NTLM Authentication and Insecure Ciphers

RetroTutorial: Installing MS-DOS LAN Manager 2.2c

When it comes to identity management, a directory is a repository of accounts. An account represents an entity, carries its attributes, and has an identity that identifies it uniquely. A password is an authenticator for the most commonly implemented authentication factor, something you know, so a password breach has a severe business impact.

Protecting passwords at rest, in transit, and in use is crucial. The account database can exist as a system file, a registry hive, a data structure in memory, a backup file on tape, or in any other ephemeral or persistent form on any storage. Understanding how operating systems store, convey, and cache authenticators (the password itself or its derivatives) for authentication is critical to minimizing the attack vectors and the attack surface.


Information Security

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial on information security, a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

Information Security

Security refers to the process of and the state reached by protecting something from danger or threat.

Information security is a discipline of protecting information assets from threats through security controls to achieve the security objectives of confidentiality, integrity, and availability, support business processes, and create value to fulfill the organizational mission and vision.

Information Security (translated from the Chinese)

  • Security refers to the process of protecting something from danger or threat, and to the state reached by doing so.
  • Information security is the discipline of protecting information assets from harm through security controls, in order to achieve the security objectives of confidentiality, integrity, and availability, to support the organization's business processes, and to create value that fulfills its mission and vision.

CISSP PRACTICE QUESTIONS – 20210422

Effective CISSP Questions

Scrum is one of the most popular Agile approaches. Your company established a Scrum team to develop the E-Commerce website. Which of the following is correct? (Wentz QOTD)
A. The Project manager, as a servant leader, leads the Scrum team.
B. Daily Scrum can be finished in 5 minutes but never exceeds 15 minutes.
C. Scrum emphasizes prototyping to optimize predictability and control risk.
D. The Scrum Master is accountable for maximizing the value of the product.


CISSP PRACTICE QUESTIONS – 20210421


Wi-Fi Protected Access (WPA), which superseded Wired Equivalent Privacy (WEP) in 2003, WPA2 (2004), and WPA3 (2018) are security certification programs developed by the Wi-Fi Alliance to secure wireless networks. Which of the following is correct? (Wentz QOTD)
A. TKIP is used in WEP to enforce confidentiality.
B. WPA3 employs HMAC to enforce nonrepudiation.
C. WPA uses RC4 as the underlying cipher for confidentiality.
D. WPA2 uses a stream cipher in CCM mode (counter with CBC-MAC).


CISSP PRACTICE QUESTIONS – 20210420


Your company hired a security analyst who got on board today. Which of the following should be conducted first per the identity proofing procedure? (Wentz QOTD)
A. Enroll the biometric template in a model database and provision services
B. Uniquely distinguish the individual among a given population or context
C. Establish the linkage between claimed identity and real-life existence of subject
D. Determine the authenticity, validity, and accuracy of identity information and relate it to a real-life subject


CISSP PRACTICE QUESTIONS – 20210418


Your company runs an E-Commerce website that sells toys around the world. All traffic is protected by HTTPS. Which of the following is the most feasible approach for the browser to submit the user’s password to the web server? (Wentz QOTD)
A. Raw password
B. Hashed password
C. Salted password
D. Digital signature
