Hello All,
I'm reviewing some questions for CISSP exam preparation. I found that the answers for some of the questions are questionable and would like to get your take on this. Your feedback is very much appreciated.
I've copied/mentioned some folks here whom I have encountered or whose feedback I saw in other communities. Thank you all in advance.
@rslade @dcontesti @denbesten @funkychicken @Vigenere @Shannon @gidyn @alekos
Question 1.
Johny needs to provide a set of minimum security requirements for email. What steps should he recommend for his organization to ensure that the email remains secure?
A. All email should be encrypted
B. All email should be encrypted and labelled
C. Sensitive email should be encrypted and labelled
D. Only highly sensitive email should be encrypted
Answer: Given answer is C.
However, I think it should be A because the question does not mention anything to do with classification.
What do you think?
Minimum is the key word here. Encrypting all email is not a "minimum".
My two cents:
Nowhere in RFC 2822 does the word "label" appear. Therefore, B and C are not secure under the concept of availability; there is no assurance that Johny's "labels" will be recognized or respected by a recipient. The problem with A and D is that it doesn't say how they are encrypted. If you're dealing with a PKI, now that is a pretty good idea. But if you are using DES with a password of "cat" that you share with everyone, then "encrypted" really doesn't mean much. The other issue with D is that if we read it literally (and apply the legal definition of Highly Sensitive Data) then we are excluding things like confidential data. So I would say A is the best answer but even that has its shortcomings.
Bear in mind that no matter the source, no "prep" question has appeared on the actual exam, and the folks who write those exam questions do not write prep questions. You're going to have some bad questions, especially on these test preps. Don't get hung up on them.
Thank you @denbesten.
I see how you're picking up the keyword. But with this the answer should be D, no?
I'm just concerned that it chose the option C that has label in it, but the question did not say anything about label.
Thank you @JoePete. Appreciate the feedback and explanation.
Yes, for the very same reason (use of labels), I think the answer should be A.
Thanks for the heads up on source prep questions.
FYI - this question is from the latest edition of Sybex.
Here's another question that I would like to see how you interpret, your answer and explanation please. Thank you!
Question 2.
Jerry is a cryptanalyst and is working on breaking a cryptographic algorithm's secret key. He has a copy of an intercepted message that is encrypted, and he also has a copy of the decrypted version of that message. He wants to use both the encrypted message and its decrypted plaintext to retrieve the secret key for use in decrypting other messages. What type of attack is Jerry engaging in?
A. Chosen ciphertext
B. Chosen plaintext
C. Known plaintext
D. Brute force
Answer: Given answer is C
However, I think it should be B because the attacker can see the copy of the encrypted and its decrypted message.
What do you think?
"Jerry is a cryptanalyst and is working on breaking a cryptographic algorithm's secret key. He has a copy of an intercepted message that is encrypted, and he also has a copy of the decrypted version of that message."
Jerry did not get to choose the plaintext, but he knows what it is.
"but the question did not say anything about label."
Without a label, how would one know if the message requires encryption?
Don't get hung up on labeling. It need not be anything fancy. It could be as simple as adding "confidential" to the subject line if that is what the involved people agree to.
Thanks @denbesten.
Interpretation and understanding are the key in some cases to answer properly.
So, you think the answer given (C) is correct?
Good question @denbesten "Without a label, how would one know if the message requires encryption?"
I see now how/where you are coming from. Thx for clarifying. So, this labeling is a required component and implied.