CISSP PRACTICE QUESTIONS – 20210407

Effective CISSP Questions

Which of the following least aligns with the concept of Zero Trust? (Wentz QOTD)
A. Record network traffic for visibility
B. Encrypt traffic over LAN using IPSec
C. Dynamically open ports using port knocking
D. Implement multi-tier firewalls as part of the defense-in-depth strategy

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Implement multi-tier firewalls as part of the defense-in-depth strategy.

The concept of Zero Trust was incepted as early as 2003 when de-perimeterization, removing the physical network locations, was prevalent. Many organizations started initiations to implement similar concepts. NIST published the special publication 800-207 in Aug. 2020, that unified various perspectives, introduced the Zero Trust concepts and environment and proposed a Zero Trust Architecture.

Never trust, always verify. The fundamental concept of Zero Trust is no reliance on physical locations to authorize access implicitly (trust). Every access has to be authenticated, explicitly authorized, and logged; data flow needs to be encrypted and recorded. A fine-grained and dynamic mechanism should be implemented to support access control. As a result, I conclude Zero Trust is a new cybersecurity paradigm for access control, or Access Control 2.0, that features data-centric, fine-grained, dynamic, and visibility.

  • Accounting and recording network traffic provides visibility.
  • Zero Trust is location agnostic. Encrypting traffic over LAN using IPSec as what happened in the WAN.
  • Port knocking applies authentication at the port level and supports dynamic policies. Besides, we also use network access control (e.g., 802.1X) and user authentication at the application level. Never trust, always verify.
  • Multi-tier firewalls imply security is enforced by physical network locations, e.g., external, DMZ, and internal networks. It’s not a Zero Trust flavor, which centers on data or assets and uses logical boundary or software-defined perimeter.
Evolvement of Zero Trust Concepts

Zero Trust Cybersecurity Paradigm

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

以下哪一項最不符合零信任(Zero Trust)的概念?(Wentz QOTD)
A. 記錄網絡流量以獲取可見性(visibility)
B. 使用IPSec加密LAN上的流量
C. 使用端口敲門(port knocking)來動態打開端口
D. 實施多層(multi-tier)防火牆作為縱深防禦策略(defense-in-depth)的一部分

Leave a Reply