Why does everybody learn CIA?

It’s quite interesting that almost every CISSP aspirant learns the CIA triangle (Confidentiality, Integrity, and Availability), but only a few know why they need to know about it.

The question seems simple or straightforward. However, the CIA triangle lays the foundation of information security and risk management: every security control exists to protect one or more of these three properties, and every risk is ultimately a threat to one of them. That is why it plays a vital role on your way to success in the CISSP exam.

Why do you think it’s imperative to learn about the CIA triangle? Your feedback and comments are always welcome!

Which is more important? Accuracy or Acceptability?


Which criterion is the most important consideration for the selection and deployment of a biometric authentication system?
A. Crossover error rate (CER) or Equal error rate (EER)
B. Processing speed

I’m a little bit confused

Shon Harris 5th e

This question is a post from Ehab Badawi in Luke’s SNT group on 2019/05/04 6:59 AM Taipei Standard Time.

It seems to be a simple question at first glance. However, I would prefer B to A, and the criteria for the selection and deployment of a biometric authentication system deserve more careful thought.

The accuracy of a biometric system is evaluated with well-known performance indicators: the False Accept Rate (FAR, a Type II error), the False Reject Rate (FRR, a Type I error), and the Equal Error Rate (EER), also known as the Crossover Error Rate (CER).

The EER is the operating point at which FAR equals FRR, and its value can be read directly from the ROC (receiver operating characteristic) curve. This makes the EER a quick way to compare the accuracy of devices with different ROC curves: in general, the device with the lowest EER is the most accurate.

Based on the information above, EER or accuracy is an essential factor to consider when selecting a biometric authentication system.

However, when evaluating a biometric authentication system, there are other factors to consider, such as cost, acceptability, and so forth. Processing speed affects acceptability. Let’s consider the following case:

  • System A, EER=0.2, Processing speed=20,000 matches/sec
  • System B, EER=0.2, Processing speed=18,000 matches/sec
  • System C, EER=0.3, Processing speed=15,000 matches/sec
  • System D, EER=0.4, Processing speed=20,000 matches/sec

If our purchase criteria are EER < 0.3 and processing speed >= 15,000 matches/sec, Systems A and B are the qualified alternatives (System C fails the EER threshold, and System D fails it by a wider margin). In general, we would select and deploy System A because it has the higher processing speed. In this case, processing speed is the more decisive, or more important, factor.

So, which one is the most important consideration? EER or processing speed? And what does “important” mean? Undoubtedly, we have to take both of them into account to select and deploy a biometric authentication system.

I would treat EER as a selection criterion and processing speed as a deployment criterion. The acceptable EER depends on the use case, security first or convenience first; processing speed affects system throughput and user acceptability. In practice, I would prefer choosing the system with the higher processing speed from alternative systems with similar or equal EER. That’s why I prefer B to A, even though Answer A, CER or EER, seems to be the more popular answer.
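To make the numbers above concrete, here is an added example (my own code, not part of the original post or of any vendor’s tooling) that computes FAR, FRR and EER by sweeping a decision threshold over a constructed set of genuine and impostor match scores, then applies the EER gate from the case above as the selection criterion and processing speed as the deployment criterion. The score lists, the threshold sweep and the tie-break rule are assumptions for illustration.

```python
# Added example, not from the original post: FAR/FRR/EER from constructed
# match scores, then an EER gate (selection criterion) plus a throughput
# tie-break (deployment criterion) over the four candidate systems above.
from dataclasses import dataclass

# Constructed matcher output (not real biometric data): similarity scores in
# [0, 1] for genuine attempts (enrolled user) and impostor attempts.
GENUINE_SCORES = [0.62, 0.71, 0.75, 0.80, 0.83, 0.86, 0.88, 0.90, 0.93, 0.97]
IMPOSTOR_SCORES = [0.10, 0.22, 0.31, 0.40, 0.48, 0.55, 0.63, 0.68, 0.74, 0.79]


def far_frr(threshold, genuine, impostor):
    """Error rates at one decision threshold (accept when score >= threshold).
    FAR: impostors wrongly accepted; FRR: genuine users wrongly rejected.
    Raising the threshold lowers FAR (security) but raises FRR (convenience)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor, steps=1000):
    """Sweep thresholds over [0, 1] and return (eer, threshold) at the point
    where FAR and FRR are closest; that crossover point is the EER (CER)."""
    best_gap, best = None, None
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best = gap, ((far + frr) / 2, t)
    return best


@dataclass(frozen=True)
class BiometricSystem:
    name: str
    eer: float
    matches_per_sec: int


# The four alternatives from the post.
CANDIDATES = [
    BiometricSystem("System A", 0.2, 20_000),
    BiometricSystem("System B", 0.2, 18_000),
    BiometricSystem("System C", 0.3, 15_000),
    BiometricSystem("System D", 0.4, 20_000),
]


def select_system(candidates, max_eer, min_speed):
    """Selection criterion: EER strictly below max_eer (accuracy gate) and
    throughput at or above min_speed. Deployment criterion: among the
    qualified systems the highest throughput wins; lower EER breaks ties.
    Returns None when nothing qualifies."""
    qualified = [c for c in candidates
                 if c.eer < max_eer and c.matches_per_sec >= min_speed]
    if not qualified:
        return None
    return max(qualified, key=lambda c: (c.matches_per_sec, -c.eer))


if __name__ == "__main__":
    eer, t = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {t:.3f}")
    choice = select_system(CANDIDATES, max_eer=0.3, min_speed=15_000)
    print("selected:", choice.name if choice else "none")
```

For the constructed scores the EER comes out at 0.2, at a threshold just above 0.71; running the same sweep over vendor-supplied genuine and impostor score distributions gives a like-for-like accuracy comparison, and `select_system` reproduces the choice of System A from the case above.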


Scrum Practice Question


You are the head of the research and development (R&D) department of a pharmaceutical company and the Product Owner of the Scrum team developing an application that handles the most sensitive data for your department. You are concerned with the protection of the application data stored in the database. As a product owner, how do you address the concern of data confidentiality in the database?

A. Assign any development team member to develop a proprietary cryptographic module to encrypt the data in the database.
B. Assign the most senior development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.
C. Outsource the task to a professional cryptographic vendor and require them to use a standard cipher that is openly reviewed and certified.
D. Add the encryption requirement of a standard cipher that must be openly reviewed and certified, into the product backlog and let the development team decide the implementation details.

PS. Scrum is quite popular these days. It’s good for security professionals to be able to fulfill the security by design principle in an agile setting, and Scrum is one of the mainstream frameworks.

Security through obscurity


Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

This post is the justification for the Cryptography Practice Question. The recommended answer is A, “Task a development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.”


Developing a cryptographic module in-house, or using one that has not been publicly reviewed and certified, is a proprietary cryptographic solution. It relies on “security through obscurity” and violates Kerckhoffs’s principle and Shannon’s maxim (“the enemy knows the system”): the security of a cryptosystem must rest only on the secrecy of the key, never on the secrecy of the algorithm.

Kerckhoffs’s principle and Shannon’s maxim are widely embraced by cryptographers, because an algorithm that has survived open public review is far more trustworthy than one whose only protection is that nobody has looked at it; this is believed to be a more effective and secure approach than “security through obscurity.”
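As an added example (my own code, not from the original post or from any real product), here is the kind of in-house “symmetric cipher” that Answers B, C and D would produce, together with the known-plaintext attack that breaks it. The config file, the key and the known prefix are all constructed for the demonstration; the point is that once the attacker has the ciphertext and knows what such a file normally starts with, secrecy of the algorithm buys nothing, and the key, however carefully “classified”, falls out in one pass.

```python
# Added example, not from the original post: a toy "proprietary" cipher of
# the kind an in-house engineer might write for application configs, and a
# known-plaintext attack showing that keeping the algorithm secret does not
# protect the data. The config, the key and the attack are all constructed.
from itertools import cycle


def homebrew_encrypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR: the archetypal home-grown 'symmetric cipher'.
    XOR is its own inverse, so the same function also decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


homebrew_decrypt = homebrew_encrypt


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext yields the keystream,
    and with a repeating key the first key_len bytes of it ARE the key."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len],
                                        ciphertext[:key_len]))


def break_homebrew(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 64):
    """The attacker does not know the key length, so try each length in turn
    and keep the first candidate key whose decryption reproduces the known
    prefix. Returns (key_len, key, plaintext); raises if nothing fits."""
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        candidate = recover_key(known_prefix, ciphertext, key_len)
        plaintext = homebrew_decrypt(candidate, ciphertext)
        if plaintext.startswith(known_prefix):
            return key_len, candidate, plaintext
    raise ValueError("no repeating key up to max_key_len explains the prefix")


# Constructed application config as it would sit in storage.
CONFIG = (b"[database]\n"
          b"host=db.internal\n"
          b"user=app\n"
          b"password=constructed-example-p4ss\n")

# 24-byte key, "classified as the most sensitive asset" per Answers B/C/D.
KEY = b"s3cr3t-k3y-do-not-share!"

# Boilerplate every such config shares; this is all the attacker needs.
KNOWN_PREFIX = b"[database]\nhost=db.internal\n"


def attack_demo():
    """Encrypt the config with the secret key, then recover key and plaintext
    from the ciphertext plus the known boilerplate prefix alone."""
    ciphertext = homebrew_encrypt(KEY, CONFIG)
    return break_homebrew(ciphertext, KNOWN_PREFIX)


if __name__ == "__main__":
    key_len, key, plaintext = attack_demo()
    print(f"recovered {key_len}-byte key: {key!r}")
    print(plaintext.decode())
```

Reverse engineering the application binary reveals the algorithm anyway, which is exactly what Kerckhoffs’s principle assumes; the fix is not a cleverer home-made cipher but an openly reviewed one, e.g. an AES-based authenticated encryption mode from a validated library, which is what Answer A asks for.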

FIPS 140-2 (Federal Information Processing Standard Publication 140-2) is a U.S. government computer security standard used to approve cryptographic modules. It specifies the security requirements that a cryptographic module must satisfy and defines four increasing levels of security, simply named “Level 1” to “Level 4”; it does not specify in detail which level a particular application requires. (FIPS 140-3 has since superseded FIPS 140-2 for new validations.)


Cryptography Practice Question


You are a development team member of the Scrum team developing an application that handles the most sensitive data for the research and development department in your company. You are considering the protection of the application configurations in storage, following the security by design principle. After some research, you are aware that some protection mechanisms are broken and insecure, e.g., WEP and DES. What should you do to protect your application configurations in storage?

A. Task a development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.
B. Task the most senior engineer to develop a symmetric cipher and classify it as the most sensitive asset.
C. Task the most senior engineer to develop an asymmetric cipher and classify it as the most sensitive asset.
D. Hire an implementation subject matter expert with the Ph.D. degree to develop an asymmetric cipher and classify it as the most sensitive asset.

The Concept of Business Continuity



This post is the justification of the Business Continuity Practice Question. The recommended answer is A, “Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.”

This question is designed based on Topic 1.7 (Identify, analyze, and prioritize Business Continuity (BC) requirements) in Domain 1 of the CISSP exam outline.


Enterprises do business to deliver value; put another way, business is all about delivering value. The common factors affecting value delivery are people, process, technology, and so forth. A process that delivers value is called a business process. The basic idea behind business continuity is to recover critical business processes, subject to the limited enterprise resources available, in case of a disruptive incident or disaster.

Based on the statements above, we can conclude some key points as follows:

  1. Information technology (IT) is “one” of the most critical factors of business continuity.
  2. The scope of business continuity planning includes critical business processes and the underlying information systems.
  3. Business people identify or determine the critical business processes first; IT people then identify the information systems underlying them. The criticality of a business process is evaluated by its maximum tolerable downtime (MTD); a process with a 2-hour MTD is clearly far more critical than one with a 2-day MTD.
  4. Information systems should be recovered by IT people based on the business requirements specified by the business people and negotiated with IT people; specifically, recovery time objective (RTO) and recovery point objective (RPO).
  5. Business and IT people work together to achieve the goal of business continuity. A business continuity plan (BCP) as a master plan is the output of business continuity planning that usually includes a disaster recovery plan (DRP) as a sub-plan prepared by IT people.

It’s ineffective for IT people to conduct any disaster recovery planning before the critical business processes are determined, let alone to make decisions on alternative sites, e.g., a mirror site, hot site, warm site, or cold site.

The essence of business impact analysis (BIA) is to identify critical business processes and the impact of a disruption on each of them. The MTDs of business processes are the most important output of the BIA. RTO and RPO are the objectives guiding the DRP; both are derived from the MTD and negotiated between the business and IT people. In other words, RTO and RPO are IT’s commitments to the business to fulfill the MTD requirement, so the RTO must never exceed the MTD (in practice it should be shorter, leaving time to resume normal work once systems are back).

So, what about the business continuity planning process and the role of the CISO? They vary from business to business. It’s not uncommon for a CISO, as a coordinator or facilitator, to facilitate the BIA process. This reemphasizes the importance of the role and responsibility (R&R) of the CISO.

I won’t recommend Answers B, C, and D as the correct answers, mainly because in each of them the decision about the hot site or cold site is made before the critical business processes are identified and is not justified by any cost/benefit analysis.

Security Function


This post is the justification of the Information Security Governance Practice Question. The recommended answer is B, The role and responsibility (R&R) of CISO.

This question is designed based on the Topic 1.2 (Evaluate and apply security governance principles) in Domain 1 of the CISSP exam outline.


Information security is an emerging discipline, and placing a CSO or CISO in the senior management team is a growing trend. However, the title or name of the security function does not by itself determine its role and responsibility (R&R). One may be appointed as a CISO while in practice being authorized to do no more than a middle-level information security manager. That’s why R&R is the first and foremost concern for a CISO to get things rolling.

A strategy is an approach or a high-level plan, usually prepared or developed by senior management. Strategy management divides into two parts: strategy development (formulation) and strategy implementation (execution). It’s impossible to implement a strategy (through an information security program) before it exists, i.e., before it has been developed.

Information security strategy should align with business goals and corporate or business strategy; it comprises the (future) desired state, current state, and a roadmap with resource and constraint considerations to fill the gap between the desired and current state.

An information security program is a means to implement the information security strategy. A program-specific policy is usually developed to support the associated information security program.

The business mission/vision, goals, and upper-level strategy should be reviewed, and the business and security requirements should be elicited to develop an information security strategy and ensure strategic alignment.

The following is a generic reference process:

  1. Clarify and confirm R&R; communicate to redefine or modify it if necessary
  2. Review business mission/vision, goals and upper-level strategy, and elicit business and security requirements
  3. Develop an InfoSec strategy (Answer D lacks a strategy)
  4. Implement the InfoSec strategy (through InfoSec program and policies)