[Cisspstudy] Databases and cryptography
Mike Archuleta
mlarchuleta at gmail.com
Sat Sep 19 20:15:01 EDT 2009
Well if you follow the chain of thought from the last question. If a
disgruntled employee has access. YES
Sent from my iPhone
On Sep 19, 2009, at 6:01 PM, Andrea Gatta <andrea.gatta at gmail.com>
wrote:
> Another thing I have noticed with cryptography is that ISC2 tends to
> trace back all risks/downsides of cryptography not to breach of
> disclosure as one would think but instead to (again) availability,
> this time in the technical sense (below one example but I am sure I
> had others):
>
> What is the primary risk of using cryptographic protection for
> systems or data:
>
> - loss of the system means loss of all data
>
> - a hardware failure may lead to lost data or system integrity
>
> - a disgruntled user may lead to denial of service
>
> - an employee may hide his activities from the security department
>
> Obviously (now) the third answer is the correct one
>
> Andrea
>
> On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
> Oh yeah!!! The test really quizzes you on subject matter. Even
> though I passed on the first try I wasn't entirely happy with the
> experience.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 5:41 PM, Andrea Gatta <andrea.gatta at gmail.com>
> wrote:
>
>> So I guess I should actually watch out for these sort of questions
>> in the real exam...
>>
>> Andrea
>>
>> On Sun, Sep 20, 2009 at 12:28 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>> I remember this question. It is the most correct answer based on
>> wording. After realizing that answer included placed with
>> authorized users.
>>
>> I think I argued with myself for five minutes. Who places a
>> database near authorized users? I put a database in the data center
>> with all my servers and backup systems.
>>
>> Sent from my iPhone
>>
>> On Sep 19, 2009, at 5:19 PM, Andrea Gatta <andrea.gatta at gmail.com>
>> wrote:
>>
>>> Well, same here.
>>>
>>> Unfortunately the question is from the official ISC2 guide, page
>>> 747 ;-)
>>>
>>> Point is, any chance they got it wrong ?
>>>
>>> Andrea
>>>
>>> On Sun, Sep 20, 2009 at 12:15 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>>> I would think neither improve nor reduce availability. I don't
>>> think of crypto as an availability feature.
>>>
>>> Sent from my iPhone
>>>
>>>
>>> On Sep 19, 2009, at 5:06 PM, Andrea Gatta <andrea.gatta at gmail.com>
>>> wrote:
>>>
>>> Hi there,
>>> I am wondering if anyone could shed a light on the following
>>> question (and answer):
>>>
>>> In terms of databases, cryptography can:
>>>
>>> - only restrict and reduce availability
>>>
>>> - improve availability by allowing data to be easily placed where
>>> authorized users can access it
>>>
>>> - improve availability by increasing the granularity of the access
>>> controls
>>>
>>> - neither reduce nor improve availability
>>>
>>>
>>> As far as the author of the question is concerned the correct
>>> answer is: "improve availability by allowing data to be easily
>>> placed where authorized users can access it"
>>>
>>> The only reason I can think of for the answer to make sense is
>>> that cryptography protects a resource from unauthorized users'
>>> access through the means of concealing its content.
>>>
>>> With a very long shot one could say that the resource would be
>>> "available" just to authorized users. Which means that this
>>> question uses "availability" in a very extensive - and I would add
>>> devious - way.
>>>
>>> As far as I am concerned encryption does provide confidentiality
>>> and integrity as natural security services.
>>>
>>> Thoughts ?
>>>
>>> Thanks
>>> Andrea
>>> _______________________________________________
>>> cisspstudy mailing list
>>> cisspstudy at cccure.org
>>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org