Security+ acquired, comment/question on non-repudiation

davevh Registered Users Posts: 2
Hi all, first post to the forum.

I took the Security+ exam yesterday and scored an 857. This was my second CompTIA exam taken; my first was A+ waaay back in 2000. I would like to thank Darril Gibson for his great SY0-301 study guide (Kindle edition) and updated blog. It taught all the conceptual information needed for the exam, and the questions included helped to reinforce the knowledge gained. I also purchased his practice question book (though I did not realize at the time they were the same ones from the study guide, just reformatted. No worries, as it was still helpful and I was glad to hand over the total of $20.00 for both books to Darril).

I felt the actual exam questions were kind of stale and boring, and a few were oddly worded. Toward the end of the exam I was questioning how well I was doing; many of the questions were unlike any of the practice tests I took (including ones from outside Darril's book). I found that I used all the time allotted, as opposed to having plenty of leftover time as I did on practice tests during my studying.

If you are studying for the exam and want to make sure you are well prepared, I would suggest doing a Google search and finding as many practice questions as you can. If you buy a test voucher through getcertify4less they give you a free practice test as well. The CompTIA practice test is also a good resource.

Anyway, I feel the knowledge gained through Darril's book was far more valuable than the Cert itself (which I think is the whole point) and a good foundation for me to pursue and acquire the CISSP experience and ultimate certification.

So onto a topic that has been bugging me a bit. The topic of non-repudiation is emphasized through several technical factors, for example digital signatures. I imagine a scenario where an attacker gains access to a workstation, accesses the email client and performs the equivalent of bluejacking. The host's certificate is used to sign an email, even though the user had no interaction with the certificate but simply affiliation. Could the user be held accountable, even though confidentiality was breached? How would you prove it either way (whether the user or attacker performed the act)? I assume forensics would be the only recourse...

Thanks to everyone who administers and posts on this site; I am finding it a helpful resource.

David

Comments

  • Darril Member Posts: 1,588
    Congratulations on the pass. Glad to hear the book helped you pass with a great score of 857.

    On non-repudiation, you bring up a deeper point than the Security+ exam goes.

    For example, imagine that Joe became angry with Sally for some reason. Joe somehow discovers Sally's password and logs onto her account. He then sends a nasty, scathing email to the owner of the company using Sally's email and signs it using her certificate that is available simply because he is logged onto her account. The owner receives the email and sees that it is signed by Sally.

    Is it possible that Sally is held accountable and fired for this action? Absolutely even though she was framed.

    Then again, she may stress her innocence and the owner may investigate. Forensics may identify that the email was sent during a time when Sally wasn't even in the building. It's also possible that forensics can't prove it and it simply becomes a judgment call on the part of the owner.

    All of this goes back to the importance of authentication. If authentication is a simple password that isn't managed, it's easier for this to occur. On the other hand, if multifactor authentication using a combination of biometrics, a smart card, and a PIN is required, it is much less likely for this to occur.

    So this is a real-life possibility but not likely to be tested in the Security+ exam. I recently completed work with James Michael Stewart and Mike Chapple upgrading a CISSP book (ISBN 1118314174) and your comment had me thinking about the CISSP exam. It's entirely possible you could see something that addresses some element of this scenario, especially as it relates to poor authentication. Again though, one of the primary core requirements of non-repudiation is strong authentication.

    Good luck on the CISSP.
  • davevh Registered Users Posts: 2
    Thanks for the reply Darril!

    I appreciate your example above, and helping to clear up the implications of that scenario for me. I am really starting to enjoy many aspects of cyber security and hope for a professional future in it.

    I have wish-listed your soon-to-be released CISSP study guide on Amazon and look forward to reading it.

    David
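Darril's Joe-and-Sally scenario above, as an added example that is not from the thread or from any of the posters: a toy textbook RSA signature (constructed small parameters, no padding, illustration only) verifies identically whether Sally or Joe ran the signing step, so the only remaining check is the forensic one Darril describes, correlating the send time against a constructed badge log. The key values, log entries and the `assess` verdict strings are all assumptions made for this example.

```python
import hashlib
from datetime import datetime

# Constructed toy RSA key for Sally: p=61, q=53 -> n=3233, e=17, d=2753.
# Illustration only; real keys are 2048+ bits and use padding (PSS/PKCS#1).
SALLY_PUB = (3233, 17)
SALLY_PRIV = (3233, 2753)

def digest(msg: bytes) -> int:
    # Reduce a SHA-256 digest into the toy modulus range
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % 3233

def sign(msg: bytes, priv) -> int:
    # Whoever holds priv (Sally, or Joe logged in as Sally) gets the same result
    n, d = priv
    return pow(digest(msg), d, n)

def verify(msg: bytes, sig: int, pub) -> bool:
    # Proves possession of the private key, not the identity of the person at the keyboard
    n, e = pub
    return pow(sig, e, n) == digest(msg)

# Constructed badge log: (employee, event, ISO timestamp)
BADGE_LOG = [
    ("sally", "in", "2012-05-14T08:02:00"),
    ("sally", "out", "2012-05-14T17:10:00"),
]

def present_in_building(employee: str, when: str, log=BADGE_LOG) -> bool:
    # Replay the employee's badge events up to 'when' to get their last known state
    t = datetime.fromisoformat(when)
    inside = False
    for who, event, ts in sorted(log, key=lambda r: r[2]):
        if who != employee:
            continue
        if datetime.fromisoformat(ts) > t:
            break
        inside = (event == "in")
    return inside

def assess(email: dict, pub) -> str:
    """First the cryptographic check, then the forensic plausibility check."""
    if not verify(email["body"], email["sig"], pub):
        return "invalid-signature"
    if present_in_building(email["from"], email["sent_at"]):
        return "valid-consistent"
    return "valid-but-signer-absent"
```

A signature that verifies but was produced at 22:30 while the badge log shows Sally left at 17:10 is exactly the "judgment call" evidence Darril mentions: it does not prove who typed the email, only that the key was used while its owner was recorded as absent.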