Tip #12: Learning various levels of data classification

Data classification from public (open) to top secret (only a few can access) levels and the classification procedures (first step to the last).

Domain: Asset Security, Security and Risk Management.

Subdomain: Information and asset classification.

Subject background: Classification of information can be for the government and for the private/public-sector companies. Clearly, the private and public sector companies are not governed by the politicians or the government and thus can have their own classification system and need not conform to any single rule. Moreover, the classification system for private industry can be different from one company to the other.

Analysis: From the verbiage, we note that all the data will always be on the cloud. The cloud data and its privacy are taken care of by the cloud provider. The computer operators do not store anything on computer memory. This means if someone hacks into the computer, they cannot access any data since the data is on the cloud and not on the computer itself. Operators access the cloud with two-point authentication, which makes it difficult for hackers to further dig into the cloud. Thus, the computer used to access the cloud is just a mere instrument and will not store anything. Unless someone decides to access the cloud, this computer can be used for even word processing and checking the news on internet.

Statement: Removing the unnecessary verbiage, the statement can be rephrased as follows:

A government organization decides to migrate to cloud computing. All the data will be stored ONLY on the cloud. The cloud data when disclosed can cause “serious damage” to the country, and its confidentiality is taken care of by the cloud computing provider.

Question: A government organization decides to store data ONLY on the cloud. The operators access data on the cloud via a two-step authentication procedure. What classification levels should these computers BEST belong?

Solution: Option C is the correct answer. Option A is wrong because the Top Secret classification causes grave damage, and it does not fit the statement given. Option B is wrong because the “Secret” data classification, when disclosed, causes “serious damage,” but the data is on the cloud and the secrecy is taken care of by cloud provider. The cloud is also accessed separately from the machine. Option D is wrong in that there is no such known classification in the US government.

Tip #13: Understanding roles in data classification and data management

Differentiate clearly between who classifies data and who implements the business rules, custody, transport, and storage. Other important words are data warehouse, data mart, and data roles used in day-to-day business.

Domain: Asset Security.

Subdomain: Database security, Data roles, Data ownership, Custodians.

Subject background: Data security is paramount, and each stakeholder associated with data needs to have a different and minimally required permission to protect it while handling. Any data leaks will finally have an adverse reaction on the functioning of an organization since 1) data leaks are difficult to detect, 2) data leaks can be internal or external, and 3) there can be natural disasters and unforeseen circumstances that may cause data leaks. Some NIST documents describe data roles and the duty of each role in protecting the data.

Things to Remember

Data Owner: Usually the boss of the organization is called the data owner. The eventual responsibility of the data remains with the data owner, despite the fact that many stakeholders handle the data. Data owners classify data and decide how to handle it.

Data Custodian: They handle data in the day-to-day operations. Data custodians implement rules that are framed by data owners. They protect, store, back up, and retrieve data in the proper format as required by the rules set by the data owners.

System Owner: System owners are people who own the system that processes the data. System owners have to design and guard the security of a system that handles the data. System owners can be typically the same as data owners but can be different too.

Business Owner: These people own business processes. Processes are conducted on the systems and are guarded by system owners. They can be group project managers below the CEO or another C-level manager.

Data Processor: A data processor is a system or a person who processes the data, per the privileges assigned to them.

Data Controller: This is a person or an entity that controls the data. Anyone who is collecting data and passing it around is a controller. How the controlled data is processed is the job of data processor described earlier. Safe Harbor deals with both the data processor and data controller.

Administrators: These are a group of people who decide what data should go to certain people. In other words, they grant permissions on data to the users. Administrators assign privileges to users.

Users: These are end users who utilize the data to complete a task given to them.

Remember that these roles are given to people depending on their “need to know” and their privilege level, with “least privilege” as the norm. Also, the privileges can be escalated or removed as and when people move around in, join, or leave an organization.

Datamart: This is used for a single application or a single department.

Data warehouse: This houses various applications’ data (enterprise-wide depth for data).

Analysis: Reading the question, it is easy to see that there are several distractors in the question itself. The names of custodians, administrators, controllers, and processors are put in the question to inform the test taker to divert attention. In fact, once the words “data classification” appear in a question, the test taker should immediately remember that the question is directly linked with a “data owner.” It is possible for the question to also ask about other roles of the data, but classification basically is the job of the data owner or the CEO. Remember that the CEO can assign this classification job to another C-level manager (such as a CIO, COO), but the CEO has the ultimate responsibility for breach of data since the CEO remains the owner of the data and decides the classification levels.

Statement: The auditor found the wrong classification of data on various systems. Who should the auditor address the problems encountered during the audit about data classification levels?

Question: Removing the verbiage, we can easily deduce the following cryptic question and quickly find the answer to the question:

Who should the auditor address about data classification levels?

Solution: Data classification is the job of data owner. Whether the data owner is a CEO or another C-level manager, it does not matter. Therefore, the answer is option A.

Data administrators set up passwords, privileges, and controls on the data but do not classify the data. Data custodians follow orders of the data owners and do the daily backup and take care of the day-to-day duties of the data. Data processors only can process data given to them and cannot classify it. Ultimately, it is the CEO who will be held responsible for the data classification and the discrepancies in the audit because the CEO owns the data.

Tip #14: Know the rules and regulations that govern the United States, European Union, and overseas data sharing

Remember the details of Safe Harbor and the GDPR.

Domain: Security and Risk Management.

Subdomain: Security, Overseas data sharing, US and EU data sharing regulations and protection, etc., Data and system ownership.

Subject background: Like the United States has data privacy rules, the European Union has its own privacy laws. Simply stated, Safe Harbor is a paradigm or concept on how US-based companies can comply with the EU privacy laws. In other words, Safe Harbor principles state how a non-European entity or company can comply with a European entity about the privacy of data (belonging to EU citizens, companies, etc.). As of May 2018, Safe Harbor has been replaced by the General Data Protection Regulation (GDPR). GDPR is the most important regulation in data protection in the past 20 years.

Analysis: Any company with a website has to know that the website is accessible from all over the world. Any data collected from EU citizens has to follow the Safe Harbor and GDPR regulations. Even if the data collected is only a small amount of PII, the GDPR rules still apply. This is the main reason why a small pop-up keeps appearing on websites telling the users that the website may store cookies that may contain some personal information of the user, such as the computer location, browsing habits, etc.

Statement: The question's verbiage can be shortened as follows:

A social engineering website that stores the username and passwords, location of the person (resident country and the city), the user’s job, tastes in food, and occasionally personal hobbies was recently reported to the EU that the user’s PII is not well-protected by the site. The company’s legal team argued that the company did not break any laws of Safe Harbor or GDPR.

Question: A social engineering website was recently reported to the European Union that the user’s PII is not well-protected. Is the company violating any laws of PII?

Solution: The simplest answer is yes since any information collected from the user can directly or indirectly lead to the user’s other data, which can ultimately pave the way for finding more information about the user. Option A is wrong since the GDPR is not a directive but a regulation. Option C is wrong because employing a DPO alone is not the solution. Option D is wrong for the same reason since both a DPO and data protection are important. Option B, therefore, is the correct answer.

Tip #15: Know the newly introduced privacy laws of the European Union, European Economic Area, and the related GDPR

General Data Protection Regulation (GDPR) , is a new regulation aimed at protecting the privacy for all individuals under European Union and European Economic Area (EEA). Failure to follow the regulation can have very adverse effect in the form of fines.

Domain: Asset Security, Security Engineering, and Security Operations.

Subdomain: Protecting privacy, Privacy concerns and limitation of use, Data retention, Handling requirements, Protect data in transit, Resource protection techniques.

Subject background: Data protection and privacy for all individuals in the European Union was implemented via the GDPR in May 2018. The GDPR also addresses exporting data from/to the EU and EEA. It basically states that those who control the personally identifiable information (PII) must implement appropriate technical and organizational measures to implement data protection principles. Business processes should implement pseudonymization and anonymization to protect the PII when and where appropriate.

Data processors must clearly indicate how they data is collected, used, and stored. Subjects can request a copy of the data collected by the businesses. Businesses must report data breaches within 72 hours if the breach had any effect on the PII or privacy. Public authorities and core businesses must employ a data protection officer (DPO) .

Things to Remember

Analysis: Reading the question, it becomes clear that it is asking about GDPR and the rights of a subject under the GDPR regulations. EU and EEA formulated the rules, but it is businesses that have to take care of implementing the GDPR. So, the first sentence of the question is generally a superfluous statement.

Statement: Data protection and privacy for all individuals in the European Union (EU) addresses exporting of data from/to the EU and EEA.

Question: Under the GDPR, which of the following is one of the rights of data subject?

Solution: Clearly, option C is a better fit than rest of the answers given. The EU and EEA are law makers and political bodies that make the laws. One cannot and do not sue those since these organizations do not handle the data. A subject’s data is handled by a business (for example, a credit card company), which has to give option of opt-in and opt-out to a subject. Importantly, opt-in and opt-out are the rights of a subject, and a subject can choose when to opt in and when to opt out at their discretion. Thus, options A and B are wrong. Option D is wrong because consent can be given at any time and taken away at any other time as well, not just at first time. But a subject can always opt in and opt out.

Tip #16: Remember various levels of protection and the ring structure

Remember the protection rings 0, 1, 2, and 3 and where they operate, what they contain, and what they envelope for IT systems that may include mainframe systems or desktop stand-alone systems.

Domain: Security Engineering, Asset Security.

Subdomain: Trusted processes, CPU and IT system security, Protecting privacy.

Subject background: Figure 2-1 gives an idea of protection rings.

Things to Remember

The protection rings 0 to 3 and what they contain can be remembered with the acronym KODA as follows:

Ring 0 – Kernel (K): Contains the lowest and safest levels of keepings things protected. This includes kernel or the bare-bones file system that keeps the IT system up and running. But the kernel alone cannot contain everything and needs other items to be built around it for a normal user to work and operate.

Ring 1 – Operating system (O): This level is a step above the kernel where somewhat expert users can operate and do restricted work. Disk formatting, file allocation, and permissions go in this ring and help other users.

Ring 2 – Drivers (D): This level stores the device drivers, like the driver files for various applications, hardware, and how they interact with the operating system. Depending on the operating system, the drivers change as well.

Ring 3 – Applications (A): Databases and applications like Microsoft Word, Excel, etc., go in this level. This level is most accessible to a general user, and there is not much protection offered. This is the area where you let users log in and do generic work like checking email or browsing a website to check the daily news.

For rings 0 to 3, the protection goes from most secure (ring 0) to least secure (ring 3).

Simply because ring 0 is the most secure protection level does not mean everything can be stored at that level.

Analysis: We can easily deduce that the situation in the question refers to a DBA accessing the database at the operating system level.

Statement: A lot of verbiage can be removed from the question since most of it is a description of how the DBA is accessing the database and at what level. It can be read as follows:

The database administrator (DBA) can go to the operating system’s command-line interface (CLI) and operate the database securely.

Obviously, the DBA is not accessing the DB at the kernel level or at the device driver level. Thus, options B and C are wrong. The DBA can access the database at ring 3, which is the application level, but note that the question says the DBA is working at the CLI, which falls at the operating system level. So we can easily remove the distractors and come to a conclusion about the correct answer.

Question: If the DBA operates at the command-line interpreter (CLI), what level or protections rings does he access?

Solution: The command-level interpreter (CLI) is the operating system level where a user can access operating system commands over the kernel. This level is not available to all, and if available, it is restricted with limited permissions. Thus, the correct answer is option D.

Tip #17: Learn to remember the types of disk storage and their mechanisms

Understand different RAID types and their uses.

Domain: Security Operations, Software Security, Network Security.

Subdomain: Memory management, Asset security, Data and system ownership.

Subject background: Redundant Array or Independent Disks (RAID) is a concept for providing memory sufficiently and without fail for IT systems so that the systems align with the security concept of continuous availability. These RAID disks are designed and provided for an IT system to make sure that the asset (whether it is a database, a running program, or a backup) is available without fail. For RAID, a series of physical disks are provided to make sure that the IT system is available continuously. The disks may be placed in the same physical location or dispersed over an area, but the IT system and the user would not know the difference. For a user, whatever level of RAID is used, it will appear as a single disk. When using RAID, data can be written on a single disk, two disks, or several disks with some data on each disk. The front-end user, though, will never know where the data is exactly stored. The front-end user cannot also decide where the data must be stored. It is not even necessary for the user to know how to optimize the disk storage. In other words, how RAID is designed and maintained is a background process a front end user should never have to worry about.

Figure 2-2 give details of different RAID levels.

Analysis: Reading the question, it may appear challenging, but in reality it is a simple statement of what the organization has decided to do. The organization has decided to pick RAID 6 as their choice over RAID 5. All we need to know now are the advantages of RAID 6 over RAID 5 and if there is an additional disk cost involved.

Statement: Notice that when we read the verbiage, it becomes clear that none of the first few sentences was required to ask the actual question. All the question asks is the advantage of RAID 6 over RAID 5.

Question: Which of the following options BEST describes the additional price the organization has to pay for the RAID 6 over RAID 5, and what advantage will the organization get for selecting RAID 6?

Solution: From Table 2-3, we note that RAID 6 uses parity data twice in two different disks. Thus, to store a second parity, we need an additional disk. Other than the second parity block, RAID 5 and RAID 6 are essentially the same. The advantage of adding a second parity is that if the first parity block data is corrupted or lost, we will still be able to recover data from the second parity block. Option D is obviously wrong since we will not buy an additional disk without getting any advantage from it. Likewise, option A is wrong since RAID 5 and RAID 6 do differ. Option B is slightly tricky since we do not have an additional disk, and it may be possible to create a partition on existing disk for second parity. But the question, like most of the CISSP questions, is asking for the BEST answer from the given four choices.

Thus, the correct answer is option C.

Tip #18: Understand different types of computer memory addressing schemes (machine level)

Different types of memory addressing schemes such as direct, base, indexed, etc., make memory access easy when doing programming at machine level. The addressing schemes allow accessing the memory directly or with an indirect method without knowing the data stored at a location. These addressing schemes are useful at machine level coding and at processor level.

Domain: Security and Risk Management, Asset Security, Security Engineering.

Subdomain: Memory protection, Types of addressing in memory.

Subject background: Machine-level and assembly-level languages use the format of “opcode {operand} {operand}….{operand}” to run instructions. These operands can be registers, memory locations, data, or anything the assembly language can allow. When data is being read from or loaded into the memory, it can be addressed in a variety of ways. These ways are called addressing modes/schemes of the memory.

Things to Remember

Immediate addressing usually has the letter “I” in the opcode. It looks for the data in the operand, as in MVI C 40x. Here the instruction is to “move data immediately into register C.” And the data to move into the register C is 40 hexadecimal. Since the data is immediately following the instruction/opcode, this is called immediate addressing.

Let’s consider now that the data 40x is in another memory location, say at the “4389 7623” address. This is the address of the memory where our data 40x is stored. To load this data into a register, we use an instruction like “MOV C, “memory address” or in this case “MOV C, [4389 7623].” So the data 40x stored at the location specified [4389 7623] will be moved to register C. Since we are indirectly giving the data location (rather than the data itself), this called indirect addressing . Moving data from a location into the register is sometimes called register indirect addressing. If a memory location is used instead of a register, then it is simple indirect addressing.

Offset addressing is where an offset value is added to the existing address. The resulting address is from where data will be obtained. An example is illustrated here:

MVI reg1 “4389 7623” means move the address 4389 7623 into register1.

MV reg2 reg1 34 means add 34 offset to the address in reg1 and move the data from the resulting address into register 2. This means we get data from location “4389 7657” (which is 4389 7623 + 34) into register 2. Also note that in this example the first instruction is immediate addressing and the second instruction is offset addressing. This is sometimes also called displacement or relative addressing.

Register direct addressing is when the contents of one register are added/modified/loaded to another. We do not know the contents of either register, but when we want to add those contents, we use register addressing. An example is ADD B, C. The contents of register C are added to register B.

Indexed addressing happens when an address is specified relative to an address that is in an index register. The index register basically contains the base address, and any offset is added to the index to fetch data from the resulting (index + off set) address. An example instruction looks like this:

MOV Reg1, [Reg2+Reg3]

Reg 2 usually has the fixed base address. Reg 3 has the offset. Thus, by giving the offset value only, we can move the data from the resulting address to register 1. This is useful when arrays are used. Let’s assume we have an array with 100 elements and we know the starting address of the array (base address). When we want to move the 79^th array element, what we can do is give the instruction as MOV reg1, [reg2+79]. Since reg2 already contains the base address (whatever it is), the data from the resulting address of [base address plus 79 offset] will be moved to register 1.

Auto-increment addressing happens when data is moved/added from one location to another and the second location is incremented “after” the data is moved/added/modified otherwise. The following example illustrates the process:

MOV reg1, [reg2]+d

The content of register 2 is an address. That address holds some data (say 40x). The data 40x is moved into register 1, and after the move, the contents of the address are incremented by one (default) or a value specified (d). If a value is not specified, the default is 1.

Auto-decrement addressing is similar to auto-increment except that the data is decremented before the data is moved/added/modified otherwise. An example is MOV reg1, [reg2]-d.

Note that both auto-increment and auto-decrement can be used before and after, as follows:

MOV reg1, +[reg2]+d means increment the value AFTER moving.

MOV reg1, -[reg2]-d means decrement BEFORE moving. Notice that the placement of + or – before or after the operand to decide whether increment or decrement happens before or after.

Note that when we execute an instruction “ADD R1, R2” the movement of data is always from right to the left. It means contents of register R2 are added to contents of register R1. This results in changes to contents of R1. But contents of R2 will remain the same after the instruction is executed.

Analysis: Note that the verbiage is giving details of where the base address for the index and offset are stored. When all these are stored in registers, there is really no point in using any number or address locations directly. If we can remember that point, we can directly come to a conclusion and pick the correct answer.

Statement: The base index address of the array is in register 2. The value of the 32^nd array member d(4*8) is required to be loaded into register 1 using offset 32 stored in register 3.

Question: With the base index address in register 2, if the value of the 32^nd array member is required to be loaded into register 1 using offset 32 stored in register 3, what instruction correctly can do this using indexed addressing?

Solution: Note that the correct answer is option B. Options A, C, and D are wrong because they are using a value in the operand, but the verbiage states that the operands and offset are all stored in registers.

Tip #19: Two options of choosing to stay in or stay out have a very subtle difference

Clearly understand the difference between opt-in and opt-out options.

Domains: Security Engineering and Asset Security.

Subdomains: Data retention, Data security controls, Data handling requirements, Security architectures, Designs, etc.

Subject background: It is a common practice for organizations to collect information from users when the user orders a product either via a website or in person. The data collected can be public or private, and depending on what is collected, the organization is responsible for handling the information collected. Several laws and regulations - either private or public, kick in once data is collected. These include but are not limited to state, federal, and the newly introduced European Union’s GDPR. While some organizations collect data before asking the consumers’ permission to use it, others collect data and assume they can use it by default unless otherwise the customer objects to its use. Opt-in is a way of a consumer to choose whether they want to allow the organization to use the data collected. In opt-in, an organization cannot use the data collected for any use without the consumer opting in. Opt-out is a way organizations assume the data collected from consumer is free to use unless the customer tells the organization that they no longer want the organization to use their data. In short, opt-in is consumer-driven, whereas opt-out is organization-driven.

Things to Remember

Opt-in and opt-out usually are encountered by the consumers while creating an account on a website or while filling forms at a retail store where the user has to either check a box or uncheck a box. In opt-in, the user has to physically check a box and give consent telling the organization that using his data for uses other than collected is OK. In opt-out, a user may have to 1) uncheck a box that was automatically checked by the company by default (the company assumes the consumer is OK with this), 2) send a personal email to the organization telling them to stop using the consumer’s data and stop the marketing blitz of their data and/or stop sending junk emails, or 3) go to the organization’s designated website and inform the organization to stop using data or unsubscribe. For opt-out, some organizations make it easy to get out, but others make it difficult by asking several questions, directing the user to a couple of websites and so on.

Analysis: A checked box, whether enabled or disabled, is an indication of automatic opt-in. This means that the user is giving automatic permission for the company to share the information. If the box is disabled, it also means that the company will NOT provide email account to the user unless otherwise the opt-in is granted to the organization. That’s how the “Register” button is programmed to work. If the user does not want to give the automatic option, for this particular website, there may not be any other way to provide free email service. The option that “may” work later is to call the company or email them to indicate that the user is opting out. That may take several days. In this case, the button indicates that the user must opt-in and may opt-out later in other ways.

Statement: While registering for a free email account, a user is required to enter a username; password (twice); and personal information such as age, date of birth, and gender. Before clicking the “Register” button at the bottom of the page, the user notices a checkbox that is automatically checked and disabled.

Question: What does the checked and disabled box MOST appropriately indicate to the user, directly or otherwise?

Solution: The answer is option D. Option A is not correct since the user did not purposefully check the opt-in box. Option B is not correct because the user did not send an email or uncheck a box. Option C is not correct too since one can register for email with the checkbox showing as checked and disabled. Note the wording in the question “MOST appropriately.” There could be more than one correct answer, but the test taker has to pick the most accurate answer.

Tip #20: Learn to distinguish various types of memories and their use in a computer

Understand different memory types such as SRAM, DRAM, EPROM, EEPROM, Flash HDD, CD-ROM, ROM, and RAM.

Domain: Asset Security, Security Engineering.

Subdomain: Data retention, Types of memory, Backup and restore, Common system components, Security vulnerabilities, Threats.

Subject background: Memory in the computer systems of any IT system can be of two types: volatile memory or permanent memory. Volatile memory is also called random access memory (RAM), which is accessible for read and write and works at high speeds. RAM works as storage for programs to run when the processor needs. Therefore, to run more programs, usually more RAM is necessary. But when the power goes out, all the data in RAM is erased, which is why it gets the name as volatile memory.

ROM or read-only memory is the other type of memory that can hold the data for a long time or permanently. DVDs and CD-ROMs are examples of ROM. They are written once but read many times. But small flash drives or thumb drives that can be written and read many times are also considered partly as ROMs since they can retain data for a longer time without having to refresh with an active power connection.

Analysis: Once the question talks about memory, anything related to hard disk, ROM, or flash is irrelevant since memory means it is RAM that is required to load the programs. Thus, the question is only asking what type of RAM the IT systems can be put with so the total price is economical to the company. Also note that there is no such thing as SROM mentioned in option D.

Statement: A company wants to update all its desktop computers with more memory. The cost to upgrade the memory is a factor, and the company wants reliable memory for an economical price.

Question: The company wants reliable memory for an economical price; what is the best solution the company can implement across all the desktop and laptop computers?

Solution: The straightaway answer is option C. Option A is wrong since hard disk is not what memory (asked in the question) stands for. Option B is wrong since flash memory is a backup type of device and not main RAM used in desktop or laptop computers. Option D is wrong because there is no such thing as SROM. DRAM is the best and cheapest solution for either desktop or laptop.

Tip #21: Learn the intricacies of mathematical operators used for modulo and division in cryptography

Understand how the modulo (%) and division (/) operators work. These operators are extensively used in cryptography and in ciphers.

Domains: Asset Security, Security Engineering, Communications, and Network Security.

Subdomain: Data security controls, Cryptography.

Subject background: The modulo function is represented by MOD and sometimes also used in math with %. Substitution ciphers and running key ciphers use the modulo operator. Adding a 3 (or any other number) to shift a value and then obtaining the modulo of the resulting value is a common method. For the CISSP certification exam, it is necessary to know how the MOD function works and how cryptography uses the integer division.

Many programming languages use the / operator as an integer division unless the variables used in the division are decimal point variables called decimals or floating-point variables.

The modulo used on two variables X and Y is indicated as X%Y, and integer division used on those is indicated as X/Y.

Things to Remember

Analysis: If we consider a couple of values for X and Y, we can easily find the solution for this question. The options we can choose for X and Y are X < Y, X > Y when the division is a perfect integer division with zero remainder. When X=Y, the modulo always evaluates obviously to zero.

Case 1: X > Y. Assume X = 13, Y = 3. For these values, the modulo evaluates as 13%3, which has a value of 1.

Option A evaluates as 13 – (13/3) = 13 – 4 = 11. Option B evaluates as 3 – (13/3) = 3 – 4 = -1. Option C evaluates as (13/3) – (3/13) = 4 – 0 = 4. Option D evaluates as 13 – ( (13/3)*3). Remember that the inner parentheses, 13/3, is an integer division that evaluates as 4. Thus, we have 13 – (4*3) = 13 – 12 = 1, and option D is correct when X > Y.

Case 2: X < Y. Assume X = 7, Y = 11. For these values, the modulo evaluates as 7%11 = 7.

If we check the options given, option A evaluates to 7 – (7/11) = 7 – 0 = 7; option B evaluates to 11 – (7/11) = 11 – 0 = 11; option C evaluates to (7/11) – (11/7) = 0 – 1 = -1; and option D evaluates to 7 – ( (7/11)*7 ). Since there is integer division inside the parentheses, we get the value as 7 – (0*7) = 7- 0 = 7. Both options A and D are correct answers for this instance.

Case 3: X and Y have a perfect division. Consider X = 125 and Y = 5. X/Y gives us 25, and X%Y evaluates as 0. Checking the options again, option A evaluates as 125 – (125/5) = 125 – 25 = 100. Option B evaluates as 5 – (125/5) = 5 – 25 = -20. Option C evaluates as (125/5) – (5/125) = 25 – 0 = 25. Option D evaluates as 125 – ( (125/5) * 5) ) = 125 – (25*5) = 125 – 125 = 0. Again, here we conclude that option D is the correct answer.

There are many other options, but these three cases will be sufficient to answer the question.

Statement: Which of the following functions is the BEST equivalent of X%Y?

Since we are aware of the symbols %, /, and *, which stand for modulo, integer division, and multiplication, the first sentence is just that – a statement of facts. The second sentence of the question is asking for the BEST equivalent of X%Y. In other words, in the absence of a mod function, how can we derive the modular value, if values X and Y are given?

Question: Which of the following functions is the BEST equivalent of X%Y?

Solution: Notice that from the analysis section case 2, we found there are two possible solutions, option A and option D. But option A does not work for cases 1 and 3. That’s why we always have to choose the BEST answer where all cases fit comfortably.

Please also note that when there is a double parentheses as in option D, the inner parentheses and the multiplication take precedent first followed by the outer ones. See Table 2-4.

Tip #22: Understanding the methods of physical and virtual destruction of information/data by various methods

Understand data destruction and erasure methods, both physical and virtual either manually or with software/hardware.

Domain: Asset Security, Security and Risk Management.

Subdomain: Data handling requirements, Marking, Labeling and destruction.

Subject background: Deleting files, pictures, or any data from hard disk, may not delete data permanently. Data remanence is a continuous problem on computers, memory chips, hard drives, and even paper copies. Several methods are required for each medium for the data to be completely erased or physically destructed. Data handling such as labeling, marking, storage, and destruction are part of the data life cycle and asset security.

Analysis: Notice that the statement says that the company has several forms of media, such as paper, magnetic, and disks. Paper files put in the trash are not safe since anyone can pull them from the trash and steal the data (dumpster diving). Erasure must be properly done, and clearing data seven times will only work on one media. Since the organization has different media, one method does not fit these media. The options are all talking about one type of destruction or several types that may not suit all media. Note that the media will be given away for reuse. So, the erasing methods must ensure that the media is really, completely and reliably erased.

Statement: A company wants to destroy older magnetic tapes, hard disks, and some paper files. The company proposes to do a process of erasing data by overwriting the media five times and reformatting the hard disks four times. The paper files will be put in the trash for recycling.

Question: A company wants to destroy older magnetic tapes, hard disks, and some paper files. As a security expert, what do you think is wrong with these procedures?

Solution: The obvious answer is option D since none of the other methods given in the distractors of options A, B, and C is sufficient for various media that need to be cleaned up.

Tip #23: Securing devices with personal electronic certificates and private and public keys

Learn about Public Key Infrastructure/Certificate Authority (PKI/CA), public and private keys, and certificate publishing.

Domain: Security Engineering, Asset Security.

Subdomain: Cryptography, Key infrastructure, Certificate authority, Public Key Infrastructure (PKI).

Subject background: Public key cryptography deals with public and private keys and how to manage those keys. Asymmetric algorithms that can generate the public and private keys deal with key pairs, do the exchange of keys, and can generate digital signatures. Key pairs can be used with the Advanced Encryption Standard (AES) for authentication, encryption, and electronic signature as well.

Asymmetric algorithms are used to create public and private key pairs. A message that is sent with one key can only be opened with the other key. The same key will not work for both creating/writing and reading. This means if a user creates an email message and encrypts with his private key, other people can only decrypt the message with the user’s public key.

Public and private keys are functions of large prime numbers.

Encryption creates cipher text from normal text, and decryption creates a normal text from encrypted text.

Salt is a random number used in the encryption process.

A prime number is defined as a number that has only two factors: 1 and the number itself. Examples are 11, 17, 23, etc.

PKI is a group of formats, programs, data, protocols, associated protocols, etc. PKI is created for a wide range of people to exchange messages, data, and other details.

PKI creates and maintains a level of trust among users who in turn trust the infrastructure.

PKI uses a public key certificate (PKC) and has an X.509 standard for its certificates. PKI can work with different authentication tools among different networks as well.

PKI contains keys, authorities, users, and users’ certificates.

A certificate authority (CA) is a trusted third party that allows people to communicate in a secure way. CA issues digital certificates for each user and maintains them.

A private key is known only to the user. But a user’s public key is known to all others who communicate with that user.

A CA can be internal or external to an organization. Examples of trusted external CAs are Entrust and VeriSign, which are typically used for credit card processing on the Internet.

The main responsibility of CAs is to create and maintain digital certificates.

When a certificate is revoked or made invalid, it is stored in a certificate revocation list (CRL) .

There are several reasons to create an entry in CRL. One is the expiration of certificates, and the others are a user leaving an organization voluntarily and a user’s certificate being compromised by a hacking attack.

The Online Certificate Status Protocol (OCSP) is also used instead of CRL.

The registration authority (RA) performs registration duties.

Analysis: Note that the question is asking what a new user David should do FIRST. When a user joins an organization, his first step is to request for a certificate since the organization has its own CA. Sending email or exchange of information and all that comes much later once the CA issues a certificate.

But how does the new user apply for a certificate? It is through the registration authority that the user confirms his identity and initiates a process for new certificate.

Statement: An organization has created its own certificate authority (CA).

We can easily remove the verbiage used and re-coin the question as follows:

Question: If a new user David wants to send an email to another user named John, what should David do FIRST?

Solution: Option B is the correct answer. Option A looks tempting, but the CA does not confirm identity or checks. It just issues certificates. To apply for that certificate, David will need the RA. Option C is wrong because the CRA is used for people whose certificates have been invalidated or revoked. Option D is not the FIRST thing David needs to do and is thus wrong too.

Tip #24: Learning the detailed life spans of intellectual properties such as documents and inventions

Remember the time frames for each of the types of trade documents, intellectual property, etc.

Domain: Asset security, Security and Risk Management.

Subdomain: Intellectual properties, Protection of data/trade secrets.

Analysis: Observe that the player is trying to put more than one business into market and needs several things to be registered. The easiest of these is an autobiography that will be automatically protected under copyright laws. There is no registration required for copyrights. The tennis racket is a tangible product as well, and it needs a patent for the innovative design. The energy drink has a mixture the player alone probably knows and needs a trade secret. It need not be registered but needs to be protected with utmost care. If we know these facts, the question is easy to answer.

Statement: A T-shirt is given freely, and it appears from the question that the player does not want to worry about it since it is being given freely if anyone purchases a racket, book, or the drink. Removing the verbiage we can find the following:

Question: A tennis player has a new idea for an energy drink, an idea for a book to write his autobiography, and a new design for a tennis racket. What should the player register for to protect the BEST interests of his businesses?

Solution: Licenses are given for a product after the product is already in the market and when the original inventor wants to expand his marketing territory to larger areas. The license does not apply immediately to a new product. Licenses do not also apply to books. Thus, options B and C are wrong choices. Books also do not carry patents since the writing is considered a type of copyright material. Thus, option D can be easily eliminated. This gives the correct answer as option A.