CISSP Cyber Training Podcast - CISSP Training Program

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur

Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀

  1. 4d ago

    CCT 361: Bad Epoll - Root Access in 6 Instructions

    Send us Fan Mail A six-instruction timing glitch in the Linux kernel can be the difference between “low-priv user” and full root control, and that is why we dig into the Bad EPoll vulnerability from a CISSP-ready, manager-first angle. We start by grounding what the Linux kernel EPoll subsystem does, why it is foundational to high-performance I/O, and why “just disable it” is not a real option when you’re dealing with production Linux servers, desktops, cloud workloads, and Android devices. Then we unpack the security mechanics in clear terms: a use-after-free race condition, an impossibly thin race window, and the way memory corruption turns into privilege escalation. We also talk about what makes this case extra concerning, including the report that it can be triggered from inside Chrome’s rendering sandbox. If you’ve ever relied on sandboxing, kernel boundaries, or “we run scanners” as your safety net, this story forces a more honest view of defense in depth. From there we connect the dots to CISSP Domain 8 software development security and real secure SDLC practice. We walk through where SAST, DAST, fuzzing, KASAN-style instrumentation, and AI-assisted code review help and where they fail, especially for concurrency bugs. The real takeaway is a layered detection strategy: automated testing plus manual secure code review for high-blast-radius code, support for external researchers through bug bounty programmes, and a patch management process that moves in days with verification and regression testing so incomplete fixes do not slip through. If this helps you think like a manager, subscribe, share the episode with a study buddy, and leave a review so more CISSP candidates can find it. Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

  2. Jul 6

    CCT 360: SSA Whistleblower and the Thumb Drive: What CISSP Asset Security Tells Us About This Disaster

    Send us Fan Mail Imagine hearing a claim that the most sensitive identity data in the United States could be sitting on a personal thumb drive. That allegation is still unverified and under investigation, but it gives us a rare chance to see CISSP Domain 2 asset security in real time, with consequences that go far beyond a typical data breach. I walk through what’s being reported about Social Security Administration data access and potential copying, then I put on the Domain 2 lens: data classification and handling requirements, who the true data owner is, what custodians should be enforcing, and how processors should be limited by scope, purpose, and time. We talk about why “high” impact data under FIPS 199 should automatically trigger stricter controls, and how failures in encryption, logging, and data loss prevention can let sensitive datasets slip outside organizational boundaries. We also dig into the part most teams get wrong: the data lifecycle. If you cannot execute secure disposal and verify it, you cannot “close Pandora’s box.” Using NIST SP 800-88, we break down clear, purge, and destroy, connect it to real operational controls like removable media restrictions, and turn the whole story into practical exam guidance and CISO-level program lessons you can use with leadership. Subscribe for more CISSP-ready breakdowns, share this with someone studying Domain 2, and leave a review so more security pros can find the show. What is the first control you would fix in your own environment? Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

  3. Jun 29

    CCT 359: ShinyHunters vs. Oracle — Supply Chain Risk Every CISSP Must Know

    Send us Fan Mail A vendor gets breached and suddenly your perimeter does not matter, because the attacker does not need to “hack” you. They just reuse the access you already approved. That’s the core lesson behind the Shiny Hunters campaign targeting Oracle PeopleSoft servers at colleges and universities, where compromised access led to large-scale theft of student data and a messy, high-impact supply chain incident. We walk through what supply chain security really means for modern cybersecurity and for the CISSP exam: it’s not only the software you buy, but also hardware vendors, cloud service providers, managed service providers, open source libraries, and contractors with privileged access. I break down the four supply chain attack vectors you need to know cold: compromised credentials and OAuth tokens, malicious code injection in CI/CD pipelines, open source package attacks like typosquatting and maintainer compromise, and hardware tampering. Along the way, we map the ideas to CISSP Domains 1, 3, 5, and 8 so you can answer questions like a manager, not just a technician. Then we go deeper on two concepts that keep showing up in both real breaches and exam questions. First, SBOM (Software Bill of Materials), the “nutrition label” that tells you exactly what’s inside your software so you can respond fast when a new CVE hits. Second, OAuth token governance, where long-lived or overly broad tokens can become silent master keys if you do not scope, expire, inventory, revoke, and monitor them properly. We finish with three practice questions and the reasoning behind the best answers and the common distractors. If this helps, subscribe so you do not miss the next training, share the episode with a CISSP study partner, and leave a review to help more security pros find the show. Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

  4. Jun 22

    CCT 358: EDR Bypass Ransomware: The Gentle Killer Threat Every CISSP Must Know

    Send us Fan Mail Your endpoint tool can be world class and still get taken out first. That’s the unsettling reality behind a new wave of “EDR killer” capabilities being packaged inside ransomware-as-a-service platforms, where affiliates can plug in advanced evasion without building it themselves. When attackers can blind endpoint detection and response before the ransomware payload runs, the old comfort of “we have EDR, so we’re covered” turns into a single point of failure. We unpack the reporting on a highly active ransomware operation and its toolset, then zoom in on the technical path that makes this work: BYOVD, bring your own vulnerable driver. With admin access, attackers load a legitimate but vulnerable signed driver, escalate into kernel mode, and terminate security processes from below the privilege stack. From there, we shift to what matters for real security programs: defence in depth, kernel integrity protections like HVCI and KMCI, strict driver allow and block policies, and aggressive driver hygiene to reduce attack surface. Then we put on the CISSP lens. We tie the scenario to Domain 7 security operations (EDR limits, incident response, monitoring), Domain 3 security architecture and engineering (layered controls, hardening), and Domain 1 security and risk management (risk = threat × vulnerability × impact, plus threat landscape shifts). The big takeaway is simple: your job isn’t to find the fanciest tool, it’s to build a program that still works when one control fails and to communicate that risk clearly to leadership. If this helps you think like a manager and study smarter, subscribe for weekly CISSP-focused breakdowns, share the episode with a teammate, and leave a review so more people can find the show. Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

  5. Jun 15

    CCT 357: Is Your Encrypted Data Already Stolen? Quantum Risk & Supply Chain Attacks for CISSP

    Send us Fan Mail Someone is stealing encrypted data right now and they are not trying to read it today. They are saving it for later, betting that quantum computing will eventually break the encryption that protects it. I dig into the “Harvest Now, Decrypt Later” strategy, why it matters most for long-term confidentiality, and how security leaders can talk about it as a present-day risk instead of science fiction. From there, I get practical with post-quantum planning: what the NIST post-quantum cryptography standards signal, why quantum key distribution is still niche for most organisations, and the big architectural idea to remember for the CISSP and for real enterprise security programs: crypto agility. We walk through concrete steps like building a cryptographic inventory, mapping where RSA and elliptic curve crypto live, identifying data with 10 to 20 year secrecy needs, and pushing vendors for a clear PQC roadmap. Then we pivot into CISSP Domain 1 supply chain risk management (SCRM and CSCRM). I explain why supply chains are a prime target, how modern supply chain attacks can ride in through poisoned open source packages, and what SolarWinds showed the world about scale and impact. We close with the nuts and bolts that actually reduce third-party risk: lifecycle supplier management, meaningful assessments (on-site when it matters), document and policy review, audits, and minimum security requirements baked into contracts and SLAs. If you want more training, check out CISSP Cyber Training, subscribe for weekly updates, share this with a friend who owns risk, and leave a quick review so more CISSP candidates can find the show. Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

  6. Jun 8

    CCT 356: Supply Chain Attacks Are Exploding in 2026 — Here's What the NCSC Wants You to Do

    Send us Fan Mail Your software is only as trustworthy as the dependencies you quietly inherit and attackers know it. Today I break down the NCSC warning on software supply chain security and why open source package ecosystems have become a high-value target for real-world compromises that spread fast through CI/CD pipelines. I walk through the attack patterns that keep showing up in incidents: maintainer account compromise, expired domain takeover, typosquatting, and credential chaining. We connect each technique to the CISSP mindset so you can spot it in scenario questions and, more importantly, recognise it in your own environment. Along the way, I explain why Node.js, Python, and Rust projects are especially exposed, how automation can turn “latest version” convenience into an enterprise incident, and why developer environments often become an overlooked attack surface. Then we get practical with controls you can actually implement: pausing automatic dependency updates when compromise is suspected, adding human approval for critical packages, rotating credentials immediately, enforcing MFA on developer and registry accounts, and using private or trusted registries to mirror and vet dependencies. I also zoom out to show how to build supply chain security into the secure SDLC with software composition analysis (SCA), code signing, checksum verification, audit logging, continuous monitoring, and an SBOM so you can respond fast when a package turns toxic. If this helps you tighten your dependency management and level up your CISSP prep, subscribe, share this with a teammate, and leave a quick review so more security pros can find the show. Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

  7. Jun 4

    CCT 355: Zapier Breach Lessons For Cloud Security and Setting Up TPRM Program in 15 Minutes

    Send us Fan Mail The breach that takes down a company often does not kick in the front door. It walks in through a “simple” integration you set up months ago, powered by a token no one remembered to rotate. We start with a real-world Zapier-style scenario and unpack how researchers chained together a harmless-looking code block, an AWS Lambda environment, and a misconfigured IAM role to reach private repository files and ultimately an NPM token that could enable a supply chain attack. From there, we zoom out to the bigger cloud security problem: non-human identities. Service accounts, API keys, and OAuth tokens multiply fast, and they are frequently overprivileged, poorly tracked, and left active long after an integration is retired. We also talk about why SaaS-to-SaaS connections are so hard to secure, and why agentic AI makes visibility even more urgent. If you do not know what systems are connected, what data crosses those links, and who owns the risk, you are effectively trusting an invisible tunnel into your environment. To make this actionable, we lay out a four-phase third-party risk management (TPRM) framework you can apply immediately: build a vendor and integration inventory with tiering, run real due diligence (SOC 2 Type II, ISO 27001, data access scope, subprocessors and fourth parties), lock protections into contracts (DPA language, right to audit, breach notification expectations), then enforce ongoing monitoring and governance with quarterly token reviews, logging, and incident response playbooks. If you are studying for the CISSP, you will also see exactly how this maps to Domain 1, Domain 3, Domain 4, and Domain 5. Subscribe for more practical CISSP training, share this with a teammate who owns vendor approvals, and leave a review so more security pros can find it. What is the one integration you would audit first? Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

  8. Jun 1

    CCT 354: Data Security Controls and Compliance Requirements for the CISSP (Domain 2.3) - REPLAY

    Send us Fan Mail Your firewall can be patched tomorrow, but what about the place your system hides its real secrets today? We start with a timely warning about a serious Fortinet FortiGate vulnerability and why perimeter devices are still a make-or-break control, then we pivot into the deeper layer most people ignore until it’s too late: memory. We walk through CISSP Domain 3.4 by focusing on what memory protection is actually trying to achieve: confidentiality, integrity, and process isolation. From there, we unpack how modern operating systems enforce separation with paging, segmentation, and strict read, write, execute controls. You’ll hear why Meltdown and Spectre were such a big deal, how speculative execution can leak passwords and encryption keys from privileged memory, and why patching decisions are never just “apply everything” but a risk-based vulnerability management call that depends on visibility into what you run. Next, we connect memory protection to virtualization security. We break down hypervisors, guest and host isolation, Type 1 versus Type 2 designs, and the threats that keep security teams up at night: VM escape, side-channel leakage through shared CPU resources, and the operational hazards of memory overcommitment. Then we bring in hardware roots of trust through TPMs: secure boot, measured boot, key storage for full disk encryption, TPM 2.0 types, and how HSM-style key management shows up in cloud environments. We close with practical best practices, from firmware and microcode updates to choosing encryption controls that fit your actual risk. If you’re studying for the CISSP or building a real-world security strategy, subscribe, share this with a teammate, and leave a review so more security pros can find it. Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

4.5
out of 5
34 Ratings

About

Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀

You Might Also Like