Reduce Cyber Risk Podcast - Cyber Security Made Simple

RCR 059 - How to Understand Threat Modeling for the CISSP Exam Prep

Description:

Shon Gerber from ShonGerber.com provides you with the information and knowledge you need to prepare for and pass the CISSP Exam, while giving you the tools you need to enhance your cybersecurity career. Shon draws on his expansive knowledge and his years of training people in cybersecurity to deliver superior training.

In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam.

  • CISSP Article – Threat Modeling
  • CISSP Training – Data Integrity and Threat Modeling
  • CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/

CISSP Exam Questions

Question:  060

You are a security consultant. A large enterprise customer hires you to ensure that their security operations are following industry standard control frameworks. For this project, the customer wants you to focus on technology solutions that will discourage malicious activities. Which type of control framework should you focus on?

  • A.  Preventative
  • B.  Deterrent
  • C.  Detective
  • D.  Corrective
  • E.  Assessment

Answer: [B] Explanation: Deterrent frameworks are technology-related and used to discourage malicious activities. For example, an intrusion prevention system or a firewall would be appropriate in this framework. On the exam the deciding word is "discourage": the same firewall described as blocking traffic would be classified as a preventative control, so read the verb in the scenario carefully.

There are three other primary control frameworks. A preventative framework helps establish security policies and security awareness training. A detective framework is focused on finding unauthorized activity in your environment after a security incident. A corrective framework focuses on activities to get your environment back to normal after a security incident. There isn't an assessment framework.

Source: From <https://blog.netwrix.com/2018/05/16/cissp-practice-exam-free-online-test-questions/>

------------------------------------

Question:  061

You are performing a risk analysis for an internet service provider (ISP) that has thousands of customers on its broadband network. Over the past 5 years, some customers have been compromised or experienced data breaches. The ISP has a large amount of monitoring and log data for all customers. You need to figure out the chances of additional customers experiencing a security incident based on that data. Which type of approach should you use for the risk analysis?

  • A. Qualitative
  • B. Quantitative
  • C. STRIDE
  • D. Reduction
  • E. Market

Answer: [B] Explanation: You have three risk analysis methods to choose from: qualitative (which uses a risk analysis matrix), quantitative (which uses money or metrics to compute), or hybrid (a combination of qualitative and quantitative, not an answer choice in this scenario). Because the ISP has monitoring and log data, you should use a quantitative approach; it lets you quantify the chances of additional customers experiencing a security incident rather than assigning a subjective rating.

STRIDE is used for threat modeling. A market approach is used for asset valuation. A reduction analysis (decomposition) is a threat modeling step: it breaks a system into its components, trust boundaries, data flows and entry points so that each can be analyzed once rather than repeatedly.

Source:  From <https://blog.netwrix.com/2018/05/16/c
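As an added worked example (not code from the podcast or from the Netwrix quiz), the following Python contrasts the two approaches named in the explanation for question 061 on constructed ISP data: a quantitative estimate of the per-customer incident rate from five years of logged incidents, the expected number of incidents next year (ARO), the probability that a given customer is compromised, and the annualized loss expectancy (ALE = SLE x ARO), next to a qualitative risk-matrix rating of the same scenario. Every figure in it, the yearly customer and incident counts, the single loss expectancy, and the risk-matrix bands, is a hypothetical assumption made for illustration.

```python
"""Quantitative vs. qualitative risk analysis on constructed ISP incident data.

Added example for question 061; it is not code from the podcast or the
Netwrix quiz. All customer counts, incident counts and dollar figures are
constructed (hypothetical) and only illustrate the method.
"""
import math

# Constructed: incidents found in the ISP's monitoring/log data per year,
# with the number of broadband customers served that year (hypothetical).
INCIDENT_HISTORY = {
    2014: {"customers": 40_000, "incidents": 48},
    2015: {"customers": 46_000, "incidents": 61},
    2016: {"customers": 51_000, "incidents": 74},
    2017: {"customers": 58_000, "incidents": 70},
    2018: {"customers": 63_000, "incidents": 96},
}


def per_customer_annual_rate(history):
    """Pooled incident rate per customer-year: total incidents / total customer-years.

    Pooling across all years weights each year by how many customers it
    covered, so a growing customer base does not bias the estimate.
    """
    incidents = sum(year["incidents"] for year in history.values())
    customer_years = sum(year["customers"] for year in history.values())
    return incidents / customer_years


def expected_incidents(history, customers_next_year):
    """Annualized rate of occurrence (ARO) for the whole customer base next year."""
    return per_customer_annual_rate(history) * customers_next_year


def prob_customer_compromised(history, years=1):
    """Chance that one given customer has at least one incident within `years`.

    Incidents are modelled as a Poisson process with the pooled rate, so
    P(at least one) = 1 - exp(-rate * years). For a small rate this is close
    to rate * years, but the Poisson form stays valid for long horizons where
    plain multiplication would exceed 1.0.
    """
    lam = per_customer_annual_rate(history) * years
    return 1.0 - math.exp(-lam)


def annualized_loss_expectancy(history, customers_next_year, sle):
    """ALE = SLE x ARO: the dollar figure a quantitative analysis produces.

    `sle` is the single loss expectancy, the cost of one customer incident
    (assumed here; a real figure comes from incident-response records).
    """
    return sle * expected_incidents(history, customers_next_year)


# Qualitative alternative: the same scenario on a 5x5 risk matrix, which only
# yields an ordinal rating, not a number that can be compared with the cost
# of a countermeasure.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_rating(likelihood, impact):
    """Map a likelihood/impact pair to low, medium or high via a risk matrix.

    The bands (>=15 high, >=8 medium) are an assumption; every organisation
    defines its own, which is exactly why qualitative results are hard to
    compare across teams.
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


if __name__ == "__main__":
    customers = 70_000  # hypothetical customer base for next year
    sle = 25_000        # hypothetical cost per customer incident, USD
    print(f"per-customer annual rate: {per_customer_annual_rate(INCIDENT_HISTORY):.5f}")
    print(f"expected incidents next year (ARO): {expected_incidents(INCIDENT_HISTORY, customers):.1f}")
    print(f"P(one customer compromised within a year): {prob_customer_compromised(INCIDENT_HISTORY):.4%}")
    print(f"ALE at SLE ${sle:,}: ${annualized_loss_expectancy(INCIDENT_HISTORY, customers, sle):,.0f}")
    print(f"qualitative rating (likely, major): {qualitative_rating('likely', 'major')}")
```

The quantitative path ends in a figure (roughly 95 expected incidents and an ALE of about $2.4M on the constructed data) that can be set against the annual cost of a countermeasure; the qualitative path ends in "high", which cannot. That difference is what the question is testing: when you have the log data, use it.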

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.


By Shon Gerber, vCISO, CISSP, Cyber Security Consultant, Author and Entrepreneur