Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast.
Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go.
Speaker 2 (00:22):
Cybersecurity knowledge. All right, let's get started.
Good morning everybody.
It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today.
Today is CISSP Question Thursday and we're going to go over just a few questions that might be a little bit more challenging as it relates to the CISSP exam.
The ultimate goal on Thursdays was to provide CISSP questions
(00:45):
and then, along with that, on Mondays, we actually provide some training around what we're doing.
So Monday is the training, Thursday is the questions, and then we just keep on trucking on.
That's the plan.
Now what we're going to talk about here in just a minute is the five questions that I have, as it relates to all of the CISSP questions or all of the domains, and not I just won't
(01:09):
cover them all because there's only five questions, but it's just going to cover some deep questions that may ask and some scenario-based questions that you may have questions about that's question.
Saying that word about four times in about one sentence, that's a lot.
So, all right, let's get going into what we're going to talk about today.
Well, before we get started in the questions today, there was an article that I saw in the InfoSecurity magazine and this
(01:31):
is around the South Yorkshire police deletes 96,000 pieces of evidence.
Now, if you all have known, we've talked about this at CISSP Cyber Training.
There's an important part that you have a good plan related to the protection of data within your organization.
Now, as you're dealing with police officers, obviously a big factor for them is the digital evidence that's out there, and
(01:54):
there is a process by which you will manage the digital evidence of any case that you have, and that's that chain of custody process.
Now, the problem that came into in this situation is that some people just didn't understand what they were doing and it caused a huge issue.
So, basically, they deleted around 96,174 pieces of body
(02:15):
worn video.
So it's your video that you have that police officers have when they're going and doing some sort of investigation, and it's all the video that goes with it.
Now, as we know, video is extremely intensive, right, it stores up a lot of data, and I can see what ended up happening is potentially this is just the quick look at this is that you know what?
Hey, we've got all this stuff just sitting around, nobody's
(02:36):
using it.
Let's delete it because it's taking up storage space and it costs us money.
Now, that's my just a quick thought, and I can see how someone would come to that conclusion, but what it came right down to is an IT upgrade in 2023 caused the digital evidence management system stored on a to be stored on a local disk.
So they had it from a cloud situation.
(02:56):
They put it on local disk.
A mass deletion occurred on July 26, 2023 during a third-party data transfer to a storage grid platform.
So in this case here, it wasn't because someone just said I got space, I want to delete it.
It actually was because they were taking a move with it.
Now, as we all know, moving data that's related to anything
(03:18):
that's important like this.
You would want to have a good plan in place on how to deal with it.
You'd have your backups, you'd maintain your backups, you would do a data storage move.
Then you would verify your backups actually occurred.
They couldn't prefer the SYP could not provide definitive explanation for the deletion.
They just deleted it.
So I would say there's a tragedy of errors in this that
(03:42):
potentially could be a big factor.
One one they probably had an IT person that did not totally understand how to move these digital assets from one location to the next.
They may have done it with a third party, they may have done it internally, but they didn't truly know how to verify that once the data is in one location, it's moved to the next location, and then how do they validate that the data was actually moved?
(04:02):
I think it.
It was just a hey, let's just copy paste and then real quickly if any sort of a issue with the data transfer were to occur and the data becomes corrupted.
Now you have a bigger situation.
Now, this affected about 126 criminal cases, but with only one case potentially impacted at the court stage at this point.
(04:23):
But it's 126 criminal cases.
Now, not everything with the footage is imperative to the business case itself, but it shows a lack of knowledge, potentially, on how this should have occurred.
They may not have wanted to pay for someone to actually do this, but yet at the end of the day, they probably should have paid
someone to do this.
So what does it come right down to?
You need to have failures in data.
They had failures in data management, backups and record keeping, obviously because these things happen.
So they need to, from an organizational standpoint, need to have a really good plan in place when they're considering any sort of move like this, especially when you're dealing with chain of custody aspects and you're dealing with court
(05:05):
cases.
So it's an important part.
The recommendations that came out of the ICO as well as implement adequate storage backup solutions.
Shadow third parties that are accessing these systems right.
So if there's a third party that's managing it, are you watching what they're doing?
You don't just going, hey, yeah, you guys take care of it.
No big deal.
You're going to need to shadow them as well.
Define third-party roles and responsibilities.
(05:28):
Conduct risk assessments. Big factor is conducting a risk assessment of what you have and then ensure all records are clearly identified and marked.
So there's a lot of failures here that occurred.
Hopefully I mean unfortunately if you are in the court system, if this body cam's footage was important for your case and you lost it, that would be extremely poor.
(05:50):
It would be very bad.
So hopefully they can recover some of this or at least it won't be as big of an impact as it potentially could be with their organization.
So, again, understanding how your data is stored and transferred is an important part of any organization, whether you're in the police department or whether you're in corporate
(06:11):
America.
Okay, so let's go on and move on to the questions we have for you today.
Okay, so you can get all these questions at CISSP Cyber Training.
Everything that I have here and available is available to you.
This is obviously the free version is what I do with the podcast, but you can get access to the questions themselves through my paid program that I have.
It's available for you.
(06:32):
Honestly, it's dirt cheap compared to what you will pay for a boot camp type program.
I'm giving you all the content that you need in a boot camp type program available to you, as well as mentorship and availability of myself to you if you see fit.
And finally, we have the free versions.
I have available the bronze package.
(06:54):
I mean honestly that thing.
You should be picking that up immediately.
The reason I say that is because it's free and if you want to have a self-study that you don't really don't think you need any sort of deep dive or any sort of type of boot camp type activities, the free version is exactly what you need and I would sign up for it immediately because it's free and it doesn't cost you anything.
(07:14):
So let's move into some of the questions and let's answer these and see where we go from there.
Question one scenario OK, you are a security architect at a multinational financial institution.
The organization is deploying a new cloud-based application that processes sensitive customer data.
The application requires strong encryption for data at rest and in transit.
(07:34):
During the design phase, you must select an encryption algorithm that balances security, performance and compliance with FIPS 140-3 standards.
The application will handle large volumes of data and performance is a critical factor.
Which encryption algorithm should you recommend for data at rest to meet FIPS 140-3 and in optimizing the performance?
(07:56):
Okay, first question or first answer A AES-256, B RSA-2048, C Triple DES and then Blowfish.
Okay, so those are the four options that you have available to you.
So which one is it?
Which encryption algorithm should you recommend for data at rest to meet FIPS 140-3 while optimizing performance?
(08:19):
So if you look at the questions, you'll go.
Well, you know what?
I know that Blowfish is a symmetric block cipher and it's not FIPS approved, so I'd throw that out.
Triple DES is an older cipher that's out there and it is significantly slower than others that are on the market.
It is a FIPS approved, right, so that's a good thing.
(08:40):
Triple DES is FIPS approved, but it is a much slower type of algorithm, cipher, I should say.
So if that's the case, I would throw that one out as well.
So now you narrow it down to two.
You got AES-256 and you got RSA-2048.
Now RSA-2048, that's a relatively new one that's been out and it's an asymmetric encryption algorithm.
Okay, and it's used for key exchange or digital signatures.
(09:04):
It's not designed for encrypting large volumes of data at rest due to its computational overhead, because it's basically 2048-bit.
Now, that being said, can it do it?
Yes, should it do it?
Not necessarily, it should be used for digital signatures because of that situation.
So it leaves you to the last one, which is AES-256.
(09:24):
This is a standard with 256-bit key and it's a symmetric encryption algorithm that is FIPS 140-3 compliant and it is highly regarded as a secure method for protecting sensitive data.
Okay, so it gives you good security and it also helps with the overhead that it isn't having to be computationally too high.
So it works really efficiently for the data at rest situation.
(09:49):
So the answer would be AES-256.
Question two A large healthcare organization is implementing a new electronic health record system, or EHR.
The system must comply with HIPAA regulations and ensures that not only authorized personnel can access patient records.
I mean, actually can ensure only authorized people, sorry.
The organization uses a role-based access control, or
(10:11):
RBAC, model, and is considered implementing a single sign-on solution to streamline the access across multiple applications.
However, there's a concern about the potential for an unauthorized access if an SSO session is compromised.
Okay again.
So they have RBAC in place, they are going to put in SSO as
(10:33):
well, but they're concerned that if an SSO session was compromised, it would.
Then, because they're using it for the single sign-on for many applications, you would have access to multiple applications at one time.
The question what is the best approach to mitigate the risk of unauthorized access in the SSO implementation while maintaining compliance with HIPAA?
Okay, so A a longer session timeout period to reduce the
(10:57):
user reauthocation, reauthocation, authentication, I can't speak.
I can't speak.
B implement multi-factor authentication for all SSO sessions.
C disable SSO and require separate logins for each application.
Or D encrypt all SSO session tokens with Triple DES. Okay.
So what is the best air quotes best approach to mitigate the
(11:21):
risk of unauthorized access in an SSO implementation while maintaining compliance with HIPAA?
Okay.
So let's knock out a few of these that maybe don't make any sense or aren't the best answer. A encrypt all SSO tokens with Triple DES.
Okay, so Triple DES session tokens that we just we talked about in the previous question is a less secure and it is older
(11:43):
type of product out there, and so therefore it alone would not address the authentication risk.
It would just encrypt the overall session, so that in of itself, is not necessarily the best answer.
Disable SSO and require separate logins for each application.
Disabling SSO would not help you, and you're now back to
(12:04):
where you were with square one, which is the fact that now everybody has a login for the application and you know they're using password reuse.
So that would not be a best option either.
So you've now narrowed it down to two.
You use longer session timeout periods to reduce user re-authentication.
Well, if you're trying to mitigate the SSO issue, then
(12:24):
allowing for a longer re-authentication period would not be a good idea, right?
Because that would increase the risk of session hijacking and doesn't really necessarily enhance security at all.
So the answer would be B implement multi-factor authentication for all SSO sessions.
So again, multi-factor adds an additional layer of security
(12:44):
requiring multiple forms of verification, which we've all talked about numerous times on this podcast.
It significantly reduced the unauthorized access of an SSO is compromised, so multi-factor is an important part.
Now, obviously, you can do different levels of multi-factor, from having an actual authentication application on your phone to just having text sent to you, which we know the text sent to you is not the best option.
(13:06):
It is an option, but it's not the best option.
So then this question, though the ultimate goal is just implement multi-factor for all SSO sessions.
Question three your organization has detected a sophisticated, advanced, persistent threat APT targeting its financial systems.
Oh no, the incident response team has identified indicators of compromise, including unusual outbound traffic to known
(13:28):
malicious IP addresses.
The organization uses a SIEM, basically, you know, like a Splunk or a ArcSight or something that is used to monitor and correlate the logs, right, but the APT has evaded initial detection by using encrypted channels and low and slow attack techniques.
Very smart of them, it is.
So what is the most effective?
(13:49):
Step to contain the APT and prevent further data exfiltration.
Okay, obviously there's a lot of steps that have to go into this and not just one, but let's just talk about what we have. A block all outbound traffic from the firewall until the threat is fully analyzed.
B deploy new antivirus signatures to detect APT's malware.
C increase the logging level of all systems to capture more
(14:10):
data.
Or D implement network segmentation to isolate affected systems.
Okay, so there's a lot of little things in here you could do, but which one is the best, the most effective that you could actually have happen?
So let's start with one. Block all outbound traffic at the firewall until the threat is fully analyzed.
Okay, that'll work, but you'll get a lot of people mad at you.
(14:31):
Basically because by doing this, nobody can move, nobody can do anything within the business, so that would cause drama.
Now the APT is probably in your network and they can move laterally within your network.
So that would be a little bit of a challenge.
But again, if they can't communicate outbound, that would limit to what they can and cannot do.
So that's not a bad thing, but, man, there's a lot of
(14:54):
implications for doing that.
That would not be the most effective step. B deploy a new antivirus signature for the APT's malware.
Okay, so, antivirus signatures may not be effective specifically against APTs.
Again, if it's a robot type APT activity, maybe, but if it's someone that's actively engaged in your network, probably not,
(15:15):
probably won't do much to them at all.
Increase the logging levels of all systems and capture more data.
That is good.
It can be helpful in investigation and it can provide you a little more data.
Now, it might be a bit after the fact because you already know they're in your environment, but it's not terrible, it's just.
I think you would use that in conjunction with something else.
(15:35):
And then the last one is implement network segmentation to isolate the affected systems.
Yes, okay.
So implementation of segmentation would be very good.
Outbound traffic, potentially, um, parts of outbound traffic, maybe there's parts that you know where they're at.
You may do some sort of segmentation now.
Ideally, you would want your architected network to be segmented before you even have this problem, but you may have
(15:58):
to start cutting off parts of the body to save the whole body, and that's where the segmentation piece comes into play.
So you just have to figure out what is best for you and your organization.
But in this situation, the best answer would be D implement network segmentation to isolate affected systems.
Question four All right, a global manufacturing company is
(16:18):
expanding its operations into a new country with the strict data protection laws, including mandatory breach notification within 72 hours, sounds familiar.
The company's risk management team isn't conducting a risk assessment to identify potential threats to customers' data stored in the new data center.
The assessment identifies high likelihood of insider threats due to inadequate employee training and weak access
(16:38):
controls.
So what is the best approach to mitigate the insider risk while aligning with the new country's data protection laws?
Okay, so the global manufacturer is expanding its operations into a new country and it's got breach notification aspects.
What are you going to do?
Okay, so let us look at some of the questions and see what's available.
Okay so?
(16:59):
A conduct a one-time security awareness training for all employees.
B outsource all data processing to a third-party vendor.
C encrypt all data at rest with proprietary algorithm.
Or D implement a data loss prevention solution to monitor and block sensitive data transfers.
Okay, again you're dealing with a different country and you've got data breach laws that you have to work through.
Speaker 1 (17:19):
What do you do?
Speaker 2 (17:21):
So well, let's look at to start taking these one by one.
One you conduct a one-time security awareness training for all employees.
This is good, it is positive, right, but it's not sufficient for what you're trying to accomplish, right?
This will just kind of more or less be a placebo.
You're going to need to do training with people, but, at the end of the day, that's not going to stop somebody from getting data outside of your organization and that's not
(17:41):
going to really mitigate the risk of an insider risk problem.
Outsource all data processing to a third-party vendor. Okay, this could be some level of protection.
However, it does incur new risks, such as third-party vulnerabilities.
We talk about this a lot in the CISSP.
Is third-party risk management?
Do you have a third-party risk management program in place?
(18:02):
This does not directly address insider threats specifically within your organization, and so it's not necessarily the best.
Encrypt all data at rest with proprietary algorithm.
Again, proprietary encryption is risky.
I do not recommend it.
It's not a good idea.
It may not also meet your regulatory standards set up by
(18:23):
your country.
Stick with what is known.
Okay, so that's that one.
So I think we pretty much throw those out.
Then, when we get to the last one D, implement a data loss prevention solution to monitor and block sensitive data transfers.
Now, this is DLP.
Is really what you want to do?
That is an important factor in all organizations that you have a DLP program in place and that you are watching what's going on
(18:46):
within your company.
So, DLP, great idea.
I would highly recommend it and therefore that would be the right answer in this specific question.
So again, unauthorized data transfers by insiders would be addressed specifically by the DLP program that you have in place.
All right, let's move on to the next one.
Okay, the last question, question five A software
(19:09):
development company is building a web application for a government client that requires compliance with the Secure Software Development Framework, SSDF.
During the code review, the team identified vulnerabilities in the application's input validation that could allow for SQL injection attacks.
The development team is under pressure to meet deadlines and is considering bypassing the fix to expedite delivery.
(19:32):
What is the best course of action to address the SQL injection vulnerability while adhering to SSDF guidelines?
So again, SSDF is the Secure Software Development Framework.
And when we talk about frameworks, what is frameworks?
Frameworks are just like a guide, right, a guide on how you should do step A, B, C and D.
They're not the rule, but they are a great way for you to kind
(19:53):
of follow along and ensure that you're meeting, at least getting some of the direction that they are requiring or they're asking of you.
All right, so let's look at some of these questions.
A implement parameterized queries and conduct a follow-up code review.
B deploy the application and patch vulnerabilities in the next release cycle.
C use web application firewalls WAFs to block SQL injection
(20:14):
attempts.
Or D rewrite the application to a different programming language to avoid the vulnerability.
Okay, so the question is what is the best course of action to address SQL injection vulnerabilities while adhering to SSDF guidelines?
Well, okay, so you got to know what the SSDF guidelines would be, but a lot of the code guidelines would focus around doing code reviews.
They also talk about making sure that you have parameterized
(20:37):
queries.
They want to make sure that you have input line comments that are set up.
They want to make sure that you have limited different aspects within the code environment.
So we'll get into that in just a second.
But the bottom line is is that the framework is going to be very specific around what are some recommendations that you should follow.
So, knowing that, knowing that, if you don't really know what
(20:59):
the SSDF is, and you go, well, let's just talk about a framework.
What is a framework?
It's a step-by-step process and it's probably a little bit more granular.
Then let's think about that.
And then it's dealing specifically with code development.
So now we're dealing with a very granular aspect around code development.
So one of the questions is rewrite the application to a different programming language to avoid the vulnerability.
(21:19):
That is just a really bad answer.
It's just not that good, it's not practical, right?
So rewriting your code, if you've all written it in one level of code, now you're going to write it in something else, that's just, that's not going to work.
So I would not do that one.
That would be no, don't pick that one.
C.
Another one was use web application firewalls to block SQL injection attempts.
Now, this is good, right, you can block the attempts that are
(21:41):
occurring, but it's more of a compensation control.
Compensating control.
It does not deal with the root cause of the vulnerability itself.
It's more of kind of just to cover it.
It's a placebo.
It's not a placebo, not really.
It will help but it's not going to address the overall root cause of the problem.
Deploy the application and patch vulnerabilities in the next release cycle.
Okay, deploying without fixing something will violate any sort
(22:07):
of development framework.
So just think about that.
You have to.
If you know there's a problem, you got to fix it.
You cannot.
When you're dealing with deploying code, when you're doing a code review, and you look at something, you go, oh my goodness, I've got a problem.
You do not have the ability to go.
(22:27):
Well, hey, you know what, let's just deploy it, not worry about it.
Yeah, you can't do that because you know then you're automatically injecting a known risk into your organization.
Now, can that happen?
Potentially, but this is where you would not do that from your standpoint, from a code review, you would run it up the flagpole.
And if the leadership says deploy it, that would be very foolish of them.
But if they said just deploy it anyway, we want it to go, it's
(22:47):
not your head, it's theirs.
So and if after you would recommend going, ah this is not a good idea.
Bottom line is is you do not have the responsibility to make that call.
You do not have the ability to make that call.
And if you do and you do make that call, you should not be a developer.
And then the last question is implement a parameterized queries and conduct follow-up code reviews.
(23:08):
Okay, so this is the correct answer.
And again, if you don't know, because coding gets a lot of people with the CISSP is secure coding practices are recommended by SSDF to prevent SQL injections by using parameters, and this would be code user inputs.
All of these things would help limit the vulnerability in this
(23:28):
specific situation.
Now, when you're dealing with a follow-up code review, that means that once you have made the fix, you are going back over to ensure that it is properly implemented.
You're tracking these things, you're making sure that you're going in and you're testing before you push to deployment.
You're actually testing to make sure that the code is you're not running into issues with these different input
(23:49):
validations.
So, again, think about each of the questions, take your time, walk through it in your mind, and if you walk through it in your mind, you're going to do much better, because out of those four questions, they look overwhelming if you read them as a whole, but if you start reading them individually, you can probably I know you can break this down into.
Like you know what it's out of these two, pretty sure.
(24:11):
Or you know what hey, this is a no-brainer, it's this one.
Or if it's even down to three, you've increased your chances by going.
Well, if it's one of these three, I'm going to guess on one of the three.
You now are at least at a 33% chance of getting the right answer, versus a 25% chance if you're just guessing.
So again, break down the question, take your time, don't
(24:34):
be in a hurry.
But again, keep in mind, when you're taking the CISSP, you can't go back.
So be in a situation, be fast, but be methodical, think about the question before you actually answer the question.
Okay, that's all I have for you today.
I hope you guys enjoyed this little bit more of a deep dive in the CISSP questions.
The ultimate goal of this is to give you the skills you need to pass the CISSP the first time.
Head on over to CISSP Cyber Training.
Help me out with this.
(24:56):
Go out there, pay.
You can go and buy my programs that are available for you.
I've got free stuff, but I also got the paid products as well.
They're all available for you.
And what do you all got to do?
There's not much to it.
You just go out there, check it out, see how it can help you in your overall plan.
All right, I appreciate all of your guys' time.
I hope you all are having a wonderful, wonderful day and we
(25:17):
will catch you all on the flip side, see ya.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora or a cornucopia of content to help you pass the
(25:37):
CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey.
Thanks again for listening.