CISSP PRACTICE QUESTIONS – 20191023

Effective CISSP Questions

Your company sells toys online and ships globally. When signing in to the web site, a customer, Jack, forgot his password. He clicked the “Forgot password?” button to reset it and, within 2 minutes, received a password notification email that contained his old password so he could sign in. Jack called customer service to complain that the web system is insecure, because the notification email disclosed his password. As a security professional, which of the following is the best suggestion?
A. Implement a self-service portal to reset passwords
B. Accelerate the delivery speed of password notification emails
C. Employ a one-way function to handle passwords and concatenated random strings
D. Use AES256 to encrypt passwords with salts


Governance Practices

Information Security Governance

The board of directors and senior management govern an organization to achieve its ultimate goal: to create and deliver value.

  • They institute the organizational structure and systems to support operations,
  • communicate the organization’s mission and vision to guide direction,
  • set goals to align strategies,
  • optimize resources to realize strategies,
  • monitor performance to respond to changes,
  • manage risks to ensure success, and
  • behave responsibly to uphold integrity.

CISSP PRACTICE QUESTIONS – 20191022

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. In a threat modeling meeting, the development team identified a design flaw that might result in SQL injection attacks. The solution is a typical 3-tier architecture: web server farms for front-end presentation, elastic application server clusters for business logic, and a database cluster for data persistence. After evaluation, the risk shall be addressed as the first priority. As a security professional, which of the following is the best suggestion?
A. For front-end UX programmers to validate user inputs
B. For back-end web programmers to validate user inputs
C. For the solution architect to design a secure architecture
D. For back-end web programmers to authenticate and authorize every HTTP request


The Effective CISSP Book Series

The Effective CISSP
Security and Risk Management

I’m working on my first book of the Effective CISSP series:
The Effective CISSP – Security and Risk Management
I hope it will be available on Amazon in November.

As an experienced IT/InfoSec professional, I’ve tried my best to integrate all the domain knowledge to guide CISSP aspirants with technical background through the governance and management areas.

This book is helpful both to CISSP and CISM.

CISSP PRACTICE QUESTIONS – 20191021

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. In a threat modeling meeting, the project team is analyzing and prioritizing the risks. As a security professional, which of the following is the best basis for prioritizing risks?
A. Annual Rate of Occurrence (ARO)
B. Risk exposure
C. Business Impact Analysis (BIA)
D. Estimated financial loss


Risk = Threat x Vulnerability

What is Risk

Risk Exposure

Risk exposure is a measure of risk that takes all the risk factors into account. If the effect is expressed in monetary terms, risk exposure is an indicator of potential financial loss. A risk score is a common form of risk exposure.

Risk = Threat x Vulnerability

This formula is overly simplified and has been misunderstood for years. It should be read as follows:

  • The Risk term in the formula should refer to “Risk Score” or “Risk Exposure.”
  • The Threat term in the formula should refer to “The impact of a threat.”
  • The Vulnerability term in the formula should refer to “The likelihood of the vulnerability being exploited.”
  • The formula should be interpreted as “Risk Exposure is a function of the impact of a threat and the likelihood of the vulnerability being exploited.” As a result, the calculation doesn’t necessarily have to be multiplication.
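As an added illustration that is not part of the original post, the following Python scores a small risk register two ways from the same two factors: the literal product of impact and likelihood, and a lookup in a qualitative scoring table that weights impact more heavily. The register entries, the table values and the dollar figures are constructed, and the quantitative variant uses the standard ALE = SLE x ARO relation for potential annual financial loss.

```python
from dataclasses import dataclass

# Constructed 5x5 scoring table: rows = likelihood (1..5), columns = impact (1..5).
# It deliberately weights impact more heavily than likelihood, so it is NOT
# equivalent to likelihood * impact; both are valid functions of the two factors.
RISK_MATRIX = [
    [1, 2, 4, 7, 10],    # rare
    [1, 3, 5, 9, 13],    # unlikely
    [2, 4, 7, 12, 17],   # possible
    [2, 5, 9, 15, 21],   # likely
    [3, 6, 11, 18, 25],  # almost certain
]

@dataclass(frozen=True)
class Risk:
    name: str
    impact: int      # impact of the threat, 1 (negligible) .. 5 (severe)
    likelihood: int  # likelihood of the vulnerability being exploited, 1 (rare) .. 5 (almost certain)
    sle: float       # single loss expectancy in dollars (constructed figure)
    aro: float       # annualized rate of occurrence (constructed figure)

def exposure_multiplicative(r: Risk) -> int:
    """Literal reading of 'Risk = Threat x Vulnerability': impact times likelihood."""
    return r.impact * r.likelihood

def exposure_matrix(r: Risk) -> int:
    """The same two factors combined by table lookup rather than multiplication."""
    return RISK_MATRIX[r.likelihood - 1][r.impact - 1]

def annualized_loss_expectancy(r: Risk) -> float:
    """Quantitative risk exposure as potential financial loss per year: ALE = SLE x ARO."""
    return r.sle * r.aro

def prioritize(risks, score):
    """Return risk names ordered by the chosen exposure function, highest exposure first."""
    return [r.name for r in sorted(risks, key=score, reverse=True)]

# Constructed risk register for the online toy store scenario
REGISTER = [
    Risk("SQL injection in order lookup", impact=5, likelihood=2, sle=800_000, aro=0.5),
    Risk("Old password emailed on reset", impact=3, likelihood=4, sle=150_000, aro=2.0),
    Risk("Marketing page defacement", impact=1, likelihood=5, sle=10_000, aro=3.0),
]

if __name__ == "__main__":
    print("multiplicative:", prioritize(REGISTER, exposure_multiplicative))
    print("matrix:        ", prioritize(REGISTER, exposure_matrix))
    print("ALE:           ", prioritize(REGISTER, annualized_loss_expectancy))
```

The multiplicative score ranks the password-disclosure risk first, while the impact-weighted table and the ALE figure both rank the SQL injection flaw first; the choice of combining function, not only the two inputs, decides the priority order.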