December 18, 2025 20 mins

Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

Headlines say the talent shortage is easing, yet nearly half of UK businesses still lack basic cyber skills. That disconnect sets the stage for a frank, practical tour through what actually reduces risk—no buzzwords required. We open with real takeaways from the UK’s international cyber skills initiatives and move quickly to the daily decisions that shape resilience: encryption in the cloud, least privilege by default, and how to keep role-based access control from collapsing under credential creep.

We make the identity layer tangible. Single sign-on can simplify life and lower password reuse, but it also centralizes risk. We share how to counterbalance SSO with MFA, conditional access, and strong monitoring. Cloud-based IAM accelerates deployment and gives flexibility, yet brings ongoing costs and integration challenges with legacy systems; outsourcing introduces a loss of control that must be offset by airtight requirements, auditability, and vendor transparency. Phishing remains the most reliable social engineering vector, so security awareness training isn’t optional—it’s the routine that turns policy into behavior.

Zero trust becomes manageable when you stop treating it like a switch and start treating it like a program. We outline a phased path: define protect surfaces, segment by sensitivity, apply continuous verification where the impact is highest, and expand deliberately. Vendor access deserves the same precision: NDAs for legal guardrails, least privilege for scope, monitoring for assurance, and scheduled reviews to remove stale permissions. Along the way, we talk mentorship, pro bono work, and competitions as concrete ways to grow talent while delivering real security outcomes.

We also road-test your knowledge with a focused Domain 1.9 CISSP question set, reinforcing the core ideas with scenario-based reasoning. If you’re preparing for the CISSP or leading a security program, you’ll walk away with a clear playbook: encrypt by default, minimize access, verify continuously, and measure what matters. If this resonates, subscribe, share with a teammate, and leave a review so others can find the show.
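The show notes above return several times to the same access-control points that the question set tests: overlapping RBAC roles, excessive privileges versus least privilege, and periodic review of vendor permissions. The script below is an added example, not code from the podcast or from CISSP Cyber Training; the role catalogue, accounts, approved-permission baselines and review dates are constructed samples, and the 90-day review window is an assumed policy value.

```python
"""Access-review checks for three points from this episode: overlapping RBAC
roles (Q2), excessive privileges versus least privilege (Q5/Q12), and periodic
review of vendor access (Q13). Roles, users and dates are constructed samples."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str]

@dataclass(frozen=True)
class Account:
    user: str
    roles: Tuple[str, ...]
    needed: FrozenSet[str]          # approved minimum for the job (assumed input)
    is_vendor: bool = False
    last_review: Optional[date] = None

# Constructed role catalogue: 'support' duplicates 'billing_reader' exactly.
ROLES: Dict[str, Role] = {
    "billing_reader": Role("billing_reader", frozenset({"invoice:read", "customer:read"})),
    "billing_admin": Role("billing_admin", frozenset({"invoice:read", "invoice:write", "customer:read"})),
    "support": Role("support", frozenset({"invoice:read", "customer:read"})),
    "platform_admin": Role("platform_admin", frozenset({"iam:*", "invoice:write", "customer:write"})),
}
BILLING_NEED = frozenset({"invoice:read", "customer:read"})
REVIEW_DATE = date(2025, 12, 18)     # constructed "today" for the review run

# Constructed accounts: bob holds an admin role his job does not need, and
# two of the three vendor accounts are past a 90-day review window.
ACCOUNTS: List[Account] = [
    Account("alice", ("billing_reader",), BILLING_NEED),
    Account("bob", ("billing_reader", "platform_admin"), BILLING_NEED),
    Account("vendor_acme", ("support",), BILLING_NEED, True, date(2025, 6, 1)),
    Account("vendor_beta", ("support",), BILLING_NEED, True, date(2025, 11, 20)),
    Account("vendor_gamma", ("support",), BILLING_NEED, True, None),
]

def overlapping_roles(roles: Dict[str, Role]) -> List[Tuple[str, str, str]]:
    """Role pairs with identical permission sets ('duplicate') or one set strictly
    inside the other ('nested'); both make role assignment ambiguous."""
    names = sorted(roles)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = roles[a].permissions, roles[b].permissions
            if pa == pb:
                findings.append((a, b, "duplicate"))
            elif pa < pb or pb < pa:
                findings.append((a, b, "nested"))
    return findings

def effective_permissions(acct: Account, roles: Dict[str, Role]) -> FrozenSet[str]:
    """Union of every permission the account's roles grant."""
    return frozenset().union(*(roles[r].permissions for r in acct.roles))

def excessive_privileges(acct: Account, roles: Dict[str, Role]) -> FrozenSet[str]:
    """Permissions granted beyond the approved minimum: the least-privilege gap."""
    return effective_permissions(acct, roles) - acct.needed

def stale_vendor_access(accounts: List[Account], today: date, max_age_days: int = 90) -> List[str]:
    """Vendor accounts never reviewed, or reviewed longer ago than the policy window."""
    return [a.user for a in accounts if a.is_vendor
            and (a.last_review is None or (today - a.last_review).days > max_age_days)]

def access_review(accounts: List[Account], roles: Dict[str, Role], today: date) -> dict:
    """Run all three checks and return the findings as one report."""
    excess = {a.user: sorted(excessive_privileges(a, roles)) for a in accounts}
    return {
        "overlapping_roles": overlapping_roles(roles),
        "excessive_privileges": {u: p for u, p in excess.items() if p},
        "stale_vendor_access": stale_vendor_access(accounts, today),
    }
```

Calling `access_review(ACCOUNTS, ROLES, REVIEW_DATE)` flags the duplicate `support`/`billing_reader` pair, bob's unneeded admin permissions, and the two vendor accounts overdue for review.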

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber, and I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:21):
Alright, let's get started.

SPEAKER_01 (00:26):
Good morning, everybody. This is Sean Gerber with CISSP Cyber Training and hope you all are having a beautiful, blessed day today. Today is, what is it? It is CISSP question Thursday. So we're gonna get into some CISSP questions that are associated with the podcast that occurred on Monday over domain one. So it is gonna be an exciting day.

(00:47):
But before we get started, we have usually I'd like to start with a little bit of some news. And there was just an article that popped out recently about the UK hosts an international cyber skills conference. Uh, I know this is a big topic for a lot of different companies, and I've I get approached here and there about CISOs, I should say, CIOs that are looking for CISOs to do

(01:09):
fractional CISO work. And this is no different. There are tons of opportunities out there for security professionals. You just have to be able to be in the right place to find those, and yet they have the experience to help you with that. But the interesting part with that was that this UK is realizing that they are having challenges with filling their cybersecurity roles.

(01:29):
And so, therefore, they had a three-day international conference to discuss how to tackle the growing threat of cyber attacks. Now, I'll be very transparent. There is a lot of conversations that occur on how to deal with this. Sometimes I feel there are conversations and not enough action. But at least within this conference, they're trying to do some things to potentially offset some of those challenges.

(01:53):
One of the things they had was this global cybersecurity skills recommendations report. And in this report, they did say that they're trying to figure out how to get this resolved. And they did say that the number of shortfalls within the UK of jobs has gone down. It's not as much as it was. So they're saying about 11,000 jobs in 2023 down to about 3,500

(02:15):
in 2024. But the interesting part in this is that they said 44% of UK businesses still do not have the fundamental skills to protect themselves from a cyber attack. So the rules may have reduced, but I've seen this time and again. They do not have the knowledge, the businesses don't, to protect

(02:35):
themselves from a cyber event or incident. And what can happen is that as they don't have the skills to do that, one event can be catastrophic for a business. I mean, take it from me. You already are running on very small margins your businesses, and now you have a cybersecurity incident that occurs, it can be

(02:56):
damaging. And if not, it can also potentially shut you down. So it's important to understand that if you are a cybersecurity professional looking for a role, it is important that you work hard to get your education uh in a level that will be acceptable by people, but also to help businesses that maybe don't totally understand that they have a problem.

(03:17):
And this is one thing I'd recommend is that doing this pro bono work, potentially like helping nonprofits, is a very good way for you to kind of gain some knowledge, some expertise, but also help people out because you have knowledge that you may not think you do, but you have knowledge that many people just are looking for. Even if your knowledge in your mind is a more basic type of

(03:38):
knowledge, there are there's tons of individuals out there that are looking for someone that has something to be able to give them some guidance and some direction. They also had a, in this article, they talk about the UK launches two cyber skill uh schemes and one competition. They're basically having to figure out how to have competitions to bring new people into cybersecurity as well as

(03:58):
then educate and teach them so that they can uh go out and try to do more to help protect the the overall country itself. So it's again, they have a uh scheme that delivers tailored support to universities, councils, and businesses across England. And then they also have a competition to find young talent. Uh I will say that I have a young individual that I work

(04:19):
that I go to church with, and he is super smart, and we've done a lot to kind of help kind of guide and direct him uh into the cybersecurity field because he is going to do wonders for that. But it also takes someone that can kind of lead and mentor individuals, these young folks, to kind of give them the direction that they need to get into the cybersecurity space.

(04:39):
Okay, so let's get into the questions for this week. Question, we're in group 10. This is of domain one. And if you go to CISSP Cyber Training, you'll be able to get access to this courseware. All of it's there is available to you. Uh, all these questions are available. You can go and study for these questions for the CISSP, and you can gain access to all the information there.

(05:00):
It is all, again, would you go in, you purchase any of this content, it goes to a nonprofit that is associated with adoptive families. So I would highly recommend that if you're interested in the CISSP, what a great way for you to be able to get the training you need as well as being able to help other people out. So it's a good deal. Okay, so we're again group 10. This is 15 questions, and this is we're tied to the today is

(05:23):
domain one, and it's 1.9. So question one, which of the following is the most effective method for preventing unauthorized access to sensitive data in a cloud environment? Again, which is the following is most effective method for preventing unauthorized access to sensitive data in a cloud environment?

(05:43):
A, implementing strong encryption at rest and in transit. B, conducting regular vulnerability assessments. C, limiting network access to authorized users only, or D, regularly updating software systems. So the most effective way for preventing unauthorized access of sensitive data is implementing strong encryption and at rest and in transit.

(06:04):
So we talk about this in the past is that when people gain access to the data, it's very easy for them to gain access to it. I mean, I shouldn't say easy. It's it's odds are highly likely that they're going to gain access to the data that you may or may not want them to have. And having encryption is an important factor, especially when you're dealing with sensitive data in a cloud

(06:24):
environment. Question two, which of the following is a common weakness in the role-based access controls? Or RBAC? A, lack of segregation of duties, B, excessive privileges, C, overlapping roles, or D, lack of user training. Now, again, what is a common weakness? Now, this can be a couple different things, right? There can be weaknesses in this with lack of user training, and

(06:48):
there can be excessive privileges, but realistically, the common weakness in role-based access controls is overlapping roles or credential creep. Again, this in RBAC, this can create confusion and inconsistency, complicating the access management and increasing the risk of unauthorized access. So overlapping roles can be a problem with RBAC.

(07:11):
Question three, which of the following is the best method for ensuring that employees are aware of and comply with the organization's security policies? Again, which of the following is the best method for ensuring that employees are aware and comply with the organization's security policies? A, posting security policies in a visible location. B, providing security awareness training.

(07:32):
C, implementing technical controls to enforce compliance, or D, conducting regular security audits. Again, which of the following is the best method for ensuring employees are aware and comply with the organization's security policies? And the answer is B, providing security awareness training. Again, this training can be an effective way to help employees.

(07:54):
Now it isn't going to be the panacea and fix everything, but it is a really good way to help again getting this stuff in front of people on a routine basis. Over and over again. Question four, which of the following is a disadvantage of using single sign-on solution? So what's an advantage disadvantage of using SSO? A, increased complexity.

(08:15):
B, increased cost. C, limited scalability, or D, reduced security. Now, when you talk about this, what do you mean? You're going to say, well, this doesn't make sense because it does have increased complexity, it does increase your cost, and it does limit, it doesn't really limit your scalability, but it I guess it can because it depends on if everybody signs up for SSO.

(08:36):
But what the main disadvantage is it reduces security. And you're going, what do you mean? Well, the reason is, and this is kind of a double-edged sword, is that it can potentially expose it's a single point of failure within your organization, and it can expose access to multiple systems and applications. It also is a benefit in the fact that not everybody has to remember passwords for all these logins, which is a lot of

(08:58):
password reuse that's that occurs. So reduced security in the best situation, right? So in this question, the best answer of all these answers is the reduced security. But keep in mind you need to understand with SSO what are the other positives and negatives that go along with that. Question five, which of the following is the best practice

(09:19):
for managing privileged accounts? So which of the following is a best practice for managing privileged accounts? A, use strong and complex passwords. B, implement least privileged access controls. C, monitoring privileged account activity, or D, regularly changing passwords. So which of the following is a best practice for managing

(09:40):
privileged accounts? And the answer is B. Implementing least privilege access controls. Again, least privilege is crucial. It's very important for the mapping or managing of privileged accounts and it minimizes potential damage from an account compromise, right? So if you have least privilege and your account is compromised, it does limit the blast radius in which someone can gain access

(10:02):
to this data. Question six, which of the following is a disadvantage of using cloud-based identity and access management solutions? So what is a disadvantage of using cloud-based identity and access management solutions? A, increased cost. B, decreased flexibility. C, decreased security.

(10:22):
Or D, longer implementation time. So longer implementation time isn't true because when you're deploying IAM within the cloud, it's very easy. I should say it's it's easier than if you were deploying it on-prem. The decreased security, no, that's important because IAM account management is an important factor unless you were to just leave it wide open.

(10:43):
And then decreased flexibility, it does give you the flexibility that you need. Now, it sometimes can be a little bit problematic when you're dealing with on-prem and cloud and integrating your IAM solution between the two, but it is it's not a factor. It is actually increased cost. So they they will lead to a higher cost to ongoing service fees and potential additional charges, making it a potential

(11:06):
disadvantage, a notable disadvantage. So there is increased cost by using IAM solutions. They don't do this stuff for free, so unfortunately, you gotta pay for it somehow. Question seven, which of the following is a common attack vector for social engineering attacks? Okay, this is probably easy. You guys will get this one. A, malware, B, denial of service, C, phishing emails, or D,

(11:28):
unauthorized physical access. Right? A common attack vector for social engineering attacks is C, phishing attacks, right? That's what they use to get as much of the information as they can. And the point is they mask around it as legitimate emails. Question eight, which of the following is a best practice for managing vendor access to an organization's systems?

(11:50):
A, providing vendors with broad access to the network, B, requiring vendors to sign non-disclosure agreements, C, monitoring vendor activity, or D, limiting vendor access to specific systems. So which of the following is a best practice for managing vendors' access to an organization's system? And the answer is B.

(12:11):
Okay, it's it's requiring vendors to sign non-disclosure agreements. Again, this is a best practice, and this is how you manage the access. It doesn't really manage it so much. It's more of just kind of, I guess it's managing it. It's not physically managing it, it's managing it from a paperwork standpoint. And it does help protect sensitive information by legally binding them to confidentiality, which is an important part of

(12:32):
any vendor agreement. Just keep in mind though, any document somebody signs is not going to stop them from doing something with the data they shouldn't do. But it does add one more level of protection that is there's consequences associated if they were to be doing something inaccurate or wrong. Question nine, which of the following is a challenge

(12:53):
associated with implementing a zero trust security model? A, decreased user productivity, B, increased cost, C, integration of legacy systems, or D, increased complexity. So again, the question is which of the following is a challenge associated with implementing a zero trust security model? And the answer is D.

(13:13):
It is an increased complexity. Now, it all of those are an important part of a zero trust model. Decreased user productivity, increased cost, integration with legacy systems, all of those can be a challenge associated with a zero trust model. But when it comes to the complexity piece of this, adding

(13:33):
zero trust security model does introduce a lot of complexity and is a rigorous requirement, and requiring every access request and continually accessing trust, it can be a very complicated security management plan. And I would highly recommend if you're going to implement zero trust within your organization, start small. Start in areas that you know you can use or that are not complex,

(13:56):
that don't have a lot of ties, and then just be build upon it. And I will say a zero trust for your entire environment, it might be a great bumper sticker. I don't know how well that you can deploy zero trust from an environment that started off as a blended environment. So what I mean by that is if you start Greenfield, where you start with a brand new uh building or a brand new network,

(14:21):
that you can move to a zero trust relatively simply, not easily, but simply. If you start with nothing, now if you start with a complicated network that is already has an old legacy network built into you're trying to embed within a cloud environment, uh new technology, old technology, moving to a zero trust

(14:42):
environment can be a bit more problematic. And I will say that it could be very, very challenging. So you what you want to start off with, especially if you're dealing with a legacy environment that you have, uh start small. Start in areas that you feel you can deploy zero trust, and you may never get there. You may never get to a complete zero trust within your environment because of the additional costs that it may

(15:05):
result in you moving forward. So just kind of keep that in mind. Now, if you have mandates from governmental officials that you must be zero trust, well, then I guess you'll just be dumping gobs of money and try to figure it out. But just know that if you don't have mandates that you must have your entire network zero trust, then you may it may, not saying

(15:25):
it will, but it may come down where you are in smaller uh segments that you may deploy your zero trust. Question 10. Which of the following is a risk associated with outsourcing identity and access management services? A, loss of control, B, increased cost, C, decreased security, or D, reduced vendor expertise. So again, you're outsourcing your IAM services.

(15:48):
And the answer is A, loss of control. Okay, so I outsourcing IAM can lead to loss of control over the management and security controls associated with it. So one thing to think about is if one of the requirements is you must maintain control, that would be one of the requirements that you talk to your vendor about and go, what can we do here? So you just need to kind of think about that before you

(16:09):
start going down the IAM path. Get really prescriptive on what are your requirements, what are you asking for specifically to try to accomplish with your IAM's uh deployment. Question 11, which of the following is a best practice for managing privileged accounts in a cloud environment? Again, which of the following is a best practice for managing privileged accounts in a cloud environment?

(16:30):
A, using strong complex passwords, B, implementing least privilege across our access controls, C, monitoring privileged access account activity, or D, enforcing multi-factor authentication. So which of the following is the best practice for managing privileged accounts in a cloud environment? And the answer is B, implementing least privilege access controls.

(16:51):
Again, least privilege controls are vital for managing privileged accounts in the cloud. You want to do that anytime you can, but especially for privileged accounts. It does limit the account's access to only what is necessary, reducing the potential impact of a compromised account. Question twelve, which of the following is a common weakness in identity and access management implementation?

(17:13):
A, overlapping roles, B, lack of segregation of duties, C, say excessive privileges, or D, inconsistent password policies. So which of the following is a common attack, a common weakness in identity and access management implementation? And the answer is C. Excessive privileges. That is a common weakness that you will see in IAM.

(17:35):
Question 13. Which of the following is a best practice for managing vendor access to an organization's systems? Okay, we talked about this a little earlier, but it's a different question. Which of the following is a best practice for managing vendor access to an organization's systems? A, providing vendors with broad access to the network. B, requiring vendors to sign non-disclosure agreements.

(17:56):
C, monitoring a vendor activity, or D, regularly reviewing access permissions. Again, which of the following is a best practice for managing access to an organization's systems? And that is D. Regularly reviewing access permissions. This is a best practice for managing vendor access and it ensures that only necessary permissions are granted and helps

(18:16):
identify and revoke the access of outdated or unnecessary access controls or access credentials. Yes. Sorry, I kind of lost my train of thought on that one. Question 14. Which of the following is not a common personnel security policy control? A, background checks. B, separation of duties.

(18:37):
C, mandatory vacations, or D, risk assessments. So which of the following is not a common personnel security policy control? And the answer is D. Risk assessments. Risk assessments are a broader process used to evaluate the overall security posture of an organization, including personnel security, but is not a specific control within the personnel security policies.

(18:59):
Question fifteen. Which of the following is a primary purpose of a non-disclosure agreement? So what is the primary purpose of a nondisclosure agreement, or NDA? A, to protect the organization's intellectual property. B, to ensure employees comply with companies' policies. C, to hold employees accountable for their actions, or D, to

(19:19):
prevent unauthorized access to systems. And again, the primary purpose of an NDA is to protect the organization's intellectual property. So A, NDAs, they're primarily used to protect the organization's IP and confidential information. Again, by prohibiting employees and contractors from disclosing unauthorized to unauthorized parties.

(19:40):
That being said, again, it's a piece of paper. So it doesn't mean people aren't going to do it. Okay, I hope you guys enjoyed this. Again, this was off of domain 1.9 of the CISSP ISC Squared book. You can go out to CISSP Cyber Training and you can get all of this content for you at CISSPCybertraining.com. Again, all proceeds go to nonprofit for adoptive families.

(20:03):
So again, go out and buy to your heart's content. Bye, bye, bye. Have you guys have a wonderful day again? And you go out there, attack the evil hacker horde, and we'll catch you all on the flip side. See ya.