Effective CISSP Questions

SAML refers to Security Assertion Markup Language. Which of the following statements about “assertion” is not true?
A. It is a package of information produced by the relying party
B. It describes an act of authentication performed on a subject
C. It contains attribute information about the subject
D. It may have authorization data for the subject to access a specified resource



Risk Capacity and Risk Appetite

As a member of the information security community, I would like to share some views from both a personal and a national-security perspective.

Information security is really one of the topics of risk management. With regard to using Zoom, at the individual level most people choose to accept the risk. From a national-security standpoint, however, information security is a matter of national security, so for the government to ban Zoom, or to alert the public to Zoom's potential risks, is entirely the right approach.

Some argue: "If you have something truly confidential, I would advise you not to use Zoom, and not any other video-conferencing software either. That is real security!" This is clearly a major misunderstanding of information security. The goal of security is not unbounded, and security controls are not without limits. It all depends on how much security risk we are willing to accept and on our actual capabilities (such as budget). When we use any product, we should do so with an awareness of the risks, gather as much information as possible, and then decide how to respond to the risk.

Zoom's founder, Eric Yuan, is from Shandong, China. He joined WebEx early on (since acquired by Cisco) and later founded Zoom on that foundation.

Zoom mainly touches on the issues that the security communities in Europe, the US and Taiwan value most: privacy and compliance. From our perspective and that of Europe and the US, Zoom may be involved in serious legal disputes. For example:

  1. Zoom's installer was found to bundle malware
  2. Zoom falsely advertised end-to-end encryption
  3. Zoom uses a home-grown encryption scheme that does not conform to security principles
  4. Zoom sends encryption keys to servers in China (subject to Chinese law)

Other functional and security issues are not listed in detail here; those interested can refer to the following links:

Taiwan's Personal Data Protection Act has been in force for years, and the Cyber Security Management Act formally took effect last year; both institutionally and in practice, Taiwan is aligned with Europe and the US. Add to that Taiwan's ability to make information security a national-security policy, and people have reason to feel reassured and proud!

Our confidence in a product leads us to decide to use it, that is, to accept a certain level of risk. Confidence comes from two sources: the product's trustworthiness, and endorsement or assurance from an impartial third party. This is why Cisco and Microsoft products may also have many problems, yet users believe them to be more secure. For Zoom to win users' trust, it must first become trustworthy: beyond implementing the product to meet security standards as far as possible, if it can obtain third-party validation, I think it can gain everyone's trust and adoption.

Although I personally also use Zoom frequently and, at the individual level, accept the risk, I will keep watching Zoom's security improvements. If Zoom shows no clear improvement in the future, then, on the view that the sum of individual security awareness is the nation's overall security, I will choose, and recommend to others, other secure remote video-conferencing solutions.



Effective CISSP Questions

You are preparing for Information System Contingency Plan (ISCP) and considering solutions of alternate sites. Which of the following is not one of the objectives that directly drive your planning work in terms of information systems?
A. Maximum Tolerable Downtime (MTD)
B. Service Delivery Objective (SDO)
C. Recovery Point Objective (RPO)
D. Recovery Time Objective (RTO)


Common BIA Terminologies

The first version of NIST SP 800-34 used the term Maximum Allowable Outage (MAO) to describe the downtime threshold of the information system. To further distinguish the downtime of the business process from that of the information system, the terms Maximum Tolerable Downtime (MTD) and Recovery Time Objective (RTO) are now used.

Downtime here refers to the disruption of the business process, while outage emphasizes the unavailability of the information system. Terms such as downtime, interruption, and disruption can be used interchangeably, as can allowable, acceptable, and tolerable. Maximum Tolerable Downtime (MTD) is also known as Maximum Tolerable Period of Disruption (MTPD), and Maximum Allowable Outage (MAO) as Maximum Tolerable Outage (MTO).

As various methodologies or approaches may define those terminologies differently and lead to miscommunication, the diagram in this post demonstrates a scenario to introduce common languages used in the analysis of business impact.

Acceptable Interruption Window (AIW)

Acceptable Interruption Window (AIW) is “the maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objectives.” (ISACA, 2019)

AIW is also known as the Maximum Tolerable Downtime (MTD) or Maximum Tolerable Period of Disruption (MTPD). However, the definition by ISACA emphasizes “system,” while MTD or MTPD is a business term that focuses on the disruption of business processes or prioritized activities.

Work Recovery Time (WRT)

Work Recovery Time (WRT) is the “length of time needed to recover lost data, work backlog, and manually captured work once a system is recovered and repaired.” (BRCCI, 2019)

WRT is typically related to the Recovery Point Objective (RPO): the shorter the RPO, the less data has to be re-entered and the shorter the WRT. The sum of the repair time and the WRT should be less than the Recovery Time Objective (RTO).

Recovery Time Objective (RTO)

Recovery Time Objective (RTO) is “the amount of time allowed for the recovery of a business function or resource after a disaster occurs.” (ISACA, 2019)

Recovery of a business function or resource means that it meets both the RPO and the Service Delivery Objective (SDO), subject to the Maximum Tolerable Outage (MTO): it is restored with the latest data and operates at an adequate level of service within the time constraint of the MTO.

Recovery Point Objective (RPO)

Recovery Point Objective (RPO) is “determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.” (ISACA, 2019)

The RPO drives the design of recovery or alternate site and backup strategy. It also affects Work Recovery Time (WRT).

Service Delivery Objective (SDO)

Service Delivery Objective (SDO) is “directly related to the business needs, it is the level of services to be reached during the alternate mode until the normal situation is restored.” (ISACA, 2019)

When a system is resumed within the RTO and RPO, it operates in alternate mode, in which the system should provide an adequate level of services and meet the SDO.

Maximum Tolerable Outage (MTO)

Maximum Tolerable Outage (MTO) is the maximum time that an enterprise can support processing in alternate mode. (ISACA, 2019)

The alternate mode is not viable for long-term operations. MTO sets the objective for the period within which the business continuity solution must transition back to normal mode.

Maximum Tolerable Downtime (MTD)

See Acceptable Interruption Window (AIW).
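The relationships among these terms (repair time plus WRT within the RTO, RTO within the MTD, backup interval within the RPO, alternate mode within the MTO) can be checked mechanically. The following Python is an added example, not part of the original post or any standard; the dataclass names, the sample objectives and the backup timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


@dataclass
class RecoveryObjectives:
    """Objectives a BIA sets for one information system (names are this example's)."""
    mtd: timedelta  # Maximum Tolerable Downtime (AIW / MTPD): business-level ceiling
    rto: timedelta  # Recovery Time Objective: time allowed to bring the system back
    rpo: timedelta  # Recovery Point Objective: acceptable data loss, expressed as time
    mto: timedelta  # Maximum Tolerable Outage: how long alternate mode can be sustained


@dataclass
class RecoveryPlan:
    """What the contingency plan actually delivers (names are this example's)."""
    repair_time: timedelta            # time to repair/restore the system itself
    wrt: timedelta                    # Work Recovery Time: re-entering lost data and backlog
    backup_interval: timedelta        # how often backups complete
    alternate_mode_duration: timedelta  # planned time in alternate mode before normal mode


def validate_plan(obj: RecoveryObjectives, plan: RecoveryPlan) -> list[str]:
    """Return findings; an empty list means the plan satisfies the objectives."""
    findings = []
    if obj.rto > obj.mtd:
        findings.append("RTO exceeds MTD: the system is recovered later than the business can tolerate")
    # The post states repair time + WRT should be less than the RTO.
    if plan.repair_time + plan.wrt >= obj.rto:
        findings.append("repair time + WRT is not less than RTO")
    # Worst-case data loss equals the backup interval, so it must fit inside the RPO.
    if plan.backup_interval > obj.rpo:
        findings.append("backup interval exceeds RPO: worst-case data loss is larger than acceptable")
    if plan.alternate_mode_duration > obj.mto:
        findings.append("alternate-mode duration exceeds MTO")
    return findings


def data_loss(backup_times: list[datetime], disruption: datetime) -> timedelta:
    """Actual data loss for a disruption: time since the last backup completed before it."""
    completed = [t for t in backup_times if t <= disruption]
    if not completed:
        raise ValueError("no backup completed before the disruption")
    return disruption - max(completed)


# Constructed sample values (not taken from the post or any standard).
SAMPLE_OBJECTIVES = RecoveryObjectives(mtd=24 * HOUR, rto=8 * HOUR, rpo=4 * HOUR, mto=14 * DAY)
SAMPLE_PLAN = RecoveryPlan(repair_time=5 * HOUR, wrt=2 * HOUR,
                           backup_interval=6 * HOUR, alternate_mode_duration=7 * DAY)
SAMPLE_BACKUPS = [datetime(2020, 4, 1, 0, 0), datetime(2020, 4, 1, 6, 0), datetime(2020, 4, 1, 12, 0)]
SAMPLE_DISRUPTION = datetime(2020, 4, 1, 14, 30)

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_OBJECTIVES, SAMPLE_PLAN):
        print("finding:", finding)
    print("data loss at disruption:", data_loss(SAMPLE_BACKUPS, SAMPLE_DISRUPTION))
```

With the sample values, the only finding is that a six-hour backup interval cannot meet a four-hour RPO; shortening the interval to four hours clears it, which is the sense in which the RPO drives the backup strategy.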



Effective CISSP Questions

In cryptography, an initialization vector (IV) helps achieve semantic security, the property that encryption under the same key does not produce repeated patterns, so that an attacker cannot infer relationships between plaintext and ciphertext. Which of the following statements about IVs is not true?
A. IV is an arbitrary number that is used only once.
B. The IV must be protected to the same extent as the secret key.
C. An incorrect IV used for decryption in CBC mode causes only the first block of plaintext to be corrupted, not the remaining.
D. Counter (CTR) mode turns a block cipher into a stream cipher and doesn’t employ an IV in the strict sense.
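The following Python is an added example, not part of the original post, demonstrating two IV properties the question touches on: decrypting in CBC mode with the wrong IV corrupts only the first plaintext block, and reusing one key and IV across messages that share a prefix yields identical leading ciphertext blocks (the repeated pattern a fresh IV is meant to prevent). The 8-byte "block cipher" here is a toy stand-in (XOR with the key, then byte reversal) so the code runs offline; it is an assumption of this example and not a secure cipher, but the CBC behaviour shown holds for any block cipher.

```python
BLOCK = 8  # toy block size in bytes


def _toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy invertible block function: XOR with the key, then reverse byte order.
    # NOT a real cipher; it only stands in for AES so the example is self-contained.
    return bytes(b ^ k for b, k in zip(block, key))[::-1]


def _toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(block[::-1], key))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first)."""
    if len(plaintext) % BLOCK or len(iv) != BLOCK:
        raise ValueError("plaintext must be a whole number of blocks; IV must be one block")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = _toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC decryption: P_i = D(C_i) XOR C_(i-1), with C_0 = IV."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(_toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def corrupted_blocks(key: bytes, iv: bytes, wrong_iv: bytes, plaintext: bytes) -> list[int]:
    """Indices of plaintext blocks that come out wrong when the receiver uses wrong_iv."""
    recovered = cbc_decrypt(key, wrong_iv, cbc_encrypt(key, iv, plaintext))
    return [i // BLOCK for i in range(0, len(plaintext), BLOCK)
            if recovered[i:i + BLOCK] != plaintext[i:i + BLOCK]]


def shared_prefix_blocks(key: bytes, iv_a: bytes, iv_b: bytes, pt_a: bytes, pt_b: bytes) -> int:
    """How many leading ciphertext blocks two messages have in common (pattern leakage)."""
    ct_a, ct_b = cbc_encrypt(key, iv_a, pt_a), cbc_encrypt(key, iv_b, pt_b)
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample inputs.
KEY = b"k" * BLOCK
IV = b"\x01" * BLOCK
WRONG_IV = b"\x02" * BLOCK
MESSAGE = b"ABCDEFGHIJKLMNOPQRSTUVWX"          # three blocks
MSG_A = b"HEADER01" + b"payloadA"             # two messages sharing a first block
MSG_B = b"HEADER01" + b"payloadB"

if __name__ == "__main__":
    print("blocks corrupted by wrong IV:", corrupted_blocks(KEY, IV, WRONG_IV, MESSAGE))
    print("shared ciphertext blocks, same IV:", shared_prefix_blocks(KEY, IV, IV, MSG_A, MSG_B))
    print("shared ciphertext blocks, fresh IV:", shared_prefix_blocks(KEY, IV, WRONG_IV, MSG_A, MSG_B))
```

Only block 0 is corrupted by a wrong IV because every later block is decrypted against the received ciphertext, not the IV; and only a fresh IV per message keeps the first ciphertext blocks of two messages with the same header from matching.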
