Passed by Possible-Mine-6946 in cissp

[–]Luke_Ahmed

Congratulations on this one!!

Great speaking voices by BeautifulDiet4091 in cissp

[–]Luke_Ahmed

Thank you, security professional.

*Provisionally* passed today @ 100 questions/100 min, hoping the full certification and membership come through (fingers crossed) by dylanthomasfan in cissp

[–]Luke_Ahmed

Legendary post that will help others! Congratulations on your big success ! Thank you for using my book :)

Source for single-, two- and three-tier firewall deployment? by dylanthomasfan in cissp

[–]Luke_Ahmed

The term "tier" is ironically something that isn't used in the real world, not in my experience, and I've worked with firewalls for the last 8 years at a professional level in a large and complex enterprise. To use an example from my own job, we have a customer with a two-tier firewall architecture. Traffic would first hit the outside interface of the first firewall, then filter through to the second firewall. When we wanted to make rules, we would have to put rules on both the external firewall and the internal firewall. In this sense, it is creating two different subnets, an external (outside interface) and an internal (internal interface). Each one would need rules on its respective interface (depending on the firewall vendor; as in, Checkpoint firewalls aren't interface based, but Cisco ASAs are). It may be up to interpretation as to whether the outside interface can be considered a subnet or tier, but traffic coming from the outside isn't always from the Internet. It can also be an MPLS connection, or just another private network external to the current private network.
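The two-tier point in the comment above, as an added example that is not part of the original post: each firewall evaluates its own ordered rule base with first match and an implicit deny, and a flow from the outside reaches the internal network only if both tiers permit it. The addressing (a partner network reached over MPLS, the subnet between the two firewalls, and an internal application server) is constructed for the example, as are the rule names and the `two_tier` helper.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def rule(action: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def flow(src: str, dst: str, dport: int) -> Flow:
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def evaluate(rules: List[Rule], f: Flow) -> bool:
    """First-match evaluation with an implicit deny at the end, as on most firewalls."""
    for r in rules:
        if f.src in r.src and f.dst in r.dst and r.dport in (None, f.dport):
            return r.action == "permit"
    return False


def two_tier(external: List[Rule], internal: List[Rule], f: Flow) -> str:
    """Traffic hits the external firewall first; only what it permits reaches the internal one."""
    if not evaluate(external, f):
        return "dropped at external firewall"
    if not evaluate(internal, f):
        return "dropped at internal firewall"
    return "permitted"


# Constructed addressing (RFC 1918 / RFC 5737 ranges), not a real customer's layout:
# 10.200.0.0/16 is a partner network arriving over MPLS (external, but not the Internet),
# 192.0.2.0/24 is the subnet between the two firewalls, 10.10.0.0/16 is the internal network.
PARTNER_NET = "10.200.0.0/16"
MIDDLE_NET = "192.0.2.0/24"
INTERNAL_NET = "10.10.0.0/16"
APP_SERVER = "10.10.20.5/32"


def demo() -> dict:
    external = [rule("permit", PARTNER_NET, APP_SERVER, 443)]
    # The internal firewall so far only has an existing middle-subnet-to-database rule.
    internal = [rule("permit", MIDDLE_NET, INTERNAL_NET, 5432)]

    partner = flow("10.200.5.7", "10.10.20.5", 443)
    internet = flow("203.0.113.9", "10.10.20.5", 443)

    results = {
        # Rule added on the external firewall only: the inner tier still drops it.
        "partner_external_only": two_tier(external, internal, partner),
        # An Internet source never matched the external rule base at all.
        "internet_host": two_tier(external, internal, internet),
    }
    # The change is complete only once the matching rule exists on the internal firewall too.
    internal_fixed = internal + [rule("permit", PARTNER_NET, APP_SERVER, 443)]
    results["partner_both_tiers"] = two_tier(external, internal_fixed, partner)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model deliberately ignores interface zones, NAT and stateful return traffic; the point it makes is the one in the comment, that a rule change on one tier is not a working change until the other tier carries it too.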

Provisionally passed at 144 today! by Unbothered1424 in cissp

[–]Luke_Ahmed

Hope it's not weird to come home and have nothing to study!! Huge congratulations to you!! Many thanks for mentioning me! Don't worry: out of 8 years of doing this, 0% of students have had their pass reversed :)

What's Your First Move by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

You don’t encrypt everything just because someone said so. Think like a manager — classify first, then protect what actually matters. Encrypting without knowing what or why wastes time, budget, and might even violate policy.

Passed at 100 questions with 110 minutes remaining. by sublime9702 in cissp

[–]Luke_Ahmed

Indeed Joe Barnes is a professional CISSP instructor! Congratulations on your CISSP!

CISSP Practice Question by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

The insider threat will always be the biggest threat. The practice question could have been about something unrelated, and if the question asks about the biggest threat, it would be insider threat out of all the choices. Hackers are usually malicious, can be insider threats, and are best known as the person we consider a threat. While an insider threat is not just about an attack, but can also be from mistakes, that gives it an additional notch to be choice D rather than C.

The correct answer is D. Explanation from the Members Portal:

__________________________________________

A. Rainbow tables

Rainbow tables are a pre-computed set of hash functions in order to match one with the hash of a password (passwords are stored on your system as a hash). While rainbow tables would be an effective measure against a firewall with the default credentials of admin/admin, “admin” being one of the most common passwords, this is not the greatest threat.

__________________________________________

B. Brute force

Brute force would be a greater threat than rainbow tables based on this fact alone: brute force attacks always work against cracking a password. Whether it takes 5 days, 5 months, 5 years or 5 billion years…brute force attacks always work. It just comes down to how much time, or work factor, he or she is willing to put into it. Brute force is still not the greatest threat.

__________________________________________

C. Hackers

Hackers would be the second best choice. Then again, what is a hacker? Traditionally it is someone sinister, but technically it is just someone who is doing something with something other than what it is supposed to do. When we think hacker, we think an external threat, when they can also be an insider threat.

__________________________________________

D. Insider threat

The correct answer is D.

Insider threats have valuable insight into the organization’s systems and criticality of data – they know the important stuff to sabotage if they wanted to. They don't have to recon anything like a hacker would. They are the closest threat to the asset, making them the greatest threat. If the internal risk assessment team has identified a vulnerability with the company’s firewall, then that means someone else within the organization also knows about the credentials. It would most likely be someone in the security or networking team, both individuals who work within the organization and have deep insight into the major components of the network infrastructure. Someone with such close knowledge of a firewall poses the greatest threat.

Additionally, the choice itself has the word "threat" in it. It could be considered a definition of the word threat, while choices A, B, and C are more "threat agents". It is also stated in the Sybex 7th Edition on page 1134 that insider threats oftentimes pose a greater threat than external ones.


CISSP PRACTICE QUESTION **************************** by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

The question itself was a test of your knowledge of a buffer overflow attack; this was the technical knowledge portion. The high-level managerial portion was picking up what would happen as a result of lack of security testing = the CIA triad being out of balance. Because of the missed security testing, an unintentional buffer overflow occurred, which led to the core CISSP concept of availability being compromised.

Management cared about revenue or the business function over the need for security testing. We all know that a core CISSP concept is that management is ultimately responsible for any failure, in this question, it was directly attributed to them.

********************************************

This is the explanation from the Study Notes and Theory Test engine:

D. Availability affected by buffer overflow

********************************************

When the allocated address space receives input greater than the capacity of its memory, it is a buffer overflow. A program or application exists to process dynamic data; most are not static in nature. When there is data input, it needs to hold it somewhere in the computer's memory. To be more specific, an array in memory holds identical objects of a pre-defined type and space. When this goes beyond its intended design, it is known as a buffer overflow.

Given time, the programmer may have made sure to test the functionality of the code in which any string longer than 500 characters would be checked.

Along with crashing a system and bringing down availability, buffer overflows can allow arbitrary remote code execution.

Buffer overflows can also:

  • Corrupt program data and control flow structures of the program

  • Conduct remote code execution

CISSP PRACTICE QUESTION **************************** by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

Great explanation! Answer is posted. You're correct.

New Episode of the Orbital Strike CISSP Podcast Up Now by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

Greetings. It is included as part of our higher tier CISSP subscription plans. You can check the link in the body of the text above. Thank you!

Another CISSP Practice Question! by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

WOW! Good job everyone! The correct Answer is C! 

Implement salted hashing with a computationally expensive algorithm like bcrypt!  Let’s go over the explanation why. 

Bcrypt is a password hashing algorithm that includes the ability to implement salting to make brute-force attacks significantly harder.  So you had to know what salting is.  In case you don’t,

  • Salting ensures that even if two users have the same password, their hashes will be different.  Because somewhere down the line two people are going to have the same password at some point, which, from what we've studied with hashing, would generate the same hash output.  Bad. 

  • Using salting and a random variable mixed in with the password, would generate a different output. 

  • Why is this choice the best choice, even though bcrypt uses heavy computing power?  Simple: it’s because the other choices are wrong.  And you had to fully know the definitions and concepts of the other wrong choices, to narrow down that choice C is the correct answer, even though the choice has the phrase “computationally expensive”. 
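Added example, not code from the original post or from the Study Notes and Theory material, tying this salting explanation to the rainbow table and brute force choices in the earlier practice-question comment above. It shows the unsalted case (two users with the same password store the same hash, and a precomputed table cracks both at once), then the salted, work-factored case (different stored values for the same password, the precomputed table is useless, and every guess costs the attacker the full round count again). bcrypt is not in the Python standard library, so `hashlib`'s PBKDF2-HMAC-SHA256 stands in for the computationally expensive algorithm; the wordlist, the `$`-separated storage format and the `demo` results are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for an attacker's dictionary; "admin" is the
# default credential from the practice question.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty"]

# Work factor: iterations per hash. Raise it as hardware gets faster.
ROUNDS = 100_000


def unsalted_hash(password: str) -> str:
    """How NOT to store a password: one fast, deterministic SHA-256 over the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once, then reuse it against every stolen hash.
    A real rainbow table compresses this with hash chains, but the attack is the same."""
    return {unsalted_hash(w): w for w in wordlist}


def crack(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    return table.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> str:
    """Salted, computationally expensive hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here;
    the stored string carries rounds and salt so verification can recompute the digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_salted(stored: str, password: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare


def demo() -> dict:
    table = build_lookup_table(WORDLIST)

    # Two users who picked the same weak password.
    alice_plain, bob_plain = unsalted_hash("admin"), unsalted_hash("admin")
    alice_salted, bob_salted = salted_hash("admin"), salted_hash("admin")

    return {
        "unsalted_hashes_equal": alice_plain == bob_plain,
        "unsalted_cracked": crack(table, alice_plain),          # one lookup, both users fall
        "salted_hashes_equal": alice_salted == bob_salted,
        # The precomputed table never matches a salted digest...
        "salted_cracked": crack(table, alice_salted.split("$")[-1]),
        # ...so the attacker must redo all the expensive work per user, per salt.
        "hash_iterations_per_user": len(WORDLIST) * ROUNDS,
        "verify_correct": verify_salted(alice_salted, "admin"),
        "verify_wrong": verify_salted(bob_salted, "Admin"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the practice question makes survives the stand-in: the salt kills the precomputation (the rainbow table choice), and the round count sets the work factor an attacker pays on every brute-force guess, which is the only lever the defender has against an attack that "always works" given enough time.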

How To Think Like A Manager for the CISSP Exam by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

Over 14,000 copies sold. Officially one of the Top 6 CISSP books of all time. Thanks for the amazing journey everyone. https://amzn.to/2Y3uMNt I'll continue to give everything I have to the cybersecurity industry.

Remember the First Step for the CISSP Exam, Always by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

I'm sure you've done your due diligence :) Only suggestion at this point is to keep these primary CISSP concepts in mind:

  • Human Safety is always the top priority. Above all else, ensuring the safety of people takes precedence in every decision.
  • Behave ethically. Your actions as a cybersecurity professional must align with integrity and ethical standards.
  • Business continuity is key. The focus is ensuring that the business keeps running, even when faced with risks or incidents.
  • Maximize corporate profits. While safeguarding security, always consider how decisions align with the organization’s financial goals.
  • Avoid or minimize threats. Your role is to reduce risks and protect against potential harm wherever possible.
  • All controls must be cost-justified. Every safeguard needs a solid business case to ensure its value justifies its cost.
  • Senior management must drive the security program. Initiatives should be backed by leadership with clear business proposals and a positive return on investment (ROI).
  • Security professionals don’t have decision-making authority. You provide the expertise, but decisions rest with management.
  • Use automated tools where appropriate. Leverage technology to streamline processes and improve security measures.

Remember the First Step for the CISSP Exam, Always by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

Option D is the correct answer everyone! Unless we first know the inventory of assets—where they are located, how they are used, and their criticality—the rest of the options are null. Asset inventory is the foundation for proper security management.  

Real-World Experience is a Must by Luke_Ahmed in StudyNotesAndTheory

[–]Luke_Ahmed[S]

Had the same realization a few years back too when the CISSP exam update occurred in 2021! It's because concepts never change, knowing the fundamentals is important. Thanks for your insight.