CISSP PRACTICE QUESTIONS – 20200308

Effective CISSP Questions

Symmetric ciphers encrypt plaintext into ciphertext using a secret key. Confusion and diffusion are two cryptographic properties of a cipher to make cryptanalysis difficult. Which of the following statements is not true?
A. Diffusion makes cryptographic attacks more difficult
B. Diffusion obscures the relationship between plaintext and ciphertext
C. Transposition algorithms and P-Box support diffusion
D. Diffusion applies to stream cipher only

CISSP PRACTICE QUESTIONS – 20200307

Your company sells toys online and ships globally. Most developers on the team building the online e-commerce system are experienced. To prevent developers from writing code that is subject to SQL injection attacks, which of the following is the least effective?
A. Common Weakness Enumeration (CWE)
B. Common Vulnerabilities and Exposures (CVE)
C. Training
D. OWASP Top 10

Risk Retention and Risk Acceptance in ISO 27005

Risk acceptance and risk retention may be used interchangeably in other risk management frameworks. However, there are some minute differences from the perspective of ISO 27005.

  • Risk Retention is the risk treatment option in which no action is taken because the inherent or residual risk meets the risk acceptance criteria defined when the risk context was established.
  • In contrast, Risk Acceptance is the decision on whether the residual risk remaining after risk treatments, such as risk modification, risk sharing, or risk avoidance, is explicitly accepted by the managers.

For those accepted risks that do not meet the normal risk acceptance criteria, the outcome of risk acceptance should highlight them with a stated justification. Risk acceptance criteria may become inadequate and should be revised, but it is not always possible to do so promptly. For example, when accepting a risk that brings desirable benefits or whose modification would be very costly, the outdated risk acceptance criteria often cannot be revised in time. In this situation, the decision-maker should explicitly comment on the risks and include a justification for the decision to override the normal risk acceptance criteria.

CISSP PRACTICE QUESTIONS – 20200305

You are sniffing network traffic as a man in the middle and have captured a user’s encrypted login session over a couple of days. After analyzing the session packets, you conclude that a symmetric block cipher encrypts them. However, you are puzzled that the ciphertext of the password varies even though the user’s password has not changed. Which of the following is the least likely cipher mode of operation used to protect the user login session?
A. Electronic Codebook (ECB)
B. Cipher Block Chaining (CBC)
C. Cipher Feedback (CFB)
D. Output Feedback (OFB)
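
The clue in the question (the same unchanged password, captured in several sessions, never yields the same ciphertext) as an added example that is not part of the original post: ECB and CBC encryption over a stand-in Feistel block function, which is an assumption of this example and not a real cipher, with a constructed key and password.

```python
import hashlib
import os

BLOCK = 16  # bytes per block

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block permutation: a 4-round Feistel network keyed through
    SHA-256. Constructed for this example only, it is NOT a real cipher; use AES."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB encrypts each block independently, so equal plaintext blocks always give
    # equal ciphertext blocks, both within a message and across sessions.
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC XORs each plaintext block with the previous ciphertext block (the IV first),
    # so a fresh random IV per message changes every ciphertext block.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def same_ciphertext_every_session(mode: str, key: bytes, password: bytes, sessions: int = 3) -> bool:
    """Encrypt the unchanged password once per login session and report whether an
    eavesdropper would capture identical ciphertext each time (the question's clue)."""
    captured = set()
    for _ in range(sessions):
        if mode == "ECB":
            captured.add(ecb_encrypt(key, pkcs7_pad(password)))
        elif mode == "CBC":  # IV is random per session and travels with the message
            iv = os.urandom(BLOCK)
            captured.add(iv + cbc_encrypt(key, iv, pkcs7_pad(password)))
        else:
            raise ValueError("mode must be ECB or CBC")
    return len(captured) == 1

# Constructed key and password for the demonstration; not real credentials.
DEMO_KEY = b"constructed-32-byte-example-key!"
DEMO_PASSWORD = b"unchanged-password"
```

CFB and OFB behave like CBC here because they also start from a per-message IV; only ECB reproduces the same ciphertext for the same password.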

Extensible Authentication Protocol (EAP)

In the good old days, people dialed up to their ISP with a modem over the Point-to-Point Protocol (PPP). A client connected through PPP is authenticated, if required, by PAP or CHAP. The Extensible Authentication Protocol (EAP) is an authentication framework that extends PPP authentication.

EAP defines only simple messages and their formats; Request and Response are the core messages exchanged between the peer (client) and the authenticator (server). EAP specifies how the authenticator requests the identity and credential (MD5, OTP, or token) and notifies the authentication outcome (Success or Failure). It also determines how the peer responds to the authenticator’s requests. However, EAP does not define how the authenticator verifies and validates the client’s identity; that can be handled by RADIUS, LDAP, or other protocols.

Remote access (e.g., dial-up, VPN), LAN, or wireless networks can authenticate clients through the EAP authentication framework.
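As an added example that is not part of the original post, a parser for the Request, Response, Success and Failure messages described above, using the RFC 3748 header layout (Code, Identifier, Length, Type) and a constructed Identity and MD5-Challenge exchange built inline.

```python
import struct
from dataclasses import dataclass
from typing import Optional
# EAP packet layout (RFC 3748): Code (1 byte), Identifier (1), Length (2, big-endian,
# covering the whole packet); Request and Response add a Type byte plus Type-Data.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 5: "OTP", 6: "GTC"}

@dataclass
class EapPacket:
    code: str
    identifier: int
    type: Optional[str]  # None for Success/Failure
    data: bytes

def build_eap(code: int, ident: int, type_code: Optional[int] = None, data: bytes = b"") -> bytes:
    body = b"" if type_code is None else bytes([type_code]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(packet: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting any whose header or Length field is inconsistent."""
    if len(packet) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(packet):  # Length must describe exactly this packet; never trust it blindly
        raise ValueError(f"length field {length} does not match packet size {len(packet)}")
    if code in (3, 4):  # Success/Failure are a bare 4-byte header with no Type
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
        return EapPacket(CODES[code], ident, None, b"")
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    return EapPacket(CODES[code], ident, TYPES.get(packet[4], f"Type-{packet[4]}"), packet[5:])

def matches(request: EapPacket, response: EapPacket) -> bool:
    """A Response answers the Request whose Identifier it echoes, with the same Type
    (or Nak, when the peer does not support the requested method)."""
    return (request.code == "Request" and response.code == "Response"
            and request.identifier == response.identifier
            and response.type in (request.type, "Nak"))

# Constructed exchange (built here, not captured): Identity round, then an MD5-Challenge
# whose Type-Data is Value-Size || Value, and finally Success from the authenticator.
IDENTITY_REQUEST = build_eap(1, 1, 1)
IDENTITY_RESPONSE = build_eap(2, 1, 1, b"alice")
MD5_CHALLENGE = build_eap(1, 2, 4, bytes([16]) + bytes(range(16)))
SUCCESS = build_eap(3, 2)
```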

CISSP PRACTICE QUESTIONS – 20200304

Symmetric ciphers encrypt plaintext into ciphertext using a secret key. Confusion and diffusion are two cryptographic properties of a cipher to make cryptanalysis difficult. Which of the following statements is not true?
A. Substitution algorithms support confusion
B. Confusion applies to both stream and block cipher
C. Confusion makes recovering the secret key by the ciphertext-only attack more difficult
D. Confusion reduces patterns and obscures the relationship between plaintext and ciphertext

Effective InfoSec Strategy Driver

What is the Important Strategy Driver?

I came across the following post/question from Thor’s group:

My Justification for Compliance Requirements

Strategy Drivers

A strategy is a high-level, overall plan. It typically comprises a collection of initiatives to achieve long-term strategic goals, developed and scoped based on the requirements and constraints from stakeholders and the organization’s internal and external environment. So we can say that strategic goals or requirements drive a strategy.

Effectiveness of a Strategy

An effective strategy should achieve strategic goals, realize benefits, and deliver values to address requirements. Programs, supported by policies and management commitment, implement a strategy. Standards and procedures support a policy.

The Most Important Driver

A, B, C, and D can be sources of requirements and constraints that drive a strategy. If I have to choose the MOST important one, I would vote for B as senior management cares about compliance requirements the most in practice.

Compliance is a long-term and broad concern. Laws, regulations, industry standards, contracts, the corporate policy framework, ethics, and due diligence/due care are compliance requirements. They are subject to change, and organizations have to monitor and respond to this type of compliance risk over time. A strategy should address these concerns effectively.

Information Security Standards and Organizational Internal Standards

Information security standards, e.g., ISO 27001, do not apply to every organization, while an organization’s internal standards exist to support its policies. Policies are developed to support the programs that implement a strategy. So both industry infosec standards and internal standards play a less significant role in developing a strategy than compliance requirements do.

If the question sets the context in an organization that is implementing an ISMS per an information security standard, say ISO 27001, answer A is appropriate, because the organizational goal is to meet the requirements of the standard and pass the certification audit. In this context, the effectiveness of the InfoSec strategy can be determined by whether it meets the requirements of the InfoSec standard.

CISSP PRACTICE QUESTIONS – 20200303

Your company sells toys online and ships globally. After a customer is authenticated, the client browser receives the following HTTP response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "VIP202003010001",
  "name": "Alice",
  "email": "alice@effectivecissp.com",
  "picture": "http://effectivecissp.com/i/alice.jpg"
}

If the HTTP response is encoded and rendered as a JSON Web Token (JWT) payload, which of the following layers of the ISO Open Systems Interconnection model best describes this design?
A. Application
B. Presentation
C. Session
D. Transport

CISSP PRACTICE QUESTIONS – 20200302

Your company sells toys online and ships globally. After a customer is authenticated, the client browser receives the following HTTP response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "VIP202003010001",
  "name": "Alice",
  "email": "alice@effectivecissp.com",
  "picture": "http://effectivecissp.com/i/alice.jpg"
}

Which of the following best describes the protocol or standard the website supports?
A. Federated Identity Management (FIM)
B. Security Assertion Markup Language (SAML)
C. OIDC (OpenID Connect)
D. SSO (Single Sign-On)
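
For the two questions above (20200303 on the JWT payload and 20200302 on the protocol the claims belong to), an added example that is not part of the original posts: the claims from the HTTP response encoded into a signed JWT and verified again, with the HS256 signing key as a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
# Standard claims copied from the HTTP response in the question; the signing key is a
# constructed placeholder for this example, not a real secret.
CLAIMS = {
    "sub": "VIP202003010001",
    "name": "Alice",
    "email": "alice@effectivecissp.com",
    "picture": "http://effectivecissp.com/i/alice.jpg",
}
DEMO_KEY = b"placeholder-hs256-key-for-this-example"

def b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def encode_jwt(claims: dict, key: bytes) -> str:
    """JSON claims -> base64url header and payload -> HS256 signature over both."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def decode_jwt(token: str, key: bytes) -> dict:
    """Verify a token and return its payload; raises ValueError if malformed or forged."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = parts
    # Pin the algorithm server-side: trusting header['alg'] lets a client pick 'none'.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def is_valid(token: str, key: bytes) -> bool:
    try:
        decode_jwt(token, key)
        return True
    except ValueError:  # covers bad base64, bad JSON, bad alg and bad signature
        return False
```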
