CISSP hell question need explanation
Hi guys, please help on the questions below. I have my exam next week and want a quick reply.
As a vendor, you need to provide periodic patches or updates to a product. Your customers would like to be sure that they are downloading the patches from the legitimate site. Further, they would like to ensure that the integrity of the download has not been compromised. An effective way to do this is through the use of:
A. Symmetric cryptography
B. Digital signatures.
C. Asymmetric cryptography
D. PGP
Answer: B
I selected C, since I think a digital signature is not used on a website; rather a CA is used. Why is B right??
The risk analysis team has come up with a set of findings and identified certain threats. The information security team puts up a contingency plan in place so that the company can continue to function if that threat takes place. This would be termed as:
A. Risk acceptance
B. Risk reduction
C. Risk mitigation
D. Risk transfer
Answer: B
As per the CISSP books, risk mitigation is the right word here... why the hell is B the correct choice?
Comments
As for the risk question, I agree that the wording isn't great.
2. Surely risk reduction and risk mitigation are pretty much the same thing.
Question 2: Archon is bang on the money, they are the same thing. I would be surprised to see this on an actual ISC2 exam (maybe an ISACA exam) as they are too close to differentiate, but ISO 27005 uses reduction in its terminology rather than mitigation.
Update:
Just had a look at the 2011 standard, as I am more familiar with the 2008 edition, and they have changed it to Risk Modification.
Working on
Learning Python and OSCP
1) "like to be sure that they are downloading the patches from the legitimate site" ---> Digital Certificate is right, not the signature, which is used on docs; hence C is right since it includes DC.
2) "like to ensure that the integrity of the download has not been compromised" --> Both B & C can accomplish this, but B would be too granular, hence the right answer.
If it wasn't the last stage of risk response I would select "risk reduction" as the response, as I would like to clean up and then have a risk assessment done.
So C is the only right option here... why are you holding on to B????
Have a read of NIST publication 800-39; it uses both terminologies to mean the same process.
I would expect to see these as the actual answers on a well-defined question:
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation/reduction
D. Risk transfer
Working on
Learning Python and OSCP
I disagree. Yes, the correct terminology would be digital certificate. But the question offers digital signature, which is contained within the certificate, and the fact that software is code SIGNED makes digital signature correct. See: Digital signature - Wikipedia, the free encyclopedia
So the best answer is the granular one hence
Asymmetric cryptography --> Digital Signature --> Digital Certificate
DES is a symmetric algorithm that was a standard for many years. However, with the increase in availability of computing power to break algorithms, this standard has now been replaced. Which of these is the replacement for DES?
A. IDEA
B. 3DES
C. AES
D. Secure and Fast Encryption routine (SAFER)
Answer: C
Why the hell should I not select B?
DES was the standard used by the US government to encrypt unclassified sensitive data. It is not a cipher (the cipher was by IBM, I can't remember the name) but a name, Data Encryption Standard; when DES was broken the US government requested a new standard and AES was born, once again a name (Advanced Encryption Standard), not a cipher (it's actually the Rijndael cipher).
So AES was a direct replacement for DES
Hope that helps
Working on
Learning Python and OSCP
Also, supplement areas of weakness. I hated cryptography until I read the AIO guide (the official guide is so dry and dull), but as a side study try something like The Code Book by Simon Singh (I actually loved reading that book and learnt a lot about cryptography from it).
Working on
Learning Python and OSCP
And some are elliptic curve balls
Well, for me it's no turning back now; I've been preparing for the exam on and off for the last 2 years. Of the last 3 days, on days 1 & 2 I will go through the books.
I have 2 days remaining and need to go through the last cccure questions - 1700 - which is a lot to target; I probably should have started test question preparation earlier, but I know in my heart I am ready... it's just that questions like this make me look a fool, as to why I am not getting some questions right.
I have around 10 yrs experience: started with desktop/server, then network, and now in an InfoSec job... did CCNA, BCMSN [CCNP], CCSA... till 2007, then lost track to enjoy some life... and now rebooting with CISSP in 2015...
My strong domains I would say are crypto, risk, BCP... weak ones would be physical & environmental, legal.
For network and OS I know it; have read only once and still getting a good score in tests... for s/w I think it should not be so much of a concern as they have CSSLP... but making sure I know the concepts.
A few things like crypto DES subtypes and crypto attacks are hard for me, hence I try to memorize them again and again. And gate, lock, fence types & ratings I just can't memorize; will go through them daily till the exam.
In the next 5 days I plan for: 2 days for the cccure 1700 questions, 2 days to read the Official guide and AIO, 1 day casual reading.
For tests I'm using SSI Logic & cccure. Total Tester is too easy, so when at home I go through that; while travelling I go through Practice Exam 2nd edition. I've been scoring between 70-80% in SSI & Practice Exam. Will check cccure from tomorrow to identify still-weak areas, and while going through the books will get them covered.
Hope all will be well.
The question is worded correctly (IMO), but also to "trick" you. Take this with a pinch of salt; I haven't written the CISSP, but I do work in risk consulting and these are two separate terms we use with clients.
I hope this was helpful.
On the surface, it looks like two questions:
1. Make sure customers are accessing the correct website.
2. Make sure the download is good.
Now, you said asymmetric cryptography. But how do you know the certificate is good? That's right, you check its signature. If the cert is signed by acme.moon, you probably don't want to trust it.
The software should be signed by the company that issued it. You check the signature. If you think of just checking the hash, that should match, which can be seen as a form of signature, and you should still think "signature" as the answer.
So, in this case, the best option is digital signature, as you decide whether or not a website or software is good by whether or not you trust the signature.
Not a good question. The best options are too similar. Even within this thread, we have people arguing about what the terms mean, based on industry-specific background.
Others have answered about AES.
Note: From my experience, the exam won't ask technical questions such as what a term means. It is more about scenarios in which the CISSP candidate chooses what is best for the business.
Hope this helps.
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
Risk reduction is part of risk mitigation. Risk cannot be eliminated but can be brought to an acceptable level using controls, which was done here using a compensating control, as the other options are not possible.
How can you prevent a disaster? Hence compensate.
I realize this question has been answered, but I feel like beating a dead horse, so I'll chime in.
Reading the question, it's pretty clear what your customers want from you:
1. Proof they are downloading files from you and not someone else (sounds like non-repudiation to me)
2. Proof the integrity of the downloaded files hasn't been compromised.
I started with #2 first because it's simple. The word "integrity" is a dead giveaway that the answer must involve some sort of hashing / message digest. Looking at my answer choices, the ones that involve hashing are Digital Signatures and PGP. So immediately I eliminated the other two choices: A & C.
Now I look at requirement 1 to choose between DS and PGP. Technically, PGP provides integrity (through MD5) and non-repudiation (through web of trust), but the "better" answer is Digital Signatures. From what I've read in the CISSP books they limit their discussion of PGP to encrypting email or whole drive encryption. Digital Sigs, on the other hand, seem to be described to solve the problem described in this question exactly - first you generate a message digest of the outgoing file (to provide integrity), then you encrypt the MD with your private key to provide source non-repudiation.
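To make the "digest the file, then sign with the private key, customer verifies with the vendor's public key" picture from the last two posts concrete, here is an added example in Go (not code from any poster; the patch bytes and key pairs are constructed for the demo, and the function names are my own). It uses the standard library's Ed25519 and SHA-256: the vendor signs the patch digest, the customer verifies against a vendor key pinned in advance, and both a single flipped bit and a signature from a key that is not the vendor's fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignPatch is the vendor side: hash the patch bytes, then sign the digest
// with the vendor's private key (Ed25519 performs the private-key operation).
func SignPatch(vendorPriv ed25519.PrivateKey, patch []byte) []byte {
	digest := sha256.Sum256(patch)
	return ed25519.Sign(vendorPriv, digest[:])
}

// VerifyPatch is the customer side: recompute the digest over the downloaded
// bytes and check the signature against a vendor public key pinned in advance
// (shipped with the product or obtained out of band), never one fetched from
// the download site itself. A bare published hash cannot give this guarantee.
func VerifyPatch(pinnedVendorPub ed25519.PublicKey, patch, sig []byte) bool {
	digest := sha256.Sum256(patch)
	return ed25519.Verify(pinnedVendorPub, digest[:], sig)
}

func mustKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo exercises the three cases a customer cares about and reports whether
// each verified: genuine patch, one bit changed (integrity), wrong signer (authenticity).
func Demo() (genuine, tampered, wrongKey bool) {
	vendorPub, vendorPriv := mustKeyPair()
	_, otherPriv := mustKeyPair() // some key pair that is not the vendor's
	patch := []byte("constructed sample patch payload, version 1.2.3") // constructed input
	sig := SignPatch(vendorPriv, patch)
	modified := append([]byte(nil), patch...)
	modified[0] ^= 0x01 // simulate one bit flipped in transit
	genuine = VerifyPatch(vendorPub, patch, sig)
	tampered = VerifyPatch(vendorPub, modified, sig)
	wrongKey = VerifyPatch(vendorPub, patch, SignPatch(otherPriv, patch))
	return genuine, tampered, wrongKey
}

func main() { fmt.Println(Demo()) } // prints: true false false
```

The pinned public key is what ties the download to the legitimate vendor; the signature over the digest is what proves the bytes were not altered after signing.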
Risk cannot be eliminated, only reduced/mitigated with controls. Mitigation does reduce the risk. Removing the SQL server is avoiding risk, not reducing risk.
There are 4 choices as per the official guide: (1) Risk Avoid (2) Risk Transfer (3) Risk Mitigate (4) Risk Accept
That would be removing risk, not reducing it. Risk Avoidance would be the removal of SQL from the environment; Risk Reduction is implementing controls to reduce the likelihood or impact of the risk.
Working on
Learning Python and OSCP
Risk Mitigation: To tackle the risk in a systematic way (managerial approach).
Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. The alternatives to mitigate risk depend on: (i) the risk management tier and the scope of risk response decisions assigned or delegated to organizational officials at that tier (defined by the organizational governance structures); and (ii) the organizational risk management strategy and associated risk response strategies. The means used by organizations to mitigate risk can involve a combination of risk response measures across the three tiers. For example, risk mitigation can include common security controls at Tier 1, process re-engineering at Tier 2, and/or new or enhanced management, operational, or technical safeguards or countermeasures (or some combination of all three) at Tier 3. Another example of a potential risk requiring mitigation can be illustrated when adversaries gain access to mobile devices (e.g., laptop computers or personal digital assistants) while users are travelling. Possible risk mitigation measures include, for example, organizational policies prohibiting transport of mobile devices to certain areas of the world or procedures for users to obtain a clean mobile device that is never allowed to connect to the organizational networks.
Working on
Learning Python and OSCP
I am pretty sure that risk reduction and risk mitigation are the same thing. The risk management textbook I read explains that risk mitigation is a U.S. term for risk reduction. This probably explains why risk reduction is used in the ISO framework and risk reduction/risk mitigation is used in the NIST framework.
Hope I will go through it.