Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Rooks
Newcomer III
‎08-07-2024 04:28 PM
‎08-07-2024 04:28 PM

CISSP Review Questions

Hello All,

 

I'm reviewing some questions for CISSP exam preparation. I found answers for some of the questions are questionable and would like to find your take on this.  You feedback is very much appreciated.

 

I'm copied/mentioned some folks here that I encountered with or saw their feedbacks in other communities. Thank you all in advance.

 @rslade @dcontesti @denbesten  @funkychicken @Vigenere @Shannon @gidyn @alekos

 

 

Question 1. 

 

Johny needs to provide a set of minimum security requirements for email. What steps should he recommend for his organization to ensure that the email remains secure?

 

A.   All email should be encrypted

B.   All email should be encrypted and labelled

C.  Sensitive email should be encrypted and labelled

D.  Only highly sensitive email should be encrypted

 

 

Answer: Given answer is C. 

 

However, I think it should be A because the question is not mentioning anything to do with classification.

What do you think? 

 

Labels
Reply
0 Kudos
36 Replies
denbesten
Community Champion
‎08-07-2024 08:06 PM
‎08-07-2024 08:06 PM

Minimum is the key word here.  Encrypting all email is not a "minimum".

Reply
JoePete
Advocate I
‎08-08-2024 10:45 AM
‎08-08-2024 10:45 AM

My two cents:

 

Nowhere in RFC 2822 does the word "label" appear. Therefore, B and C are not secure under the concept of availability; there is no assurance that Johny's "labels" will be recognized or respected by a recipient. The problem with A and D is that it doesn't say how they are encrypted. If you're dealing with a PKI, now that is a pretty good idea. But if you are using DES with a password of "cat" that you share with everyone, then "encrypted" really doesn't mean much. The other issue with D is that if we read it literally (and apply the legal definition of Highly Sensitive Data) then we are excluding things like confidential data. So I would say A is the best answer but even that has its shortcomings.

 

Bear in mind that no matter the source, no "prep" question has appeared on the actual exam, and the folks who write those exam questions do not write prep questions. You're going to have some bad questions, especially on these test preps. Don't get hung up on them.

Reply
Rooks
Newcomer III
‎08-08-2024 07:39 PM
‎08-08-2024 07:39 PM

Thank you @denbesten.

 

I see how you're picking up the keyword. But with this the answer should be D, no?

 

I'm just concerned that it chose the option C that has label in it, but the question did not say anything about label.

 

Reply
0 Kudos
Rooks
Newcomer III
‎08-08-2024 07:48 PM
‎08-08-2024 07:48 PM

Thank you @JoePete . Appreciate the feedback and explanation.

 

Yes, for the very same reason (use of labels), I think the answer should by A.

 

 

Thanks for the heads up on source prep questions.

 

fyi - this question is from the latest edition Sybex. 

Reply
0 Kudos
Rooks
Newcomer III
‎08-09-2024 10:37 AM
‎08-09-2024 10:37 AM

Here's another question that I would like to see how you interpret, your answer and explanation please. Thank you!

 

Question 2.

 

Jerry is a cryptanalyst and is working on breaking a cryptographic algorithm's secret key. He has a copy of an intercepted message that is encrypted, and he also has a copy of the decrypted version of that message. He wants to use both the encrypted message and its decrypted plaintext to retrieve the secret key for use in decrypting other messages. what type of attack is Jerry engaging in?

 

A.  Chosen ciphertext

B.  Chosen plaintext

C.  Known plaintext

D.  Brute force

 

Answer: Given answer is C

 

However, I think it should be B because the attacker can see the copy of the encrypted and its decrypted message.

What do you think? 

Reply
0 Kudos
denbesten
Community Champion
‎08-09-2024 04:37 PM
‎08-09-2024 04:37 PM

Jerry is a cryptanalyst and is working on breaking a cryptographic algorithm's secret key. He has a copy of an intercepted message that is encrypted, and he also has a copy of the decrypted version of that message.

Jerry did not get to chose the plaintext, but he knows what it is.

Reply
denbesten
Community Champion
‎08-09-2024 04:43 PM
‎08-09-2024 04:43 PM

 but the question did not say anything about label.

Without a label, how would one know if the message requires encryption.

 

Don't get hung up on labeling. It need not be anything fancy.  It could be as simple as adding "confidential" to the subject line if that is what the involved people agree to.

 

Reply
0 Kudos
Rooks
Newcomer III
‎08-09-2024 06:04 PM
‎08-09-2024 06:04 PM

Thanks @denbesten.


Interpretation and understanding are the key in some cases to answer properly.

So, you think the answer given (C) is correct?

Reply
0 Kudos
Rooks
Newcomer III
‎08-10-2024 09:45 AM
‎08-10-2024 09:45 AM

Good question @denbesten "Without a label, how would one know if the message requires encryption."

 

I see now how/where you are coming from. Thx for clarifying. So, this labeling is a required component and implied. 

Reply
0 Kudos