
The CISSP Explain Concepts In Plain English Thread

ZzBloopzZ Member Posts: 192
Hello!

Thought I would make a new thread. The main focus of this thread is for users to post concepts that they are having trouble understanding, then other users can try to explain those concepts in simplified plain English.

Problems I am having:

1. Test questions often have various answers that are Recovery, Restoration and Corrective. Sometimes all three are present in the answer choices! I often get confused; could someone please explain the difference and in what areas they are applicable?

2. Same with RPO vs. RTO. I get confused when questions say point in time since both are related to time. The only thing I understand is that RPO must be less than MTD. Part of RPO is how long it takes to recover from a particular incident. However, I need more information than that to understand the question. I will find a real example once I run into it again on a practice exam.


Concepts I learned that are helpful:

- Think of IPSec as a tractor trailer. The AH is the tractor, so it knows where it is going. The trailer is concealed (ESP) and no one knows what's inside until it gets to the destination and the back doors are open (hopefully full of beer!)

- In an upside-down pyramid: Policy > Standards > Guidelines > Procedures. You start with Policy and work your way down; the documents/details get more and more detailed as you go. I kept mixing up the order of the last two, so the trick I use is that the pyramid STARTS and ENDS with a word starting with P, thus Policy and Procedures are at the ends.

- Due Care vs. Due Diligence. Here is a quote from JDMurray that really helped:
Oh, I hate these two. It's like describing the difference between "jealousy" and "envy." Kinda the same thing but not exactly. Here goes:

Due diligence is performing reasonable examination and research before committing to a course of action. Basically, "look before you leap." In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or "not doing your homework."

Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is "negligence."

PDU order from layer 1 up: BFP(SD)Dx3: Bits, Frames, Packets, Segment (TCP)/Datagram (UDP), Data Stream, Data Stream, Data Stream. I don't think I can share the acronyms I use but they are all extremely vulgar and sexually related. I'm sure you pervs can figure it out. But hey, it helps me remember it!

Here are more specific topics that I have read from various Pass threads to study up on:

OAuth Vs. OpenID

IDaaS

SAML

CPTED, here is another good video. This is VERY testable from what I have heard. Sybex mentions nothing about this.

Have yet to find a good one on XACML, which I heard is also very testable.

I will post more that have helped me as I find them.

Comments

    Ultra256 Users Awaiting Email Confirmation Posts: 10
    Let me try to explain

    2. Same with RPO vs. RTO. I get confused when questions say point in time since both are related to time. The only thing I understand is that RPO must be less than MTD. Part of RPO is how long it takes to recover from a particular incident. However, I need more information than that to understand the question. I will find a real example once I run into it again on a practice exam.

    Comments: Both are not related to time. RTO, which is Recovery Time Objective, is related to time, and RPO, which is Recovery Point Objective, is related to data (to be precise, it is related to the data you can afford to lose during a disaster).

    For RTO you need to first understand what MTD is. MTD is the maximum tolerable downtime for the business. Suppose you have a business function which is operational, and if the business function becomes non-operational for more than 4 hrs, you have serious trouble. In that case, your maximum tolerable downtime (MTD) would be 4 hrs. So since your MTD is 4 hrs, you cannot wait for 4 hrs, and your objective must be to recover the technical infrastructure in less than the MTD, which is defined as RTO. So RTO may be 2 hrs based on the asset and other factors.

    RPO is simply how much data you can afford to lose during a disaster. For real-time transactions RPO would be zero, so you need to have remote mirroring at an alternative site for your recovery process.

    1. Test questions often have various answers that are Recovery, Restoration and Corrective. Sometimes all three are present in the answer choices! I often get confused, could someone please explain the difference and what area they are applicable?

    Comments: Yes, These are confusing. Let me try to explain each of them

    Corrective: While performing a corrective action, you are trying to bring the system back to its normal operations after a minor incident like a malware infection. Consider that your system is affected by malware. You quarantine/remove the malware using antivirus software, which brings the system back to normal. So this simple action is corrective. One more example from our day-to-day life: our Windows system hangs, and we just restart the system to bring it back to its normal state. This again is corrective.

    Recovery: Just imagine you have a malware infection and it has erased your hard disk. In this case, just quarantining or removing the malware won't help to bring the system back to its normal state. You will have to restore your data from the backup tape. For that you will need to have recovery mechanisms such as daily backup, system imaging, a cluster, etc. So the daily backup, system imaging and clusters make up your recovery controls.

    Restoration: I don't think this is a control. It is an action performed to restore your activities which are disrupted due to some disaster or due to an incident. Consider a disaster scenario where you need to perform two actions. First you need to recover your business functions at an alternate location using the recovery measures mentioned in the above example, and at the same time you will have some team (salvage team) trying to restore normal business at the affected site.

    Footnote : I am having CISSP exam tomorrow.
    Ultra256 Users Awaiting Email Confirmation Posts: 10
    Just a correction. RPO and RTO are both related to time.
    RTO has a much more holistic approach, including all the systems required for a recovery. But RPO only deals with data.
    ZzBloopzZ Member Posts: 192
    Wow, you should be a teacher Ultra! Thanks so much for your clear explanations. I ended up reading Domain 1 of the Eric Conrad 3E and it had similar explanations. I have it internalized inside out 100% now.

    You definitely sound like you are ready for the exam just from your solid explanations. When is your exam? Good luck!
    Ultra256 Users Awaiting Email Confirmation Posts: 10
    Passed the CISSP today. Will post my experience tomorrow. Exhausted today....It was a marathon indeed...
    webpriestess Member Posts: 82
    Congratulations Ultra! I'm glad it's over for you and you can get some rest! I can't wait to see what you post tomorrow.

    This is a great thread, Buddy. I have always struggled with "enticement" versus "entrapment". I get that one is "Not Guilty" and the other one is "Guilty", but it seems like there is a fine line between the two. Does anyone have any examples comparing enticement versus entrapment that they care to share?

    One more thing - every single source that I have read says that walls/doors should have a "fire resistance rating of 1 hour". Is this correct? Because Transcender states that it's two hours. This burns me up, because I pay good money for this practice exam engine and I expect it to be flawless.

    Thanks!
    ::Claudia
    Ultra256 Users Awaiting Email Confirmation Posts: 10
    Hi Claudia,

    Very Good morning from the southern part of India.

    1. Enticement Vs Entrapment

    Let me try to explain.

    Imagine you were in school, and you have a mate whom you dislike. It's your birthday and you have a pack full of candies on your desk. You call up that mate and tell him, "Hey, mate, I have some candies for you on my desk. Go and have your share of them." He feels happy and takes his candies. At the same time you complain to your teacher, "Teacher, that guy stole my birthday candies."

    It is Enticement when you say: "Hey, mate, I have some candies for you on my desk. Go and have your share of them."
    It is Entrapment when you say: "Teacher, that guy stole my birthday candies", because you have trapped your mate by showing him those candies.

    Enticement is legal. Entrapment is illegal.

    In the infosec world this is done through honeypots. You keep a vulnerable system at your perimeter to track the activities of the attacker and to keep him away from the real stuff. This is enticement. And if you complain to law enforcement that an attacker has accessed your honeypot, this is entrapment, because honeypots are there to be accessed.

    2. Fire resistance rating of 1 hour

    This can vary with local regulations. But on a minimum it must have a resistance rating of one hour.
    iBrokeIT Member Posts: 1,318
    I have always struggled with "enticement" versus "entrapment". I get that one is "Not Guilty" and the other one is "Guilty", but it seems like there is a fine line between the two.

    I love this one.

    Entrapment is where the subject is persuaded (usually by law enforcement) to commit a crime they would not have committed otherwise.
    Enticement is where the subject is assisted in committing a crime they would have otherwise committed without assistance.

    Think of a hitman situation. You are looking to hire a hitman, you get introduced to one, you hire him and pay him, and then he turns out to be law enforcement: that would be enticement.

    Conversely, a hitman (undercover law enforcement) introduces himself to you and offers his services. You mention that one time your spouse made you mad, he suggests you would be better off without them, but you have doubts, and he convinces you to go through with it, which you finally agree to. That would be entrapment, because you may have made the decision not to go through with it if it weren't for his suggestion and persuasion.

    Grossly simplified examples, but you should get the idea now.

    Edit - Think of it this way:
    Enticement - providing resources to a crime you were going to commit anyway
    Entrapment - persuading you to commit a crime you normally wouldn't commit
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
    ZzBloopzZ Member Posts: 192
    Just wanted to clarify RPO a bit more. It is not only for data loss but also system inaccessibility. Thus you can think of it as "How much data/work loss an organization can 'afford' before severely impacting its operations/reputation".
    webpriestess Member Posts: 82
    Hey guys! Thanks for commenting on enticement vs. entrapment. You cleared it up for me and gave me a good laugh too :)

    ::Claudia
    ZzBloopzZ Member Posts: 192
    Need help understanding SOA (Service Oriented Architecture) in plain English. Especially with a real world example. Also, how exactly does it relate to SOAP?

    Thanks!
    webpriestess Member Posts: 82
    I once wrote an SOA type of app for user provisioning. Think of SOA as in web services... like AWS (Amazon Web Services). Just like any other object-oriented app, I wrote a whole bunch of classes to do stuff: create users, reset passwords, display info. This was an API that you can connect interfaces to (mobile, web).

    SOAP is the means that carried the XML data/wsdl stuff that includes parameters (firstname: Daffy lastname: Duck)

    So I had this SOA app that I built. I snapped in create user, modify info, view info and reset password to a Web app that people can hit from their desks...and then I made a mini one for phones that only reset passwords.

    I hope that helped. I'm sorry I didn't see this yesterday. And I hope it makes it to you in time. Good luck ;)

    ::Claudia
    ZzBloopzZ Member Posts: 192
    Thanks Claudia! Could you talk a little more about WSDL please.

    Thanks!
    webpriestess Member Posts: 82
    Okay, now that I'm not typing this from my smart phone in bed and I'm actually at my desk in the office :)

    Let's say you are starting to create your own website dedicated to people preparing for the CISSP. It's moved you that much. One of the things that you want to present on this web site is books that cover the CISSP CBK.

    At this point, you are the Web Services Consumer. You have your own fancy database-driven dynamic type of website, but Amazon has all this great data. Why should you have to build a dataset with all of this information from SCRATCH when you can get it from Amazon?

    So, you connect to Amazon's Web Service to get hold of their book information, which contains the latest prices, the ISBN numbers, thumbnail images, etc.

    SOAP would be the messages sent back and forth between you (the Web Services Consumer) and Amazon (the Web Services Provider). You would send over something along the lines of <Keywords>CISSP</Keywords> and you would get back some results that would look like this: <Title>CISSP Sexy Guide</Title>
    <Title>CISSP for the Newb</Title>
    <Title>Pass the CISSP in 1 day</Title>

    Web Services Description Language basically defines the (Web) Service data schema. It handles the processes of requests and how it will handle the response back to you. It does this in plain old XML format. It would look something like this:

    <xsd:element name="GetBookPrice">
      <xsd:complexType>
        <xsd:sequence>
          <xsd:element name="ISBN" type="xsd:string"/>
          <xsd:element name="Title" type="xsd:string"/>
          <xsd:element name="NumPages" type="xsd:integer"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:element>

    WSDL describes how the data should be coming back, and SOAP would be the actual data. This AWS stuff actually exists if you want to look into it more.

    It's been a long time since I worked on this, so I'm a little rusty. Thanks for the refreshing challenge :)

    ::Claudia
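    The exchange Claudia describes, as an added example that is not part of the original post and is not Amazon's actual web service: a Python script that builds the SOAP request carrying <Keywords>CISSP</Keywords> on the consumer side, then parses a constructed provider reply and checks every <Book> against the field list the WSDL snippet above declares (ISBN and Title as strings, NumPages as an integer). The operation names SearchBooks/SearchBooksResponse, the namespace URI http://example.invalid/bookservice, the _one helper and the sample reply and fault are all assumptions made for illustration; only the SOAP 1.1 envelope namespace is real.

```python
"""SOAP request/response exchange modelled on the book-search example.

Added example, not the poster's code and not Amazon's real API: the
operation name (SearchBooks), element names, service namespace URI and
the sample reply below are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # real SOAP 1.1 namespace
SVC_NS = "http://example.invalid/bookservice"            # hypothetical service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("tns", SVC_NS)

# Field list the (hypothetical) WSDL would declare for each <Book>, in
# order, with the Python type used to check each value.  This mirrors the
# xsd:sequence of ISBN/Title/NumPages shown in the post above.
BOOK_SCHEMA = (("ISBN", str), ("Title", str), ("NumPages", int))


def build_search_request(keywords: str) -> bytes:
    """Consumer side: wrap the query in Envelope/Body/SearchBooks/Keywords."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}SearchBooks")
    ET.SubElement(op, f"{{{SVC_NS}}}Keywords").text = keywords
    return ET.tostring(env, encoding="utf-8")


def _one(parent: ET.Element, tag: str, ns: str) -> ET.Element:
    """Return the single child named tag in namespace ns, or raise."""
    hits = parent.findall(f"{{{ns}}}{tag}")
    if len(hits) != 1:
        raise ValueError(f"expected exactly one <{tag}>, got {len(hits)}")
    return hits[0]


def parse_search_response(raw: bytes) -> list[dict]:
    """Consumer side: validate the provider's reply and return the books.

    A soap:Fault is surfaced as an exception instead of being ignored, and
    each field is converted to the type the WSDL would declare, so a reply
    that puts text where NumPages should be is rejected (ValueError).
    """
    env = ET.fromstring(raw)
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP envelope")
    body = _one(env, "Body", SOAP_NS)
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        # SOAP 1.1 fault children (faultcode, faultstring) are unqualified.
        raise RuntimeError("SOAP Fault: " + (fault.findtext("faultstring") or "?"))
    resp = _one(body, "SearchBooksResponse", SVC_NS)
    books = []
    for book in resp.findall(f"{{{SVC_NS}}}Book"):
        record = {}
        for name, typ in BOOK_SCHEMA:
            text = _one(book, name, SVC_NS).text or ""
            record[name] = typ(text)
        books.append(record)
    return books


# Constructed sample reply standing in for what the provider would send.
CONSTRUCTED_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <tns:SearchBooksResponse xmlns:tns="http://example.invalid/bookservice">
      <tns:Book><tns:ISBN>0-000-00000-1</tns:ISBN><tns:Title>CISSP Sexy Guide</tns:Title><tns:NumPages>512</tns:NumPages></tns:Book>
      <tns:Book><tns:ISBN>0-000-00000-2</tns:ISBN><tns:Title>CISSP for the Newb</tns:Title><tns:NumPages>300</tns:NumPages></tns:Book>
      <tns:Book><tns:ISBN>0-000-00000-3</tns:ISBN><tns:Title>Pass the CISSP in 1 day</tns:Title><tns:NumPages>42</tns:NumPages></tns:Book>
    </tns:SearchBooksResponse>
  </soap:Body>
</soap:Envelope>"""

# Constructed fault reply, the shape a provider returns when the request is bad.
CONSTRUCTED_FAULT = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><soap:Fault><faultcode>soap:Client</faultcode>
  <faultstring>Keywords element is required</faultstring></soap:Fault></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    print(build_search_request("CISSP").decode())
    for book in parse_search_response(CONSTRUCTED_RESPONSE):
        print(book["Title"], book["NumPages"])
```

    The consumer side is where the checks matter: a reply that is not a SOAP envelope, carries a soap:Fault, or puts a non-integer in NumPages is rejected instead of being passed straight into the website's pages. The standard-library parser is used so the script runs offline; in production code that parses XML coming from a provider you do not control, use defusedxml (or an equivalent hardened parser) so that entity-expansion and external-entity tricks in the reply are refused.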
    ZzBloopzZ Member Posts: 192
    WOW! Amazing example Claudia. I get it 100% now, thanks so much!!
    Seab Member Posts: 127
    Super example, thanks! So, are CISSP Sexy Guide and CISSP in 1 Day released yet? :D
    Buddysmom Member Posts: 7
    These are some great examples. Thanks everyone. I just joined the forum today. I'm working on taking the CISSP and don't expect that I will for a few months but I am studying every day.
    webpriestess Member Posts: 82
    Welcome Buddysmom :)