[Cisspstudy] Databases and cryptography
Andrea Gatta
andrea.gatta at gmail.com
Sat Sep 19 20:27:19 EDT 2009
Well, that is true. But just based on the fact that ISC2 looks very much
concerned about keys getting lost/corrupted.
On the other hand the last answer - which is sadly the one I picked up -
looks quite reasonable.
As a note - looking at the crypto chapter in the ISC2 book it looks pretty
clear that they consider availability as one of the security services
offered by cryptography (page 226). I am sure that availability is not
mentioned as a crypto sec service in any other book (but I will look into
it).
Andrea
On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
> Well if you follow the chain of thought from the last question. If a
> disgruntled employee has access. YES
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 6:01 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>
> Another thing I have noticed with cryptography is that ISC2 tends to
> trace back all risks/downsides of cryptography not to breach of disclosure as
> one would think but instead to (again) availability, this time in the
> technical sense (below one example but I am sure I had others):
>
> What is the primary risk of using cryptographic protection for systems or
> data:
>
> - loss of the system means loss of all data
>
> - a hardware failure may lead to lost data or system integrity
>
> - a disgruntled user may lead to denial of service
>
> - an employee may hide his activities from the security department
>
> Obviously (now) the third answer is the correct one
>
> Andrea
>
> On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>
>> Oh yeah!!! The test really quizzes you on subject matter. Even though I
>> passed on the first try I wasn't entirely happy with the experience.
>>
>> Sent from my iPhone
>>
>> On Sep 19, 2009, at 5:41 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>>
>> So I guess I should actually watch out for these sort of questions in the
>> real exam...
>>
>> Andrea
>>
>> On Sun, Sep 20, 2009 at 12:28 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>>
>>> I remember this question. It is the most correct answer based on
>>> wording. After realizing that answer included placed with authorized users.
>>>
>>> I think I argued with myself for five minutes. Who places a database
>>> near authorized users? I put a database in the data center with all my
>>> servers and backup systems.
>>>
>>> Sent from my iPhone
>>>
>>> On Sep 19, 2009, at 5:19 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>>>
>>> Well, same here.
>>>
>>> Unfortunately the question is from the official ISC2 guide, page 747 ;-)
>>>
>>> Point is, any chance they got it wrong ?
>>>
>>> Andrea
>>>
>>> On Sun, Sep 20, 2009 at 12:15 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
>>>
>>>> I would think neither improve or reduce availability. I don't think of
>>>> crypto as an availability feature.
>>>>
>>>> Sent from my iPhone
>>>>
>>>>
>>>> On Sep 19, 2009, at 5:06 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
>>>>
>>>> Hi there,
>>>>> I am wondering if anyone could shed a light on the following question
>>>>> (and answer):
>>>>>
>>>>> In terms of databases, cryptography can:
>>>>>
>>>>> - only restrict and reduce availability
>>>>>
>>>>> - improve availability by allowing data to be easily placed where
>>>>> authorized users can access it
>>>>>
>>>>> - improve availability by increasing the granularity of the access
>>>>> controls
>>>>>
>>>>> - neither reduce or improve availability
>>>>>
>>>>>
>>>>> As far as the author of the question is concerned the correct answer
>>>>> is: "improve availability by allowing data to be easily placed where
>>>>> authorized users can access it"
>>>>>
>>>>> The only reason I can think of for the answer to have a sense is that
>>>>> cryptography protects a resource from unauthorized users' access through the
>>>>> means of concealing its content.
>>>>>
>>>>> With a very long shot one could say that the resource would be
>>>>> "available" just to authorized users. Which means that this question uses
>>>>> "availability" in a very extensive - and I would add devious - way.
>>>>>
>>>>> As far as I am concerned encryption does provide confidentiality and
>>>>> integrity as natural security services.
>>>>>
>>>>> Thoughts ?
>>>>>
>>>>> Thanks
>>>>> Andrea
>>>>> _______________________________________________
>>>>> cisspstudy mailing list
>>>>> cisspstudy at cccure.org
>>>>> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org