Why is this answer incorrect??

niall.nf · December 2013

Hi all, Im working my way through cccure questions and dont understand why the two attached questions are the answers they are.
I can maybe see the first answer in that a "Threat" encompasses "Threat Agents" and therefore the most best answer but is that not just splitting hairs??

The second question ive attached dosent make sense to me at all, surely passwords are technical controls first before being preventive????

can someone wiser than me explain??

JockVSJock · December 2013

I think you answered both questions correctly.

If you haven't noticed, sometimes there are inconsistencies with answers for CISSP Material:

http://www.techexams.net/forums/isc-sscp-cissp/95285-conrand-transcender-have-same-question-password-guessing-crarcking-yet.html

As for the Threat, which is a potential negative occurance, I have never heard of a threat agent. Not able to reference that term in any CISSP material that I have.

As for Preventive Access Controls, can't find any examples of password management as a part of it. Here are some of the examples found in CISSP Study Guide 6th Edition from Sybex:

Examples of preventive access controls includes fences, locks. biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access control methods, encryption,
auditing, CCTV, smart cards, callback procedures, security policies, security awareness training, antivirus software, firewalls and IPS.

From the same book, pg 7, definition of Technical/Logical Control

Examples of logical or technical access controls include authentication methods (such as usernames, passwords, smart cards, and biometrics)

niall.nf · December 2013

Hi Jock, Thanks for the reply. Yeah thats pretty much what I was thinking about passwords being technical. I couldnt believe it when I saw it marked red!!!
Shon Harris does mention Threat agents in her AIO book and it was based on her definition that I chose the answer I did.

From Shon Harris:

"A threat is any potential danger that is associated with the exploitation of a vulnerability.
The threat is that someone, or something, will identify a specific vulnerability
and use it against the company or individual. The entity that takes advantage of a vulnerability
is referred to as a threat agent. A threat agent could be an intruder accessing
the network through a port on the firewall, a process accessing data in a way that violates
the security policy, a tornado wiping out a facility, or an employee making an
unintentional mistake that could expose confidential information."

Thanks again for your help Jock..

JockVSJock · December 2013

Threat and Threat Agent are the same thing, IMO.

Talk about splitting hairs and misinformation on test...welcome to the wonderful world of IT certifications!

netstat · December 2013

Read the question properly.

A password alone might be seen as technical but Password Management as a process is a preventive contol which for example (as part of the password management life cycle) prevents the password from being guessed/brutefoced by changing it on a frequent basis. This is a preventive process.

The questions states "an event" A threat agent cannot be an event. A threat agent is "something or someone" that has potential/can (trigger) exploit the vulnerability. Such as a hacker or an automated tool.

A threat is the "event" of someone or something (the threat agent) identifying this weakness to exploit it.

A vulnerability is then the weakness itself.

atx1975 · December 2013

I concur with Netstat. These are the type of questions you will see so read each word carefully to find exactly what they are asking.

LinuxRacr · December 2013

Netstat, thanks for that insight. Your explanation really helps frame the thought process needed for the questions.

Why is this answer incorrect??

Comments