50 CISSP Practice Questions. Master the CISSP Mindset

Captions
in this video I'm going to be doing 50 cissp practice questions with you and I'm going to be going through the mindset it takes to pass this exam I'm Andrew Ral I've been teaching cissp courses since 2005 2006 the thousands of students over the many years and I've always told people this passing this exam is not just about knowledge in fact I've met quite a few folks that have memorized the study guide that knows the material inside out they go to take the exam and they fail in almost every single domain this exam is not just about knowledge I've always told people it's only about 50% knowledge so if you memorize the book it's not going to get you over that basically 70% you need to pass this exam what you need to do is you need to have the mindset you need to be able to think like a manager and in this video I want you guys to learn to develop that thinking I want you guys to develop that mindset that you need to go in there and pass this exam so as I go through all the questions with you I'm going to be teaching you that mindset always keep that in mind it's not just about knowledge just don't pick up the study guide start studying and before you know it you take the test and fail pick up the study guide learn it but then learn the mindset to pass this exam let's get right into it so we got 50 questions now as I show the questions on the screen like right now I want you guys generally pause the video read it and answer it because I'm just going to read it and answer it right away I'm not going to pause it at any at any point that's what the pause button is for right if I'm too slow speed me up a little bit that's fine but I want you guys to learn the mindset of it and I'm going to give you guys a lot of tips as I go through every single one of these questions so it's going to be a pretty long video let's get right into it all right practice question number one in the context of Disaster Recovery planning what is the most critical aspect to consider when creating 
a recovery time objective a the cost of implementing disaster recovery measures theability of backup data the criticality of business functions the geographical location of the disaster recovery site now one of the things that we find in the cisp exam is you're going to get quite a lot of questions like this where most of the choices if not all the choices are absolutely correct you're going to have this one where it's most now I'm going to give you guys a tip that I've given all my students that has helped them on tons of practice question anytime you guys get a question where you see something like most that tells me something that all of these choices if not at least two will be absolutely correct so when you're thinking about something it's most critical aspect you know for some companies it may be the cost for some companies it may be well is there backup data available for some companies be how critical is that business function and then hey where exactly are those Disaster Recovery site so we got a great question here four choices let's see what the answer is on this one this is going to be C now why is that well when you come to a question and you have and this is going to be a mindset that I'm going teaching throughout these questions when you come to a question where you have choices that are all correct here's a quick tip here's the mindset go with the broadest one go with the choice that includes all the other choices for example this answer the how critical a business function the criticality of business functions this here will tell us some generally something that's very critical will dictate the cost so it includes a right it'll dictate how it should be backed up on when you know where the availability should be the geographical location recovery site this one here was more of a throut answer yes it shouldn't be close to your actual data centers but in this one here we're looking at how fast we can bring things up don't forget the recovery time 
objective specifies the maximum allowable downtime for a critical business function so when you're thinking about a particular question the criticality of business function this here will then dictate maybe how much we should be spending on backing that thing up something that's super critical will generally require a lot of money to maybe you have multiple backups across multiple sites maybe have it in cloud and physical locations in one all right good question remember the tip if one choice is including all the other choices or one choice includes multiple choices that's generally a good answer uh for that particular question one of the things about the cissp is thinking like a manager quick tip when you think like a manager you don't think specific you think overview managers don't see one thing a tech does technical people if they work on a firewalls they fix fire they fix firewalls managers they don't see just firewalls the CD higher system so this something we have to think about we think of business functions we think of keeping our business running we thinking of keeping it coste effective great tips there all right practice question number two now this is going to be a straightup knowledge question this is a question if you have the knowledge you're going to get it right if not you're going to be kind of messed up here so which of the following security models is most likely to be used in a highly classified government agency where data confidentiality is of utmost important the Biba or bber model B lapadula or lapadula depend on how you want to pronounce that Clark Wilson the Brewer Nash model let's go into this so in this particular one the bell model is the model of confidentiality now notice they say data confidentiality bell model basically has a set of rules and it comes with the principles of no read up no write down all right so no read up no write down what this does is it ensures that Folks at a lower level maybe somebody with secret cannot read 
top secret data and no write down folks with top secret can't write to a secret why is that because what they're saying here is that someone who has a top secret clearance can't take top secret data copy it and then put it into secret documents or public documents so these are the rules of confidentiality now once again this question is most knowledge based if you knew your your models you probably would have gotten this one correct the rest of these are basically Integrity model I'm not going to get into this here because this is not a training course but when we in the course we'll cover all the different models that are out there such as the bya model and what their and what that model rules is for integrity make sure you know these models for your exam practice question number three another knowledge one which cryptographic algorithm is best suited for ensuring the integrity of large files or messages so this one you need to know your algorithms before going into your exam room know what algorithms are symmetric know not of pros and cons of symmetric asymmetric and integrity so in this particular one the only Integrity algorithm that I have here is going to be shaw 256 which is a pretty standard Integrity algorithm that we use in today's world in fact most things that utilizes a cryptographic hash is going to be sha 2 56 don't forget sha Comes This is sha 2 there's a sha 3 they come a variety of sizes from 128 256 uh 384 512 so there's different variety of sizes but 256 seems to be the standard one RSA is an asymmetric algorithm AES is a symmetric algorithm if not these are going to be the two most famous symmetric and asymmetric Dez is depreciated you should not be using Dez Dez has been cracked because of its smaller key size at 56 bit that is a symmetric algorithm also all right practice question number four in the context of network security which of the following protocol is least likely to be used for securely transmitting sensitive Data before taking 
your exam no your protocols know which ones is you should be using in the world of security and which ones you should not be okay we are all pretty much familiar with https as https is secured with SSL so that's good SSH is this is the secure shell this is your secure version of telnet so that is secure SNMP does include encryption now this is uh simple Network management protocol this is used to manage Network components gather statistics but Network components FTP is insecure FTP is not sensitive all right now I want you guys to not to this word lease on your exam be prepared for tons of questions where you have lease most uh you're also going to have things where you have to choose things that are not like this which one of these is not going to be the best answer so be prepared for a lot of questions if not all of them basically comes like this okay don't forget to know your algorithms before going into your test practice question number five let's take a look which of the following is the most critical consideration when designing a disaster recovery plan for a data center a redund power providers B knowledge of geographic disasters C geographic location of of the backup data center and D backup of a disaster recovery plan now this is a good question basically when you're making a disaster recovery plan you know what are you thinking about what goes through your mind and all of these pretty much sounds good D for example should you back up your plan yes you should you should know where the disaster where your backup data center is you should know all the geographic disasters where your backup data center is going to be such as is the disaster site I'm sorry is the backup site prone to earthquakes hurricanes and can you get multiple Pro Power providers coming in to a data center now let's go through this so the best answer here is going to be SE and here's why I gave you guys a tip earlier if one choice is doing multiple of those choices it's probably going to 
be the correct answer always go with that broader answer and say to yourself well what choice here includes all the others for example the location of a data center can dictate can you get redundant power coming into it the location of a data center or or backup data center in other words determines what type of disaster is prone to some data centers may be prone to earthquakes while some are not for example you put one in San Francisco or California versus putting one in the middle of the country where they might not get earthquakes but they may get tornadoes and hurricanes on the coast and so so on uh backup of a disaster recover plan while this is important you have to say which one is more important like which one you going to go with over one over the other I give you guys a quick tip when you're doing your cisp exam I want you guys to say this to yourself you're looking at the question in real life because this test is definitely not real life in real life you can go with multiple things in real life we're not going to go with one option right in real life we don't would want in real life we do everything here but you have to choose one option and the tip I tell people is if in real life think about this in a real life if in real life you can only do one thing one thing and one thing only what would it be if you go with this you can't go with that in real life like which one is the most critical one because if you think about it the geographic location would be more important like where you put like if I said you can choose the right location or just back up your plan which one would you go it you back up your plan if youg get the location no right that's why C is a better answer here okay that's why you got to focus yourself on one and one choice only all right next question in a cloud computer environment which of the following is the most critical factor for ensuring data security and privacy Services provided by the cloud provider strong auth strong 
Access Control authentication regular security Audits and assessment service level agreements with the provider okay this one also has multiple correct answers why look at this we got this word most here now I'm going to eliminate two choices first of all the slas are mostly going to be for things like the performance the S the performance of the service provided like uptime and downtime so me eliminate that one Services provided by the cloud provider you know AWS offers quite a lot of services from web services data backups and so on I don't think that's really going to look so much so to data priate security now we come down to two things now you have to focus yourself you have to say to yourself okay I'm going to use a cloud provider now in real life once again we're going to have both you know you're going to want to think about is it a secure authentication and is these data centers being checked things like sock reports and so on you know which one are we going to go with and now you really got to narrow it down now if you're going to have one thing and one thing only remember that's this tip I gave you if you can choose one of those choices and no more like if you can only go with one would you want regular security Audits and no authentication or would you want great authentication or forget the security audits this is how you have to think all right this is the mindset if you go with one forget the other one you're not going to get it you can only get one which one would it be would you guys want authentication would you guys want security audits well I don't know but you but if I'm going go with a cloud provider I think if I can only have one I'm going to go with that strong authentication I want good authentication in directly impacts the data security and especially the word privacy gives this away because access controls controls the access between subjects and objects Access Control controls things like Bob can access that file Mary can write to that 
file Bob can only read to it and so on and so on so B is the best answer now remember this tip if you can do one you got to forget the rest and that gives you this here plus if you read very carefully one of the one of the main reasons that people don't get questions correctly on this exam is they read it too quick they have to read directly into the question and answer as they give as they get the question practice question number seven which of the following cryptographic techniques does cryptographic shredding predominantly depend on so this is called Crypt shredding symmetric asymmetric hash or stiggy now for this one here if you understood what crypto shreding is it is a pretty easy question as most Crypt shredding is done with symmetric encryption so what exactly is crypto shredding so crypto shredding is basically used in the cloud what crypto shred in does is that in order to delete cloud data right you can't go and wipe physically wipe out the hard drives of an AWS server but what you could do is you can encrypt the data with a key on your machine symmetric key now remember the thing with symmetric encryption the key that encrypts is the same key that decrypts so if I encrypt data in the cloud with a key store the key on this machine right here and then I delete this key permanently this key is gone forever there's no way to decrypt that data in the cloud because the key that encrypted the data has is gone that's is crypto shredded now where is it you know what type of key does it use it doesn't use an asymmetric key that's two keys public and private Keys a hash really doesn't any cryp data it just produces a cryptographic hash stenography is basically basically hidden data in data basically hidden like a message inside of a picture it does not use that function this here is a knowledge based question quite a lot of my students get questions on Crypt shredding make sure to know it for your exam once again practice question number eight in the context of 
security incident response which of the following is the most important consideration when determining the severity of an incident the number of system affected okay I like that answer the financial impact definitely the level of media attention depending on the company sure the potential harm to the organization's reputation sure okay you got to think like a manager here you got to say to yourself if I'm the boss which one would I be worried about the most the number of system being affected yes this is going to bring it down yes you can lose money yes the media is going to come come after you the potential but there's one thing here that stands out the most there's one that if you know that takes over all the answers remember this tip if one choice does the does the others then that's the answer watch the number of systems going down affects how much money we make if we get Negative media attention we lose money the potential harm to the organization again we lose money like which one of these choices is going to lead to the other to the main to the to the main choice it's like the financial impact is the end goal right the financial impact is what happens at the end not what happens throughout see it as the manager manager sees to the end of the tunnel the text is who see throughout the tunnel so this is the end thing that happens of course if you were thinking like a manager you would have said well money is involved so that's probably the answer anytime you take your exam and you see a choice that talks about money money being involved it's probably a good option it may not be the correct option but it's a good option to keep to keep an eye on practice question number nine which of the following is the most critical step in the secure sdlc or software develop for preventing keyword preventing security vulnerabilities penetration testing code review requirements Gathering user acceptance tesed this one here you're really have to think now when you think about 
preventing security vulnerabilities what can we do the word prevention means to go back right so you're preventing heart disease by exercising and eating right now you don't prevent heart disease after you get it right so you don't prevent vulnerabilities by cleaning up a virus that means you got the virus you never prevented it so anything to do with testing in is eliminated because testing comes after the fact right testing is something we're going to like if you're testing for heart disease right that means that you probably are seeing maybe if you have it that means you haven't really prevented it right so if you're testing to see if there's bugs means hey you didn't prevent the bugs you can test to see if there's bugs in there though if your you can test to see if your prevention method worked but you're not preventing him review is another word if you're reviewing something thing that means that you're checking to see if your prevention method works the best way to prevent things is to collect the requirements correctly what requirements are we needed to prevent a particular security bugs maybe we need particular coding standards or particular methods of coding that software or we can prevent vulnerabilities by using again in requirements you would list one of requirements is using the latest in security protocols for example so remember this word prevent read carefully if you got this one wrong you weren't reading carefully question 10 in the context of security governance what is the primary role of a steering committee developing technical security controls managing day-to-day security operations setting strategic security objectives and priorities conducting security risk assessment now couple things here this is a question about management uh still in committee is a committee that quotequote steerers to determine directions to determine where are we going like for example a security steering committee is going to set all those highlevel policies within 
the organizations what we should be doing now and of course in the future so when you think of a manager's job does a manager deals with the daytoday work do they deal with the day especially a stering committee right they determine futuristic things they don't determine the day-to-day things you may have a day-to-day operations manager but when it comes to a steering committee they're not going to be doing the day-to- DAT operational tasks managers let's be realistic are not very smart in terms of technical things in fact managers depends on a technical team to give them a lot of technical directions so that would eliminate developing technical security controls steering committees don't do that maybe they work with the technical team to do that conducting risk assessments that's something more like a security manager should do not necessarily a steering committee a steering committee again is very high level they determine high level future task that we should be doing so nothing in particular bringing the answer to C stering committees in particular such as a security steering committee within an organization will develop the security objectives and strategic strategic means long-term strategic plans for example are about 3 to 5 years and what we should be prioritizing this is going to be more of what a manager a team of management should be doing all right practice question number 11 oops in a distributed denial of service attack mitigation strategy what is the most important goal during the detection and response phase all right detection and response phase identifying the source of the attack mitigating the attack and restoring service collecting evidence for legal prosecution blocking the traff from a know IP address so this one you really have to read into it so it says detection and response so you have to detect it and you have to respond to a Dos attack what's a Dos attack it's when you have a ton of bots coming after your website generating a ton of 
traffic maybe bring the website offline identifying the source of attack that sounds good mitigating a restoring service well that's good because that's how you should respond collecting evidence for legal prosecution is going to come way after this blocking traffic for not knowing this here is going to help to slow or stop it so we want this identifying the source of attack although that's good in detection which one here was better so I Got A and B now notice the goal the key word now if you guys selected um a right if you guys selected a you're going with what you're doing you're not going with the goal of what exactly is the goal of detect and response did you get that the goal of detecting an attack and responding to it is to stop the attack right mitigate the attack slow it down and restore services that is the goal of what we're trying to do in doing that you will identify the source of attack you may block traffic from no one IP but that is what you're doing that is not the goal of it my goal is to lose weight I want to lose 10 PBS okay but me jumping on a treadmill is not a goal the goal is to lose the weight the activity of jumping on a tread me will lead to my goal the cisp exam is worded very uniquely you have to pay attention to the words if you guys got this question wrong because you didn't read correctly read the question clearly hopefully as you go through these 50 questions you're going to see okay I need to start reading these questions more carefully and you're going to see the answer is you know the answer is not that difficult if you read them more carefully practice question number 12 which of the following controls is most effective in preventing a privilege escalation attack role based Access Control Network intrusion detection system antivirus software security information and event management okay pretty easy question if you you understood what it is so it's a privilege escalation privilege escalations is when I log in as a normal user 
and I do something to the machine to boost my privilege to become an administrator now couple things here that I can eliminate right off the bat first of all a network intrusion detection system that's not going to help you here because this here detects intrusions on a network this here detects intrusions uh coming through your entire network so maybe like a word or something like that sprinted on the network privilege escalations attack generally happens on a single system as see this here can detect events this is a correlation of logs think like Splunk so this here is not going to be preventing it but this can detect it and some people may say well Andrew well maybe an IDs can detect a worm that's going to do a privilege escalation but once again the word is prevent this is detect antivirus software versus role base Access Control now I do like these two answers these are great answers because 99% of the time guys for them to do a privilege escalation attack they probably going to use some kind of malware so in that case C is a good answer but then you have a role base Access Control now you got to come back to the mindset I told you you can only do one thing if you do a you're not doing C if you do a in other words you limit the guy's permission versus C you install an antivirus so if you're doing one you're not doing the other so remember this choice if you do one you're not doing the other that's how you got to see this if I'm doing this I ain't doing that one in real life yes I know you'll have antivirus and you'll have restricting user accounts because role based access control is basically putting people into groups and assign in permissions so which one would I go with I'm going to tell you I'm going to go with role base Access Control here's why role based Access Control literally is limiting people to a particular role like if you work in accountant you can only do accountant duties you're normal user on this machine and you can access these account 
and files antivirus if you just install antivirus but you give them full access to the network great but that means that if they use a privilege escalation software that's not considered as a virus or zero day exploit they're going to get through but if they didn't even have permission in the first place the system would have limited them in other words to just those particular tasks making this a better better answer than just that so again use this thing where I'm telling you if you're doing one choice you're not doing the other in other words you can only do this and everything else you will not be doing because again in real life guys we are going to be doing everything yeah I know we're going to do everything but for this exam we can only do one question 13 in the context of security risk management which of the following risk treatment options is the most appropriate for risk that are outside the organization's risk appetite risk risk avoidance tolerance acceptance or mitigation so we have to know our risk responses here so the first thing up we have to decode you know what exactly are they asking for so when something is outside your appetite it means you don't want it to happen risk appetite is how much risk you're willing to take so if you have no appetite for the risk the only thing here you can do is elimination Wipe Out the risk so the risk will not happen which one of these respon is is going to tell you that you know which one of your responses is going to tell you that it's going to eliminate risk now if you know your risk responses it's pretty easy so for example you should automatically eliminate acceptance because acceptance means to do nothing it's when you take no action against your risk and if it happens it happens means you're willing to accept it you know you have a big appetite for it risk transference the risk can still take place it's just that somebody else has has to deal with it generally like hireing an insurance company risk 
mitigation and avoidance this is the one that confuses people mitigation is lowering all right this lowers a risk risk mitigation lowers probability and or impact for example installing an antivirus you can still get virus on the computer but it's it's a lower probability and or impact of a virus hit in your machine but risk avoidance is the elimination of risk risk avoidance eliminates risk remember that it's an action you take to eliminate risk for example I don't have the risk appetite for virus a on a Windows Server how do you eliminate virus a don't use Windows if you don't use Windows and virus a only affects windows then you know what you'll never get virus a then move to a Linux server that eliminates virus a but you know you guys got to remember something you know just to make this a little complex here for you guys every action has risk every single action we do in life has risk so by eliminate one risk you may get another risk but and you know that word is gone that risk is gone because that risk is completely eliminated practice question number 14 which of the following security controls is most effective in preventing the execution of malicious code from an untrusted Source now keep in mind the word preventing intrusion prevention systems anti virus software application whitelisting host Bas firewalls so these are all good now once again in real life you're going to have all these things in real life you're going to have an IPS installed with an antivirus installed with a host based detection system in fact every time you install allot of these endpoint security software you're going to have all those so you install some antic endpoint security or MCA whatever is that you're using they come generally with some kind of ips malware detection and some kind of firewall so which one here would you go with well let's start out it says from untrusted sources how can we stop people from execution of malicious Cod from untrusted sources which one am I going to 
eliminate first I'm going to go with a whole Spas firewall a firewall blocks traffic coming into the system but if the user goes out and grabs the traffic and clicks on the file and says the download it's not the firewall is not going to stop it I liit that one intrusion prevention systems this here stops malicious trafficking coming into the system but what if the user initiated that not going to help antivir now comes down to two things antivirus and Whit listing so what exactly is application whitelisting application wh listing Whit listing is when you say you can install only those software and blacklisting is when you say you cannot install these software blacklisting is very broad because if you blacklist 10 applications then they can install every other application on the planet but if you whitelist 10 applications that's all they can install let me ask you guys a question which one would you guys go with whitel list in other words you can only install these five software or you can install anything you want but I'm putting antivirus which one would you go with again if you're doing one you not doing the other all right that's how you got to see this are you doing one if you do this one you're not doing this one which one would you guys go with I'll tell you which one I'll go with I'm going to go with the white listing here's why because with the white listing I'm saying you can only install these five software and nothing else will ever be executable on this machine versus an antivirus then you can install whatever you want that's how you get this one making c a better answer than b are you guys getting this mindset all right are you guys seeing how I'm seeing in it you see it like this the cisp not too difficult right practice question 15 in the context of cryptography which of the following statement about the birthday attack is true it's a type of cryptographic attack that targets weak encryption algorithms it's a collision attack that occurs when two 
different inputs produce the same hash value. It's a form of side-channel attack that exploits the physical characteristics of a cryptographic device. It's an attack on the birthday paradox that compromises encryption keys. Now this one here does have a few good answers, but one of them is the absolute true answer, more true than the others. So first of all let's eliminate the absolutely wrong one. It has really nothing to do with the physical characteristics of any cryptographic devices, and it's not considered a side-channel attack. Now it does play off what's called the birthday paradox, and the birthday paradox is when you put a certain number of people in a room, there's a high probability that two people have the exact same birthday. It does play off of that birthday paradox. It is a type of cryptographic attack that targets weak encryption; we don't want to say weak encryption algorithm, so I'm going to eliminate this, because technically the algorithms are not weak, it's just that they didn't have a high enough bit strength. So it comes down to B and D here, and we've got to understand what exactly it is. Now by its definition it really is a collision attack, when two different inputs produce the same hash output. So that basically is its definition. This uses the birthday paradox, but there are no keys in hashing. Hashing doesn't utilize keys. Hashing takes data of basically any length, hashes it, and produces a cryptographic hash. It's not a key, it's a function. The output, that 128-bit or 256-bit hash, is not a key; that's just a hash value. What exactly is a birthday paradox? Quick lesson on this. By definition, hashing takes data of any length, any kind of data, and outputs what technically should be a unique hash. The problem is you have unlimited inputs. In other words, you can put in an unlimited amount or unlimited types of data, and it's going to output, let's say, a 256-bit hash, but there's only a certain number of 256-bit hashes, which is how many hashes? 2
to the 256, a very big number. So the probability of having different messages with the exact same hash exists, but how high is that probability? Well, let's say that I told you that this algorithm can only produce 10 hashes. Well then there's a high probability that different messages are going to produce the same hash, because you only have 10 probable hashes. But when the number is 2 to the 256, it's very unlikely. You see, the birthday attack is when you have two different messages with the exact same hash. If you only had 10 hashes probable, let's say your algorithm only produces 10 hashes, there's a high probability of having a birthday attack. Where does this affect you? What exactly is hashed a lot? Passwords are hashed, right? No password is ever stored in clear text, or it shouldn't be; it should be stored as a hash. Where the birthday attack can affect a system is when, let's say, your password is "car" and I come to your computer and I type "van" and it logs me in. So what happened here? The word car and the word van are producing the same cryptographic hash. Generally, the more hashes you have, like 256-bit, it's very unlikely, but it's not impossible, and that's the definition of a birthday attack. Join me in the course and we'll go more into cryptography if you want to learn more about that.

Let's go to number 16. Which of the following is the primary goal of a security awareness training program within an organization? To ensure all employees can effectively respond to security incidents. To reduce the likelihood of insider threats and data breaches. To achieve compliance with industry standards. To teach employees the organization's security expectations. Now this is a question of the word "primary" and the word "goal." You have to read it carefully. What answer did you get? Well, you're looking at the endpoint. Remember, anytime you see the word goal, you're looking at the endpoint. When you see this word primary, you know most of those choices are correct. Like when you're doing security awareness
training, you're going to teach them what you expect them to do, you're going to teach them how to respond to security incidents, you're going to achieve compliance with industry standards, because that's one of the reasons why you would do it. But what exactly is the goal? Well, the goal here is really to reduce data breaches. Why do we do this? What is the endpoint? Anytime you see this word goal, think of, well, what exactly is the main reason? Not doing it; doing it is the act of doing the actual action, but the goal is what you want out of it. Now let me show you how all of this links up. Look: to teach employees the security expectations will reduce the likelihood of insider threats. To ensure all employees respond effectively will reduce employee threats. Now it comes down to B and C, and a lot of you guys probably went with C. But why? Why do we have laws and regulations? Why do we follow these certain compliance requirements? Not just to be in compliance, but those laws and regulations that say why we should have security awareness training are really there to reduce the likelihood of threats and data breaches. So I want you guys to remember: look at the end goal, look at where exactly we are going with this, the best answer.

Number 17. In the context of cloud computing, what is the primary concern when it comes to data security and compliance? Now the word here is compliance. You know, when it comes to the primary concern with data compliance: data encryption during transmission, sounds good; physical security of the data center, that sounds good; data sovereignty, so data sovereignty affects the jurisdiction of the data, where the data is created, where the data is stored, and the laws that apply to it. For example, data collected in the EU, because the data was collected there and it's EU citizens' data, has to have EU laws and jurisdiction applied to it. Multifactor authentication for cloud users, I like this, because it's the cloud. This is a good question, because when you're managing
the cloud, you want everything. You want data encryption during transmission, you want physical security, you want to worry about laws, you want to worry about, hey, you've got to make sure that hackers can't get in, use multifactor. Now which one is going to be the primary one? Once you get a question like this, which one affects all the others? Well, let me tell you guys something. The data sovereignty and the jurisdiction will affect the encryption we use, will affect how the data centers are secured, and will affect the type of authentication. This is one where you use that mindset: if one choice can include all the other choices, then that is the primary thing. Ideally, think about this: what's your primary concern? Your primary concern is all of these things. So which one here is all of them? That's the mindset. Which one is all of them? Go with that one.

Practice question number 18. Which of the following encryption algorithms is considered the least computationally efficient but provides the highest level of security? AES, RSA, ECC and Blowfish. So which one here is not very good at computing? Which one is really slow, in other words? Notice this word "least." Now if you know the difference between symmetric, asymmetric, hashing and so on, this is a pretty easy one, because if you remember from your teaching and your learning, symmetric encryption is very quick but passing a key is difficult, versus asymmetric: asymmetric is very computationally intensive but it's easy to pass the keys around. So that means RSA is the answer here, because RSA is the only asymmetric... this is asymmetric; actually ECC is asymmetric too, but ECC uses a smaller key size than RSA. ECC is really not too bad when it comes to computation, because it actually uses a small key size versus RSA. So this one, no good, this one, no good, and Blowfish, this is a symmetric algorithm. So once you know symmetric, you should have eliminated A and D, and then it was down to RSA and ECC. Remember for your exam: RSA requires a bigger key size
than ECC, or the elliptic curve, which requires a smaller key size, making RSA not the best when it comes to computation. For example, an RSA key may be 2048 bits versus an ECC key that may be 384 or 256.

Question number 19. Okay, I don't have a lot of questions on SOC reports, but please know SOC reports. SOC reports are on everybody's CISSP exam: SOC 1, SOC 2, SOC 3, and then Type 1 and Type 2 reports. Make sure you know the difference for your test. A vendor provides you with a SOC 2 Type 2 report. What statement most accurately interprets this report? The vendor's system controls are properly designed. The vendor has achieved a certain level of compliance with a recognized standard. The vendor's system controls have been audited over a specific period of time and found to be operating efficiently. The vendor has no security vulnerabilities. Now almost all of these answers are correct, but one is more correct than the others. Here is why. First of all, a SOC report does tell you about the controls, if they're good. It may tell you if it's recognizable by a standard, but by looking at a report you can see if it is or is not, okay, by whoever is doing the audit; I like that. But you know what's better? A SOC 2 report is done over a period of time. A SOC 2 report is generally done over a period of 6 to 12 months, so you would see that on a SOC 2 report: they'll say, well, between this time and this time we audited the systems and the systems came back to be good or bad. Now remember SOC 3, a SOC type 3 report, is basically the same thing except it's more of a high-level, publicly available summary of it. Make sure to know this topic for your test.

Question 20. Which of the following is the primary purpose of a security policy within an organization? To specify detailed technical configuration for security controls. To outline roles and responsibilities of security personnel. To provide high-level guidance and direction for security efforts. To define specific incident and response procedures. Now,
for your exam: policies. So you have policies, standards, guidelines, right, and then you have your step-by-step procedures. So it's not something that's very technical; a policy is much more of a high-level thing. Now this is going to be straight out of your books. Any book you read should tell you this. Now, to specify detailed configuration for security, that's going to be more of a procedure. To outline roles, this is going to be more like a RACI chart, something that shows roles and responsibilities, not so much a policy. To define specific incident response, this is more of an incident response procedure; it literally says the word procedure, so you should have eliminated that. Now remember for your exam, policies are directives from management. Where does policy come from? Management gets policies from industry standards and the regulations that they have to follow, so management sets the direction of the organization's security with their policies. And remember something: if management is writing the policy, what do you know about it? It's not going to be technical, because they're not; it's not going to be super detailed, because they generally don't have time to sit there and write detailed stuff. So it's going to be more high level, but it's going to set the direction of where we're going.

Question 21. In a security incident response plan, what is the primary purpose of a post-incident review? So we've got this word primary again, and then the purpose of it, the purpose, like what's the end goal here? Identifying and prosecuting the attackers responsible, okay. Assessing the effectiveness of the response and identifying areas for improvement, okay. Communicating the incident to external parties such as customers and media, okay. Restoring affected systems and restoring services to normal. Now notice this is the post-incident review. So what's a post-incident review? It's after the incident has happened; you're reviewing what happened and what you did right, what you did wrong. This here is going to be straight up for the process of improvement. Like why
would you review after the incident? It's during the mitigation of the incident, responding to the incident, that you're going to try to identify the attackers, so that's not right. It's during that time that you may have to communicate to customers that their data was lost. It's during the response to the incident that you're going to restore systems. Post comes after. So read the question carefully to get this one right. Takeaway from this: read your questions carefully if you didn't get that one right.

Question 22. Which of the following security controls is most effective in preventing malware infections from malicious email attachments? Intrusion prevention systems, content filtering, host-based firewall, and patch management. Now how can we prevent? So prevention is not detection, right? Prevention stops things before they even occur. Like, how can we not even get it onto the machine? Well, a host-based firewall can generally stop things trying to enter the machine, but if the user initiated it, especially like on an email, and somebody double-clicks it and it just starts downloading, it'll come in. Patch management can stop it from being installed, but it wouldn't stop the thing from getting to the machine. An IPS can prevent the virus from getting into the machine if the virus is circulating around the network, and it doesn't say whether it's a host-based one or a network one. So the best thing, how do we really stop the virus from getting to the user's inbox? Just use a content filter. The key word here is preventing, so you've got to read that one carefully.

Question 23. In the context of secure coding practice, which of the following actions is most important for preventing common vulnerabilities like SQL injection and cross-site scripting? Implementing input validation and output encoding. Using the latest programming language. Regularly scanning the application. Encrypting sensitive data in transit. Okay, first of all, I can eliminate one answer right off the bat here. Notice
vulnerabilities like SQL injection and cross-site scripting. So SQL injection is when they come to your website and they type SQL commands into a field that you have where you can type data in, and they can execute basically SQL commands against your system. Cross-site scripting is when they type scripts into that field and then execute them against your website. This can do things like deface the website, expose sensitive data, corrupt data, bring down your websites, creating all kinds of DoS attacks and so on. Now first of all, you could be using SSL; I don't care what type of encryption you're using, if you have coded your website incorrectly and I can just type anything in the boxes on your website, I don't care what encryption you're using, you're going to show me the data. So I can eliminate encryption right off the bat. Using the latest programming language and framework does not prevent SQL injection and cross-site scripting; it's good coding practices that do that. Scanning is not a preventive thing, right? Read the question: which of the following actions is most important for preventing. Scanning is something you do afterwards to see if a prevention technique is working, so we can eliminate that. And of course the answer here is going to be input validation. Now input validation limits what you can actually type into the box. So for example, if a SQL command requires 20 characters and you limit it to just five, then you can't enter that, right? That command could never work. So that's how you would do it with input validation. So remember, input validation and output encoding can solve things like SQL injection and cross-site scripting.

All right, question 24. In a security incident response, which of the following is the most critical step immediately after detecting a security incident? Identify the scope and impact of the incident. Notify executive management. Implement containment and mitigation measures. Gather evidence for legal prosecution. So notice "most critical," "immediately after." So this is the security step we do right away. Well, if you try to identify how big this thing
is, that's going to take time. Notifying executive management and stakeholders, that's going to take time; this thing could be stealing data as we speak. Gathering evidence is something you're going to do way after the incident. The best thing here to do is going to be to contain the incident. In your study guide there is a list of what you should be doing during security incident response. Make sure to know these steps for your exam. The moment an incident is detected, you have to contain the incident; for example, you don't want it to spread all over the network, and the longer you wait, the more data could be stolen or get corrupted in your business.

Practice question 25. An application stores passwords for user authentication. Which of the following would be the best practice for storing these passwords? Encrypting the passwords using AES. Storing the passwords in clear text with strict access control. Using salted hashes for password storage. Masking the passwords before storage. Now this one plays on your level of knowledge. When you're in your cryptographic chapters, when you study this, or when I go over it in the class, I show you guys in the course exactly how hashes work and I'll show you guys how I'm going to use a hash function to hash a particular password. So if you know that, you would have known that passwords are hashed. Now, we don't encrypt passwords with symmetric keys, as it wouldn't make sense that you would then need the key to decrypt it. You never store passwords in clear text, and masking doesn't really do anything; masking just doesn't show it on the screen, but the computer still sees it. Now what exactly is a salted password? So a salted hash is basically when they add a bunch of characters to the actual password before they hash it, all right? So the password hashes are more complex, making it somewhat harder to reverse that hash. We'll cover salting in the course; if not, make sure to study it for your exam.

Question 26. Which of the following security
controls is most effective in preventing unauthorized physical access to a data center? Biometric authentication at the server level, CCTV surveillance cameras, mantrap access control, intrusion detection for data centers. Now this one here is preventing unauthorized physical access. So first of all we can eliminate... notice it's preventing, stopping people from coming in. A camera doesn't stop anyone, all right? You have a camera in your house; it can deter, it can scare, but it's not a preventive control. A detection system is basically like a camera; it can detect people coming in, but it doesn't stop them from coming in. Biometrics at the server level: this is at the server level, that wouldn't stop you. Putting biometrics on your server doesn't stop you from coming into your data center, making the mantrap the answer. So what's a mantrap? Mantraps are double doors. They come in; it's two doors. People come in one of the doors, they open one, the door they came in through locks, and before the other door can open for them to get in, there's some kind of authentication mechanism. Sometimes they have to put a passcode in there, a thumbprint, or some kind of card reader, or a visual inspection by some kind of security guard to let them in, making this the best preventive way to control how they get in. This is the only control here that actually deals with physical access into somewhere.

Question 27. Which of the following is the most important reason for including security controls in the system development life cycle? To meet regulatory compliance requirements. To ensure secure code and practices are followed. To reduce the overall cost. To expedite the delivery of a new system. So by you including good security controls in your SDLC, which is the way you're going to develop your software, it doesn't reduce the cost; it may actually increase the cost sometimes, it may reduce it, so it's hard to determine that. It doesn't expedite; I think security is known to slow things down, and it's very
subjective. Now it comes down to two things: to meet regulatory compliance, and to ensure secure code and practices are followed. A lot of you guys may go with this option, but I'm thinking like a manager. I'm going to go with compliance requirements. Now I'm going to tell you guys, you have to go with one over the other. See, if you're doing one, you're not doing the other; remember this mindset. Here's a quick thing: if you're doing it to meet regulatory compliance, right, that's the only reason why you would do it, that's A. B is to ensure, when I've got good secure code, you couldn't care less about the requirements. So which one would you go with? Would you go for just requirements, or would you go to ensure secure code and practices are followed? That makes this the best answer. Here's why: because if you go with A, then you're saying that if there are no regulations, you're not going to do it. If you go with B, you're saying, well, I don't care about any regulations, I include it in the SDLC to ensure code and practices are followed. Isn't that why you do this? And A results in B. Why do they have it? If they put it into regulatory compliance, their whole objective in doing that is to get B. Remember something: as a CISSP, as a manager, you're not thinking at the middle, you're not thinking almost at the end, you're seeing the end goal, like why are we really doing this? Think like that. All right, 27 done; number 28. Make sure to know this: CVE, the Common Vulnerabilities and Exposures database, and the CVSS score. Make sure you know this for your exam; it's going into it. Given CVE-2023-12345 with a CVSS version 3 base score of 9, which of the following is most likely true? So you have to know this for your exam; don't go in there without knowing it. You don't have to know how to calculate the score, just know what the score means. The vulnerability is of low severity and poses minimal threat. It requires a complex condition. The vulnerability is critical and poses significant risk, yes. The vulnerability's impact is primarily
related to data confidentiality. Okay, the answer here, if you know this one, is pretty easy and straightforward. You know that the CVSS scores go from 0 to 10, and generally if something is 10, or something like this 9.8, it's something that's easy to do, easy to exploit, and creates massive harm against the CIA: confidentiality, integrity and availability. So C is the correct answer here. This is not a low score. It does not require a complex condition; remember, if it's a complex condition the CVSS score reduces significantly. The impact is related to... even if it's related to confidentiality, if it doesn't affect integrity or availability, the score does get reduced, so it doesn't do that. Make sure to understand your CVSS score before going in for your exam. As security personnel you should also know your CVSS score, so when you see it on a security bulletin you know what it means. In the course we'll go through how to compute it; I'll show you guys a calculator for that.

Question 29. Which of the following security controls is most effective in preventing unauthorized access to sensitive data stored on a mobile device that may be lost or stolen? Strong encryption, regularly updating device firmware, implementing device authentication, or storing data in a secure cloud environment. Now right off the bat I can tell you guys that this question has caused my students a lot of heartache. Some people have disagreed with the answer, and I'll tell you how I got to the correct answer. So first thing, you've got to eliminate one choice. Notice "unauthorized access to sensitive data stored on the device." So telling it to store it in the cloud does not answer the particular question, so eliminate that. Now the other one I'll eliminate is regularly updating device firmware. Why? Because even though it can have the best firmware out there, if the firmware itself or the device itself is not secured, you just keep updating things in an insecure device. Now this is where it gets people: authentication or
encryption. So here's what I'll tell you guys. The way to get this answer: if you have your phone, I have my phone with me, so if I have my phone, if you have one, you're not going to have the other. Remember that: if you have one, you're not going to have the other. That's how you have to think of this. So I'm going to tell you guys, you guys are going to have amazing biometric authentication no one can break, but the data is not encrypted; or I'm going to tell you guys the data is encrypted, but there's no authentication on it. Now you're probably saying, well, if they can just get in, can they see it? Yes, that's true, but you've got to choose one, all right? Now it says biometric authentication; it doesn't say something like password authentication. So when data is stolen, when a device is stolen, somebody finds it, all right, even if they can't get in, what would you want? The best thing here would be to encrypt the data. If the data is encrypted, it doesn't matter if they steal it, because remember, how do you bypass authentication? If you can't get in, you just take out the drive, mount the drive on a different machine, and you can see all the data. So that would be the option: if this thing still falls into the wrong hands, the data is still unreadable unless they get the encryption keys, making A the best answer.

30. Which of the following security principles emphasizes that security mechanisms should not rely on the secrecy of design or implementation? Least privilege, defense in depth, open design, separation of duties. The best answer here, guys, is going to be open design. Here's why; it's a pretty straightforward question. Least privilege is when people don't have much power on the network; they're not admins, they're regular users. Defense in depth is utilizing multiple controls to keep things secure; having a firewall, an IDS system and antivirus is a form of defense in depth. Separation of duties is so one person can't perform all
duties on a system to bypass controls and commit fraud. So open design, such as Linux, which means the source code is available for anyone to see: this one here, there's no secrecy of how the system is designed, how the system is implemented. There's no secrecy on the source code of Linux. There is secrecy on the source code of Windows, though, because that's called a closed design, or closed source, versus open source type systems. Make sure to know the difference for your tests.

31. Which of the following is the most critical aspect of privacy by design? Notice the term for your exam. Encrypting sensitive data at rest and in transit. Appointing a data protection officer. Involving privacy experts from the inception of the project. Regularly updating the organization's privacy policy. So notice "critical aspect." Privacy by design is what? It's when you design an application from the very beginning to secure private data: PII, personally identifiable information, and PHI, personal health information. So encrypting the data at rest and in transit is good; I like that answer. Appointing a data protection officer who's going to be in charge and oversee it, I like that answer. Involving privacy experts from the very beginning so this thing is designed with privacy... wait a minute, that sounds like the best answer. And regularly updating: it's good to update the policy, but the reason to get this out there is to make sure that you follow certain compliance. I'm going to eliminate that answer. I'm going to also eliminate encrypting sensitive data. Although that's an important one, I think the most important thing is, from the very beginning of your steps to design for privacy, having good privacy by design is to bring the right people in and design the program correctly. This is the most critical step. So some people will say, okay, Andrew, how do you know? I'm doing a real exam, you know, how do I know I'm going to get this one right? How do I get this one right? Say to
yourself, if I can only do one thing right, which one here, if you do it right, is going to lead to the others? Which one here is going to make sure that we get everything here done? You've got to get a data protection officer if you follow GDPR, you've got to update your organization's policy, you've got to encrypt your data, but which one of these choices, if I do this, is going to lead me into the others? Well, if you get the right people involved, it's going to ensure that you get the right data. If you do this right, you're going to have the right data protection officer. If you do this right, you're going to update it. That's how you get this one correct. Part of the mindset.

Question 32. When assessing the security of industrial control systems (ICS), what is the primary focus of a red team engagement? So what's ICS? Industrial control systems are things like water supply systems, power supply systems, gas supply systems, big industrial systems. Identifying vulnerabilities, conducting penetration testing, simulating realistic attacks, auditing compliance with industry standards. So first of all you've got to understand red team and blue team, okay, to get this one correct. So first of all, a red team doesn't really audit for compliance and standards. They're generally within your business identifying vulnerabilities in the infrastructure, okay; conducting penetration testing, okay; simulating realistic attacks, this is going to be the best answer. Why is that? Because a red team does do penetration testing; a red team does, by doing that, identify and exploit vulnerabilities. So a red team aims to identify vulnerabilities and weaknesses in the system and then goes about exploiting them to see what happens. So if you're thinking, well, A and B are correct, yes, they are correct, but C includes A and B, making C the best answer on this one.

33. When verifying a digital signature, which of the following steps is the most critical for ensuring the
signature's authenticity? Decrypting the message using the public key. Verifying the digital certificate of the sender. Checking the timestamp of the signature. Comparing the hash value of the received data with the decrypted hash value in the signature. Now, a couple of things here. You have to understand how a digital signature works. So a digital signature basically takes a message, hashes the message to produce a cryptographic hash, and then encrypts the hash with the sender's private key. That's a digital signature. So what's a digital signature? It's basically an encrypted hash of the message, encrypted with the sender's private key. When you receive it, for you to verify the hash, you then take the message and you hash it, and then you decode the signature that was sent to you from the sender with the sender's public key. You never get the sender's private key. And if the two hashes match, that means that it had to come from the sender, because you're using his public key, and the message was never changed. Why? Because the hashes match. If the hashes didn't match, a couple of things it would tell you: either the message was changed, or you're using the wrong key, which means it never came from that guy. Digital signatures, for your exam, remember, do a couple of things: non-repudiation and integrity, all right? So non-repudiation: the guy can't deny it came from him, because you're using his public key. So if you know this information, this one here is pretty easy, because you notice it doesn't really check for timestamps. Verifying the certificate doesn't actually mean it came from that person, right? You do know you can check that the certificate actually came from them, but remember the hash: if the message changed, you wouldn't really know. Decrypting the message using the public key: you don't decrypt the message. You see, digital signatures do not encrypt the data; in fact, digital signatures don't provide confidentiality. So if you did get that one incorrect, what I just
explained to you was the mechanics, not the process and purpose, of a digital signature.

Question 34. What is the most critical factor to consider when selecting a vendor in the context of information security? Vendor reputation, geographic location, data classification, and business continuity. So you're thinking security, all right? When you're thinking in security, you're thinking, okay, we're going to go out, we're going to select a vendor, maybe to store data, process data, something like that. Why are you using this particular vendor? Now I do like almost all the answers here; they're all correct, they're all important. There are things to consider, such as the reputation of that vendor, where they're located, the type of data we're going to store with them, and the business continuity of that vendor. Now here's the thing: there's one answer here that holds all the other answers, there's one answer here that affects all the other answers, and that answer is going to be data classification. And I want you guys to know this one, because data classification will affect everything about the data: where it's stored, who has access to it, how they can access it, what type of cloud systems it can be used on, what type of hard drive or physical medium it can be stored on, where it's going to be stored, in a vault, in a file, in a locked cabinet, where can this data be stored. So data classification is a good answer. Throughout your exam, if you ever see it as a choice on the exam, I want you guys to pay attention to it, because, you know why, it's probably going to be one of the better answers that are out there. So data classification is definitely good, because data classification may dictate what type of reputation the vendor must have, it may dictate where this vendor is located, it may dictate what type of continuity policies that vendor has in place, making this the best answer.

Question 35. What is the primary goal of a security governance framework? Compliance with industry standards. Mitigating all risk to zero.
maximizing share all the profits aligning security with business objectives so the primary goal all right what exactly the primary and this one in particular is security governance framework and particularly security governance so security governance is the management of all security activities to accomplish basically the organization objectives and you can see the answer here so is it compliance with industry standard I like that you're never going to mitigate all risk to zero as that is practically impossible maximize shareholders profit I do like that answer align in security with business objectives I like this answer so now we bring it we brought it down to three now compliance with industry standards this is a good answer but it's not the best answer and the reason for that is because you're saying that the goal of this is just so if there was no industry standard you wouldn't have this no not the good one maximize shareholders profit and align it with business objectives so maximizing shareholders profit is something that is of corporate governance framework not just the security governance framework the security governance framework is basically to keep the security function aligned with business objectives that's going to lead to maximizing shareholders profit but it's not the only component to maximize shareholders L profit you're going to have good corporate governance and that's and remember security governance or is information technology governance information system governance is a subset of corporate governance we learned that in domain one making D here the best answer practice question 36 which of the following is best which which of the following best represents the concept of due care and security governance so this one here you have to have just no quick definition controls prevent all security incident okay exercise and reasonable security measure protect asset okay conducting security audits uh assigning security responsibility solely to the 
IT department now this particular one is a straightforward definition if you knew the definition you should have gotten this one correct as this is the definition of due care due care is when you do what's called reasonable security practices in order to secure an asset it's like what would a reasonable person have done to secure this machine for example a reasonable person updates their machine a reasonable security guy keep backup of data implementing control they do that this is correct conducting uh security audits yeah they do that I don't know about this thing here that says assign it to slowly to the IT department but you do assign it to the IT department don't forget by exercis and reasonable security measures you're going to do a you're going to do c and you're going to do D some reasons why it would eliminated D this word solely and the other one is a to prevent all security you can't really present prevent all you can try your best to prevent most be careful of this word all okay question 37 in a multi-tier application architecture which of the following layers is most most vulnerable to injection attacks such as sequin injection and command injection presentation application data link or transport now I included this because every single one of the cisp candidate or you included will get an OSI question know what happens at the layers know what devices happens there because they may ask for attacks against devices and more importantly no what attacks can happen at each lirer no for example like where a Dos may happen such as a ping flood where would that take place in this particular one we're looking at a SQL injection so if you know SQL injections and and Comm B injection you pretty much know that this was an application layer attack and this is not something that is uh very difficult to understand because if you understand what's happening at the different layers it's not that difficult for example the presentation deals with really formatting of the 
data not so much so of typing in and seeing the data and interacting with the application the data link layer this is all the way at the bottom of the OSI model this is going to be with the pass and a frames This concerns itself more with things like pass and frames like using a MAC address this where switches work so it's not really with the application the transport layer deals with when data arrives at your machine things such as know and the particular port number error check and error recovery and like connection oriented connections it's not really going to deal so much so with the application itself the best answer here is going to be the presentation layer once again make sure you know your OSI know it inside out know what happens in each layer know what devices operates where and of course know the different attack in the course we have a great outline on that question 38 which of the following security assessment methods is most suitable for evaluating the security posture of an application source code so you have to evaluate basically the security like how secure security posture of the source code so which one here looks at the source code Well Network scanning is not going to actually look at the source code social engineering is is talking with people you should have eliminated those to now comes which one which one of these here looks at more of the source code vulnerability scanning or Statics if you use something like the Nexus scanner it's not going to scan the source code it's going to scan the outer of the application or the entire compiled the compiled application the only thing here that actually looks at the source code of an application is static analysis in which case it basically reads the code to see if there's any vulnerability in the code make sure you know things for your exam things like Dynamic static testing uh for your exam question number 39 almost all of you guys will get questions on gdpr know it well for your test which of the 
following best captures the primary intent of gdpr insur EU citizens can shop online securely protecting the fundamental right to privacy to data privacy of EU citizens uh EU residents encourag an international business to operate within the EU streamline an updated Legacy uh EU privacy so first of all if you know what gdpr is gdpr is is a European basically it's a data standard or I should say um protection and what this does is that it looks at the data privacy and the answer is B of EU citizens it basically tells organizations that if you store EU data the you have to secure it and you have to give the users control back of their data if you set you have to let them know if you're going to uh if you go to a website and you have like tracking cookies on you have to let them know for your exam know what the gdpr is I need you guys to know things like the data Protection Officer that's an important term and a role make sure to study that for your exam in the course we'll give a much more things in different laws you should be familiar with all right here is a question that's a hid and miss that some people get some people don't but you should know the formul is to calculate in a symmetric in a in a symmetric key network of 100 nodes where each uh each node securely communicates with every other node using a unique key how many symmetric keys are needed so this one I put a big number but on the exam you're going to have to just no this formula it's n * nus1 / 2 so I'm going to show you guys a a quick easy example of this so let's say you have three users on a network uh you have Bob Mary and Jane all right three people now for these people to communicate securely using a unique key now unique means different key so you would have a key between Bob and Mary so when they communicate Jane can't see between Bob and Jane So when they're communicating Mary can't see and between Mary and Jane So when they communicate Bob can't see so one two three keys if Peter joined the 
mix Peter needs a unique key with Bob with Jane and for Mary that means six key three mors were added so if you have four people just do the map 4 minus you put 4 4 - 1 is 3 3 * 4 is 12 2 is 6 so if you put in the number 100 and you do the formula you get 5050 on this not a calculation for your exam it's one of the few formulas you need to know there are some formulas in Risk Management that I tell students to know they're hidden miss when you get them but so is this one okay next question when assessing the risk to Phi in a cloud environment which of the following should be of primary concern location of the data center type of encryption used in the data storage SLA uh uptime guarantee by the cloud provider data access and control agreements with the provider okay so this one here good set of things if I was you I'm looking at this going man all these are good yeah because you know if the data center is stored in in in Russia you probably don't want that the type of encryption yeah they use weak encryption want that SLA up times notice this is Phi should be a primary concerned although I would be a concern with the up time not so much I'm thinking more of like losing the data to hackers not just it going down data access and control agreements with the provider I think I would need that because we need to make sure the provider has good in there now you got to apply some of the techniques I've taught you so far if you did it you probably got the answer already because the answer here is the most generic answer you see location of the data center is important because the data center again is in China or Russia you don't want that data center to be in a in a country where you know what maybe the government can control that or take control of it or as an adversary of us in the United States type of encryption using the data storage you probably you know you're worried about that because if they use Dez you don't want that you want them to use AES encryption when you 
come down to to choices where you're like man these two are 100% right then go with the one that includes both because did the agreement can specify where the data should be located the agreement can specify the type of encryption that should be there so if you had applied the right um technique should have got this one right 42 why is data remnants considered a security concern it increases the storage costs it can lead to the data being corrupt residual data might be recoverable after uh deletion of this or or dis wipe it results in slow data access P2 data remnants is a Hot Topic data remnants if you know the definition here it's a pretty easy question data Remnant is when you take out a hard drive you delete the data off of it and the data is not all deleted or or some most of it or some of it is recoverable so that is definitely C an increase to theore storage cost it doesn't increase storage costs because you're getting rid of storage it can lead to the data being corrupt it has nothing to do with data corruption it's more about data being recoverable it results in slow data access when you're data Remnant you erase the disc there's nothing about accessing data now you're going to worry about data remnants and the security concern because if you take out a hard drive that has a lot of data on it you put that drive in the garbage that data might still be accessible and people can then take that and recover data basically steal your data or get your data from your business best thing to do are to do things like sanitize the media giant magnet across it or Shred the drive so the data is unrecoverable question number 43 a security analyst observes multiple unauthorized data extraction attempts from a database server upon investigation all extraction attempts have been tracked back to a single user account which of the following should be the analyst imediate action delete the user account notify the user isolate or disable the account and initiate an incident 
response implement the ster Access Control in database so I mentioned earlier in this video when you're doing when you're F when you're doing security incident response you have to follow the steps so right now you notice this upon all attempts been TR so you have done you know the attack you know the attack is happening you have have to contain it right you have to stop it how do you stop this account from this happening right away choose the best answer deleting the user account you don't delete anything because deleting user accounts can cause data to be lost you don't call the user and tell the user what you're doing right away the best thing here is to disable this account implementing strier Access Control this person already has it you need to disable and stop it because strier access controll in the database server uh maybe he has accessor do it to another server best answer answer here is definitely to isolate disable it so those steps that you learn about in the course your security inent response steps make sure to follow them even if you the question doesn't ask like you know what step to do next because this is a scenario based question question number 44 which of the following security assessment methods is most effective for identifying known vulnerabilities that are not disclosed publicly notice most effective identifying unknown vulnerabilities that are not disclosed publicly vulnerability scanning penetration testing code review information security and event management okay so this one here I thought this one was pretty easy a lot of my students have trouble with this one let's go through it the keyword here is is not publicly disclosed and notice it's identifying unknown things that haven't been found if it's something that's unknown a vulnerability scanner is not going to find it the vulnerability scanner uses a database of no vulnerabilities information the seam systems this just correlates events this doesn't really is not going to help you 
detect things and for it's not going to help you go out to detect and if it does have a detection engine on it it has to be known code review and penetration testing so this is where this one becomes difficult if you're reviewing codes are doing a penetration test the best thing here I'm going to tell you guys is a penetration test and here's why you see a penetration test ethical hacking one of the courses I teach is C by the way this here finds all kinds of vulnerabilities within a system a pin tester will try all different vulnerabilities and try to exploit those vulnerabilities look for new vulnerabilities to find a code review is generally done by Pro programmers code reviews they're good but that's done more at the application Level and it's mostly going to look for KN for example static analysis it's to look for KN vulnerabilities in certain codes versus a pentest is the best of these answers question 45 in the context of forensics investigation which of the following best describe the primary purpose of maintaining a chain of custody so what's a chain of custody it's basically it's a document that tracks evidence from the moment you gather it to giving it back so that whole uh evidence life cycle from collection of the evidence storing it analyzing it presenting it returning it now it'll say who took it when they took it where they who took it when they took it how they took it where they store it who had access to it when did they access it what did they do with it basically it is a document showing me every single thing documented that has happened to this evidence it ensures evidence is properly cataloged not necessarily to demonstrate the Integrity yes it does because it looks to how the evidence was handled if it was handled correctly to ensure only authorized it doesn't do that it just shows how the evidence was handled to protect it no it doesn't really protect anything it does evidence protection is like storing it in an encrypted Vault not using 
the chain of custody so the chain of custody is to demonstrate the Integrity of it question number 46 which of the following provides the best Assurance of an application security posture over time conduct annual pent house Implement strict password policy continuous integration with security testing quarterly vulnerability assessment I thought this one was easy hopefully you guys got it not's best assurance and it's going to be done over time there's a couple things here penetration test is this doesn't have to be done annually okay they could be done done annually they could be done quarterly or as needed stricter password policies well passwords are good but it says over time I'm not sure how password policies affects over time quarterly a vulnerability test for example like the PCI is done dependent on how much swipes you have or how many cards you do so not necessarily quarterly see these are put in hardcore timestamps on these things so the best thing here guys is continuous integration this one the word best assurance and especially over time is you have to go with the word continuous security is not a quarterly thing it's not an annual thing it is a continuous thing question number 47 an organization wants to make sure it sensitive data is unreadable if it's intercepted during transmission which principle is the organization most concerned about so hopefully you guys this is the beginning this is the first chapter you're going to read in your book this is going to be about the CIA all right confidential integrity and availability you if you intercept data you can't access the data best answer here guys is going to be C this is basically one do the definition here only authorized individual can access or read the particular data that's the basically the definition confidentiality Integrity is no all no unauthorized modification or no unintentional modification availability the up time of the day N repudiation is a subject cannot deny that an event has taken 
place question number 48 in the context of mobile application development ensuring that application components are not exposed to other apps on the same device refers to all right you guys need to know this one for your exam you need to know the term is it data and Transit data and Transit is when data is moving from one location to the other they're looking at other apps on the same device so it's not going to be this this is more for like Network unless like SSL would do this SSH code alisation is basically hidden or hid in the source code so make it harder for people to read it um data at rest this encrypts the data this is data not being exposed all of other apps on the same device the best thing here is a Sandbox so on mobile devices we have application sandbox so sandbox basically it restricts the memory space so only that app can operate there that way other apps can't in can't bleed over or get over to that space and steal the apps data it's one of the things because of application sandbox and it's one of the things that makes mobile mobile devices pretty secure question number 49 we're getting down to the end here which of the following is the most critical factor for ensuring the success of a security governance program advanced technology comprehensive security policies strong executive support and experienced security staff now if you have been studying cisp you should no this one right off the bat it is a common cisis P question in which case the most important part of any security program is of course going to be Senior Management support Senior Management support if you don't have Senior Management support you will not have comprehensive policies because remember comes from it comes to management you will not have experience security staff as they wouldn't hire it you wouldn't have advanced technology or the great technology because they wouldn't care to to implement it once Senior Management supports everything starts to fall into place you get the 
right budget you get the right people you get the right technology you get the right standards to follow you get the right guidelines and procedures and all that great stuff question number 50 in a token in a tokenization in a token basically a token system uh what parently distinguishes a token from the original sensitive data it represents now the token is always longer than original data the the token contains crypted segment of the day the token on its own has no meaningful value information the token must be reversible to the original day without any additional information so you guys should know tokenization tokens are used a lot you go to PayPal you check out you're using a token uh any you go to Best Buy you check out with PayPal you're using a token token is basically a representation of sensitive data the token by itself has no meaningful value if you steal the token uh you can't get the data so a token is used to represent a block of data for example a token can be used to represent a particular credit card and every time you use this token it builds your credit card but if somebody ever steals your token you can never get back your credit card so that's what a token is for this one is more of a data definition question all right I said I got 50 questions I got one more for you just to throwing a bonus in here I wanted to include this one because some people a lot of people are getting questions on Dev secure Ops agile continuous uh deployment uh continuous integration cidi let's see what this question is just make sure you study these topics for your exam in a def secure Ops environment where is the responsibility for the for security primary lie in the context of continuous integration continuous deployment versus agile solely with the security team in cidi uh and with developers in agile equally distributed across primarily with developers and C equally across all the teams in agile solely within the operations team and C with the security team and 
agile okay Dev secure Ops so Dev Ops is continuous deployment continuous integration keep pushing out software keep updating software adile is the development of software generally done in increments or in iteration things like following scrum extreme programming and so on if you guys know me you know I teach a lot of project management but anyhow this question I did find it to be pretty easy because it follows an old principle security lies in whose hand security lies in everyone's hand B security is not something that lies in the hands of just developers security doesn't lie in the hands of just implementers or installers security is basically everyone's responsibility all right that's one of the first things we're going to learn about security security is not just one person's job it's everybody's job everybody has to do their job because if there's a one break in security the entire thing breaks all right guys that concluded my 50 questions if you found value in this video give it a like subscribe to her Channel we'll do a lot more videos if you guys want me to do more of these kinds of videos to help you pass your exam let me know I'll be happy to took me a while to make this it did take me a while um to make these questions uh to do it hopefully this helps you out I did this a lot for my own students they have asked me to review these questions quite a lot so I said let me make a video and shared with everyone else if you are studying for your cissp and um you want to join me in a class i' would be greatly appreciate it here's what I tell people guys studying for the cissp is not where you take it if you go you spend $4,000 10,000 $8,000 some of these crazy companies that are charging crazy money you know it's not where you take it it's who's teaching it that matters I've been teaching this a long time so I'm going to tell you guys hey join me in a class uh me and my colleagues here I did all the training videos for the cisp Tia so when you sign up for a 
class you'll get my entire boot camp as a uh a video course and I may even be your boot camp instructor so guys if you found value once again please like the video subscribe to the channel I'll see you in the next video
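The tokenization point from question 50 (a token on its own has no meaningful value, and it is only reversible through the vault that issued it) is easier to see in code. The following is an added example for this page, not code from the video or from any payment provider; the `TokenVault` class, its method names and the sample card number are all constructed for illustration. It shows a format-preserving token (random digits, last four kept for display), stable re-use of the same token for a returning card, and the fact that a second vault cannot reverse a token it did not issue.

```python
import re
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Toy tokenization vault (illustrative; names and design are assumptions).

    The token -> card mapping exists only inside this object. In a real
    deployment this would be a hardened, access-controlled service; the
    merchant systems would only ever hold the tokens.
    """

    def __init__(self):
        self._token_to_value = {}  # token -> original card digits
        self._value_to_token = {}  # original card digits -> token (stable re-use)

    def tokenize(self, card_number: str) -> str:
        digits = re.sub(r"\D", "", card_number)
        if not 13 <= len(digits) <= 19:
            raise ValueError("not a plausible card number length")
        existing = self._value_to_token.get(digits)
        if existing is not None:
            return existing  # same card, same token: recognise a returning customer
        # Format-preserving token: random digits for everything but the last
        # four, which are kept so the token can be printed on a receipt.
        # Nothing in the random part is derived from the card, so the token
        # by itself carries no information about the card.
        while True:
            head = "".join(secrets.choice(DIGITS) for _ in range(len(digits) - 4))
            token = head + digits[-4:]
            if token != digits and token not in self._token_to_value:
                break
        self._token_to_value[token] = digits
        self._value_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse a token. Works only with access to this vault's table."""
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError("unknown token; not reversible without the vault") from None


def stolen_token_is_useless() -> bool:
    """Return True if a token issued by one vault cannot be reversed by another.

    Models an attacker who steals the merchant's token store but not the vault.
    """
    issuer = TokenVault()
    attacker_vault = TokenVault()  # attacker has no copy of the issuer's table
    token = issuer.tokenize("4111 1111 1111 1111")  # constructed test number
    try:
        attacker_vault.detokenize(token)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")
    print("token:", tok, "-> card:", vault.detokenize(tok))
    print("stolen token useless:", stolen_token_is_useless())
```

The contrast with encryption is the exam-relevant part: an encrypted card number is reversible by anyone holding the key, whereas the token here is random and only the vault's lookup table can map it back, so there is nothing in the token to attack.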
Info
Channel: Technical Institute of America
Views: 21,076
Keywords: CISSP, CISSP Questions, CISSP Practice Question, CISSP Question
Id: qbVY0Cg8Ntw
Length: 94min 48sec (5688 seconds)
Published: Tue Oct 24 2023