Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber, and I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:21):
All right, let's get started.
SPEAKER_01 (00:25):
Good morning, everybody. This is Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday. So, yes, we are going to be getting into the questions related to domain 1.6 as it relates to the content that we provided on Monday's podcast. So that's the ultimate goal of this Thursday is to provide you
(00:48):
information you need to pass the CISSP through some of the questions and potential questions you may see on the CISSP exam. Again, these questions are not questions that were pulled from ISC Squared by any stretch of the imagination. These are ones just to get you thinking and to think about how domain 1.6, I thought the questions could be asked of you of that. But before we get started, I had an article I wanted to kind of
(01:11):
just briefly bring up to you, and it is around the recent breach that occurred with the Department of Treasury. And this is defined as an attack that would occur from the Chinese government, supposedly. Again, I don't know that information, just re-reporting what they have here in the news. But the bottom line is that there was an issue that occurred
(01:32):
um later this week, or I should say earlier this week, related to the Department of Treasury and how they had a major air quotes security incident involving BeyondTrust, which is a cloud-based service. And the point of BeyondTrust is it gives you a lot of different kinds of credentials. It acts as a PAM solution. And so, yes, it would be a great target for someone to attack.
(01:53):
One of the things that they said was, they're bringing up in this article is that no other agencies within the U.S. government were affected by this situation. Okay, I love how these articles come out. And I'm just gonna just be very transparent. I'm not, I have no idea if there were more people or more agencies affected by this by any stretch, but what I would ask or bring up is how this attack occurred.
(02:14):
You might want to think about how is it affecting other agencies within the U.S. government. And this attack occurred because of a compromised API key for remote management services from BeyondTrust. Now, that whole hole between BeyondTrust and the API key for the Department of Tech Treasury, those specific key points, is probably covered.
(02:35):
Yeah, it's probably good. There's probably no issues there whatsoever. That being said, if you are the federal government, they are working with other companies as well. And they also use APIs and they use API remote management services. So the question really comes down to is what kind of control do they have over their API infrastructure? I've been saying this for a long time on CISSP Cyber Training,
(02:58):
and anybody that'll listen to me is the APIs, in my mind, are one of the biggest vulnerabilities we have within the security space. And the reason I say that is because in most cases they are unmanaged. They're allowing people to make a connection into your environment. And the goal is that you have control, tight controls over it, allowing what comes in, what goes out.
(03:18):
But because they're so easy to establish, it can be very tempting for an individual to go and start up an API connection and go, aha, it works, life is good. And yeah, it does work. Unfortunately, it could, if it's not configured correctly, will create a nice little back door for people to get into your environment. So again, in this article, they're saying that in this at
(03:39):
this time, there's no indication of any other federal agencies that have been impacted by this air quotes incident. So if you are a cybersecurity professional or an IT professional of any kind and you have APIs within your environment, you may want to look at this pretty hard on how you are managing your APIs. We talked about this. They need to go through a gateway of some kind.
(04:00):
You need to route all of your APIs through one central spot. One, at a minimum, it gives you a level of visibility into these API connections. And two, it gives you some security controls over what's occurring. You should not allow just anybody to willy-nilly add APIs to your organization. So, again, I bring this up to the point of the fact that if
(04:21):
you have this situation, or at least in the case of the Department of Treasury, there's probably other holes within their environment that they truly need to look at. Again, the CVE score on this was a 9.8, which is about as high as you can get. Um, and if this is one situation that occurred, well, you can expect there are probably more. So, again, this is an article from Security Week, and this is
(04:43):
the CISA. No federal agency beyond the Treasury was impacted by the air quotes BeyondTrust incident. Yeah, go check out your APIs. Don't wait for it. All right, let's move in to the questions for today. Okay, so again, this is over domain 1.6. Question one: Which type of investigation is most likely to
(05:04):
involve preponderance of the evidence as a standard of proof? Again, in this type of investigation, which type of investigation I should say, is most likely to involve a air quotes preponderance of evidence as the standard of proof? A, criminal. B, civil. C, regulatory, or D, administrative.
(05:25):
And the answer is B, civil, right? The preponderance of evidence is a civil matter. That's what it means, that the evidence must show that there is more likely than not that the claim is true. Okay, the lower standard than that is beyond a reasonable doubt, which is used in criminal investigations. And so that the point of it is as you again, preponderance is
(05:46):
civil. Question number two: What is the primary purpose of a regulatory investigation? Again, what is the primary purpose of a regulatory investigation? A, to enforce internal organizational policies. B, to resolve disputes between private parties. C, to ensure compliance with legal and industry regulations, or D, to collect evidence of criminal prosecution.
(06:09):
For criminal prosecution, I should say. So what is the primary purpose of regulatory investigations? The answer is C, to ensure compliance with legal and industry regulations. Again, the ultimate goal is that you have many masters in the cybersecurity space, and one of those is the industry or is your local regulations between your local and also your federal,
(06:30):
depending upon where you are at. So you need to make sure that if you fall under those guidelines of regulations determined by your local or federal agencies, you need to make sure that you follow them. Question three: In which scenario would chain of custody documentation be most critical? Again, in which scenario would chain of custody documentation
(06:52):
be most critical? A, administrative investigations for policy violations. B, internal audit for process improvement. C, regulatory investigation for noncompliance, or D, criminal investigations for data theft. In which scenario would a chain of custody documentation be most critical? And the answer is D.
(07:12):
Criminal investigation for data theft. So again, chain of custody refers to the documentation and handling of the specific evidence to ensure that its integrity is maintained throughout the entire process. In a criminal investigation, it will be essential to document all of this.
(07:41):
Question four: Which of the following is the best example of direct evidence in a criminal investigation? Again, which of the following is the best example of direct evidence in a criminal investigation? A, a witness statement about observing the theft. B, a log file showing unauthorized access to a server. C, circumstantial evidence thinking a suspect linking a
(08:03):
suspect to the crime, or D, forensics analysis report of a compromised system. So which of the following is the best example of direct evidence in a criminal investigation? And the answer is A. A witness statement about observing the theft. Again, so you have somebody, a direct person, a witness seeing that they saw you lift it off of this USB drive would be a direct
(08:28):
evidence and that would be admissible in court, right? So you'd be brought in and you would be used to answer what you saw. This is in contrast, you know, a log file or a forensics report would be considered digital evidence or circumstantial evidence. If I have somebody that has eyeballs on it, it is direct evidence. If I have something that's a little bit tangential on the side, it would be something that is more along the lines of
(08:50):
digital evidence or circumstantial evidence. Question five: When conducting an internal administrative investigation, what is the most important first step? So when conducting an internal administrative investigation, what is the most important first step? A, alerting law enforcement. B, notifying all employees of the investigation.
(09:12):
C, reviewing the organization's policies and procedures, or D, collecting all available digital evidence. Again, when conducting internal administrative investigations, what is the most important first step? And it is C, reviewing the organization's policies and procedures. That's the ultimate goal when you're dealing, your important, most important first step, because if you don't have those in place and you're trying to do an administrative investigation
(09:34):
and the person did something that's outside of what your policies and procedures are, that are outside of what they define, then you could run the risk of, you know what, you really don't have a case here and you just might want to let that sleeping dog lie. It also will maybe make you go, you know what, I need to make some changes to our overall policy structure. Question six: What legal principle must be followed to
(09:55):
avoid evidence exclusion in a criminal trial due to unlawful seizure? What legal principle must be followed to avoid evidence exclusion in a criminal trial due to unlawful seizure? A, search and seizure laws. B, chain of custody. C, subpoena authority, or D, incident response guidelines. So what's the legal principle that must be followed to avoid
(10:17):
evidence exclusion in a criminal trial, which means you can't submit the evidence due to unlawful seizure? And it would be A. Search and seizure laws. Again, these laws are set up to govern how evidence can be collected legally. In the United States, the Fourth Amendment protects against unreasonable searches and seizures. And this came out, actually, this is a little bit of trivia,
(10:38):
came from during the Revolutionary War. Uh, there was one of the big issues they had was around the British being able to just go in and seize whatever they want. So the U.S. created these laws to help put the guardrails upon this and uh dictate what would be unreasonable searches and seizures. So again, if it's obtained unlawfully, then it may
(10:59):
be excluded from the trial. Question seven: Which regulatory framework specifically addresses data protection and privacy for European Union residents? Which regulatory framework specifically addresses data protection and privacy for European Union residents, EU residents? Okay, A, SOX. B, GDPR. C, PCI DSS, or D, CCPA?
(11:24):
And the answer is B. Yeah, General Data Protection Regulation, GDPR, aka. It's a comprehensive data protection plan that was put into place many years ago. There was another one that was set up, I can't remember, it was Data, oh, I can't remember, Data Shield or something like that. But this GDPR was designed as an overarching kind of protection. And if you fail to meet what GDPR asks for, it is expensive.
(11:47):
So people put a lot of time and money into being compliant with GDPR. Question eight: A company's internal investigations reveal that an employee is violating a non-compete clause. This type of investigation falls under which category? So non-compete, an employee's violating it. A, regulatory. B, civil. C, criminal, or D, administrative.
(12:09):
Okay, then an employee violating non-compete laws and it would be D, administrative. So internal investigations into non-compete clauses would typically be an administrative type of investigation in nature. And they all more or less come down to you want to enforce the company's policies. So that would be an administrative. Question nine: What distinguishes civil
(12:30):
investigations from criminal investigations in terms of penalties? Again, what distinguishes a civil investigation from a criminal investigation in terms of penalties? A, criminal investigations focus on financial or injunctive relief. B, criminal investigations can result in imprisonment. C, criminal investigations only result in financial restitution,
(12:52):
or D, criminal investigations are always initiated by private entities. Okay, what's the difference between civil and criminal? A, civil investigations focus on financial or injunctive relief, right? That's the main point of them. They put injunctions in place to prevent certain actions rather than punitive measures like imprisonment. That's the ultimate point. But again, that comes back to with civil and criminal, the
(13:14):
differences in what is defined and needed for evidence beyond a reasonable doubt is criminal. And so therefore the evidence aspect falls into that category. Question ten: Which of the following best describes circumstantial evidence? Question ten is which of the following best describes circumstantial evidence? A, the direct observation of a criminal act.
(13:36):
B, evidence that implies a fact but does not directly prove it. C, evidence that is inadmissible in court, or D, evidence obtained through direct forensic analysis. So again, what best describes circumstantial evidence? It is B, evidence that implies, air quotes, a fact but does not directly prove it.
(13:56):
So if you see something that doesn't directly corroborate that there was an issue, it will then be circumstantial evidence. So again, finding a suspect's fingerprints on a door does not necessarily prove that they committed the burglary, but implies they were present. Or maybe they showed up earlier or later. Again, that's just kind of bringing all this little story
(14:17):
together that the circumstantial piece of it. When you're dealing with IT, did the guy actually have USB access? Did the person log in that day? Did the person use their USB access? So on and so forth. Question 11: An investigation into insider trading is likely conducted by which type of authority? So insider trading, who would be doing that? A, criminal law enforcement.
(14:39):
B, administrative review committee. C, primary a private arbitration panel, or D, financial regulatory body. So an investigation into insider trading is conducted by which type of authority? And it would most likely be D, the financial regulatory body. Now, insider trading, again, buying and selling securities based on non-public information. If you do that, that violates what the SEC has out there, and
(15:02):
so they're highly likely that they would get involved when you're dealing with insider trading. That being said, you can also say that there would probably be other people involved in this as well, but the financial regulatory body would take lead on these types of situations. Doesn't mean they won't come back after you for criminal aspects, aka Martha Stewart. That's where she ended up dealing with that.
(15:23):
Question 12: Which type of, what, which concept ensures that every individual who handles evidence is recorded? Which concept ensures that every individual who handles evidence is recorded? A, evidence integrity. B, chain of custody. C, forensics readiness, or D, digital signature. Again, which concept that every individual who handles, touches,
(15:45):
deals with it in any way, is recorded? And the answer is B. Chain of custody. Again, chain of custody tracks the evidence from its collection to the presentation in court, ensuring that everybody who touches it has access that is supposed to have access to it. There's a record of who touched it, when they touched it, and so forth. Question 13: Which act governs electronic communication privacy in the
(16:07):
United States? A, Sarbanes-Oxley. Or B, Computer Fraud and Abuse Act. C, Electronic Communications and Privacy Act, or D, Federal Information Security Management Act, or FISMA. And the answer is C. Electronic Communications Privacy Act, otherwise known as ECPA. This basically is an act that was put in place for electronic communications and how they can be accessed and intercepted in
(16:29):
the United States. Okay, so that's a key factor around that. When you're dealing with SOX, you know, that focuses on financial practices, Computer Fraud and Abuse Act, CFAA, this deals with computer related crimes, and FISMA is focused on the Federal Information System Security. So you gotta know the differences. If you're gonna whittle them down, the Electronic Communications Privacy Act, at least at a minimum, has it in
(16:51):
the name. Question 14: Which of the following is a primary objective for forensic readiness? A, ensuring regulatory compliance. B, reducing investigation time. C, enhancing user privacy, or D, preparing systems for collection and preserving evidence. It is A. Ensuring regulatory compliance.
(17:13):
So forensic readiness involves configuring and managing systems so that the evidence can be efficiently collected and preserved. So the ultimate goal is you're ready for it, right? This can occur because maybe you have it in your organization, you have uh taps within your organization's network so that you're collecting packet captures, PCAPs, and that is then sent to another location where it is stored.
(17:34):
So you are then being primarily ready for the event that you may have to have some sort of forensics capability. And this is all these log files are being sent to a certain spot. Again, this is a strategic kind of thought process that you need to plan for if this is something that's important to your organization. Question 15: A whistleblower protection policy primarily addresses which
(17:54):
investigation related concern? Again, a whistleblower protection policy primarily addresses which investigation related concern? A, evidence handling. B, investigator bias. C, protection from retaliation, or D, preservation of chain of custody. So whistleblower protection policy addresses which investigation related concern, primarily, right?
(18:16):
And the answer is C, protection from retaliation. Whistleblower protections are designed to protect the individuals who report potentially unethical or illegal activities, right? It's to help them. It's to help encourage people to come forward without having to be worrying that someone's gonna throw you under the bus. So that again, that's the ultimate goal, is that the whistleblower piece is protection from retaliation.
(18:37):
If you violate that, that can go ugly for everybody. So you want to make sure that if you do have that within your organization, you are watching it very closely and you have a good plan in place to deal with whistleblowers. Because yeah, if it comes across that you are not doing well to protect them, uh you got a lot bigger issues you're gonna be fighting. So there's just a piece of advice. Again, not a lawyer, just telling you some stuff from
(18:59):
experience. Okay, that is all I have for you today. Head on over to CISSP Cyber Training, go there. You'll enjoy it. I guarantee it. You'll love it. It's awesome. It's got everything you need to pass the CISSP exam. It's all there. No reason to go around checking out other places, watching videos and other things. It's got it all available for you to include an overall plan
(19:20):
for passing the CISSP. Now, again, there's a, I have a blueprint that's within the CISSP network in there in the overall product plan. And that plan, that blueprint will help you step by step by step on what you should study to get ready for the CISSP. There's a lot of people out there that can go and cram for this thing, pass it, and move on. Well, that's great.
(19:41):
But the nice part about what I have with the blueprint is the blueprint will step you through, help you learn the information so that when you move on to the next role, you actually understand what they're asking of you. And to be honest, if you want more money, there's a lot of different companies out there that will promote, hey, we can help you get more money. The way you're gonna get more money in cyber is you understand the content. You ain't gonna be able to get it just by winging it.
(20:02):
Because you might wing it for a little while, but then they'll find out and you'll be fired. So the ultimate goal, or you'll get hacked and then you'll be fired. The ultimate goal is again to learn this information so that you can then help your company, protect your company from the evil hacker horde. Now, the last thing is, go to also reducecyberrisk.com and you can go there and you can, if you're looking for a consultant, I can help you with that.
(20:24):
I've got a lot of partners that I'm working with, and we can help you with your needs from virtual CISOs down to individual security, uh pen testing, you name it, it's available to you at reducecyberrisk.com. So again, CISSP set.com or cisspcybertraining.com and reducecyberrisk.com. Head to those, check them out, a lot of great stuff for you.
(20:45):
Have a wonderful, wonderful day, and we will catch you all on the flip side. See ya.