[Cisspstudy] Databases and cryptography
Andrea Gatta
andrea.gatta at gmail.com
Mon Sep 21 15:15:37 EDT 2009
Well, I am scheduled to take the exam in the middle of October. Just say a prayer
for me, will ya ;-)
Andrea
On Mon, Sep 21, 2009 at 7:56 PM, Holland, Brandon <hollandb at frmaint.com>wrote:
> Yes, dump that paragraph in the trash. It's incorrect. Download Clement's
> errata and it's listed in there. I'm feeling good about not having read the
> official guide now. I was seriously thinking about purchasing it, but after
> reading the errata, I feel like it may actually hurt my chances by trying to
> read it last, especially this close to wanting to take the test. I'm going
> to skim through her chapters one more time, take the book questions and
> the cccure questions for that chapter only until I feel like I know the
> chapter, and attempt it here very soon.
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org [mailto:cisspstudy-bounces at cccure.org]
> On Behalf Of Andrea Gatta
> Sent: Monday, September 21, 2009 1:47 PM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
> Thanks Clement.
>
> Coming back to my original post, I guess that one way to look at
> availability in the context of cryptography is "as a ramification" as
> opposed to "as a service".
>
> At least I believe this is what the question I have mentioned in my post
> was trying to get out of the unlucky CISSP candidate.
>
> Anyway, for completeness' sake, here is what page 226 of the ISC2 official
> guide to the CBK states:
>
> "Uses of cryptography
>
> Availability. Cryptography supports all three of the core principles of
> information security. Many access control systems use cryptography to limit
> access to systems through the use of passwords. Many token-based
> authentication systems use cryptography-based hash algorithms to compute
> one-time passwords. Denying unauthorized access prevents an attacker from
> entering and damaging the system or network, thereby denying access to
> authorized access."
>
> Any additional thoughts?
>
> Andrea
>
>
> On Mon, Sep 21, 2009 at 6:32 PM, Clement Dupuis <clement.dupuis at cccure.com> wrote:
>
>
> WOW, what a fantastic thread.
>
> Let's face it, the official ISC2 book has a LARGE number of errors
> throughout. I am not talking about a few errors but dozens of
> errors.
>
> The book was written by 13 different authors who each have their own
> style of writing; they even contradict themselves, as in this thread about
> availability. There are availability issues related to cryptography, such as
> losing your private key with no key escrow; however, encryption does not
> address availability.
>
> I have errata for the ISC2 book on CCCure.Org; do a search for
> "errata" using the search field at the top of the main page.
>
> Do not take for granted that because it is the official book it is
> accurate. So far it seems to be to the contrary.
>
> I would use Shon's books as my main study tool and the official book
> only as a checklist and reference.
>
> This is only my opinion
>
> Do take care
>
> Clement
>
>
> Clément Dupuis, CD
> CISSP, GCFW, GCIA, QEH, QSA, Security+, CEH, ECSA, LPT, CCSA, CCSE,
> MBNS, MBIS, MBHS, ACE
>
> ----------------------------------------------------------------------------------------------
> In real life:
> Senior Security Specialist and Instructor
> Security University
> >> Call me to get the best CISSP training <<
>
> ----------------------------------------------------------------------------------------------
> In Cyberspace:
> President/Security Evangelist/Chief Learning Officer (CLO)
> The CCCure Family of Portals
>
> ----------------------------------------------------------------------------------------------
> Business: 407 479 3903
> Fax: 407 264 8396
>
> Maintainer of :
> The CISSP and SSCP Open Study Guides Web Site
> http://www.cccure.org
>
> The Professional Security Testers Warehouse
> http://www.professionalsecuritytesters.org
>
> Knowledge sharing and giving back to the community
>
>
>
> On Mon, Sep 21, 2009 at 13:02, Sergio Pantoja <spantoja at gmail.com> wrote:
>
>
> IMHO, an exam may not lead you to answer a question because they
> said so in a book; I hope the exam really tests your experience in the field
> and your understanding of the security topics, to help you have a
> broader/holistic approach.
>
>
> On Mon, Sep 21, 2009 at 12:45 PM, () <rlhj71 at yahoo.com> wrote:
>
>
> On page 219 of the ISC2 book, it states that "The cryptography domain
> addresses the principles, means, and methods of disguising information to
> ensure its integrity, confidentiality, and authenticity. UNLIKE THE OTHER
> DOMAINS, CRYPTOGRAPHY DOES NOT SUPPORT THE STANDARD OF AVAILABILITY."
>
> --- On Mon, 9/21/09, cisspstudy-request at cccure.org <cisspstudy-request at cccure.org> wrote:
>
>
>
> From: cisspstudy-request at cccure.org <cisspstudy-request at cccure.org>
> Subject: cisspstudy Digest, Vol 15, Issue 29
> To: cisspstudy at cccure.org
> Date: Monday, September 21, 2009, 10:38 AM
>
>
>
> Today's Topics:
>
> 1. Re: Databases and cryptography (Holland, Brandon)
> 2. Re: Databases and cryptography (Andrea Gatta)
>
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 21 Sep 2009 08:57:24 -0500
> From: "Holland, Brandon" <hollandb at frmaint.com>
> To: "The CISSP Study Mailing list" <cisspstudy at cccure.org>
> Subject: Re: [Cisspstudy] Databases and cryptography
> Message-ID: <58B3233454132D468C5F0D655003DA6411FDB100 at MAIL.frmaint.com>
> Content-Type: text/plain; charset="us-ascii"
>
> You're right, I can't seem to find anything anywhere in there as well.
> I have been studying Shon Harris mainly, but did study some SANS CISSP
> course material as well. I remember having a conversation about
> cryptography and availability with a CISSP (we have multiple) at work.
> The conclusion was that confidentiality hinders availability... but that
> must've been wrong. (Or it definitely is for the test.)
>
> It's plain as day in the official guide:
> "Cryptography supports all three of the core principles of information
> security." The concept being that by limiting access to only authorized
> individuals you are somehow making the system more available, since
> unauthorized users can't get in to destroy the system.
>
> I can see that to some extent... but do you REALLY have to be authorized
> to break a system? Does a DoS require successful authentication? Not
> normally.
>
> I KNOW I read this somewhere with the opposite outcome as the answer,
> but I'm not sure where it came from now.
>
> At least all this talk about it will have me remembering this answer on
> the test, even if I don't agree with it.
>
> Thanks,
> Brandon
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org [mailto:cisspstudy-bounces at cccure.org]
> On Behalf Of Jordan, Lemuel CTR
> Sent: Monday, September 21, 2009 8:26 AM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
>
> I just scanned through chapter 8 of the Shon Harris book, and did not find
> any discussion on "availability". Do you happen to remember which area of
> the book you saw this in, about cryptography hurting availability?
>
> I plan to take the test in Nov or Dec; things like this make me worry
> also.
>
> Lem
>
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org [mailto:cisspstudy-bounces at cccure.org]
> On Behalf Of Holland, Brandon
> Sent: Monday, September 21, 2009 8:58 AM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
> That worries me. I plan on taking the test Nov or Dec, and now am
> wondering if I should effectively flush what I've learned from Shon
> Harris and read the ISC2 Official guide for those crazy "just for the
> test" answers like that. I am too lazy to look right now, but am SURE
> that the CISSP Shon Harris book I read says cryptography actually HURTS
> availability... because you are specifically limiting availability by
> obscuring the data. It's like another "hoop" you have to go through
> before having your data available. And if you can't get through it,
> your data is unavailable.
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org [mailto:cisspstudy-bounces at cccure.org]
> On Behalf Of Andrea Gatta
> Sent: Saturday, September 19, 2009 7:27 PM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
> Well, that is true. But just based on the fact that ISC2 looks very much
> concerned about keys getting lost/corrupted.
>
> On the other hand, the last answer - which is sadly the one I picked -
> looks quite reasonable.
>
> As a note - looking at the crypto chapter in the ISC2 book, it looks
> pretty clear that they consider availability as one of the security
> services offered by cryptography (page 226). I am sure that availability
> is not mentioned as a crypto security service in any other book (but I
> will look into it).
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>
>
> Well, if you follow the chain of thought from the last question:
> if a disgruntled employee has access, YES.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 6:01 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>
>
>
> Another thing I have noticed with cryptography is that ISC2 tends to
> trace all risks/downsides of cryptography back not to breach of
> disclosure, as one would think, but instead to (again) availability,
> this time in the technical sense (below is one example, but I am sure I
> had others):
>
> What is the primary risk of using cryptographic protection for systems
> or data:
>
> - loss of the system means loss of all data
>
> - a hardware failure may lead to lost data or system integrity
>
> - a disgruntled user may lead to denial of service
>
> - an employee may hide his activities from the security department
>
> Obviously (now) the third answer is the correct one
>
> Andrea
>
>
>
>
>
>
> On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>
>
> Oh yeah!!! The test really quizzes you on subject matter. Even though I
> passed on the first try I wasn't entirely happy with the experience.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 5:41 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>
>
>
> So I guess I should actually watch out for these sorts of questions in the
> real exam...
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 12:28 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>
>
> I remember this question. It is the most correct answer based on wording.
> After realizing that answer included "placed with authorized users".
>
> I think I argued with myself for five minutes. Who places a database near
> authorized users? I put a database in the data center with all my servers
> and backup systems.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 5:19 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>
>
>
> Well, same here.
>
> Unfortunately the question is from the official ISC2 guide, page 747 ;-)
>
> Point is, any chance they got it wrong?
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 12:15 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>
>
> I would think it neither improves nor reduces availability. I don't think
> of crypto as an availability feature.
>
> Sent from my iPhone
>
>
> On Sep 19, 2009, at 5:06 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>
>
>
> Hi there,
> I am wondering if anyone could shed a light on the following question
> (and answer):
>
> In terms of databases, cryptography can:
>
> - only restrict and reduce availability
>
> - improve availability by allowing data to be easily placed where
> authorized users can access it
>
> - improve availability by increasing the granularity of the access
> controls
>
> - neither reduce nor improve availability
>
>
> As far as the author of the question is concerned, the correct answer is:
> "improve availability by allowing data to be easily placed where
> authorized users can access it"
>
> The only reason I can think of for the answer to make sense is that
> cryptography protects a resource from unauthorized user access by
> means of concealing its content.
>
> With a very long shot one could say that the resource would be "available"
> just to authorized users. Which means that this question uses
> "availability" in a very extensive - and I would add devious - way.
>
> As far as I am concerned, encryption does provide confidentiality and
> integrity as natural security services.
>
> Thoughts?
>
> Thanks
> Andrea
>
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 21 Sep 2009 15:37:50 +0100
> From: Andrea Gatta <andrea.gatta at gmail.com>
> To: The CISSP Study Mailing list <cisspstudy at cccure.org>
> Subject: Re: [Cisspstudy] Databases and cryptography
> Message-ID: <89ab1b610909210737l59ac1349g7f8b6bb6c6076429 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> The SANS material seems to be more "in line" with the ISC2 way of thinking.
> At least SANS does mention where you need to just "swallow the pill" and
> move on.
>
> I have personally found a number of clear differences even when it comes to
> things such as encryption methods, systems, types. I can't remember off the
> top of my head, but I bet I have found inconsistencies between the Shon Harris
> book and the ISC2 guide.
>
> The point is, Shon Harris is very good when it comes to driving the concept
> home. Clearly the level of trickery of the CISSP exam - if it is true, which
> I don't know (yet) - might get in the way.
>
> Andrea
>
> On Mon, Sep 21, 2009 at 2:57 PM, Holland, Brandon <
> hollandb at frmaint.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=hollandb@frmaint.com>
> >wrote:
>
> > You're right, I can't seem to find anything anywhere in there as
> well.
> > I have been studying Shon Harris mainly, but did study some SANS
> CISSP
> > course material as well. I remember having a conversation about
> > cryptography and availability with a CISSP (we have multiple) at
> work.
> > The conclusion was confidentiality hinders availability... but
> that
> > must've been wrong. (Or it definitely is for the test.)
> >
> > It's plain as day in the official guide:
> > "Cryptography supports all three of the core principles of
> information
> > security." The concept being by limiting access to only
> authorized
> > individuals you are somehow making the system more available since
> > unauthorized users can't get in to destroy the system.
> >
> > I can see that to some extent... but do you REALLY have to be
> authorized
> > to break a system? Does a DOS require successful authentication -
> not
> > normally.
> >
> > I KNOW I read this somewhere with the opposite outcome as the
> answer but
> > not sure where it came from now.
> >
> > At least all this talk about it will have me remembering this
> answer on
> > the test, even if I don't agree with it.
> >
> > Thanks,
> > Brandon
> >
> > -----Original Message-----
> > From: cisspstudy-bounces at cccure.org <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=cisspstudy-bounces@cccure.org
> >
> > [mailto:cisspstudy-bounces at cccure.org <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=cisspstudy-bounces@cccure.org>
> ] On Behalf Of Jordan, Lemuel CTR
> > Sent: Monday, September 21, 2009 8:26 AM
> > To: The CISSP Study Mailing list
> > Subject: Re: [Cisspstudy] Databases and cryptography
> >
> >
> > I just scanned through chapter 8 of the Shon Harris Book, and did
> not
> > find
> > any discussion on "availability". Do you happen to remember which
> area
> > of
> > the book you saw this about cryptography hurting availability.
> >
> > I plan to take the test in Nov or Dec, things like this make me
> worry
> > also.
> >
> > Lem
> >
> >
> > -----Original Message-----
> > From: cisspstudy-bounces at cccure.org <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=cisspstudy-bounces@cccure.org
> >
> > [mailto:cisspstudy-bounces at cccure.org <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=cisspstudy-bounces@cccure.org>
> ]
> > On Behalf Of Holland, Brandon
> > Sent: Monday, September 21, 2009 8:58 AM
> > To: The CISSP Study Mailing list
> > Subject: Re: [Cisspstudy] Databases and cryptography
> >
> > That worries me. I plan on taking the test Nov or Dec, and now am
> > wondering if I should effectively flush what I've learned from
> Shon
> > Harris and read the ISC2 Official guide for those crazy "just for
> the
> > test" answers like that. I am too lazy to look right now, but am
> SURE
> > that the CISSP Shon Harris book I read says cryptography actually
> HURTS
> > availability... because u are specifically limiting availability
> by
> > obscuring the data. It's like another "hoop" you have to go
> through
> > before having your data available. And if you can't get through
> it,
> > your data is unavailable.
> >
> > -----Original Message-----
> > From: cisspstudy-bounces at cccure.org <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=cisspstudy-bounces@cccure.org
> >
> > [mailto:cisspstudy-bounces at cccure.org <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=cisspstudy-bounces@cccure.org>
> ] On Behalf Of Andrea Gatta
> > Sent: Saturday, September 19, 2009 7:27 PM
> > To: The CISSP Study Mailing list
> > Subject: Re: [Cisspstudy] Databases and cryptography
> >
> > Well, that is true. But just based on the fact that ISC2 looks
> very much
> > concerned about keys get lost/corrupted.
> >
> > On the other hand the last answer - which is sadly the one I
> picked up -
> > looks quite reasonable.
> >
> > As a note - looking at the crypto chapter in the ISC2 book it
> looks
> > pretty clear that they consider availability as one one of the
> security
> > services offered by cryptography (page 226). I am sure that
> availability
> > is not mentioned as a crypto sec service in any other book (but I
> will
> > look into it).
> >
> > Andrea
> >
> >
> > On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <
> mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> > wrote:
> >
> >
> > Well if you follow the chain of thought from the last
> question.
> > If a digruntled employee has access. YES
> >
> > Sent from my iPhone
> >
> > On Sep 19, 2009, at 6:01 PM, Andrea Gatta
> > <andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> wrote:
> >
> >
> >
> > Another thing I have noticed with cryptography is
> that
> > ISC2 tends to riconduct all risks/downsides if cryptography not to
> > breach of disclosure as one would thing but instead to (again)
> > availability, this time in the technical sense (below one example
> but I
> > am sure I had others):
> >
> > What is the primary risk of using cryptographic
> > protection for systems or data:
> >
> > - loss of the system means loss of all data
> >
> > - a hardware failure may lead to lost data or
> system
> > integrity
> >
> > - a disgruntled user may lead to denial of service
> >
> > - an employee may may hide is activities from the
> > security department
> >
> > Obviously (now) the third aswer is the correct one
> >
> > Andrea
> >
> >
> >
> >
> >
> >
> > On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <
> > <mailto:mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> wrote:
> >
> >
> > Oh yeah!!! The test really quizes you on
> subject
> > matter. Even though I passed on the first try I wasn't entirely
> happy
> > with the experience.
> >
> > Sent from my iPhone
> >
> > On Sep 19, 2009, at 5:41 PM, Andrea Gatta <
> > <mailto:andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> wrote:
> >
> >
> >
> > So I guess I should actually watch
> out
> > for these sort of questions in the real exam...
> >
> > Andrea
> >
> >
> > On Sun, Sep 20, 2009 at 12:28 AM,
> Mike
> > Archuleta < <mailto:mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> > <mailto:mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> wrote:
> >
> >
> > I remember this question.
> It is
> > the most correct answer based on wording. After realizing that
> answer
> > included placed with autorized users.
> >
> > I think I argued with
> myself for
> > five minutes. Who places a database near authorized users? I put
> a
> > database in the data center with aal my servers and backup
> systems.
> >
> > Sent from my iPhone
> >
> > On Sep 19, 2009, at 5:19
> PM,
> > Andrea Gatta < <mailto:andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> > <mailto:andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> wrote:
> >
> >
> >
> > Well, same here.
> >
> > Unfortunately the
> > question is from the official ISC2 guide, page 747 ;-)
> >
> > Point is, any
> chance
> > they got it wrong ?
> >
> > Andrea
> >
> >
> > On Sun, Sep 20,
> 2009 at
> > 12:15 AM, Mike Archuleta < <mailto:mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> > <mailto:mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> <mailto:mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> > mlarchuleta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=mlarchuleta@gmail.com> >
> wrote:
> >
> >
> > I would
> think
> > niether improve or reduce availability. I don't think if crypto
> as an
> > availability feature.
> >
> > Sent from
> my
> > iPhone
> >
> >
> > On Sep 19,
> 2009,
> > at 5:06 PM, Andrea Gatta < <mailto:andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> > <mailto:andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> <mailto:andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> > andrea.gatta at gmail.com <
> http://us.mc1102.mail.yahoo.com/mc/compose?to=andrea.gatta@gmail.com> >
> wrote:
> >
> >
> >
> > Hi there,
> > I am wondering if anyone could shed some light on the following question
> > (and answer):
> >
> > In terms of databases, cryptography can:
> >
> > - only restrict and reduce availability
> >
> > - improve availability by allowing data to be easily placed where
> > authorized users can access it
> >
> > - improve availability by increasing the granularity of the access
> > controls
> >
> > - neither reduce or improve availability
> >
> > As far as the author of the question is concerned the correct answer is:
> > "improve availability by allowing data to be easily placed where
> > authorized users can access it"
> >
> > The only reason I can think of for the answer to make sense is that
> > cryptography protects a resource from unauthorized users' access
> > by concealing its content.
> >
> > With a very long shot one could say that the resource would be
> > "available" just to authorized users. Which means that this question uses
> > "availability" in a very extensive - and I would add devious - way.
> >
> > As far as I am concerned encryption does provide confidentiality and
> > integrity as natural security services.
> >
> > Thoughts?
> >
> > Thanks
> > Andrea
> >
> > _______________________________________________
> > cisspstudy mailing list
> > cisspstudy at cccure.org
> > http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
> End of cisspstudy Digest, Vol 15, Issue 29
> ******************************************
>
> --
> Sergio Pantoja H.
> spantoja at gmail.com
> System, Network and Security Administrator
> Linux User register #239475
> Mandrake Club Member