regulators, understanding this may cause significant reputational and financial harm to the organization. It could cause a lot of financial or reputational harm to you, especially why? Because you walked into the dumpster fire and now you have to deal with it. Obviously, you would talk to legal and you would get with compliance and you would make sure that everybody is aligned with your approach. You'd have an approach defined and you would have a plan laid

(07:58):
out. You, as a CISO, would be responsible to ensure that this plan is taken care of and that you have articulated it well to the entire organization before you actually come out. Again, this is going to be a huge deal. You wouldn't just come out and say it, but you'd want to come out effectively and quickly to what the situation is, to just

(08:19):
tell your customers of what's actually happened, and it would go badly, but you have to do it. Question two. A security architect identifies a critical zero-day vulnerability in a widely used third-party component that his company relies on, which could expose millions of users across various organizations, millions and billions. The third-party vendor is notoriously slow, oh my goodness,

(08:42):
to respond to security reports. Not good. The architect's organizational policy requires that all vulnerability disclosures go through the vendor first. What is the architect's most ethical priority in this situation, considering the potential for widespread harm? Okay, there's a vendor and this third party. They don't do things very quickly and it could expose

(09:02):
millions and millions of users across many organizations. So what should you do? A, adhere strictly to the organizational policy by reporting only to the vendor and awaiting their response. B, immediately disclose the vulnerability publicly to warn the affected organizations and users. C, develop and implement internal mitigations and then wait for the vendor to patch before external disclosure.

(09:25):
And then D, report the vulnerability to a reputable vulnerability coordination center or the CERT to facilitate the responsible disclosure. Okay, so lots of stuff going on here. What would you do as an architect? Well, as an architect, first off, you wouldn't just go and do this. You would actually go talk to your legal and counsel around

(09:46):
this. You'd talk to your CISO and many of the other organizations or people within your company. But if it was you and it was your responsibility to report it, then you probably would pick D, right, report the vulnerability to a reputable vulnerability coordination center and then to facilitate a responsible disclosure. So again, you would first coordinate with the vendor. You'd work with them, trying to figure out what you're going to

(10:07):
do. But if the vendor doesn't respond and the vendor is very slow to action, you would need to coordinate with your legal team to say, okay, after X amount of days, we are going to the reputable vulnerability coordination center, and then you'd have that plan defined. And you'd also define that plan with the vendor saying, hey, we're coming out with this thing, whether you like it or not.

(10:28):
So, unless you get your act together, we're going to come out and you're going to be named. And again, you're not going to say this. Your legal counsel will, but it's going to be an important part that you will want to make sure that they're aware of. Question three. A security analyst is tasked with deploying an employee monitoring solution that records all internal communications, including personal messages, under the

(10:49):
guise of data loss prevention. The analyst knows that this violates the spirit of the company's privacy policy and potentially local privacy laws. Although the legal department has provided a vague sign-off, that's what the plan is, her manager insists that a rapid deployment is necessary. So what is the analyst's most ethical responsibility here?

(11:10):
So they're recording everything they are doing, they're being the NSA and they're calling it under data loss prevention. Again, now you look at the word, look at the terms, look at the question, the guise of data loss prevention. It gives you the hint that there's something nefarious going on here. Maybe there is, maybe there isn't. Again, this is important when you are doing any sort of DLP,

(11:30):
you need to make sure everybody's aligned with what's going on and it's full transparency, not with all employees, but with senior leadership, that they know what you're doing. A, deploy the solution as instructed by her manager, as legal has provided sign-off implying it is permissible. B, deploy the solution but configure it to minimize the collection of personal communications without informing

(11:51):
management. C, express her concerns to her manager, citing potential privacy policy and legal risks, and request a clear legal review or policy amendment. And then D, report her manager's request to the internal ethics hotline or a regulatory body. Okay, so D, you would not want to do that. I mean, obviously you would do that if you got nothing. You thought this was absolutely stupid and everybody's being

(12:15):
negligent. You would do that, but that's not where you would go to immediately. C is the correct answer. Express your concerns to your manager, citing potential privacy violations and legal risks, and request a clear legal review or policy amendment. So something to consider with this is that I've had numerous times where I have a policy has been set up, we set up the

(12:36):
program, and then what ends up happening is I talk to legal and I go, this is what's actually occurring within this product, and they go, oh no, we don't want to do that. So legal will give you advice based on what they know, and sometimes it takes a little bit more clear understanding, both by you as the person that's bringing this forward, and also by legal, and so that may change the approach.

(12:58):
So if you do have analysts that come to you, or if you are an analyst and you're saying, hey, this is BS, this is not good, there's a way to provide criticism in a polite and effective manner. This would be one of those where you'd want to be very careful, not in a way that be careful, you lose your job, but be careful on how you come across. Coming across saying you

(13:18):
are violating policies, you should not do this, that's a bit abrasive and that will not get you where you want. But by bringing forward something that needs clarity, because maybe you're just a little confused about it and that you see some potential risks to the organization, that is a much better approach and you'll get a lot better listening from your legal counsel. So, again, it's all about the approach.

(13:40):
Question four. A CISSP certified security consultant has been hired by a small tech startup, thank you very much, to develop an entire cybersecurity strategy. Yay. During the initial assessment, the consultant realizes that her existing knowledge base, while strong in the enterprise security, has significant gaps in specific cloud-native and serverless technologies. The startup that predominantly uses that should have been

(14:02):
figured out in the SOW. What is the most ethical course of action for this consultant? Okay, so this person does not know what they're doing on the specific topic. A, inform the startup of her knowledge gaps and propose bringing in a specialist or recommend another consultant better suited potentially to oversee the strategy. B, proceed with the engagement, learning on the job to fill in

(14:22):
the knowledge gaps and the startup needs because they need immediate help. C, decline the engagement entirely to avoid providing incompetent service. Or D, focus on areas of her expertise and deprioritize cloud-native aspects, as some security is better than none. Okay, the most ethical course of action. Again, you could decline it. That would be good to avoid your incompetence, but the most

(14:46):
ethical plan would be to A, inform the startup of her knowledge and propose bringing in a specialist, or recommend another consultant better suited to oversee the strategy. Obviously, this needs to come out during the SOW, your statement of work, but this does happen from time to time where you might get in and go, oh, this is not what they told me it is, and this is definitely not in my wheelhouse, so you may want

(15:10):
to go, ah, let's talk about this, boys and girls, because again, you want to do the most ethical thing and give them the product they need, again the service they want, for the price they've asked for. And you need to be able to provide the skills for it. And if you can't, you need to own it and figure out what to do to fix it. But again, coming together with solutions is a much better

(15:31):
solution than just going out, tap, I'm out, tap out. That does not help anybody and it actually hurts your overall street cred. Your street cred will be hurt already because the fact is that you're trying to do something you can't do, but at the end of the day, you need to make sure that you provide them the service they paid you for. Question five. A security leader holding a CISSP discovers a critical vulnerability in a popular social media platform.

(15:53):
Oh, yay. The platform has published a responsible disclosure policy, but it offers no bug bounty program. The researcher's rent is due. Oh, you see where this is going, and he knows selling this vulnerability on the black market could solve his immediate financial problems. Yeah, baby. What is the most ethical decision according to the ISC² code of ethics? Okay, so, yes, he could sell it.

(16:16):
Could he sell it? Is that a good idea? A, sell a vulnerability on the black market to address his personal financial needs, as the platform offers no reward. B, follow the platform's responsible disclosure policy even without financial incentive for the safety of users. C, disclose the vulnerability publicly immediately to force the platform to patch, as they offer no incentives.

(16:36):
Or D, contact the platform privately, offer to fix the vulnerability for direct payment and threaten public disclosure if refused. Okay, so all the threatening stuff? That's just bad. Right, it's just really bad. And then also put it on the black market, that's really bad too. Bottom line is if you're not getting paid, you still need to do the right thing and disclose it responsibly.

(16:58):
The other thing you got to understand is even if you just said, you know what, I'm just going to release it in the wild, let it go, let it see what happens. You will be legally liable for doing that, and so you think you're doing the right thing in your mind, whatever that is, you will pay for it for quite some time. So, highly recommend follow the responsible disclosure policy, no matter what.

(17:18):
That's the right call to do, because it's just the right call to do. Question six. A CISO is reviewing a security budget proposal. This is a key project strongly recommended by our team as an essential, right. It's essential. Air quotes. For mitigating a significant threat is deemed potentially too expensive by senior management, who are proposing that they defer it.

(17:40):
They push it down, they kick the can down the road. The CISO believes that a deferral would put the organization in unacceptable risk, potentially violating the organization's stated risk tolerance. What is the most ethical action for the CISO? So now you get risk. Stated risk tolerance is an important factor, especially in the financial industry. So what should this CISO do? There's unacceptable risk. A,

(18:01):
accept the management's decision and document the deferral and focus on budgetary items. B, clearly articulate the risk implications of the deferral and make sure they understand that, including potential regulatory and financial impacts, ensuring that risk acceptance is formally documented and approved by the appropriate levels of authority. Yes, B. Or C, implementing a project secretly by reallocating funds

(18:24):
from other areas without explicit approval. Or D, resign in protest as the organization is clearly not prioritizing security. Okay, well, the last one is just, I'm going to throw a fit and take my ball and go home. That's not right. But B, clearly articulate the risk implications. Defer to senior management, including potential regulatory and financial impacts, is an important part of all this and

(18:45):
you want to make sure it's documented. Again, it comes down to education. The board, in many of these cases, senior management, is going to find the money. If it's that big of a deal, you just have to do a really good job of articulating why it is a big deal. And again, you may also have to come to the table saying, because of this, we are going to defer in X, Y and Z.

(19:06):
But, guys and gals, we really need this and this is why. They'll find the money. They will, most organizations will, because if they don't, they're legally being held liable as well if it ever comes out that the board or senior leadership didn't want to spend the money on security. Uh, and something bad happens? Yeah, they're all fired. So everybody's aware.

(19:26):
It's again. It's CYA, cover your hiney, they will do it. Question seven. A cybersecurity firm uses a proprietary scanning tool for its clients. A new employee, CISSP, discovers a critical flaw in this tool and could allow the attacker to gain unauthorized access to client data if exploited during a scan. Reporting this internally would

(19:46):
delay the project timelines and could reflect poorly on the firm's reputation. What is the most ethical thing for this person to do? A, fix the flaw quietly without reporting it formally to avoid delays and reputational damage. B, continue using the tool for current projects, but stop using it for new clients until the fix is available. C, inform clients immediately about the potential flaw in the

(20:10):
scanning tool. Or D, report the flaw internally through the formal bug reporting process, emphasizing potential client impact. Okay, the most ethical action for this would be D, report the flaw internally through your formal bug process, emphasizing potential client impact. Again, you're going to have to get legal, compliance, all these boys and girls involved in this, so you really want to make sure

(20:32):
that it is well documented and you've gone through your overall process. Again, that's the first step in doing this. Fixing it's not, continuing to use it's not the best idea, you may have to, but you have to figure that one out. And then informing clients immediately. Again, that's not good if you don't have legal and compliance on board. Question eight. A financial institution's organizational

(20:53):
code of ethics explicitly forbids employees from engaging in any outside consulting work that could create a conflict of interest. Yes, that is what I ran into when I was with my company. A CISSP certified employee is offered a lucrative part-time consulting role for a non-profit. Yeah, that is unknown to him is that this is a minority investor of one of the most of one of his financial

(21:14):
institution's critical third-party vendors. What is the employee's most ethical decision? Again, you're getting offered a lucrative part-time consulting role for a non-profit which, unknown to him, has a minority investor in one of the most, in one of his financial institution's critical third-party vendors. So again, basically, what it comes right down to is he's going to go work for a non-profit.

(21:36):
This non-profit has some aspects to a third party that is tied to his company. He doesn't know this, but what's that going to do? A, investigate the non-profit's affiliations and, if a potential conflict exists, disclose it to his employer before accepting. B, accept the role. The non-profit is unrelated to this direct work and the conflict is unknown.

(21:57):
C, accept the role but implement a personal... Okay. So this is really squishy. It gets super tough and super interesting. So again, when it comes right down to it, the Code of Ethics forbids the employees from engaging in any outside

(22:18):
consulting work. So investigating the nonprofit is an important part, understanding who they all are and what's going on. If a potential conflict exists, disclose it to the employer before accepting. That is A. I would highly recommend that. When I had this situation occur to me, I was very upfront and transparent to my employer on what I was doing.

(22:38):
Part of it was my podcast. Right, I came out with my podcast, was running that, and my employers, I wanted to let them know what I was doing because I'm talking about stuff. Their aspect was, hey, we're fine with it, just don't mention us. That's the end of it. They don't really. They didn't want to be called, or not necessarily even not mention them. Just don't bring up any sort of vulnerabilities that could be tied to my previous organization and that

(23:00):
that went without saying, right. So again, bring it up to people before you go and do it. During an incident response, the security professional discovers evidence that a senior executive's account was compromised due to extremely weak, non-compliant password usage. The organizational policy states that all incidents must be fully documented, but the CISO requests that details of the executive's password weakness be omitted from the final

(23:23):
report to avoid embarrassing this executive. Shame on you. What is the security professional's most ethical obligation? Okay, we don't want to do public shaming. A, omit the details as requested by the CSO or CISO, as it is a direct order from a superior management. B, document the full details of the password weakness in the

(23:44):
report, citing the organizational policy for full documentation. C, document the full details but provide a separate redacted version to the CISO for external distribution. Or D, discuss with the CISO. Omitting the details would hinder lessons learned and proper remediation. Okay, so there's a right way and there's also the correct way and the right way.

(24:04):
So the correct way would be B, document the full details of the weakness, citing the organizational policy for full documentation. That's right, no question about it. However, you're going to want to do, this is the nuance and the experience that you really need to get, is that you would work with the CISO going, hey boss, we really need to deploy that, we really need to have this cited, we need to do it.

(24:25):
However, here are some options about how we could do this in a way that doesn't make our executive look like a fool. Maybe, and the reason it probably looks like a fool is, I mean, I'll give you an example. The executive's password, let's just say, is this guy's name or gal's name? Is super executive, that's their name, right, they put in their password super executive rocks. Okay, well, you know who super executive is.

(24:46):
Right, it's this guy or gal. So you wouldn't put that in as a password. You would probably highlight the fact, maybe blur out part of it and say, hey, this is a person's name, they put this in there, we're protecting this person, this individual. Come up with solutions around it. The executive would understand, they would see it and go, ooh, they would squirm a little bit in their chair, but it wouldn't

(25:08):
call out the executive in front of all of their friends. So, again, there's ways to do this that are more professional, that you wouldn't just go, hey, it sucks to be you, I'm going to do this. Don't do that. Bad idea. Question 10. A CISSP certified individual is working on a new AI-driven product for his company. He discovers that the training data sourced from a third party

(25:28):
contains personal identifiable information that is clearly not consented for AI model training. Aha, AIs, baby. Violating the company's privacy policy and GDPR. The team lead dismisses his concerns, stating that everyone does it and it's essential for model performance. Yeah, everybody does it. What's the problem? What is the most ethical course of action for this individual?

(25:48):
A, continue working on the product, as a team lead has dismissed the concern and the model performance is imperative. Performance is imperative. B, anonymize the PII in the training data oneself and, even if it might degrade the model's performance slightly, without informing the team lead. C, escalate the concern to the company's data protection officer or DPO or legal compliance department.

(26:10):
If you don't have a DPO, maybe you have a chief risk officer, somebody like that you would bring it up to. Or D, resign in protest. Right, that's always one. Resign in protest from the project to avoid ethical conflicts. I mean, that's obviously the draconian approach, but it's not the right approach. The answer would be C, escalate it to your DPO, risk officer, legal compliance, one of those folks, and just say, hey, we need

(26:33):
to talk about this. Again, education, and I wouldn't throw your buddy under the bus.
Just say, hey, we have some concerns, we need to talk about this.
Uh, don't throw your boss under the bus, but you also need to let your boss know.
Hey, I'm going up here, I'm gonna go talk to these people.
You're awesome, but yeah, you suck.
Question 11: a security analyst, part of the global team, identifies a critical vulnerability in a system used

(26:54):
primarily by employees in a country with strict cyber sovereignty laws.
This makes it legally ambiguous to fully disclose all collected security log data to the central SOC located in another country.
So, basically, they have sovereignty laws that say you've got to keep the data local, and then sending it to another SOC in a different country makes it challenging.

(27:15):
Dealt with this.
Yes, it's very challenging.
The organizational policy mandates full log centralization.
What is the most ethical approach for this analyst?
So you need to have the logs out of this place where the logs need to stay; the cyber sovereignty laws and the country say no, but your policy says yes, you must.
So what is the most ethical approach for this analyst?

(27:36):
A, prioritize the global organizational policy and centralize all logs.
This offers better security, just do it.
B, prioritize the local country's cyber sovereignty laws and limit log collection or centralization from that region.
C, document the conflict, raise it to legal and compliance and propose a solution. Haha, that sounds very good.
That balances security and legal requirements, such as

(27:59):
anonymization, pseudonymization, local processing before transfer.
X, Y and Z. Come up with solutions.
D, request a transfer to a different team to avoid personal legal liability.
That's not my thing, it's a hot potato, it's your problem.
So the answer is C, document the conflict, raise it to legal and compliance and propose a solution.
That's always the best option. Well, not always, but probably

(28:22):
in most cases the best option.
Question 12: a security operations manager has discovered that one of his direct reports has been consistently violating the company's acceptable use policy by regularly browsing prohibited websites on company devices during work hours.
I ran into this a lot.
Yeah, especially in Europe.
They would go on porn, but they could.

(28:43):
They can't do it in the United States, but they could do it there.
So you had to deal with acceptable use. In this case, these guys and gals are going to places they shouldn't be going.
So this is an administrative policy violation, not a criminal act, but it could expose the company to malware because they're going to potentially risky sites.
What is the most ethical first step for the manager?
A, immediately terminate the employee for policy violations.

(29:06):
I like that one, but that's not correct.
Just terminate everybody.
B, issue a formal written warning and document the violation.
C, block the websites at the network level without informing the employee of the monitoring.
Or D, discreetly discuss the issue with the employee, explain the risks and remind them of the policy.
So there's a couple things here, right?
So the answer is D, and I agree with that.

(29:26):
You discreetly talk to the employee and say, hey, let us not do this, but you need to document all this, and you need to document with their manager and you need to talk to their manager about it, but it would be discreetly doing this, not highlighting it, if you can avoid it.
Again, the ultimate point is talk to the person, explain the situation.
In many cases it can be resolved just by a conversation and it goes away.

(29:47):
But you need to document everything that you did, because you never know when it could come back to bite you and they come back and say, well, hey, Sean said I could do it.
Yeah, no, that's not the case.
Question 13: during a routine internal audit, you, a CISSP, identify that there's a critical legacy system vital for daily operations.
Okay, you got your ops, which does not meet the

(30:08):
organization's current minimum security baselines.
Okay, it has outdated operating systems and unpatched software.
Oh, not good. End of the world, it's Armageddon.
Remediation would require a significant investment and downtime.
The operations department argues against immediate remediation due to the cost and service disruption.
They don't want to affect ops.

(30:29):
What is the most ethical course of action for this person?
A, approve a temporary waiver for the system, acknowledging operational constraints.
B, insist on immediate remediation, threatening to report the system as high risk to external auditors if not fixed.
Again, draconian approach.
C, clearly document the deviation from the security baselines, conduct a formal risk assessment detailing the potential impact and likelihood, and present the remediation

(30:53):
options as well as alternatives to the folks, basically to risk management, to understand what to do.
And then D, advise operations to implement workarounds to accept the risk without formal documentation, given the system's criticality.
So there's a lot going on here, and the correct answer is C, right, you want to do a risk assessment, look where it's at

(31:13):
from the baselines, including providing alternatives.
Right, that's the best approach, but you're going to have to work through that with operations and make sure they understand it.
You may actually even have a workaround in the short term until the risk assessment is complete.
You probably need to do that, but you need to document it.
That's where D falls flat.
You have to document this and make sure everybody's aligned,

(31:35):
including legal and compliance and your senior leaders.
Again, I can't stress this enough: do not, I repeat, do not go alone on this.
If you do, you will end up without a chair when the music stops, and we do not want that.
Question 14: a CISSP-certified lead is tasked with implementing a new security logging standard across the organization.

(31:55):
The standard requires logging specific user actions that some employees perceive as intrusive and unnecessary surveillance.
Yes, Big Brother, leading to internal resistance.
The lead knows that these logs are critical for incident detection and forensic analysis.
What is the most ethical action to address this resistance?

(32:16):
A. Engage with employees, clearly communicate the necessity of the logs, and basically explain the privacy standards or safeguards in place and offer channels for their feedback. Again, listening and providing feedback.
B. Implement the logging standard, fully ignoring the employee complaints, and just go, don't worry about it.
C. Limit the scope of logging to avoid employee backlash, even if it compromises security visibility.

(32:37):
Or D. Seek a mandatory directive from a senior leader to force compliance without further explanation to employees.
Now, if you all read these, you're probably going to figure out the right one, but the goal around this is to go, you know what, clearly communicate the necessity for the logs and the feedback.
Make sure they're aware of what's going on and make sure that they're aligned with it.
And even if they're not aligned with it, you still have to do

(32:59):
it.
But you need to make sure everybody understands the risk and why you're doing what you're doing.
Okay, you are employed by a software vendor.
You discover that a critical security patch released by the company for a widely used product inadvertently introduces a new and even more severe vulnerability.
Oh no. The executive team decides to delay the public

(33:20):
announcement of the new vulnerability until the second patch is readied.
So they're not going to deploy it, because they're delaying the public announcement until the second patch is ready.
Fearing potential immediate stock market impact.
Okay, so they're already there, they're publicly traded, so that tells you something, but they're going to delay on the public announcement until the second patch is ready.

(33:41):
The executive team's decision conflicts with the company's policy stating that customer safety is always first.
What is the most ethical thing you should be doing?
A, remain silent, continue working on the second patch as per the executive's instructions.
B, publicly disclose the new vulnerability immediately to alert customers.
C, inform the board of directors and legal counsel about the

(34:04):
executive team's decision and its potential ethical or legal implications.
Or D, inform the direct manager of the ethical conflict and suggest a compromise solution, basically a private notification to high-risk customers.
Okay, again, there's lots of nuances in which way this could go.
The answer is C, informing the board of directors and legal

(34:25):
counsel.
That is what you should do, but there would be a lot of things leading up to that, and you might be a security analyst and that's not your role to do that.
Your role is that you're doing whatever, but, let's just say, you are somebody that is in a senior leadership position.
This is something that you would want to highlight to the board of directors if you're not getting it resolved.

(34:47):
That being said, if you're willing to take it to the board of directors, it's highly, highly likely that your senior leaders will not be bucking you and they'll go, okay, let's do this.
What do we need to do?
Because they're not going to want to take this to the board or legal counsel.
They're going to want it to be resolved internally and quietly, to get it taken care of and be done the right way.
But, yeah, you're going to want to make sure that you bring

(35:10):
this out and you get it resolved as fast as you possibly can without having to go and jump through a bunch of hoops.
But the correct answer is C, inform the board of directors and legal counsel about the executive team's decision and its potential ethical and legal implications.
Okay, that is all I have for you today.
Again, this is CISSP Cyber Training, and you can head on over here and get all kinds of free stuff.

(35:31):
It's amazing, you'll love it.
It's going to be incredible.
But head over to CISSPcybertraining.com.
Expect some changes coming to the site.
Got a lot of great stuff coming.
A lot of great stuff happening on YouTube as well, so you are going to love it.
If you're studying for your CISSP, it's going to be really good for you.
All right, hope you have a wonderful, wonderful day and we will catch you all on the flip side, see ya.

(35:51):
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes.
I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a

(36:12):
plethora, or a cornucopia, of content to help you pass the CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey.
Thanks again for listening.