You are developing a backup strategy to support the information system contingency plan (ISCP) that must meet the recovery time objective (RTO) and recovery point objective (RPO) determined in the business continuity plan (BCP). The full backup is scheduled at midnight on Sundays. It takes 7 hours to restore the full backup; differential or incremental backups would be restored afterward. If the RTO is 24 hours and the RPO is 1 day, which of the following is the best decision in terms of backup efficiency?
A. Perform a full backup on Sunday and incremental backups on weekdays.
B. Perform a full copy backup on Sunday and incremental backups on weekdays.
C. Perform an incremental backup every hour.
D. Call a meeting to review the objectives.
Your company sells toys online and ships globally. As a security professional, you are planning a security assessment. Because password attacks (for example, brute-force, dictionary, and rainbow table attacks) are among the most common attacks, an external security team will be engaged to inspect for weak passwords. For experienced ethical hackers, which of the following passwords most likely requires the highest cryptanalysis work factor?
How to persist user passwords is a significant decision when developing a software solution, that is, whether to encrypt or to hash passwords at rest.
- Encrypting passwords at rest supports the software feature “retrieve password”: users can retrieve (query) the original password if they forget it. Why support password retrieval? Because resetting passwords is more cumbersome and costly than retrieving them. If your target users are not tech-savvy, resetting passwords may be a nightmare, and supporting password reset requests may frustrate your customer support team. On the other hand, DBAs have access to the stored credentials; they may be technically capable of decrypting them even if they are not authorized to do so.
- Hashing passwords at rest requires the feature “reset password.” A hashed password cannot be decrypted or retrieved, because the password itself is not stored, only its hash.
Your company sells toys online and ships globally. The cryptographic implementation of the shopping website follows FIPS (Federal Information Processing Standards). The customer service representatives (CSR) report a serious workload issue that customer complaints flock in from all service channels about the inconvenience of the website password reset procedure. If retrieving passwords is technically impossible, which of the following cryptographic algorithms is most likely to cause this problem?
A. DES (Data Encryption Algorithm)
B. SHA (Secure Hash Algorithms)
C. MD5 (Message Digest)
D. Advanced Encryption Standard (AES)
Which produces more possible outcomes, a coin or a die? The answer is the die.
Generally speaking, a coin has only two sides (heads and tails), but a die has six (1 to 6). For a fair die, each side has an equal probability (one in six) of showing up.
However, for a biased die, the probabilities of the sides are not equal. For example, a biased die may always turn up one or two, while three to six never appear. So a die is not necessarily harder to guess than a coin if it is biased (e.g., if only the “one” side ever appears).
The key point of cryptography is the cryptographic key. If a key generator produces keys with few variations, it is more vulnerable. It is like a Ferrari racing car equipped with a 1200 cc engine. That is, a 256-bit key generator may only be capable of generating 64 bits’ worth of combinations.
Entropy is the measure of a generator’s randomness.
- The entropy of a fair coin is 1 bit, based on the probabilities of 0.5 (heads) and 0.5 (tails).
- The entropy of a fair die is 2.58496 bits, based on the probability of 1/6 for each side (1 to 6).
Which produces more possible outcomes, a coin or a die? The answer is the die, if both of them are fair.
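The coin, die and biased-die figures above follow from the Shannon entropy formula, H = -Σ p_i · log2(p_i). The following is an added example (not code from the original post) that computes that formula, estimates a generator's entropy from observed samples, and converts an entropy figure back into the number of equally likely outcomes it is worth. The biased-die distribution and the sample outputs are constructed for the demo.

```python
import math
from collections import Counter


def shannon_entropy(probabilities):
    """Shannon entropy in bits, H = -sum(p * log2(p)), over a probability distribution.
    Outcomes with probability 0 contribute nothing (0 * log2(0) is taken as 0)."""
    if any(p < 0 for p in probabilities) or abs(sum(probabilities) - 1.0) > 1e-9:
        raise ValueError("probabilities must be non-negative and sum to 1")
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def fair(sides):
    """Uniform distribution over `sides` equally likely outcomes; a fair coin is fair(2)."""
    return [1.0 / sides] * sides


def empirical_entropy(samples):
    """Estimate a generator's entropy from its observed outputs, using the observed frequencies
    as the probability estimates. Few distinct outputs means low entropy, however wide the
    nominal output space is."""
    counts = Counter(samples)
    total = len(samples)
    return shannon_entropy([c / total for c in counts.values()])


def effective_outcomes(entropy_bits):
    """2**H: the number of equally likely outcomes that would give the same entropy.
    A generator that emits 256-bit keys but only 64 bits of entropy is no harder to
    guess than a generator with 2**64 equally likely keys."""
    return 2 ** entropy_bits


def demo():
    # Constructed: a die that only ever shows 1 or 2, each half of the time.
    biased_die = [0.5, 0.5, 0, 0, 0, 0]
    # Constructed: observed outputs of a generator that alternates between two values.
    observed = [1, 2, 1, 2, 1, 2]
    return {
        "fair_coin_bits": shannon_entropy(fair(2)),
        "fair_die_bits": round(shannon_entropy(fair(6)), 5),
        "biased_die_bits": shannon_entropy(biased_die),
        "observed_generator_bits": empirical_entropy(observed),
        "weak_256bit_keygen_outcomes": effective_outcomes(64),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The biased die evaluates to exactly 1 bit, the same as a fair coin, which is the point of the post: the size of the output space says nothing about how hard the output is to guess; only the distribution does.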
The international standard, ISO 31000:2018 Risk management — Guidelines, provides guidelines on managing risk faced by organizations but does not define certification requirements for risk management. It includes definitions and terms, principles, and recommendations for establishing a risk management framework and process but does not include detailed instructions on risk management or advice relevant to any specific domain.
The following are related standards:
- ISO Guide 73:2009 on Risk management – Vocabulary
- ISO 31004:2013 on Risk management – Guidance for the implementation of ISO 31000
- ISO 31010:2009 on Risk management – Risk assessment techniques
Risk management under ISO 31000 is driven by value, which is realized by achieving objectives. In other words, managing risk is managing the effect of uncertainty on objectives in order to create and protect value; it is directed by a set of principles, based on a robust management framework, and follows a defined process.
Your company sells toys online and ships globally. The shopping website enforces a reasonably long password policy and stores each customer’s password as an MD5 hash in the database. To which of the following network password attacks, conducted through the regular login user interface, is your website most vulnerable?
A. Brute force attack
B. Dictionary attack
C. Rainbow table attack
D. Birthday attack
Your company sells toys online and ships globally. The shopping website enforces a weak password policy and stores each customer’s password as an MD5 hash in the database. After a password assessment, the report discloses that many customers use the notoriously naive password ‘0000’. Which of the following can best address the vulnerability and mitigate rainbow table attacks?
A. Replace MD5 with SHA2
B. Implement cell-level encryption in the database
C. Prepend or append strings before computing hashes
D. Employ initialization vector to increase entropy
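Two passages on this page turn on the same mechanism: the encrypt-versus-hash discussion (a hash can only be verified, never reversed) and the rainbow table question (an unsalted, fast hash such as MD5 maps a given password to the same digest in every database, so one precomputation serves all of them). The following is an added example, not code from the original posts, that contrasts an unsalted MD5 store with a salted, iterated store built on the standard library's PBKDF2-HMAC-SHA256. The list of naive passwords is constructed for the demo; a real rainbow table compresses the digest-to-password map with hash/reduce chains, and the dictionary here is the simplified form of that idea.

```python
import hashlib
import hmac
import os

# Constructed: a handful of naive passwords standing in for a precomputation wordlist.
NAIVE_PASSWORDS = ["0000", "1234", "password"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as stored by the website in the question: same password, same digest, every time."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Digest -> password map computed once, reusable against any unsalted MD5 database."""
    return {md5_hex(p): p for p in candidates}


def recover_from_table(stored_digest: str, table: dict):
    """What a precomputed table yields against a stored unsalted digest: the password, or None."""
    return table.get(stored_digest)


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash. The random per-user salt makes each stored record unique even for
    identical passwords, so a table precomputed without that salt is useless; the iteration count
    makes each guess expensive. Record format (chosen for this example): algo$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify by recomputing with the stored salt and iteration count. The original password is
    never recoverable from `stored`, which is why a hashed store needs 'reset', not 'retrieve'."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so verification time does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    table = build_lookup_table(NAIVE_PASSWORDS)
    unsalted_record = md5_hex("0000")
    salted_record_1 = hash_password("0000")
    salted_record_2 = hash_password("0000")
    return {
        "md5_recovered": recover_from_table(unsalted_record, table),
        "salted_records_differ": salted_record_1 != salted_record_2,
        "salted_digest_in_table": salted_record_1.split("$")[3] in table,
        "verify_correct": verify_password("0000", salted_record_1),
        "verify_wrong": verify_password("0001", salted_record_1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the unsalted ‘0000’ digest is recovered straight from the table, while the two salted records for the same password differ from each other and neither digest appears in the table; verification still works because the salt is stored alongside the digest. Note that salting alone does not help a user who chose ‘0000’ against an online guessing attack through the login page; that is what the password policy and rate limiting are for.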
I share one question on my blog and in my Facebook group each day. These daily questions (CISSP PRACTICE QUESTIONS) give CISSP aspirants a source from which to think from an integrated viewpoint.
I also share posts to clarify critical concepts from time to time. Information security is an emerging discipline; it is not as rigid as mathematics or physics. Don’t be surprised that there are few unified or tutorial-style infosec materials. Moreover, inconsistent or even conflicting perspectives exist. So it is more crucial to think than to memorize.
My blog provides the following:
- CISSP PRACTICE QUESTIONS
- Feature posts to clarify key concepts
- InfoSec Conceptual Model: Wentz’s Governance and Risk Model
- Recurring reminders: think in-depth and comprehensively, and learn systematically and effectively
I hope you enjoy your CISSP journey!
You are developing a backup strategy to support the information system contingency plan (ISCP) that must meet the recovery time objective (RTO) and recovery point objective (RPO) determined in the business continuity plan (BCP). The full backup is scheduled at midnight on Sundays. It takes 7 hours to restore the full backup; differential or incremental backups would be restored afterward. Given that the MTD (maximum tolerable downtime) is 24 hours, the RTO is 7 hours, and the RPO is 1 hour, which of the following is the best decision?
A. Perform a full backup on Sunday and incremental backups every hour.
B. Perform a full backup on Sunday and differential backups every hour.
C. Perform a full backup every day.
D. Call a meeting to review the objectives.
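The two backup questions on this page both come down to how a restore chain is rebuilt: an incremental restore replays the full backup plus every incremental taken since it, a differential restore applies the full backup plus only the latest differential, and the interval between backups bounds how much work can be lost. The following is an added example, not part of the original questions, that models a backup plan with those rules and reports worst-case restore time and worst-case data loss against a given RTO and RPO. The 7-hour full restore and the weekly Sunday full backup are taken from the questions; the per-backup restore times for incremental and differential backups are assumed placeholder values, and the differential case is simplified to a single assumed figure for the largest (latest) differential.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupPlan:
    name: str
    full_restore_hours: float        # the page's figure: restoring the full backup takes 7 hours
    partial_kind: str                # "incremental", "differential" or "none"
    partial_interval_hours: float    # how often the partial backup runs (ignored for "none")
    partial_restore_hours: float     # ASSUMED restore time per partial backup (placeholder)
    full_interval_hours: float = 7 * 24   # weekly full backup, as on the page


def worst_case_restore_hours(plan: BackupPlan) -> float:
    """Restore time just before the next full backup, when the chain is longest.
    Incremental: the full backup plus every incremental since it, applied in order.
    Differential: the full backup plus the latest differential only, since it already
    holds everything changed since the full (its restore time is the assumed figure).
    None: the full backup alone."""
    if plan.partial_kind == "none":
        return plan.full_restore_hours
    if plan.partial_kind == "differential":
        return plan.full_restore_hours + plan.partial_restore_hours
    if plan.partial_kind == "incremental":
        chain_length = int(plan.full_interval_hours // plan.partial_interval_hours)
        return plan.full_restore_hours + chain_length * plan.partial_restore_hours
    raise ValueError(f"unknown partial backup kind: {plan.partial_kind}")


def worst_case_data_loss_hours(plan: BackupPlan) -> float:
    """Everything written since the most recent backup of any kind is lost, so the
    backup interval is the worst-case data loss that must fit within the RPO."""
    if plan.partial_kind == "none":
        return plan.full_interval_hours
    return plan.partial_interval_hours


def evaluate(plan: BackupPlan, rto_hours: float, rpo_hours: float) -> dict:
    """Compare the plan's worst cases with the objectives handed down from the BCP."""
    restore = worst_case_restore_hours(plan)
    loss = worst_case_data_loss_hours(plan)
    return {
        "plan": plan.name,
        "restore_hours": restore,
        "loss_hours": loss,
        "meets_rto": restore <= rto_hours,
        "meets_rpo": loss <= rpo_hours,
    }


# Assumed placeholder restore times: 3 minutes per hourly incremental, 1 hour for a week's differential.
PLANS = [
    BackupPlan("weekly full + hourly incremental", 7, "incremental", 1, 0.05),
    BackupPlan("weekly full + hourly differential", 7, "differential", 1, 1.0),
    BackupPlan("daily full only", 7, "none", 0, 0, full_interval_hours=24),
]


def evaluate_all(rto_hours: float, rpo_hours: float) -> list:
    return [evaluate(plan, rto_hours, rpo_hours) for plan in PLANS]


if __name__ == "__main__":
    for objectives in ((24, 24), (7, 1)):   # the two questions' (RTO, RPO) pairs, in hours
        print(f"RTO={objectives[0]}h RPO={objectives[1]}h")
        for row in evaluate_all(*objectives):
            print("  ", row)
```

The numbers printed depend entirely on the assumed per-backup restore times, so treat the output as a way to see how the chain rules interact with the objectives rather than as the answer to either question: an incremental chain grows by one restore step per interval, a differential plan pays for one larger restore, and only the backup interval moves the RPO figure.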