According to Martin Fowler, a maturity model is a tool that helps people assess the current effectiveness of a person or group and supports figuring out what capabilities they need to acquire next in order to improve their performance. Which of the following is an open-source maturity model to help organizations assess, formulate, and implement a software security strategy that can be integrated into their existing Software Development Lifecycle (SDLC)? A. Software Assurance Maturity Model (SAMM) B. Capability Maturity Model Integration (CMMI) C. Cybersecurity Maturity Model Certification (CMMC) D. Systems Security Engineering Capability Maturity Model (SSE-CMM)
A client sent a Kerberos authentication request to the authentication server (AS) and received a response with an encrypted part containing the session key and ticket-granting ticket (TGT). Which of the following should the client use to decrypt the ciphertext? A. The client’s secret key B. The client’s private key C. The authentication server’s public key D. The session key shared by the client and the ticket-granting server (TGS)
I believe ISC2’s decision on remote testing surprises the community. I respect their final decision, but I hope our concerns and voices can be heard.
Capacity or Safety
Human life always takes priority over any other matter. I consider that remote testing is being implemented because of limited or insufficient enrollment capacity or because of safety concerns about test centers. Isn’t it?
If test centers in the pandemic time are not safe, they should be shut down completely. If some of the test centers can be open, that means the safety issue is addressable. So, I believe that remote testing comes in to compensate for the insufficient capacity. However, in the past six months, the number of CISSPs has grown as much as in the prior 18 months.
The Growth of CISSP in the Past 6 Months
The number of CISSPs increased by 6,016, from 141,607 to 147,623, in 6 months (1-Jul-20 to 1-Jan-21), during the peak pandemic time.
The number of CISSPs increased by only 5,179, from 136,428 to 141,607, in 18 months (31-Dec-18 to 1-Jul-20).
People Safety, ISC2 Growth, Exam Integrity, and Tradeoff
We still have some “safe” test centers available, and the number of CISSPs keeps growing (by 6,016 CISSPs in the recent 6 months) without remote testing, even during the pandemic time. Remote testing undoubtedly boosts the growth of ISC2 membership, but it comes at the price of a potential loss of exam integrity and of the long-term credit of ISC2 credentials.
The “Exams in Test Centers Only” Strategy
Even though more and more certification bodies have implemented remote testing, it’s an opportunity, in my view, for ISC2 to uniquely distinguish itself from the competition by insisting on the strategy of “exams in test centers only.” At the same time, it maintains the high standard, exam integrity, and its credit.
Do It Differently
I hope ISC2 remains unique and competitive in the certification market, but remote testing would make it an average player. If remote testing is an unchangeable decision, I hope it is the most rigid and the most different from the others.
A client is authenticating to an identity provider (IdP). Which of the following is the least feasible authenticator or authentication mechanism? A. A password transmitted in clear text B. A timestamp encrypted by the hash of the password C. A nonce from the IdP encrypted by the subject’s private key D. An attribute sent over TLS/SSL that uniquely identifies the subject
A software development team is concerned with the integrity of the access token received from the web site after users log in. Which of the following is least likely considered? A. Is the access token altered? B. Is the web site the genuine origin of the access token? C. Does the web site sign the access token? D. Is the access token lost in transit?
Alice is a newly recruited employee. The Human Resource department is conducting her identity proofing and enrollment process. Which of the following should be conducted first? A. Validation B. Resolution C. Verification D. Authentication
A client submits a user’s identity in clear text along with a timestamp encrypted by the hash of the user’s password to the Kerberos Authentication Server. The Kerberos message is encapsulated as KRB_AS_REQ. Which of the following best describes the purpose of the process? A. Identification B. Authentication C. Pre-authentication D. The TGT (Ticket-granting ticket)
A session is a temporary logical connection between two end-user application processes for message exchange. Which of the following statements about the session is not true? A. The session layer in the ISO OSI model maps to the application layer in TCP/IP. B. The establishment of a session is independent of underlying transports. C. The RESTful-style architecture prescribes how a session is managed. D. A session can maintain state information even if the transport is connectionless.