CISSP practice exam says SSL is a compensating control; isn't it a deterrent control?

pcgizzmo Member Posts: 127
I came across the following question on a practice exam today.

You are asked to implement SSL on your company's Intranet to support your company's policy that all data from your company's Intranet and internal network be encrypted.

Which of the following access controls are you implementing?

A. corrective
B. deterrent
C. recovery
D. compensating

The maker of the test says it's supposed to be D. compensating, but I disagree.

If I were going to have to pick it would be Preventative which is not even an option. Encrypting SSL traffic prevents the data from being easily seen by packet capture.

Since that was not an option, I would say B. Deterrent, because the SSL makes it more of a hassle than what it may be worth to try and get the data.

In fact, CISSP for Dummies says encryption is preventive.

So, what do you guys think? How can it be D. compensating, or is the test wrong? And if it's not wrong and the CISSP test questions are worded this way, I don't know how I'm going to pass, because I'm obviously not thinking in the right mindset.

Comments

  • paul78 Member Posts: 3,016
    One thing about ISC2 questions is that there could be shades of right answers. But one answer is always more right than others. It should be preventative, all things being equal. The question refers to a policy violation which presumably has no security control. So SSL is being used as a compensating control. That said, I can't explain why it's not a corrective control. So I'm equally stumped.
  • corpsec Member Posts: 73
    You are asked to implement SSL on your companies Intranet to support your companies policy that all data from your companies Intranet and internal network be encrypted.

    Which of the following access controls are you implementing?
    A. corrective <-- Not corrective because corrective implies that the control is fixing unauthorized entry or return conditions before violations occurred. The keyword here is to support a policy and not fix it.
    B. deterrent <-- Not deterrent because the question states that it's to support the policy that the network must be encrypted.
    C. recovery <-- Not recovery because it's not trying to recover from something.
    D. compensating <-- Best answer because the question asks what access control are you implementing to support the company policy of the network must be encrypted. SSL is not the only choice for encryption, and if currently their intranet/internal network is just sending things in plain text then it's violating the "network be encrypted" criteria and thus a compensating control needs to be implemented.
  • secben Member Posts: 10
    IMO, it should be a corrective control.

    This is the official guide's definition of a corrective control:

    "Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state"

    ...

    "They can range from “quick fix” changes like new firewall rules, router access control list updates, and access policy changes to more long-term infrastructure changes like the introduction of certificates for wireless 802.1x authentication, movement from single-factor to multifactor authentication, for remote access, or the introduction of smart cards for authentication."

    - Link: Official (ISC)2 Guide to the CISSP CBK, Second Edition - Harold F. Tipton - Google Books

    By implementing SSL, you correct an issue of non-compliance with the security policy. So it's the most suitable answer.

    Not sure if there's anything called "compensating control".
  • w77m Member Posts: 18
    If I had this question, I would have picked Compensating Control also. You're compensating for a lack of encryption that doesn't presently exist. It can't be corrective because nothing has gone wrong; the nature of the network is that it has unencrypted traffic flowing. And it wouldn't be Deterrent because if I was going to sniff the network traffic I would not have known it was SSL encrypted until I actively was sniffing the traffic, so I wasn't deterred from trying.
  • pcgizzmo Member Posts: 127
    I think if the answer is going to be compensatory they should have worded the question a little differently. We don't know that this is not a server that just got built and you're the web guy that comes in after the systems guy to set up IIS or Apache etc.

    I'm thinking the question should be more like "It's been discovered that SSL is not currently running on your company's Intranet. You've been asked to implement it according to company policy that all traffic between your company's internal network and Intranet be encrypted."

    Are the questions on the CISSP exam this ambiguous?
  • w77m Member Posts: 18
    I just took the exam two days ago... there will be many a moment when you will scratch your head and think WTF?!?
    The question you posted doesn't infer servers or any specific type of setup. All it says is encrypt data from the intranet and internal network. An intranet is full of other devices, remember, not just servers: workstations, printers etc.
  • paul78 Member Posts: 3,016
    pcgizzmo wrote: »
    Are the questions on the CISSP exam this ambiguous?
    As I recall, it wasn't necessarily ambiguous, just very nuanced. You really have to pick apart the double negatives and try not to infer anything additional that isn't in the question.
  • Chivalry1 Member Posts: 569
    Pick the best answer from the choices. I agree it should be preventive, but in this case it is not listed as an option, which lends to the fact that the answer would be compensating. Following the method, compensating would be the best answer in "this particular situation".
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • Paperlantern Member Posts: 352
    secben wrote: »
    IMO, it should be a corrective control.

    This is the official guide's definition of a corrective control:

    "Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state"

    ...

    "They can range from “quick fix” changes like new firewall rules, router access control list updates, and access policy changes to more long-term infrastructure changes like the introduction of certificates for wireless 802.1x authentication, movement from single-factor to multifactor authentication, for remote access, or the introduction of smart cards for authentication."

    - Link: Official (ISC)2 Guide to the CISSP CBK, Second Edition - Harold F. Tipton - Google Books

    By implementing SSL, you correct an issue of non-compliance with the security policy. So it's the most suitable answer.

    Not sure if there's anything called "compensating control".

    I thought the same thing, I have been studying for CISSP now consistently for about 2 weeks. And on and off for the last 6 months (I've read the Conrad book through so far), and "compensating control" isn't something I'm yet familiar with. HOWEVER, I did just pick up that book, and I think it's just been some time since I've been through it, Compensating controls are defined in the glossary as "Additional Security Controls put in place to compensate for weaknesses in other controls."
  • JDMurray Admin Posts: 13,028
    Realize that many technologies fall under multiple security control categories. This makes them an excellent candidate for, "Two answers are correct, but one answer is more correct than the other" exam item answer options.

    However, in this case, SSL is a compensating control because it compensates for network traffic that is normally unencrypted. SSL doesn't fix anything that is broken, nor was it designed specifically to deter the sniffing of network traffic.
  • bryguy Member Posts: 190
    When I think of a deterrent control, I think of the posted ADT sign outside of a house. A potential attacker can choose to ignore the sign, as the sign does nothing to actually physically prevent the would-be thief. A deterrent control more or less "discourages" a would-be attacker by inferring or explicitly stating potential consequences, but does nothing to actually prevent an attack. I agree that "preventative control" would have been the best answer, but "compensating control", out of the 4 given, is the closest to the "right" answer. Expect 250 similar questions on the exam. Hope this helps a little, in addition to what everyone else has added.
  • JDMurray Admin Posts: 13,028
    When I'm deciding what kind of control some device or technology is, I ask myself, "Was this device specifically designed to be an XYZ control?" For example, a security video camera was specifically designed to be a detective control, but it can also serve as a deterrent control. However, video cameras were not specifically created to be a deterrent (a security video camera salesman on commission might tell you otherwise, though), so labeling them a detective control would be the correct assessment.