Jay Ranade CISSP Axioms
Sample CISSP Axioms III
20. A longer key (e.g. a 256-bit AES key) provides stronger encryption than a shorter key, even when the shorter key is used for multiple passes of encryption (e.g. Triple DES). Chaining a cipher does not multiply its key strength, because a meet-in-the-middle attack trades memory for time; this is why Triple DES with 168 bits of keying material gives only about 112 bits of effective security.
21. SSL's (Secure Sockets Layer) primary use is to authenticate the server to the client, not the client to the server; client authentication with client certificates is optional. SSL was developed by Netscape to secure Internet client-server transactions and has since been superseded by TLS. Web pages protected by SSL/TLS have URLs beginning with https://. SSL/TLS can also protect other application protocols such as Telnet, FTP and email (SMTP, POP, IMAP).
22. DES (Data Encryption Standard) was adopted for commercial applications and specifies the DEA (Data Encryption Algorithm). It uses a 64-bit block size and a 56-bit key (the nominal 64-bit key includes 8 parity bits). DES is no longer considered secure: a 56-bit key can be exhaustively searched.
23. The Rijndael algorithm (selected as AES) showed resistance against all attacks known at the time of its selection, has design simplicity and code compactness on a wide variety of platforms, and accepts key sizes of 128, 192 or 256 bits. Rijndael itself also allows 128-, 192- or 256-bit blocks; the AES standard fixes the block size at 128 bits.
24. A digital signature is a value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity.
25. A digital envelope is the combination of data encrypted under a symmetric session key and that session key encrypted with the recipient's public key, prepared so that only the intended recipient can open it.
26. IDEA cipher algorithm operates on 64-bit plaintext blocks and uses a 128 bit key
27. A hash algorithm produces a message digest. The digest becomes a digital signature ONLY after it is signed with the sender's private key; the recipient recomputes the digest and checks the signature with the sender's public key, which proves both origin and integrity.
28. Visual surveillance or recording devices such as closed circuit television are used in conjunction with guards in order to enhance their surveillance ability and to record events for future analysis or prosecution.
29. When events are monitored live (by guards watching the cameras), the control is considered preventive, whereas recording of events for later review is considered detective in nature.
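Axiom 20 in working code, as an added example that is not part of Jay Ranade's list: a toy 16-bit block cipher (constructed here; it is not DES and has no security of its own) is applied twice with two independent keys, and a meet-in-the-middle attack recovers both keys with about 2 x 2^16 cipher calls and a 2^16-entry table instead of the 2^32 brute force that 32 bits of keying material would suggest. This is exactly why Triple DES needs three passes to reach only 112 bits of security, and why a genuinely longer key (AES-256) is the better answer. All names (toy_encrypt, meet_in_the_middle, the keys and plaintexts) are this example's own.

```python
"""Meet-in-the-middle against double encryption, on a toy 16-bit cipher.

The cipher, keys and plaintexts are constructed for this example; it is not
DES and not a real cipher. Two passes with two independent 16-bit keys look
like a 32-bit key, but recovering both costs about 2 * 2^16 cipher operations
plus a 2^16-entry table, not 2^32 trial encryptions.
"""
MASK = 0xFFFF


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(key, block):
    """Four rounds of add-key, rotate, xor-rotated-key (toy cipher built here)."""
    x = block
    for i in range(4):
        x = (x + key) & MASK
        x = rotl16(x, 5)
        x ^= rotl16(key, 3 * i)
    return x


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt: undo the rounds in reverse order."""
    x = block
    for i in reversed(range(4)):
        x ^= rotl16(key, 3 * i)
        x = rotr16(x, 5)
        x = (x - key) & MASK
    return x


def double_encrypt(k1, k2, block):
    """Two passes with independent keys: the 'more passes with a small key' idea."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with known plaintext/ciphertext pairs.

    pairs[0] drives the attack: encrypt p0 under every k1 into a table, then
    decrypt c0 under every k2 and look the result up. The remaining pairs weed
    out the false matches that a 16-bit block inevitably produces.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << 16):                      # 2^16 encryptions, stored
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    survivors = []
    for k2 in range(1 << 16):                      # 2^16 decryptions, looked up
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                survivors.append((k1, k2))
    return survivors


def demo():
    """Attack a constructed key pair using five known plaintext/ciphertext pairs."""
    k1, k2 = 0x3A7F, 0xC415                        # the secret keys (constructed)
    plaintexts = [0x0000, 0x1234, 0xBEEF, 0xCAFE, 0x5A5A]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])   # the recovered key pair
```

The attack needs one table of 2^16 entries and roughly 2^17 cipher calls; against a real 56-bit cipher run twice the same idea costs about 2^57 work plus 2^56 storage, which is why double DES was never adopted and why the third pass of Triple DES exists.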
Sample CISSP Axioms II
11. It is important that the disaster recovery plan identify alternate processes (e.g. manual workarounds) that can be put in place while the system is unavailable.
12. A system is classified as critical when its functions cannot be performed manually or by any substitute; they can only be replaced by identical capabilities.
13. A list of which activities succeeded and which failed is the most useful part of recovery plan test results for management.
14. Incremental backups copy only data changed since the last backup of any type and clear the archive bit, so an unchanged file is not backed up again. Differential backups copy all data changed since the last full backup and do not reset the archive bit, so each differential grows until the next full backup. Full backups copy all selected data regardless of the archive bit and reset it.
15. Although the incremental backup is the fastest to run, it is usually the most time-consuming to restore, because the last full backup and every incremental since it must be applied in order; a differential restore needs only the last full backup and the most recent differential.
16. Alternate routing is routing information over an alternate medium such as copper cable or fiber optics. It involves using different networks, circuits or end points should the normal network be unavailable.
17. Last-mile circuit protection is a redundant combination of local carrier T1s, microwave and/or coaxial cable access to the local communications loop. It lets the facility retain access during a local carrier communication disaster.
18. Long-haul network diversity is a diverse long-distance network using T1 circuits among the major long-distance carriers. It ensures long-distance access should any one carrier experience a network failure.
19. The Key Exchange Algorithm (KEA) is a key agreement algorithm similar to Diffie-Hellman. It uses 1024-bit asymmetric keys and was developed by the NSA, which originally classified it at the Secret level and declassified it in 1998.
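Axioms 14 and 15 as an added example, not from the original list: a small archive-bit model of full, incremental and differential backups over a constructed seven-day schedule. It shows which files each run captures, that a differential set grows until the next full backup, and that the incremental strategy needs the full backup plus every incremental to restore while the differential strategy needs only two sets. All names (backup, simulate, restore_chain, CHANGES) are this example's own.

```python
"""Archive-bit model of full, incremental and differential backups.

Added example. A filesystem is a dict name -> {"version", "archive"}: version
is the day the file last changed, and the archive bit means "changed since a
full or incremental backup last cleared it". Schedules are constructed.
"""


def backup(fs, kind):
    """Run one backup; return {name: version} captured and update archive bits."""
    if kind == "full":
        captured = {name: meta["version"] for name, meta in fs.items()}
    elif kind in ("incremental", "differential"):
        captured = {name: meta["version"] for name, meta in fs.items() if meta["archive"]}
    else:
        raise ValueError(f"unknown backup kind {kind!r}")
    if kind != "differential":       # full and incremental reset the bit; differential does not
        for name in captured:
            fs[name]["archive"] = False
    return captured


def simulate(schedule, changes):
    """Apply each day's changes, then that day's backup; return live fs and the log."""
    fs, log = {}, []
    for day, (kind, changed) in enumerate(zip(schedule, changes), start=1):
        for name in changed:
            fs[name] = {"version": day, "archive": True}
        log.append((kind, backup(fs, kind)))
    return fs, log


def restore_chain(log):
    """Indices of the backup sets needed to rebuild the latest state.

    Last full, plus every incremental after it, plus the last differential if it
    is newer than the last incremental (an older differential is fully covered
    by a later incremental, since only full and incremental runs clear the bit).
    """
    last_full = max(i for i, (kind, _) in enumerate(log) if kind == "full")
    later = range(last_full + 1, len(log))
    chain = [last_full] + [i for i in later if log[i][0] == "incremental"]
    diffs = [i for i in later if log[i][0] == "differential"]
    if diffs and diffs[-1] > chain[-1]:
        chain.append(diffs[-1])
    return chain


def restore(log, chain):
    """Replay the chosen sets in order; later sets overwrite earlier versions."""
    state = {}
    for i in chain:
        state.update(log[i][1])
    return state


def live_versions(fs):
    return {name: meta["version"] for name, meta in fs.items()}


# Constructed week: four files created on day 1, then one file touched per day.
CHANGES = [("a", "b", "c", "d"), ("a",), ("b",), ("a",), ("c",), ("b",), ("d",)]
INCREMENTAL_WEEK = ["full"] + ["incremental"] * 6
DIFFERENTIAL_WEEK = ["full"] + ["differential"] * 6


def compare_strategies():
    """Per-day set sizes and restore-chain length for each strategy."""
    result = {}
    for name, schedule in (("incremental", INCREMENTAL_WEEK),
                           ("differential", DIFFERENTIAL_WEEK)):
        fs, log = simulate(schedule, CHANGES)
        chain = restore_chain(log)
        result[name] = {"set_sizes": [len(captured) for _, captured in log],
                        "chain_length": len(chain),
                        "restores_correctly": restore(log, chain) == live_versions(fs)}
    return result


if __name__ == "__main__":
    for strategy, stats in compare_strategies().items():
        print(strategy, stats)
```

The incremental week captures one file per day but needs all seven sets at restore time; the differential week captures a growing set each day (the bit is never cleared) but restores from just the full backup and the latest differential.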
Sample CISSP Axioms I
1. The data custodian is responsible for the maintenance and protection of data. This role usually sits in the IT department and is commonly filled by the database administrator (DBA).
2. The data owner is ultimately responsible for the protection and use of the data but delegates day-to-day maintenance to the data custodian (again, typically the DBA).
3. Residual risk is "The security risk that remains after controls have been implemented"
4. A vulnerability is "a weakness of an asset which can be exploited by a threat".
5. "The result of an unwanted incident", when a threat exploits a vulnerability, is called the impact.
6. Many important issues in computer security involve human users, designers, implementers, and managers. A broad range of security issues relates to how these individuals interact with the computers and the access and authorizations that they need to do their jobs.
7. Since operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems), personnel security is considered a form of operational control.
8. Integrity is also the guarantee that the message received is the message that was sent, and that it was not intentionally or unintentionally altered in transit.
9. Integrity is defined as making sure that data has not been changed without authorization, whether by accident or by malice.
10. The criticality of the operations affected by the disaster is the basis for computing the window of time for recovering processing capability, the recovery time objective (RTO). The nature of the disaster is not the basis for determining RTO.