[Cisspstudy] Databases and cryptography

Andrea Gatta andrea.gatta at gmail.com
Sat Sep 19 20:01:15 EDT 2009


Another thing I have noticed with cryptography is that ISC2 tends to
trace all risks/downsides of cryptography back not to breach of disclosure, as
one would think, but instead to (again) availability, this time in the
technical sense (below one example but I am sure I had others):

What is the primary risk of using cryptographic protection for systems or
data:

- loss of the system means loss of all data

- a hardware failure may lead to lost data or system integrity

- a disgruntled user may lead to denial of service

- an employee may hide his activities from the security department

Obviously (now) the third answer is the correct one

Andrea





On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:

> Oh yeah!!! The test really quizzes you on subject matter.  Even though I
> passed on the first try I wasn't entirely happy with the experience.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 5:41 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>
> So I guess I should actually watch out for these sort of questions in the
> real exam...
>
> Andrea
>
> On Sun, Sep 20, 2009 at 12:28 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>
>> I remember this question.  It is the most correct answer based on wording.
>>  After realizing that answer included placed with authorized users.
>>
>> I think I argued with myself for five minutes.  Who places a database near
>> authorized users? I put a database in the data center with all my servers
>> and backup systems.
>>
>> Sent from my iPhone
>>
>> On Sep 19, 2009, at 5:19 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>>
>> Well, same here.
>>
>> Unfortunately the question is from the official ISC2 guide, page 747  ;-)
>>
>> Point is, any chance they got it wrong ?
>>
>> Andrea
>>
>> On Sun, Sep 20, 2009 at 12:15 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>>
>>> I would think neither improve or reduce availability.  I don't think of
>>> crypto as an availability feature.
>>>
>>> Sent from my iPhone
>>>
>>>
>>> On Sep 19, 2009, at 5:06 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>>>
>>>> Hi there,
>>>> I am wondering if anyone could shed a light on the following question
>>>> (and answer):
>>>>
>>>> In terms of databases, cryptography can:
>>>>
>>>> - only restrict and reduce availability
>>>>
>>>> - improve availability by allowing data to be easily placed where
>>>> authorized users can access it
>>>>
>>>> - improve availability by increasing the granularity of the access
>>>> controls
>>>>
>>>> - neither reduce or improve availability
>>>>
>>>>
>>>> As far as the author of the question is concerned the correct answer is:
>>>> "improve availability by allowing data to be easily placed where authorized
>>>> users can access it"
>>>>
>>>> The only reason I can think of for the answer to have a sense is that
>>>> cryptography protects a resource from unauthorized users access through the
>>>> mean of concealing its content.
>>>>
>>>> With a very long shot one could say that the resource would be
>>>> "available" just to authorized users. Which means that this question uses
>>>> "availability" in a very extensive - and I would add devious - way.
>>>>
>>>> As far as I am concerned encryption does provide confidentiality and
>>>> integrity as natural security services.
>>>>
>>>> Thoughts ?
>>>>
>>>> Thanks
>>>> Andrea
>>>> _______________________________________________
>>>> cisspstudy mailing list
>>>> cisspstudy at cccure.org
>>>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org