Why is this answer incorrect??

niall.nf Member Posts: 21
Hi all, I'm working my way through cccure questions and don't understand why the two attached questions are the answers they are.
I can maybe see the first answer in that a "Threat" encompasses "Threat Agents" and is therefore the best answer, but is that not just splitting hairs??

The second question I've attached doesn't make sense to me at all. Surely passwords are technical controls first before being preventive????

Can someone wiser than me explain??

Comments

  • JockVSJock Member Posts: 1,118
    I think you answered both questions correctly.

    If you haven't noticed, sometimes there are inconsistencies with answers for CISSP Material:

    http://www.techexams.net/forums/isc-sscp-cissp/95285-conrand-transcender-have-same-question-password-guessing-crarcking-yet.html

    As for the Threat, which is a potential negative occurrence, I have never heard of a threat agent. Not able to reference that term in any CISSP material that I have.

    As for Preventive Access Controls, can't find any examples of password management as a part of it. Here are some of the examples found in CISSP Study Guide 6th Edition from Sybex:

    Examples of preventive access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access control methods, encryption, auditing, CCTV, smart cards, callback procedures, security policies, security awareness training, antivirus software, firewalls and IPS.


    From the same book, pg 7, definition of Technical/Logical Control

    Examples of logical or technical access controls include authentication methods (such as usernames, passwords, smart cards, and biometrics)
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "Its easier to deceive the masses then to convince the masses that they have been deceived."
    -unknown
  • niall.nf Member Posts: 21
    Hi Jock, thanks for the reply. Yeah, that's pretty much what I was thinking about passwords being technical. I couldn't believe it when I saw it marked red!!!
    Shon Harris does mention threat agents in her AIO book, and it was based on her definition that I chose the answer I did.
    From Shon Harris:

    "A threat is any potential danger that is associated with the exploitation of a vulnerability.
    The threat is that someone, or something, will identify a specific vulnerability
    and use it against the company or individual. The entity that takes advantage of a vulnerability
    is referred to as a threat agent. A threat agent could be an intruder accessing
    the network through a port on the firewall, a process accessing data in a way that violates
    the security policy, a tornado wiping out a facility, or an employee making an
    unintentional mistake that could expose confidential information."

    Thanks again for your help Jock..
  • JockVSJock Member Posts: 1,118
    Threat and Threat Agent are the same thing, IMO.

    Talk about splitting hairs and misinformation on test...welcome to the wonderful world of IT certifications!
  • netstat Member Posts: 65
    Read the question properly.

    A password alone might be seen as technical, but Password Management as a process is a preventive control which, for example (as part of the password management life cycle), prevents the password from being guessed/brute-forced by changing it on a frequent basis. This is a preventive process.


    The question states "an event". A threat agent cannot be an event. A threat agent is "something or someone" that has potential/can (trigger) exploit the vulnerability. Such as a hacker or an automated tool.

    A threat is the "event" of someone or something (the threat agent) identifying this weakness to exploit it.

    A vulnerability is then the weakness itself.
  • atx1975 Member Posts: 17
    I concur with Netstat. These are the type of questions you will see, so read each word carefully to find exactly what they are asking.
  • LinuxRacr Member Posts: 652
    Netstat, thanks for that insight. Your explanation really helps frame the thought process needed for the questions.