[Cisspstudy] Databases and cryptography
rlhj71 at yahoo.com
rlhj71 at yahoo.com
Mon Sep 21 12:45:39 EDT 2009
On page 219 of the ISC2 book, it states that "The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity. UNLIKE THE OTHER DOMAINS, CRYPTOGRAPHY DOES NOT SUPPORT THE STANDARD OF AVAILABILITY."
--- On Mon, 9/21/09, cisspstudy-request at cccure.org <cisspstudy-request at cccure.org> wrote:
From: cisspstudy-request at cccure.org <cisspstudy-request at cccure.org>
Subject: cisspstudy Digest, Vol 15, Issue 29
To: cisspstudy at cccure.org
Date: Monday, September 21, 2009, 10:38 AM
Send cisspstudy mailing list submissions to
cisspstudy at cccure.org
To subscribe or unsubscribe via the World Wide Web, visit
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
or, via email, send a message with subject or body 'help' to
cisspstudy-request at cccure.org
You can reach the person managing the list at
cisspstudy-owner at cccure.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisspstudy digest..."
Today's Topics:
1. Re: Databases and cryptography (Holland, Brandon)
2. Re: Databases and cryptography (Andrea Gatta)
----------------------------------------------------------------------
Message: 1
Date: Mon, 21 Sep 2009 08:57:24 -0500
From: "Holland, Brandon" <hollandb at frmaint.com>
To: "The CISSP Study Mailing list" <cisspstudy at cccure.org>
Subject: Re: [Cisspstudy] Databases and cryptography
Message-ID:
<58B3233454132D468C5F0D655003DA6411FDB100 at MAIL.frmaint.com>
Content-Type: text/plain; charset="us-ascii"
You're right, I can't seem to find anything anywhere in there as well.
I have been studying Shon Harris mainly, but did study some SANS CISSP
course material as well. I remember having a conversation about
cryptography and availability with a CISSP (we have multiple) at work.
The conclusion was confidentiality hinders availability... but that
must've been wrong. (Or it definitely is for the test.)
It's plain as day in the official guide:
"Cryptography supports all three of the core principles of information
security." The concept being by limiting access to only authorized
individuals you are somehow making the system more available since
unauthorized users can't get in to destroy the system.
I can see that to some extent... but do you REALLY have to be authorized
to break a system? Does a DOS require successful authentication - not
normally.
I KNOW I read this somewhere with the opposite outcome as the answer but
not sure where it came from now.
At least all this talk about it will have me remembering this answer on
the test, even if I don't agree with it.
Thanks,
Brandon
-----Original Message-----
From: cisspstudy-bounces at cccure.org
[mailto:cisspstudy-bounces at cccure.org] On Behalf Of Jordan, Lemuel CTR
Sent: Monday, September 21, 2009 8:26 AM
To: The CISSP Study Mailing list
Subject: Re: [Cisspstudy] Databases and cryptography
I just scanned through chapter 8 of the Shon Harris Book, and did not
find
any discussion on "availability". Do you happen to remember which area
of
the book you saw this about cryptography hurting availability.
I plan to take the test in Nov or Dec, things like this make me worry
also.
Lem
-----Original Message-----
From: cisspstudy-bounces at cccure.org
[mailto:cisspstudy-bounces at cccure.org]
On Behalf Of Holland, Brandon
Sent: Monday, September 21, 2009 8:58 AM
To: The CISSP Study Mailing list
Subject: Re: [Cisspstudy] Databases and cryptography
That worries me. I plan on taking the test Nov or Dec, and now am
wondering if I should effectively flush what I've learned from Shon
Harris and read the ISC2 Official guide for those crazy "just for the
test" answers like that. I am too lazy to look right now, but am SURE
that the CISSP Shon Harris book I read says cryptography actually HURTS
availability... because u are specifically limiting availability by
obscuring the data. It's like another "hoop" you have to go through
before having your data available. And if you can't get through it,
your data is unavailable.
-----Original Message-----
From: cisspstudy-bounces at cccure.org
[mailto:cisspstudy-bounces at cccure.org] On Behalf Of Andrea Gatta
Sent: Saturday, September 19, 2009 7:27 PM
To: The CISSP Study Mailing list
Subject: Re: [Cisspstudy] Databases and cryptography
Well, that is true. But just based on the fact that ISC2 looks very much
concerned about keys get lost/corrupted.
On the other hand the last answer - which is sadly the one I picked up -
looks quite reasonable.
As a note - looking at the crypto chapter in the ISC2 book it looks
pretty clear that they consider availability as one one of the security
services offered by cryptography (page 226). I am sure that availability
is not mentioned as a crypto sec service in any other book (but I will
look into it).
Andrea
On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <mlarchuleta at gmail.com>
wrote:
Well if you follow the chain of thought from the last question.
If a digruntled employee has access. YES
Sent from my iPhone
On Sep 19, 2009, at 6:01 PM, Andrea Gatta
<andrea.gatta at gmail.com> wrote:
Another thing I have noticed with cryptography is that
ISC2 tends to riconduct all risks/downsides if cryptography not to
breach of disclosure as one would thing but instead to (again)
availability, this time in the technical sense (below one example but I
am sure I had others):
What is the primary risk of using cryptographic
protection for systems or data:
- loss of the system means loss of all data
- a hardware failure may lead to lost data or system
integrity
- a disgruntled user may lead to denial of service
- an employee may may hide is activities from the
security department
Obviously (now) the third aswer is the correct one
Andrea
On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <
<mailto:mlarchuleta at gmail.com> mlarchuleta at gmail.com> wrote:
Oh yeah!!! The test really quizes you on subject
matter. Even though I passed on the first try I wasn't entirely happy
with the experience.
Sent from my iPhone
On Sep 19, 2009, at 5:41 PM, Andrea Gatta <
<mailto:andrea.gatta at gmail.com> andrea.gatta at gmail.com> wrote:
So I guess I should actually watch out
for these sort of questions in the real exam...
Andrea
On Sun, Sep 20, 2009 at 12:28 AM, Mike
Archuleta < <mailto:mlarchuleta at gmail.com>
<mailto:mlarchuleta at gmail.com> mlarchuleta at gmail.com> wrote:
I remember this question. It is
the most correct answer based on wording. After realizing that answer
included placed with autorized users.
I think I argued with myself for
five minutes. Who places a database near authorized users? I put a
database in the data center with aal my servers and backup systems.
Sent from my iPhone
On Sep 19, 2009, at 5:19 PM,
Andrea Gatta < <mailto:andrea.gatta at gmail.com>
<mailto:andrea.gatta at gmail.com> andrea.gatta at gmail.com> wrote:
Well, same here.
Unfortunately the
question is from the official ISC2 guide, page 747 ;-)
Point is, any chance
they got it wrong ?
Andrea
On Sun, Sep 20, 2009 at
12:15 AM, Mike Archuleta < <mailto:mlarchuleta at gmail.com>
<mailto:mlarchuleta at gmail.com> <mailto:mlarchuleta at gmail.com>
mlarchuleta at gmail.com> wrote:
I would think
niether improve or reduce availability. I don't think if crypto as an
availability feature.
Sent from my
iPhone
On Sep 19, 2009,
at 5:06 PM, Andrea Gatta < <mailto:andrea.gatta at gmail.com>
<mailto:andrea.gatta at gmail.com> <mailto:andrea.gatta at gmail.com>
andrea.gatta at gmail.com> wrote:
Hi
there,
I am
wondering if anyone could shed a light on the following question (and
answer):
In terms
of databases, cryptography can:
- only
restrict and reduce availability
-
improve availability by allowing data to be easily placed where
authorized users can access it
-
improve availability by increasing the granularity of the access
controls
-
neither reduce or improve availability
As far
as the author of the question is concerned the correct answer is:
"improve availability by allowing data to be easily placed where
authorized users can access it"
The only
reason I can think of for the answer to have a sense is that
cryptography protects a resource from unauthorized users access through
the mean of concealing its content.
With a
very long shot one could say that the resource would be "available" just
to authorizaed users. Which means that this question uses "availability"
in a very extensive - and I would add divious - way.
As far
as I am concerned encryption does provide confidentiality and integrity
as natural security services.
Thoughts
?
Thanks
Andrea
_______________________________________________
cisspstudy mailing list
<mailto:cisspstudy at cccure.org> <mailto:cisspstudy at cccure.org>
<mailto:cisspstudy at cccure.org> cisspstudy at cccure.org
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy
mailing list
<mailto:cisspstudy at cccure.org> <mailto:cisspstudy at cccure.org>
<mailto:cisspstudy at cccure.org> cisspstudy at cccure.org
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy mailing list
<mailto:cisspstudy at cccure.org> <mailto:cisspstudy at cccure.org>
cisspstudy at cccure.org
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy mailing list
<mailto:cisspstudy at cccure.org>
<mailto:cisspstudy at cccure.org> cisspstudy at cccure.org
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy mailing list
<mailto:cisspstudy at cccure.org>
cisspstudy at cccure.org
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy mailing list
<mailto:cisspstudy at cccure.org>
cisspstudy at cccure.org
<http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy mailing list
cisspstudy at cccure.org
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy mailing list
cisspstudy at cccure.org
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy mailing list
cisspstudy at cccure.org
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
_______________________________________________
cisspstudy mailing list
cisspstudy at cccure.org
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
------------------------------
Message: 2
Date: Mon, 21 Sep 2009 15:37:50 +0100
From: Andrea Gatta <andrea.gatta at gmail.com>
To: The CISSP Study Mailing list <cisspstudy at cccure.org>
Subject: Re: [Cisspstudy] Databases and cryptography
Message-ID:
<89ab1b610909210737l59ac1349g7f8b6bb6c6076429 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
The SANS material seems to be more "inline" with the ISC2 way of thinking.
At least SANS does mention where you need to just "swollow the peel" and
move on.
I have personally found a number of clear differences even when it comes to
things such as encryption methods, systems, types. I can't remember from the
top of my head but I bet I have found inconsistences between Shon Harris
book and the ISC2 guide.
The point is, Shon Harris is very good when it comes to drive the concept
home. Clearly the level of trickery of the CISSP exam - if it is true which
I don't know (yet) - might get in the way.
Andrea
On Mon, Sep 21, 2009 at 2:57 PM, Holland, Brandon <hollandb at frmaint.com>wrote:
> You're right, I can't seem to find anything anywhere in there as well.
> I have been studying Shon Harris mainly, but did study some SANS CISSP
> course material as well. I remember having a conversation about
> cryptography and availability with a CISSP (we have multiple) at work.
> The conclusion was confidentiality hinders availability... but that
> must've been wrong. (Or it definitely is for the test.)
>
> It's plain as day in the official guide:
> "Cryptography supports all three of the core principles of information
> security." The concept being by limiting access to only authorized
> individuals you are somehow making the system more available since
> unauthorized users can't get in to destroy the system.
>
> I can see that to some extent... but do you REALLY have to be authorized
> to break a system? Does a DOS require successful authentication - not
> normally.
>
> I KNOW I read this somewhere with the opposite outcome as the answer but
> not sure where it came from now.
>
> At least all this talk about it will have me remembering this answer on
> the test, even if I don't agree with it.
>
> Thanks,
> Brandon
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org
> [mailto:cisspstudy-bounces at cccure.org] On Behalf Of Jordan, Lemuel CTR
> Sent: Monday, September 21, 2009 8:26 AM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
>
> I just scanned through chapter 8 of the Shon Harris Book, and did not
> find
> any discussion on "availability". Do you happen to remember which area
> of
> the book you saw this about cryptography hurting availability.
>
> I plan to take the test in Nov or Dec, things like this make me worry
> also.
>
> Lem
>
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org
> [mailto:cisspstudy-bounces at cccure.org]
> On Behalf Of Holland, Brandon
> Sent: Monday, September 21, 2009 8:58 AM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
> That worries me. I plan on taking the test Nov or Dec, and now am
> wondering if I should effectively flush what I've learned from Shon
> Harris and read the ISC2 Official guide for those crazy "just for the
> test" answers like that. I am too lazy to look right now, but am SURE
> that the CISSP Shon Harris book I read says cryptography actually HURTS
> availability... because u are specifically limiting availability by
> obscuring the data. It's like another "hoop" you have to go through
> before having your data available. And if you can't get through it,
> your data is unavailable.
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org
> [mailto:cisspstudy-bounces at cccure.org] On Behalf Of Andrea Gatta
> Sent: Saturday, September 19, 2009 7:27 PM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
> Well, that is true. But just based on the fact that ISC2 looks very much
> concerned about keys get lost/corrupted.
>
> On the other hand the last answer - which is sadly the one I picked up -
> looks quite reasonable.
>
> As a note - looking at the crypto chapter in the ISC2 book it looks
> pretty clear that they consider availability as one one of the security
> services offered by cryptography (page 226). I am sure that availability
> is not mentioned as a crypto sec service in any other book (but I will
> look into it).
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <mlarchuleta at gmail.com>
> wrote:
>
>
> Well if you follow the chain of thought from the last question.
> If a digruntled employee has access. YES
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 6:01 PM, Andrea Gatta
> <andrea.gatta at gmail.com> wrote:
>
>
>
> Another thing I have noticed with cryptography is that
> ISC2 tends to riconduct all risks/downsides if cryptography not to
> breach of disclosure as one would thing but instead to (again)
> availability, this time in the technical sense (below one example but I
> am sure I had others):
>
> What is the primary risk of using cryptographic
> protection for systems or data:
>
> - loss of the system means loss of all data
>
> - a hardware failure may lead to lost data or system
> integrity
>
> - a disgruntled user may lead to denial of service
>
> - an employee may may hide is activities from the
> security department
>
> Obviously (now) the third aswer is the correct one
>
> Andrea
>
>
>
>
>
>
> On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <
> <mailto:mlarchuleta at gmail.com> mlarchuleta at gmail.com> wrote:
>
>
> Oh yeah!!! The test really quizes you on subject
> matter. Even though I passed on the first try I wasn't entirely happy
> with the experience.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 5:41 PM, Andrea Gatta <
> <mailto:andrea.gatta at gmail.com> andrea.gatta at gmail.com> wrote:
>
>
>
> So I guess I should actually watch out
> for these sort of questions in the real exam...
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 12:28 AM, Mike
> Archuleta < <mailto:mlarchuleta at gmail.com>
> <mailto:mlarchuleta at gmail.com> mlarchuleta at gmail.com> wrote:
>
>
> I remember this question. It is
> the most correct answer based on wording. After realizing that answer
> included placed with autorized users.
>
> I think I argued with myself for
> five minutes. Who places a database near authorized users? I put a
> database in the data center with aal my servers and backup systems.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 5:19 PM,
> Andrea Gatta < <mailto:andrea.gatta at gmail.com>
> <mailto:andrea.gatta at gmail.com> andrea.gatta at gmail.com> wrote:
>
>
>
> Well, same here.
>
> Unfortunately the
> question is from the official ISC2 guide, page 747 ;-)
>
> Point is, any chance
> they got it wrong ?
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at
> 12:15 AM, Mike Archuleta < <mailto:mlarchuleta at gmail.com>
> <mailto:mlarchuleta at gmail.com> <mailto:mlarchuleta at gmail.com>
> mlarchuleta at gmail.com> wrote:
>
>
> I would think
> niether improve or reduce availability. I don't think if crypto as an
> availability feature.
>
> Sent from my
> iPhone
>
>
> On Sep 19, 2009,
> at 5:06 PM, Andrea Gatta < <mailto:andrea.gatta at gmail.com>
> <mailto:andrea.gatta at gmail.com> <mailto:andrea.gatta at gmail.com>
> andrea.gatta at gmail.com> wrote:
>
>
>
> Hi
> there,
> I am
> wondering if anyone could shed a light on the following question (and
> answer):
>
> In terms
> of databases, cryptography can:
>
> - only
> restrict and reduce availability
>
> -
> improve availability by allowing data to be easily placed where
> authorized users can access it
>
> -
> improve availability by increasing the granularity of the access
> controls
>
> -
> neither reduce or improve availability
>
>
> As far
> as the author of the question is concerned the correct answer is:
> "improve availability by allowing data to be easily placed where
> authorized users can access it"
>
> The only
> reason I can think of for the answer to have a sense is that
> cryptography protects a resource from unauthorized users access through
> the mean of concealing its content.
>
> With a
> very long shot one could say that the resource would be "available" just
> to authorizaed users. Which means that this question uses "availability"
> in a very extensive - and I would add divious - way.
>
> As far
> as I am concerned encryption does provide confidentiality and integrity
> as natural security services.
>
> Thoughts
> ?
>
> Thanks
> Andrea
>
>
> _______________________________________________
>
> cisspstudy mailing list
>
> <mailto:cisspstudy at cccure.org> <mailto:cisspstudy at cccure.org>
> <mailto:cisspstudy at cccure.org> cisspstudy at cccure.org
>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
>
>
> _______________________________________________
> cisspstudy
> mailing list
>
> <mailto:cisspstudy at cccure.org> <mailto:cisspstudy at cccure.org>
> <mailto:cisspstudy at cccure.org> cisspstudy at cccure.org
>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
>
>
> _______________________________________________
> cisspstudy mailing list
>
> <mailto:cisspstudy at cccure.org> <mailto:cisspstudy at cccure.org>
> cisspstudy at cccure.org
>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
>
>
> _______________________________________________
> cisspstudy mailing list
> <mailto:cisspstudy at cccure.org>
> <mailto:cisspstudy at cccure.org> cisspstudy at cccure.org
>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
>
>
>
> _______________________________________________
> cisspstudy mailing list
> <mailto:cisspstudy at cccure.org>
> cisspstudy at cccure.org
>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
>
> _______________________________________________
> cisspstudy mailing list
> <mailto:cisspstudy at cccure.org>
> cisspstudy at cccure.org
>
> <http://cccure.org/mailman/listinfo/cisspstudy_cccure.org>
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
>
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
>
>
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cccure.org/pipermail/cisspstudy_cccure.org/attachments/20090921/8d56f200/attachment.html>
------------------------------
_______________________________________________
cisspstudy mailing list
cisspstudy at cccure.org
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
End of cisspstudy Digest, Vol 15, Issue 29
******************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cccure.org/pipermail/cisspstudy_cccure.org/attachments/20090921/8551f624/attachment-0001.html>
More information about the cisspstudy
mailing list