[Cisspstudy] Databases and cryptography
Sergio Pantoja
spantoja at gmail.com
Mon Sep 21 13:02:59 EDT 2009
IMHO, an exam may not lead to answer a question because they said so in a
book, I hope the exam really tests your experience in the field and your
understanding of the security topics to help you have a broader/holistic
approach.
On Mon, Sep 21, 2009 at 12:45 PM, () <rlhj71 at yahoo.com> wrote:
> On page 219 of the ISC2 book, it states that "The cryptography domain
> addresses the principles, means, and methods of disguising information to
> ensure its integrity, confidentiality, and authenticity. UNLIKE THE OTHER
> DOMAINS, CRYPTOGRAPHY DOES NOT SUPPORT THE STANDARD OF AVAILABILITY."
>
> --- On *Mon, 9/21/09, cisspstudy-request at cccure.org <
> cisspstudy-request at cccure.org>* wrote:
>
>
> From: cisspstudy-request at cccure.org <cisspstudy-request at cccure.org>
> Subject: cisspstudy Digest, Vol 15, Issue 29
> To: cisspstudy at cccure.org
> Date: Monday, September 21, 2009, 10:38 AM
>
> Today's Topics:
>
> 1. Re: Databases and cryptography (Holland, Brandon)
> 2. Re: Databases and cryptography (Andrea Gatta)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 21 Sep 2009 08:57:24 -0500
> From: "Holland, Brandon" <hollandb at frmaint.com>
> To: "The CISSP Study Mailing list" <cisspstudy at cccure.org>
> Subject: Re: [Cisspstudy] Databases and cryptography
> Message-ID: <58B3233454132D468C5F0D655003DA6411FDB100 at MAIL.frmaint.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
> You're right, I can't seem to find anything anywhere in there as well.
> I have been studying Shon Harris mainly, but did study some SANS CISSP
> course material as well. I remember having a conversation about
> cryptography and availability with a CISSP (we have multiple) at work.
> The conclusion was confidentiality hinders availability... but that
> must've been wrong. (Or it definitely is for the test.)
>
> It's plain as day in the official guide:
> "Cryptography supports all three of the core principles of information
> security." The concept being by limiting access to only authorized
> individuals you are somehow making the system more available since
> unauthorized users can't get in to destroy the system.
>
> I can see that to some extent... but do you REALLY have to be authorized
> to break a system? Does a DOS require successful authentication - not
> normally.
>
> I KNOW I read this somewhere with the opposite outcome as the answer but
> not sure where it came from now.
>
> At least all this talk about it will have me remembering this answer on
> the test, even if I don't agree with it.
>
> Thanks,
> Brandon
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org
> [mailto:cisspstudy-bounces at cccure.org]
> On Behalf Of Jordan, Lemuel CTR
> Sent: Monday, September 21, 2009 8:26 AM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
>
> I just scanned through chapter 8 of the Shon Harris Book, and did not
> find any discussion on "availability". Do you happen to remember which
> area of the book you saw this about cryptography hurting availability?
>
> I plan to take the test in Nov or Dec, things like this make me worry
> also.
>
> Lem
>
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org
> [mailto:cisspstudy-bounces at cccure.org]
> On Behalf Of Holland, Brandon
> Sent: Monday, September 21, 2009 8:58 AM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
> That worries me. I plan on taking the test Nov or Dec, and now am
> wondering if I should effectively flush what I've learned from Shon
> Harris and read the ISC2 Official guide for those crazy "just for the
> test" answers like that. I am too lazy to look right now, but am SURE
> that the CISSP Shon Harris book I read says cryptography actually HURTS
> availability... because you are specifically limiting availability by
> obscuring the data. It's like another "hoop" you have to go through
> before having your data available. And if you can't get through it,
> your data is unavailable.
>
> -----Original Message-----
> From: cisspstudy-bounces at cccure.org
> [mailto:cisspstudy-bounces at cccure.org]
> On Behalf Of Andrea Gatta
> Sent: Saturday, September 19, 2009 7:27 PM
> To: The CISSP Study Mailing list
> Subject: Re: [Cisspstudy] Databases and cryptography
>
> Well, that is true. But just based on the fact that ISC2 looks very much
> concerned about keys getting lost/corrupted.
>
> On the other hand the last answer - which is sadly the one I picked up -
> looks quite reasonable.
>
> As a note - looking at the crypto chapter in the ISC2 book it looks
> pretty clear that they consider availability as one of the security
> services offered by cryptography (page 226). I am sure that availability
> is not mentioned as a crypto sec service in any other book (but I will
> look into it).
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 1:15 AM, Mike Archuleta <mlarchuleta at gmail.com>
> wrote:
>
>
> Well if you follow the chain of thought from the last question.
> If a disgruntled employee has access. YES
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 6:01 PM, Andrea Gatta <andrea.gatta at gmail.com>
> wrote:
>
>
>
> Another thing I have noticed with cryptography is that
> ISC2 tends to riconduct all risks/downsides of cryptography not to
> breach of disclosure as one would think but instead to (again)
> availability, this time in the technical sense (below one example but I
> am sure I had others):
>
> What is the primary risk of using cryptographic
> protection for systems or data:
>
> - loss of the system means loss of all data
>
> - a hardware failure may lead to lost data or system
> integrity
>
> - a disgruntled user may lead to denial of service
>
> - an employee may hide his activities from the
> security department
>
> Obviously (now) the third answer is the correct one
>
> Andrea
>
>
>
>
>
>
> On Sun, Sep 20, 2009 at 12:51 AM, Mike Archuleta <mlarchuleta at gmail.com>
> wrote:
>
>
> Oh yeah!!! The test really quizzes you on subject
> matter. Even though I passed on the first try I wasn't entirely happy
> with the experience.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 5:41 PM, Andrea Gatta <andrea.gatta at gmail.com>
> wrote:
>
>
>
> So I guess I should actually watch out
> for these sort of questions in the real exam...
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 12:28 AM, Mike Archuleta <mlarchuleta at gmail.com>
> wrote:
>
>
> I remember this question. It is
> the most correct answer based on wording. After realizing that answer
> included placed with authorized users.
>
> I think I argued with myself for
> five minutes. Who places a database near authorized users? I put a
> database in the data center with all my servers and backup systems.
>
> Sent from my iPhone
>
> On Sep 19, 2009, at 5:19 PM, Andrea Gatta <andrea.gatta at gmail.com>
> wrote:
>
>
>
> Well, same here.
>
> Unfortunately the question is from the official ISC2 guide, page 747 ;-)
>
> Point is, any chance they got it wrong?
>
> Andrea
>
>
> On Sun, Sep 20, 2009 at 12:15 AM, Mike Archuleta <mlarchuleta at gmail.com>
> wrote:
>
>
> I would think neither improve or reduce availability. I don't think of
> crypto as an availability feature.
>
> Sent from my iPhone
>
>
> On Sep 19, 2009, at 5:06 PM, Andrea Gatta <andrea.gatta at gmail.com>
> wrote:
>
>
>
> Hi there,
> I am wondering if anyone could shed a light on the following question
> (and answer):
>
> In terms of databases, cryptography can:
>
> - only restrict and reduce availability
>
> - improve availability by allowing data to be easily placed where
> authorized users can access it
>
> - improve availability by increasing the granularity of the access
> controls
>
> - neither reduce or improve availability
>
>
> As far as the author of the question is concerned the correct answer is:
> "improve availability by allowing data to be easily placed where
> authorized users can access it"
>
> The only reason I can think of for the answer to have a sense is that
> cryptography protects a resource from unauthorized users access through
> the means of concealing its content.
>
> With a very long shot one could say that the resource would be
> "available" just to authorized users. Which means that this question
> uses "availability" in a very extensive - and I would add devious - way.
>
> As far as I am concerned encryption does provide confidentiality and
> integrity as natural security services.
>
> Thoughts?
>
> Thanks
> Andrea
>
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 21 Sep 2009 15:37:50 +0100
> From: Andrea Gatta <andrea.gatta at gmail.com>
> To: The CISSP Study Mailing list <cisspstudy at cccure.org>
> Subject: Re: [Cisspstudy] Databases and cryptography
> Message-ID: <89ab1b610909210737l59ac1349g7f8b6bb6c6076429 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> The SANS material seems to be more "inline" with the ISC2 way of thinking.
> At least SANS does mention where you need to just "swallow the pill" and
> move on.
>
> I have personally found a number of clear differences even when it comes to
> things such as encryption methods, systems, types. I can't remember from
> the top of my head but I bet I have found inconsistencies between Shon
> Harris book and the ISC2 guide.
>
> The point is, Shon Harris is very good when it comes to drive the concept
> home. Clearly the level of trickery of the CISSP exam - if it is true which
> I don't know (yet) - might get in the way.
>
> Andrea
>
--
Sergio Pantoja H.
spantoja at gmail.com
System, Network and Security Administrator
Linux User register #239475
Mandrake Club Member