How do you GENIUS pass the CISSP!? I Got 645 FAIL!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Comments

  • broli720 Member Posts: 394 ■■■■□□□□□□
    @DavidEthington

    David, have you read any documentation dealing with incident response? Have you dealt or been on any such team? I only ask because your answers are pretty alarming. Law enforcement has no jurisdiction here unless regulatory requirements were not met in that specific environment. And even then, organizations are not required to disclose breaches unless customer PII was compromised. Furthermore, involving law enforcement brings about a whole number of other legal headaches not to mention what it does to the competitive advantage of your organization.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    Actually - @broli720 brings up another good point. Besides the scenario that I mentioned, imagine that a breach did occur. For example, let's say that someone broke into an FTP server from the Internet and a sysadmin detected it via log inspection. A careful review reveals that no data was exfiltrated and the hacker was looking to cause mischief by trying to delete files. The first step is still to close the vulnerability. In this particular scenario, there is not likely to be any legal obligation to report a crime. This type of breach is a trespass to chattels and is a tort. The breach is of company property and the sysadmin has no obligation or even right to report on behalf of the company unless he/she was authorized to do so.

    For example, if this scenario occurred at my company and the sysadmin called law enforcement, the sysadmin would risk discipline for breach of confidentiality and failure to follow security processes. We take reputational risk just as seriously.

    There are however some scenarios where the individual may possibly have an obligation to report a cyber-crime directly to law enforcement - for example, if the individual discovers child-**** on a file server. But generally speaking, a good incident team would still manage it.
  • DavidEthington Member Posts: 22 ■□□□□□□□□□
    The question specifically said that a bank account had been compromised. Legally speaking, law enforcement is to be notified. I didn't write the law. I didn't write the CISSP exam, either.

    In the field I work in, everything is reported, up to and including disgruntled employees and DUIs, so I am naturally hypersensitive about this stuff. However, I've seen this question pop up on exams, and you always notify authorities in the event of a crime. That's not the ONLY thing you do, I understand that.
  • CyberfiSecurity Member Posts: 184
    I thought law enforcement should be notified later, but at the present time you have to isolate the account by disabling it to avoid any further damage. If the internal investigation finds that the account was compromised by corporate employee(s), management has to get corporate Human Resources involved.

    In this situation, disabling the account has nothing to do with a cover-up.
    Vice President | Citigroup, Inc.
    President/CEO | Agility Fidelis, Inc.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    The first thing in regard to these two types of question would be that D is definitely wrong. Unplugging the network or disabling the customer's account violates the principle of least privilege. A bank teller should not have access to disable a customer account; that would be a privilege of the user account administration team, not a bank teller. The same goes for the operator: an operator should not have the privilege to unplug the cable from the network; that would be the responsibility of an incident handler, not an operator.

    In another view, if you were to implement an organization-wide policy, you cannot trust end users to decide if it is a compromise. How would you trust the bank teller's or operator's choice if he 'noticed' that it is compromised? You cannot be sure that a bank teller or operator has the capability to identify a compromise correctly. If your organization-wide policy states that individuals have the right to perform containment steps, chances are your business is going to have a 'good time' when your administrator thinks it is correct to shut down a computer that has not been confirmed as compromised, halting production thanks to your policy.

    The identification phase comes in two steps. First would be an indication of breach, reported via users to their respective managers; the help desk would usually be the next point of contact for the organization, since most departments have easy access to their contact details. The users cannot be sure if they have been compromised, but sense something. The help desk would then forward to the next point of contact, usually the point of contact that management has decided on in their policy, be it incident handling or the SOC. A ticket will be created to document the necessary actions taken, and an onsite handler will then assess the situation by speaking to users and performing some investigation on the system.

    The compromise 'noticed' by the user will then be considered confirmed by the incident handler; the incident handler will then report back to the same point of contact (SOC/Incident Management) before the rest of the incident handling team is sent down: a manager (for getting contacts/sending people, like an officer in a war zone) and two incident handlers; sometimes the administrator that handles the particular system is involved. While two is what is taught by organizations and industry, four people make an ideal team: two handlers, one manager (aka the captain in the war zone), and one administrator (for getting around access problems and rebuilding packages).

    In other words, C is the correct choice of answer.
    Answer A (contact the customer and ask them to change their password) is wrong because this is not the duty of the bank teller, but the compliance team.
    Answer B (notify law enforcement) is wrong because this is not the duty of the bank teller, but the compliance team after approval by the business owner. Also, notifying law enforcement would possibly cause a seizure of equipment and thus halt production, so this would require business owner approval.
    Answer D (disable the customer's account) is wrong because the bank teller should not have access to disable the account; this should be the privilege of the user account administration team after approval by higher management.
  • sojourn Member Posts: 61 ■■□□□□□□□□
    LionelTeo is 100% right on this, I think. People are getting too caught up in notifying authorities and haven't actually read the question.

    A bank teller does not notify the authorities. The CISSP is VERY CLEAR on roles and responsibilities, who does what. One of the most important caveats for answering any question is to answer it in terms of the role posed.

    No one is saying that in this scenario law enforcement should not be involved at some point, but in no way is it the first thing which should be done, and it should not be done by the teller.

    Further discussion of what people do at their own company is fine, but it is not relevant for the CISSP exam. One of the keys to passing the CISSP is un-learning the "this is how we do it at my company" and replacing it with "this is how ISC2 want us to do it". End of.

    The only case that a teller would notify authorities, that I can think of, is that "A robber enters the bank and shoots three customers. What should the bank teller do?"
  • DavidEthington Member Posts: 22 ■□□□□□□□□□
    Where does the CISSP delineate roles and responsibilities in this scenario? Shooting three people and robbing someone via electronic means is still a crime, and you are legally obligated to report it.

    All in all, this is turning into an excellent discussion.
  • kalkan999 Member Posts: 269 ■■■■□□□□□□
    Paul78. What's the most consistent 'annoyance' with your law firm here in the US and EU DP laws? I have challenges with US and NZ laws concerning a client of mine whose company bought another in NZ, (I am not a law firm, but GRC is HEAVY) and the laws over there are much more stringent regarding employer compliance and liability with employee behavior whilst on said employer network, especially regarding said employee's web 'habits.'
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    Shooting 3 people, or robbing a bank, is part of a bank teller's roles and responsibilities; however, this has to be introduced to the bank teller through training, including a notification button in place which the bank teller can use in an emergency.

    The case of a customer account is different; this is a situation that does not warrant an immediate response, no one is pointing a gun or robbing someone on the street. If you notify the authorities straight off as a bank teller instead of going through the proper management, not only would you probably cause seizure of equipment due to the investigation, you would also attract media attention; employees that are not on the scene may also spread rumors like wildfire, and the media would write articles based on anything they can get hold of, including such rumors.

    All these combined end up damaging the company's reputation, losing investor faith, revenue loss, production halt, and it is even worse if the customer account is not compromised: you could have made a mistake; he could be transferring money to his relative or another bank account, or initiating a monthly transfer to his son overseas. You would also lose credibility for not following the 4 eyes principle, proper communication channels, and the procedures and policies set by the bank.

    Notifying the authorities is not the bank teller's role, but the business owner's. If the bank teller can produce evidence that he has informed management through the proper channel, then it would be the respective manager's duty to go through the proper channel (helpdesk -> IH Team -> Business Owner). It would eventually be the business owner's responsibility to decide to notify law enforcement. And this is done after confirmation of such an incident, working with internal compliance, lawyers, the spokesman and several C-title employees on the various possible impacts. Then they would notify law enforcement. The reputational and financial harm to the company will have much less impact.

    And not all incidents require law enforcement; a virus alert found on a system can be another situation, one that can be resolved internally. A disgruntled employee also wouldn't warrant you immediately seizing his items, because he is not stealing a laptop in front of you; you would require an official search warrant (externally) or have captured enough evidence before you can even think of seizing his/her tool of crime (laptop/computer). Although they are all caused by criminals, they have to be approached differently because various other factors have to be considered (company reputation, rumors, incident logging, 4 eyes principle, possible damage, impact).
  • sojourn Member Posts: 61 ■■□□□□□□□□
    DavidEthington wrote: »
    Where does the CISSP delineate roles and responsibilities in this scenario? Shooting three people and robbing someone via electronic means is still a crime, and you are legally obligated to report it.

    All in all, this is turning into an excellent discussion.

    In most of the questions asked, CISSP roles are stipulated at the start of each question. The candidate needs to apply their discretion and their understanding of the separation of duties for each role.

    1. As a CEO...
    2. As a security practitioner...
    3. A helpdesk employee...
    4. The auditor is asked to...
    5. A user finds..

    In this case, a bank teller would be a user. They use a system. They perform their day to day tasks and adhere to policy stipulated from above.

    Hypothetically speaking, I would expect that a bank would have policies in place which users agree to use, which could explain what the teller is to do if they encounter this scenario. There is not enough information in the question for the answer to be anything other than (C).
  • DavidEthington Member Posts: 22 ■□□□□□□□□□
    That's a very good point. And not to create a wrong impression, you always inform the boss. However, liability is liability. If you just disable the account, you are doing the wrong thing.
  • lovellt Registered Users Posts: 1 ■□□□□□□□□□
    The best advice I got before starting the journey to study for the CISSP, was to approach it as if I was in management. The CISSP exam is by no means a "technical" exam. After years of studying for Microsoft, Cisco and other technical certifications, it was difficult at first to get out of that mindset. Remember that management cares about personnel, cost, compliance and regulations first.
  • tufexams Member Posts: 15 ■□□□□□□□□□
    Funny. I took the exam several times (many more times than I ever wanted to take any exam) and I tried to put myself in the management mindset......'think like a manager', 'preserve human life', yada, yada. I must've been fortunate enough to have very difficult tests. NONE of the 'managers' that I have ever worked for, including a full bird retired AF colonel with two master's degrees, PMP, and a boatload of other certs, would have a single clue how to answer some of the questions that I got......much too technical. I barely could slip by figuring some of this out. So, sorry techexams forum, based on the tests that I received: Technical and Management!
  • Jonnyg Member Posts: 84 ■■■□□□□□□□
    People say that you need to think like a manager. While this helps you get in the right mindset, it won't save you if you skipped over the technical details while studying because you didn't bother to learn them. Trying to sum it up as a management exam or "not a technical" exam and basing your preparation on that is a big mistake. The long story short is you need to know everything that is covered, including the technical. Ironically, that would make you a better manager in the real world, too.

    As far as the question is concerned, I agree with those who say the teller is a user and does not have the responsibility, let alone the permissions, to carry out any of the actions except Answer C. The only option in this list of four possible options that is even feasible is to notify management. In the context of the question, the teller (user) simply does not have the responsibility or permissions to do anything else other than notify management. This is the kind of thinking you need to have to ensure you pass the exam. As an exam tip, use this example as a way to get in the mindset to eliminate options during your exam. There will often be clues that allow you to immediately eliminate impossible answers or "silly" answers. You have to really be careful when you read through the questions and first determine exactly what it is asking you.
    Working on: Nothing, finally.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    While simply saying "think like a manager" is easy, you will have to understand a few traits of a manager, which are:
    - Always use an existing technology or framework instead of inventing your own; never start something of your own.
    Life Example: A team decided to invent their own online purchase authentication system instead of using an existing framework whose known flaws had already been covered. Starting to build your own system means that a bug that would have been covered in another framework would be introduced again by your developers.

    - 1 input, 1 outcome. If there are two outcomes pertaining to one input, then split the input into two different inputs.
    Example: A user account management use case had two outcomes: one was that the account had been locked/unlocked, while the other was that the user had requested a password reset. This resulted in occasional careless mistakes within the team. The use case was split into two: a mass lock use case and a user password reset use case.

    - Always use technology as the first line of defense; users are the last line of defense.
    Example: A company has been heavily targeted by phishing mail for the last few months; even though the users are constantly being educated, users are still sometimes tricked into clicking on the wrong email. In another company, this problem does not exist because a mail gateway inspection tool is installed and explicitly filters such emails.

    - All humans make mistakes.
    This includes you, me, developers, a bank teller, system administrators, everyone. Thus we cannot trust the user alone. In everything we do, someone else should verify, which leads to the next point below.

    - Every change must follow the 4 eyes principle. In fact, almost everything must have the 4 eyes principle and an audit trail.
    Example: A security specialist figures out that his performance and bonus are based on the vulnerabilities reported on the system, so he decides to report fewer vulnerabilities as a result. Who is watching the watcher? This illustrates the importance of separation of duties.

    - Always think in terms of the business!
    It's always about the money. The idea of implementing xxx technology may sound great. But if the cost of implementation is more than the cost of what it is meant to protect in the business, then the budget would be better spent elsewhere.

    - Hybrid takes the best of both worlds.
    Automation may be a nice idea, but sometimes machines make mistakes, while doing it manually is a tiring task. Thus finding a hybrid of automation with some manual inspection can result in the benefits of both areas: humans check for automation mistakes while at the same time having less

    - There is always some form of residual risk left no matter what.
    In IT security, someone will always have the extreme idea of having totally no risk, especially business owners. That is impossible; there is always risk somewhere, and budgets are always limited. Therefore budget is always spent to reduce risk to an acceptable level, and beyond the acceptable level, every amount spent results in decreasing ROI. Therefore, it is always important to keep in mind to explain in terms of risk, reducing risk to an acceptable level, and spending the budget wisely.

    If this wall of text above still doesn't help (you got this far in reading? eh?), start spending some time observing problems in your daily life, interact more, and start thinking of the systematic way to fix things permanently instead of firefighting; that would help.
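    The two points argued across this thread, least privilege (a teller can report but not disable) and the 4 eyes principle with an audit trail (containment only after confirmation by someone other than the reporter and approval by two distinct handlers), can be modelled in a few dozen lines. The block below is an added example written for this page; it is not code from the thread, from (ISC)2 material or from any bank. The roles, the permission matrix, the three incident states, the two-approver threshold and the principal names are all assumptions chosen to illustrate the argument, not anything the exam question states.

```python
# Least privilege plus four-eyes control for an account-compromise report.
# Added example, not code from the thread or any product: the roles, the
# permission matrix, the incident states and the two-approver rule are
# assumptions chosen to model the argument above.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set


class Role(Enum):
    TELLER = "teller"
    INCIDENT_HANDLER = "incident_handler"
    ACCOUNT_ADMIN = "account_admin"

# Assumed permission matrix: reporting is all a teller may do, and
# confirming an incident is split from executing containment.
PERMISSIONS = {
    Role.TELLER: {"report_incident"},
    Role.INCIDENT_HANDLER: {"confirm_incident", "approve_containment"},
    Role.ACCOUNT_ADMIN: {"disable_account"},
}
REQUIRED_APPROVALS = 2  # the "4 eyes": two distinct incident handlers

class AuthorizationError(Exception):
    """A permission is missing or a control (state, approvals) is unmet."""

@dataclass(frozen=True)
class Principal:
    name: str
    role: Role

@dataclass
class Incident:
    ticket: str
    reporter: Principal
    state: str = "reported"  # reported -> confirmed -> contained
    approvals: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)

def can(actor: Principal, action: str) -> bool:
    """Static RBAC check against the permission matrix."""
    return action in PERMISSIONS[actor.role]

def require(inc: Incident, actor: Principal, action: str) -> None:
    """Enforce RBAC; denied attempts are written to the audit trail too."""
    if not can(actor, action):
        inc.audit.append(f"DENIED {actor.name} ({actor.role.value}): {action}")
        raise AuthorizationError(f"{actor.name} may not {action}")

def report(reporter: Principal, ticket: str) -> Incident:
    """Answer C: document the incident and escalate it."""
    inc = Incident(ticket, reporter)
    require(inc, reporter, "report_incident")
    inc.audit.append(f"{reporter.name} reported {ticket}")
    return inc

def confirm(inc: Incident, actor: Principal) -> None:
    """A handler other than the reporter turns a 'notice' into a confirmed incident."""
    require(inc, actor, "confirm_incident")
    if inc.state != "reported" or actor.name == inc.reporter.name:
        raise AuthorizationError("confirmation needs a fresh report from someone else")
    inc.state = "confirmed"
    inc.audit.append(f"{actor.name} confirmed compromise")

def approve_containment(inc: Incident, actor: Principal) -> None:
    require(inc, actor, "approve_containment")
    if inc.state != "confirmed":
        raise AuthorizationError("approval requires a confirmed incident")
    inc.approvals.add(actor.name)  # a set: one handler approving twice counts once
    inc.audit.append(f"{actor.name} approved containment")

def disable_account(inc: Incident, actor: Principal) -> bool:
    """Answer D, allowed only with the right role, confirmed state and two approvals."""
    require(inc, actor, "disable_account")
    if inc.state != "confirmed":
        raise AuthorizationError("incident not confirmed")
    if len(inc.approvals) < REQUIRED_APPROVALS or actor.name in inc.approvals:
        raise AuthorizationError("need two distinct approvers other than the executor")
    inc.state = "contained"
    inc.audit.append(f"{actor.name} disabled the account")
    return True

def walkthrough() -> Incident:
    """The question's scenario: the teller reports, tries D and is denied; the team contains."""
    teller = Principal("teller-01", Role.TELLER)          # constructed names
    alice = Principal("ih-alice", Role.INCIDENT_HANDLER)
    bob = Principal("ih-bob", Role.INCIDENT_HANDLER)
    carol = Principal("uam-carol", Role.ACCOUNT_ADMIN)
    inc = report(teller, "INC-0001")
    try:
        disable_account(inc, teller)  # the teller has no such permission
    except AuthorizationError:
        pass
    confirm(inc, alice)
    approve_containment(inc, alice)
    approve_containment(inc, alice)  # duplicate: still one approval
    approve_containment(inc, bob)
    disable_account(inc, carol)
    return inc

if __name__ == "__main__":
    print("\n".join(walkthrough().audit))
```

    Running it prints the audit trail, including the teller's denied attempt at answer D; the denial is logged rather than silently dropped, which is what gives management something to act on when the report turns out to be a false positive. The executor (account administration) cannot also be an approver, and the reporter cannot confirm their own report, so no single person can take the account offline on their own 'notice'.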
  • EasyPeezy Member Posts: 111 ■■■□□□□□□□
    I strongly believe you guys are reading way too much into the scenario question. The best form of containment in this case is to disable the account, followed by alerting the customer and management.

    There should be no debate with regard to the compromise or whether the bank teller has jurisdiction to call a compromise – the question clearly says “HAS BEEN COMPROMISED”. Similarly, there is no point arguing what powers a bank teller has… The question clearly indicated that she had the jurisdiction of 4 possible solutions… So, instead of arguing that she might not have rights to disable accounts or call the customer…. the question says she has.

    On that basis… the best line of action and the first thing to do would be to stop any further damage (containment). The same way you would pull a network cable on a virus-infected computer to stop it propagating itself across the network or externally in the second scenario.
  • xnx Member Posts: 464 ■■■□□□□□□□
    I'd choose D
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    EasyPeezy wrote: »
    I strongly believe you guys are reading way too much into the scenario question. The best form of containment in this case is to disable the account, followed by alerting the customer and management.

    There should be no debate with regard to the compromise or whether the bank teller has jurisdiction to call a compromise – the question clearly says “HAS BEEN COMPROMISED”. Similarly, there is no point arguing what powers a bank teller has… The question clearly indicated that she had the jurisdiction of 4 possible solutions… So, instead of arguing that she might not have rights to disable accounts or call the customer…. the question says she has.

    On that basis… the best line of action and the first thing to do would be to stop any further damage (containment). The same way you would pull a network cable on a virus-infected computer to stop it propagating itself across the network or externally in the second scenario.


    This is wrong even from an incident handling aspect; containment actions are not performed by a bank teller. Containment actions are only performed after confirmation by an incident handler, not a bank teller. Containment actions cannot be performed in the absence of the 4 eyes principle. It's 100% wrong to perform containment without proper confirmation of an incident; and of every possible "incident" out there, 90% are simply false positives.

    The question says 'noticed' it has been compromised, not confirmed that it has been compromised. There are lots of false positive incidents every day because these people do not have the proper training or tools to identify the compromise. If everyone just has a green light to perform containment here and there, chances are a service is not available when you require it.

    From the CISSP aspect, the company would violate the principle of least privilege, as the bank teller does not have the rights to disable the account; the company's design in the first place would not have allowed it.
  • EasyPeezy Member Posts: 111 ■■■□□□□□□□
    I am sure someone said to take the CISSP from the layman's/manager's point of view…!!! i.e. not getting technical.

    “If you were a bank teller and noticed that a customer's account has been compromised, what is the FIRST thing you should do?”

    Read the question again… and forget the job description… The question clearly states that you have the authority to perform all 4 functions… which one will you perform first…!!!

    Whether the account has been compromised or not is not in question… it clearly says “HAS BEEN COMPROMISED”…. You are getting way too technical bro… This question is based on English and common sense… nothing technical at all.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    Key word: noticed. Noticing is different from confirming that it has been compromised. Many cases in daily life that come from noticing are false positives. Without proper tools or technology, there is no way you can confirm the compromise.

    Secondly, the question does not state that the bank teller has the access to do so. There is no explicit statement that indicates so.

    Thirdly, from a manager's point of view, every bank has a proper policy on how to report an incident, clearly stating who should contain them.

    Lastly, account holders can take legal action against you if you were to close their account wrongly without actual confirmation of the account being compromised. Your C-level employees need to know and be able to explain to account holders such actions taken. Account holders will not buy the words of a bank teller acting without authorization.

    You can get into legal liability with both the account owner and the bank, especially if your bank performs huge transactions for big clients, if you simply close the account without considering the implications, as the account holder may actually be performing a legitimate transaction and the account may be required by the customer for daily huge transactions. You are doing a big disservice to the bank by performing an action that your C-level and spokesman could not explain.

    Your action would result in reputation loss, revenue loss and loss of investor faith because your C-level employees and spokesman cannot be accountable for your action, and would not be able to confirm the incident just because of what one person noticed without the 4 eyes principle involved.
  • EasyPeezy Member Posts: 111 ■■■□□□□□□□
    Let me reiterate… you are reading too much meaning into the question.

    The fact that the question asks what you would do FIRST…. means that you are capable of doing all 4 tasks. The question is a judgement of what task you will perform FIRST… not whether or not you could do it or have the legal obligation to do it.

    Similarly, if there was not a confirmed compromise… there is no basis for the question…!!!
    You could not:
    1. Contact the customer and ask them to change their password – No basis to call them. Would be a false alarm.
    2. Notify law enforcement – And say what exactly???
    3. Document the incident and inform management – There is no incident to document..!!!
    4. Disable the customer's account. – Deprive the customer of their account??? Nah!
  • bigdummy Member Posts: 30 ■□□□□□□□□□
    EasyPeezy wrote: »
    I am sure someone said to take the CISSP from the layman's/manager's point of view…!!! i.e. not getting technical.

    “If you were a bank teller and noticed that a customer's account has been compromised, what is the FIRST thing you should do?”

    Read the question again… and forget the job description… The question clearly states that you have the authority to perform all 4 functions… which one will you perform first…!!!

    Whether the account has been compromised or not is not in question… it clearly says “HAS BEEN COMPROMISED”…. You are getting way too technical bro… This question is based on English and common sense… nothing technical at all.

    There are two categories of people on this forum - those who are studying for the CISSP and those who have already passed the CISSP. Sorry bro, but I think it would be extremely wise for all of us wannabe CISSP's to listen to the advice of those who actually are CISSP's.

    One of the key concepts of CISSP is knowing the difference in the roles & responsibilities of different categories of people (senior management, data owner, data custodian, IT staff, end user, auditor). Those who have passed the test have repeatedly given the advice to pay strict attention to the job role of the person named in the question.

    So I'd argue that your suggestion to "forget the job description" is ill advised. The job description is likely the most important part of the question, and the key to the correct answer.

    Also, I've read the question several times, and I don't see where it says the teller has authority to perform all four functions...but maybe I'm missing something?
  • EasyPeezy Member Posts: 111 ■■■□□□□□□□
    @bigdummy

    Indeed there are two categories of people… those that are learned and would put up a good argument and those that take whatever anybody else says as gospel truth. Having passed the CISSP counts for nothing in this particular argument. Say the question was about Business Impact Analysis, Business Continuity or indeed Disaster Recovery… The CBK clearly states who does what and tests your knowledge on it too. I dare anyone in this forum to show me where the CBK mentions or appoints roles to a “Bank Clerk”; I am fairly certain it does not test us on the roles and jurisdiction of a bank clerk either. For all intents and purposes you could substitute the “Bank Clerk” with “God” – and you could do any of the four answers; which would you do?

    I have it on good source (Clement Dupuis - a CISSP lecturer) that the right answer is D. “Disable the user account”.
  • DavidEthington Member Posts: 22 ■□□□□□□□□□
    To be fair, I PASSED the CISSP. I'm pretty sure I was nowhere close to maxing it.
  • TheProfezzor Member Posts: 204 ■■■□□□□□□□
    EasyPeezy wrote: »
    Indeed there are two categories of people… those that are learned and would put up a good argument and those that take whatever anybody else says as gospel truth. Having passed the CISSP counts for nothing in this particular argument. Say the question was about Business Impact Analysis, Business Continuity or indeed Disaster Recovery… The CBK clearly states who does what and tests your knowledge on it too. I dare anyone in this forum to show me where the CBK mentions or appoints roles to a “Bank Clerk”; I am fairly certain it does not test us on the roles and jurisdiction of a bank clerk either. For all intents and purposes you could substitute the “Bank Clerk” with “God” – and you could do any of the four answers; which would you do?

    I have it on good source (Clement Dupuis - a CISSP lecturer) that the right answer is D. “Disable the user account”.

    Who is the bank teller? Is he "Senior Management" or is he the "Data Owner"? I am pretty sure he isn't any of those. He's working on a system that has been provided to him by the organization. He is there, filling in a role. If that's the case, there is "Role-Based Access Control" in place, which means he either has rights to disable accounts or he doesn't. In either case, since he isn't the BEST guy to decide on a COMPROMISE or an INTRUSION (not his area of expertise), he should be reporting the findings to management. If the incident were more severe, he would call law enforcement. He should not ask the customer to change the password because he might not be sure if the customer knows how to do it or if the customer does not follow the teller properly.

    I won't select option 'D' (Disable the account) because disabling or enabling accounts and authorizing or revoking user access isn't his responsibility, and I doubt he would have the privileges to do it. All authorization of accounts is at management's discretion. The teller is just the "End User" in the system. He is just using the system and following orders.

    The best option according to me would be 'C' (Document the incident and inform the management).
    OSCP: Loading . . .
  • TheProfezzor Member Posts: 204 ■■■□□□□□□□
    "For example, consider a security-related incident involving a single system that has become unreliable. The system is now continuously rebooting itself, declaring that the security kernel is not available. Network operations detects the outage and since it is security-related, security operations is called in. It turns out that the system in question is highly critical to the organization, and that it will need to be back up and running in a very short timeframe"
    Official Guide to CISSP CBK 3rd - Page 678 - "Manage Incident Response".

    "When a company endures a computer crime, it should leave the environment and evidence unaltered and contact whomever has been delegated to investigate these types of situations. Someone who is unfamiliar with the proper process of collecting data and evidence from a crime scene could instead destroy that evidence, and thus all hope of prosecuting individuals, and achieving a conviction would be lost. Companies should have procedures for many issues in computer security such as enforcement procedures, disaster recovery and continuity procedures, and backup procedures. It is also necessary to have a procedure for dealing with computer incidents because they have become an increasingly important issue of today’s information security departments."
    All In One CISSP Exam Guide 6th (Shon Harris) - Page 1033 - "Incident Management".

    "Incident handling or incident response are the terms most commonly associated with how an organization proceeds to identify, react, and recover from security incidents. Finally, a Computer Security Incident Response Team (CSIRT) is a term used for the group that is tasked with monitoring, identifying, and responding to security incidents. The overall goal of the incident response plan is to allow the organization to control the cost and damage associated with incidents and to make the recovery of impacted systems quicker."
    CISSP Study Guide 2nd Edition (Eric Conrad) - Page 328 - "Incident Management".

    "In one organization, the responsibility to respond to computer infections was extended to users. Close to each computer was a checklist that identified common symptoms of malware infection. If users suspected their computers were infected, they were instructed to disconnect the NIC and contact the help desk to report the issue. By disconnecting the NIC, they quickly helped contain the malware to their system and stopped it from spreading any further. This isn’t possible in all organizations, but in this case, users were part of a very large network operations center and they were all involved in some form of computer support. In other words, they weren’t typical end users but had a substantial amount of technical expertise."
    CISSP Study Guide 6th - Sybex - Page 509 - "Incident Response".



    Note: Kindly focus on the bold sentences.


    OSCP: Loading . . .
  • TheProfezzor Member Posts: 204
    EasyPeezy wrote: »
    Let me reiterate… you are reading too much meaning into the question.
    3. Document the incident and inform management – There is no incident to document..!!!

    If you think a "Compromised Account" has nothing to do with incidents, you are wrong.
    OSCP: Loading . . .
  • chrisone Member Posts: 2,278
    Life is about ups and downs. Life is about winning and failing challenges. Winning is about getting back up from losses and winning small victories!
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • LionelTeo Member Posts: 526
    EasyPeezy wrote: »
    Let me reiterate… you are reading too much meaning into the question.
    The fact that the question asks what you would do FIRST…. Means that you are capable of doing all 4 tasks. The question is a judgement of what you task you will perform FIRST… not whether or not you could do it or have the legal obligation to do it.
    Similarly, if there was not a confirmed compromise… there is no basis for the question…!!!
    You could not:
    1. Contact the customer and ask them to change their password – No basis to call them. Would be a false alarm
    2. Notify the law enforcement – And say what exactly???
    3. Document the incident and inform management – There is no incident to document..!!!
    4. Disable the customer's account. – Deprive the customer their account??? Nah!

    In regards to your response that there is no incident to document: you seem not to understand the difference between a security event and an incident. An event is an occurrence in the network, while an incident is a change in the system/operating procedures that does not conform with process/standards/policy. In the situation of a notice of an account compromise, this is a likely incident, so there is a requirement for the bank teller to notify higher management to look into it.

    You also have not put up a debatable point regarding how the company is going to face the impact of sudden media interest in your company, your C-level employees' response to your action in closing a customer account, and whether your forensic team is going to have a reasonable timeframe to conclude how the compromise occurred and if any other account had been compromised the same way, had the answer been D.
    EasyPeezy wrote: »
    Indeed there are two categories of people… Those that are learned and would put up a good argument and those that take whatever anybody else says as gospel truth. Having passed CISSP counts for nothing in this particular argument. Say the question was about Business Impact Analysis, Business Continuity or indeed Disaster Recovery… The CBK clearly states who does what and tests your knowledge on it too. I dare anyone in this forum to show me where the CBK mentions or appoints roles to a “Bank Clerk”, I am fairly certain it does not test us on the roles and jurisdiction of a bank clerk too. For all intents and purpose you could substitute the “Bank Clerk” with “God” – and you could do any of the four answers, which would you do?.
    I have it on good source (Clement Dupuis - a CISSP lecturer) that the right answer is D. “Disable the user account”.

    I agree that passing CISSP means nothing in this argument; and this would apply in the same way to how you quote Clement's name in your argument. There is a difference between putting up facts on why D is the answer and simply quoting a source you had from somewhere without the factual statements.

    Unfortunately, from your previous two posts, you have not had a single debatable point on why D is the answer. You have been going on about CBK knowledge, Clement Dupuis, reading too much into the question; none of these solve the question of how you as an IT security professional are going to help protect the business reputation, faith of investors, customers, media response, giving reasonable time for C-level employee response and the forensic team for investigation on account compromise, had you selected D to close the account without notifying them.

    Secondly, you said that you are fairly certain it does not test us on the roles and jurisdiction of a bank clerk too, and that for all intents and purposes you could substitute the “Bank Clerk” with “God” and you could do any of the four answers. From my previous post, you should have read enough of the debatable points that I had put up that have nothing to do with roles, but rather look at the question from the business perspective, on how much money and reputation your company could have lost upon closing an account and how your C-title employees cannot react just in time because they are not notified.

    Thirdly, you did not provide what exactly Clement Dupuis said; this is important. We should think of Clement Dupuis and his help in putting up CCCure for helping people to obtain CISSP. You could have put up reasonable points by posting what he had said/posted so we could move this debate forward, but rather, you use his name to put a good weight in your argument, and place other CISSPs as irrelevant. In short, you twisted his name and reputation to try to prove yourself right, at the expense of Clement's reputation, and since the Profezzor has quoted enough sources pointing to the correct answer in this question, people would have misunderstood Clement as teaching the wrong things.
  • dustervoice Member Posts: 877
    Example of the type of questions that I have NO clue on answering:

    1) If you were a bank teller and noticed that a customer's account has been compromised, what is the FIRST thing you should do?

    A) contact the customer and ask them to change their password
    B) notify the law enforcement
    C) document the incident and inform management (I choose this one)
    D) disable the customer's account

    The Answer is E:
    Start up Wireshark and capture what the hacker is doing. This is called non-repudiation as he cannot deny that he did it since you saw everything with your own eyes. Then call the customer and tell them you have changed their password to a stronger one since they didn't choose a good one in the first place. (something you know)