CISSP PRACTICE QUESTIONS – 20191210

Effective CISSP Questions

Your company requires that passwords cannot be cracked within one year by a brute-force attack. You are implementing a password policy by specifying the valid characters, as shown in the regular expression /[a-zA-Z0-9!$]/. If it takes 4 hours to crack passwords with a length of 7 characters, what is the minimum password length that meets your company’s requirement?
A. Seven characters
B. Eight characters
C. Nine characters
D. Ten characters
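The question reduces to a keyspace calculation: the character class has a fixed number of members, and exhaustive search grows by that factor for every extra character. The script below is an added worked example (not part of the original post) that counts the class members from the regular expression in the question, scales the measured 4-hour figure to longer passwords, and finds the first length whose search time exceeds one year. The HOURS_PER_YEAR constant and the helper names are my own.

```python
import re

# The character class is taken from the question; everything else here is an
# added worked example, not code from the original post.
POLICY_REGEX = r"/[a-zA-Z0-9!$]/"
HOURS_PER_YEAR = 365 * 24          # 8760; leap years ignored (assumption)


def alphabet_size(regex: str) -> int:
    """Count the distinct characters matched by a single bracket expression.

    Handles ranges such as a-z and literal members such as ! and $.
    Escapes and negated classes are not supported; the question needs neither.
    """
    m = re.search(r"\[([^\]]+)\]", regex)
    if m is None:
        raise ValueError("no character class found in %r" % regex)
    body = m.group(1)
    chars = set()
    i = 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            # a range like a-z: add every code point from the low to the high end
            chars.update(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.add(body[i])
            i += 1
    return len(chars)


def exhaustive_search_hours(n_symbols: int, length: int,
                            ref_length: int, ref_hours: float) -> float:
    """Scale a measured crack time for ref_length characters to another length.

    Brute force is linear in the keyspace n_symbols ** length, so every extra
    character multiplies the time by n_symbols. Whether the measured figure is
    worst case or average case does not matter as long as the target is judged
    the same way: only the ratio between the two keyspaces is used.
    """
    return ref_hours * n_symbols ** (length - ref_length)


def min_length_for(target_hours: float, n_symbols: int,
                   ref_length: int, ref_hours: float) -> int:
    """Smallest length whose exhaustive search takes at least target_hours."""
    length = ref_length
    while exhaustive_search_hours(n_symbols, length, ref_length, ref_hours) < target_hours:
        length += 1
    return length


if __name__ == "__main__":
    n = alphabet_size(POLICY_REGEX)
    print(f"{n} valid characters")
    for length in range(7, 11):
        hours = exhaustive_search_hours(n, length, 7, 4)
        print(f"{length} chars: {n}^{length} candidates, "
              f"{hours:,.0f} h = {hours / HOURS_PER_YEAR:.2f} years")
    print("minimum length:", min_length_for(HOURS_PER_YEAR, n, 7, 4))
```

The same scaling applies to any policy: change POLICY_REGEX and the reference measurement and the script recomputes the answer. Note that the 4-hour figure implicitly fixes the attacker's guess rate; a faster cracking rig, or a weaker hash that can be tested faster, shrinks every number in the table by the same factor, which is why the length margin should not be cut too fine.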


Rename CISSP Domain 6 to Security Assessment

NIST SP 800-115

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives.

Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing.

  • Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
  • Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
  • Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.

Assessment results are used to support the determination of security control effectiveness over time.

Sybex CISSP Study Guide, 7th Edition

  • Security tests verify that a control is functioning properly.
  • Security assessments are comprehensive reviews of the security of a system, application, or other tested environment.
  • Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors.

Summary

In my opinion, ISC2 should follow the NIST definition and rename CISSP Domain 6 from “Security Assessment and Testing” to “Security Assessment.” Testing is just one of the three security assessment methods, while an audit is a security assessment conducted by independent auditors.

CISSP PRACTICE QUESTIONS – 20191209

Effective CISSP Questions

Alice and Bob are Computer Science majors taking the Cryptography course this semester. They turned in a homework assignment, a 128-bit cryptographic key generator, which was graded in terms of entropy. Alice received an A, while Bob received a B. Why did the professor grade them this way?
A. Alice’s generator produces keys faster than Bob’s
B. The entropy values of Alice and Bob are 0.970950594 and 0.992774454 respectively
C. Alice used mouse movements to generate randomness, while Bob used standard operating-system-level Application Programming Interface (API) functions
D. Alice’s key space is larger than Bob’s.
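Grading a key generator "in terms of entropy" usually means measuring how evenly its output bits are distributed. The block below is an added example, not from the original post, that computes Shannon entropy from a bit histogram, compares a generator backed by the OS CSPRNG with a constructed biased one, and evaluates the binary entropy function at 0.4 and 0.45, which reproduces the two figures quoted in option B (that reading of option B is my assumption; all function names are mine).

```python
import math
import secrets
from collections import Counter


def shannon_entropy(weights) -> float:
    """Shannon entropy in bits of a distribution given as symbol -> count (or probability)."""
    total = sum(weights.values())
    return -sum((w / total) * math.log2(w / total) for w in weights.values() if w)


def binary_entropy(p_one: float) -> float:
    """Entropy of one bit that is 1 with probability p_one; equals 1.0 only at p_one == 0.5."""
    return shannon_entropy({1: p_one, 0: 1.0 - p_one})


def biased_keygen(n_bits: int, p_one: float) -> int:
    """Constructed WEAK generator: each bit is 1 with probability p_one.

    The coin flips themselves come from the OS CSPRNG, so the only defect is
    the bias, which is exactly what an entropy-based grade measures.
    """
    key = 0
    for _ in range(n_bits):
        bit = 1 if secrets.randbelow(1_000_000) < p_one * 1_000_000 else 0
        key = (key << 1) | bit
    return key


def os_keygen(n_bits: int) -> int:
    """Generator backed by the OS CSPRNG (what 'standard API functions' means in practice)."""
    return secrets.randbits(n_bits)


def bit_histogram(keys, n_bits: int) -> Counter:
    """Count zero and one bits over a batch of fixed-width keys."""
    counts = Counter({0: 0, 1: 0})
    for key in keys:
        ones = bin(key).count("1")
        counts[1] += ones
        counts[0] += n_bits - ones
    return counts


def measured_bit_entropy(keygen, n_keys: int = 500, n_bits: int = 128) -> float:
    """Entropy per output bit, estimated from n_keys sample keys of n_bits each."""
    keys = [keygen(n_bits) for _ in range(n_keys)]
    return shannon_entropy(bit_histogram(keys, n_bits))


if __name__ == "__main__":
    print("H(p=0.40)  =", round(binary_entropy(0.40), 9))
    print("H(p=0.45)  =", round(binary_entropy(0.45), 9))
    print("OS CSPRNG  =", round(measured_bit_entropy(os_keygen), 4))
    print("biased 0.4 =", round(measured_bit_entropy(lambda n: biased_keygen(n, 0.4)), 4))
```

Two caveats a grader should keep in mind. Per-bit entropy is a necessary, not a sufficient, test: a counter that emits 0, 1, 2, ... has a near-perfect bit histogram over a long run yet is fully predictable, so a passing histogram says nothing about whether the seed was guessable. And the biased generator above is only weak because of its bias; the OS CSPRNG it draws from is the right source for key material, which is why "used the OS API" is the expected answer in practice rather than a reason for a lower grade.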


Single Sign-On (SSO)

Single Sign-On

Federated Identity Related Protocols

  • SAML
  • OIDC (OpenID Connect)

Integrated Identity Related Protocols

  • Kerberos
  • SESAME, KryptoKnight, NetSP (Mentioned in Sybex. I don’t dive into those legacies, so I assume they are similar to Kerberos.)

Directory Related Protocols

  • LDAP
  • SPML

Reminder

  • The Sybex CISSP Study Guide introduces a couple of markup languages, such as HTML, XML, XACML, and SPML, as background to help readers understand SAML. Don’t confuse that background with the topic of SSO itself.


CISSP PRACTICE QUESTIONS – 20191208

Effective CISSP Questions

Your company is evaluating a new biometric access control system. Requirements for ease of use and user acceptance take precedence over the level of security. The budget is not a concern. However, the error rate shall not exceed 3 errors per day. There are 500 employees in the office building; each of them goes in and out 10 times a day on average. Three vendors submitted proposals as follows:
– Vendor A: Fingerprint, CER: 0.05%
– Vendor B: Iris, CER: 0.02%
– Vendor C: Retina, CER: 0.01%
As a security professional, which of the following solutions would you suggest?
A. Vendor A
B. Vendor B
C. Vendor C
D. Any of them


Flooding and Amplification

DDoS Attack Taxonomy

  • Flooding is an attack that attempts to cause a failure in a system by providing more input than the system can process properly. (CNSSI 4009-2015 )
    • Reflection is a technique in which the attacker forges the source address of request packets to be the victim’s address, so that the machines receiving the requests (the reflectors) send their responses to the victim.
    • Flooding can also be achieved by a botnet (robot network) driven through its command-and-control (C&C) channel, without any reflection.
  • Amplification is a technique that makes the responding system produce as much response data as possible per request, rather than relying on as many requests as possible. The ratio between the sizes of the response and the request is called the amplification factor; combined with reflection, the oversized responses are delivered to the victim.

Summary

  • Flooding: an attack that generates a huge amount of requests.
    • Reflection: one flooding technique that forges the source address of request packets as the victim’s, so that the reflectors’ responses flood the victim.
    • Botnet: a controlled network that can generate a huge amount of requests or flooding.
  • Amplification: a technique that triggers a large amount of response traffic with a single small request. E.g., a small DNS query makes a DNS server return a response many times larger than the query; with reflection, that oversized response lands on the victim.
  • A flood attack may command a botnet to send reflected requests and amplify the responses.
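The combination described above leaves a recognisable trace in flow data: one host receives large answers from several servers it never queried, with a response-to-request byte ratio far above what a normal client sees. The script below is an added example, not from the original post, that computes the amplification factor per (server, client) pair from constructed NetFlow-style records and flags clients that look like reflection victims. The flow records, the victim and resolver addresses (documentation ranges) and the thresholds are all my assumptions.

```python
from collections import defaultdict

# Constructed flow records (not captured traffic), as a collector near the DNS
# servers would summarise them: (src_ip, dst_ip, src_port, dst_port, bytes, packets).
VICTIM = "203.0.113.10"
RESOLVERS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]

FLOWS = []
for server in RESOLVERS:
    # Spoofed queries: sent by bots, but carrying the victim's address as source,
    # so the collector attributes them to the victim (reflection).
    FLOWS.append((VICTIM, server, 53000, 53, 100 * 64, 100))
    # Each 64-byte query draws a 3000-byte answer that the reflector sends to
    # the victim (amplification).
    FLOWS.append((server, VICTIM, 53, 53000, 100 * 3000, 100))
# A benign client and its ordinary answer, for contrast.
FLOWS.append(("192.0.2.5", RESOLVERS[0], 40000, 53, 60, 1))
FLOWS.append((RESOLVERS[0], "192.0.2.5", 53, 40000, 120, 1))


def amplification_factors(flows):
    """Pair each request flow (to port 53) with the reverse response flow and
    return {(server, client): response_bytes / request_bytes}.

    Flows with no matching reverse flow, or with zero request bytes, are skipped.
    """
    requests = {}
    responses = {}
    for src, dst, sport, dport, nbytes, _pkts in flows:
        if dport == 53:
            requests[(dst, src)] = nbytes        # keyed by (server, client)
        elif sport == 53:
            responses[(src, dst)] = nbytes       # same key orientation
    return {key: responses[key] / req_bytes
            for key, req_bytes in requests.items()
            if key in responses and req_bytes}


def find_reflection_victims(flows, min_factor=10.0, min_reflectors=3):
    """Return {client: [servers]} for clients that receive high-ratio responses
    from at least min_reflectors servers: the signature of a reflected,
    amplified flood, since a real client rarely fans out like that."""
    reflectors = defaultdict(list)
    for (server, client), factor in amplification_factors(flows).items():
        if factor >= min_factor:
            reflectors[client].append(server)
    return {client: sorted(servers)
            for client, servers in reflectors.items()
            if len(servers) >= min_reflectors}


if __name__ == "__main__":
    for (server, client), factor in sorted(amplification_factors(FLOWS).items()):
        print(f"{server} -> {client}: amplification factor {factor:.1f}")
    print("suspected victims:", find_reflection_victims(FLOWS))
```

Two caveats. A collector positioned at the victim's edge only sees the response half of the exchange, so there the detection reduces to "many servers answering queries we never sent," and the factor has to come from the server side or from vendor data on the protocol. And a high factor on a single pair is not an attack by itself; a legitimate zone transfer or a large TXT record also has a large ratio, which is why the check requires several reflectors converging on one client.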


CISSP PRACTICE QUESTIONS – 20191207

Effective CISSP Questions

Your company implemented a new fingerprint access control system. It seemingly does not work properly: you and many other employees are sometimes rejected at the door, and the recognition speed is annoying. Which of the following is the best way to address this issue?
A. Increase the False Rejection Rate (FRR)
B. Decrease the False Acceptance Rate (FAR)
C. Implement one-to-one authentication
D. Lower Equal Error Rate (EER)


Risk Assessment vs Risk Analysis

How do you interpret “Risk assessment/analysis” mentioned in the CISSP exam outline?

  • The Sybex official study guide uses “assessment” and “analysis” interchangeably; in effect it equates “risk analysis” with “risk assessment.” Moreover, its “risk assessment” includes risk response/treatment.
  • This conflicts with the NIST risk management process (Frame, Assess, Respond, and Monitor) and with ISO 31000, both of which treat response as a separate step that follows assessment.

Risk Assessment


CISSP PRACTICE QUESTIONS – 20191206

Effective CISSP Questions

A new business partner is applying for a VPN account at your company to work remotely. However, the password settings for partners are the same as those for employees. As a security professional, you consider the risk to be higher for remote partners than for inside workers, and the system administrator should provision password settings at a stricter and more fine-grained level. A system administrator created a new account, generated a password randomly, and texted him a URL on his mobile phone to activate the account. Which of the following matters most in terms of the provisioning process?
A. Identity Assurance Levels (IAL)
B. Authenticator Assurance Levels (AAL)
C. Federation Assurance Levels (FAL)
D. Evaluation Assurance Levels (EAL)
