CISSP hell question need explanation

amol9w Member Posts: 47
Hi guys, please help on the question below; I have the exam next week and want a quick reply.
As a vendor, you need to provide periodic patches or updates to a product. Your customers would like to be sure that they are downloading the patches from the legitimate site. Further, they would like to ensure that the integrity of the download has not been compromised. An effective way to do this is through the use of:
A. Symmetric cryptography
B. Digital signatures.
C. Asymmetric cryptography
D. PGP
Answer: B
I selected C, since I think a digital signature is not used on a website; rather a CA is used. Why is B right?

The risk analysis team has come up with a set of findings and identified certain threats. The information security team puts up a contingency plan in place so that the company can continue to function if that threat takes place. This would be termed as:
A. Risk acceptance
B. Risk reduction
C. Risk mitigation
D. Risk transfer
Answer: B
As per the CISSP books, risk mitigation is the right word here... why the hell is B the correct choice?

Comments

  • jonwinterburn Senior Member Posts: 161
    Digital signature is correct. Recall they are used for integrity and authentication; they can be used to prove that the software you have downloaded (in this case, software patches) is authentic. You're thinking about the website providing the patches, but that could have been compromised and still have a legitimate SSL/TLS certificate. What the question is asking is how you prove the software from the site is genuine.

    As for the risk question, I agree that the wording isn't great.
  • Archon Member Posts: 183
    1. B
    2. Surely risk reduction and risk mitigation are pretty much the same thing.
  • dave0212 Member Posts: 287
    Question 1 answered

    Question 2, Archon is bang on the money; they are the same thing. I would be surprised to see this on an actual ISC2 exam (maybe an ISACA exam) as they are too close to differentiate. But ISO 27005 uses reduction in its terminology rather than mitigation.

    Update:
    Just had a look at the 2011 standard as I am more familiar with the 2008 edition and they have changed it to Risk Modification
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • amol9w Member Posts: 47
    There are 2 questions here
    1) like to be sure that they are downloading the patches from the legitimate site. ---> Digital Certificate is right, not the signature, which is used on docs; hence C is right since it includes DC

    2) like to ensure that the integrity of the download has not been compromised. --> Both B & C can accomplish this, but B would be too granular, hence the right answer
  • amol9w Member Posts: 47
    Q2 asks you to pick the risk response, which doesn't include "risk reduction" as a choice but "risk mitigation".

    If it weren't the last stage of risk response I would select "risk reduction" as the response, as I would like to clean up and then have the risk assessment done.

    So C is the only right option here... why are you holding on to B?
  • dave0212 Member Posts: 287
    Risk reduction and risk mitigation are interchangeable terms, it is a poorly worded question.

    Have a read of NIST publication 800-39, it uses both terminologies to mean the same process

    I would expect to see these as the actual answers on a well-defined question

    A. Risk acceptance
    B. Risk avoidance
    C. Risk mitigation/reduction
    D. Risk transfer
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • jonwinterburn Senior Member Posts: 161
    amol9w wrote: »
    1) like to be sure that they are downloading the patches from the legitimate site. ---> Digital Certificate is right, not the signature, which is used on docs; hence C is right since it includes DC

    I disagree. Yes, the correct terminology would be digital certificate. But the question offers digital signature, which is contained within the certificate, and the fact software is code SIGNED makes digital signature correct. Digital signature - Wikipedia, the free encyclopedia
  • amol9w Member Posts: 47
    Ok, I would put it this way. A DC requires a digital signature on it, which requires the use of asymmetric cryptography.

    So the best answer is the granular one, hence Digital Signature is the right answer

    Asymmetric cryptography --> Digital Signature --> Digital Certificate
  • amol9w Member Posts: 47
    Another hell-raiser question; hope I don't come across such in the exam, or do I have to?


    DES is a symmetric algorithm that was a standard for many years. However, with the increase in availability of computing power to break algorithms, this standard has now been replaced. Which of these is the replacement for DES?
    A. IDEA
    B. 3DES
    C. AES
    D. Secure and Fast Encryption routine (SAFER)

    Answer: C
    With computing power becoming more easily available, the need was felt to have a more efficient and secure system than DES. Advanced Encryption Standard (AES) was developed for this purpose. Triple DES is an intermediate solution.

    Why the hell should I not select B?
  • dave0212 Member Posts: 287
    Look at the history of ciphers

    DES was the standard used by the US government to encrypt unclassified sensitive data; it is not a cipher (by IBM, I can't remember the name) but a name, Data Encryption Standard. When DES was broken the US government requested a new standard and AES was born, once again a name (Advanced Encryption Standard), not a cipher (it's actually the Rijndael cipher).

    So AES was a direct replacement for DES

    Hope that helps
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • 5ekurity Member Posts: 346
    It's all about the wording of the question. It specifically asked what the replacement of DES was. 2DES was created but found to be no more secure than DES, so that was scrapped for 3DES. Essentially, 3DES runs the DES algorithm 3 times on the data being encrypted (3 iterations), so it can't be a replacement. AES was designed to replace the DES algorithms, therefore AES is correct.
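    As an added example (not from the thread or any poster), the point 5ekurity makes above can be checked in code: 3DES is single DES applied three times (encrypt-decrypt-encrypt), and with all three keys equal it degenerates to plain DES, which is why it was a compatibility stopgap rather than a replacement. AES, by contrast, is a different cipher with a 16-byte block. The keys and plaintext block below are constructed for the demonstration; Go's crypto/des package is used only to show the equivalence, not as a recommendation to use DES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/des"
	"fmt"
)

// TripleDESManual encrypts one 8-byte block by running single DES three times in
// the EDE pattern: encrypt with k1, decrypt with k2, encrypt with k3 (8-byte keys).
func TripleDESManual(k1, k2, k3, block []byte) ([]byte, error) {
	c1, err := des.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := des.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	c3, err := des.NewCipher(k3)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c1.Encrypt(out, block) // E with k1
	c2.Decrypt(out, out)   // D with k2 (in-place is allowed for exact overlap)
	c3.Encrypt(out, out)   // E with k3
	return out, nil
}

// TripleDESLibrary encrypts the same block with Go's own 3DES implementation,
// keyed with the 24-byte concatenation k1||k2||k3.
func TripleDESLibrary(k1, k2, k3, block []byte) ([]byte, error) {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// SingleDES encrypts one block with plain DES; used to show that 3DES with
// k1 == k2 == k3 collapses to single DES (the backwards-compatibility property).
func SingleDES(k, block []byte) ([]byte, error) {
	c, err := des.NewCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// AESBlockSize reports the block size of the cipher that actually replaced DES,
// to make the point that AES is a different algorithm (128-bit blocks) and not
// DES iterated more times.
func AESBlockSize(key []byte) (int, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	return c.BlockSize(), nil
}

func main() {
	// Constructed sample keys and plaintext block (8 bytes each), for illustration only.
	k1, k2, k3 := []byte("01234567"), []byte("89abcdef"), []byte("fedcba98")
	block := []byte("8 bytes!")

	manual, _ := TripleDESManual(k1, k2, k3, block)
	lib, _ := TripleDESLibrary(k1, k2, k3, block)
	fmt.Printf("manual EDE  : %x\nlibrary 3DES: %x\nequal: %v\n", manual, lib, bytes.Equal(manual, lib))

	collapsed, _ := TripleDESLibrary(k1, k1, k1, block)
	single, _ := SingleDES(k1, block)
	fmt.Printf("3DES with k1=k2=k3 == single DES: %v\n", bytes.Equal(collapsed, single))

	n, _ := AESBlockSize(make([]byte, 16)) // constructed all-zero AES-128 key
	fmt.Printf("AES block size: %d bytes (DES: %d)\n", n, des.BlockSize)
}
```

    The equal-keys check is the practical takeaway: a 3DES deployment keyed with a repeated key is no stronger than DES, and even proper three-key 3DES keeps DES's 64-bit block, which is the structural reason it was never treated as the successor.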
  • cyberguypr Senior Member Mod Posts: 6,882
    OP, are you sure you are ready for this exam? In my eyes the AES question is a freebie. And this is coming from a guy who doesn't really like crypto. The exam is not in the lines of "which kind of fire extinguisher is used for kitchen fires", but more like "if two trains are approaching from different directions at 45 MPH, what is the name of the driver on train B?"
  • dave0212 Member Posts: 287
    I have to agree with cyberguypr; these are underhand throws from the question pool and you won't get many of those. The majority are fastballs and some are epic curve balls. Not sure what you are using for study but I highly recommend the AIO book and Logical Security videos.

    Also supplement areas of weakness, I hated cryptography until I read the AIO guide (the official guide is so dry and dull) but as a side study try something like The Code Book by Simon Singh (I actually loved reading that book and learnt a lot about cryptography from it)
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • 5ekurity Member Posts: 346
    dave0212 wrote: »
    some are epic curve balls

    And some are elliptic curve balls :) (sorry, couldn't resist)
  • amol9w Member Posts: 47
    I have been going through test questions since last week and haven't touched books... some concepts are getting diluted whereas some things I found new... probably too tired after going through lots of questions... I can recollect the AES question I walked through 6 months back and today I just didn't read the question well...

    Well, for me there's no turning back now, preparing for the exam on and off for the last 2 years... for the last 3 days - days 1 & 2 I will go through the book only, and on the 3rd day no reading/question session, just relax, and then head to the test center on the 27th.

    I have 2 days remaining and need to go through the last cccure questions - 1700, which is a lot of a target; probably I should have started test question preparation earlier, but I know in my heart I am ready... just questions like this make me look a fool, as why am I not getting some questions right.
  • 5ekurity Member Posts: 346
    Everyone is different I guess, but usually if you are interested in learning the material, it makes sense to read the book / training material first, hit the practice exams to reinforce your knowledge / determine weak areas, brush up on weak areas, re-validate with practice tests, then take the actual exam. I don't know what book you are using, but if it's the Shon Harris AIO there is almost no way possible you'd get that accomplished in two days, plus 1700 practice questions. Good luck to you.
  • amol9w Member Posts: 47
    Ok, let me put it my way... I have been looking to do CISSP precisely since the last 3-4 years... postponed the exam last time due to the syllabus change... then got married and work life was busy... then on track and off track again until finally I decided to appear at the end of Dec 14. But again postponed due to work. Finally booked in Dec for the Jan 27 slot... then the pressure started mounting and I began to go through.

    I have around 10 yrs of experience; started with desktop/server, then network and now in an InfoSec job... did CCNA, BCMSN [CCNP], CCSA... till 2007, lost track to enjoy some life... and now rebooting with CISSP in 2015...

    My strong domains I would say are crypto, risk, BCP... weak ones would be physical & environmental, legal.

    For network and OS I know it, have read it only once and still get a good score in tests... for s/w I think it should not be so much of a concern as they have CISSLP... but making sure I know the concepts.

    A few things like crypto DES sub-types and crypto attacks are hard for me, hence I try to memorize them again and again. And gate, lock, fence types & ratings I just can't memorize; will go through them daily till the exam.

    In the next 5 days I plan for - 2 days for the cccure 1700 questions, 2 days to read Official and AIO, 1 day casual reading.

    For tests I am using SSI Logic & cccure. Total Tester is too easy, so when at home I go through that... while traveling I go through Practice Exam 2nd edition... I've been scoring between 70-80% in SSI & Practice Exam. Will check cccure from tomorrow to identify still-weak areas and while going through the books will get them covered.

    Hope all will be well.
  • Dante182 Registered Users Posts: 4
    Regarding the risk question: Risk mitigation and risk reduction are not actually interchangeable terms. To mitigate risk, you would have to put a control in place to address that risk with the intention to prevent the threat from occurring. In the question it states that a "contingency plan in place....", meaning that a compensating control (not a mitigating control) has been put in place to reduce the impact of the risk should a threat be realised.

    The question is worded correctly (IMO), but also to "trick" you. Take this though with a pinch of salt; I haven't written CISSP - but I do work in risk consulting and these are two separate terms we use with clients.

    I hope this was helpful.
  • instant000 Member Posts: 1,745
    amol9w wrote: »
    hi guys,plz help on below question, i have exam in next week want quick reply.
    As a vendor, you need to provide periodic patches or updates to a product. Your customers would like to be sure that they are downloading the patches from the legitimate site. Further, they would like to ensure that the integrity of the download has not been compromised. An effective way to do this is through the use of:

    On the surface, it looks like two questions:
    1. Make sure customers are accessing the correct website.
    2. Make sure the download is good.

    Now, you said asymmetric cryptography. But, how do you know the certificate is good? That's right, you check its signature. If the cert is signed by acme.moon, you probably don't want to trust it. :D

    The software should be signed by the company that issued it. You check the signature. If you think of just checking the hash, that should match, which can be seen as a form of signature, and you should still think "signature" as the answer.

    So, in this case, the best option is digital signature, as you decide whether or not a website or software is good by whether or not you trust the signature.
    The risk analysis team has come up with a set of findings and identified certain threats. The information security team puts up a contingency plan in place so that the company can continue to function if that threat takes place. This would be termed as:

    Not a good question. The best options are too similar. Even within this thread, we have people arguing about what the terms mean, based on industry-specific background.

    Others have answered about AES.

    Note: From my experience, the exam won't ask technical questions such as what a term means. It is more about scenarios in which the CISSP candidate chooses what is best for the business.

    Hope this helps.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • amol9w Member Posts: 47
    Dante182 wrote: »
    Regarding the risk question: Risk mitigation and risk reduction are not actually interchangeable terms. To mitigate risk, you would have to put a control in place to address that risk with the intention to prevent the threat from occurring. In the question it states that a "contingency plan in place....", meaning that a compensating control (not a mitigating control) has been put in place to reduce the impact of the risk should a threat be realised.

    Risk reduction is part of risk mitigation. Risk cannot be eliminated but can be brought to an acceptable level using controls, which was done here using a compensating control as the other options are not possible.

    How can you prevent Disaster ? hence compensate
  • Spin Lock Member Posts: 142
    amol9w wrote: »
    Hi guys, please help on the question below; I have the exam next week and want a quick reply.
    As a vendor, you need to provide periodic patches or updates to a product. Your customers would like to be sure that they are downloading the patches from the legitimate site. Further, they would like to ensure that the integrity of the download has not been compromised. An effective way to do this is through the use of:
    A. Symmetric cryptography
    B. Digital signatures.
    C. Asymmetric cryptography
    D. PGP
    Answer: B
    I selected C, since I think a digital signature is not used on a website; rather a CA is used. Why is B right?

    I realize this question has been answered, but I feel like beating a dead horse, so I'll chime in.

    Reading the question, it's pretty clear what your customers want from you:
    1. Proof they are downloading files from you and not someone else (sounds like non-repudiation to me)
    2. Proof the integrity of the downloaded files hasn't been compromised.

    I started with #2 first because it's simple. The word "integrity" is a dead giveaway that the answer must involve some sort of hashing/message digest. Looking at my answer choices, the ones that involve hashing are Digital Signatures and PGP. So immediately, I eliminated the other two choices: A & C.

    Now I look at requirement 1 to choose between DS and PGP. Technically, PGP provides integrity (through MD5) and non-repudiation (through web of trust), but the "better" answer is Digital Signatures. From what I've read in the CISSP books they limit their discussion of PGP to encrypting email or whole drive encryption. Digital Sigs, on the other hand, seem to be described to solve the problem described in this question exactly - first you generate a message digest of the outgoing file (to provide integrity), then you encrypt the MD with your private key to provide source non-repudiation.
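    The two-step scheme Spin Lock and instant000 describe (digest the outgoing file, sign the digest with the vendor's private key, let customers verify with the embedded public key) can be shown end to end. This is an added example, not code from the thread or from any vendor; it assumes an Ed25519 key pair rather than the RSA/MD5 pairing the older books describe, the key seed and patch bytes are constructed for the demonstration, and SHA-256 is used as the digest. The vendor keeps the private half; the product ships only the public half.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// VendorKeys derives a hypothetical vendor key pair from a fixed 32-byte seed so the
// example is reproducible. A real vendor draws the seed from a CSPRNG and keeps the
// private key offline (ideally in an HSM); only the public key is embedded in the product.
func VendorKeys(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed) // panics unless len(seed) == 32
	return priv.Public().(ed25519.PublicKey), priv
}

// SignPatch is the vendor side: compute a message digest of the outgoing file, then
// sign that digest with the private key. (Ed25519 hashes internally as well; the
// explicit SHA-256 step mirrors the textbook "hash, then sign the hash" description.)
func SignPatch(priv ed25519.PrivateKey, patch []byte) []byte {
	digest := sha256.Sum256(patch)
	return ed25519.Sign(priv, digest[:])
}

// VerifyPatch is the customer side: recompute the digest locally and check the
// vendor's signature over it with the embedded public key. Failure means the bytes
// were altered in transit (integrity) or were signed by someone else (authenticity),
// regardless of how legitimate the download site's TLS certificate looked.
func VerifyPatch(pub ed25519.PublicKey, patch, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // malformed input is a failed verification, never a panic
	}
	digest := sha256.Sum256(patch)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	seed := make([]byte, 32) // constructed all-zero seed, demonstration only
	pub, priv := VendorKeys(seed)

	patch := []byte("product-1.2.3-hotfix: replace libfoo.so") // constructed sample payload
	sig := SignPatch(priv, patch)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("genuine patch verifies:   ", VerifyPatch(pub, patch, sig))

	tampered := append([]byte{}, patch...)
	tampered[0] ^= 0x01 // a single flipped bit, as a compromised mirror would introduce
	fmt.Println("tampered patch verifies:  ", VerifyPatch(pub, tampered, sig))

	otherPub, _ := VendorKeys(append(make([]byte, 31), 1)) // some other party's key
	fmt.Println("verifies under other key: ", VerifyPatch(otherPub, patch, sig))
}
```

    The three checks in main are the ones an updater should make before installing anything: the signature must verify, under the vendor's pinned public key, over exactly the bytes that will be installed. Verifying a detached signature that was downloaded from the same mirror as the patch adds nothing unless the key used to check it is already trusted by the client.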
  • colemic Member Posts: 1,568
    Mitigating risk means putting a control in place to prevent the threat from occurring. (Such as patching a SQL server.) Reducing risk, is removing the SQL server from the environment altogether. Mitigations do not reduce risk.
    amol9w wrote: »
    Risk reduction is part of risk mitigation. Risk cannot be eliminated but can be brought to an acceptable level using controls, which was done here using a compensating control as the other options are not possible.

    How can you prevent Disaster ? hence compensate
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • amol9w Member Posts: 47
    colemic wrote: »
    Mitigating risk means putting a control in place to prevent the threat from occurring. (Such as patching a SQL server.) Reducing risk, is removing the SQL server from the environment altogether. Mitigations do not reduce risk.

    Risk cannot be eliminated, only reduced/mitigated with controls. Mitigation does reduce the risk. Removing the SQL server is avoiding risk, not reducing risk.


    There are 4 choices as per the official guide: (1) Risk Avoid (2) Risk Transfer (3) Risk Mitigate (4) Risk Accept
  • dave0212 Member Posts: 287
    colemic wrote: »
    Mitigating risk means putting a control in place to prevent the threat from occurring. (Such as patching a SQL server.) Reducing risk, is removing the SQL server from the environment altogether. Mitigations do not reduce risk.

    That would be removing risk, not reducing it. Risk Avoidance would be the removal of SQL from the environment; Risk Reduction is implementing controls to reduce the likelihood or impact of the risk.
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • sherlee Member Posts: 6
    Risk Reduction: To reduce the chances of the threat to the system. (It's not a managerial approach.)
    Risk Mitigation: To tackle the risk in a systematic way. (Managerial approach.)
  • dave0212 Member Posts: 287
    Risk Mitigation
    Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. The alternatives to mitigate risk depend on: (i) the risk management tier and the scope of risk response decisions assigned or delegated to organizational officials at that tier (defined by the organizational governance structures); and (ii) the organizational risk management strategy and associated risk response strategies. The means used by organizations to mitigate risk can involve a combination of risk response measures across the three tiers. For example, risk mitigation can include common security controls at Tier 1, process re-engineering at Tier 2, and/or new or enhanced management, operational, or technical safeguards or countermeasures (or some combination of all three) at Tier 3. Another example of a potential risk requiring mitigation can be illustrated when adversaries gain access to mobile devices (e.g., laptop computers or personal digital assistants) while users are travelling. Possible risk mitigation measures include, for example, organizational policies prohibiting transport of mobile devices to certain areas of the world or procedures for users to obtain a clean mobile device that is never allowed to connect to the organizational networks.
    This week I have achieved unprecedented levels of unverifiable productivity


    Working on
    Learning Python and OSCP
  • astudent Member Posts: 26
    Archon wrote: »
    1. B
    2. Surely risk reduction and risk mitigation are pretty much the same thing.

    I am pretty sure that risk reduction and risk mitigation are the same thing. The risk management textbook I read explains that risk mitigation is a U.S. term for risk reduction. This probably explains why risk reduction is used in the ISO framework and risk reduction/risk mitigation is used in the NIST framework.
  • colemic Member Posts: 1,568
    My bad. I was in a rush trying to respond before leaving for the day and I had a brain fart. Should have known better.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • Cyberscum Member Posts: 795
    To be honest I would think that this would be risk acceptance. At no point is the team dealing with the threat directly. They are making a contingency plan for continued operations, but do not (in my eyes) deal with the threat itself.
  • amol9w Member Posts: 47
    Just completed the test on cccure --- scored 80%. The questions were too easy after going through the SSI question bank. But today is the last day I will give tests, and then the next 2 days read books and the last day relax... and then the CISSP exam.

    Hope i will go through it