CISSP PRACTICE QUESTIONS – 20191024

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. To streamline the order fulfillment process, the system will be integrated with the ones of key business partners. The development is evaluating solutions to address the issue of access control between systems in this supply chain integration initiative. As a security professional, which of the following is the best?
A. Identity as a Service (IDaaS)
B. Federated Identity
C. Single Sign-On (SSO)
D. Kerberos


Security Function


What is a Function?

A function is a collection of activities or procedures arranged in a logical way that accepts input and produces output.

An organizational unit or department performs one or more functions to create and deliver values. For example, the functions performed by HR include staffing, development, compensation, safety and health, employee and labor relations, and so forth.

However, a function may or may not be performed by a department that officially appears in the organizational structure diagram. The same holds for the security function.

Security Function

A security function is a function that ensures security by applying safeguards to protect assets from threats to achieve confidentiality, integrity, and availability.

For simplicity, a security function can be viewed as an unofficial or virtual security department. A security department performs security functions, but security functions can be performed by any department officially or unofficially.

Large organizations typically institute a dedicated organizational unit or department to perform security functions, while some organizations decide to perform security functions without a formal department. For instance, it’s common for organizations to delegate security to the IT department instead of a dedicated information security department.

CISSP PRACTICE QUESTIONS – 20191023

Effective CISSP Questions

Your company is selling toys online and shipping globally. When signing in to the web site, a customer, Jack, forgot his password. He clicked the “Forgot password?” button to reset his password and within 2 minutes received a password notification email that provided his old password for him to sign in. Jack called customer service to complain about the insecure web system because of the password notification email he received. As a security professional, which of the following is the best suggestion?
A. Implement a self-service portal to reset password
B. Accelerate the delivery speed of password notification emails
C. Employ a one-way function to handle passwords and concatenated random strings
D. Use AES256 to encrypt passwords with salts


Governance Practices

Information Security Governance

The board of directors and senior management govern an organization to achieve its ultimate goal: to create and deliver value.

  • They institute the organizational structure and systems to support operations,
  • communicate the organization’s mission and vision to guide direction,
  • set goals to align strategies,
  • optimize resources to realize strategies,
  • monitor performance to respond to changes,
  • manage risks to ensure success, and
  • behave responsibly to uphold integrity.

CISSP PRACTICE QUESTIONS – 20191022

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. In a threat modeling meeting, the development team identified a design flaw that might result in SQL injection attacks. The solution is a typical 3-tier architecture: web server farms for the front-end presentation, elastic application server clusters for the business logic, and a database cluster for data persistence. After evaluation, the risk shall be addressed as the first priority. As a security professional, which of the following is the best suggestion?
A. For front-end UX programmers to validate user inputs
B. For back-end web programmers to validate user inputs
C. For the solution architect to design a secure architecture
D. For back-end web programmers to authenticate and authorize every HTTP request


Cipher Operations 101

Remember the four TRUE rules, and you can make it!

In the expression 1 AND 0, 1 is the left-hand side and 0 is the right-hand side.
1 stands for true; 0 for false.

AND => both sides are true, the result is true
OR => either side is true, the result is true
XOR => both sides differ, the result is true
NOT => reverse the result

Examples:
1 AND 0 => 0
NOT (1 AND 0) => NOT 0 => 1
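The four rules above, written out as code so they can be checked bit by bit. This is an added example, not code from the original post; the function names, the sample plaintext and the two-byte key are constructed for illustration. It goes one step beyond the rules themselves by applying each rule bitwise to bytes against a repeating key, which shows why XOR (and not AND or OR) is the operation stream ciphers and one-time pads are built on: applying XOR with the same key twice gives the original data back, while AND and OR destroy information.

```python
# Added example: the four boolean rules over single bits, then applied
# bitwise to bytes to show which rule is reversible with the same key.

def AND(a: int, b: int) -> int:
    """Both sides true -> the result is true."""
    return 1 if (a == 1 and b == 1) else 0


def OR(a: int, b: int) -> int:
    """Either side true -> the result is true."""
    return 1 if (a == 1 or b == 1) else 0


def XOR(a: int, b: int) -> int:
    """Both sides differ -> the result is true."""
    return 1 if a != b else 0


def NOT(a: int) -> int:
    """Reverse the result."""
    return 1 - a


def truth_table(op) -> dict:
    """All four input combinations of a two-input rule, e.g. truth_table(XOR)."""
    return {(a, b): op(a, b) for a in (0, 1) for b in (0, 1)}


def apply_bitwise(op, data: bytes, key: bytes) -> bytes:
    """Apply a one-bit rule to every bit of `data` against a repeating `key`.

    Hypothetical helper: a real cipher would never reuse a short key like
    this; it is only here to make the reversibility property visible.
    """
    out = bytearray()
    for i, byte in enumerate(data):
        k = key[i % len(key)]
        result = 0
        for bit in range(8):
            a = (byte >> bit) & 1
            b = (k >> bit) & 1
            result |= op(a, b) << bit
        out.append(result)
    return bytes(out)


def is_reversible(op, data: bytes, key: bytes) -> bool:
    """True if applying the rule twice with the same key restores the data."""
    return apply_bitwise(op, apply_bitwise(op, data, key), key) == data


# Constructed sample input: the plaintext and key are made up for this example.
SAMPLE_PLAINTEXT = b"toys"
SAMPLE_KEY = b"\x5a\xa5"

if __name__ == "__main__":
    print("1 AND 0 =>", AND(1, 0))                # 0
    print("NOT (1 AND 0) =>", NOT(AND(1, 0)))    # 1
    for name, op in (("AND", AND), ("OR", OR), ("XOR", XOR)):
        print(name, truth_table(op),
              "reversible:", is_reversible(op, SAMPLE_PLAINTEXT, SAMPLE_KEY))
```

Running the block prints the two worked examples from the post, the truth table of each two-input rule, and which of them can be undone by reapplying the same key: only XOR.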

The Effective CISSP Book Series

The Effective CISSP
Security and Risk Management

I’m working on my first book of the Effective CISSP series:
The Effective CISSP – Security and Risk Management
I hope it will be available on Amazon in November.

As an experienced IT/InfoSec professional, I’ve tried my best to integrate all the domain knowledge to guide CISSP aspirants with technical background through the governance and management areas.

This book is helpful for both CISSP and CISM candidates.

[Images: The Effective CISSP cover page; The Effective CISSP contents pages 1 and 2]


Added on 2020/05/11:

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.


CISSP PRACTICE QUESTIONS – 20191021

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. In a threat modeling meeting, the project team is analyzing and prioritizing the risks. As a security professional, which of the following is the best to prioritize risks?
A. Annual Rate of Occurrence (ARO)
B. Risk exposure
C. Business Impact Analysis (BIA)
D. Estimated financial loss


Risk = Threat x Vulnerability

What is Risk

Risk Exposure

Risk exposure is a measure of risk that is evaluated with consideration of all the risk factors. If the effect is evaluated with monetary value, risk exposure is an indicator of potential financial loss. A risk score is a common type of risk exposure.

Risk = Threat x Vulnerability

This formula is overly simplified and has been misunderstood for years. It is elaborated as follows:

  • The Risk term in the formula should refer to “Risk Score” or “Risk Exposure.”
  • The Threat term in the formula should refer to “The impact of a threat.”
  • The Vulnerability term in the formula should refer to “The likelihood of the vulnerability being exploited.”
  • The formula should be interpreted as “Risk Exposure is a function of the impact of a threat and the likelihood of the vulnerability being exploited.” As a result, the calculation doesn’t necessarily have to be multiplication.
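A small worked illustration of the last bullet: risk exposure as a function f(impact, likelihood) where f need not be multiplication. This is an added example, not part of the original post. The four sample risks, the 1-to-5 scales and the candidate functions are constructed for illustration; they are not a recommended scoring scheme. The point it makes visible is that the ranking used to prioritize risks can change depending on which function is chosen, so the function is a deliberate decision, not a given.

```python
# Added example: risk exposure as a function of impact and likelihood,
# with three candidate functions and a ranking of constructed sample risks.
from typing import Callable, List, Tuple

# Constructed scale: impact and likelihood are both rated 1 (low) to 5 (high).
Risk = Tuple[str, int, int]  # (name, impact, likelihood)

SAMPLE_RISKS: List[Risk] = [
    ("SQL injection in the order form", 5, 3),
    ("Partner API credential leakage", 4, 4),
    ("Toy catalogue page defacement", 2, 5),
    ("Warehouse label printer outage", 1, 2),
]


def multiplicative(impact: int, likelihood: int) -> float:
    """The literal reading of Risk = Threat x Vulnerability."""
    return impact * likelihood


def additive(impact: int, likelihood: int) -> float:
    """A simple alternative: the two factors are summed, not multiplied."""
    return impact + likelihood


def impact_weighted(impact: int, likelihood: int, w_impact: float = 0.7) -> float:
    """Weighted sum that deliberately favours impact over likelihood."""
    return w_impact * impact + (1.0 - w_impact) * likelihood


def monetary_exposure(loss_if_realized: float, probability: float) -> float:
    """When the effect is valued in money, exposure is potential financial loss
    (loss if the event occurs scaled by its probability)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return loss_if_realized * probability


def prioritize(risks: List[Risk],
               exposure: Callable[[int, int], float]) -> List[Tuple[str, float]]:
    """Rank risks by the chosen exposure function, highest exposure first.
    sorted() is stable, so equal scores keep their input order."""
    scored = [(name, exposure(impact, likelihood)) for name, impact, likelihood in risks]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def top_risk(risks: List[Risk], exposure: Callable[[int, int], float]) -> str:
    """Name of the risk that the chosen function puts first."""
    return prioritize(risks, exposure)[0][0]


if __name__ == "__main__":
    for label, fn in (("multiplicative", multiplicative),
                      ("additive", additive),
                      ("impact-weighted", impact_weighted)):
        print(label)
        for name, score in prioritize(SAMPLE_RISKS, fn):
            print(f"  {score:5.1f}  {name}")
    # Constructed monetary figures, for illustration only.
    print("expected loss:", monetary_exposure(loss_if_realized=200_000.0, probability=0.05))
```

With the sample figures, the multiplicative function puts the partner credential leakage first (16 versus 15), while the additive and impact-weighted functions put the SQL injection flaw first. Same risk register, same ratings, different priority order; the choice of function is part of the risk assessment method and should be stated explicitly.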

CISSP PRACTICE QUESTIONS – 20191020

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house, while portions of the solution will be outsourced to an external software vendor. The project team is evaluating software outsourcing candidates. As a security professional, which of the following is the least concern?
A. The financial history
B. Foreign ownership, control, and influence
C. Key escrow agreement
D. Right to conduct code reviews
