Comments
@kiwimatto 17 hours ago
I went wrong on this one for two reasons, first, I looked for "One of these things is not like the other" which should sound familiar. 3 of them referred to 'consumer' and my mind went to consumer / retail / household, not a business consumer. Then I looked at A which talked about TOE, and I remembered just about enough of common criteria to know that a Target of Evaluation was a common criteria thing. And so I chose A, which from the earlier comment I now know was not incorrect, but not the 'best' answer. Clearly 'best' in this instance needs to include it is a category of products, and implementation independent. Thanks for these videos and your tips. I'm nearly there!
@asonguchap3902 4 days ago
This lady is awesome. Honestly, I used this logic and it works like magic 🪄
@Man0fMeans 10 days ago
First!
@kelpere 14 days ago
In Bell-LaPadula, there is a concept of 'Trusted Subject' which can violate all the * property restrictions. Not sure if it applies to Biba as well.
@hassanlodhi3002 17 days ago
I chose D. But don’t you think security policy would be a better term here than corporate policy?
@GwenBettwyTSI 17 days ago
Possibly, but to make unique questions words like that have to change.
@hassanlodhi3002 17 days ago
@GwenBettwyTSI BTW, I have already purchased your Udemy mock tests, and once I’m done reading OSG I’ll have a go at them.
@hassanlodhi3002 17 days ago
I was confused between A and C but chose C because I believed that whatever product you’re going to buy it should be able to address your needs above all.
@GwenBettwyTSI 17 days ago
You got it!
@zanthemancpa6031 1 month ago
This is GOLD! Thank you!
@donnyboy8195 1 month ago
Cheers Gwen, thank you
@mainHERO88 1 month ago
Bookmarking 34:52 for remembering the order! Great video!!!
@GwenBettwyTSI 17 days ago
Thanks for that!
@jvbenjamin 1 month ago
Your videos helped me clear the CISSP in January. Thank you, from India! :)
@GwenBettwyTSI 1 month ago
Glad it helped!
@Man0fMeans 1 month ago
LOVE these, Gwen! Thank you!
@GwenBettwyTSI 1 month ago
You are so welcome!
@claudiamanta1943 2 months ago
Thank you 😊 You are a very good teacher- even I understood 😃
@GwenBettwyTSI 17 days ago
Thank you! 😃
@claudiamanta1943 2 months ago
12:20 😃👀
@claudiamanta1943 2 months ago
Thanks 😊
@GwenBettwyTSI 1 month ago
Welcome 😊
@claudiamanta1943 2 months ago
50:39 I wish. Unfortunately, small people like me are at the mercy of idiots, so it becomes personal.
@claudiamanta1943 2 months ago
44:50 Two framed photos on the wall behind you caught my eye, maybe because I am a cocky lone wolf 😄
@AnthonyNyamu 1 month ago
😊😊
@claudiamanta1943 2 months ago
39:20 😃 I like your style.
@claudiamanta1943 2 months ago
37:19 Indeed. Treat them with respect, support them, and make them loyal to your enterprise. If you want to be cynical about it, it’s safer and cheaper in the long run.
@claudiamanta1943 2 months ago
35:27 What for? Just to pass this test or the GRC bit of an audit?…
@claudiamanta1943 2 months ago
28:34 OK, risk analysis. I agree. However, I totally lack confidence in a system that is inherently vulnerable like hell. By default. It feels almost like on purpose. To mention but very few sources of risk: Ineffectual control of critical infrastructure that can affect matters of national security. National agencies using contractors (which is, effectively, “man-in-the-middle”s awaiting to happen). The reactive security default stance. Over-reliance on technology. Who told you that using clouds (or various forms of AI which are only as intelligent as their programmers) is a good idea? Using OSs and other software products that are purposefully deficient and with a short lifespan in order to secure further revenue to the software developers who need to sell antivirus products and suchlike. The obvious (to the outsider) promotion of a naive and narrow mindset whilst cynically speaking about Zero Trust (beware of the ‘trusted partners’). I really don’t know why people have to have an adversarial mindset (I do, actually, know- to have someone to blame for their own incompetence), but it is not really working long-term. Speaking of- has it even occurred to anyone, busy as everyone is to chase the scent of mundane technological red herrings, that any AI (or other technological system) can be hacked into, either by other humans or an alien civilisation? No. Obviously not. I truly, truly hope that humankind will not have to face a Zero Day attack from another species because as the West is awfully vulnerable, so is the entire planet one cosmic sitting duck.
@claudiamanta1943 2 months ago
27:33 There are sectors that should not be left at their own devices, at the whim of irresponsible corporate managers. Take the energy sector, transport, water supply, healthcare, telecommunications- they should be recognised for what they are i.e. critical infrastructure. Imagine a big water supply company being hacked into. Or a biolab database being compromised (modifying data would be worse than stealing it for corporate espionage purposes).
@claudiamanta1943 2 months ago
26:20 That’s where the risks assessments are flawed. Take Mitre Att&ck which is a superb endeavour. It cannot help you assess unknown risks and prepare properly (maybe against script kiddies attacks and other small hacker fish). All you can reliably assess is your defences. What do all successful attacks have in common? Or, better put, why are they successful? (*Hint* the first and most important layer of the answer is non-technical).
@claudiamanta1943 2 months ago
24:42 Yeah, video streaming. I was thinking about that, actually, when I read yesterday about UDP which I understand is much less safe than TCP. In all fairness, ensuring integrity via using HTTPS and TCP is kinda obsolete in the age of deepfakes. Maybe Communication science should not be divorced from the Information Technology. PS- I am not referring to your video. I don’t know who you really are, but I think that you are a highly intelligent lady with loads of experience. My criticism pertains to this damned test.
@claudiamanta1943 2 months ago
23:05 Accessibility or marketing? 😏 Up to this point you haven’t said anything confidential.
@claudiamanta1943 2 months ago
17:34 It is a genuinely good idea to make everyone (and I mean everyone) in an organisation more aware of risks, safety, and being money wise, BUT not at the detriment of other things. Money and technicalities of any safety system are contingent on threats, business landscape, how good you are at playing the money making game. Other things are not contingent on externalities. It’s like a human body- if its immunity is good, it can fend off all sorts of infections. Whereas your security paradigm is mostly reactive, for what I could gather, that’s why Zero Days happen. A virus in your system causes a devastating pandemic because your employees don’t know how to cyber wash their hands properly etc.
@claudiamanta1943 2 months ago
14:15 What is the average amount paid for a ransomware attack? I don’t know, let’s say $500,000. Spending $499,999 on developing your immunity to attacks by training and checking your staff’s attitudes and safety-related behaviour, sacking a few bad apples, and continuously helping the individuals to attain maturity and good posture is still cheaper.
@claudiamanta1943 2 months ago
13:37 Get your priorities right! First and foremost the human wellbeing which includes the lives of people in a hospital, so if you’re a boss who makes money off the backs of ill people, at least you could pay due diligence and part with a part of your profit to ensure that you don’t put their lives in danger by allowing a ransomware attack. Those money greedy CEOs should face criminal prosecution and not be allowed to settle in court by paying their weekly coffee budget.
@claudiamanta1943 2 months ago
12:24 I don’t know much about it, but the MFA systems are not infallible. I was reading yesterday about Kerberos, and even I (not being particularly smart and definitely not knowledgeable) could see it’s vulnerable. What good is it to rely so much on an authentication server that checks credentials with a database that has had a SQL injection? The SSO that embodies the accessibility principle at the detriment of integrity and confidentiality (since when putting all your eggs in one basket is safe practice?). As I said, I don’t know all the terminology, but I hope you will understand the idea.
@claudiamanta1943 2 months ago
10:36 I wholeheartedly agree. But my definition of ‘wisely’ doesn’t fit with the common nonsense. What do you invest in? Expensive software, pentesting services, fancy physical security devices? How much less money would you have spent had you invested in people’s training and attitudes? That’s why I’m saying your paradigm is myopic.
@claudiamanta1943 2 months ago
9:43 Oh, so it is about people. Allegedly.
@claudiamanta1943 2 months ago
8:15 Lady, that’s nonsense. Had you discussed something confidential in this call you would have not allowed just everyone to join in, uploaded it on KZbin, etc.
@claudiamanta1943 2 months ago
5:45 I want to help them, but they don’t want to be helped because their big egos get in the way. Very well, then, suit yourselves. And talking about being rude- isn’t it rude to test people in a covert manner? Isn’t permission based on transparency the thing that makes the difference between pentesting and hacking? Why is psychological hacking, then, allowed? What are the candidates- criminals interrogated by FBI?
@claudiamanta1943 2 months ago
4:41 Accessibility principle.
@claudiamanta1943 2 months ago
4:02 No. If you care about people, you care about your colleagues, your clients, and about your dumbarse CEO who has no clue about anything but the bank accounts and ‘networking’ whilst playing golf with other muppets in high positions. If you do care about people, you will do the technical bits related to security. If you don’t, you won’t. Even worse, not cultivating this attitude leads to inside threats. It’s an idiotic and myopic management strategy.
@claudiamanta1943 2 months ago
3:46 Then boycott their selfish and stupid arses by not working for them. Many fall prey and sell themselves for a smaller or larger amount of peanuts and a nice entry in their CVs. I think it’s a Western mentality- and this is one ginormous vulnerability of the Western system. Empty arrogance and not cultivating the only real resource an organisation has i.e. its people.
@claudiamanta1943 2 months ago
3:13 Precisely. Who really puts any effort in working for a manager who doesn’t give a damn about anything else but their pockets? They will lay you off only to protect their profits. The whole mentality is shit.
@claudiamanta1943 2 months ago
0:53 I do, but I don’t like it. Which makes me doubt I will ever work for such managers. Is this test an empathy test? It should test knowledge, attitudes, and cognitive resilience. But not like that- not telling the candidates what they’re tested for. It’s patronising, disrespectful, and dishonest- are these qualities that are part of a manager’s job description? Now I know what job descriptions I will weed out.
@Mohamed-ln9hd 2 months ago
Kindly provide more daily practice questions
@GwenBettwyTSI 2 months ago
I just recorded another video. I keep working on it! Thanks for the interest!!
@Mohamed-ln9hd 2 months ago
@GwenBettwyTSI, thanks so much, but we need more questions in the same video.
@Mohamed-ln9hd 2 months ago
We need more Q/A daily. It is very useful
@GwenBettwyTSI 1 month ago
We will try
@billkim8814 2 months ago
Thanks Gwen, I just passed CISSP provisionally yesterday and I appreciate your video. Exam was totally different from the practice test but it helped 😂
@Mohamed-ln9hd 2 months ago
Thank you
@ralphmelone8460 2 months ago
Hi Gwen. I want to thank you for this, and all your videos on the CISSP. I passed my test today. Your insights, tips, tricks on techniques on how to approach questions and answers were invaluable. I found you to be correct, the vast majority of the questions could be answered from a management perspective (a business & security management perspective). Thanks again!!
@GwenBettwyTSI 2 months ago
Congratulations!!!! So glad you found my video before the test!
@nivethamathivanan3335 3 months ago
Thank you for the amazing content Gwen. These really helped get the hang of the mindset. I have provisionally passed CISSP today.
@GwenBettwyTSI 3 months ago
Congratulations!!! So happy to have helped. 20 years of teaching CISSP I have found a few tricks that sure do help!
@santiagogarreta3586 4 months ago
Thanks
@GwenBettwyTSI 4 months ago
You're welcome
@santiagogarreta3586 4 months ago
Thanks, love you
@tczanardo 4 months ago
Interesting the way to find the answer, as a non English native speaker, I always get confused on these kinds of questions
@GwenBettwyTSI 4 months ago
There are many tips to find the right answer. People, Process, Technology is another key one! I think that is my latest video!
@SpicyPunkRockerOfficial 4 months ago
Does the CCSP really have questions like this? Or is this more CISSP material?
@GwenBettwyTSI 4 months ago
They can show up in CCSP. They do have more like this in CISSP, but they are in CCSP as well.
@kamalabduwahid 4 months ago
The first two questions were challenging, but I answered the last two correctly. Will this type of question be on the CISSP exam, which I have on February 29, 2024?
@GwenBettwyTSI 4 months ago
There really are no questions out there (or here) that look just like the exam, but the reasoning and logic is what you will need for the test.
@kamalabduwahid 4 months ago
I know that. What I meant was regarding law and legislation, as we in IT lack experience in that area. Thank you for the question. @GwenBettwyTSI
@GwenBettwyTSI 4 months ago
@kamalabduwahid I see… From what I see in the new exam outline that goes into effect in April, I think that is a possibility or it could be knowledge involved in questions.
@selwyndacosta1748 4 months ago
Thank you for the tips! I will be taking the test in 10 days.
@GwenBettwyTSI 4 months ago
Good luck!!!
@selwyndacosta1748 4 months ago
@GwenBettwyTSI I passed the CISSP. Your practice questions and videos were very helpful in the final stages of preparation.
@GwenBettwyTSI 4 months ago
I am soooo glad to hear that! Congratulations! @selwyndacosta1748
@amaralsaggaf495 4 months ago
Question 9 I think the answer is the Chinese wall (Brewer and Nash)