CISSP PRACTICE QUESTIONS – 20200901

Conventional network segmentation through switch hubs, VLANs, or firewalls improves network performance and administration.  However, it cannot provide granular and dynamic security enforcement to meet diversified and dynamic business environments. As a security professional, you are concerned with advanced persistent threats (APTs). Which of the following is least likely to mitigate the threat?
A. Employ Zero Trust infrastructure
B. Micro-segment networks to support lateral movement
C. Enforce and demonstrate compliance, e.g., HIPAA, PCI-DSS, or SOX
D. Use separate software environments, e.g., dev, testing, and stagging

Continue reading

Lateral Movement

What is Lateral Movement?

Lateral movement refers to that attacker’s untargeted, stealthy exploration and navigation around networks for high-value assets after gaining initial access. Lateral Movement is an attack tactic defined in the MITRE ATT&CK knowledge base.

Lateral movement refers to the techniques that a cyberattacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools.

Lateral movement is a key tactic that distinguishes today’s advanced persistent threats (APTs) from simplistic cyberattacks of the past.

Source: CrowdStrike

Continue reading

CISSP PRACTICE QUESTIONS – 20200831

Your company is planning for migrating the on-premise E-Commerce system to a PaaS. As a security professional, which of the following is the least concern for the selection of cloud service providers?
A. The location of data persistence.
B. The elasticity of backend services.
C. The report on security controls at the user entity.
D. Rules of engagement when conducting pentesting.

Continue reading

Wentz’s Publications

1. The Effective CISSP: Security and Risk Management

Security and Risk Management (SRM) is the first book in my “The Effective CISSP (TEC)” series. I wrote this book as a supplement or complement but not a replacement to the well-known study guides, e.g., the Sybex Official Study Guide (OSG) or McGraw-Hill All-In-One (AIO).

This book helps in the preparation of CISSP, CISM, and other security certification exams. Moreover, it’s an excellent reference in practice. It introduces the following core security concepts across domains, but not all the eight domains, with a holistic and integrated approach:

Continue reading

CISSP PRACTICE QUESTIONS – 20200830

To improve operational transparency and achieve legal and regulatory compliance, your company is implementing the information governance (IG) program. After taking the inventory of assets, you are considering asset classification and protection. As a member of the steering committee, which of the following is not an appropriate treatment?
A. Recipes, as trade secrets, should be classified by the management.
B. Patents, as confidential contents, should be classified by the data owner.
C. Personal data, as private information, can be anonymized by the data processor.
D. Forensic evidence and e-discovery shall be handled by qualified staff.

Continue reading

CISSP PRACTICE QUESTIONS – 20200829

A life cycle is a collection of predefined stages/phases and processes. The conventional term, SDLC, may refer to the development life cycle of a system or software. Which of the following is not true?
A. An SDLC can be repeated as many times as a project requires.
B. The NIST SDLC is more prescriptive than software-based SDLC.
C. A short iteration as a sprint entails delivering values when an SDLC ends.
D. The acquisition is not a concern of SDLC because development is not procurement.

Continue reading

Handy Navigation in the Kindle Reader

The Effective CISSP: Practice Questions

This book is a compilation of Wentz QOTD, which is publicly available on Wentz’s blog for free. So, you don’t have to buy it. It comprises 365 questions well categorized into CISSP domains and topics.

  • The Kindle version has been published and available on Amazon.
  • The paperback version is still in review and will be available soon.

Handy Navigation

The following video demonstrates how to navigate between questions and answers in the Kindle reader.