Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training. We might be trading and CISSP exam. My name is Sean Gerber. Join me each week as I provide the information you need. CISSP exam and grow your cyber career in the light.
(00:21):
Alright.
SPEAKER_01 (00:25):
Good morning, everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday, and we are going to be getting directly into CISSP questions that are tied to Zero Trust or Domain Four. That is the ultimate goal, is around giving you some information you need to pass the CISSP.
(00:47):
And we're starting off with some deep dive into some questions. The ultimate goal of these questions is to kind of help guide you and direct you in what you need to do to be able to pass the CISSP the first time. And I got an article, or I should say, I got an email today from one of the guys that have been taking my courses and they passed the CISSP. Once again, I love getting these emails of folks that are
(01:07):
actually emailing me in saying, hey, I passed it. Thank you. So it's great, great things that are coming out of CISSP Cyber Training. And just wanted to kind of let you know things are moving. It's awesome. You all are probably getting ready to head into the Thanksgiving time for this year, and we're getting to Thanksgiving and Christmas. So you know what? Enjoy the time with your families as you can.
(01:28):
Also, as you get family close together, yeah, hang on, because sometimes we don't always necessarily agree. Yes, that is a different topic, different podcast altogether, but when you're dealing with everyone together, it can be challenging to say the least. So we're gonna, before we do that, I have an article I wanted to talk to you all about that I think is actually quite
(01:49):
interesting. And we have become reliant upon AI. And I use it in my consulting business. Uh, it's very, very helpful to help draft uh policies, to help with certain types of questions related to certain tools. It is amazing and it provides so much value, and I continue to see the value that it provides on a daily basis.
(02:10):
And I know many of you are also using these AI capabilities in certain various numerous ways, I'm sure. But an interesting part that came out, and this was just an article that came out in InfoSec or InfoSec Security Magazine, and it is "OpenAI warns of Mixpanel data breach impacting API users."
(02:30):
So, what exactly is that? As I'd never really heard of what Mixpanel is, but Mixpanel is an analytics provider used by OpenAI. Basically, they're the ones that are bringing information into OpenAI, and they were smished, right? So these folks were ended up having a phishing, SMS phishing attack, and then this smish that they had, they had exposed
(02:53):
some limited, air quotes, limited analytical data for some users of OpenAI's developer/API platform. So because they provide API connections back into OpenAI and they were able to be compromised, they ended up having some level of access into OpenAI's API gateway or API
(03:13):
platform of some kind. And as a result, it opened up a potential issue with anyone that was connecting to OpenAI's API environment. So what they're saying is those that there was no critical information that was actually lost, such as passwords, payment information, or anything that had of the actual content or chat that may have occurred via the API connection.
(03:34):
So no users of the core ChatGPT were basically affected by it. And then there's also a lot of they say just kind of low-level stuff that has occurred. Um, what really it comes down to is this just shows that you know, even though these folks provide a lot of information to us all and they provide a service that is pretty amazing, they are the targets as well.
(03:56):
And it's not actually ChatGPT, it's though, as we've mentioned before, time and again in CISSP Cyber Training, your third-party integrations can be your Achilles heel. As a result, AI, or I should say, OpenAI, is telling people that any of the developers that might be tied to this incident, he's warning that they're they are warning them not to basically treat this as if there's an issue that's out
(04:19):
there, that they should be very uh careful about any clicking on anything that occurs, and they should watch out for any unexpected communications that are coming from anyone else. Bottom line, standard phishing type uh activities. And so now you need to be careful. But this is a problem, right? So this is a challenge that we all have, and it's becoming a
(04:39):
more adept or I should say adroit problem in that if you are a developer and you're in the developer space, uh, you need to be really truly understanding the security implications of what you're doing. Because in many cases, you have keys of the kingdoms, and so your security person that's within your organization that is helping you, you, you, your company, needs to make sure that
(05:00):
they have a good plan on how do you manage your credentials for your organization as well. So that's a whole different conversation. Um, and but bottom line is that this has been attacked by users. So this company called Mixpanel, and they are a data analytics supplier. Again, developers, be on the lookout because you know what, someone's coming after you, just like everybody else.
(05:23):
So let's move on to what we're gonna talk about today. But before we do, I have to throw out a shameless plug for CISSP Cyber Training. Head on over to CISSP Cyber Training and get access to all the content if you're studying for the CISSP exam. I've got various types of products that are out there available for you from free all the way up to my gold package, and that's all available to you depending upon what you need and
(05:46):
how you see value in the CISSP. I can provide you value on helping you study for the exam as well as helping you uh get your cybersecurity career going. And if you need any sort of assistance or consulting capabilities, it's all there and available at CISSP Cyber Training. So head on over, get free content, gobs of stuff, get some paid content to help you pass it the first time.
(06:08):
You won't regret it at all. I guarantee you, you won't you won't regret it at all. All right, so let's get into what we're gonna talk about. Okay, so as a member of CISSP Cyber Training, you will have access to all of these questions. Uh, these are all for the paid subscribers that are getting with me, but you can have access to these, you can walk through these, and we go through each one of these questions individually.
(06:29):
So let's get into this. All right, this is all tied to zero trust. All right, question one (06:32): an organization is designing a zero trust architecture, you'll see the acronym ZTA, for a hybrid environment such as on-prem and multiple clouds. That is quite normal, and you will see more of this. Which of the following design decisions most accurately reflects a core zero trust principle rather than supporting practice or implementation details?
(06:54):
Okay, A, segmenting the internal network into multiple VLANs with firewalls between critical subnets. B, replacing traditional VPNs with the split tunnel VPN and stronger IPsec ciphers. C, implementing full disk encryption on all endpoints and servers connecting the sensitive data, or D, making access decisions based on continuous evaluation of the identity,
(07:16):
device posture, and context of every request, context, I should say, of every request. So yet again, understand ZTA, understand zero trust architecture. This isn't something that you set and you forget. It's a morphic type of activity, and you want to set the example of zero trust. Trust no one. That's the ultimate thought process behind this. So let's think about that.
(07:38):
Which one would it be? Segmenting internal networks into multiple VLANs, well, that is great and that's helpful, but it's probably not the most way, most successful way to do this. That's a traditional way of setting up their networks in a in that type of activity. Replacing traditional VPNs with split tunnel VPNs and stronger IPsec tunnels. Again, that's a great architecture plan, has
(08:00):
opportunity, but it's not something necessarily tied to ZTA. Implementing full disk encryption and all endpoints and servers connecting to sensitive data. So again, that's a part that is good would fall into ZTA as far as being an access or a part of it, right? Of trusting no one. You want to have set up some level of encryption, but it wouldn't be the most accurate way to do this.
(08:24):
Making access decisions based on continuous evaluation of identity, device posture, and context for every request. Okay, so that's a little bit more around the zero trust concept, right? You trust no one. So the answer would be D. So zero trust assumes the network is always hostile, which we do if we just did an article and we talked about that. And there's no request that is inherently trusted just because
(08:45):
it comes from a trusted network segment. Just like we saw, right? Just because you have someone that's especially in third parties, that means you could actually run a situation where you could compromise you just because of that situation. So every access request is an evaluation based on identity, device posture, context, as far as location, and any sort of behavior patterns that are with them.
(09:06):
This is the heart of zero trust. Again, never trust, always verify. Again, TNO, trust no one. So the answer would be D.

Question two (09:16): a security architect is tasked with evolving a traditional castle and moat environment into a zero trust architecture. So we all know castle and moat is you just you surround the most protected credentials, or not credentials, but your your castle jewels, right? And you just put barriers and levels of protection to help keep the bad guys out.
(09:37):
The problem is once you break over the moat and you get through the castle walls, you found a nice gooey center and things are more challenging. So they propose a this company, or I should say, this question they say propose deploying a centralized policy decision point, PDP, and a policy enforcement point, PEP. So Papa Delta Papa, Papa Echo Papa.
(09:59):
Which design choice best aligns with zero trust for east-west traffic inside the data center? Okay, so you got east and west traffic. North and south is in and out. Uh, you've got east-west is your lateral traffic within the data center. So which one best aligns with zero trust for internal network traffic? A, implement PEPs for each application gateway or service
(10:21):
mesh proxy that evaluates requests per session using identity and posture before forwarding. Okay, so this is something that's a gateway that's set up inside. That's basically it's like it's like a toll booth in between the conversations that are occurring, the internal network traffic. Question B, or I should say answer B. Place the PEP only at the internal edge and enforce access
(10:43):
decisions for inbound traffic. Internal traffic flows are allowed once inside. Okay, so that maybe fits more the castle and moat thought process. C, use the PDP dynamically to push ACLs to core routers once a day based on the user group memberships. Okay, so that potentially has that's more of a security mechanism. It's not really something to help deal with your internal
(11:05):
traffic per se. It does, but it's uh it's not as good. D, configure the PDP to authorize all traffic from RFC 1918 addresses and deny all public IP addresses by default. That would probably that could cause you some issues, right? Because if you've got external stuff, it's basically saying in all allowing all internal traffic that's meeting the RFC
(11:26):
1918 requirements, and then if there's any public IP addresses that are coming in that need lateral left and right traffic, you would deny that, which isn't the right idea because of the simple fact that you may have some sort of public IP addresses that have communications in your network. Now, that is a good thought process, and I think that it's probably one of the more better ones, potentially, depending
(11:46):
upon the organization that you're in. However, there anytime you start denying public IP addresses internal to your network, you can run into breaking things that you didn't anticipate, especially in a network that's more legacy, it's been around for a while. So the answer is A. Implement PEPs on each application gateway or service mesh proxy that evaluates requests per session using
(12:09):
identity and posture before forwarding. So again, we talk about this. It's zero trust. It encouraged placing enforcement closest to the resource or with the workload path. So again, you want to basically limit, trust no one, you know, trust but verify piece of this. And so, therefore, every time that some application is using a gateway, then it would have to verify who it is.
(12:30):
Um, application gateways, sidecar proxies, or other service mesh components are ideal places for PEPs just because every transaction is being seen by them. Now, again, you're gonna have to have someone who really truly understands ZTR or a zero trust, ZTA, I should say. Should really understand ZTA before you start putting these things in. Because if you put them in again and you don't know what you're
(12:52):
doing, you're gonna start breaking stuff. So just something to think about. Per request, per session evaluations are there. You need to look at those. Um, and then these also are dealing with fine-grained uh least privileged access as well. So understand PDP and PEP. Now, what is PDP? I should have gone into this PDP a little bit. PDP will centralize your policy logic, right?
(13:14):
So the your PEPs query or cache, what's going on between it, the PDP will actually understand that logic between the two. And it's the one that opens up the gate or lets the gate go back down. So this pattern is exactly what ZTA reference architecture describes as modern environments. API gateways plus a service mesh. Now, I would say most companies out there will struggle with
(13:35):
this, and it's not many that are like that. The government is pushing in that path. If you are forcing yourself or wanting to go down the ZTA route, uh, then you need to really get some an architect who really truly understands it. I would say I understand the concepts. I would not be the right person to architect that, just because that's it's a bit beyond where my knowledge had begun when I
(13:55):
left being in architecture. But it doesn't mean you can't learn it. It's just it's it's pretty substantial, and you need to have a really good plan around it, and you need to find the right person to help you do that.

Okay, question three (14:05): a financial institution claims to have implemented zero trust by requiring multi-factor authentication, MFA, for all VPN access. Yay! Once authenticated, users receive an IP in a trusted subnet that has broad access to internal systems. Hmm. Which statement best describes a zero trust gap if it still exists?
(14:25):
Okay, so this is saying we have a problem, Houston. What is it? It's a zero trust gap that still exists. A, MFA is not sufficient because it does not encrypt data in transit between the users and the internal systems. Okay, so if you listen to that again, it is not sufficient because it doesn't encrypt data. Well, that doesn't make sense, so we throw that one out. B, zero trust is incomplete because trust is still primarily
(14:46):
granted based on the network location after authentication. So again, multi-factor setup for all VPN access. Once that is done, they receive an IP in a trusted network. So the authentication piece is happening because they got a VPN and they have MFA. So now they're good to go, right? But because it's still granted on the network location, because
(15:07):
it's probably tied to that based on your VPN location, then that is just still opening you wide up. And VPNs, as we know, are very can be very promiscuous. They can allow a lot of things to happen within your organization unless you have very have very strict tight controls around VPNs. So what does this mean? Well, actually, let's go into the next question.
(15:28):
C, zero trust requires biometric authentication. The current MFA methods must be upgraded to FIDO-based biometrics to be compliant. Again, the MFA will allow you in, but once you're in, you're in the soft gooey center. D, zero trust is incomplete because VPNs must terminate in the DMZ and currently terminate directly on internal servers. So that isn't necessarily bad if they had controls in place, but
(15:50):
it's saying at the DMZ, then it would be that wouldn't really work either. So that you wouldn't want that one. So then we know the answer is B. Zero trust is incomplete because trust is still primarily granted based on network location after authentication. So what does all this mean? Once the user authenticates to join the trusted subnet, they are effectively inside, obviously, the moat, right? Our castle and moat thought process, and the soft gooey center
(16:13):
is now available to them. This is an implicit trust based on the network location, right? So this is what zero trust does not want you to do. ZTA is a continuous and granular authentication or authorization, and therefore it must expect to basically trust but verify. And the I should say verify, then trust. The MFA at the door, then once you get there, it's wide open.
(16:36):
So you don't want that to happen. A single VPN connection should not equal broad, long-lived access. This is a very past type of activity that has occurred for many, many, for a millennia. It has been around for a long time. And especially it's bad if you start throwing your contractors into the mix. All right, question four.
(16:56):
An enterprise wants to extend zero trust principles to the data layer. Sensitive documents are frequently copied outside the corporate network onto contractor devices, which is which control best aligns with the zero trust principles aligned to or applied to data rather than just networks or applications. A, using host-based firewalls to block outbound connections from
(17:17):
contractor devices to unknown IP addresses. B, implementing full tunnel VPN and blocking all split tunneling on contractor devices. C, applying persistent data classification and rights management to enforce access controls and usage restrictions even off corporate networks, or D, enforcing stricter password complexity policies for all contractor accounts.
(17:41):
Okay, so we want to know which one best aligns with the zero trust principles applied to data rather than just the networks or applications. So that it'll narrow it down. We're focusing on the data. So the answer would be well, should I say that yet? No, let's go into A. Is A the right answer? No, it's not. Using host-based firewalls to block outbound connections from
(18:02):
contractor devices to unknown IP addresses. Okay, that's great. That's a network thing, but it's not focused on the data. So that's not what you want. Implementing full tunnel VPNs and blocking all split tunneling on contractor devices. Well, that yeah, you don't want that. You do not want split tunneling on contractor devices. Um, and but full tunnel VPNs, that is not what you want, and
(18:24):
that's not data focused. D, enforcing stricter password complexity requirements for all contractor accounts. Okay, so again, that's that's a great control, but that's not tied to the best aspects of data rather than just network or applications, because your password control would be focused primarily on your application. So the answer would be C, applying persistent data
(18:45):
classification and rights management to enforce access controls and usage restrictions even off corporate network. Yeah, baby, data classification. It is what you want. Rights management, most definitely, understand it, but most people don't do it and they just really struggle with it. Data classification is hard, especially if you have an
(19:05):
already existing network and you just really want to make sure that your people are happy. So, what are we talking about here? Okay, so when you're dealing with a data-centric environment, zero trust can and should be applied to all at all the data levels. So it should, it should not be limited. Now, I've seen it where the data levels may be not as applied to zero trust because of uh connectivity challenges and
(19:26):
because of access issues. So, but that being said, you should apply it to the data itself and it carries policies and protections wherever it goes, wherever it stays, regardless of the location. Situation I had, it was dealing with intellectual property that was stored in locations outside the United States. Anytime it was outside the United States, it became unavailable. You could not use it because of the data classification labeling
(19:47):
that was tied to it. And this is where you would get into public, internal, confidential, highly restricted, etc. Now the rights management aspects, this is where you're dealing with attribute-based access controls, which is your ABAC, which we've talked about numerous times on CISSP Cyber Training. And this is where you want to have that tied to your data. Also, why don't you want to have encryption obviously tied to your data and identity policies?
(20:09):
Because again, certain roles with certain devices can open the files. Certain roles and certain devices cannot open the files. So it's really important that you decouple the trust from the network, meaning that if you're on the network, oh, you're trusted, you want to get it down to the data level and be granular because people are on the move. It's like out of a movie, coins travel.
(20:30):
That's the out of the movie, Sahara. Coins travel, you don't know where they go. Same with data. Data just travels everywhere, it goes everywhere. So therefore, you should have protections based on the data, not necessarily on the access or the network itself.

All right, question five (20:44): the last melon. Okay, question five. The large healthcare provider is transitioning from a flat internal network to a zero trust architecture. Yay! Resources are a mix of legacy client server applications, modern microservices. Oh man, it's all the Gucci stuff. Which phased approaches most closely reflect a realistic and
(21:05):
effective zero trust migration strategy. So, how would you understand this? So we go A. Immediately decommission the existing perimeter firewalls and rely solely on identity and device posture to control access to all the internal resources. That's a great idea. You don't do that one. B, start with critical business applications, applying micro
(21:26):
segmentation and identity aware access controls around them while gradually extending the zero trust techniques to other systems. Maybe. C, migrate all legacy applications to microservices before implementing a zero trust concept or controls, ensuring architectural consistency. Okay, but that isn't necessarily bad, but that probably wouldn't
(21:47):
be your that wouldn't be the last step here. B or D, replace all existing VPNs with cloud-based zero trust network access, ZTNA solutions, and consider zero trust mitigation or migration complete. Yeah, the first part was good, second part, not so good. Okay, so what is a realistic and effective zero trust migration strategy from the from your perspective, from a CISSP?
(22:10):
Why would you study for this? What would you do? Okay, so if you're looking to migrate to zero trust, the some of those are good, some of those are not so good. First one, not so good. But B is a correct answer. Start with the critical business applications, applying micro-segmentation, identifying identity aware access controls around them, while gradually, key word, gradually extending
(22:32):
zero trust techniques to other systems. Again, business critical applications. And I would say that that's probably one of the most effective things to do. Why is it business critical? Because that's what makes you the money, baby. Without those, you're not making money. So you want to make sure that you start with those and you apply micro-segmentation. Those also are the ones that become the most disruptive. So you really want to start slowly in that environment.
(22:54):
Start with one application that maybe isn't tied to your entire company's business portfolio, right? So you don't pick the biggest one. You pick one that's tiny, try it, work on it, let everybody know this is going to be a journey. Once you figure that out, then what ends up happening is you start slowly and begin migrating those to other business critical
(23:15):
applications. Once that is determined, then you can start moving out to the different other levels within your network. Again, this is a journey. I can't stress this enough. And you need to set the expectation with your leadership that this is a journey. Because uh, and I say it slow and like methodical like that, like that really cool voice that's on a beer commercial.
(23:38):
Um, no, you you you have to let them know this is gonna take some time. And they will want it done yesterday because what ends up happening is, and and this is something you'll run into from a security professional, you may get into the situation of going, well, now it's it's one more thing, and this may actually outlive you. So you're gonna have to have a really good strategy long term,
(23:58):
how you're gonna migrate to this, and then also make sure everybody's aligned from the beginning of the company on down. Because if you're a very large organization, this will take years. If you're not a very large organization, this can happen within a period of six months, maybe 12 months, and you can be there. Uh, but uh again, it's a journey. So it's not a race, believe me.
(24:18):
But if you don't do this well, I'm gonna kind of harp on this just a little bit. If you don't do this well uh and you don't have a really good plan around it, it will fall flat. Everybody will hate IT. They will kick you out and they will have pitchforks and torches to run you out of town. So please think wisely before doing this and have a really good strategy. You can also reach out to me at CISSP Cyber Training, and I'll
(24:40):
see if I can help you. I'm happy to help you with this in any way possible. Okay, this is Sean Gerber with CISSP Cyber Training. I again, I hope you enjoyed this today. Uh, man, CISSP training, CISSP Cyber Training is growing. The podcast is growing. Getting lots of great feedback from the podcast, it just keeps exploding. And uh go out to CISSP Cyber Training, check out what's out
(25:01):
there. There's a bunch of free stuff. There's also really great paid content that is out there. I have actually been remiss. I guess it's Black Friday here yet tomorrow, and I don't have anything out for Black Friday. So you may see something in your inboxes if you've signed up for Black Friday to get a reduction on some of the products that I have out there. Yeah, I just didn't even think about that. It's kind of spaced out of my mind.
(25:22):
But go to CISSP Cyber Training, check it out, you will love it, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a
(25:43):
plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.