[Cisspstudy] Databases and cryptography

Jordan, Lemuel CTR Lemuel.N.Jordan at uscg.mil
Mon Sep 21 09:25:56 EDT 2009


I just scanned through chapter 8 of the Shon Harris book, and did not find
any discussion on "availability". Do you happen to remember in which area of
the book you saw this about cryptography hurting availability?

I plan to take the test in Nov or Dec, things like this make me worry also.

Lem


-----Original Message-----
From: cisspstudy-bounces at cccure.org [mailto:cisspstudy-bounces at cccure.org]
On Behalf Of Holland, Brandon
Sent: Monday, September 21, 2009 8:58 AM
To: The CISSP Study Mailing list
Subject: Re: [Cisspstudy] Databases and cryptography

That worries me.  I plan on taking the test in Nov or Dec, and now am
wondering if I should effectively flush what I've learned from Shon
Harris and read the ISC2 Official Guide for those crazy "just for the
test" answers like that.  I am too lazy to look right now, but am SURE
that the CISSP Shon Harris book I read says cryptography actually HURTS
availability... because you are specifically limiting availability by
obscuring the data.  It's like another "hoop" you have to go through
before having your data available.  And if you can't get through it,
your data is unavailable.

-----Original Message-----
From: cisspstudy-bounces at cccure.org
[mailto:cisspstudy-bounces at cccure.org] On Behalf Of Andrea Gatta
Sent: Saturday, September 19, 2009 7:27 PM
To: The CISSP Study Mailing list
Subject: Re: [Cisspstudy] Databases and cryptography

Well, that is true. But just based on the fact that ISC2 looks very much
concerned about keys getting lost/corrupted.

On the other hand the last answer - which is sadly the one I picked -
looks quite reasonable.

As a note - looking at the crypto chapter in the ISC2 book it looks
pretty clear that they consider availability as one of the security
services offered by cryptography (page 226). I am sure that availability
is not mentioned as a crypto security service in any other book (but I will
look into it).

Andrea


On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <mlarchuleta at gmail.com>
wrote:


	Well, if you follow the chain of thought from the last question:
if a disgruntled employee has access, YES.
	
	Sent from my iPhone

	On Sep 19, 2009, at 6:01 PM, Andrea Gatta
<andrea.gatta at gmail.com> wrote:
	
	

		Another thing I have noticed with cryptography is that
ISC2 tends to trace all risks/downsides of cryptography not back to a
breach of disclosure, as one would think, but instead to (again)
availability, this time in the technical sense (below is one example, but I
am sure I have seen others):
		
		What is the primary risk of using cryptographic
protection for systems or data:
		
		- loss of the system means loss of all data
		
		- a hardware failure may lead to lost data or system
integrity
		
		- a disgruntled user may lead to denial of service
		
		- an employee may hide his activities from the
security department
		
		Obviously (now) the third answer is the correct one
		
		Andrea
		
		On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
		

			Oh yeah!!! The test really quizzes you on subject
matter.  Even though I passed on the first try I wasn't entirely happy
with the experience.
			
			Sent from my iPhone

			On Sep 19, 2009, at 5:41 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
			
			

				So I guess I should actually watch out
for these sort of questions in the real exam...
				
				Andrea
				
				
				On Sun, Sep 20, 2009 at 12:28 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
				

					I remember this question.  It is
the most correct answer based on wording.  After realizing that the answer
included "placed" with "authorized users".

					I think I argued with myself for
five minutes.  Who places a database near authorized users? I put a
database in the data center with all my servers and backup systems.
					
					Sent from my iPhone

					On Sep 19, 2009, at 5:19 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
					
					

						Well, same here. 
						
						Unfortunately the question is from the official ISC2 guide, page 747  ;-)
						
						Point is, any chance they got it wrong?
						
						Andrea
						
						
						On Sun, Sep 20, 2009 at 12:15 AM, Mike Archuleta <mlarchuleta at gmail.com> wrote:
						

							I would think it neither improves nor reduces availability.  I don't think of crypto as an availability feature.
							
							Sent from my
iPhone


							On Sep 19, 2009, at 5:06 PM, Andrea Gatta <andrea.gatta at gmail.com> wrote:
							
							

								Hi there,
								I am wondering if anyone could shed some light on the following question (and answer):

								In terms of databases, cryptography can:

								- only restrict and reduce availability

								- improve availability by allowing data to be easily placed where authorized users can access it

								- improve availability by increasing the granularity of the access controls

								- neither reduce or improve availability


								As far as the author of the question is concerned the correct answer is: "improve availability by allowing data to be easily placed where authorized users can access it"

								The only reason I can think of for the answer to make sense is that cryptography protects a resource from unauthorized user access by means of concealing its content.

								With a very long shot one could say that the resource would be "available" just to authorized users. Which means that this question uses "availability" in a very extensive - and I would add devious - way.

								As far as I am concerned encryption does provide confidentiality and integrity as natural security services.

								Thoughts?

								Thanks
								Andrea
								
_______________________________________________
cisspstudy mailing list
cisspstudy at cccure.org
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
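An added example, not taken from the thread or from either study guide, that makes the availability point the thread is arguing about concrete: once records are encrypted, the data is readable only by whoever holds the key, so a disgruntled administrator who destroys the sole copy of the key denies service even though the database itself is intact, while an escrowed copy of the key wrapped under a second custodian's recovery key restores access. The record names and values, the recovery procedure and the HMAC-SHA256 encrypt-then-MAC cipher are all constructed for illustration (stdlib only); a real system would use a vetted AEAD such as AES-GCM and a proper key-management service.

```python
"""Constructed illustration: encrypting a data store moves the availability
question onto key custody. Illustrative HMAC-based cipher, not production crypto."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample records standing in for sensitive database columns.
RECORDS = {
    "customer:1001:ssn": b"123-45-6789",
    "customer:1002:ssn": b"987-65-4321",
    "customer:1003:card": b"4111111111111111",
}


def _subkeys(key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustrative only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. A wrong key fails the tag check, so the
    caller sees 'data unavailable' rather than garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or corrupted ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_store(dek: bytes) -> dict:
    """Encrypt every record under the data-encryption key (DEK)."""
    return {name: encrypt(dek, value) for name, value in RECORDS.items()}


def read_store(dek: bytes, store: dict) -> dict:
    """Decrypt every record; raises ValueError if the DEK is wrong."""
    return {name: decrypt(dek, blob) for name, blob in store.items()}


def available(dek: bytes, store: dict) -> bool:
    """True if the store is readable with this key, i.e. the data is available."""
    try:
        read_store(dek, store)
        return True
    except ValueError:
        return False


def scenario_key_loss_no_escrow() -> bool:
    """Hypothetical: only one copy of the DEK exists and a disgruntled admin
    zeroises it. Returns whether the data is still available (it is not)."""
    dek = os.urandom(32)
    store = build_store(dek)
    dek = bytes(32)  # the sole key copy is destroyed; the ciphertext is untouched
    return available(dek, store)


def scenario_key_loss_with_escrow() -> bool:
    """Hypothetical: same attack, but a copy of the DEK was wrapped under a
    recovery key held by a separate custodian. Returns whether every record
    is recovered intact."""
    dek = os.urandom(32)
    recovery_key = os.urandom(32)             # held offline by a second custodian
    wrapped_dek = encrypt(recovery_key, dek)  # escrowed copy of the DEK
    store = build_store(dek)
    dek = bytes(32)                           # primary key copy destroyed
    recovered_dek = decrypt(recovery_key, wrapped_dek)
    return available(recovered_dek, store) and read_store(recovered_dek, store) == RECORDS


if __name__ == "__main__":
    print("available after key loss, no escrow:  ", scenario_key_loss_no_escrow())
    print("available after key loss, with escrow:", scenario_key_loss_with_escrow())
```

The second scenario is also where the exam's "placed where authorized users can access it" reading comes from: the encrypted store can be replicated anywhere, and whoever is given (or can recover) the key is the set of users for whom it is available.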
