It’s a significant decision on how to persist the user passwords when developing a software solution, that is, a decision to encrypt or hash passwords at rest.

• To encrypt passwords at rest supports the software feature, “retrieve password.” Users can “retrieve” or query the original password if they forgot the password. Why supporting users to retrieve passwords? It’s because resetting passwords is more cumbersome and costly than retrieving passwords. If your target users are not tech-savvy, resetting passwords may be a nightmare. Supporting password reset requests may frustrate your customer support team. Besides, DBAs have access to the credentials; they may be “technically” capable of decrypting them even if they are not authorized to do so.
• To hash passwords at rest requires the feature, “reset password.” The hashed password can not be “decrypted” or can not be “retrieved” because the password is not stored but its “hash.”

Source: OpenLearn

Which produces more possible outcomes, a coin, or dice? The answer is dice.

Generally speaking, a coin has only two sides (the head and tail), but a dice has six (1 to 6). For a fair dice, each side has an equal possibility (one out of six) to show up.

However, for a biased dice, the probability of each side is not equal. For example, throwing a biased dice may always turn out to be one or two; the sides of three to six never appear. So a dice is not necessarily harder to guess than a coin if it is biased (e.g., only the “one” side always appears).

The key point of cryptography is the cryptographic key. If a key generator produces keys with few variations, it is more vulnerable. It is like a Ferrari racing car equipped with a 1200 CC engine. That is, a 256-bit key generator may only have the capability of generating 64 bits of combinations.

Shannon entropy calculator

Entropy is the measure of the generator’s capability of randomness.

• The entropy of a fair coin is 1, based on the probability of 0.5 (head) and 0.5 (tail)
• The entropy of a fair dice is 2.58496, based on the probability of 1/6 for each side (1 to 6)

Which produces more possible outcomes, a coin, or dice? The answer is dice if both of them are fair.

The international standard, ISO 31000:2018 Risk management — Guidelines, provides guidelines on managing risk faced by organizations but does not define certification requirements for risk management. It includes definitions and terms, principles, and recommendations for establishing a risk management framework and process but does not include detailed instructions on risk management or advice relevant to any specific domain.

The following are related standards:

• ISO Guide 73:2009 on Risk management – Vocabulary
• ISO 31004:2013 on Risk management – Guidance for the implementation of ISO 31000
• ISO 31010:2009 on Risk management – Risk assessment techniques

Risk management of ISO 31000 is driven by values that are realized by the achievement of objectives. In other words, managing risk is managing the effect of uncertainty on objectives to create and protect values, that is directed by a set of principles, based on a robust management framework, and following a defined process.

I share one question on my blog and Facebook group each day. Those daily questions (CISSP PRACTICE QUESTIONS) provide CISSP aspirants a source to think from an integrated viewpoint.

• My blog: https://WentzWu.com
• Effective CISSP Group: https://www.facebook.com/groups/EffectiveCISSP/

I also share posts to clarify critical concepts from time to time. Information security is an emerging discipline. It’s not as rigid as mathematics or physics. Don’t be surprised that there are few unified or tutorial infosec materials. Moreover, there exist inconsistent or even conflicting perspectives. So, it’s more crucial to think than memorize.

My blog would provide the following benefits:

1. CISSP PRACTICE QUESTIONS
2. Feature posts to clarify key concepts
3. InfoSec Conceptual Model: Wentz’s Governance and Risk Model
4. Recurring reminders: think in-depth and comprehensively, and learn systematically and effectively

I hope you enjoy your CISSP journey!