CISSP questions

Hi everyone,

Longtime lurker here starting my CISSP studies. Firstly, I wanted to say thanks to everyone who contributes here; I've found some very useful info/resources here already!

I have a couple of questions regarding some Domain 1 specifics that are not making sense to me and would appreciate input on:

*Baselines: Mandatory or not? I am reading through Conrad's study guide and it says not. It didn't 'sound right' to me, so I went back and checked the Cybrary videos, which say the exact opposite: mandatory.

*Copyright vs Patent for software code and algorithms. Can an algorithm be patented? I've read conflicting reports on this.

*The purpose of a countermeasure: In the Sybex study guide (8th edition) there is a question regarding the purpose of a countermeasure. Answers included lowering EF and lowering ARO. I chose EF, which turned out to be wrong. Lowering ARO was correct.
Could a countermeasure not lower the EF of an asset?

Thanks to anyone who can shed some light on the above, and good luck to those studying also.


    EF (Exposure Factor) is how much damage an asset may sustain if successfully attacked (exploited). A safeguard (such as a firewall) is used to make an asset less vulnerable (that is, exposed) to attack prior to an attack occurring. A countermeasure (such as traditional anti-virus) only comes into play after an attempt to attack the asset has been made.

    If ARO is defined as "the number of times per year the asset would be successfully attacked by a threat," you can see that the number of successful attacks (per year) can be reduced by both safeguards and countermeasures. However, the amount of damage sustained by the asset in a successful attack is determined as if there were no safeguards or countermeasures present.
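As an added illustration of the arithmetic behind that answer (example code written for this thread, not taken from the Sybex or Conrad guides or from either poster), the block below computes SLE and ALE and then the cost/benefit value of a control. Following the reply above, the sample countermeasure changes only ARO and leaves EF untouched; the asset value, factors and control cost are constructed figures chosen to make the numbers easy to follow.

```python
# Quantitative risk arithmetic as taught in CISSP Domain 1:
#   SLE = AV * EF          (loss from one successful attack)
#   ALE = SLE * ARO        (expected loss per year)
#   control value = ALE_before - ALE_after - annual cost of the control
# All figures in the scenario below are constructed sample values.


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy for one successful attack on the asset."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a fraction of asset value and must lie in [0, 1]")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE scaled by the annual rate of occurrence."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def control_value(asset_value: float, ef_before: float, aro_before: float,
                  ef_after: float, aro_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's yearly cost.

    A positive result means the control is worth deploying on purely quantitative grounds.
    """
    before = ale(asset_value, ef_before, aro_before)
    after = ale(asset_value, ef_after, aro_after)
    return before - after - annual_cost


def countermeasure_scenario() -> dict:
    """Constructed scenario: a countermeasure that cuts ARO from 2/yr to 0.5/yr.

    EF stays at 0.25, matching the reply's point that the damage per successful
    attack is assessed independently of the countermeasure.
    """
    av, ef, aro_before, aro_after, cost = 200_000.0, 0.25, 2.0, 0.5, 20_000.0
    return {
        "sle": sle(av, ef),                                   # 50,000
        "ale_before": ale(av, ef, aro_before),                # 100,000
        "ale_after": ale(av, ef, aro_after),                  # 25,000
        "control_value": control_value(av, ef, aro_before, ef, aro_after, cost),  # 55,000
    }


if __name__ == "__main__":
    for name, value in countermeasure_scenario().items():
        print(f"{name:>14}: {value:>12,.2f}")
```

Run it as a script to see the before/after figures; the point to take from the numbers is that a control that only changes ARO still drives ALE down, which is why the exam treats "lower ARO" as the purpose of a countermeasure even though the per-incident loss (EF) is unchanged.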
