Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast. We provide you training and tools you need to pass the CISSP exam first. Hi, my name is Sean Gerber. I'm your host of Active Activity Podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cyber security knowledge.
(00:21):
Alright.
SPEAKER_01 (00:26):
Good morning, everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is CISSP question Thursday, and we are going to be getting into the CISSP questions related to domain five.
(00:46):
But before we do, I obviously have this small little thing we're going to talk about, just a couple little areas of within the IP or IT space that may be affecting you. And as you are listening to this, you're probably like we talk about numerous times on this podcast, you are probably a cybersecurity professional or related to that field in some way or another. And this article came out of the Bleeping Computer.
(01:10):
And this is where it comes down to some Korean experts arrest individuals selling intimate videos from hacked IP cameras. So, as we all know, there's IP cameras everywhere. They are all over the place. And if they're not on your phone, they are based in these actually the normal cameras that you can buy.
(01:31):
If you can buy them from Wyze, you can buy them from Lorex, you can buy them from all kinds of places, that these IP cameras will be available to you. And I have them as well. If in within my businesses that we have, we have a couple different businesses that are with coffee and with Kona Ice. And so I have at our warehouse we have cameras that are located. These are IP-based cameras, and they work like a champ. They are awesome. They actually work very, very well.
(01:54):
But the question comes into is is these fo these cameras can be used so well that other people can gain access to them. And we've talked about this and we deal with physical security a lot. If you have IP-based, especially Wi-Fi-based cameras, uh you need to make sure that you have enabled the proper protections on those cameras to ensure that they are not being utilized by somebody else.
And this comes into the nanny cams that has come out.
(02:15):
I think it was probably a couple years ago. There were it was an article that actually came up around nanny cams. And those are the cameras that are put in kids' bedrooms to watch the kids in the event something were to happen. Well, those the the nanny cam situation, those uh cameras were used again for inappropriate content.
(02:37):
And again, they were looking for anything they could find, and then they would post it on websites that were inappropriate for folks. And so this is a situation that came up with Korea and a same kind of concept as the Nanny Cam. The Korean National Police uh they basically arrested some suspects who allegedly hacked over 120,000 IP cameras across South Korea.
(02:59):
This would include cameras in homes, commercial facilities, and numerous other areas. And they basically took the stolen footage and sent it to adult sites overseas. So your private things that are occurring, uh if you have a camera in those areas were being watched and monitored.
(03:20):
And again, there's probably all kinds of stuff that was really not appropriate or really was no big deal, but they did obviously find some things that were something they were interested in. So they took this information. So there was a basically an individual took about 63,000 cameras and sold 545 videos of about $35 million, or actually it's you Korean dollars, which was around $23,000.
(03:40):
And so they took they went, I'm sorry, but you went through 63,000 cameras to find 545 videos. That's a lot of us just sitting at home and just scanning through stuff trying to find something to make $23,000. I wonder how long that took them. They they probably could, if they would be working and using their powers for good and not evil, they probably would make more money. But uh again, that's what people do.
(04:02):
Uh there was a second, there was an office worker who took about 70,000 cameras and he sold 648 videos worth around $12,000. So as you can see, there's situations that came up, and it's about percentage-wise, honestly, you look at it from a perspective, it was 63,000, 545; 70,000, 648.
(04:22):
So you've got to look through a lot of cameras to find anything of any value. And so there's this is these office workers were bored and they decided, hey, we'll try this out. We'll see if we can get some extra cash out of this. And so they decided to go and and do these things.
(04:45):
So the the challenge with this is one, it's just morally incorrect, it's wrong, it's not something that you should be doing. Uh, but two, the other aspect is that what you're seeing is gonna cause a lot of grief and issues. One, for the people that are having now have to deal with the trauma of people eyeballing them using their cameras. And two, is well, or should actually three, and then you have children that are potentially being seen in ways that are inappropriate, so that's really bad.
(05:08):
And then you run down the risk of now because you did this, you're gonna go to prison for a really long time and be breaking big rocks into little rocks. Uh, so just a really bad thing for well, let's, I mean, yeah, fifty thousand dollars in the grand scheme of things, when you add them both up, it's that's a lot of money, but it's not a lot of money for the drama that they have caused and the issues they're gonna cause for themselves.
(05:29):
So basically it comes down to anytime you're dealing with an IP camera or IoT type device, you want to make sure that you change the default password, the default credentials. And we did this in the hacking world, is that we would typically go and look for wireless access points that had the administrative credentials still labeled, still there.
(05:51):
Because in the past, and they they've changed this a lot since then, but there would be a lot of wireless access points that would use the same admin credentials, such as admin username, admin password. Uh assuming that you are going to go and make the changes to them when you actually install them, which most people did not do. So changing default admin credentials, again, very important part with unique passwords. Do not replace and remove this exact same password on all your other devices because once they get one, they can get many.
(06:14):
Uh disable remote access when it is not necessary. Obviously, remote access is very nice. Uh, I use it with my facilities, and it does give me access into what's actually occurring at them.
(06:36):
That being said, uh it's also one of those things that if you don't change the password and put some level of credential uh management on them, you could have yourself a lot of issues in the future. So again, disable remote access when not necessary, and then obviously keep your camera firmware up to date. Uh, this is something that I'd say a lot of people don't do as well because they just set the set them and forget them, these IP address or IP cameras. So those are really simple things that you can put in place that will protect you and your family.
(06:56):
Depending upon where you have cameras within your home, uh you may want to consider maybe not having cameras in those locations. Uh again, it just depends. And you you may be maybe interested, maybe not. That's hard to say. All I can say is if someone's interested in watching me nay-nay, that you man, you're out, you're just you're that sucks. You're just you're not gonna be a happy person because it's just not pretty. It's just not not good at all.
(07:18):
Uh, so again, that is the IP-based security cameras. These are basically comes out of the Korea arrest suspects with intimate videos from hacked IP off of Bleeping Computer. Okay, before we get started on what we're gonna talk about today, one quick shameless plug.
(07:40):
Head on over to CISSP Cyber Training and get some great stuff. So I've got various products that are out there and available to you at CISSP Cyber Training. If you're listening to this podcast, you are actually interested in getting your CISSP. Well, guess what? What a better place to go than to CISSP Cyber Training to get that kind of stuff. So I've got a bunch of free things that are out there for you that can help you get started into this program.
(08:00):
However, if you really truly want to get this thing knocked out in a quick manner and have your best chance of passing the exam, you want to really look at my paid products. I have various paid products out there. They are not expensive.
(08:22):
And let's put this in perspective: if you're trying to get your CISSP and you're gonna spend all this opportunity cost studying for it and you're gonna go and go spend a bunch of money on a test, you probably want to invest a little money to ensure that you have a really good chance at passing the test. Don't go cheap on this. I mean it, I've done it, and you will regret it. Uh, and bottom line is if you're trying to better yourself, you really need the content to help you do that. But head on over to CISSP Cyber Training. All of that information is available to you.
(08:43):
I've got questions, I've got training videos, you name it, it's there and available to you. However, if you just want the free stuff, get that too, because you know what? That can help you at least get you started and moving in the right direction until you figure out what you really truly need.
All right, let's get into what we're gonna talk about today. Okay, so today is going to be domain six, deep dive questions.
(09:06):
I'm gonna be focused on questions related to domain six, and we want to get a little bit deeper into these questions and what some things you may want to consider when reading them potentially for the CISSP exam. Now, again, we've made this content or comment multiple times and the disclaimer comes out. This content most likely, I mean, it's possible, it's truly possible, it most likely will not be on the CISSP exam, but it's going to give you good understanding and direction of what how to answer the questions when you go to take the exam.
(09:29):
So let's roll into question number one. An organization is preparing for its first ISO 27001 cert. Senior leadership wants to ensure that security controls are operating effectively and that the internal processes conform to the standards requirements before bringing it into an external certification body.
(09:50):
So basically, you want to make sure your act is together, you have everything under control, and you are actually doing what you're supposed to be doing before you bring somebody in to highlight some challenges you may have. So, which of the following is the best activity to perform first? A commission a full external certification audit against your ISO 27001.
(10:11):
B, perform an internal audit program aligned with ISO 27001 control objectives. C conduct a set of ad hoc pen tests or internal facing systems for and on internal facing systems, or D run one-time automated vulnerability scan across all critical servers. Okay, so there we the first one obviously you guys can throw out, right? We just talked about it.
(10:31):
We want to make sure we go through this before we actually bring somebody in. So that one's an easy one to throw out. But let's kind of walk through some of these other questions. So we talked about you want to make sure you have a good plan. So running a one-time automated vulnerability scan across your critical servers that will meet some of the needs, but it's one time. It hasn't been something you've been building upon. So that one would probably be one that I would discount if I'm not real sure.
(10:52):
Conduct a set of ad hoc pen tests and on internet-facing systems. Now you'll probably have wanted to conduct at least one pen test before bringing some certification authority in to look at your environment. However, ad hoc means basically you kind of do them on ad as a whim. And it's possible, but I don't think that's the best activity to perform first.
(11:13):
The best activity would be to perform an internal audit program aligned with the 27001. So why is this the best? Well, it's designed to verify both control design and operational effectiveness.
(11:33):
So they're gonna look at how does it look, what's the design of it, and then is it being do you have the proper uh playbooks in place, do you have the proper ACT processes in place to make that happen? You also explicitly expected by the ISO 27001 as part of their overall internal audit program. They're gonna expect you to have done this at some point in time. And then you need to perform before any external certification to identify and remediate any nonconformities. Well, I've dealing with this right now with uh with a company that we're gonna be working through a SOC 2 audit.
(11:55):
And they want to make sure that before the regulators come in, you actually have done some of these things or at least have a good understanding of where you are at because they're gonna look at this and go, yeah, you're not there. Yeah, you're not in the position you need to be. So we want to make sure that we are in a good position uh to financially or should to get the right controls in place to ensure that they have what they need to be successful.
(12:16):
Question two, you are a security manager for a financial institution. The CIO wants your security team to perform an independent audit of IT general controls to satisfy board directives on its overall independence. Your team does it designs, it controls and implements them and monitors their performance. Which of the following was the most appropriate response?
(12:36):
Okay, a recommend using an internal audit function that reports outside of IT to the board or audit committee. So basically your board wants to have an independent view of this. They don't want to get all their information from IT. B, you agree that because the security staff understands the controls and you can they can audit them efficiently and effectively.
(12:57):
So you don't need to worry about this being an independent thing. You agree, but the label of the activity of is a self-assessment instead of an audit. So you basically come down to and you say, well, we're not gonna audit it, we're just gonna self-assessment, which when you're dealing with an audit versus a self-assessment, you can't, the language can be very different and you can also be not as particular.
(13:17):
So they're gonna basically open up the guard guardrails and make it so that they have plenty of room to maneuver and operate within this air quotes assessment. Or you decline and say, no, we're not doing this, insist that only external public accounting firm can perform the independent audit. So what they want is they want an independent audit done. So we'll resummarize this by your by a certain group.
(13:39):
They want it to be internal first, just to kind of before they actually go and report it to outside of the organization. So what should you recommend? And so what it comes down to is you should recommend A, recommend using an internal audit and report the outside of it, report outside of IT to your basically your team and to the board. That's the one thing you really kind of want to consider.
(14:00):
Now, having an external audit team is great, they can perform a lot of great things. However, just using them, uh, it can be very expensive.
(14:21):
And so if your board just wants to have a good understanding of what's what's going on, you would want to have a third party or an I say it a third party, it would be an internal third party, internal unbiased person or group of people to do the audit. Whereas with C and D, so you agree to it, but you also want to use your security staff. Well, they can be biased on this plan. And then if you agree to it, but you want to do a self-assessment versus an audit, it's basically you're couching the fact that you're probably not going to come out very well in this overall plan. So you're gonna want to have a better strategy. So it's understandable. So the best answer is A.
(14:43):
Question three, a recent vulnerability assessment identified several issues on a critical payment system. One finding is a medium severity vulnerability per the scanner that, if exploited, could bypass transaction authorization controls. The vulnerability requires authenticated internal access and precise timing, and there are no public exploits available.
(15:03):
Okay, so you got an issue, found a problem, right? It's a medium severity problem. Uh there are no known exploits available at this time. Uh, so it the but it does, it has been confirmed that the vulnerability does exist. So what should the security professionals do first?
(15:24):
A accept the standard severity and place the vulnerability into a backlog behind higher severity issues. Possible. A immediately treat the vulnerability as critical and require emergency patching. Maybe not so much, because is a medium severity.
(15:46):
C close the finding because it exploits only the internal staff with authenticated access, or D perform a risk analysis that considers business impact, likelihood, and existing compensating controls. Okay, so again, we're gonna come back to you found a vulnerability on a critical payment system. It's not a critical vulnerability, it's a critical payment system. One finding has a medium severity vulnerability per the scanner. What it's saying, uh, that if exploited, it could bypass the authentication controls that are on the overall critical system.
(16:07):
So, what should you do? Well, we talked about A is you know, putting it in uh backlog might be a good option, uh, and uh, but it probably isn't the first thing you want to do.
(16:27):
Uh immediately treat the vulnerability as a critical and require emergency patching, probably not the best choice, uh, especially since it is only a medium severity vulnerability, potentially. C, close the finding because it's exploitable only to internal staff. Yeah, no, not probably not, uh, because you don't want to close the finding at all. You want to make sure you track that. So the correct answer would be D, perform a risk analysis that considers business impact, likelihood, and existing compensating controls.
(16:50):
Again, understanding the overall risk, evaluating it, and then determining whether it's gonna actually be a factor for your organization. These are important things that you should do. You may have separation of duties in place, you may have other aspects that really mitigate the risk. And you may want to close the this this situation. However, uh, you you really don't want to go down that path and say, well, it's just because it's exploitable to internal, we're not gonna worry about it.
(17:11):
You know, you're gonna want to have a whole process on how you are remediating this situation.
Question four, global SaaS provider must comply with regulatory expectations that a security controls be monitored and evaluated on an ongoing basis. The provider already performs annual external SOC 2 audits.
(17:35):
Okay, so this is a global SaaS provider is must comply with regulatory expectations and they already do external SOC 2 audits. Which of the following best satisfies the expectation of ongoing evaluation while optimizing cost and coverage? That's an important part. Optimization of cost and coverage. A increase the incur external SOC audit twice per year. Or that's A, yeah.
(17:55):
B implement a risk-based internal assessment program combining both self-assessments, targeted internal audits, and continuous monitoring. C perform a full scope internal audit and security controls once a year in addition to the SOC 2. Or D rely on real-time security monitoring tools as a continuously monitor security events. Okay, so each of these are available, or I each of these are good choices.
(18:16):
They're not not terrible choices. Uh, but when it comes back to the ongoing evaluation while optimizing cost and coverage, some of these are more expensive than others. So A, let's go and increase our SOC 2 audit to twice a year. Okay, that's not bad, right? It'll help you increase this that you're you should have a better visibility of what's going on.
(18:39):
However, a SOC 2 audit is not inexpensive, they are rather expensive. So by doing this, you are now gonna be in a situation where you're just increasing your cost. Are you and are you actually making it any better? Maybe, maybe not. Uh let's go to C perform a full scope internal audit on all security controls once a year in addition to the SOC. That's not a bad thing, but you now you got to tie up an internal audit team.
(19:02):
The one problem with an internal audit team, they may not have all the security knowledge, so they'll be pulling people from your organization. Um, so it maybe it isn't um the most cost effective, or the coverage may not be as valuable. Uh C, or I should say D, rely on real-time security monitoring tools as they are continuously monitoring security events. You should have this in place anyway if you're dealing with SOC 2. That's probably not your best choice.
(19:23):
I would say it's probably the least desirable choice of all the four. Then the answer, correct answer would be B, implement a risk-based internal assessment program combining both security assessments, targeted internal audits, and continuous monitoring. All of the three are in place. And yes, so now you're looking at everything.
(19:45):
So you're not just looking at one or two, or you're just looking at every six months. You now are looking at on a continuous and optimized basis. So again, this will definitely balance out regulatory expectations, operational practical practicality, practicality. I can't see big words, and then cost controls versus assurance. So all of those pieces, the answer would be B.
All right, question five.
(20:07):
The last question for this podcast. Your company is moving a critical application to a public cloud provider using a PaaS model. Okay, so it's platform as a service. If you're any of any questions about that, the provider does not allow customer penetration tests against the shared platform. Uh-huh. That does happen.
(20:30):
But the publisher's independent third-party reports, SOC2 type 2, which is the most aggressive, and also ISO 27001 and penitentiar penetration test summaries under are available to you under an NDA. So, what is the best approach to obtaining assurances that the provider's controls are effective?
(20:52):
So, again, they won't allow you to hit it because it's a platform as a service model, but they do SOC2, type two, they do ISO 27001, and they do pen tests. And this is all available to you. The reports are under an NDA. A reject the provider because penetration tests cannot be performed by your internal red team. B, rely solely on the provider's marketing documentation for security white papers.
(21:14):
C, review the map of the independent assurance reports to your organization's control requirements and risk appetite, or D demand full access to raw penetration tests, artifacts, and exploit chains from the provider's red team. Okay, so how Draconian do you want to be?
(21:35):
So the key question on this is that you need to understand, and I've run into this multiple times, as a CISO and in different other aspects, you're gonna want to know it's all about the risk, right? It's all about the risk. There's actually it's all about the something song, but it's all about the risk, right? Well, if it's all about the risk, the key thing around this then is you want to focus on what have they done, and if they are actually truly have certifications, SOC2 type 2 and ISO 27001, as well as the pen tests, if they've done this, then that would really be a good thing.
(21:58):
So A, let's talk about that. Rejecting the provider because pen tests cannot be performed by your internal red team. That is no no. You can't necessarily say that.
(22:18):
Now, I say that if you have multi-gazillion dollars in IP-based information with these people, then you may want to talk to them and say, well, I can't do it against your platform, so maybe I'm willing to stand up my own platform that you guys manage. Those are options, right? Now, I they they totally have legit concerns about having you do it against their stuff, but then maybe you need to look at other options architecturally. B, rely solely on the provider's marketing documentation and security white papers. Well, okay, anybody can put what they want in papers.
(22:39):
Now they could get sued, but you definitely don't want to rely on that. That that's great. It might be the first hack of going, okay, cool. There's SOC 2 type 2. Awesome. Yeah, that might be great at the beginning, but when it comes right down to it, you're gonna want to see their documentation.
(23:02):
So demand, demand is usually not a really good word when you're trying to meet with people, so question uh or answer D, demand full access to raw pen tests, artifacts, and exploit chains from the provider's red team. So demanding usually does not go well. Uh, it becomes very confrontational very quickly. So I would highly recommend you do not use that. Uh, you actually maybe have a good uh discussion and dialogue with them, and maybe they'll be happy enough to give that information to you. That being said, the right answer is C.
(23:22):
Review and map the independent assurance reports to your organization's control requirements and risk appetite. Comes right down to put them under NDA. Get the NDA, sign the NDA. Then they will give you all this information, and then you can start looking at it and gleaning over it and determining if it will meet your needs. Again, you need the correct response is you want to get the access to the reports, but you got to get them under NDA.
(23:43):
You want to scope it and determine the coverage to ensure that it covers your own network, and then you want to identify gaps where your organization must implement compensating and complementary controls. So, again, that is the answer. Again, that's on question five. Review and map identity uh independent assurance reports to your organization's control requirements and risk appetite.
(24:04):
Okay, so if you go to CISSP Cyber Training, I actually have more questions that are tied into my deep dive. I just don't have time to go over all of them right now. Head on over to CISSP Cyber Training. You can get access to those. Those are all available to you. Again, uh I'll have to tell you that's on the paid subscription to get access to some of the deep dive questions that I have. But you can actually, actually, actually, you can actually look at the the video of this and you can go through this.
(24:25):
This will be available on my blog uh as well as it'll be posted, obviously, in this podcast. But all that's available to you at CISSP Cyber Training. All right, thank you so much for joining me today again. I appreciate it. I want to tell you that I hope you all are doing well. And I get more people pinging me all the time saying, passed, I passed.
(24:45):
It's like it's like the ding on your phone, you know. Okay, ding, passed, ding, passed. It's been awesome. I'm so excited that people are passing using the CISSP Cyber Training content because they're very, very happy with it. So that's the ultimate goal. Get you done, get you passed, get you moving on. All right, have a great day, and we will catch you all on the flip side. See ya.
(25:06):
Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time.
(25:29):
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.