September 18, 2025 • 23 mins
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
The cybersecurity landscape is evolving rapidly with AI development creating unprecedented challenges for organizations, security professionals, and insurance providers alike. How do we manage these emerging risks while maintaining fundamental security governance principles?
Sean Gerber tackles this question head-on by examining why liability insurance alone won't solve the AI security equation. Drawing from a fascinating Lawfare article, he unpacks how cyber insurance has failed to drive meaningful security improvements due to poor data collection, shallow assessments, and inadequate risk measurement. As AI systems increasingly generate their own code, determining liability becomes extraordinarily complex. Insurance companies may soon require more rigorous security evaluations before providing coverage for AI implementations, placing additional burden on businesses to demonstrate robust security practices.
Moving from theory to practice, Sean delivers five deep-dive questions on CISSP Domain 5.5 that demonstrate how security professionals must "think like managers" rather than just memorizing answers. Each scenario—from dealing with orphaned accounts after mergers to implementing role-based access controls in healthcare—illustrates the critical importance of governance, proper access management, and security process improvement. The questions challenge listeners to move beyond tactical thinking and embrace strategic security management approaches that balance business needs with risk mitigation.
The episode also unveils Sean's upcoming 7-day and 14-day CISSP bootcamp blueprints—intensive training plans designed for candidates who need to prepare efficiently without spending thousands on traditional bootcamps. These structured approaches provide a cost-effective alternative while still covering the comprehensive knowledge required to pass the challenging CISSP exam.
Ready to strengthen your CISSP preparation? Visit CISSPCyberTraining.com for free practice questions, video content, and specialized training materials designed to help you pass the exam on your first attempt. The combination of conceptual understanding and practical application demonstrated in this episode is exactly what distinguishes successful CISSP candidates from those who merely memorize practice tests.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training andtools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber andI'm your host for this
action-packed, informativepodcast.
Join me each week as I providethe information you need to pass
the CISSP exam and grow yourcybersecurity knowledge.
(00:20):
Alright, let's get started.
Let's go.
Cybersecurity knowledge.
Speaker 2 (00:24):
All right, let's get started.
Hey, lashawn Gerber, with CISSPCyber Training and hope you all
are having a beautifullyblessed day.
Today is CISSP QuestionThursday and we are going to be
going over five deep divequestions related to Domain 5.5.
So we're pretty excited aboutthat and I definitely think
you're going to enjoy thesequestions because, like we talk
about, we can go through gobsand gobs of questions for the
(00:48):
CISSP but you can't reallymemorize them, and the reason is
is because they want you tothink like a manager, not
necessarily just memorizingquestions so you can pass the
test, and so therefore, wehighly recommend at CISSP Cyber
Training and most folks that areout there on the internet that
actually have a CISSP andunderstand cyber, they recommend
that you understand thequestion before you just try to
(01:09):
memorize the actual answers.
So we're going to get into someof those here in just a minute,
but before we do, we have acouple of questions or actually
an article I wanted to bringforward and show you and talk to
you about that I thought wasextremely interesting.
So this came from a friend ofmine that one of my partners at
Nextpeak, stephen Bartolone, andhe actually saw this article
(01:29):
out there.
That was really veryinteresting and it relates to AI
and the overall insurance riskair quotes that's out there that
they have to deal with.
So this article comes fromLawfare and it's like why
liability insurance won't saveAI.
Lessons from cyber insuranceand the one thing we've learned
with AI is the fact that there'sdevelopers creating this code,
(01:53):
but in many cases, ai iscreating its own code.
So there's some aspects of thisis like okay, who's going to be
responsible if something wereto happen in this space?
And their point was is thatliability and insurance alone
will not make AI safe.
Many people think that well,we'll just know what, we'll
throw rules against it, we'llcharge you a fortune or we'll
(02:13):
put you in jail if you can'tmake AI safe.
And cyber insurance does showthat these mechanisms often fail
to drive any sort of strongsecurity improvements.
There's a couple key quotes inhere that just kind of shocked
me a little bit in the fact thatcyber insurance, I should say
there'll be cyber insurancecompanies that may actually drop
(02:34):
you or won't even take you on,depending upon the type of AI
risk that you may incur.
So some of the key problemsobviously with cyber insurance
are poor data, the incidents areunderreported and loss of data
is quickly outdated.
Lost data is basically quicklyoutdated.
So the point of it is that theydon't really know right.
So the incidents are peopledon't report these.
In a lot of cases they'll paythe ransom and nobody says
(02:55):
anything about it.
It's also extremely hard tomeasure the risk right.
Safety security assessmentsthey rely on shallow
questionnaires, not a deepverification.
We've all done those andthey're designed more or less to
be kind of a placebo to gocheck, yeah, check, yeah, we're
good, we're good.
But in reality they need tohave a deeper level of
understanding of these networksand some of the questions
(03:16):
they're asking on these securityassessments.
Weak incentives, obviously,premiums based on company size,
sector, that's not really basedon their safety efforts.
What are they doing to try toreduce the risk and so the
premiums?
If you're a small company andyou're trying to make these
implementations, they may not beenough to justify the expense
that you have to go through totry to make it air quotes secure
(03:37):
.
The other one is catastrophicrisk.
You know one failure can impactmany users, obviously between
the shared models and thevarious infrastructures, and so
that can cascade.
Some of that's a big problemwith the overall insurance plan
is what are those catastrophicrisks and what is that cascading
effect?
A lot of times, third partiesthat are connected into
businesses.
You don't even always know thelevel of risk that you're
(03:58):
incurring by a third partyconnecting in and same with a
third party that's actuallyconnecting into an organization.
You may not even know thatyourself.
So it's just, it's a verysquishy, very squishy situation.
And then there's exclusions andthere's caps, right, insurers
will avoid high-risk scenarios,leaving gaps in coverage.
And then who's holding the bag?
The businesses.
(04:19):
So, when it comes to AIspecific challenges, you know
that's part of it.
Just dealing with insurance ofitself is that many of the
situations that occur in AIcould be accidental, right, and
they could spread acrossmultiple industries and be
harder to actually understandthe overall models themselves.
So it's a very weird spot we'regoing to be in and it's going
(04:40):
to be interesting to see whatinsurance companies will
actually put a risk against AIand willing to cover it.
I just don't know myself if Iwas an insurance company.
It's hard to understand,because some companies see this
as a really good opportunity toreally tighten down and avoid
the risk of their AI languagemodels that they're deploying.
(05:00):
Other companies are like, hey,this is awesome, let's just
throw it in place and let's go,and so that's a really tough
spot for insurance companies andwe'll see how they play with it
, because I just, yeah, I don'tknow what to.
Whatever I say is probablygoing to be the opposite, but to
me it would be.
Unless a person has a reallystrong security assessment they
know the network I think it'sall these the insurance
(05:23):
companies are going to require,not these little.
I think it's all these theinsurance companies are going to
require, not these littleplacebo type, just checkbox
options.
They're going to require somedeep level of assessments that
are going to have to occurbefore they're going to provide
coverage.
So it's just something to kindof consider, is all is.
I don't really even actuallyknow.
So bottom line is you can seethat these, these insurance
companies are going to requireaudits, incident reporting and
(05:44):
safety standards are all goingto have to be put in place,
especially as it relates to AI,and they're going to require to
see them.
And it's going to be one ofthose aspects that there's going
to be more burden put on thebusinesses to pay for these
audits and these additionalsecurity assessments.
So, again, if you're a seniorleader and you're listening to
this podcast going yeah, I don'treally know how I'm going to
(06:07):
deal with it.
You get your work cut out foryou.
I would say one thing, andagain, it's obviously a shameful
plug, but at Nextpeak we dohave a good AI risk assessment
strategy that can help youdramatically, and it is it's
based, especially if you're afinancial institution.
We have some really good toolsto help you in that regard.
But bottom line is you're goingto have to think about it and
you're going to really have tounderstand the risk to your
organization and you're going tohave to communicate that to one
(06:28):
your shareholders and two tothe overall auditors.
So really good article.
As from Lawfare, it wasactually caused me to really
think pretty hard about all ofthis and kind of get a deeper
understanding of it as well.
So, all right, so that's allI've got for that.
Let's move into what we're goingto talk about today.
Okay, so before we get startedin the questions, I wanted to
(06:48):
let you know that I'm justcoming up with a new bootcamp
idea.
That's going to be a seven dayand a 14 day bootcamp that you
can go through at CISSP, cyberTraining, and it'll walk you
through.
It's a blueprint that'll walkyou through the training that's
available to you and what youneed to do.
I'm not going to sugarcoat it.
It's going to be a challenge.
(07:10):
You're going to have to really,really focus on this
information to be able to gothrough seven to 14 days of
information.
Now you can go out and spendthousands and thousands of
dollars on a bootcamp, and ifthat's what you want to do, I
highly recommend you go do that.
This is for the folks that can'treally go out and spend that
kind of money.
Here is a bootcamp with all thecontent you need to pass the
CISSP, but I'm going to give itto you in a seven day and a 14
(07:31):
day package.
You can, obviously, if you wantto go longer, because we have
the three, the four and the fivemonth plans that are out there.
But I've been getting aspectsof people asking hey, what is
the plan?
If I want to get this done inthe next 10 to 15 days, what do
I need to do?
So you're going to get twooptions.
You're going to get a seven dayand you can kind of figure out
how you want to go about it.
That will be coming out soon.
You'll be able to go to CISSPCyber Training and you'll be
(07:53):
able to get access to thatthrough the paid products that
we have out there.
On CISSP Cyber Training, again,go check it out CISSP Cyber
Training.
We have a lot of free stuffthat's there.
We also have a lot of paidstuff that's available to you as
well.
One of this will be that 7 and14 day plan will be part of the
paid product.
But, that being said, if youwant the free stuff, there's
(08:14):
plenty of free stuff that'sthere that'll help get you on
the way to being able to studyfor the CISSP.
So let's get started in thesedeep dive questions over domain
5.5.
Okay, question one During aquarterly access review, the
security team noticed thatmultiple users still have
privileged access to a databasethat was decommissioned two
(08:35):
months ago.
Which of the followingrepresents the best air quotes
best action to take to mitigatethis risk?
Again.
So, during a quarterly reviewaccess review the security team
noticed that multiple usersstill have privilege.
That's another key term.
When you're reading throughthese questions, focus on key
words.
Privilege would be one that wasdecommissioned two months ago.
(08:57):
Which of the followingrepresents the best?
Another key word best action totake to mitigate this risk A
immediately disable the databaseaccounts to prevent
unauthorized access.
That's an option.
B notify the systems owner torequest account removals during
the next quarterly review cycle.
C implement an automated controlthat disables unused accounts
(09:18):
after a set period of activity.
Or D perform a root causeanalysis to determine why the
decommission process did notmake the revoked access and
update that overall process.
So each of those are right intheir own way.
Which one is air quotes best?
And the answer is D Perform aroot cause analysis to determine
why the decommissioning processdid not revoke access and
(09:41):
update the process.
So bottom line is likeimmediate disabit or disabling
the database to accounts fromany unauthorized access.
Good idea, but it's probably alittle bit more draconian.
Notify the system owner torequest an account removals
during the next quarterly review.
That is a correct thing.
It's a good plan to do.
But again, they mentionedprivileged.
So if it's privileged, youwouldn't want to wait to the
(10:02):
next quarterly review cycle.
C implement an automated controlthat disables unused accounts
after a set period of activity.
Well, that may be what's inplace, but for some reason it
didn't occur.
So therefore, performing theroot cause analysis would be the
better choice, because you justdon't know, and you need to
figure out why it didn't do whatit was supposed to do.
(10:22):
So improvements in governanceis a key factor when you're
dealing with the CISSP and howimportant it is.
So you just kind of have toplan for this, that you need to
think strongly about as you'rewalking through these questions
which one is the best answer,which one is not the best answer
and then make your choicesaccordingly.
(10:42):
Question two a large enterpriserecently automated its HR-driven
provisioning process.
However, there's a concern thatterminated users may retain
access for several hours untilthe next scheduled sync occurs.
Seen this happen, which of thefollowing controls is the most
effective to address this risk?
So again, someone gets let goand then they have a sync and
(11:04):
that will then remove the access.
So it could go hours.
What to define what hours is?
You know hours could be sixhours, four hours, could be 24
hours, could be 72 hours.
So the question you have to askyourself is what level of risk
are you willing to accept foryour organization?
And it may not be you thatmakes that decision, it may be
your board, maybe your CEO,whoever but you're going to have
(11:25):
to have a plan of how much riskis your organization willing to
accept during this process?
So, a reduce the synchronizationinterval between HR and the IAM
systems to near real time Okay,that's a possibility.
B require managers to manuallysubmit termination tickets
immediately after the employeedeparts Manual can be a problem.
C implement a quarterly auditto ensure that terminated users
(11:48):
are no longer have system access.
You say quarterly audit, that'sgood, but that doesn't deal
with the issue at hand right now.
And then D configureapplications to lock accounts
automatically after a definednumber of failed login attempts.
Okay, so that's an importantpart, but that doesn't really
address the overall problem thatwe're dealing with here.
And then one the best answerwould be A reduce the
(12:10):
synchronization interval betweenHR and the IAM the basically
identity and access managementsystems to near real time.
Now, that may be, may not bepossible.
So the question when they saynear real time is depends on
your situation and yourcompany's willing to accept risk
.
So something to guys kind ofconsider there Managers manually
(12:33):
submitting termination tickets,that's just not going to work
right.
They're going to fail.
Quarterly audits, like wementioned, are good, but it's
quarterly.
That doesn't really help you awhole lot in this situation.
And then deconfiguring thelockout?
Yeah, that's fine, but you'reassuming that the person who
gets access will lock themselvesout.
They may not, so that doesn'treally help you a whole lot.
(12:53):
Question three you areimplementing a role-based access
, or RBAC, in a healthcareenvironment.
The challenge is balancing theprinciple of least privilege
while minimizing administrativeoverhead.
Always a problem which approachbest satisfies both objectives.
And the objectives is, again,least privilege, also having
reducing or minimizingadministrative overhead.
(13:16):
A create a unique role for eachuser based on their specific
job duties.
B develop broad roles withextensive privileges to reduce
the number of roles to manage.
C define roles based on jobfunctions, ie nurse, doctor,
billing, so on and so forth, andgrant the minimum required
permissions.
And then D use discretionaryaccess controls or DAC to allow
(13:38):
users to share data as needed.
So again, challenge of balancingthe principle of least
privilege while minimizingadministrative overhead.
So basically means less roles.
Administrative overhead youwant less of those, but you also
have to have some level ofcontrol.
Administrative overhead youwant less of those, but you also
have to have some level ofcontrol.
So creating a unique role foreach user based on their
(13:59):
specific job duties is notreducing administrative overhead
, it's increasing it.
So it's a good thing, I mean asfar as RBAC goes.
But that makes it much morecomplicated.
Developing a broad roles withextensive privileges to reduce
the number of roles to manage,that does not fly in the face,
or that flies in the face ofleast privilege, which you want
to have less privileges, notmore privileges, so that one
would be thrown out as well.
(14:20):
Let's go down to the rightanswer.
C, but let's go down to D Usediscretionary access controls to
allow users to share data asneeded.
So you're putting adiscretionary access control in
place.
That is a very tactical type ofsituation and to do something
like that would make it, wouldgive you the ability to have
some.
It really kind of throws outrole-based access controls
(14:41):
because you're not dealing witha role, and it makes it much
more complicated from amanagerial or overhead
standpoint.
Will it work?
Yes, but is it complicatethings?
Yes, and it doesn't meet thosetwo objectives that they were
trying to accomplish.
C the correct answer is defineroles based on job functions ie
nurse, doctor, billing clerk andgrant the minimum required
(15:02):
permissions.
So again, it's reducing ouroverhead because you are having
it specifically to specificpositions.
Now you may change that and go.
The billing clerk may have veryspecific, but maybe it is
administration and you have onerole specifically set up for
administration and that'severybody outside of nurse,
doctor, clerk, et cetera, and sothat would reduce some of the
(15:24):
administrative overhead.
But it also does bothrole-based access based on the
overall role that they have.
So you just need to kind ofdecide which is that is.
But if you go through each, allfour of those questions, the
best one is number or number isC right?
Define roles based on a jobfunction and grant the minimum
required permissions asnecessary.
(15:45):
Question four an attacker gainsaccess to a low privilege
service account that has localadmin rights on several servers.
What is the best long-termmitigation strategy to prevent
the similar privilege escalationrisks?
Again, they have a lowprivilege service account that
has local admin on severalservers.
(16:06):
So the reduced privileges areon the service account, which is
good, but it has local adminrights on several servers.
That's bad.
Okay, so let's talk about this.
The best long-term mitigationplan A rotate service account
passwords on a regular schedule.
That's not a bad thing.
B remove unnecessary adminrights from the service accounts
and implement least privilege.
(16:27):
That's probably a better thing.
C is configure alerts for alllogins of service accounts.
Or?
D increase the complexity ofthe service account password to
30 plus characters.
So there's a lot of things thatare going on here and there's
some different kind ofstrategies, but there's a long
term strategy and a short termstrategy, okay.
So rotating service accountpasswords on a regular schedule
(16:49):
is a valuable thing and it'ssomething that would be useful.
However, depends on what thatschedule is going to be.
If it's daily, well, that'samazing.
If it's weekly okay, that'sreally good.
If it is daily or if it is likeevery quarter, okay, I'll take
that.
If it's once a year, yeah, it'snot so good.
And then if it's never done,well, obviously, that's not good
(17:10):
at all.
So you just need to determinewhat you're going to do in that
space Remove unnecessaryadministrative rights from the
service accounts and implementleast privilege.
We'll come back to that, becausethat is the correct answer.
Configure alerts for all loginsand service accounts so that's
good, we should have that inplace, but that will not stop
the long-term mitigationstrategy.
That's just basically atactical decision.
(17:32):
D increase the complexity ofthe service account passwords to
30 plus characters.
Well, that would be good.
You do a password reset and youwould force it to 30 characters
, which is awesome.
However, depending on wherethese folks are at within your
network, that may or may notdeter them from getting access
to all of your data.
So the right answer, the mostcorrect answer, the best
(17:52):
long-term mitigation strategy isB remove unnecessary
administrative rights from theservice accounts, which should
be a no-brainer, and implementlease privilege.
So all service accounts shouldhave any sort of administrative
rights removed, unless they arespecifically designated and they
need to have it.
And if they do need to have it,those need to be monitored and
on an ongoing basis, to makesure they don't do something
(18:14):
they shouldn't do.
So again, lots of nuances here,and I know we spent some time
on it, but the point of it is isthat you need to always look at
removing these unnecessaryadmin rights from any account
that you have, and again, thekey term is unnecessary.
If it's necessary, well then,obviously you got to keep it,
but anything that is just kindof yeah, we didn't really know
(18:35):
what to do with it, so we gaveit access, that's a bad idea.
Question five following a merger, an organization discovers
hundreds of orphaned accountsthat were never deprovisioned
from the acquired company'sdirectory.
Oh, shocker there.
Yeah, that's if you've done anysort of M&A, you'll find that
like, oh yeah, it's scary.
Which control would bestprevent the situation from
(18:56):
reoccurring after future mergersto the organizational changes
or organizational changes?
So, ok, we found it, weaddressed it.
How do we, what do we put inplace to stop it from the future
?
A conduct a one time cleanup ofthe orphaned accounts and move
on.
Ok, well, that, yeah, that'sgood, but not good enough.
B implement periodic accountrecertification with business
(19:17):
unit owners.
That looks promising.
C require users toreauthenticate every 30 days of
their account or their accountsare disabled.
That's not terrible.
That's a good idea.
It just adds a lot ofcomplexity, but we'll get to
that and then rely on HRnotifications to manually
disable accounts when employeesleave.
Okay, so kind of hinted to it.
B is the most correct answer.
(19:38):
And implement periodic accountrecertification with business
unit owners, and we'll come backto what that means here in just
a second.
So, conducting a one-timecleanup of orphaned accounts.
What does that mean?
Well, that's great.
That addresses the problem hereand now, but it does not
address the bigger problem, as aquestion that ask is what do
you do in the future mergers andorganizational changes?
How are you going to deal withthat.
(19:59):
So that's the big challenge andthat one just kind of throws
out the window.
Okay, c require users toreauthenticate every 30 days or
their account is disabled.
Now, that is a great idea.
That's awesome.
The problem is is you're nowgoing to get a lot of people
that are going to be ticked atyou because they got to
recertify every 30 days, and itwill make them very unhappy.
It will make them very moodyand they will want they'll have
(20:23):
pitchforks and flaming candlesflying at you candles or
pitchforks or whatever thosethings.
Whenever you've seen a moviewhere folks have got pitchforks
and torches, yeah, that'swhat'll happen to you if they do
that.
D rely on HR notifications toair quotes.
Manually disable accounts asemployees leave.
Okay, manually of anything inthe IT space is not good.
Yeah, just, you don't have timeand things will get missed.
(20:46):
So that's when you just gothrow that out the window Then.
So the right answer we talkabout is B implement periodic
account recertification withbusiness unit owners.
So the point of this is is thatwhen you're doing these
accounts, you need to make surethat the business units actually
understand what the heck youeven have.
There's been plenty of timeswhere I've had accounts numerous
accounts with that are tied tothe business and the business
(21:08):
says, yes, we must have this.
It has been going on like thisforever, we got to keep it.
But then when you start showingthem what it does and where
it's at and the risk that itincurs, they sometimes will
change their mind.
So the point is that you needto get your business unit owners
involved in all of these typesof discussions because at the
end of it it's on them, notnecessarily completely on you
(21:29):
Now it might be on you, but thegoal is you need more people
involved in this overalldecision-making process.
So that is all I have for youtoday.
Again, we just the deep dive.
We just go over about four tofive to six questions, kind of
dig deep into those, and thegoal again is to just kind of
walk you through a question andthe thought process that goes
(21:51):
into it.
These questions are notquestions that you will see on
the CISSP exam, but they are arevelation.
No, it's not even it.
They're a reflection yes, areflection of domain 5.5.
So if you understand 5.5 domainthe CISSP domain 5.5, and you
understand many of the differenttopics within that, then these
types of questions will be veryeasy for you because you'll go
(22:12):
through and you'll just startbeing able to whittle them out.
So, again, I highly recommendif you're interested in it.
I've got it.
I'm going to be having.
You'll see it soon.
If you're part of my program,I'll send out an email to
everybody.
Sign up for my free stuffYou'll get.
By doing that, you will getaccess to anything that's new
that's coming out within my,within my site, and I will send
you out any notifications on theseven and 10 day blueprint.
(22:32):
That will help you with thebootcamp and get you done.
I highly recommend that you doit.
It'll be awesome.
I totally recommend that.
If you're going to be gettingthe seven or 10 days, my
bootcamp will help you do that.
Okay, that's all I've got foryou.
I hope you have a great day andwe will catch you all on the
flip side, see ya.
Thanks so much for joining metoday on my podcast.
If you like what you heard,please leave a review on iTunes,
(22:55):
as I would greatly appreciateyour feedback.
Also, check out my videos thatare on YouTube and just head to
my channel at CISSP CyberTraining and you will find a
plethora or a cornucopia ofcontent to help you pass the
CISSP exam the first time.
Lastly, head to CISSP CyberTraining and sign up for 360
free CISSP questions to help youin your CISSP journey.
(23:18):
Thanks again for listening.
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training andtools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber andI'm your host for this
action-packed, informativepodcast.
Join me each week as I providethe information you need to pass
the CISSP exam and grow yourcybersecurity knowledge.
(00:20):
Alright, let's get started.
Let's go.
Cybersecurity knowledge.
Speaker 2 (00:24):
All right, let's get started.
Hey, lashawn Gerber, with CISSPCyber Training and hope you all
are having a beautifullyblessed day.
Today is CISSP QuestionThursday and we are going to be
going over five deep divequestions related to Domain 5.5.
So we're pretty excited aboutthat and I definitely think
you're going to enjoy thesequestions because, like we talk
about, we can go through gobsand gobs of questions for the
(00:48):
CISSP but you can't reallymemorize them, and the reason is
is because they want you tothink like a manager, not
necessarily just memorizingquestions so you can pass the
test, and so therefore, wehighly recommend at CISSP Cyber
Training and most folks that areout there on the internet that
actually have a CISSP andunderstand cyber, they recommend
that you understand thequestion before you just try to
(01:09):
memorize the actual answers.
So we're going to get into someof those here in just a minute,
but before we do, we have acouple of questions or actually
an article I wanted to bringforward and show you and talk to
you about that I thought wasextremely interesting.
So this came from a friend ofmine that one of my partners at
Nextpeak, stephen Bartolone, andhe actually saw this article
(01:29):
out there.
That was really veryinteresting and it relates to AI
and the overall insurance riskair quotes that's out there that
they have to deal with.
So this article comes fromLawfare and it's like why
liability insurance won't saveAI.
Lessons from cyber insuranceand the one thing we've learned
with AI is the fact that there'sdevelopers creating this code,
(01:53):
but in many cases, ai iscreating its own code.
So there's some aspects of thisis like okay, who's going to be
responsible if something wereto happen in this space?
And their point was is thatliability and insurance alone
will not make AI safe.
Many people think that well,we'll just know what, we'll
throw rules against it, we'llcharge you a fortune or we'll
(02:13):
put you in jail if you can'tmake AI safe.
And cyber insurance does showthat these mechanisms often fail
to drive any sort of strongsecurity improvements.
There's a couple key quotes inhere that just kind of shocked
me a little bit in the fact thatcyber insurance, I should say
there'll be cyber insurancecompanies that may actually drop
(02:34):
you or won't even take you on,depending upon the type of AI
risk that you may incur.
So some of the key problemsobviously with cyber insurance
are poor data, the incidents areunderreported and loss of data
is quickly outdated.
Lost data is basically quicklyoutdated.
So the point of it is that theydon't really know right.
So the incidents are peopledon't report these.
In a lot of cases they'll paythe ransom and nobody says
(02:55):
anything about it.
It's also extremely hard tomeasure the risk right.
Safety security assessmentsthey rely on shallow
questionnaires, not a deepverification.
We've all done those andthey're designed more or less to
be kind of a placebo to gocheck, yeah, check, yeah, we're
good, we're good.
But in reality they need tohave a deeper level of
understanding of these networksand some of the questions
(03:16):
they're asking on these securityassessments.
Weak incentives, obviously,premiums based on company size,
sector, that's not really basedon their safety efforts.
What are they doing to try toreduce the risk and so the
premiums?
If you're a small company andyou're trying to make these
implementations, they may not beenough to justify the expense
that you have to go through totry to make it air quotes secure
(03:37):
.
The other one is catastrophicrisk.
You know one failure can impactmany users, obviously between
the shared models and thevarious infrastructures, and so
that can cascade.
Some of that's a big problemwith the overall insurance plan
is what are those catastrophicrisks and what is that cascading
effect?
A lot of times, third partiesthat are connected into
businesses.
You don't even always know thelevel of risk that you're
(03:58):
incurring by a third partyconnecting in and same with a
third party that's actuallyconnecting into an organization.
You may not even know thatyourself.
So it's just, it's a verysquishy, very squishy situation.
And then there's exclusions andthere's caps, right, insurers
will avoid high-risk scenarios,leaving gaps in coverage.
And then who's holding the bag?
The businesses.
(04:19):
So, when it comes to AIspecific challenges, you know
that's part of it.
Just dealing with insurance ofitself is that many of the
situations that occur in AIcould be accidental, right, and
they could spread acrossmultiple industries and be
harder to actually understandthe overall models themselves.
So it's a very weird spot we'regoing to be in and it's going
(04:40):
to be interesting to see whatinsurance companies will
actually put a risk against AIand willing to cover it.
I just don't know myself if Iwas an insurance company.
It's hard to understand,because some companies see this
as a really good opportunity toreally tighten down and avoid
the risk of their AI languagemodels that they're deploying.
(05:00):
Other companies are like, hey,this is awesome, let's just
throw it in place and let's go,and so that's a really tough
spot for insurance companies andwe'll see how they play with it
, because I just, yeah, I don'tknow what to.
Whatever I say is probablygoing to be the opposite, but to
me it would be.
Unless a person has a reallystrong security assessment they
know the network I think it'sall these the insurance
(05:23):
companies are going to require,not these little.
I think it's all these theinsurance companies are going to
require, not these littleplacebo type, just checkbox
options.
They're going to require somedeep level of assessments that
are going to have to occurbefore they're going to provide
coverage.
So it's just something to kindof consider, is all is.
I don't really even actuallyknow.
So bottom line is you can seethat these, these insurance
companies are going to requireaudits, incident reporting and
(05:44):
safety standards are all goingto have to be put in place,
especially as it relates to AI,and they're going to require to
see them.
And it's going to be one ofthose aspects that there's going
to be more burden put on thebusinesses to pay for these
audits and these additionalsecurity assessments.
So, again, if you're a seniorleader and you're listening to
this podcast going yeah, I don'treally know how I'm going to
(06:07):
deal with it.
You get your work cut out foryou.
I would say one thing, andagain, it's obviously a shameful
plug, but at Nextpeak we dohave a good AI risk assessment
strategy that can help youdramatically, and it is it's
based, especially if you're afinancial institution.
We have some really good toolsto help you in that regard.
But bottom line is you're goingto have to think about it and
you're going to really have tounderstand the risk to your
organization and you're going tohave to communicate that to one
(06:28):
your shareholders and two tothe overall auditors.
So really good article.
As from Lawfare, it wasactually caused me to really
think pretty hard about all ofthis and kind of get a deeper
understanding of it as well.
So, all right, so that's allI've got for that.
Let's move into what we're goingto talk about today.
Okay, so before we get startedin the questions, I wanted to
(06:48):
let you know that I'm justcoming up with a new bootcamp
idea.
That's going to be a seven dayand a 14 day bootcamp that you
can go through at CISSP, cyberTraining, and it'll walk you
through.
It's a blueprint that'll walkyou through the training that's
available to you and what youneed to do.
I'm not going to sugarcoat it.
It's going to be a challenge.
(07:10):
You're going to have to really,really focus on this
information to be able to gothrough seven to 14 days of
information.
Now you can go out and spendthousands and thousands of
dollars on a bootcamp, and ifthat's what you want to do, I
highly recommend you go do that.
This is for the folks that can'treally go out and spend that
kind of money.
Here is a bootcamp with all thecontent you need to pass the
CISSP, but I'm going to give itto you in a seven day and a 14
(07:31):
day package.
You can, obviously, if you wantto go longer, because we have
the three, the four and the fivemonth plans that are out there.
But I've been getting aspectsof people asking hey, what is
the plan?
If I want to get this done inthe next 10 to 15 days, what do
I need to do?
So you're going to get twooptions.
You're going to get a seven dayand you can kind of figure out
how you want to go about it.
That will be coming out soon.
You'll be able to go to CISSPCyber Training and you'll be
(07:53):
able to get access to thatthrough the paid products that
we have out there.
On CISSP Cyber Training, again,go check it out CISSP Cyber
Training.
We have a lot of free stuffthat's there.
We also have a lot of paidstuff that's available to you as
well.
One of this will be that 7 and14 day plan will be part of the
paid product.
But, that being said, if youwant the free stuff, there's
(08:14):
plenty of free stuff that'sthere that'll help get you on
the way to being able to studyfor the CISSP.
So let's get started in thesedeep dive questions over domain
5.5.
Okay, question one During aquarterly access review, the
security team noticed thatmultiple users still have
privileged access to a databasethat was decommissioned two
(08:35):
months ago.
Which of the followingrepresents the best air quotes
best action to take to mitigatethis risk?
Again.
So, during a quarterly reviewaccess review the security team
noticed that multiple usersstill have privilege.
That's another key term.
When you're reading throughthese questions, focus on key
words.
Privilege would be one that wasdecommissioned two months ago.
(08:57):
Which of the followingrepresents the best?
Another key word best action totake to mitigate this risk A
immediately disable the databaseaccounts to prevent
unauthorized access.
That's an option.
B notify the systems owner torequest account removals during
the next quarterly review cycle.
C implement an automated controlthat disables unused accounts
(09:18):
after a set period of activity.
Or D perform a root causeanalysis to determine why the
decommission process did notmake the revoked access and
update that overall process.
So each of those are right intheir own way.
Which one is air quotes best?
And the answer is D Perform aroot cause analysis to determine
why the decommissioning processdid not revoke access and
(09:41):
update the process.
So bottom line is likeimmediate disabit or disabling
the database to accounts fromany unauthorized access.
Good idea, but it's probably alittle bit more draconian.
Notify the system owner torequest an account removals
during the next quarterly review.
That is a correct thing.
It's a good plan to do.
But again, they mentionedprivileged.
So if it's privileged, youwouldn't want to wait to the
(10:02):
next quarterly review cycle.
C implement an automated controlthat disables unused accounts
after a set period of activity.
Well, that may be what's inplace, but for some reason it
didn't occur.
So therefore, performing theroot cause analysis would be the
better choice, because you justdon't know, and you need to
figure out why it didn't do whatit was supposed to do.
(10:22):
So improvements in governanceis a key factor when you're
dealing with the CISSP and howimportant it is.
So you just kind of have toplan for this, that you need to
think strongly about as you'rewalking through these questions
which one is the best answer,which one is not the best answer
and then make your choicesaccordingly.
(10:42):
Question two a large enterpriserecently automated its HR-driven
provisioning process.
However, there's a concern thatterminated users may retain
access for several hours untilthe next scheduled sync occurs.
Seen this happen, which of thefollowing controls is the most
effective to address this risk?
So again, someone gets let goand then they have a sync and
(11:04):
that will then remove the access.
So it could go hours.
What to define what hours is?
You know hours could be sixhours, four hours, could be 24
hours, could be 72 hours.
So the question you have to askyourself is what level of risk
are you willing to accept foryour organization?
And it may not be you thatmakes that decision, it may be
your board, maybe your CEO,whoever but you're going to have
(11:25):
to have a plan of how much riskis your organization willing to
accept during this process?
So, a reduce the synchronizationinterval between HR and the IAM
systems to near real time Okay,that's a possibility.
B require managers to manuallysubmit termination tickets
immediately after the employeedeparts Manual can be a problem.
C implement a quarterly auditto ensure that terminated users
(11:48):
are no longer have system access.
You say quarterly audit, that'sgood, but that doesn't deal
with the issue at hand right now.
And then D configureapplications to lock accounts
automatically after a definednumber of failed login attempts.
Okay, so that's an importantpart, but that doesn't really
address the overall problem thatwe're dealing with here.
And then one the best answerwould be A reduce the
(12:10):
synchronization interval betweenHR and the IAM the basically
identity and access managementsystems to near real time.
Now, that may be, may not bepossible.
So the question when they saynear real time is depends on
your situation and yourcompany's willing to accept risk
.
So something to guys kind ofconsider there Managers manually
(12:33):
submitting termination tickets,that's just not going to work
right.
They're going to fail.
Quarterly audits, like wementioned, are good, but it's
quarterly.
That doesn't really help you awhole lot in this situation.
And then deconfiguring thelockout?
Yeah, that's fine, but you'reassuming that the person who
gets access will lock themselvesout.
They may not, so that doesn'treally help you a whole lot.
(12:53):
Question three you areimplementing a role-based access
, or RBAC, in a healthcareenvironment.
The challenge is balancing theprinciple of least privilege
while minimizing administrativeoverhead.
Always a problem which approachbest satisfies both objectives.
And the objectives is, again,least privilege, also having
reducing or minimizingadministrative overhead.
(13:16):
A create a unique role for eachuser based on their specific
job duties.
B develop broad roles withextensive privileges to reduce
the number of roles to manage.
C define roles based on jobfunctions, ie nurse, doctor,
billing, so on and so forth, andgrant the minimum required
permissions.
And then D use discretionaryaccess controls or DAC to allow
(13:38):
users to share data as needed.
So again, challenge of balancingthe principle of least
privilege while minimizingadministrative overhead.
So basically means less roles.
Administrative overhead youwant less of those, but you also
have to have some level ofcontrol.
Administrative overhead youwant less of those, but you also
have to have some level ofcontrol.
So creating a unique role foreach user based on their
(13:59):
specific job duties is notreducing administrative overhead
, it's increasing it.
So it's a good thing, I mean asfar as RBAC goes.
But that makes it much morecomplicated.
Developing a broad roles withextensive privileges to reduce
the number of roles to manage,that does not fly in the face,
or that flies in the face ofleast privilege, which you want
to have less privileges, notmore privileges, so that one
would be thrown out as well.
(14:20):
Let's go down to the rightanswer.
C, but let's go down to D Usediscretionary access controls to
allow users to share data asneeded.
So you're putting adiscretionary access control in
place.
That is a very tactical type ofsituation and to do something
like that would make it, wouldgive you the ability to have
some.
It really kind of throws outrole-based access controls
(14:41):
because you're not dealing witha role, and it makes it much
more complicated from amanagerial or overhead
standpoint.
Will it work?
Yes, but is it complicatethings?
Yes, and it doesn't meet thosetwo objectives that they were
trying to accomplish.
C the correct answer is defineroles based on job functions ie
nurse, doctor, billing clerk andgrant the minimum required
(15:02):
permissions.
So again, it's reducing ouroverhead because you are having
it specifically to specificpositions.
Now you may change that and go.
The billing clerk may have veryspecific, but maybe it is
administration and you have onerole specifically set up for
administration and that'severybody outside of nurse,
doctor, clerk, et cetera, and sothat would reduce some of the
(15:24):
administrative overhead.
But it also does bothrole-based access based on the
overall role that they have.
So you just need to kind ofdecide which is that is.
But if you go through each, allfour of those questions, the
best one is number or number isC right?
Define roles based on a jobfunction and grant the minimum
required permissions asnecessary.
(15:45):
Question four an attacker gainsaccess to a low privilege
service account that has localadmin rights on several servers.
What is the best long-termmitigation strategy to prevent
the similar privilege escalationrisks?
Again, they have a lowprivilege service account that
has local admin on severalservers.
(16:06):
So the reduced privileges areon the service account, which is
good, but it has local adminrights on several servers.
That's bad.
Okay, so let's talk about this.
The best long-term mitigationplan A rotate service account
passwords on a regular schedule.
That's not a bad thing.
B remove unnecessary adminrights from the service accounts
and implement least privilege.
(16:27):
That's probably a better thing.
C is configure alerts for alllogins of service accounts.
Or?
D increase the complexity ofthe service account password to
30 plus characters.
So there's a lot of things thatare going on here and there's
some different kind ofstrategies, but there's a long
term strategy and a short termstrategy, okay.
So rotating service accountpasswords on a regular schedule
(16:49):
is a valuable thing and it'ssomething that would be useful.
However, depends on what thatschedule is going to be.
If it's daily, well, that'samazing.
If it's weekly okay, that'sreally good.
If it is daily or if it is likeevery quarter, okay, I'll take
that.
If it's once a year, yeah, it'snot so good.
And then if it's never done,well, obviously, that's not good
(17:10):
at all.
So you just need to determinewhat you're going to do in that
space Remove unnecessaryadministrative rights from the
service accounts and implementleast privilege.
We'll come back to that, becausethat is the correct answer.
Configure alerts for all loginsand service accounts so that's
good, we should have that inplace, but that will not stop
the long-term mitigationstrategy.
That's just basically atactical decision.
(17:32):
D increase the complexity ofthe service account passwords to
30 plus characters.
Well, that would be good.
You do a password reset and youwould force it to 30 characters
, which is awesome.
However, depending on wherethese folks are at within your
network, that may or may notdeter them from getting access
to all of your data.
So the right answer, the mostcorrect answer, the best
(17:52):
long-term mitigation strategy isB remove unnecessary
administrative rights from theservice accounts, which should
be a no-brainer, and implementlease privilege.
So all service accounts shouldhave any sort of administrative
rights removed, unless they arespecifically designated and they
need to have it.
And if they do need to have it,those need to be monitored and
on an ongoing basis, to makesure they don't do something
(18:14):
they shouldn't do.
So again, lots of nuances here,and I know we spent some time
on it, but the point of it is isthat you need to always look at
removing these unnecessaryadmin rights from any account
that you have, and again, thekey term is unnecessary.
If it's necessary, well then,obviously you got to keep it,
but anything that is just kindof yeah, we didn't really know
(18:35):
what to do with it, so we gaveit access, that's a bad idea.
Question five following a merger, an organization discovers
hundreds of orphaned accountsthat were never deprovisioned
from the acquired company'sdirectory.
Oh, shocker there.
Yeah, that's if you've done anysort of M&A, you'll find that
like, oh yeah, it's scary.
Which control would bestprevent the situation from
(18:56):
reoccurring after future mergersto the organizational changes
or organizational changes?
So, ok, we found it, weaddressed it.
How do we, what do we put inplace to stop it from the future
?
A conduct a one time cleanup ofthe orphaned accounts and move
on.
Ok, well, that, yeah, that'sgood, but not good enough.
B implement periodic accountrecertification with business
(19:17):
unit owners.
That looks promising.
C require users toreauthenticate every 30 days of
their account or their accountsare disabled.
That's not terrible.
That's a good idea.
It just adds a lot ofcomplexity, but we'll get to
that and then rely on HRnotifications to manually
disable accounts when employeesleave.
Okay, so kind of hinted to it.
B is the most correct answer.
(19:38):
And implement periodic accountrecertification with business
unit owners, and we'll come backto what that means here in just
a second.
So, conducting a one-timecleanup of orphaned accounts.
What does that mean?
Well, that's great.
That addresses the problem hereand now, but it does not
address the bigger problem, as aquestion that ask is what do
you do in the future mergers andorganizational changes?
How are you going to deal withthat.
(19:59):
So that's the big challenge andthat one just kind of throws
out the window.
Okay, c require users toreauthenticate every 30 days or
their account is disabled.
Now, that is a great idea.
That's awesome.
The problem is is you're nowgoing to get a lot of people
that are going to be ticked atyou because they got to
recertify every 30 days, and itwill make them very unhappy.
It will make them very moodyand they will want they'll have
(20:23):
pitchforks and flaming candlesflying at you candles or
pitchforks or whatever thosethings.
Whenever you've seen a moviewhere folks have got pitchforks
and torches, yeah, that'swhat'll happen to you if they do
that.
D rely on HR notifications toair quotes.
Manually disable accounts asemployees leave.
Okay, manually of anything inthe IT space is not good.
Yeah, just, you don't have timeand things will get missed.
(20:46):
So that's when you just gothrow that out the window Then.
So the right answer we talkabout is B implement periodic
account recertification withbusiness unit owners.
So the point of this is is thatwhen you're doing these
accounts, you need to make surethat the business units actually
understand what the heck youeven have.
There's been plenty of timeswhere I've had accounts numerous
accounts with that are tied tothe business and the business
(21:08):
says, yes, we must have this.
It has been going on like thisforever, we got to keep it.
But then when you start showingthem what it does and where
it's at and the risk that itincurs, they sometimes will
change their mind.
So the point is that you needto get your business unit owners
involved in all of these typesof discussions because at the
end of it it's on them, notnecessarily completely on you
(21:29):
Now it might be on you, but thegoal is you need more people
involved in this overalldecision-making process.
So that is all I have for youtoday.
Again, we just the deep dive.
We just go over about four tofive to six questions, kind of
dig deep into those, and thegoal again is to just kind of
walk you through a question andthe thought process that goes
(21:51):
into it.
These questions are notquestions that you will see on
the CISSP exam, but they are arevelation.
No, it's not even it.
They're a reflection yes, areflection of domain 5.5.
So if you understand 5.5 domainthe CISSP domain 5.5, and you
understand many of the differenttopics within that, then these
types of questions will be veryeasy for you because you'll go
(22:12):
through and you'll just startbeing able to whittle them out.
So, again, I highly recommendif you're interested in it.
I've got it.
I'm going to be having.
You'll see it soon.
If you're part of my program,I'll send out an email to
everybody.
Sign up for my free stuffYou'll get.
By doing that, you will getaccess to anything that's new
that's coming out within my,within my site, and I will send
you out any notifications on theseven and 10 day blueprint.
(22:32):
That will help you with thebootcamp and get you done.
I highly recommend that you doit.
It'll be awesome.
I totally recommend that.
If you're going to be gettingthe seven or 10 days, my
bootcamp will help you do that.
Okay, that's all I've got foryou.
I hope you have a great day andwe will catch you all on the
flip side, see ya.
Thanks so much for joining metoday on my podcast.
If you like what you heard,please leave a review on iTunes,
(22:55):
as I would greatly appreciateyour feedback.
Also, check out my videos thatare on YouTube and just head to
my channel at CISSP CyberTraining and you will find a
plethora or a cornucopia ofcontent to help you pass the
CISSP exam the first time.
Lastly, head to CISSP CyberTraining and sign up for 360
free CISSP questions to help youin your CISSP journey.
(23:18):
Thanks again for listening.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy, Jess Hilarious, And Charlamagne Tha God!