Effective CISSP Questions

You are developing a backup strategy to support the information system contingency plan (ISCP) that must meet the recovery time objective (RTO) and recovery point objective (RPO) determined in the business continuity plan (BCP). The full backup is scheduled at midnight on Sundays. It takes 7 hours to restore the full backup, differential or incremental backup would be restored afterward. If the RTO is 24 hours and RPO is 1 day. Which of the following is the best decision in terms of backup efficiency?
A. Perform a full backup on Sunday and incremental backups on weekdays.
B. Perform a full copy backup on Sunday and incremental backups on weekdays.
C. Perform an incremental backup every one hour
D. Call a meeting to review the objectives

Continue reading


Effective CISSP Questions

Your company sells toys online and ships globally. As a security professional, you are planning for a security assessment. As the password attack is one of the most common attacks, for example, brute force attack, dictionary attack, rainbow table attack, and so forth, an external security team will be employed to inspect weak passwords. For experienced, ethical hackers, which of the following passwords most likely takes the highest cryptanalysis work factor?
A. 0000
B. uTqD3S^#
C. !@#$%^&*
D. 4a7d1ed414474e4033ac29ccb8653d9b

Continue reading

Case Study for Cryptography

Case Study for Cryptography

It’s a significant decision on how to persist the user passwords when developing a software solution, that is, a decision to encrypt or hash passwords at rest.

  • To encrypt passwords at rest supports the software feature, “retrieve password.” Users can “retrieve” or query the original password if they forgot the password. Why supporting users to retrieve passwords? It’s because resetting passwords is more cumbersome and costly than retrieving passwords. If your target users are not tech-savvy, resetting passwords may be a nightmare. Supporting password reset requests may frustrate your customer support team. Besides, DBAs have access to the credentials; they may be “technically” capable of decrypting them even if they are not authorized to do so.
  • To hash passwords at rest requires the feature, “reset password.” The hashed password can not be “decrypted” or can not be “retrieved” because the password is not stored but its “hash.”


Effective CISSP Questions

Your company sells toys online and ships globally. The cryptographic implementation of the shopping website follows FIPS (Federal Information Processing Standards). The customer service representatives (CSR) report a serious workload issue that customer complaints flock in from all service channels about the inconvenience of the website password reset procedure. If retrieving passwords is technically impossible, which of the following cryptographic algorithms is most likely to cause this problem?
A. DES (Data Encryption Algorithm)
B. SHA (Secure Hash Algorithms)
C. MD5 (Message Digest)
D. Advanced Encryption Standard (AES)

Continue reading

Which produces more possible outcomes, a coin, or dice?


Source: OpenLearn

Which produces more possible outcomes, a coin, or dice? The answer is dice.

Generally speaking, a coin has only two sides (the head and tail), but a dice has six (1 to 6). For a fair dice, each side has an equal possibility (one out of six) to show up.

However, for a biased dice, the probability of each side is not equal. For example, throwing a biased dice may always turn out to be one or two; the sides of three to six never appear. So a dice is not necessarily harder to guess than a coin if it is biased (e.g., only the “one” side always appears).

The key point of cryptography is the cryptographic key. If a key generator produces keys with few variations, it is more vulnerable. It is like a Ferrari racing car equipped with a 1200 CC engine. That is, a 256-bit key generator may only have the capability of generating 64 bits of combinations.

Shannon entropy calculator

Entropy is the measure of the generator’s capability of randomness.

  • The entropy of a fair coin is 1, based on the probability of 0.5 (head) and 0.5 (tail)
  • The entropy of a fair dice is 2.58496, based on the probability of 1/6 for each side (1 to 6)

Which produces more possible outcomes, a coin, or dice? The answer is dice if both of them are fair.


ISO 31000:2018 Overview

ISO 31000_2018

The international standard, ISO 31000:2018 Risk management — Guidelines, provides guidelines on managing risk faced by organizations but does not define certification requirements for risk management. It includes definitions and terms, principles, and recommendations for establishing a risk management framework and process but does not include detailed instructions on risk management or advice relevant to any specific domain.

The following are related standards:

  • ISO Guide 73:2009 on Risk management – Vocabulary
  • ISO 31004:2013 on Risk management – Guidance for the implementation of ISO 31000
  • ISO 31010:2009 on Risk management – Risk assessment techniques

Risk management of ISO 31000 is driven by values that are realized by the achievement of objectives. In other words, managing risk is managing the effect of uncertainty on objectives to create and protect values, that is directed by a set of principles, based on a robust management framework, and following a defined process.


Effective CISSP Questions

Your company sells toys online and ships globally. The shopping website employs a reasonably long password policy and stores the customer’s password as an MD5 hash in the database. To which of the following network password attacks through the regular login user interface is your website most vulnerable?
A. Brute force attack
B. Dictionary attack
C. Rainbow table attack
D. Birthday attack

Continue reading