CISSP PRACTICE QUESTIONS – 20200627

Effective CISSP Questions

Your company sells toys online worldwide. A web-based E-Commerce system developed by an in-house Integrated Product Team (IPT) supports the business. The development team is considering a solution to protect customer orders in motion. Which of the following is the best solution in terms of security, performance, and cost/benefit ratio?
A. For developers to implement encryption in the business logic layer for full mediation
B. For the architect to incorporate a software encryption module as a cross-cutting aspect
C. For database administrators to implement a secure enclave on the database server
D. For web server administrators to enable secure transmission

Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. For web server administrators to enable secure transmission.

TheKerchoffPrinciple

Business Values

It’s common for companies to have developers focus on solving their assigned business problems to create more values. Issues such as logging, security, caching, performance, etc. are called cross-cutting concerns, aspects of a program that affect other concerns. “In computer science, a concern is a particular set of information that has an effect on the code of a computer program.” (Wikipedia)

Cross-cutting Concerns

As cross-cutting concerns will affect other concerns, they are typically addressed in common or shared modules to relive the developer’s burden. It’s not a good practice for developers to implement encryption functions on an individual basis. It may lead to inconsistent and proprietary implementations, violation of the Kerchoff principle, and more overhead and costs.

Software Encryption Module

Incorporating a software encryption module as a cross-cutting aspect is feasible, but the concern of encryption can be separated from the application and handled by other services. The software encryption module implemented as part of the application will impose more work upon the development team and distract them. The software encryption will hinder the performance of the application. Instead, the implementation of a hardware security module (HSM) can offload the encryption workload and improve performance and scalability.

Secure Enclave

The secure enclave on the database server may protect data in use and at rest, but not in motion or transit.

HTTPS

Asking web server administrators to implement HTTPS (TLS/SSL) with a certificate to enable secure transmission is a common practice, which can utilize the power of HSM if needed.

Reference


A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

Leave a Reply