PuettK
Newcomer III

Re: CISSP questions

Data dictionaries are specific to the data field as length, type, required etc. This is a good description of data dictionaries https://www.bridging-the-gap.com/data-dictionary/

rslade
Influencer II

Re: CISSP questions

Oh, and, just to make sure that you know, "blockchain" is not the answer.

 

Unless the question is "stupidest 'magic security technology' buzzphrase in the last decade."


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
AhmedAnas
Viewer II

Re: CISSP questions

I would like to thank you for your great effort, I have one question, why do you consider role-based access control as discretionary access control.

 

Sybex and other references consider role-based access control and rule-based access control as non-discretionary access control.

 

Can you elaborate this more?

 

Thanks again, Your questions and answers are really helpful.

AhmedAnas
Viewer II

Re: CISSP questions

Thanks Again, I am also confused here one more time,

 

Sybex and other references consider role-based access control and rule-based access control as non-discretionary access control.

 

Can you clear this for me a little more

 

I do appreciate your effort.

 

Thanks,

PuettK
Newcomer III

Re: CISSP questions

Think of it this way - you are "tagged" with a role, i.e. domain admin.  If the user is placed in a role- or rule-based control for domain admin, you as the user have no say in it - therefore non-discretionary.

rslade
Influencer II

Re: CISSP questions

> AhmedAnas (Viewer) posted a new reply in Exams on 09-05-2020 12:41 PM in the

> I would like to thank you for your great effort, I have one question, why do you
> consider role-based access control as discretionary access control.   Sybex and
> other references consider role-based access control and rule-based access
> control as non-discretionary access control.   Can you elaborate this more?

OK, if I have said anywhere that role-based access control and discretionary access
control are equivalent, I apologize. They aren't the same thing at all. Role-based
access control is a form of managing or administering an existing access control
system, in terms of assigning permissions *or* clearances. Thus role-based access
control can be used with either MAC or DAC. (Historically, the first papers to
describe mandatory access control did seem to assume a form of role-based access
control, but you only have to look at ACL groups to see that role-based methods
can be used with DAC.)

Sybex is, once again, wrong or incomplete. NDAC is a rather ancient (by now)
structure that relies on a central office. As such, yes, it could use either role or
rule-based systems, but isn't tied to them.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Even if you are a minority of one, the truth is the truth. - Gandhi
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

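The distinction drawn in the reply above (role-based assignment is an administration layer that can sit on top of either DAC or MAC) can be shown in a few lines of code. The following is an added example, not code from the thread or from any product: users, roles, labels and the "report" object are all constructed for illustration. On the DAC side the object's owner controls its ACL and a role name is used like an ACL group; on the MAC side labels are fixed by policy and roles only confer a clearance.

```python
# Added example: role-based assignment layered over DAC (owner-controlled ACLs,
# with roles acting like ACL groups) and over MAC (labels compared against the
# clearance a role confers). All users, roles, labels and objects are constructed.

LEVELS = {"public": 0, "confidential": 1, "secret": 2}

# Role administration: who is in each role, and what clearance a role confers.
ROLE_MEMBERS = {"analysts": {"alice", "bob"}, "admins": {"carol"}}
ROLE_CLEARANCE = {"analysts": "confidential", "admins": "secret"}


def roles_of(user):
    return {role for role, members in ROLE_MEMBERS.items() if user in members}


# --- DAC: the object's owner decides who is on the ACL ---
def make_dac_object(owner):
    return {"owner": owner, "acl": {owner: {"read", "write", "own"}}}


def dac_grant(obj, actor, principal, ops):
    """Only the owner may change the ACL; principal may be a user or a role name."""
    if actor != obj["owner"]:
        return False
    obj["acl"].setdefault(principal, set()).update(ops)
    return True


def dac_allowed(obj, user, op):
    # A role entry on the ACL behaves exactly like a group entry.
    principals = {user} | roles_of(user)
    return any(op in obj["acl"].get(p, set()) for p in principals)


# --- MAC: labels are set by policy; roles only administer clearances ---
def clearance(user):
    return max((LEVELS[ROLE_CLEARANCE[r]] for r in roles_of(user)), default=0)


def mac_allowed(label, user):
    return clearance(user) >= LEVELS[label]


def demo():
    report = make_dac_object("alice")
    dac_grant(report, "alice", "analysts", {"read"})        # owner grants to a role
    carol_grant = dac_grant(report, "carol", "carol", {"read"})  # refused: not the owner
    return {
        "bob_reads_report": dac_allowed(report, "bob", "read"),
        "bob_writes_report": dac_allowed(report, "bob", "write"),
        "carol_grant_refused": not carol_grant,
        # Carol holds a secret clearance, but DAC ignores clearance: she is
        # simply not on the ACL.
        "carol_reads_report": dac_allowed(report, "carol", "read"),
        "carol_reads_secret": mac_allowed("secret", "carol"),
        "bob_reads_secret": mac_allowed("secret", "bob"),
        "bob_reads_confidential": mac_allowed("confidential", "bob"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same role table drives both decisions, yet neither decision is "role-based" in itself: in the DAC branch the owner's ACL is what grants access, and in the MAC branch the label-to-clearance comparison is. That is the sense in which a role is a way of administering an access control system rather than a third kind of system.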
rslade
Influencer II

Re: CISSP questions

Which of the following is NOT an effective deterrent against a database inference
attack?

a. Partitioning
b. Small query sets
c. Noise and perturbation
d. Cell suppression

Answer: b.

OK, over the years I have found that a lot of people get this one wrong.

First off, let's get rid of a and d. Database inference attacks are an old and
established threat against database systems, and are not subject to many defences.
Partitioning and cell suppression may not help much, but they do help.

Now we are left with small query sets (b) and noise and perturbation (c). Lots of
people choose noise and perturbation, because, well, noise. We don't want to
introduce errors into our databases, do we? That has to be the worst (and therefore,
in the wording of this question, right) answer.

The thing is that small query sets are, specifically, one of the tools that you do use
to mount inference attacks. So small query sets are, specifically, NOT an
effective deterrent against a database inference attack.

And what about noise and perturbation? Well, if you are really, seriously,
concerned about inference attacks, introducing small sources of noise and
perturbation (very carefully) *is* a very effective protection. (Which reminds
me: I'd better add that as a slide for my homomorphic encryption presentation on
Friday ...
https://community.isc2.org/t5/C/V/m-p/38219 )

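To make the two controls in the explanation above concrete, here is an added example (not from the post or from any product) of a small statistical query interface over a constructed salary table. It enforces a minimum query-set size, which is why the "all rows" and "all rows but one" pair that would isolate a single record is refused, and it releases sums with a small, bounded perturbation. The noise is keyed to the membership of the query set so that repeating the same query returns the same perturbed value; that is one of the "very carefully" details, since fresh noise on every call could be averaged away. The threshold, noise bound and records are all assumptions chosen for illustration.

```python
# Added example: minimum query-set size and keyed perturbation for a
# statistical database. The table, threshold and noise bound are constructed.
import hashlib

# Constructed sample table: (name, department, salary in thousands)
RECORDS = [
    ("alice", "eng", 100), ("bob", "eng", 110), ("carol", "eng", 120), ("dave", "eng", 130),
    ("erin", "ops", 90), ("frank", "ops", 95), ("grace", "ops", 105),
]

MIN_QUERY_SET = 3   # k: refuse query sets smaller than k, or larger than N - k
NOISE_BOUND = 10    # largest absolute perturbation added to a released sum


class QueryRefused(Exception):
    pass


def query_set(predicate):
    return [r for r in RECORDS if predicate(r)]


def check_set_size(rows):
    """Refuse both tiny sets and near-complete sets; the complement of a
    near-complete set is tiny, so a difference of two sums would expose it."""
    n = len(RECORDS)
    if len(rows) < MIN_QUERY_SET or len(rows) > n - MIN_QUERY_SET:
        raise QueryRefused(f"query set of size {len(rows)} refused (k={MIN_QUERY_SET}, N={n})")


def sum_salary(predicate):
    rows = query_set(predicate)
    check_set_size(rows)
    return sum(r[2] for r in rows)


def noisy_sum_salary(predicate):
    rows = query_set(predicate)
    check_set_size(rows)
    # Perturbation derived from the query set's membership: the same set
    # always receives the same noise, so repeats cannot be averaged out.
    key = ",".join(sorted(r[0] for r in rows)).encode()
    digest = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    noise = digest % (2 * NOISE_BOUND + 1) - NOISE_BOUND
    return sum(r[2] for r in rows) + noise


def is_refused(predicate):
    try:
        sum_salary(predicate)
    except QueryRefused:
        return True
    return False


if __name__ == "__main__":
    print("eng total:", sum_salary(lambda r: r[1] == "eng"))
    print("eng total (perturbed):", noisy_sum_salary(lambda r: r[1] == "eng"))
    print("single-row query refused:", is_refused(lambda r: r[0] == "alice"))
    print("all-but-one query refused:", is_refused(lambda r: r[0] != "alice"))
```

The size check is the part the exam question is really about: a small query set is the attacker's instrument, so a defender refuses it rather than relying on it. The perturbation then limits what can be learned from combinations of queries that individually pass the size check.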
PuettK
Newcomer III

Re: CISSP questions

Would agree - the key is the interface - think of this as what is truly an interface - forward facing - watch the answers

 

damann1
Viewer II

Re: CISSP questions

@rslade 


Thanks for taking the time to post sample questions. 

I had taken many practice tests but was still unsure if I was ready to take the exam.  I was wrong on several of the sample questions but I gained the confidence that I understood the principles and decided to take the exam.

I found the advice in your explanations was helpful.  I did come across one question that gave a definition and I had my understanding of the word. But when I looked at the answers, I hadn’t seen any of them mentioned before in my studies.  It gave me a slight chuckle when I thought " just because you don't know it, doesn't make it the right answer."  I was stuck choosing an answer I didn’t know.

To add something to this thread, I would say that the above statement and think of “initial steps” probably got me a couple of right answers.

rslade
Influencer II

Re: CISSP questions

Expert systems are commonly used to automate security log reviews for

a. user profiling.
b. intrusion detection.
c. system baselining.
d. access modeling

Answer: b.

(Reference: Caelli, Longley, and Shain, Information Security Handbook, Stockton
Press, 1991, pg 67)

Discussion:

Answer a - wrong - user profiling deals with user information, not intrusion.
Answer b - correct - intrusion detection software is used to review security logs.
Answer c - wrong - system baselining is usually not done in security reviews.
Answer d - wrong - fabricated answer.

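The kind of automated log review the question refers to is, at its simplest, a rule base of the form "if these facts appear in the log, then conclude this". The following is an added example (not from the post, and not modelled on any particular product) of such a rule-driven review run over a handful of constructed sshd-style auth log lines. Two rules are encoded: repeated failed logins from one source within a short window, and a failure followed by a success from the same source. The log lines, addresses, thresholds and windows are all assumptions made for illustration.

```python
# Added example: rule-based review of authentication log lines, in the
# if/then style of an expert-system rule base. Log lines are constructed;
# the addresses are documentation ranges, not real hosts.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = [
    "2020-09-05T12:41:01 sshd[1]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "2020-09-05T12:41:03 sshd[1]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "2020-09-05T12:41:05 sshd[1]: Failed password for admin from 203.0.113.5 port 40003 ssh2",
    "2020-09-05T12:41:09 sshd[1]: Accepted password for admin from 203.0.113.5 port 40004 ssh2",
    "2020-09-05T12:45:00 sshd[1]: Failed password for bob from 198.51.100.7 port 5000 ssh2",
    "2020-09-05T13:10:00 sshd[1]: Accepted publickey for bob from 198.51.100.7 port 5001 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(lines):
    """Turn raw lines into facts the rules can reason over; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def rule_repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """IF at least `threshold` failures from one source fall inside `window` THEN alert."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append(("repeated_failures", ip))
                break
    return alerts


def rule_failure_then_success(events, window=timedelta(minutes=10)):
    """IF a success follows a failure from the same source within `window` THEN alert."""
    alerts = []
    for e in events:
        if e["outcome"] != "Accepted":
            continue
        prior = [f for f in events if f["ip"] == e["ip"] and f["outcome"] == "Failed"
                 and timedelta(0) <= e["ts"] - f["ts"] <= window]
        alert = ("failure_then_success", e["ip"], e["user"])
        if prior and alert not in alerts:
            alerts.append(alert)
    return alerts


RULES = [rule_repeated_failures, rule_failure_then_success]


def review(lines):
    """Run every rule over the parsed facts and collect the conclusions."""
    events = parse(lines)
    alerts = []
    for rule in RULES:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in review(LOG_LINES):
        print(alert)
```

Bob's single failure followed twenty-five minutes later by a key-based login matches neither rule, which is the point of the windows: the rules are meant to separate intrusion-like patterns from the ordinary noise of a typo'd password, and tuning them is where most of the work of such a system goes.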