You’re implementing an L2TP/IPsec VPN solution to support remote employees. Which of the following is not true? (Source: Wentz QOTD)
A. AH may not be available in IPsec
B. AH ensures integrity only, but not confidentiality through encryption
C. Implementation of ESP is a mandatory requirement of IPsec
D. ESP ensures both confidentiality and the same level of integrity as AH does
Monthly Archives: July 2020
What is Assurance?
The diagram demonstrates the ISO assurance system in terms of management systems. The following are common management systems:
- Quality Management System (QMS, ISO 9001)
- Environmental Management System (EMS, ISO 14001)
- Food Safety Management System (FSMS, ISO 22001)
- Business Continuity Management System (BCMS, ISO 22301)
- Information Security Management System (ISMS, ISO 27001)
- Occupational Health and Safety Management System (OHSMS, ISO 45001)
No. 1 of the 15 Best New Security Certifications eBooks To Read In 2020
Really pleased to know my book, The Effective CISSP: Security and Risk Management, is ranked No. 1 of the 15 Best New Security Certifications eBooks To Read In 2020 by BookAuthority.
Farewell, Mr. Democracy!
V&V, RMF, and ISO SDLC
I added more information about the confusing C&A process to the post, Jargons: V&V and C&A. The newly added material is included as follows.
Added on 2020/07/30:
There were various information system certification and accreditation (C&A) processes across the US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of their diversity and inconsistency across agencies. For example, the obsolete DITSCAP C&A process treated V&V as phases of its C&A process. The NIST RMF (SP 800-37 Rev. 2) now serves as the latest, unified successor to these C&A processes.
The NIST RMF is integrated with the SDLC detailed in NIST SP 800-160 v1, which is aligned with the SDLC introduced in ISO 15288. In other words, the terms certification and accreditation are no longer used in the NIST RMF. C&A (Certification and Accreditation) is replaced by A&A (Assessment and Authorization) in the RMF and by V&V (Verification and Validation) in ISO 15288.
CISSP PRACTICE QUESTIONS – 20200731
Wired Equivalent Privacy (WEP), ratified in 1997, is the first-generation security solution for 802.11 wireless networks. The 64-bit WEP uses the stream cipher RC4 with a 24-bit initialization vector (IV) and a 40-bit secret key. Hackers can use Aircrack-ng to sniff wireless traffic and crack the secret key by exploiting the short IV. Which of the following best describes the attack used to break WEP? (Source: Wentz QOTD)
A. Ciphertext-only
B. Known-plaintext
C. Chosen-plaintext
D. Chosen-ciphertext
CISSP PRACTICE QUESTIONS – 20200730
Which of the following is the most popular cryptographic hash function used in the blockchain or cryptocurrency? (Source: Wentz QOTD)
A. AES 256
B. SHA-256
C. BITCOIN-160
D. BLAKE2
Why doesn’t IPsec support non-repudiation?
This post is a digest of “IPsec and Non-repudiation.”
Why doesn’t IPsec support non-repudiation? The following is a quick answer:
- Only a few obsolete IPsec-related RFCs used the term “non-repudiation.”
- The latest IPsec-related RFCs avoid using the term “non-repudiation.”
- Non-repudiation applies to the application level. (RFC 4359)
CISSP PRACTICE QUESTIONS – 20200729
Which of the following is least likely to ensure security through the application of a cryptographic hash? (Source: Wentz QOTD)
A. Establish HTTP sessions by Digest Access Authentication
B. Persist passwords with pepper
C. Detect errors using odd parity
D. Enforce accountability through digital signature
Digest of NIST Cybersecurity Framework
This post is a digest of the Framework for Improving Critical Infrastructure Cybersecurity (also known as the NIST Cybersecurity Framework) Version 1.1 from NIST.