Full Transcript
https://www.youtube.com/watch?v=qbVY0Cg8Ntw
[00:00] In this video I'm going to be doing 50 CISSP practice questions with you, and I'm going to be going through the mindset it takes to pass this exam. I'm Andrew Ral. I've been teaching CISSP courses since 2005, 2006, to thousands of students over the many years, and I've always told people this: passing this exam is not just about knowledge. In fact, I've met quite a few folks that have memorized the study guide, that know the material inside out; they go to take the exam and they fail in almost every single domain. This exam is not just about knowledge. I've always told people it's only about 50% knowledge, so if you memorize the book it's not going to get you over that basically 70% you need to pass this exam. What you need to do is you need to have the mindset; you need to be able to think like a manager. And in this video I want you guys to learn to develop that thinking. I want you guys to develop that mindset that you need to go in there and pass this exam.

[01:01] So as I go through all the questions with you, I'm going to be teaching you that mindset. Always keep that in mind: it's not just about knowledge. Just don't pick up the study guide, start studying, and before you know it you take the test and fail. Pick up the study guide, learn it, but then learn the mindset to pass this exam. Let's get right into it. So we got 50 questions. Now, as I show the questions on the screen, like right now, I want you guys generally to pause the video, read it, and answer it, because I'm just going to read it and answer it right away. I'm not going to pause it at any point; that's what the pause button is for, right? If I'm too slow, speed me up a little bit, that's fine. But I want you guys to learn the mindset of it, and I'm going to give you guys a lot of tips as I go through every single one of these questions, so it's going to be a pretty long video. Let's get right into it.

[01:45] All right, practice question number one. In the context of disaster recovery planning, what is the most critical aspect to consider when creating a recovery time objective? A, the cost of implementing disaster recovery measures; B, the availability of backup data; C, the criticality of business functions; D, the geographical location of the disaster recovery site.

[02:06] Now, one of the things that we find in the CISSP exam is you're going to get quite a lot of questions like this, where most of the choices, if not all the choices, are absolutely correct. You're going to have this one where it's "most." Now I'm going to give you guys a tip that I've given all my students that has helped them on tons of practice questions: any time you guys get a question where you see something like "most," that tells me something, that all of these choices, if not at least two, will be absolutely correct. So when you're thinking about something, "it's the most critical aspect," you know, for some companies it may be the cost; for some companies it may be, well, is there backup data available; for some companies it'd be how critical is that business function; and then, hey, where exactly are those disaster recovery sites. So we got a great question here, four choices. Let's see what the answer is on this one. This is going to be C.

[03:02] Now why is that? Well, when you come to a question, and this is going to be a mindset that I'm going to be teaching throughout these questions, when you come to a question where you have choices that are all correct, here's a quick tip, here's the mindset: go with the broadest one. Go with the choice that includes all the other choices. For example, this answer, how critical a business function is, the criticality of business functions: this here will tell us, generally, something that's very critical will dictate the cost, so it includes A, right? It'll dictate how it should be backed up, when, you know, where the availability should be. The geographical location of the recovery site, this one here was more of a throw-out answer; yes, it shouldn't be close to your actual data centers, but in this one here we're looking at how fast we can bring things up.

[04:00] Don't forget the recovery time objective specifies the maximum allowable downtime for a critical business function. So when you're thinking about a particular question, the criticality of business functions, this here will then dictate maybe how much we should be spending on backing that thing up. Something that's super critical will generally require a lot of money; maybe you have multiple backups across multiple sites, maybe have it in cloud and physical locations in one. All right, good question. Remember the tip: if one choice is including all the other choices, or one choice includes multiple choices, that's generally a good answer for that particular question. One of the things about the CISSP is thinking like a manager. Quick tip: when you think like a manager, you don't think specific, you think overview. Managers don't see one thing. A tech does: technical people, if they work on firewalls, they fix firewalls. Managers, they don't see just firewalls, they see the higher system. So this is something we have to think about. We think of business functions, we think of keeping our business running, we're thinking of keeping it cost effective. Great tips there.
[05:09] All right, practice question number two. Now this is going to be a straight-up knowledge question. This is a question, if you have the knowledge, you're going to get it right; if not, you're going to be kind of messed up here. So: which of the following security models is most likely to be used in a highly classified government agency where data confidentiality is of utmost importance? A, the Biba model; B, Bell-LaPadula, or LaPadula, depending on how you want to pronounce that; C, Clark-Wilson; D, the Brewer-Nash model.

[05:36] Let's go into this. So in this particular one, the Bell model is the model of confidentiality. Now notice they say data confidentiality. The Bell model basically has a set of rules, and it comes with the principles of no read up, no write down. All right, so no read up, no write down. What this does is it ensures that folks at a lower level, maybe somebody with Secret, cannot read Top Secret data, and no write down: folks with Top Secret can't write to a Secret. Why is that? Because what they're saying here is that someone who has a Top Secret clearance can't take Top Secret data, copy it, and then put it into Secret documents or public documents. So these are the rules of confidentiality.

[06:26] Now once again, this question is mostly knowledge based. If you knew your models, you probably would have gotten this one correct. The rest of these are basically integrity models. I'm not going to get into this here because this is not a training course, but when we're in the course we'll cover all the different models that are out there, such as the Biba model and what that model's rules are for integrity. Make sure you know these models for your exam.
[06:54] Practice question number three, another knowledge one. Which cryptographic algorithm is best suited for ensuring the integrity of large files or messages? So this one, you need to know your algorithms before going into your exam room. Know what algorithms are symmetric, know the pros and cons of symmetric, asymmetric, and integrity. So in this particular one, the only integrity algorithm that I have here is going to be SHA-256, which is a pretty standard integrity algorithm that we use in today's world. In fact, most things that utilize a cryptographic hash are going to be SHA-256. Don't forget SHA comes, this is SHA-2, there's a SHA-3, they come in a variety of sizes, from 128, 256, 384, 512, so there's different varieties of sizes, but 256 seems to be the standard one. RSA is an asymmetric algorithm. AES is a symmetric algorithm. If not, these are going to be the two most famous symmetric and asymmetric. DES is deprecated; you should not be using DES. DES has been cracked because of its smaller key size at 56 bits. That is a symmetric algorithm also. All right.
[08:03] Practice question number four. In the context of network security, which of the following protocols is least likely to be used for securely transmitting sensitive data? Before taking your exam, know your protocols. Know which ones you should be using in the world of security and which ones you should not be. Okay, we are all pretty much familiar with HTTPS, as HTTPS is secured with SSL, so that's good. SSH, this is the secure shell; this is your secure version of Telnet, so that is secure. SNMP does include encryption now. This is Simple Network Management Protocol; this is used to manage network components, gather statistics. But FTP is insecure, FTP is not sensitive.

[08:50] All right, now I want you guys to note this word "least" on your exam. Be prepared for tons of questions where you have "least," "most." You're also going to have things where you have to choose things that are "not," like "which one of these is not going to be the best answer." So be prepared for a lot of questions, if not all of them, basically coming like this. Okay, don't forget to know your algorithms before going into your test. Practice question number five, let's take a look.
[09:22] Which of the following is the most critical consideration when designing a disaster recovery plan for a data center? A, redundant power providers; B, knowledge of geographic disasters; C, geographic location of the backup data center; and D, backup of a disaster recovery plan.

[09:42] Now this is a good question. Basically, when you're making a disaster recovery plan, you know, what are you thinking about, what goes through your mind? And all of these pretty much sound good. D, for example: should you back up your plan? Yes, you should. You should know where your backup data center is. You should know all the geographic disasters where your backup data center is going to be, such as, is the disaster site, I'm sorry, is the backup site prone to earthquakes, hurricanes? And can you get multiple power providers coming in to a data center?

[10:10] Now let's go through this. So the best answer here is going to be C, and here's why. I gave you guys a tip earlier: if one choice is doing multiple of those choices, it's probably going to be the correct answer. Always go with that broader answer and say to yourself, well, what choice here includes all the others? For example, the location of a data center can dictate, can you get redundant power coming into it? The location of a data center, or backup data center, in other words, determines what type of disaster it is prone to. Some data centers may be prone to earthquakes while some are not. For example, you put one in San Francisco or California versus putting one in the middle of the country, where they might not get earthquakes but they may get tornadoes, and hurricanes on the coast, and so on. Backup of a disaster recovery plan, while this is important, you have to say which one is more important, like which one are you going to go with over the other.

[11:07] I'll give you guys a quick tip when you're doing your CISSP exam. I want you guys to say this to yourself: you're looking at the question in real life, because this test is definitely not real life. In real life you can go with multiple things. In real life we're not going to go with one option, right? In real life we do everything here, but you have to choose one option. And the tip I tell people is, think about this in real life: if in real life you can only do one thing, one thing and one thing only, what would it be? If you go with this, you can't go with that. In real life, which one is the most critical one? Because if you think about it, the geographic location would be more important, like where you put it. Like if I said you can choose the right location or just back up your plan, which one would you go with? You back up your plan if you get the location? No, right. That's why C is a better answer here. Okay, that's why you got to focus yourself on one and one choice only. All right, next question.
[12:15] In a cloud computing environment, which of the following is the most critical factor for ensuring data security and privacy? Services provided by the cloud provider; strong access control and authentication; regular security audits and assessments; service level agreements with the provider. Okay, this one also has multiple correct answers. Why? Look at this, we got this word "most" here. Now I'm going to eliminate two choices. First of all, the SLAs are mostly going to be for things like the performance of the service provided, like uptime and downtime, so let me eliminate that one. Services provided by the cloud provider, you know, AWS offers quite a lot of services, from web services, data backups, and so on. I don't think that's really going to look so much to data privacy and security.

[12:59] Now we come down to two things. Now you have to focus yourself. You have to say to yourself, okay, I'm going to use a cloud provider. Now in real life, once again, we're going to have both. You know, you're going to want to think about, is it secure authentication, and are these data centers being checked, things like SOC reports and so on. You know, which one are we going to go with? And now you really got to narrow it down. Now if you're going to have one thing and one thing only, remember that's the tip I gave you: if you can choose one of those choices and no more, like if you can only go with one, would you want regular security audits and no authentication, or would you want great authentication and forget the security audits? This is how you have to think. All right, this is the mindset: if you go with one, forget the other one, you're not going to get it, you can only get one. Which one would it be? Would you guys want authentication, would you guys want security audits? Well, I don't know, but if I'm going to go with a cloud provider, I think if I can only have one, I'm going to go with that strong authentication. I want good authentication; it directly impacts the data security, and especially the word "privacy" gives this away, because access controls control the access between subjects and objects. Access control controls things like Bob can access that file, Mary can write to that file, Bob can only read it, and so on and so on.

[14:19] So B is the best answer. Now remember this tip: if you can do one, you got to forget the rest, and that gives you this here. Plus, if you read very carefully, one of the main reasons that people don't get questions correctly on this exam is they read it too quick. They have to read directly into the question and answer as they get the question.
[14:44] Practice question number seven. Which of the following cryptographic techniques does cryptographic shredding predominantly depend on? So this is called crypto shredding: symmetric, asymmetric, hash, or steganography. Now for this one here, if you understood what crypto shredding is, it is a pretty easy question, as most crypto shredding is done with symmetric encryption. So what exactly is crypto shredding? So crypto shredding is basically used in the cloud. What crypto shredding does is that, in order to delete cloud data, right, you can't go and physically wipe out the hard drives of an AWS server, but what you could do is you can encrypt the data with a key on your machine, a symmetric key. Now remember the thing with symmetric encryption: the key that encrypts is the same key that decrypts. So if I encrypt data in the cloud with a key, store the key on this machine right here, and then I delete this key permanently, this key is gone forever, there's no way to decrypt that data in the cloud, because the key that encrypted the data is gone. That is crypto shredded.

[15:46] Now, you know, what type of key does it use? It doesn't use an asymmetric key, that's two keys, public and private keys. A hash really doesn't encrypt any data, it just produces a cryptographic hash. Steganography is basically hidden data in data, basically hidden like a message inside of a picture; it does not use that function. This here is a knowledge-based question. Quite a lot of my students get questions on crypto shredding. Make sure to know it for your exam once again.
[16:16] Practice question number eight. In the context of security incident response, which of the following is the most important consideration when determining the severity of an incident? The number of systems affected, okay, I like that answer. The financial impact, definitely. The level of media attention, depending on the company, sure. The potential harm to the organization's reputation, sure. Okay, you got to think like a manager here. You got to say to yourself, if I'm the boss, which one would I be worried about the most? The number of systems being affected, yes, this is going to bring it down. Yes, you can lose money. Yes, the media is going to come after you. The potential harm. But there's one thing here that stands out the most; there's one that, if you know, takes over all the answers. Remember this tip: if one choice does the others, then that's the answer. Watch: the number of systems going down affects how much money we make. If we get negative media attention, we lose money.

[17:23] The potential harm to the organization, again we lose money. Like, which one of these choices is going to lead to the main choice? It's like the financial impact is the end goal, right? The financial impact is what happens at the end, not what happens throughout. See it as the manager. The manager sees to the end of the tunnel; the tech is who sees throughout the tunnel. So this is the end thing that happens. Of course, if you were thinking like a manager, you would have said, well, money is involved, so that's probably the answer. Any time you take your exam and you see a choice that talks about money, money being involved, it's probably a good option. It may not be the correct option, but it's a good option to keep an eye on. Practice question number nine. Which of the following is the most critical step in the secure SDLC, or software development, for preventing, keyword "preventing," security vulnerabilities? Penetration testing, code review, requirements gathering, user
[18:25] acceptance testing this one here you really have to think now when you think about preventing security vulnerabilities what can we do the word prevention means to go back right so you're preventing heart disease by exercising and eating right now you don't prevent heart disease after you get it right so you don't prevent vulnerabilities by cleaning up a virus that means you got the virus you never prevented it so anything to do with testing is eliminated because testing comes after the fact right testing is something we're going to like if you're testing for heart disease right that means that you probably are seeing maybe if you have it that means you haven't really prevented it right so if you're testing to see if there's bugs means hey you didn't prevent the bugs you can test to see if there's bugs in there though you can test to see if your prevention method worked but you're not preventing them review is another word if
[19:27] you're reviewing something that
[19:29] means that you're checking to see if
[19:30] your prevention method works the best
[19:33] way to prevent things is to collect the
[19:35] requirements correctly what requirements
[19:38] are needed to prevent a particular
[19:42] security bug maybe we need particular
[19:44] coding standards or particular methods
[19:46] of coding that software or we can
[19:48] prevent vulnerabilities by
[19:51] using again in requirements you would
[19:54] list one of the requirements is using the
[19:55] latest in security protocols for example
[19:59] so remember this word prevent read
[20:01] carefully if you got this one wrong you
[20:02] weren't reading
[20:04] carefully question 10 in the context of
[20:07] security governance what is the primary
[20:10] role of a steering committee developing
[20:13] technical security controls managing
[20:15] day-to-day security operations setting
[20:18] strategic security objectives and
[20:19] priorities conducting security risk
[20:21] assessment now couple things here this
[20:25] is a question about management uh a steering
[20:28] committee is a committee that
[20:30] quote unquote steers to determine
[20:32] directions to determine where are we
[20:34] going like for example a security
[20:35] steering committee is going to set all
[20:37] those high-level policies within the
[20:39] organization what we should be doing
[20:41] now and of course in the future so when
[20:43] you think of a manager's job does a
[20:45] manager deal with the day-to-day work do
[20:48] they deal with the day especially a
[20:51] steering committee right they determine
[20:52] futuristic things they don't determine
[20:55] the day-to-day things you may have a
[20:57] day-to-day operations manager but when
[20:58] it comes to a steering committee they're
[21:00] not going to be doing the day-to-day
[21:02] operational tasks
[21:05] managers let's be realistic are not very
[21:08] smart in terms of technical things in
[21:10] fact managers depend on a technical
[21:12] team to give them a lot of technical
[21:13] direction so that would eliminate
[21:15] developing technical security controls
[21:18] steering committees don't do that maybe
[21:21] they work with the technical team to do
[21:23] that conducting risk assessments that's
[21:27] something more like a security manager
[21:29] should do not necessarily a steering
[21:31] committee a steering committee again is
[21:33] very high level they determine high
[21:36] level future tasks that we should be
[21:38] doing so nothing in particular bringing
[21:41] the answer to C steering committees in
[21:44] particular such as a security steering
[21:47] committee within an organization will
[21:49] develop the security objectives and
[21:52] strategic strategic means long-term
[21:54] strategic plans for example are about 3
[21:56] to 5 years and what we should be
[21:58] prioritizing this is going to be more of
[21:59] what a manager a team of management
[22:02] should be doing all right practice
[22:04] question number
[22:06] 11 oops in a distributed denial of
[22:10] service attack mitigation strategy what
[22:13] is the most important goal during the
[22:15] detection and response phase all right
[22:18] detection and response phase identifying
[22:20] the source of the attack mitigating the
[22:23] attack and restoring service collecting
[22:25] evidence for legal prosecution blocking
[22:27] the traffic from a known IP address so this
[22:30] one you really have to read into it so
[22:32] it says detection and response so you
[22:34] have to detect it and you have to
[22:36] respond to a DoS attack what's a DoS
[22:40] attack it's when you have a ton of bots
[22:42] coming after your website generating a
[22:44] ton of traffic maybe bring the website
[22:48] offline identifying the source of attack
[22:51] that sounds good mitigating and restoring
[22:54] service well that's good because that's
[22:56] how you should respond collecting
[22:58] evidence for legal prosecution is going
[22:59] to come way after this blocking traffic
[23:02] from a known IP this here is going to
[23:04] help to slow or stop it so we want this
[23:09] identifying the source of attack
[23:10] although that's good in detection which
[23:12] one here was better so I got A and
[23:15] B now notice the goal the key word now
[23:19] if you guys
[23:20] selected
[23:22] um
[23:24] A right if you guys selected A you're
[23:28] going with what you're doing you're not
[23:30] going with the goal what exactly is
[23:33] the goal of detect and response did you
[23:38] get that the goal of detecting an attack
[23:40] and responding to it is to stop the
[23:44] attack right mitigate the attack slow it
[23:46] down and restore services that is the
[23:48] goal of what we're trying to
[23:51] do in doing that you will identify the
[23:55] source of attack you may block traffic
[23:57] from a known IP but that is what you're
[23:59] doing that is not the goal of
[24:01] it my goal is to lose weight I want to
[24:04] lose 10 lbs okay but me jumping on a
[24:08] treadmill is not a goal the goal is to
[24:11] lose the weight the activity of jumping
[24:13] on a treadmill will lead to my goal the
[24:16] CISSP exam is worded very uniquely you
[24:20] have to pay attention to the words if
[24:23] you guys got this question wrong because
[24:25] you didn't read correctly read the
[24:27] question clearly hopefully as you go
[24:28] through these 50 questions you're going
[24:30] to see okay I need to start reading
[24:31] these questions more carefully and
[24:33] you're going to see the answer is you
[24:35] know the answer is not that difficult if
[24:36] you read them more
[24:42] which of the following controls is most
[24:45] effective in preventing a privilege
[24:48] escalation attack role-based access
[24:50] control network intrusion detection
[24:52] system antivirus software security
[24:54] information and event management okay
[24:56] pretty easy question if you
[24:57] understood what it is so it's a
[24:59] privilege escalation privilege
[25:00] escalation is when I log in as a normal
[25:02] user and I do something to the machine
[25:06] to boost my privilege to become an
[25:08] administrator now couple things here
[25:11] that I can eliminate right off the bat
[25:13] first of all a network intrusion
[25:14] detection system that's not going to
[25:17] help you here because this here detects
[25:19] intrusions on a network this here
[25:22] detects intrusions uh coming through
[25:24] your entire network so maybe like a worm
[25:27] or something like that spreading on the
[25:28] network privilege escalation attacks
[25:31] generally happen on a single
[25:32] system a SIEM this here can detect
[25:35] events this is a correlation of logs
[25:37] think like Splunk so this here is not
[25:39] going to be preventing it but this can
[25:42] detect it and some people may say well
[25:45] Andrew well maybe an IDS can detect a
[25:48] worm that's going to do a privilege
[25:49] escalation but once again the word is
[25:52] prevent this is
[25:54] detect antivirus
[25:56] software versus role-based access control
[25:59] now I do like these two answers these
[26:01] are great answers because 99% of the
[26:03] time guys for them to do a privilege
[26:06] escalation attack they're probably going to
[26:08] use some kind of malware so in that case
[26:12] C is a good answer but then you have
[26:14] role-based access control now you got to
[26:16] come back to the mindset I told you you
[26:18] can only do one thing if you do A you're
[26:20] not doing C if you do A in other words
[26:23] you limit the guy's
[26:25] permission versus C you install an
[26:28] antivirus so if you're doing one you're
[26:30] not doing the other so remember this
[26:31] choice if you do one you're not doing
[26:33] the other that's how you got to see this
[26:35] if I'm doing this I ain't doing that one
[26:37] in real life yes I know you'll have
[26:38] antivirus and you'll have restricting
[26:40] user accounts because role-based access
[26:42] control is basically putting people into
[26:44] groups and assigning permissions so
[26:47] which one would I go with I'm going to
[26:48] tell you I'm going to go with role-based
[26:50] access control here's why role-based
[26:52] access control literally is limiting
[26:53] people to a particular role like if you
[26:55] work as an accountant you can only do
[26:57] accountant duties you're a normal user on
[26:58] this machine and you can access these
[27:00] accounts and files
[27:03] antivirus if you just install antivirus
[27:05] but you give them full access to the
[27:06] network great but that means that if
[27:09] they use a privilege escalation software
[27:12] that's not considered as a virus or zero
[27:14] day exploit they're going to get through
[27:15] but if they didn't even have permission
[27:17] in the first place the system would have
[27:19] limited them in other words to just
[27:21] those particular tasks making this a
[27:24] better answer than just that so
[27:28] again use this thing where I'm telling
[27:29] you if you're doing one choice you're
[27:31] not doing the other in other words you
[27:32] can only do this and everything else you
[27:34] will not be doing because again in real
[27:36] life guys we are going to be doing
[27:37] everything yeah I know we're going to do
[27:38] everything but for this exam we can only
[27:41] do
[27:43] one question 13 in the context of
[27:46] security risk management which of the
[27:48] following risk treatment options is the
[27:50] most appropriate for risks that are
[27:53] outside the organization's risk
[27:56] appetite risk avoidance tolerance
[27:59] acceptance or mitigation so we have to
[28:01] know our risk responses here so the
[28:04] first thing up we have to decode you
[28:06] know what exactly are they asking for so
[28:09] when something is outside your appetite
[28:11] it means you don't want it to happen
[28:13] risk appetite is how much risk you're
[28:15] willing to take so if you have no
[28:17] appetite for the risk the only thing
[28:18] here you can do is
[28:21] elimination wipe out the risk so the
[28:23] risk will not happen which one of these
[28:26] responses is going to tell you that you
[28:31] know which one of your responses is
[28:32] going to tell you that it's going to
[28:33] eliminate risk now if you know your risk
[28:35] responses it's pretty easy so for
[28:38] example you should automatically
[28:40] eliminate acceptance because acceptance
[28:42] means to do nothing it's when you take
[28:44] no action against your risk and if it
[28:45] happens it happens means you're willing
[28:47] to accept it you know you have a big
[28:49] appetite for
[28:51] it risk transference the risk can still
[28:54] take place it's just that somebody else
[28:57] has to deal with it generally like
[28:59] hiring an insurance company risk
[29:01] mitigation and avoidance this is the one
[29:03] that confuses people mitigation is
[29:06] lowering all right this lowers a risk
[29:09] risk mitigation lowers probability and
[29:13] or impact for example installing an
[29:15] antivirus you can still get a virus on the
[29:17] computer but it's a lower
[29:19] probability and or impact of a virus hitting
[29:22] your machine but risk avoidance is
[29:26] the elimination of
[29:29] risk risk avoidance eliminates risk
[29:33] remember that it's an action you take to
[29:36] eliminate risk for example I don't have
[29:38] the risk appetite for virus A on a
[29:41] Windows server how do you eliminate
[29:43] virus A don't use Windows if you don't
[29:46] use Windows and virus A only affects
[29:47] Windows then you know what you'll never
[29:49] get virus A then move to a Linux server
[29:52] that eliminates virus A but you know you
[29:56] guys got to remember something you know
[29:57] just to make this a little complex here
[29:59] for you guys every action has risk every
[30:02] single action we do in life has risk so
[30:05] by eliminating one risk you may get
[30:06] another risk but and you know that word
[30:07] is gone that risk is gone because that
[30:09] risk is completely
[30:11] eliminated practice question number 14
[30:15] which of the following security controls
[30:17] is most effective in preventing the
[30:20] execution of malicious code from an
[30:22] untrusted
[30:24] source now keep in mind the word
[30:28] preventing intrusion prevention
[30:30] systems antivirus software application
[30:33] whitelisting host-based firewalls so these
[30:37] are all good now once again in real life
[30:41] you're going to have all these things in
[30:42] real life you're going to have an IPS
[30:46] installed with an antivirus installed
[30:48] with a host-based detection system in
[30:51] fact every time you install a lot of
[30:53] these endpoint security software you're
[30:55] going to have all those so you install
[30:57] some Symantec endpoint security or McAfee
[30:59] whatever it is that you're using they come
[31:00] generally with some kind of IPS malware
[31:03] detection and some kind of
[31:05] firewall so which one here would you go
[31:08] with well let's start out it says from
[31:11] untrusted sources how can we stop people
[31:15] from execution of malicious code from
[31:18] untrusted sources which one am I going
[31:20] to eliminate first I'm going to go with
[31:21] a host-based firewall a firewall blocks
[31:24] traffic coming into the system but if
[31:27] the user goes out and grabs the traffic
[31:29] and clicks on the file and says the
[31:31] download it's not the firewall is not
[31:33] going to stop it I eliminate that one
[31:36] intrusion prevention systems this here
[31:39] stops malicious traffic coming into
[31:41] the system but what if the user
[31:42] initiated that not going to
[31:45] help antivirus now comes down to two
[31:48] things antivirus and whitelisting so
[31:52] what exactly is application whitelisting
[31:54] application whitelisting whitelisting is
[31:57] when you say you can install only those
[31:58] software and blacklisting is when you
[32:01] say you cannot install these software
[32:03] blacklisting is very broad because if
[32:05] you blacklist 10 applications then they
[32:07] can install every other application on
[32:08] the planet but if you whitelist 10
[32:10] applications that's all they can install
[32:13] let me ask you guys a question which one
[32:14] would you guys go
[32:15] with whitelisting in other words you can
[32:17] only install these five
[32:20] software or you can install anything you
[32:22] want but I'm putting antivirus which one
[32:24] would you go with again if you're doing
[32:26] one you're not doing the other all right
[32:28] that's how you got to see this are you
[32:30] doing one if you do this one you're not
[32:31] doing this one which one would you guys
[32:33] go with I'll tell you which one I'll go
[32:34] with I'm going to go with the
[32:35] whitelisting here's why because with the
[32:37] whitelisting I'm saying you can only
[32:39] install these five software and nothing
[32:42] else will ever be executable on this
[32:44] machine versus an antivirus then you can
[32:46] install whatever you want that's how you
[32:48] get this one making C a better answer
[32:51] than B are you guys getting this
[32:54] mindset all right are you guys seeing
[32:56] how I'm seeing it you see it like
[32:58] this the CISSP not too difficult
[33:01] right practice question
[33:04] right practice question 15 in the context of cryptography which
[33:07] 15 in the context of cryptography which of the following statement about the
[33:08] of the following statement about the birthday attack is true it's a type of
[33:11] birthday attack is true it's a type of cryptographic attack that targets weak
[33:13] cryptographic attack that targets weak encryption algorithms it's a collision
[33:15] encryption algorithms it's a collision attack that occurs when two different
[33:16] attack that occurs when two different inputs produces the same hash value it's
[33:19] inputs produces the same hash value it's a form of side Channel attack that
[33:21] a form of side Channel attack that exploits the physical characteristics of
[33:22] exploits the physical characteristics of a cryptographic device it's an attack on
[33:25] a cryptographic device it's an attack on the birthday Paradox that compromise
[33:27] the birthday Paradox that compromise encryption Keys now this one here does
[33:29] encryption Keys now this one here does have a few good answers but one of them
[33:32] have a few good answers but one of them is the absolute true answer more true
[33:34] is the absolute true answer more true than others so first of all let's
[33:36] than others so first of all let's eliminate the absolute wrong one it has
[33:38] eliminate the absolute wrong one it has really nothing to do with the physical
[33:40] really nothing to do with the physical characteristics of any cryptographic uh
[33:42] characteristics of any cryptographic uh devices and it's not considered side
[33:44] devices and it's not considered side Channel attack now it does it does play
[33:48] Channel attack now it does it does play off What's called the birthday Paradox
[33:50] off What's called the birthday Paradox and the birthday Paradox is when you put
[33:52] and the birthday Paradox is when you put a certain number of people in a room
[33:54] a certain number of people in a room there's a high probability that two
[33:55] there's a high probability that two people have the exact same birthday it
[33:58] people have the exact same birthday it does play off of that birthday
[34:00] does play off of that birthday Paradox it is it's a type of cryptograph
[34:03] Paradox it is it's a type of cryptograph that that targets weak encryption we
[34:05] that that targets weak encryption we don't want to say weak encryption
[34:06] don't want to say weak encryption algorithm so I'm going to eliminate this
[34:08] algorithm so I'm going to eliminate this because technically the algorithms are
[34:09] because technically the algorithms are not weak it's just that they didn't have
[34:10] not weak it's just that they didn't have a high enough bit
[34:13] a high enough bit strength so you have it comes down to B
[34:16] strength so you have it comes down to B and D here and we got to understand what
[34:18] and D here and we got to understand what exactly is it now by its definition it
[34:21] exactly is it now by its definition it really is a collision attack when two
[34:24] really is a collision attack when two different inputs produces the same hash
[34:25] different inputs produces the same hash output so that basically is its
[34:28] output so that basically is its definition this uses the birthday par
[34:30] definition this uses the birthday par the birthday Paradox but there's no keys
[34:33] the birthday Paradox but there's no keys in in in in uh in hashen hashen doesn't
[34:37] in in in in uh in hashen hashen doesn't utilize Keys hashen takes data of
[34:41] utilize Keys hashen takes data of basically any length hashes it and
[34:44] basically any length hashes it and produces a cryptographic hash it doesn't
[34:46] produces a cryptographic hash it doesn't it's not a key it's a function the
[34:48] it's not a key it's a function the output that 128bit 256bit hash is not a
[34:51] output that 128bit 256bit hash is not a key that's just a hash value what
[34:54] key that's just a hash value what exactly is a birthday parado quick quick
[34:56] exactly is a birthday parado quick quick lesson on
[34:58] lesson on this by definition hashen takes data of
[35:01] this by definition hashen takes data of any length and any kind of data and
[35:03] any length and any kind of data and outputs technically should be a unique
[35:06] outputs technically should be a unique hash the problem is you have unlimited
[35:08] hash the problem is you have unlimited inputs in other words you can put
[35:09] inputs in other words you can put unlimited amount on or types of data and
[35:13] unlimited amount on or types of data and it's going to Output let's say a 256bit
[35:15] it's going to Output let's say a 256bit hash but there's only certain number of
[35:18] hash but there's only certain number of 256bit hashes which is how many hashes
[35:21] 256bit hashes which is how many hashes with 2 to the 256 a very big number so
[35:23] with 2 to the 256 a very big number so the probability of
[35:25] the probability of having different messages with the exact
[35:28] having different messages with the exact same hash exists but how high is that
[35:32] same hash exists but how high is that probability well let's say let's say
[35:36] probability well let's say let's say that I told you that this algorithm can
[35:38] that I told you that this algorithm can only produce 10 hashes well then there's
[35:40] only produce 10 hashes well then there's a high probability that different
[35:42] a high probability that different messages are going to produce the same
[35:44] messages are going to produce the same hash because you only have 10 probable
[35:45] hash because you only have 10 probable hashes but when the number is 2 to the
[35:47] hashes but when the number is 2 to the 256 it's very unlikely you see the
[35:50] 256 it's very unlikely you see the birthday attack is when is when you have
[35:52] birthday attack is when is when you have two different messages with the exact
[35:54] two different messages with the exact same hash if you only had 10 hash is
[35:57] same hash if you only had 10 hash is probable let's say your algorithm only
[35:59] probable let's say your algorithm only produce 10 hash it's a high probability
[36:01] produce 10 hash it's a high probability of having a birthday attack where does
[36:02] of having a birthday attack where does this affect
[36:03] this affect you what exactly is hashed a lot
[36:06] you what exactly is hashed a lot passwords are hash right no password is
[36:08] passwords are hash right no password is ever stored in clear text or it
[36:09] ever stored in clear text or it shouldn't be it should be stored as a
[36:11] shouldn't be it should be stored as a hash with the birthday attack and affect
[36:13] hash with the birthday attack and affect a system is when let's say your password
[36:15] a system is when let's say your password is car C and I come to your computer and
[36:18] is car C and I come to your computer and I type van and logs me in Su what
[36:21] I type van and logs me in Su what happened here the word car and the word
[36:22] happened here the word car and the word van is producing the same cryptographic
[36:24] van is producing the same cryptographic hash generally the more hashes you have
[36:26] hash generally the more hashes you have like 256 bid it's very unlikely but it's
[36:29] like 256 bid it's very unlikely but it's not impossible and that's the definition
[36:31] not impossible and that's the definition of a birthday attack join me in the
[36:33] of a birthday attack join me in the course and we'll go more into
[36:34] course and we'll go more into cryptography if you want to learn more
[36:36] cryptography if you want to learn more about that let's go to number 16 which
[36:40] about that let's go to number 16 which of the following is the primary goal of
[36:42] of the following is the primary goal of a security awareness training program
[36:45] a security awareness training program within an
[36:46] within an organization to ensure all employees can
[36:48] organization to ensure all employees can effectively respond to security
[36:50] effectively respond to security incidents to reduce the likelihood of
[36:52] incidents to reduce the likelihood of inside of threats and data breaches to
[36:54] inside of threats and data breaches to achieve compliance with industry
[36:55] achieve compliance with industry standards to teach employ the
[36:57] standards to teach employ the organization security expectations now
[37:00] organization security expectations now this is a question of the word primary
[37:03] this is a question of the word primary and the word goal you have to read it
[37:05] and the word goal you have to read it carefully what answer did you get well
[37:09] carefully what answer did you get well you're looking at the end point remember
[37:11] you're looking at the end point remember anytime you see the word goal you're
[37:12] anytime you see the word goal you're looking at the endpoint when you see
[37:14] looking at the endpoint when you see this word primary you know most of those
[37:15] this word primary you know most of those choices are correct like when you're
[37:17] choices are correct like when you're doing security awareness training you're
[37:19] doing security awareness training you're going to teach them what what you expect
[37:21] going to teach them what what you expect them to do you're going to teach them
[37:23] them to do you're going to teach them how to
[37:24] how to respond to security incident
[37:27] respond to security incident you're going to achieve compliance with
[37:29] you're going to achieve compliance with industry standards because that's one of
[37:31] industry standards because that's one of the reasons why you would do it but what
[37:34] the reasons why you would do it but what exactly is the goal well the goal here
[37:37] exactly is the goal well the goal here is really to reduce data breaches why do
[37:41] is really to reduce data breaches why do we do this what is the end point time
[37:44] we do this what is the end point time you see this word go think of well you
[37:46] you see this word go think of well you know what exactly is the main
[37:49] know what exactly is the main reason not doing it doing it is the act
[37:53] reason not doing it doing it is the act of doing the actual action the act of
[37:56] of doing the actual action the act of doing it but the goal is what you want
[37:58] doing it but the goal is what you want out of
[37:59] out of it now let me show you how all of this
[38:02] it now let me show you how all of this links up look to teach employees the
[38:04] links up look to teach employees the security expectations will
[38:06] security expectations will reduce the likelihood of inserted
[38:09] reduce the likelihood of inserted threats to ensure all employers respond
[38:12] threats to ensure all employers respond effectively will reduce employer threats
[38:14] effectively will reduce employer threats now comes B and C which a lot of you
[38:16] now comes B and C which a lot of you guys probably went with C
[38:19] guys probably went with C but why why do we have laws and
[38:22] but why why do we have laws and regulations why do we follow these
[38:25] regulations why do we follow these certain compliance not just the be in
[38:26] certain compliance not just the be in compliance but those compliance those
[38:29] compliance but those compliance those laws and regulations that why we should
[38:31] laws and regulations that why we should have security awareness training is
[38:33] have security awareness training is really to
[38:35] really to reduce the likelihood of threats and and
[38:38] reduce the likelihood of threats and and um data breaches so I want you guys
[38:40] um data breaches so I want you guys remember look at the end goal look at
[38:41] remember look at the end goal look at where exactly are we going with this
[38:43] where exactly are we going with this best
[38:44] best answer number
[38:47] answer number 17 in the context of cloud computing
[38:50] 17 in the context of cloud computing what is the primary concern when it
[38:51] what is the primary concern when it comes to data security and compliance
[38:53] comes to data security and compliance now the word here is compliance you know
[38:56] now the word here is compliance you know when you comes the primary concern with
[38:57] when you comes the primary concern with data compliance data encryption during
[39:00] data compliance data encryption during transmission sounds good physical
[39:03] transmission sounds good physical security data center that sounds good
[39:05] security data center that sounds good data sovereignty so data
[39:07] data sovereignty so data sovereignty this affects the
[39:09] sovereignty this affects the jurisdiction of the data where is the
[39:11] jurisdiction of the data where is the data created where the data is stored
[39:13] data created where the data is stored and the laws that applies to it for
[39:15] and the laws that applies to it for example data collected in the EU because
[39:19] example data collected in the EU because the data was the data of collects there
[39:21] the data was the data of collects there and it's EU citizens data has to have EU
[39:24] and it's EU citizens data has to have EU laws applied to it and jurisdiction
[39:27] laws applied to it and jurisdiction multiactor authentication for cloud
[39:29] multiactor authentication for cloud users I like this because it's a cloud
[39:31] users I like this because it's a cloud this is a good question because when
[39:32] this is a good question because when you're managing the cloud you want
[39:34] you're managing the cloud you want everything you want data encryption
[39:35] everything you want data encryption during transmission you want physical
[39:37] during transmission you want physical security you want to worry about laws
[39:39] security you want to worry about laws you want to worry about hey you got to
[39:41] you want to worry about hey you got to make sure that hackers can't get into
[39:42] make sure that hackers can't get into use multiactor
[39:43] use multiactor now which one is going to be a primary
[39:46] now which one is going to be a primary one the primary one once you get a
[39:48] one the primary one once you get a question like this which one affects all
[39:50] question like this which one affects all the others well let me tell you guys
[39:51] the others well let me tell you guys something the data sovereignty and the
[39:54] something the data sovereignty and the jurisdiction will affect fect the
[39:57] jurisdiction will affect fect the encryption we use will affect how the
[40:00] encryption we use will affect how the data centers are secure and will affect
[40:02] data centers are secure and will affect the type of authentication this is one
[40:04] the type of authentication this is one where you use that mindset if one choice
[40:07] where you use that mindset if one choice can include all the other choices then
[40:09] can include all the other choices then that is the primary thing ideally your
[40:12] that is the primary thing ideally your you think about this what's your primary
[40:14] you think about this what's your primary concern your primary concern is all of
[40:16] concern your primary concern is all of these things so which one here is all
[40:18] these things so which one here is all that's the mindset which one is all go
[40:21] that's the mindset which one is all go with that
[40:23] with that one practice question number 18 which of
[40:27] one practice question number 18 which of the following encryption algorithm is
[40:30] the following encryption algorithm is considered the least computably
[40:32] considered the least computably efficient but provides the highest level
[40:34] efficient but provides the highest level of security ases RSA ECC and Blowfish so
[40:38] of security ases RSA ECC and Blowfish so which one here is not very good at
[40:41] which one here is not very good at Computing which one is really slow in
[40:42] Computing which one is really slow in other words notice this word lease now
[40:46] other words notice this word lease now if you know if you know the difference
[40:49] if you know if you know the difference between symmetric asymmetric hashing and
[40:51] between symmetric asymmetric hashing and so on this a pretty easy one because if
[40:53] so on this a pretty easy one because if you remember in your teaching and your
[40:55] you remember in your teaching and your learning
[40:57] learning symmetric encryption is very quick but
[40:59] symmetric encryption is very quick but passing a key is difficult versus
[41:01] passing a key is difficult versus asymmetric asymmetric is very
[41:04] asymmetric asymmetric is very computationally intensive but it's easy
[41:07] computationally intensive but it's easy to pass the keys around so that means
[41:09] to pass the keys around so that means RSA is the answer here because RSA is
[41:12] RSA is the answer here because RSA is the only asymmetric this is a symmetric
[41:14] the only asymmetric this is a symmetric actually ECC is a symmetric but ECC uses
[41:17] actually ECC is a symmetric but ECC uses a smaller key size than RSA ECC is
[41:22] a smaller key size than RSA ECC is really not too bad when it comes to
[41:24] really not too bad when it comes to computation because it actually uses a
[41:26] computation because it actually uses a small key size versus
[41:29] small key size versus RSA uh so this one no good this one no
[41:32] RSA uh so this one no good this one no good and Blowfish is this is a symmetric
[41:34] good and Blowfish is this is a symmetric algor them so once you know symmetric
[41:35] algor them so once you know symmetric you should have eliminated A and D and
[41:38] you should have eliminated A and D and then it was like RSA and ECC remember
[41:40] then it was like RSA and ECC remember for your exam RSA requires a bigger key
[41:43] for your exam RSA requires a bigger key size than ECC or the elliptic curve
[41:45] size than ECC or the elliptic curve which requires a smaller key size making
[41:47] which requires a smaller key size making RSA not the best when it comes to
[41:49] RSA not the best when it comes to computation for example an RSA key may
[41:52] computation for example an RSA key may be 2048 bit versus an ECC may be 384 or
[41:55] be 2048 bit versus an ECC may be 384 or 256
[41:57] 256 question number
[41:59] question number 19 okay um I don't have a lot of
[42:03] 19 okay um I don't have a lot of questions on sock reports but please no
[42:06] questions on sock reports but please no sock sock reports is on everybody cisp
[42:10] sock sock reports is on everybody cisp exam sock one sock 2 sock three and then
[42:13] exam sock one sock 2 sock three and then type 1 type two reports make sure you
[42:15] type 1 type two reports make sure you know the difference for your test a
[42:17] know the difference for your test a vendor provides you with a sock two type
[42:20] vendor provides you with a sock two type two report what statement most
[42:22] two report what statement most accurately interprets this report the
[42:25] accurately interprets this report the vendor system control gos are properly
[42:26] vendor system control gos are properly designed the vendor has achieved a
[42:28] designed the vendor has achieved a certain level of compliance with a
[42:29] certain level of compliance with a recognize
[42:30] recognize standard the vendor system controls has
[42:33] standard the vendor system controls has been audited over a specific period of
[42:35] been audited over a specific period of time or found to be operating
[42:36] time or found to be operating efficiently the event has no security
[42:39] efficiently the event has no security vulnerabilities now almost all of these
[42:41] vulnerabilities now almost all of these answers are correct but one is more
[42:43] answers are correct but one is more correct than the others here is why
[42:46] correct than the others here is why first of all aak report does tell you
[42:48] first of all aak report does tell you the controls if they're good it does
[42:50] the controls if they're good it does tell you it may tell you if it's
[42:52] tell you it may tell you if it's recognizable by a standard but by
[42:55] recognizable by a standard but by looking at a report you can see if it is
[42:57] looking at a report you can see if it is or is
[42:58] or is not SEC okay whoever is doing the audit
[43:01] not SEC okay whoever is doing the audit I like that but you know what's better a
[43:03] I like that but you know what's better a sock T report is done over a period of
[43:06] sock T report is done over a period of time a sock tour report is generally
[43:07] time a sock tour report is generally done over a period of 6 to 12 months so
[43:11] done over a period of 6 to 12 months so you would see that on a sock two report
[43:13] you would see that on a sock two report they'll say well between this time and
[43:15] they'll say well between this time and this time we ordered the systems and the
[43:18] this time we ordered the systems and the system came back to be good or bad now
[43:21] system came back to be good or bad now remember sock three t a sock uh type
[43:24] remember sock three t a sock uh type three report is basically the same thing
[43:26] three report is basically the same thing except it's more of a high level
[43:27] except it's more of a high level publicly available summary of it make
[43:30] publicly available summary of it make sure to know this topic for your
[43:35] test question 20 which of the following
[43:38] test question 20 which of the following is the primary purpose of a security
[43:40] is the primary purpose of a security policy within an
[43:42] policy within an organization to specify detailed
[43:44] organization to specify detailed technical configuration for for security
[43:46] technical configuration for for security controls to outline roles and
[43:48] controls to outline roles and responsibility security Personnel
[43:50] responsibility security Personnel provide high level guidance and
[43:51] provide high level guidance and direction for security efforts to define
[43:53] direction for security efforts to define specific incidents and response
[43:55] specific incidents and response procedure
[43:56] procedure no for your exam policy so you have
[43:59] no for your exam policy so you have policy standards
[44:02] policy standards guidelines right and then you have your
[44:04] guidelines right and then you have your step-by-step procedures so it's not
[44:07] step-by-step procedures so it's not something that's very technical a policy
[44:09] something that's very technical a policy is a much more of a high level thing now
[44:13] is a much more of a high level thing now this is going to be straight out of your
[44:14] this is going to be straight out of your books any book you read should tell you
[44:16] books any book you read should tell you this
[44:17] this now to specify detailed configuration
[44:19] now to specify detailed configuration for security that's going to be more of
[44:21] for security that's going to be more of a procedure to outline this is going to
[44:23] a procedure to outline this is going to be more of like a racy chart something
[44:25] be more of like a racy chart something that shows roles and responsibilities
[44:27] that shows roles and responsibilities not not so much on a policy to define
[44:30] not not so much on a policy to define specific this is more of an incident
[44:32] specific this is more of an incident respon literally it says the word
[44:33] respon literally it says the word procedur so you should eliminated that
[44:34] procedur so you should eliminated that now remember for your exam policies are
[44:37] now remember for your exam policies are directives from management where does
[44:39] directives from management where does policy comes from management gets
[44:41] policy comes from management gets policies from industry standards and
[44:43] policies from industry standards and property regulations that they have to
[44:45] property regulations that they have to follow so management sets the direction
[44:47] follow so management sets the direction of the organization security with their
[44:49] of the organization security with their policies and remember something if
[44:52] policies and remember something if management is right in the policy what
[44:53] management is right in the policy what do you know about it it's not going to
[44:56] do you know about it it's not going to be technical because they're not it's
[44:58] be technical because they're not it's not going to be super detailed because
[44:59] not going to be super detailed because they generally don't have time to sit
[45:00] they generally don't have time to sit there write detailed stuff so it's going
[45:02] there write detailed stuff so it's going to be more high level but it's going to
[45:04] to be more high level but it's going to set the direction of where we're
[45:07] set the direction of where we're going question
[45:09] going question 21 in a security incident response plan
[45:14] 21 in a security incident response plan what is the primary purpose of a post
[45:16] what is the primary purpose of a post incident review so we got this word
[45:18] incident review so we got this word primary again and then the you know the
[45:21] primary again and then the you know the purpose of it the purpose like what's
[45:23] purpose of it the purpose like what's the end goal here identifying
[45:26] the end goal here identifying Prosecuting the attackers responsible
[45:28] Prosecuting the attackers responsible okay assessing the effectiveness of
[45:30] okay assessing the effectiveness of response and identifying erors
[45:32] response and identifying erors Improvement okay communicating incident
[45:34] Improvement okay communicating incident to external parties such as customer and
[45:36] to external parties such as customer and media okay restoring effective systems
[45:39] media okay restoring effective systems and restore services to normal now
[45:41] and restore services to normal now notice this is the post-incident review
[45:43] notice this is the post-incident review so what's a post incident review is
[45:44] so what's a post incident review is after the incident has happened you're
[45:46] after the incident has happened you're reviewing what happened and what you did
[45:48] reviewing what happened and what you did right what you did wrong this here is
[45:50] right what you did wrong this here is going to be straight up for process of
[45:52] going to be straight up for process of improvement like why would you review
[45:55] improvement like why would you review post me after why would you review after
[45:58] post me after why would you review after the incident it's during the mitigation
[46:01] the incident it's during the mitigation of the incident responding to the
[46:03] of the incident responding to the incident are you going to try to
[46:05] incident are you going to try to identify the
[46:07] identify the attackers so that's not right it's
[46:09] attackers so that's not right it's during that that you may have to uh
[46:11] during that that you may have to uh communicate to customers that their data
[46:13] communicate to customers that their data was lost it's during the response to the
[46:16] was lost it's during the response to the incident you're going to restore system
[46:18] incident you're going to restore system post comes after so read the question
[46:20] post comes after so read the question carefully to get this one right take
[46:23] carefully to get this one right take away from this read your questions
[46:24] away from this read your questions carefully if you didn't get that one
[46:27] carefully if you didn't get that one right which of the following security
[46:29] right which of the following security control is most effective in
[46:32] control is most effective in preventing a malware in uh infections
[46:36] preventing a malware in uh infections from malicious email attachment
[46:38] from malicious email attachment prevention systems content filtering
[46:40] prevention systems content filtering host based firewall and Patch management
[46:43] host based firewall and Patch management now how can we prevent so prevent is not
[46:46] now how can we prevent so prevent is not a detection right prevention stops
[46:50] a detection right prevention stops things before they even occur like how
[46:52] things before they even occur like how can we not even get it onto the machine
[46:54] can we not even get it onto the machine well host based firewall can generally
[46:58] well host based firewall can generally stop things trying to enter the machine
[46:59] stop things trying to enter the machine but if the user initiated especially
[47:02] but if the user initiated especially like on a uh like on a email and
[47:04] like on a uh like on a email and somebody double clicks it and just
[47:05] somebody double clicks it and just starts downloading it'll
[47:07] starts downloading it'll come patch management can stop it from
[47:10] come patch management can stop it from being installed but it wouldn't stop the
[47:12] being installed but it wouldn't stop the things from getting to the machine an
[47:14] things from getting to the machine an IPS can prevent that the virus from
[47:16] IPS can prevent that the virus from getting in to the machine if the virus
[47:19] getting in to the machine if the virus is circulating around the network and it
[47:21] is circulating around the network and it doesn't say whether it's a whole Space
[47:23] doesn't say whether it's a whole Space one or it's a network one so the best
[47:24] one or it's a network one so the best thing how do we really stop the
[47:27] thing how do we really stop the virus from getting to the to the users's
[47:30] virus from getting to the to the users's inbox just use a Content filter the key
[47:33] inbox just use a Content filter the key word here is preventing so you got to
[47:35] word here is preventing so you got to read that one
[47:37] read that one carefully question
[47:40] Question 23: in the context of secure coding practice, which of the following actions is most important for preventing common vulnerabilities like SQL injection and cross-site scripting? Implementing input validation and output encoding; using the latest programming language; regularly scanning the application; encrypting sensitive data in transit.
[48:02] OK, first of all I can eliminate one answer right off the bat here. Notice "vulnerabilities like SQL injection and cross-site scripting". So SQL injection is when they come to your website, they type SQL commands into a field that you have where you can type data in, and they can basically execute SQL commands against your system. Cross-site scripting is when they type scripts into that and then execute it against your website. This can do things like deface the website, expose sensitive data, corrupt data, bring down your websites, creating all kinds of DoS attacks and so on.
[48:34] Now first of all, you could be using SSL, I don't care what type of encryption you're using: if you have coded your website incorrectly and I can just type anything in the boxes on your website, I don't care what encryption you're using, you're going to show me the data. So I can eliminate encryption right off the bat. Using the latest programming language and framework does not prevent SQL injection and cross-site scripting; it's good coding practices that do that. Scanning is not a preventive thing, right? Remember the context: which of the following actions is most important for preventing. Scanning is something you do afterwards to see if a prevention technique is working, so we can eliminate that.
[49:17] And of course the answer here is going to be A. Now, input validation limits what you can actually type into the box. So for example, if a SQL command requires 20 characters and you limit it to just five, then you can't enter that, right? That command could never work. So that's how you would do it with input validation. So remember: input validation and output encoding can solve things like SQL injection and cross-site scripting. All right.
[49:48] Question 24: in security incident response, which of the following is the most critical step immediately after detecting a security incident? Identify the scope and impact of the incident; notify executive management; implement containment and mitigation measures; gather evidence for legal prosecution.
[50:10] So notice "most critical" and "immediately after". So this security incident, what do we do right away? Well, if you try to identify how big this thing is, that's going to take time. Notify executive management and stakeholders, that's going to take time, and this thing could be stealing data as we speak. Gathering evidence is something you're going to do way after the incident. The best thing here to do is going to be to contain the incident.
[50:41] In your study guide there is a list of what you should be doing during security incident response; make sure to know these steps for your exam. The moment an incident is detected you have to contain the incident. For example, you don't want it to spread all over the network, and the longer you wait the more data could be stolen or get corrupted in your business.
[51:01] Practice question 25: an application stores passwords for user authentication. Which of the following would be the best practice for storing these passwords? Encrypting the password using AES; storing the password in clear text with strict access control; using salted hashes for password storage; masking the password before storage.
[51:24] Now this one plays on your level of knowledge. In your cryptography chapters, when you study this, or when I go over it in the class, I show you guys in the course, I'll show you exactly how hashes work and I'll show you guys how I'm going to use a hash function to hash a particular password. So if you know that, you would have known that passwords are hashed. Now, we don't encrypt passwords with symmetric keys, as it wouldn't make sense that you would then need the key to decrypt it. You never store passwords in clear text, and masking doesn't really do anything; masking just doesn't show it on the screen, but the computer still sees it.
[52:02] Now what exactly is a salted password? So a salted hash is basically when they add a bunch of characters to the actual password before they hash it, all right, so the password hashes are more complex, making it somewhat harder to reverse that hash. We'll cover salting in the course; if not, make sure to study it for your exam.
[52:27] Question 26: which of the following security controls is most effective in preventing unauthorized physical access to a data center? Biometric authentication at the server level; CCTV surveillance cameras; mantrap access control; intrusion detection for data centers.
[52:44] Now this one here is preventing unauthorized physical access, so first of all we can eliminate... notice it's "preventing", stopping people from coming in. A camera doesn't stop anyone, all right? You have a camera in your house, it can deter, it can scare, but it's not a preventive control. A detection system is basically like a camera: it can detect people coming in, but it doesn't stop them from coming in. Biometrics at the server level, this is at the server level, that wouldn't stop you; putting biometrics on your server doesn't stop you from coming into your data center.
[53:20] Making it a mantrap. So what's a mantrap? Mantraps are double doors. They come in, it's two doors, people come in one of the doors, they open one door, they come in, that door locks, and before the other door can open for them to get in there's some kind of authentication mechanism: sometimes they have to put a passcode in there, a thumbprint, or some kind of card reader, or a visual inspection by some kind of security guard to let them in. Making this the best preventive way for them to get in. This is the only control here that actually deals with physical access into somewhere.
[53:56] Question 27: which of the following is the most important reason for including security controls in the system development life cycle? To meet regulatory compliance requirements; to ensure secure coding practices are followed; to reduce the overall cost; to expedite the delivery of a new system.
[54:12] So by you including good security controls in your SDLC, which is the way you're going to develop your software, it doesn't reduce the cost; it may actually increase the cost, sometimes it may reduce it, so it's hard to determine that. It doesn't expedite; I think security, security controls are known to slow things down, and it's very subjective. Now it comes to two things: to meet regulatory compliance, and to ensure secure code and practices are followed. A lot of you guys may go with this option, but I'm thinking like a manager. I'm going to go with compliance requirements. Now I'm going to tell you guys, you have to go with one over the other. See, if you're doing one you're not doing the other; remember this mindset.
[54:57] Here's a quick thing: if you're doing it to meet regulatory compliance, right, that's the only reason why you would do it, that's A. B is to ensure that I've got good secure code; you could care less about the requirements. So which one would you go with? Would you go for just requirements, or would you go to ensure secure code and practices are followed? That makes this the best answer. Here's why: because if you go with A, then you're saying that if there are no regulations you're not going to do it. If you go with B, you're saying well, I don't care about any regulations, I include it in the SDLC to ensure code and practices are followed. Isn't that why you do this? And A results in B. Why do they have it? If they put it into regulatory compliance, their whole objective in doing that is to get B.
[55:51] Remember something: as a CISSP, as a manager, you're not thinking at the middle, you're not thinking almost at the end, you're seeing the end, going like why, why are we really doing this? Think like that at your test. All right.
[56:09] 28. Make sure to know this; I can see it automatically: CVE, the Common Vulnerabilities and Exposures database, and CVSS, the score. Make sure you know it for your exam, it's going to be in it. Given the CVE-2023-12345 with a CVSS version 3 base score of 9.8, which of the following is most likely true? So you have to know this for your exam, don't go in there without knowing it. You don't have to know how to calculate the score, just know what the score means. The vulnerability is of low severity and poses minimal threat; it requires a complex condition; the vulnerability is critical and poses a significant risk, yes; the vulnerability impact is primarily related to data confidentiality.
[56:45] OK, the answer here, if you know this one, is pretty easy and straightforward. You know that the CVSS score goes from zero to 10, and generally if something is 10 it's going to be something that is... this 9.8 is something that's easy to do, easy to exploit, creates massive harm against the CIA, confidentiality, integrity and availability. So C is the correct answer here. This is not a low score. It does not require a complex condition; remember, if it's a complex condition the CVSS score reduces significantly. The impact is related to... even if it's related to confidentiality and doesn't affect integrity or availability, the score does get reduced, so it doesn't do that.
[57:27] Make sure to understand your CVSS score before going in for your exam. As security personnel you should also know your CVSS score, so when you see it on a security bulletin you know what it means. In the course we'll go through how to compute it; I'll show you guys a calculator on that.
[57:44] Which of the following security controls is most effective when preventing unauthorized access to sensitive data stored on a mobile device that may be lost or stolen? Strong encryption; regularly updating device firmware; implementing device authentication; or storing data in a secure cloud environment.
[58:03] Now right off the bat I can tell you guys that this question has caused my students a lot of heartache; some people have disagreed with the answer, and I'll tell you how I got to the correct answer. So first thing up, you've got to eliminate one choice. Notice "unauthorized access to sensitive data stored on the device", so you telling it to store it in the cloud does not answer the particular question, so eliminate that. Now the other one I'll eliminate is regularly updating device firmware. Why? Because it can have the best firmware out there, but if the firmware itself or the device itself is not secured, you just keep updating things on an insecure device.
[58:45] Now this is where it gets people: authentication or encryption. So here's what I'll tell you guys, the way to get this answer is: if you have your phone, I have my phone with me, yes I have my phone. So if I have my phone, if you have one you're not going to have the other. Remember that: if you have one you're not going to have the other, that's how you have to think of this. So would you guys... I'm going to tell you guys, you're going to have amazing biometric authentication no one can break, but the data is not encrypted. Or I'm going to tell you guys the data is encrypted, but there's no authentication on it. Now you're probably saying, well, if they can just get in, can they see it? Yes, that's true, but you've got to choose one.
[59:26] All right, now it says biometric authentication; it doesn't say something like password authentication. So when data is stolen, when a device is stolen, somebody finds it, all right, even if they can't get in or get out, what would you want? The best thing here would be to encrypt the data. If the data is encrypted it doesn't matter if they steal the device, because remember, how do you bypass authentication? If you can't get in, you just take out the drive, mount the drive on a different machine, and you can see all the data. So that, you know, that would be the option: if this thing falls into the wrong hands, the data is still unreadable unless they get the encryption keys, making A the best answer.
[01:00:14] 30. Which of the following security principles emphasizes that security mechanisms should not rely on the secrecy of design or implementation? Least privilege; defense in depth; open design; separation of duties.
[01:00:27] The best answer here, guys, is going to be open design. Here's why; it's a pretty straightforward question. Least privilege is when people don't have much power on the network; they're not admins, they're regular users. Defense in depth is utilizing multiple controls to keep things secure: having a firewall, an IDS system, antivirus is a form of defense in depth. Separation of duties is when one person can perform all duties on a system to bypass controls and commit fraud. So open design, such as Linux, which means the source code is available for anyone to see; this one here, there's no secrecy of how the system is designed, how the system is implemented, there's no secrecy on the source code of Linux. There is secrecy on the source code of Windows, though, because that's called a closed design, or closed source versus open source type systems. Make sure to know the difference for your test.
[01:01:21] 31. Which of the following is the most critical aspect of privacy by design? Notice the term for your exam. Encrypting sensitive data at rest and in transit; appointing a data protection officer; involving privacy experts from the inception of the project; regularly updating the organization's privacy policy.
[01:01:43] So notice "critical aspect". Privacy by design is what? It's when you design an application from the very beginning to secure private data: PII, personally identifiable information, PHI, personal health information. So encrypting the data at rest and in transit is good, I like that answer. Appointing a data protection officer who's going to be in charge and oversee it, I like that answer. Involving privacy experts from the very beginning so this thing is designed with privacy... wait a minute, that sounds like the best answer. And regularly updating: it's good to update the policy, but it's not going to... to get this out there is to make sure that you follow certain compliance. I'm going to eliminate that answer. I'm going to also eliminate encrypting sensitive data, although that's an important one. I think the most important thing is, from the very beginning of your steps to design for privacy, having good privacy by design is to bring the right people in and design the program correctly. This is the most critical step.
[01:02:56] So some people will say, OK Andrew, how do you know? I'm doing a real exam, you know, how do I know I'm going to get this one right, how do I get this one right? Say to yourself: if I can only do one thing right, you know, which one here, if you do it right, is going to lead to the others? Which one here, this one here, is going to make sure that you... we've got to get everything here done: you've got to get a data protection officer if you follow GDPR, you've got to update your organization's policy, you've got to encrypt your data. But which one of these choices is now going to... if I do this, it's going to lead me into the others? Well, if you get the right people involved, it's going to ensure that you get the right data; if you do this right you're going to have the right data protection officer; if you do this right you're going to update it. So you get this one correct. Part of the mindset.
[01:03:47] this one correct part of the mindset question 32 when assessing the
[01:03:50] mindset question 32 when assessing the security of industrial controler IC
[01:03:52] security of industrial controler IC Systems what is the primary focus of our
[01:03:54] Systems what is the primary focus of our red team engagement so what's IC
[01:03:58] red team engagement so what's IC industrial control control systems are
[01:04:00] industrial control control systems are things like water power uh Supply system
[01:04:03] things like water power uh Supply system gas supply system big Industrial Systems
[01:04:06] gas supply system big Industrial Systems identifying vulnerabilities conducting
[01:04:09] identifying vulnerabilities conducting penetration testing simulating realistic
[01:04:11] penetration testing simulating realistic attacks audit in compliance with
[01:04:13] attacks audit in compliance with industry standards so first of all you
[01:04:16] industry standards so first of all you got to understand red team and blue team
[01:04:18] got to understand red team and blue team okay to to get this one correct so first
[01:04:21] okay to to get this one correct so first of
[01:04:22] of all red team doesn't really audit for
[01:04:24] all red team doesn't really audit for compliance and standards they're
[01:04:26] compliance and standards they're generally within your
[01:04:27] generally within your business identifying vulnerabilities in
[01:04:31] business identifying vulnerabilities in the infrastructure okay conducting the
[01:04:33] the infrastructure okay conducting the penetration testing okay simulating
[01:04:36] penetration testing okay simulating realistic attack this is going to be the
[01:04:37] realistic attack this is going to be the best answer why is that because a red
[01:04:40] best answer why is that because a red team does do penetration testing a red
[01:04:43] team does do penetration testing a red team does do by them doing that they are
[01:04:47] team does do by them doing that they are going to be identifying and exploiting
[01:04:50] going to be identifying and exploiting vulnerabilities so red team aims to
[01:04:52] vulnerabilities so red team aims to identify vulnerabilities and weakness is
[01:04:54] identify vulnerabilities and weakness is in the system and then they go about to
[01:04:57] in the system and then they go about to exploit it to see what
[01:04:59] exploit it to see what happens so if you're thinking well A and
[01:05:02] happens so if you're thinking well A and B is correct yet it is correct but C
[01:05:06] B is correct yet it is correct but C includes A and B making C the best
[01:05:09] includes A and B making C the best answer on this
[01:05:12] answer on this one
[01:05:14] one 33 when verifying a digital signature
[01:05:17] 33 when verifying a digital signature which of the following steps is the most
[01:05:18] which of the following steps is the most critical for ensuring the signatures
[01:05:23] critical for ensuring the signatures authenticity decrypting the message
[01:05:24] authenticity decrypting the message using the public
[01:05:26] using the public key verifying the digital certificate of
[01:05:29] key verifying the digital certificate of the sender checking the timestamp of the
[01:05:31] the sender checking the timestamp of the signature comparing the hash value of
[01:05:34] signature comparing the hash value of the received data with the decrypted
[01:05:36] the received data with the decrypted hash value in the signature now couple
[01:05:38] hash value in the signature now couple things here you have to understand how a
[01:05:41] things here you have to understand how a digital signature works so a digital
[01:05:44] digital signature works so a digital signature basically takes a
[01:05:46] signature basically takes a message hashes the
[01:05:49] message hashes the message and to produce a cryptographic
[01:05:51] message and to produce a cryptographic hash and then encrypts the hash with the
[01:05:55] hash and then encrypts the hash with the sender private
[01:05:57] sender private key with the sender private key that's a
[01:06:00] key with the sender private key that's a digital signature so what's a digital
[01:06:01] digital signature so what's a digital signature is basically an encrypted hash
[01:06:05] signature is basically an encrypted hash of the message with the sender's private
[01:06:08] of the message with the sender's private key when you receive it for you to
[01:06:11] key when you receive it for you to verify the hash you then take the
[01:06:14] verify the hash you then take the message and you hash it and then you
[01:06:19] message and you hash it and then you decode the signature that was sent to
[01:06:21] decode the signature that was sent to you from the sender with the sender's
[01:06:23] you from the sender with the sender's public key you never get the sender's
[01:06:25] public key you never get the sender's private key and if the two hashes
[01:06:27] private key and if the two hashes matches that means that it had to come
[01:06:29] matches that means that it had to come from that guy from the sender because
[01:06:30] from that guy from the sender because you're using his public key and the
[01:06:33] you're using his public key and the message was never changed why because
[01:06:37] message was never changed why because the hashes match the me the me the
[01:06:39] the hashes match the me the me the hashes didn't match couple things would
[01:06:41] hashes didn't match couple things would have tell you either the message was
[01:06:43] have tell you either the message was changed or you're using the wrong key it
[01:06:45] changed or you're using the wrong key it means it never came from that guy
[01:06:46] means it never came from that guy digital signatures for your exam
[01:06:48] digital signatures for your exam remember it does a couple things it does
[01:06:50] remember it does a couple things it does non
[01:06:51] non audiation Integrity all right so not
[01:06:54] audiation Integrity all right so not reputation the guy can't deny it came
[01:06:56] reputation the guy can't deny it came from him because you're using his public
[01:06:57] from him because you're using his public key so if you know this information this
[01:06:59] key so if you know this information this one here is pretty easy because you
[01:07:01] one here is pretty easy because you notice it doesn't really check for time
[01:07:04] notice it doesn't really check for time stamps verifying the certificate doesn't
[01:07:07] stamps verifying the certificate doesn't actually mean it came from that person
[01:07:10] actually mean it came from that person right you you do know you can check the
[01:07:11] right you you do know you can check the certificate actually came but remember
[01:07:13] certificate actually came but remember the hash was If the message Chang you
[01:07:16] the hash was If the message Chang you wouldn't really
[01:07:17] wouldn't really know decrypting the message using the
[01:07:20] know decrypting the message using the public key you don't decrypt the
[01:07:22] public key you don't decrypt the message you see digital signatures does
[01:07:25] message you see digital signatures does not encrypt the data in fact digital
[01:07:27] not encrypt the data in fact digital signatures doesn't provide
[01:07:28] signatures doesn't provide confidentiality so if you did said that
[01:07:30] confidentiality so if you did said that one incorrect what I just explained to
[01:07:33] one incorrect what I just explained to you was the matur not the process and
[01:07:35] you was the matur not the process and purpose of a digital signature question
[01:07:38] purpose of a digital signature question 34 what is the most import what is the
[01:07:41] 34 what is the most import what is the most critical factor to consider When
[01:07:44] most critical factor to consider When selecting a vendor in the context of
[01:07:47] selecting a vendor in the context of information security vendor reputation
[01:07:50] information security vendor reputation geographic location data classification
[01:07:52] geographic location data classification and business Contour
[01:07:54] and business Contour so you're thinking security all right
[01:07:56] so you're thinking security all right when you're thinking in security you're
[01:07:57] when you're thinking in security you're thinking okay we're going to go out
[01:07:59] thinking okay we're going to go out we're going to select a vendor maybe to
[01:08:00] we're going to select a vendor maybe to store data process data something like
[01:08:02] store data process data something like that you know why are you using this
[01:08:04] that you know why are you using this particular vendor now I do like almost
[01:08:06] particular vendor now I do like almost all the answers here is correct they're
[01:08:08] all the answers here is correct they're all important there things to consider
[01:08:10] all important there things to consider such as the reputation of that vendor
[01:08:12] such as the reputation of that vendor where they're located the type of data
[01:08:14] where they're located the type of data we're going to store with them and
[01:08:16] we're going to store with them and business continuity of that vendor now
[01:08:18] business continuity of that vendor now here's the thing there's one answer here
[01:08:22] here's the thing there's one answer here that holds all the other an there's one
[01:08:24] that holds all the other an there's one answer here that affects all the other
[01:08:27] answer here that affects all the other answer and that answer is going to be
[01:08:29] answer and that answer is going to be data classification and I want you guys
[01:08:31] data classification and I want you guys to no this one because data
[01:08:33] to no this one because data classification will affect everything
[01:08:36] classification will affect everything about the data where it's stored who has
[01:08:38] about the data where it's stored who has access to it how they can access it what
[01:08:41] access to it how they can access it what type of cloud systems it can be used on
[01:08:43] type of cloud systems it can be used on what type of hard drive or or physical
[01:08:46] what type of hard drive or or physical medium that it can be stored on where is
[01:08:48] medium that it can be stored on where is it going to be stored in a vault in a
[01:08:50] it going to be stored in a vault in a file in a lock cabinet where can this
[01:08:52] file in a lock cabinet where can this data be stored so data classification is
[01:08:55] data be stored so data classification is a good answer throughout your exam if
[01:08:58] a good answer throughout your exam if you ever see it as a choice on the exam
[01:09:00] you ever see it as a choice on the exam I want you guys to pay attention to it
[01:09:02] I want you guys to pay attention to it because you know why it's probably going
[01:09:04] because you know why it's probably going to be one of the better answers that are
[01:09:06] to be one of the better answers that are out there so data classification is
[01:09:08] out there so data classification is definitely good because data
[01:09:09] definitely good because data classification May dictate what type of
[01:09:12] classification May dictate what type of reputation the person must have it may
[01:09:14] reputation the person must have it may dictate where this person is located it
[01:09:16] dictate where this person is located it may dictate what type of cont policies
[01:09:19] may dictate what type of cont policies that that person has in place making
[01:09:21] that that person has in place making this the best answer question 35 what is
[01:09:26] this the best answer question 35 what is the primary goal of security governance
[01:09:28] the primary goal of security governance framework compliance with industry
[01:09:30] framework compliance with industry standards mitigating all risk to zero
[01:09:32] standards mitigating all risk to zero maximizing share all the profits
[01:09:34] maximizing share all the profits aligning security with business
[01:09:37] aligning security with business objectives so the primary goal all right
[01:09:41] objectives so the primary goal all right what exactly the primary and this one in
[01:09:42] what exactly the primary and this one in particular is security governance
[01:09:44] particular is security governance framework and particularly security
[01:09:47] framework and particularly security governance so security governance is the
[01:09:49] governance so security governance is the management of all security activities to
[01:09:52] management of all security activities to accomplish basically the organization
[01:09:54] accomplish basically the organization objectives and you can see the answer
[01:09:56] objectives and you can see the answer here so is it compliance with industry
[01:09:58] here so is it compliance with industry standard I like that you're never going
[01:10:00] standard I like that you're never going to mitigate all risk to zero as that is
[01:10:02] to mitigate all risk to zero as that is practically impossible maximize
[01:10:05] practically impossible maximize shareholders profit I do like that
[01:10:07] shareholders profit I do like that answer align in security with business
[01:10:09] answer align in security with business objectives I like this answer so now we
[01:10:11] objectives I like this answer so now we bring it we brought it down to three now
[01:10:15] bring it we brought it down to three now compliance with industry standards this
[01:10:17] compliance with industry standards this is a good answer but it's not the best
[01:10:18] is a good answer but it's not the best answer and the reason for that is
[01:10:20] answer and the reason for that is because you're saying that the goal of
[01:10:22] because you're saying that the goal of this is just so if there was no industry
[01:10:24] this is just so if there was no industry standard you wouldn't have this no not
[01:10:26] standard you wouldn't have this no not the good one maximize shareholders
[01:10:28] the good one maximize shareholders profit and align it with business
[01:10:31] profit and align it with business objectives so maximizing shareholders
[01:10:34] objectives so maximizing shareholders profit is something that is of corporate
[01:10:37] profit is something that is of corporate governance framework not just the
[01:10:39] governance framework not just the security governance framework the
[01:10:41] security governance framework the security governance framework is
[01:10:43] security governance framework is basically to keep the security function
[01:10:46] basically to keep the security function aligned with business objectives that's
[01:10:48] aligned with business objectives that's going to lead to maximizing shareholders
[01:10:50] going to lead to maximizing shareholders profit but it's not the only component
[01:10:52] profit but it's not the only component to maximize shareholders L profit you're
[01:10:54] to maximize shareholders L profit you're going to have good corporate governance
[01:10:56] going to have good corporate governance and that's and remember security
[01:10:58] and that's and remember security governance or is information technology
[01:11:01] governance or is information technology governance information system governance
[01:11:02] governance information system governance is a subset of corporate governance we
[01:11:05] is a subset of corporate governance we learned that in domain one making D here
[01:11:08] learned that in domain one making D here the best
[01:11:10] the best answer practice question 36 which of the
[01:11:14] answer practice question 36 which of the following is best which which of the
[01:11:16] following is best which which of the following best represents the concept of
[01:11:18] following best represents the concept of due care and security governance so this
[01:11:20] due care and security governance so this one here you have to have just no quick
[01:11:22] one here you have to have just no quick definition controls prevent all security
[01:11:25] definition controls prevent all security incident okay exercise and reasonable
[01:11:27] incident okay exercise and reasonable security measure protect asset okay
[01:11:30] security measure protect asset okay conducting security
[01:11:31] conducting security audits uh assigning security
[01:11:34] audits uh assigning security responsibility solely to the IT
[01:11:36] responsibility solely to the IT department now this particular one is a
[01:11:38] department now this particular one is a straightforward definition if you knew
[01:11:40] straightforward definition if you knew the definition you should have gotten
[01:11:42] the definition you should have gotten this one correct as this is the
[01:11:44] this one correct as this is the definition of due care due care is when
[01:11:46] definition of due care due care is when you do what's called reasonable security
[01:11:49] you do what's called reasonable security practices in order to secure an asset
[01:11:53] practices in order to secure an asset it's like what would a reasonable person
[01:11:55] it's like what would a reasonable person have done to secure this machine for
[01:11:56] have done to secure this machine for example a reasonable person updates
[01:11:58] example a reasonable person updates their machine a reasonable security guy
[01:12:00] their machine a reasonable security guy keep backup of data implementing control
[01:12:04] keep backup of data implementing control they do that this is correct conducting
[01:12:06] they do that this is correct conducting uh security audits yeah they do that I
[01:12:08] uh security audits yeah they do that I don't know about this thing here that
[01:12:09] don't know about this thing here that says assign it to slowly to the IT
[01:12:12] says assign it to slowly to the IT department but you do assign it to the
[01:12:14] department but you do assign it to the IT department don't forget by exercis
[01:12:17] IT department don't forget by exercis and reasonable security measures you're
[01:12:19] and reasonable security measures you're going to do a you're going to do c and
[01:12:21] going to do a you're going to do c and you're going to do D some reasons why it
[01:12:24] you're going to do D some reasons why it would eliminated D this word solely and
[01:12:27] would eliminated D this word solely and the other one is a to prevent all
[01:12:29] the other one is a to prevent all security you can't really present
[01:12:30] security you can't really present prevent all you can try your best to
[01:12:32] prevent all you can try your best to prevent most be careful of this word
[01:12:35] prevent most be careful of this word all okay question 37 in a multi-tier
[01:12:39] all okay question 37 in a multi-tier application architecture which of the
[01:12:41] application architecture which of the following layers is most most vulnerable
[01:12:44] following layers is most most vulnerable to injection attacks such as sequin
[01:12:46] to injection attacks such as sequin injection and command injection
[01:12:48] injection and command injection presentation application data link or
[01:12:50] presentation application data link or transport now I included this because
[01:12:53] transport now I included this because every single one of the cisp candidate
[01:12:55] every single one of the cisp candidate or you included will get an OSI question
[01:12:59] or you included will get an OSI question know what happens at the layers know
[01:13:01] know what happens at the layers know what devices happens there because they
[01:13:03] what devices happens there because they may ask for attacks against devices and
[01:13:05] may ask for attacks against devices and more importantly no what attacks can
[01:13:07] more importantly no what attacks can happen at each lirer no for example like
[01:13:11] happen at each lirer no for example like where a Dos may happen such as a ping
[01:13:14] where a Dos may happen such as a ping flood where would that take place in
[01:13:16] flood where would that take place in this particular one we're looking at a
[01:13:19] this particular one we're looking at a SQL injection so if you know SQL
[01:13:21] SQL injection so if you know SQL injections and and Comm B injection you
[01:13:24] injections and and Comm B injection you pretty much know that this was an
[01:13:26] pretty much know that this was an application layer attack and this is not
[01:13:29] application layer attack and this is not something that is uh very difficult to
[01:13:32] something that is uh very difficult to understand because if you understand
[01:13:33] understand because if you understand what's happening at the different layers
[01:13:35] what's happening at the different layers it's not that difficult for example the
[01:13:37] it's not that difficult for example the presentation deals with really
[01:13:38] presentation deals with really formatting of the data not so much so of
[01:13:40] formatting of the data not so much so of typing in and seeing the data and
[01:13:42] typing in and seeing the data and interacting with the application the
[01:13:44] interacting with the application the data link layer this is all the way at
[01:13:47] data link layer this is all the way at the bottom of the OSI model this is
[01:13:49] the bottom of the OSI model this is going to be with the pass and a frames
[01:13:50] going to be with the pass and a frames This concerns itself more with things
[01:13:52] This concerns itself more with things like pass and frames like using a MAC
[01:13:54] like pass and frames like using a MAC address this where switches work so it's
[01:13:56] address this where switches work so it's not really with the application the
[01:13:58] not really with the application the transport layer deals with when data
[01:14:00] transport layer deals with when data arrives at your machine things such as
[01:14:02] arrives at your machine things such as know and the particular port number
[01:14:04] know and the particular port number error check and error recovery and like
[01:14:06] error check and error recovery and like connection oriented connections it's not
[01:14:08] connection oriented connections it's not really going to deal so much so with the
[01:14:09] really going to deal so much so with the application itself the best answer here
[01:14:11] application itself the best answer here is going to be the presentation layer
[01:14:13] is going to be the presentation layer once again make sure you know your OSI
[01:14:16] once again make sure you know your OSI know it inside out know what happens in
[01:14:19] know it inside out know what happens in each layer know what devices operates
[01:14:21] each layer know what devices operates where and of course know the different
[01:14:23] where and of course know the different attack in the course we have a great
[01:14:24] attack in the course we have a great outline on
[01:14:26] outline on that question 38 which of the following
[01:14:28] that question 38 which of the following security assessment methods is most
[01:14:31] security assessment methods is most suitable for evaluating the security
[01:14:33] suitable for evaluating the security posture of an application source code so
[01:14:37] posture of an application source code so you have to
[01:14:38] you have to evaluate basically the security like how
[01:14:41] evaluate basically the security like how secure security posture of the source
[01:14:43] secure security posture of the source code so which one here looks at the
[01:14:45] code so which one here looks at the source code Well Network scanning is not
[01:14:49] source code Well Network scanning is not going to actually look at the source
[01:14:51] going to actually look at the source code social engineering is is talking
[01:14:53] code social engineering is is talking with people you should have eliminated
[01:14:54] with people you should have eliminated those to now comes which one which one
[01:14:57] those to now comes which one which one of these here looks at more of the
[01:14:59] of these here looks at more of the source code vulnerability scanning or
[01:15:01] source code vulnerability scanning or Statics if you use something like the
[01:15:03] Statics if you use something like the Nexus scanner it's not going to scan the
[01:15:04] Nexus scanner it's not going to scan the source code it's going to scan the outer
[01:15:06] source code it's going to scan the outer of the application or the entire
[01:15:08] of the application or the entire compiled the compiled
[01:15:10] compiled the compiled application the only thing here that
[01:15:13] application the only thing here that actually looks at the source code of an
[01:15:15] actually looks at the source code of an application is static analysis in which
[01:15:17] application is static analysis in which case it basically reads the code to see
[01:15:19] case it basically reads the code to see if there's any vulnerability in the code
[01:15:21] if there's any vulnerability in the code make sure you know things for your exam
[01:15:22] make sure you know things for your exam things like Dynamic static testing uh
[01:15:26] things like Dynamic static testing uh for your
[01:15:27] for your exam question number 39 almost all of
[01:15:31] exam question number 39 almost all of you guys will get questions on gdpr know
[01:15:33] you guys will get questions on gdpr know it well for your test which of the
[01:15:35] it well for your test which of the following best captures the primary
[01:15:37] following best captures the primary intent of gdpr insur EU citizens can
[01:15:40] intent of gdpr insur EU citizens can shop online securely protecting the
[01:15:42] shop online securely protecting the fundamental right to privacy to data
[01:15:44] fundamental right to privacy to data privacy of EU citizens uh EU residents
[01:15:47] privacy of EU citizens uh EU residents encourag an international business to
[01:15:49] encourag an international business to operate within the EU streamline an
[01:15:50] operate within the EU streamline an updated
[01:15:51] updated Legacy uh EU privacy so first of all if
[01:15:55] Legacy uh EU privacy so first of all if you know what gdpr is gdpr is is a
[01:15:58] you know what gdpr is gdpr is is a European basically it's a data standard
[01:16:02] European basically it's a data standard or I should say um protection and what
[01:16:06] or I should say um protection and what this does is that it looks at the data
[01:16:09] this does is that it looks at the data privacy and the answer is B of EU
[01:16:12] privacy and the answer is B of EU citizens it basically tells
[01:16:15] citizens it basically tells organizations that if you store EU data
[01:16:18] organizations that if you store EU data the you have to secure it and you have
[01:16:19] the you have to secure it and you have to give the users control back of their
[01:16:21] to give the users control back of their data if you set you have to let them
[01:16:24] data if you set you have to let them know if you're going to uh if you go to
[01:16:26] know if you're going to uh if you go to a website and you have like tracking
[01:16:28] a website and you have like tracking cookies on you have to let them know for
[01:16:30] cookies on you have to let them know for your exam know what the gdpr is I need
[01:16:33] your exam know what the gdpr is I need you guys to know things like the data
[01:16:35] you guys to know things like the data Protection Officer that's an important
[01:16:37] Protection Officer that's an important term and a role make sure to study that
[01:16:39] term and a role make sure to study that for your exam in the course we'll give a
[01:16:41] for your exam in the course we'll give a much more things in different laws you
[01:16:42] much more things in different laws you should be familiar with all right here
[01:16:44] should be familiar with all right here is a question that's a hid and miss that
[01:16:47] is a question that's a hid and miss that some people get some people don't but
[01:16:48] some people get some people don't but you should know the formul is to
[01:16:50] you should know the formul is to calculate in a symmetric in a in a
[01:16:53] calculate in a symmetric in a in a symmetric key network of 100 nodes where
[01:16:56] symmetric key network of 100 nodes where each uh each node securely communicates
[01:16:58] each uh each node securely communicates with every other node using a unique key
[01:17:00] with every other node using a unique key how many symmetric keys are needed so
[01:17:03] how many symmetric keys are needed so this one I put a big
[01:17:05] this one I put a big number but on the exam you're going to
[01:17:08] number but on the exam you're going to have to just no this formula it's n *
[01:17:12] have to just no this formula it's n * nus1 / 2 so I'm going to show you guys a
[01:17:16] nus1 / 2 so I'm going to show you guys a a quick easy example of this so let's
[01:17:19] a quick easy example of this so let's say you have three users on a network uh
[01:17:22] say you have three users on a network uh you have Bob Mary and Jane all right
[01:17:26] you have Bob Mary and Jane all right three people now for these people to
[01:17:28] three people now for these people to communicate securely using a unique key
[01:17:32] communicate securely using a unique key. Now unique means a different key, so you would have a key between Bob and Mary, so when they communicate Jane can't see; between Bob and Jane, so when they're communicating Mary can't see; and between Mary and Jane, so when they communicate Bob can't see. So one, two, three keys. If Peter joined the mix, Peter needs a unique key with Bob, with Jane and with Mary. That means six keys; three more were added. So if you have four people just do the math: you put 4, 4 - 1 is 3, 3 * 4 is 12, 12 / 2 is 6. So if you put in the number 100 and you do the formula you get 5050. Now this is not a calculation for your exam; it's one of the few formulas you need to know. There are some formulas in risk management that I tell students to know, they're hit or miss when you get them, but so is this one.
[01:18:20] Okay, next question. When assessing the risk to PHI in a cloud environment, which of the following should be of primary concern? Location of the data center; type of encryption used in the data storage; SLA uptime guarantee by the cloud provider; data access and control agreements with the provider. Okay so this one here, good set of things. If I was you I'm looking at this going man, all these are good, yeah, because you know if the data center is stored in Russia you probably don't want that. The type of encryption, yeah, if they use weak encryption you don't want that. SLA uptimes, notice this is PHI, should that be a primary concern? Although I would be concerned with the uptime, not so much; I'm thinking more of like losing the data to hackers, not just it going down. Data access and control agreements with the provider, I think I would need that because we need to make sure the provider has that in place. Now you got to apply some of the techniques I've taught you so far. If you did it you probably got the answer already, because the answer here is the most generic answer. You see, location of the data center is important because if the data center is in China or Russia, you don't want that data center to be in a country where, you know what, maybe the government can control that or take control of it, or is an adversary of us in the United States. Type of encryption used in the data storage, you probably, you know, you're worried about that because if they use DES you don't want that; you want them to use AES encryption. When you come down to choices where you're like man, these two are 100% right, then go with the one that includes both, because the agreement can specify where the data should be located, the agreement can specify the type of encryption that should be there. So if you had applied the right technique you should have got this one right.
[01:20:16] 42. Why is data remanence considered a security concern? It increases the storage costs; it can lead to the data being corrupt; residual data might be recoverable after deletion or disk wipe; it results in slow data access. Data remanence is a hot topic. Data remanence, if you know the definition here, it's a pretty easy question. Data remanence is when you take out a hard drive, you delete the data off of it, and the data is not all deleted, or most of it or some of it is recoverable. So that is definitely C. An increase to the storage cost: it doesn't increase storage costs because you're getting rid of storage. It can lead to the data being corrupt: it has nothing to do with data corruption, it's more about data being recoverable. It results in slow data access: with data remanence you erase the disk; there's nothing about accessing data. Now you're going to worry about data remanence and the security concern because if you take out a hard drive that has a lot of data on it, you put that drive in the garbage, that data might still be accessible and people can then take that and recover data, basically steal your data or get your data from your business. Best thing to do is to do things like sanitize the media, run a giant magnet across it, or shred the drive so the data is unrecoverable.
[01:21:33] Question number 43. A security analyst observes multiple unauthorized data extraction attempts from a database server. Upon investigation, all extraction attempts have been tracked back to a single user account. Which of the following should be the analyst's immediate action? Delete the user account; notify the user; isolate or disable the account and initiate an incident response; implement stricter access control in the database. So I mentioned earlier in this video, when you're doing security incident response you have to follow the steps. So right now you notice this: upon investigation all attempts have been tracked, so you know the attack is happening, you have to contain it, right? You have to stop it. How do you stop this account from this happening right away? Choose the best answer. Deleting the user account: you don't delete anything, because deleting user accounts can cause data to be lost. You don't call the user and tell the user what you're doing right away. The best thing here is to disable this account. Implementing stricter access control: this person already has it; you need to disable and stop it, because with stricter access control in the database server, maybe he has access or does it to another server. Best answer here is definitely to isolate, disable it. So those steps that you learn about in the course, your security incident response steps, make sure to follow them even if the question doesn't ask like, you know, what step to do next, because this is a scenario-based question.
[01:23:08] Question number 44. Which of the following security assessment methods is most effective for identifying known vulnerabilities that are not disclosed publicly? Notice: most effective, identifying unknown vulnerabilities that are not disclosed publicly. Vulnerability scanning; penetration testing; code review; information security and event management. Okay so this one here, I thought this one was pretty easy; a lot of my students have trouble with this one. Let's go through it. The keyword here is "not publicly disclosed", and notice it's identifying unknown things that haven't been found. If it's something that's unknown, a vulnerability scanner is not going to find it; the vulnerability scanner uses a database of known vulnerabilities. Information... the SIEM systems, this just correlates events; this is not going to help you detect things, and it's not going to help you go out to detect, and if it does have a detection engine on it, it has to be known. Code review and penetration testing, so this is where this one becomes difficult: if you're reviewing code or doing a penetration test. The best thing here, I'm going to tell you guys, is a penetration test, and here's why. You see, a penetration test, ethical hacking, one of the courses I teach is C by the way, this here finds all kinds of vulnerabilities within a system. A pen tester will try all different vulnerabilities and try to exploit those vulnerabilities, look for new vulnerabilities to find. A code review is generally done by pro programmers. Code reviews, they're good, but that's done more at the application level and it's mostly going to look for known, for example static analysis, it's to look for known vulnerabilities in certain code. Versus a pentest is the best of these answers.
[01:25:11] Question 45. In the context of forensics investigation, which of the following best describes the primary purpose of maintaining a chain of custody? So what's a chain of custody? It's basically a document that tracks evidence from the moment you gather it to giving it back, so that whole evidence life cycle, from collection of the evidence, storing it, analyzing it, presenting it, returning it. Now it'll say who took it, when they took it, how they took it, where they store it, who had access to it, when did they access it, what did they do with it. Basically it is a document showing me every single thing, documented, that has happened to this evidence. It ensures evidence is properly cataloged: not necessarily. To demonstrate the integrity: yes it does, because it looks to how the evidence was handled, if it was handled correctly. To ensure only authorized: it doesn't do that, it just shows how the evidence was handled. To protect it: no, it doesn't really protect anything; evidence protection is like storing it in an encrypted vault, not using the chain of custody. So the chain of custody is to demonstrate the integrity of it.
[01:26:19] Question number 46. Which of the following provides the best assurance of an application's security posture over time? Conduct annual pentests; implement strict password policy; continuous integration with security testing; quarterly vulnerability assessment. I thought this one was easy, hopefully you guys got it. Notice it's "best assurance" and it's going to be done "over time". There's a couple of things here. Penetration test: this doesn't have to be done annually, okay, they could be done annually, they could be done quarterly or as needed. Stricter password policies, well, passwords are good, but it says over time; I'm not sure how password policies affect over time. Quarterly, a vulnerability test for example like the PCI is done dependent on how many swipes you have or how many cards you do, so not necessarily quarterly. See, these are put in hardcore timestamps on these things. So the best thing here guys is continuous integration. This one, the words "best assurance" and especially "over time", you have to go with the word continuous. Security is not a quarterly thing, it's not an annual thing, it is a continuous thing.
[01:27:33] Question number 47. An organization wants to make sure its sensitive data is unreadable if it's intercepted during transmission. Which principle is the organization most concerned about? So hopefully you guys... this is the beginning, this is the first chapter you're going to read in your book, this is going to be about the CIA, all right, confidentiality, integrity and availability. If you intercept data you can't access the data. Best answer here guys is going to be C. This is basically one, the definition here: only authorized individuals can access or read the particular data; that's basically the definition of confidentiality. Integrity is no unauthorized modification or no unintentional modification. Availability is the uptime of the data. Non-repudiation is a subject cannot deny that an event has taken place.
[01:28:21] Question number 48. In the context of mobile application development, ensuring that application components are not exposed to other apps on the same device refers to... All right, you guys need to know this one for your exam, you need to know the term. Is it data in transit? Data in transit is when data is moving from one location to the other. They're looking at other apps on the same device, so it's not going to be this; this is more for like network, unless like SSL would do this, SSH. Code obfuscation is basically hiding the source code to make it harder for people to read it. Data at rest, this encrypts the data; this is data not being exposed to other apps on the same device. The best thing here is a sandbox. So on mobile devices we have application sandboxes. So a sandbox basically restricts the memory space so only that app can operate there; that way other apps can't bleed over or get over to that space and steal the app's data. It's one of the things, because of application sandboxing, it's one of the things that makes mobile devices pretty secure.
[01:29:30] Question number 49, we're getting down to the end here. Which of the following is the most critical factor for ensuring the success of a security governance program? Advanced technology; comprehensive security policies; strong executive support; and experienced security staff. Now if you have been studying CISSP you should know this one right off the bat. It is a common CISSP question, in which case the most important part of any security program is of course going to be senior management support. Senior management support. If you don't have senior management support you will not have comprehensive policies, because remember, it comes from management. You will not have experienced security staff, as they wouldn't hire it. You wouldn't have advanced technology or the great technology because they wouldn't care to implement it. Once senior management supports, everything starts to fall into place: you get the right budget, you get the right people, you get the right technology, you get the right standards to follow, you get the right guidelines and procedures and all that great stuff.
[01:30:33] Question number 50. In a tokenization system, what primarily distinguishes a token from the original sensitive data it represents? Now: the token is always longer than the original data; the token contains an encrypted segment of the data; the token on its own has no meaningful value or information; the token must be reversible to the original data without any additional information. So you guys should know tokenization. Tokens are used a lot. You go to PayPal, you check out, you're using a token. You go to Best Buy, you check out with PayPal, you're using a token. A token is basically a representation of sensitive data. The token by itself has no meaningful value. If you steal the token you can't get the data. So a token is used to represent a block of data; for example a token can be used to represent a particular credit card, and every time you use this token it bills your credit card, but if somebody ever steals your token they can never get back your credit card. So that's what a token is for. This one is more of a data definition question.
[01:31:39] All right, I said I got 50 questions; I got one more for you, just throwing a bonus in here. I wanted to include this one because a lot of people are getting questions on DevSecOps, agile, continuous deployment, continuous integration, CI/CD. Let's see what this question is. Just make sure you study these topics for your exam. In a DevSecOps environment, where does the responsibility for security primarily lie in the context of continuous integration / continuous deployment versus agile? Solely with the security team in CI/CD and with developers in agile; equally distributed across; primarily with developers in CI/CD and equally across all the teams in agile; solely within the operations team in CI/CD and with the security team in agile. Okay, DevSecOps. So DevOps is continuous deployment, continuous integration, keep pushing out software, keep updating software. Agile is the development of software generally done in increments or in iterations, things like following scrum, extreme programming and so on. If you guys know me you know I teach a lot of project management, but anyhow, this question I did find it to be pretty easy because it follows an old principle: security lies in whose hand? Security lies in everyone's hand. B. Security is not something that lies in the hands of just developers; security doesn't lie in the hands of just implementers or installers; security is basically everyone's responsibility. All right, that's one of the first things we're going to learn about security: security is not just one person's job, it's everybody's job. Everybody has to do their job because if there's one break in security the entire thing breaks.
[01:33:29] All right guys, that concluded my 50 questions. If you found value in this video give it a like, subscribe to the channel, we'll do a lot more videos. If you guys want me to do more of these kinds of videos to help you pass your exam, let me know, I'll be happy to. It took me a while to make this; it did take me a while to make these questions, to do it. Hopefully this helps you out. I did this a lot for my own students; they have asked me to review these
[01:33:57] they have asked me to review these questions quite a lot so I said let me
[01:33:59] questions quite a lot so I said let me make a video and shared with everyone
[01:34:00] make a video and shared with everyone else if you are studying for your
[01:34:03] else if you are studying for your cissp and um you want to join me in a
[01:34:06] cissp and um you want to join me in a class i' would be greatly appreciate it
[01:34:08] class i' would be greatly appreciate it here's what I tell people guys studying
[01:34:10] here's what I tell people guys studying for the cissp is not where you take it
[01:34:12] for the cissp is not where you take it if you go you spend $4,000 10,000 $8,000
[01:34:15] if you go you spend $4,000 10,000 $8,000 some of these crazy companies that are
[01:34:17] some of these crazy companies that are charging crazy money you know it's not
[01:34:19] charging crazy money you know it's not where you take it it's who's teaching it
[01:34:21] where you take it it's who's teaching it that matters I've been teaching this a
[01:34:22] that matters I've been teaching this a long time so I'm going to tell you guys
[01:34:25] long time so I'm going to tell you guys hey join me in a class uh me and my
[01:34:28] hey join me in a class uh me and my colleagues here I did all the training
[01:34:29] colleagues here I did all the training videos for the cisp Tia so when you sign
[01:34:33] videos for the cisp Tia so when you sign up for a class you'll get my entire boot
[01:34:34] up for a class you'll get my entire boot camp as a uh a video course and I may
[01:34:37] camp as a uh a video course and I may even be your boot camp instructor so
[01:34:40] even be your boot camp instructor so guys if you found value once again
[01:34:41] guys if you found value once again please like the video subscribe to the
[01:34:44] please like the video subscribe to the channel I'll see you in the next
[01:34:46] channel I'll see you in the next video