The SANS material seems to be more "in line" with the ISC2 way of thinking. At least SANS does mention where you need to just "swallow the pill" and move on.<br><br>I have personally found a number of clear differences even when it comes to things such as encryption methods, systems, types. I can't remember off the top of my head but I bet I have found inconsistencies between the Shon Harris book and the ISC2 guide.<br>
<br>The point is, Shon Harris is very good when it comes to driving the concept home. Clearly the level of trickery of the CISSP exam - if it is true which I don't know (yet) - might get in the way.<br><br>Andrea<br><br>
<div class="gmail_quote">On Mon, Sep 21, 2009 at 2:57 PM, Holland, Brandon <span dir="ltr"><<a href="mailto:hollandb@frmaint.com">hollandb@frmaint.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
You're right, I can't seem to find anything anywhere in there as well.<br>
I have been studying Shon Harris mainly, but did study some SANS CISSP<br>
course material as well. I remember having a conversation about<br>
cryptography and availability with a CISSP (we have multiple) at work.<br>
The conclusion was confidentiality hinders availability... but that<br>
must've been wrong. (Or it definitely is for the test.)<br>
<br>
It's plain as day in the official guide:<br>
"Cryptography supports all three of the core principles of information<br>
security." The concept being by limiting access to only authorized<br>
individuals you are somehow making the system more available since<br>
unauthorized users can't get in to destroy the system.<br>
<br>
I can see that to some extent... but do you REALLY have to be authorized<br>
to break a system? Does a DOS require successful authentication - not<br>
normally.<br>
<br>
I KNOW I read this somewhere with the opposite outcome as the answer but<br>
not sure where it came from now.<br>
<br>
At least all this talk about it will have me remembering this answer on<br>
the test, even if I don't agree with it.<br>
<br>
Thanks,<br>
<font color="#888888">Brandon<br>
</font><div class="im"><br>
-----Original Message-----<br>
From: <a href="mailto:cisspstudy-bounces@cccure.org">cisspstudy-bounces@cccure.org</a><br>
</div><div><div></div><div class="h5">[mailto:<a href="mailto:cisspstudy-bounces@cccure.org">cisspstudy-bounces@cccure.org</a>] On Behalf Of Jordan, Lemuel CTR<br>
Sent: Monday, September 21, 2009 8:26 AM<br>
To: The CISSP Study Mailing list<br>
Subject: Re: [Cisspstudy] Databases and cryptography<br>
<br>
<br>
I just scanned through chapter 8 of the Shon Harris Book, and did not find<br>
any discussion on "availability". Do you happen to remember which area of<br>
the book you saw this about cryptography hurting availability?<br>
<br>
I plan to take the test in Nov or Dec, things like this make me worry<br>
also.<br>
<br>
Lem<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:cisspstudy-bounces@cccure.org">cisspstudy-bounces@cccure.org</a><br>
[mailto:<a href="mailto:cisspstudy-bounces@cccure.org">cisspstudy-bounces@cccure.org</a>]<br>
On Behalf Of Holland, Brandon<br>
Sent: Monday, September 21, 2009 8:58 AM<br>
To: The CISSP Study Mailing list<br>
Subject: Re: [Cisspstudy] Databases and cryptography<br>
<br>
That worries me. I plan on taking the test Nov or Dec, and now am<br>
wondering if I should effectively flush what I've learned from Shon<br>
Harris and read the ISC2 Official guide for those crazy "just for the<br>
test" answers like that. I am too lazy to look right now, but am SURE<br>
that the CISSP Shon Harris book I read says cryptography actually HURTS<br>
availability... because you are specifically limiting availability by<br>
obscuring the data. It's like another "hoop" you have to go through<br>
before having your data available. And if you can't get through it,<br>
your data is unavailable.<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:cisspstudy-bounces@cccure.org">cisspstudy-bounces@cccure.org</a><br>
[mailto:<a href="mailto:cisspstudy-bounces@cccure.org">cisspstudy-bounces@cccure.org</a>] On Behalf Of Andrea Gatta<br>
Sent: Saturday, September 19, 2009 7:27 PM<br>
To: The CISSP Study Mailing list<br>
Subject: Re: [Cisspstudy] Databases and cryptography<br>
<br>
Well, that is true. But just based on the fact that ISC2 looks very much<br>
concerned about keys getting lost/corrupted.<br>
<br>
On the other hand the last answer - which is sadly the one I picked up -<br>
looks quite reasonable.<br>
<br>
As a note - looking at the crypto chapter in the ISC2 book it looks<br>
pretty clear that they consider availability as one of the security<br>
services offered by cryptography (page 226). I am sure that availability<br>
is not mentioned as a crypto sec service in any other book (but I will<br>
look into it).<br>
<br>
Andrea<br>
<br>
<br>
On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <<a href="mailto:mlarchuleta@gmail.com">mlarchuleta@gmail.com</a>><br>
wrote:<br>
<br>
<br>
Well if you follow the chain of thought from the last question.<br>
If a disgruntled employee has access. YES<br>
<br>
Sent from my iPhone<br>
<br>
On Sep 19, 2009, at 6:01 PM, Andrea Gatta<br>
<<a href="mailto:andrea.gatta@gmail.com">andrea.gatta@gmail.com</a>> wrote:<br>
<br>
<br>
<br>
Another thing I have noticed with cryptography is that<br>
ISC2 tends to trace all risks/downsides of cryptography back not to<br>
breach of disclosure as one would think but instead to (again)<br>
availability, this time in the technical sense (below one example but I<br>
am sure I had others):<br>
<br>
What is the primary risk of using cryptographic<br>
protection for systems or data:<br>
<br>
- loss of the system means loss of all data<br>
<br>
- a hardware failure may lead to lost data or system<br>
integrity<br>
<br>
- a disgruntled user may lead to denial of service<br>
<br>
- an employee may hide his activities from the<br>
security department<br>
<br>
Obviously (now) the third answer is the correct one<br>
<br>
Andrea<br>
<br>
<br>
<br>
<br>
<br>
<br>
On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <<a href="mailto:mlarchuleta@gmail.com">mlarchuleta@gmail.com</a>> wrote:<br>
<br>
<br>
Oh yeah!!! The test really quizzes you on subject<br>
matter. Even though I passed on the first try I wasn't entirely happy<br>
with the experience.<br>
<br>
Sent from my iPhone<br>
<br>
On Sep 19, 2009, at 5:41 PM, Andrea Gatta <<a href="mailto:andrea.gatta@gmail.com">andrea.gatta@gmail.com</a>> wrote:<br>
<br>
<br>
<br>
So I guess I should actually watch out<br>
for these sort of questions in the real exam...<br>
<br>
Andrea<br>
<br>
<br>
On Sun, Sep 20, 2009 at 12:28 AM, Mike Archuleta <<a href="mailto:mlarchuleta@gmail.com">mlarchuleta@gmail.com</a>> wrote:<br>
<br>
<br>
I remember this question. It is the most correct answer based on wording.<br>
After realizing that answer included placed with authorized users.<br>
<br>
I think I argued with myself for five minutes. Who places a database near<br>
authorized users? I put a database in the data center with all my servers<br>
and backup systems.<br>
<br>
Sent from my iPhone<br>
<br>
On Sep 19, 2009, at 5:19 PM, Andrea Gatta <<a href="mailto:andrea.gatta@gmail.com">andrea.gatta@gmail.com</a>> wrote:<br>
<br>
<br>
<br>
Well, same here.<br>
<br>
Unfortunately the question is from the official ISC2 guide, page 747 ;-)<br>
<br>
Point is, any chance they got it wrong ?<br>
<br>
Andrea<br>
<br>
<br>
On Sun, Sep 20, 2009 at 12:15 AM, Mike Archuleta <<a href="mailto:mlarchuleta@gmail.com">mlarchuleta@gmail.com</a>> wrote:<br>
<br>
<br>
I would think neither improve or reduce availability. I don't think of<br>
crypto as an availability feature.<br>
<br>
Sent from my iPhone<br>
<br>
<br>
On Sep 19, 2009, at 5:06 PM, Andrea Gatta <<a href="mailto:andrea.gatta@gmail.com">andrea.gatta@gmail.com</a>> wrote:<br>
<br>
<br>
<br>
Hi there,<br>
I am wondering if anyone could shed light on the following question (and<br>
answer):<br>
<br>
In terms of databases, cryptography can:<br>
<br>
- only restrict and reduce availability<br>
<br>
- improve availability by allowing data to be easily placed where<br>
authorized users can access it<br>
<br>
- improve availability by increasing the granularity of the access<br>
controls<br>
<br>
- neither reduce or improve availability<br>
<br>
<br>
As far as the author of the question is concerned the correct answer is:<br>
"improve availability by allowing data to be easily placed where<br>
authorized users can access it"<br>
<br>
The only reason I can think of for the answer to make sense is that<br>
cryptography protects a resource from unauthorized users' access by<br>
means of concealing its content.<br>
<br>
With a very long shot one could say that the resource would be "available" just<br>
to authorized users. Which means that this question uses "availability"<br>
in a very extensive - and I would add devious - way.<br>
<br>
As far as I am concerned encryption does provide confidentiality and integrity<br>
as natural security services.<br>
<br>
Thoughts ?<br>
<br>
Thanks<br>
Andrea<br>
<br>
<br>
_______________________________________________<br>
cisspstudy mailing list<br>
<a href="mailto:cisspstudy@cccure.org">cisspstudy@cccure.org</a><br>
<a href="http://cccure.org/mailman/listinfo/cisspstudy_cccure.org" target="_blank">http://cccure.org/mailman/listinfo/cisspstudy_cccure.org</a><br>
</div></div></blockquote></div><br>