CISSP – Domain 1 – Security and Risk Management

Which of the following most closely resembles “seeks to prevent unauthorized modification of information”?

Integral

Integrity

Confidential

Secret

Integrity seeks to prevent unauthorized modification of information.

The goal of Integrity is to prevent unauthorized modification of information. The modification can come from an authorized person making an unauthorized, or simply erroneous, update, or from an unauthorized person making any update at all. Either way, Integrity ensures there are no unauthorized changes to data. The cybersecurity professional needs to be aware of two types of integrity: data integrity and system integrity. Data integrity seeks to protect the data; system integrity seeks to protect the computer system itself. ( Think of a Red Hat server. ) Getting back to the medical field, authorized individuals make unauthorized updates to patient information on a daily basis. Do a Google search for “die from wrong blood type”.

In a more down-to-earth example, think of the many transactions that happen at a typical bank branch in a day. Bank customers expect their transactions to be accurate. The balance should always reconcile, no matter how many transactions occur in a given month or what their values are. The value of the funds withdrawn and the value of the funds deposited need to be consistent. This is a function of integrity.

Several technologies exist that support preserving Integrity. A digital signature provides for the authenticity of a digital message and, among other things, ensures that the message was not altered in transit. A rather old technology, used in everything from modem transmission to storing data in RAID 5, is the parity bit. Checksums are similar to parity bits: a checksum is a block of digital data that is used to detect errors which may have been introduced during transmission or storage. Each of these ensures the Integrity of data for the user.
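As an added example, not code from the original post, here are the three integrity controls named above side by side in Python: a parity bit, a CRC-32 checksum, and an HMAC (a keyed hash standing in for the tamper-evidence role the paragraph assigns to digital signatures). The patient record and the key are constructed sample values. The cases show what each control catches and what it misses: parity misses an even number of flipped bits, and a plain checksum can simply be recomputed by whoever altered the data, which is why a keyed HMAC or a real signature is needed against deliberate modification rather than accidental corruption.

```python
"""Added example (not from the original post): parity bit, CRC-32 checksum and
HMAC-SHA256 compared as integrity checks. SAMPLE_RECORD and SAMPLE_KEY are
constructed demonstration values."""
import hashlib
import hmac
import zlib

SAMPLE_RECORD = b"patient=12345;blood_type=O-"        # constructed sample data
SAMPLE_KEY = b"constructed-demo-key-not-for-production"  # constructed key


def even_parity_bit(byte: int) -> int:
    """Parity bit that makes the total count of 1 bits (data + parity) even."""
    return bin(byte & 0xFF).count("1") % 2


def parity_ok(byte: int, parity: int) -> bool:
    """True when the received byte still matches the stored parity bit."""
    return even_parity_bit(byte) == parity


def checksum(data: bytes) -> int:
    """CRC-32 as used by gzip/zip; detects accidental corruption, not tampering."""
    return zlib.crc32(data) & 0xFFFFFFFF


def checksum_ok(data: bytes, expected: int) -> bool:
    return checksum(data) == expected


def sign(data: bytes, key: bytes) -> str:
    """Keyed digest: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(sign(data, key), tag)


def demo() -> dict:
    """Run each control against an intact copy, a corrupted copy and a tampered copy."""
    results = {}

    # Parity: 0b01101001 has four 1 bits, so its even-parity bit is 0.
    byte = 0b01101001
    p = even_parity_bit(byte)
    results["parity_single_flip_detected"] = not parity_ok(byte ^ 0b00000001, p)
    results["parity_double_flip_detected"] = not parity_ok(byte ^ 0b00000011, p)  # missed

    # Checksum: a one-byte storage error ("O" read back as "0") is caught...
    crc = checksum(SAMPLE_RECORD)
    corrupted = SAMPLE_RECORD.replace(b"O-", b"0-")
    results["checksum_detects_corruption"] = not checksum_ok(corrupted, crc)
    # ...but someone who alters the record can recompute the checksum to match.
    altered = SAMPLE_RECORD.replace(b"O-", b"AB+")
    results["checksum_fooled_by_recompute"] = checksum_ok(altered, checksum(altered))

    # HMAC: without the key the altered record cannot be given a valid tag.
    tag = sign(SAMPLE_RECORD, SAMPLE_KEY)
    results["hmac_accepts_original"] = verify(SAMPLE_RECORD, SAMPLE_KEY, tag)
    results["hmac_detects_alteration"] = not verify(altered, SAMPLE_KEY, tag)
    results["hmac_wrong_key_rejected"] = not verify(
        altered, SAMPLE_KEY, sign(altered, b"guessed-key"))
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:<32} {outcome}")
```

The parity and CRC cases are the "accidental error" half of the picture; only the keyed check stands up to a party who can rewrite both the data and the check value.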

CISSP – Confidentiality

Which of the following best represents the description – “seeks to prevent the unauthorized disclosure of information”?

So our choices for this question are:

Confidentiality

Integrity

Secret

Private

The answer is… Confidentiality.

Confidentiality

The purpose of confidentiality is to inhibit the unauthorized disclosure of information, which makes Disclosure the opposite of Confidentiality. The cybersecurity professional must keep data secret. So we need to keep unauthorized people/systems from accessing data they have no business seeing. Many times confidentiality is associated with safeguarding PII, or Personally Identifiable Information. PII can take many forms, such as credit card information, social security number, driver's license number, or any number of other data that can personally identify an individual.

Data must be safeguarded such that only users who have clearance, formal approval, and the need to know can access it. Need to know is an interesting qualifier, as some users within an organization may have clearance for data but no real need to know. This happens frequently in top secret government locations. Without need to know, users are not allowed to see data they may otherwise have clearance to view.

Privacy is closely associated with Confidentiality. Numerous countries around the world have laws specifically geared to protecting the privacy of their citizens. The United States is not one of them. Instead there is a piecemeal set of regulations, such as HIPAA, Sarbanes–Oxley, and Gramm–Leach–Bliley, that provides a rudimentary foundation for privacy. The Health Insurance Portability and Accountability Act (HIPAA) is specific to the medical field. It requires that medical providers keep the medical information of their patients private. To some extent it makes working with your provider more difficult, as you have to specifically indicate who they can talk to about your condition, including your spouse. Now for some, I can see where that could be an issue. ( Think of a spouse that has something to hide, perhaps about certain of their activities. ) For me, it is just a pain that I have to fill out more paperwork, but the intent is safeguarding Confidentiality.

CISSP – Domain 1 – Security and Risk Management

What is the opposite of the CIA Triad?


disclose, alter, destroy

disclose, allow, deny

duplicate, allow, destroy

duped, allowed, mangled


We should probably start this reply by talking about what CIA should represent to the #cybersecurity professional. CIA stands for Confidentiality, Integrity, and Availability. So what would be the opposite? The best answer is disclose, alter, destroy, as Twitter had issues when I tried to put in Disclosure, Alteration, and Destruction. Let’s look at each of these a little closer.

Disclosure is “the action of making new or secret information known.” So what does that sound like we would be circumventing?  You guessed it:  Confidentiality.  Disclosure is the enemy of Confidentiality.

Alteration is “the act or process of altering; the state of being altered.”  Okay, it is a rather sucky definition.  It would be better if it said something like the opposite of Integrity, or even using a word other than “altering” like maybe changing, but that is what Merriam-Webster came up with.  What we can gather from this definition is – Alteration is the opposite of Integrity.

Which brings us to our last opposite. What could possibly be the opposite of Availability? Believe it or not, it is Destruction. I know it doesn’t line up quite as nicely as Confidentiality to Disclosure or Integrity to Alteration, but it is what it is. The opposite of Availability is Destruction.

So you may be thinking, “Is it critical that I know the opposites of the CIA triad?”  The answer lies in where you want your cybersecurity career to go.  Are you thinking of taking the CISSP certification exam?  ( I would guess you are if you are reading this. ) If so, then h*ll yes you need to know DAD.  ( Notice: that is the acronym for Disclosure, Alteration, Destruction. )  I have seen this on numerous practice tests.  So take a few minutes and know what the acronym DAD stands for.

CISSP – Domain 1 – Security and Risk Management

Security is based on 3 core principles. Which of the following is not one of them?

Confidentiality

Integrity

Availability

Accountability

Accountability is not part of the CIA triad. Confidentiality, Integrity, and Availability make up the triad. It is not unusual to see these referenced as Availability, Integrity, and Confidentiality, or abbreviated as AIC. Regardless of the order, it is critical that the #CISSP candidate know them and have a thorough understanding of what they mean in the #cybersecurity world.

Confidentiality

The purpose of confidentiality is to inhibit the unauthorized disclosure of information. ( Guess what the opposite of confidentiality is. That’s right: disclosure. ) The cybersecurity professional must keep data secret. So we need to keep unauthorized people/systems from accessing data they have no business seeing. Many times confidentiality is associated with safeguarding PII, or Personally Identifiable Information. PII can take many forms, such as credit card information, social security number, driver's license number, or any number of other data that can personally identify an individual.

Integrity

The goal of Integrity is to prevent unauthorized modification of information. The modification can come from an authorized person making an unauthorized, or simply erroneous, update, or from an unauthorized person making any update at all. Either way, Integrity ensures there are no unauthorized changes to data. The cybersecurity professional needs to be aware of two types of integrity: data integrity and system integrity. Data integrity seeks to protect the data; system integrity seeks to protect the computer system itself. ( Think of a Red Hat server. ) Getting back to the medical field, authorized individuals make unauthorized updates to patient information on a daily basis. Do a Google search for “die from wrong blood type”.

Availability

The third item in the cybersecurity triad is Availability. Perhaps it is the least important, as it does not provide safeguards for the data itself or for who can access the data; rather, it ensures the information is available when required. Many have come to appreciate the criticality of Availability after experiencing a DDoS attack. Your data is no good if you cannot access it. Therefore, Availability is fittingly included in the CIA triad.

Learn about Cybersecurity certification exams

Welcome to an all new site for learning ways to pass Cybersecurity certification exams.  We will start with CISSP and CCSP.  We will move on to CCSK and Checkpoint CCSA/CCSE.  Stay tuned for lots of great content.

Now you may be thinking, “Why should I follow this BLOG?” So I guess I owe it to you to give you a bit of background on me. I have been taking ( and passing, by the way ) IT certification tests since Novell was THE certification to get. Now some of you may not know what, or who(m), Novell is. Lest I digress, let me just say I have been passing, versus just taking, certification tests since around 1994.

I started with Novell to achieve Master Certified Novell Engineer, or MCNE, yeah that is right, MASTER. It was an interesting title. I then moved on to Microsoft. I achieved the Microsoft Certified Systems Engineer plus Internet, or MCSE+I. Next I took on Citrix. Citrix was really easy. I think it was like one test. That was child’s play. I moved on to Checkpoint and achieved Certified Checkpoint Security Administrator, followed by Certified Checkpoint Security Engineer. Again these were only one test each, so they weren’t really that difficult to achieve. Nonetheless I was an MCNE, MCSE+I, CSE, CCSA, and CCSE. I was in pretty limited company.

I realized there may be others that would like to pass the CCSA and CCSE, so I started writing practice exams for a company called Boson. They had a nice marketplace where external consultants could add to the Boson library of tests. I threw my hat, well not really my hat, it was more of a hopeful request, into the ring and submitted test questions for Citrix and Checkpoint. In just a few months I was selling hundreds of copies a month. I also got good reviews.

So now, many months, yeah really YEARS, later, I launch my own site that will offer test questions for nothing. Yeah, long term I hope to get something out of this financially. I read an article today entitled “The Power of Doing Things For The Right Reasons”. You can check it out here – https://readwrite.com/2018/03/09/power-things-right-reasons/amp/ Maybe this is a bit about helping others…