[Cisspstudy] Databases and cryptography

Andrea Gatta andrea.gatta at gmail.com
Mon Sep 21 09:31:01 EDT 2009


Well, it might not ease your concern but this is exactly what I am doing.

Here is what I think: Shon Harris is a great tool to get through the huge
amount of data points contained in the CBK.

Besides, the true and authentic interpretation is held in the ISC2 official
guide to the CBK.

Andrea

On Mon, Sep 21, 2009 at 1:58 PM, Holland, Brandon <hollandb at frmaint.com>wrote:

> That worries me.  I plan on taking the test Nov or Dec, and now am
> wondering if I should effectively flush what I've learned from Shon
> Harris and read the ISC2 Official guide for those crazy "just for the
> test" answers like that.  I am too lazy to look right now, but am SURE
> that the CISSP Shon Harris book I read says cryptography actually HURTS
> availability... because you are specifically limiting availability by
> obscuring the data.  It's like another "hoop" you have to go through
> before having your data available.  And if you can't get through it,
> your data is unavailable.
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org
> [mailto:cisspstudy-bounces at cccure.org] On Behalf Of Andrea Gatta
> Sent: Saturday, September 19, 2009 7:27 PM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
> Well, that is true. But it is just based on the fact that ISC2 looks very much
> concerned about keys getting lost/corrupted.
>
> On the other hand the last answer - which is sadly the one I picked up -
> looks quite reasonable.
>
> As a note - looking at the crypto chapter in the ISC2 book it looks
> pretty clear that they consider availability as one of the security
> services offered by cryptography (page 226). I am sure that availability
> is not mentioned as a crypto sec service in any other book (but I will
> look into it).
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <mlarchuleta at gmail.com>
> wrote:
>
>
>        Well if you follow the chain of thought from the last question.
> If a disgruntled employee has access. YES
>
>        Sent from my iPhone
>
>        On Sep 19, 2009, at 6:01 PM, Andrea Gatta
> <andrea.gatta at gmail.com> wrote:
>
>
>
>                Another thing I have noticed with cryptography is that
> ISC2 tends to trace all risks/downsides of cryptography not to a
> breach of disclosure, as one would think, but instead to (again)
> availability, this time in the technical sense (below is one example but I
> am sure I had others):
>
>                What is the primary risk of using cryptographic
> protection for systems or data:
>
>                - loss of the system means loss of all data
>
>                - a hardware failure may lead to lost data or system
> integrity
>
>                - a disgruntled user may lead to denial of service
>
>                - an employee may hide his activities from the
> security department
>
>                Obviously (now) the third answer is the correct one
>
>                Andrea
>
>
>
>
>
>
>                On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta
> <mlarchuleta at gmail.com> wrote:
>
>
>                        Oh yeah!!! The test really quizzes you on subject
> matter.  Even though I passed on the first try I wasn't entirely happy
> with the experience.
>
>                        Sent from my iPhone
>
>                        On Sep 19, 2009, at 5:41 PM, Andrea Gatta
> <andrea.gatta at gmail.com> wrote:
>
>
>
>                                So I guess I should actually watch out
> for these sort of questions in the real exam...
>
>                                Andrea
>
>
>                                On Sun, Sep 20, 2009 at 12:28 AM, Mike
> Archuleta <mlarchuleta at gmail.com> wrote:
>
>
>                                        I remember this question.  It is
> the most correct answer based on wording.  After realizing that answer
> included "placed with authorized users".
>
>                                        I think I argued with myself for
> five minutes.  Who places a database near authorized users? I put a
> database in the data center with all my servers and backup systems.
>
>                                        Sent from my iPhone
>
>                                        On Sep 19, 2009, at 5:19 PM,
> Andrea Gatta <andrea.gatta at gmail.com> wrote:
>
>
>
>                                                Well, same here.
>
>                                                Unfortunately the
> question is from the official ISC2 guide, page 747  ;-)
>
>                                                Point is, any chance
> they got it wrong ?
>
>                                                Andrea
>
>
>                                                On Sun, Sep 20, 2009 at
> 12:15 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>
>
>                                                        I would think it
> neither improves nor reduces availability.  I don't think of crypto as an
> availability feature.
>
>                                                        Sent from my
> iPhone
>
>
>                                                        On Sep 19, 2009,
> at 5:06 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>
>
>
>                                                                Hi there,
>
>                                                                I am
> wondering if anyone could shed a light on the following question (and
> answer):
>
>                                                                In terms
> of databases, cryptography can:
>
>                                                                - only
> restrict and reduce availability
>
>                                                                -
> improve availability by allowing data to be easily placed where
> authorized users can access it
>
>                                                                -
> improve availability by increasing the granularity of the access
> controls
>
>                                                                -
> neither reduce or improve availability
>
>
>                                                                As far
> as the author of the question is concerned the correct answer is:
> "improve availability by allowing data to be easily placed where
> authorized users can access it"
>
>                                                                The only
> reason I can think of for the answer to make sense is that
> cryptography protects a resource from unauthorized user access by
> means of concealing its content.
>
>                                                                With a
> very long shot one could say that the resource would be "available" just
> to authorized users. Which means that this question uses "availability"
> in a very extensive - and I would add devious - way.
>
>                                                                As far
> as I am concerned encryption does provide confidentiality and integrity
> as natural security services.
>
>                                                                Thoughts?
>
>                                                                Thanks
>                                                                Andrea
>
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org