CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT351: BitLocker Bypass Reality Check (YellowKey) and CISSP Practice Questions
BitLocker feels like a safety net until you see how a single bypass can change the whole risk picture. Today we react to the Yellow Key vulnerability (noted in the news and referenced as CVE 2645585) and use it as a practical CISSP training moment: a public proof of concept is available, a vendor patch is not, and the attack hinges on physical access. That mix forces you to think clearly about what “high risk” actually means, why “critical” is not always the right label, and how real security teams respond when the perfect fix does not exist yet.
We connect the story to CISSP domains you are actively tested on. Domain 3 shows up in the basics of data at rest encryption and the uncomfortable truth that encryption is only as strong as its implementation. Domain 7 shows up in zero-day vulnerability management, compensating controls, and the need to have patch deployment ready to move the moment Microsoft ships a fix. We also highlight why secure boot and firmware integrity checks matter, and why endpoint detection may not help when an attacker can silently read files with little to no logging signal.
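The "audit your environment first" advice the episode keeps returning to is easy to state and easy to skip. The PowerShell below is an added example for this page, not material from the podcast or from Microsoft's advisory: for one Windows endpoint it reports whether Secure Boot is on, whether the TPM is present and ready, and whether the OS volume is fully protected by BitLocker and with which key protector types, then writes one CSV row that can be collected centrally. Assumptions: it runs in an elevated session on Windows 10/11 with the BitLocker, SecureBoot and TrustedPlatformModule modules available; the function name and the CSV path are my own choices. Firmware integrity verification is vendor-specific and is not covered here.

```powershell
# Added example (not from the podcast or from Microsoft): per-device inventory of the
# controls discussed in the episode. Run elevated on Windows 10/11. Function name and
# output path are assumptions for illustration.

function Get-EndpointEncryptionPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = $null
        TpmPresent         = $null
        TpmReady           = $null
        OsVolumeProtected  = $false
        OsVolumeProtectors = @()
        Findings           = @()
    }

    # Secure Boot: Confirm-SecureBootUEFI returns $true/$false on UEFI systems and
    # throws on legacy BIOS / CSM boxes, where there is no Secure Boot to check.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.Findings += 'Secure Boot not available (legacy BIOS or unsupported firmware)'
    }
    if ($result.SecureBootEnabled -eq $false) {
        $result.Findings += 'Secure Boot disabled'
    }

    # TPM state (Get-Tpm needs an elevated session).
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
        if (-not $tpm.TpmReady) { $result.Findings += 'TPM not ready' }
    } catch {
        $result.Findings += "TPM query failed: $($_.Exception.Message)"
    }

    # BitLocker: the OS volume is the one that matters for a lost or stolen laptop.
    $osDrive = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
    if ($null -eq $vol) {
        $result.Findings += "No BitLocker information for $osDrive"
    } else {
        $result.OsVolumeProtected  = ($vol.ProtectionStatus -eq 'On' -and
                                      $vol.VolumeStatus -eq 'FullyEncrypted')
        $result.OsVolumeProtectors = @($vol.KeyProtector |
            ForEach-Object { $_.KeyProtectorType.ToString() })

        if (-not $result.OsVolumeProtected) {
            $result.Findings += ("$osDrive not fully protected " +
                "(ProtectionStatus=$($vol.ProtectionStatus), VolumeStatus=$($vol.VolumeStatus))")
        }
        # A TPM-only protector releases the volume key at boot with no user secret, so the
        # device depends entirely on boot-integrity measurements. Record that so the
        # inventory shows which machines are in that position.
        if ($result.OsVolumeProtectors -contains 'Tpm' -and
            $result.OsVolumeProtectors -notcontains 'TpmPin' -and
            $result.OsVolumeProtectors -notcontains 'TpmPinStartupKey') {
            $result.Findings += 'OS volume uses TPM-only protector (no pre-boot PIN)'
        }
    }

    [pscustomobject]$result
}

# Usage: one row per device; collect the CSV centrally and review the Findings column.
Get-EndpointEncryptionPosture |
    Select-Object ComputerName, SecureBootEnabled, TpmPresent, TpmReady, OsVolumeProtected,
                  @{ n = 'Protectors'; e = { $_.OsVolumeProtectors -join ';' } },
                  @{ n = 'Findings';   e = { $_.Findings -join ' | ' } } |
    Export-Csv -Path "$env:TEMP\encryption-posture.csv" -NoTypeInformation -Append
```

Push this out through whatever endpoint management tool you already have and gather the CSVs. The Findings column becomes the prioritised list for the physical-security and patch-readiness work the episode describes, and the Protectors column tells you which machines rely on the TPM alone to release the volume key at boot.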
Then we shift into five exam-style questions designed to sharpen your decision-making: how to classify risk using likelihood and impact, how to spot absolute-language distractors, which CIA triad principle is actually failing when data is accessed without detection, and why data minimisation can reduce breach impact more than “adding another tool.” If you’re studying for the CISSP exam and want practice that feels like real life, this is built for you.
Subscribe for weekly CISSP practice, share this with a study partner, and leave a review so more candidates can find the show. What control would you tighten first if a BitLocker bypass hit your fleet tomorrow?
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome And Weekly Format
SPEAKER_00: Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber. I'm your host of this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
Yellow Key BitLocker Bypass Explained
SPEAKER_01: Hey all, Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is Thursday, and we are going to be talking about various aspects related to the CISSP domains. This is going to be the question day, right? This is Thursday, and on Thursdays we talk about various questions related to the CISSP exam. So today we're going to be focused around stuff that's tied to a recent article I saw in the news related to Yellow Key. I don't know if you've all seen it, but it's called Yellow Key, and it's tracked as CVE 2645585. What does it do? Well, it bypasses BitLocker encryption, which is bad, and it's allowing an attacker to read and write files on a targeted Windows device. Yeah, it's not good. The public proof of concept is already in the wild, and Microsoft does not yet have a patch. So that's kind of a big deal, especially if you're running BitLocker within your organization. Here's the critical detail: exploitation requires physical access. So, again, the risk drops substantially from what you would expect if it only needed remote access. You have to have physical access to the box. This isn't a remote type of attack, but don't let that lull you into complacency, because lost and stolen laptops are a very real threat vector. Now, when I was a CISO, I had to deal with a lot of different computers that were stolen. I saw that routinely; I'd get the email in the morning saying, hey, XYZ in Belgium lost one, and you're just dealing with all of those. So Microsoft has issued an advisory recommending mitigations. Things like customizing Secure Boot and verifying firmware integrity are important. While they work on a patch, the biggest issue here is that researcher Will Dormann has already flagged that even the temporary mitigation may have a bypass as well.

So don't count on it as your only defense. Experts are pointing back to the basics. Gartner's Eric Grenier says to audit your environment first. As we've talked about, anytime you're dealing with the CISSP, and anytime in security, auditing your environment and knowing what you have in your environment is a crucial step. You need to understand where you're exposed. That's an important part, right? By auditing, you find that out. It's an important piece. Now, NetSPI's Karl Fosaaen added that physical security controls around Windows devices are your best near-term defense. And the detection note from Faulson said that if an attacker just reads the files from your encrypted volume, there will likely be no indicators at all. You may never even know what happened. So that's the interesting part; you need to understand what's going on with Microsoft and Yellow Key.
Mitigations And CISSP Domain Links
SPEAKER_01: So as it relates to the domains, there are some key things. I'm trying to change this up a little bit with the podcast, just to give you a little bit more information related to these questions and to current news and events. I think Yellow Key is a great example of how different types of vulnerabilities out there can affect you and your company. So, Domain 3: obviously, BitLocker is a data-at-rest encryption control. Yellow Key is a cryptographic bypass, so it's a reminder that encryption is only as good as its implementation. Now, vulnerability management, that's Domain 7; that's your zero-day, which basically means there's no patch. There's physical security, access controls on devices, and patch management must be ready to go quickly when the fix comes in. So you need to really understand that these are complementary controls, both the physical and the encryption piece, and defense in depth requires you to have both. BitLocker alone is obviously not enough. So some takeaways you can have related to this article. You audit where BitLocker is deployed and who could physically access those devices. If you're in an organization or an enterprise that has a lot of different devices, this is an important part. You need to ensure that you have physical security policies in place that deal with unattended devices, screen locks, and access controls around that. You need to make sure that you enable Secure Boot and verify firmware integrity now. Limit your data storage to reduce what is at risk, and then have your patch deployment plan ready for when Microsoft releases the fix. That's an important part of what's going on; you need to make sure you have that teed up and ready to go, right? So BitLocker, Yellow Key, and the attack on it. This is a big deal; I would be very concerned, especially since they do not have a patch at this time. Interesting times we are living in.

Okay, so we're gonna roll into some CISSP questions, and we're gonna focus around what we just heard about today, and how you can understand some of the questions and what the thought process is with those.
Free Content And Cohort Offer
SPEAKER_01: But before we do, I wanted to give a quick shout-out for CISSP Cyber Training and how important it is for you to go there and sign up. It's easy. Sign up for a couple of things. One, all of my free content is there. You can sign up for that. It's amazing. There are lots of free things to help you on your CISSP journey and get you going down the path of self-study. It's a very good product. It's amazing, it truly is. Yeah, I am a little biased, of course, but it is good. It's very good, especially if you're just trying to get started on all this CISSP stuff. The second thing is my cohort. I have a cohort that is kicking off the 7th of July. What is the cohort? The cohort is an eight-week boot-camp-ish kind of sprint. The sprint is designed to have all the things you need to be able to pass the CISSP exam. We're gonna meet once a week, and we're gonna go over what you're gonna deal with out in the exam. There are gonna be things you're gonna have to go do; there are study materials you're gonna have to go through. It is going to be full of content, and it's gonna have tons of information. But if you're serious about getting your CISSP done within two months, this is gonna be the path for you. Now, if you sign up early, you can save yourself $100 on the purchase price of this cohort. So I would highly recommend you go over to CISSP Cyber Training and click on the link for the CISSP cohort. So, very, very interesting stuff that we're dealing with.
Question 1 Risk Classification
SPEAKER_01: Okay, so let's get into the questions we're gonna talk about today. Let's get started. Question number one. A security researcher publicly discloses a zero-day vulnerability that bypasses full disk encryption on Windows endpoints. A working proof of concept is immediately available and the vendor has not yet released a patch. Which of the following best describes the appropriate risk classification for this vulnerability? A: Low risk. Full disk encryption prevents any data exposure regardless of the exploit. B: Medium risk. Exploitation requires both network access and elevated privileges. C: High risk. A public exploit exists, sensitive data is exposed, and no vendor patch is available. Or D: Critical risk. Remote, unauthenticated code execution is possible across all affected systems. Okay, so some key concepts to pull out of this, right? We know that it's dealing with full disk encryption. There is a working proof of concept that is available, and the vendor has not released a patch. Now, which of the following best describes the appropriate risk classification for this vulnerability? The interesting part in all this is that it did not mention anything about physical devices or remote code. So you have to think about that. Hmm, what should it be? Let's weed out the ones that I know are incorrect. A, low risk: full disk encryption prevents any data exposure regardless of the exploit. Obviously, we know that if you can bypass encryption, then it doesn't matter. Anytime they use absolutes, I would be highly suspect of the answer. Any absolutes, right? No problem, big deal, "regardless of the exploit." That's usually something that's going to be a red flag. So A is out, low risk. B, medium risk: exploitation requires both network access and elevated privileges.

So this one, well, we don't know for sure, but based on what we think we understand, if this was related to the most recent vulnerability on Windows, then it does not need elevated privileges. You just need to have physical access to the device. So it's an interesting piece there. Then, skipping high risk for a moment, let's go to critical risk: remote, unauthenticated code execution is possible across all affected systems. We know, based on the most recent article, that if we're dealing with this Windows vulnerability, it does not have remote unauthenticated execution. It would probably be a situation where it's all physical access. So it would be C: a public exploit exists, sensitive endpoint data is exposed, and no vendor patch is available. If you're looking at the concept, again, this is one of those where you might go, well, I don't know if it's high risk or if it's low risk. Just kind of keep this in the back of your mind: use what's in the question, right? Which one best goes after what they're asking for? Don't rely only on the things you know, but know the fact that in this situation a public exploit does exist. That's a big high-risk item. Sensitive data is exposed, because it's encrypted data, and no vendor patch is available. That would be a high-risk item in any bucket. Now, if they had talked about unauthenticated remote execution capabilities, then at that point in time you would want to go, okay, let's make this critical. But again, it's a challenge when you're in the CISO position, or you're in a security position, where all of a sudden everything can become a critical risk, and you want to avoid that at all costs. So it's not always critical. Again, likelihood and impact: the public availability of a working proof of concept directly increases likelihood, right? Since even low-skilled attackers can leverage it.

The absence of a vendor patch means no technical remediation exists, obviously, elevating the urgency even more. And it's high risk, not critical, because the attack requires physical access, which we don't know for certain, but the question kind of hints at it, right? And then you're ruling out remote unauthenticated exploitation. That's the bigger piece in this: you're ruling out remote unauthenticated exploitation. Okay, let's roll into the next question.
Question 2 CIA Triad Failure
SPEAKER_01: Question number two. An attacker gains physical access to an employee's corporate laptop and silently reads confidential files from the encrypted volume by exploiting a flaw in the encryption implementation. The laptop owner reviews the system logs afterwards and finds no anomalies or alerts. Which security principle does this scenario most directly illustrate a failure of? Okay, so we're looking at physical access again, a corporate laptop, and silently reading confidential files from the encrypted volume by exploiting a flaw in the encryption implementation. The owner reviews the system logs afterwards and finds no alerts. Interesting, no alerts at all. So which principle does this most directly illustrate a failure of? Let's go. A: Availability. The system was inaccessible during the attack. B: Non-repudiation. The attacker could not be held accountable for their actions. C: Integrity. The confidential files were modified without authorization. Or D: Confidentiality. Sensitive data was accessed without detection or authorization. Okay, so let's go to the ones that we know are wrong. A, availability: the system was inaccessible during the attack. Well, no, it was accessible, right? Someone was able to read it; they were reading it right then and there. So it was not an availability problem. Non-repudiation: the attacker could not be held accountable for their actions. Well, that being said, somebody actually had physical access to it, so if you had cameras in place, or something like that, you could figure out who did it. But that's not the failure this most directly illustrates. And then integrity: the confidential files were modified without authorization. It did not talk about that at all, so integrity really wasn't the issue. The biggest issue is confidentiality.

So, which security principle does this scenario most directly illustrate a failure of? That would be confidentiality. Sensitive data was accessed without detection or authorization. The attacker accessed the files without authorization and left no detectable trace. This is a textbook breach of confidentiality. Again, one of the three pillars of the CIA triad: confidentiality, integrity, and availability. Availability was not impacted, since obviously the system continued to operate normally, and again, no issues there whatsoever. Integrity was not violated because the files were read, not altered. It didn't say anything about altering the files at all. And non-repudiation relates to proving that the actions occurred and cannot be denied. Again, that is not the unauthorized access itself. The system was there, it was available, and you could prove it if you had cameras in the building. So really the biggest problem we're dealing with here is the confidentiality aspect. This scenario specifically underscores a critical gap in detective controls. When an attack generates no logs or alerts, only preventive controls, such as physical security policies that stand between the attacker and the data, can take care of this. So you as an organization need to have actual detective controls and controls against physical devices; it is imperative to have that. Preventive controls just don't always cut it. Okay, so let's move on to the next question.
Question 3 Best Organizational Response
SPEAKER_01: Question number three. A vendor has issued a security advisory for a critical encryption bypass vulnerability affecting endpoint devices, but has not yet released a patch. A third-party researcher has also warned that the vendor's recommended interim mitigation may itself have a bypass. Which of the following represents the most appropriate organizational response? Okay. A: Disable full disk encryption on all endpoints until a patch has been made available. B: Implement a layered physical security approach, tighten device access policies, and prepare patch deployment plans. C: Replace all affected endpoints with devices running a different operating system. Or D: Block all internet access on affected devices to prevent remote exploitation. Again, the vendor has issued a security advisory for a critical encryption bypass vulnerability affecting endpoint devices but has not released a patch. The third-party researcher has also warned that the vendor's recommended interim mitigation may itself have a bypass. Which of the following represents the most appropriate organizational response? Let's get into the ones that are not correct. A, disable full disk encryption on all endpoints until a patch is available. Yeah, that's just downright foolish. So, yeah, don't do that. That's a bad idea. Even without the patch, they still gotta have physical access, right? You gotta have someone, you gotta have a sleeper within the home, within the walls of your moat, your castle; you gotta have a bad person, right? They gotta have physical access. So do not turn off the full disk encryption. Bad idea. C, replace all affected endpoints with devices running a different operating system. That just sounds like a nightmare. No, we don't do that. Again, you gotta plan this out. If you're dealing with security, you want to do no harm, right? You want to do no harm to the devices, to the people.

You have to put things in place, but you gotta ask yourself, what is the risk? The next one is D, block all internet access on affected devices to prevent remote exploitation. So you're blocking, you're DDoSing yourself, basically, because you're blocking the internet from all affected devices to prevent remote exploitation, which we also know is not this risk. It's a physical risk, right? We know that. So it's a physical risk. What's up with that? So, key factors on all this. The correct answer is B: implement layered physical security controls, tighten access policies, and prepare patch deployment plans. Even if you don't know the answer to this question, if you just follow those, those are key things. Layered physical security controls, tighten access policies, and prepare for patch deployment. All of those make total sense in setting up your organization. So again, compensating controls and defense in depth are key concepts with the CISSP, and this is one of those questions that requires that; it's kind of going into that. The vulnerability requires physical access, so strengthening physical security controls, enforcing unattended-device policies, restricting access, and requiring screen locks, these are all physical pieces, right? They are the ones that will directly reduce the attack surface immediately. And you should do that anyway, depending on the certification that your company might be going through. This is an important part of any organization. Disabling encryption is a bad idea, right? That's just foolishness, I'm sorry. But again, these kinds of questions do come up. People will ask them of themselves, and then you really have to deal with those kinds of challenges. All right, let's move on to the next question.
Question 4 Reduce Impact With Data Limits
SPEAKER_01: Question number four. Following the disclosure of an encryption bypass vulnerability, a security architect reviews the organization's endpoint strategy and finds that employees routinely store large volumes of sensitive corporate data on their laptops. Oh no, don't do it. Which of the following best reduces the potential impact of a successful attack? Okay, so you know that there's this bypass vulnerability, which we've been talking about. The security architect reviews the organization's endpoint strategy and finds employees are routinely storing large amounts of sensitive corporate data locally on their laptops. So that's a problem. What are we going to do about it? What's the potential impact of a successful attack? A: Enforce full disk encryption on all endpoints. B: Require multi-factor authentication for all device logins. C: Minimize the amount of sensitive data stored locally on endpoints. And D: Deploy endpoint detection and response software on all laptops. Okay, so again, which of the following best reduces the potential impact of a successful attack? Many of those answers are correct, right, from my point of view. But they're asking which best reduces the potential impact. Right? So what is the impact? It's not what actually occurs within the system, it's the impact to it. So A is not correct, because if we enforce full disk encryption, that's great, A is great, but it doesn't matter, because it's already compromised in this situation. B, require multi-factor authentication for all device logins. B does not help against the physical bypass of disk encryption, right? So that doesn't really help you in that situation. The next one is D, deploy endpoint detection and response software to all laptops. EDR is a valuable detection tool, but researchers have noted the passive read-file attack may generate no detectable indicators at all.

So again, you've got to have a little bit of context around this, right? And they would have that in the question itself. But knowing full well that that is probably not the situation, you want to minimize the amount of sensitive data stored locally on an endpoint. Again, that's an important part of all this. You need to have a policy in place and you need to enforce it. When employees are storing sensitive data on their laptops, you now have many more vectors that you have to protect. Keeping the data within a SharePoint library, or keeping it in a certain location that is well protected, is the best form of protecting your corporate data. So just keep that in mind; for any organization, it's an important part of that. Let's move on to the next question.
Question 5 Implementation Beats Algorithms
SPEAKER_01: Question five. A security team discovers that a strong encryption implementation on corporate endpoints has been bypassed through a flaw in how the encryption was integrated with the operating system's boot process. It's not in the algorithm itself, it's in the boot process. Which of the following best explains why strong encryption algorithms alone are insufficient to guarantee data security? Okay, so they're talking about a situation where we have encryption, and there is a flaw in how the encryption was deployed, but not in the encryption algorithm itself. Now, there are some people out there that will go and implement their own encryption algorithms. Terrible idea. Don't do that. Stick with what you know works. But that being said: A, encryption algorithms weaker than AES-256 cannot adequately protect data at rest. B, encryption is designed to protect data in transit, not data stored on local devices. C, strong encryption must be supported by complementary physical, operational, and implementation controls to be effective. Or D, full disk encryption should be replaced with hardware security modules for endpoint protection. Okay, so again, the security team discovers a strong encryption implementation on corporate endpoints has been bypassed, right, through this problem that we're dealing with. So which best explains why strong encryption algorithms alone are insufficient to guarantee data security? Let's start with the answers that are incorrect. A, encryption algorithms weaker than AES-256 cannot adequately protect data at rest. The encryption absolutely protects the data at rest, right? That's fine. So this is factually incorrect. It's not something you would say; that's something you don't want to bite off on. B, encryption is designed to protect data in transit, not data stored on devices.

So B, encryption is designed to protect data in transit, not data stored on local devices. We know that this is not truly the case. Encryption is used in many different ways, both in transit as well as for information that's sitting on a device. So this is factually incorrect as well. Then the next one, D, full disk encryption should be replaced with hardware security modules for endpoint protection. When you're dealing with HSMs, they serve different purposes and are not a replacement for full disk encryption, right? The theoretically strong algorithm is only as secure as the system surrounding its implementation. HSMs are not a replacement for endpoint protection at all. So that would be one that you would just throw away as well. So the correct answer is C: strong encryption must be supported by complementary physical, operational, and implementation controls to be effective. If you just read that answer, you would go, it's not an absolute, right? It's very generic, but it also makes total sense. You have complementary controls; they are physical, operational, and implementation controls. That makes total sense. And the other ones had shades of not making sense. So that's a real easy, quick way to go: okay, this one's out, this one's out, and at a minimum break it down to a couple of options. If this is a question that would be hard for you, break those down to figure out which one is the best. Okay.
Wrap Up And Where To Learn More
SPEAKER_01: Well, that's all I have for you today. I hope you guys enjoyed this. Head on over to CISSP Cyber Training and get all the great stuff that's out there and available for you at CISSP Cyber Training. All right, we'll talk to you later, and we'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube; just head to my channel at CISSP Cyber Training, and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.