Effective CISSP Questions

Your company is selling toys online and ships globally. The business has been supported by a 3-tier web system for around four years. To improve transaction performance, the database server is equipped with a RAID 5 storage composed of three 1TB SSDs (solid-state drive) with 3 years of MTBF (mean time between failure) and warranty. The newly recruited system administrator is planning for replacing the SSDs with new ones in higher capacity. The customer data in the database is classified as confidential. Which of the following is the best way to address this issue?
A. Consult the information system owner
B. Destroy the media to avoid disclosure of information
C. Engage the maintenance provider and exchange the SSDs for warranty or cost rebate
D. Upgrade the RAID storage to five 2TB SSDs with 5 years of MTBF

Continue reading

Single Sign-On and Federated Identity

Single Sign-On

The identity of a principal is stored in the Identity Provider (IdP), trusted by service providers (SP) which conversely rely on the identity information from the IdP as they may not manage or maintain a directory of identities.

IdP-initiated SSO refers to the scenario that the subject is authenticated by the IdP first, then gets access to the resources on the service providers.

SP-initiated SSO refers to the scenario that an unauthenticated principal requests the resources on the service providers and is redirected to the IdP for authentication.

A subject authenticated by the IdP can roam among the SPs.

Federated Identity

The system entities engaged in a federation manage their own directory. The identity information is mapped (not synchronized or replicated) across the directories in the federation.

A subject authenticated by any of the system entities can roam in the federation.


Effective CISSP Questions

Your company usually holds meetings with partners, suppliers, or consultants in the meeting rooms on the 1st floor, a public workspace isolated from the internal network. However, employees need to connect their devices to the internal network for business purpose. You are evaluating VPN solutions that use the multi-factor authentication (MFA) to address this issue. Which of the following authentication mechanisms best meets your requirement?
D. OIDC (OpenID Connect)
C. Smart card with the user’s private key protected by a cognitive password
D. SAML (Security Assertion Markup Language)

Continue reading

Identity as a Service (IDaaS)

Identity as a Service (IDaaS) is an authentication infrastructure that is built, hosted and managed by a third-party service provider. IDaaS can be thought of as single sign-on (SSO) for the cloud.

An IDaaS for the enterprise is typically purchased as a subscription-based managed service. A cloud service provider may also host applications for a fee and provide subscribers with role-based access to specific applications or even entire virtualized desktops through a secure portal.



Effective CISSP Questions

There are many visitors and employees holding meetings in the meeting rooms in your company. Oftentimes, they need to plug their laptops to the Ethernet ports in the meeting room or connect to the wireless access points to get access to the internet for business purpose. You are evaluating the Network Access Protection (NAP) solutions. Which of the following is the least feasible?
A. Maintain a white list for MAC filtering
B. Implement 802.1X or EAP over LAN
C. Enable DHCP snooping
D. Use VLAN to isolate traffic

Continue reading


Effective CISSP Questions

Your company finished conducting an asset inventory. As the head of the sales department, you are assigned as the data owner of the customer master data, which you then classified as privacy according to the classification scheme. You are now authorizing employees to access the customer data based on their duty. Which of the following security models is most likely used to support the task?
A. Clark-Wilson Model
B. Take-Grant Model
C. Biba Model
D. Brewer and Nash Model

Continue reading

Digital Envelope

Digital Envelope

Digital Envelope

The enveloped-data content type consists of an encrypted content of any type and encrypted content-encryption keys for one or more recipients.

The combination of the encrypted content and one encrypted content-encryption key for a recipient is a “digital envelope” for that recipient.


The content is encrypted with the content-encryption key.

The data to be protected is padded, then the padded data is encrypted using the
content-encryption key.

Content-encryption Key

The content-encryption key for the desired content-encryption algorithm is randomly generated.

Any type of content can be enveloped for an arbitrary number of recipients using any of the three key management techniques for each recipient.

Source: RFC 3369: Cryptographic Message Syntax (CMS)



Both S/MIME and PGP support protecting the encryption/session key using the public-key encryption. At the conceptual level, S/MIME and PGP apply. The diagram is an excerpt from Wikipedia and I think that’s why PGP is the answer.

The session key in S/MIME can be exchanged through:

  1. Key transport by public-key encryption (supported by CA)
  2. Key agreement
  3. Shared Key



Security Culture

Security Culture

This question of security culture is discussed in Luke’s group.

IMO, culture is a big issue and varies from company to company. I would

  1. clarify the management’s expectation upon security and culture,
  2. set the goals according to those expectations and/or requirements,
  3. analyze the dimensions of security culture, and
  4. define metrics and KPIs to measure if the goals are achieved.

The following are some factors to consider:

  • the risk appetite of the board,
  • arrangement of the security function,
  • the soundness of the policy framework,
  • security budget,
  • meeting frequency or attendance of the management,
  • the readiness of the management system,
  • total hours of training and education,
  • the number of incidents reported, and
  • sense of urgency and accountability, etc.