Who is responsible for the protection of information when it is shared with or provided to other organizations?
Systems owner
Authorizing Official (AO)
Information owner
Security officer
The information owner is the person who has the authority and responsibility for the information within an Information System (IS). The information owner is responsible for the protection of information when it is shared with or provided to other organizations, such as by defining the classification, sensitivity, retention, and disposal of the information, as well as by approving or denying the access requests and periodically reviewing the access rights. The system owner, the authorizing official, and the security officer are not responsible for the protection of information when it is shared with or provided to other organizations, although they may have roles and responsibilities related to the security and operation of the IS. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 48; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 1: Security and Risk Management, page 40.
What is the PRIMARY goal of fault tolerance?
Elimination of single point of failure
Isolation using a sandbox
Single point of repair
Containment to prevent propagation
The primary goal of fault tolerance is to eliminate single points of failure. A single point of failure is any component or resource that is essential for the operation or functionality of a system or network, and whose failure or malfunction can cause the entire system or network to fail or malfunction. Fault tolerance is the ability of a system or network to suffer a fault but continue to operate, achieved by adding redundant or backup components or resources that can take over from or replace the failed or malfunctioning component or resource without affecting the performance or quality of the system or network. Fault tolerance can provide some benefits for security, such as enhancing the availability and reliability of the system or network, preventing or mitigating some types of attacks or vulnerabilities, and supporting audit and compliance activities. Fault tolerance can be implemented using various methods or techniques, such as:
Isolation using a sandbox, single point of repair, and containment to prevent propagation are not the primary goals of fault tolerance, although they may be related to, or possible outcomes or benefits of, fault tolerance.

Isolation using a sandbox is a security concept or technique that involves executing or testing a program or code in a separate or restricted environment, such as a virtual machine or a container, to protect the system or network from any potential harm or damage that the program or code may cause, such as malware, viruses, worms, or trojans. Isolation using a sandbox can provide some benefits for security, such as enhancing the confidentiality and integrity of the system or network, preventing or mitigating some types of attacks or vulnerabilities, and supporting audit and compliance activities. However, isolation using a sandbox is not the primary goal of fault tolerance, as it is not a method or technique of adding redundant or backup components or resources to the system or network, and it does not address the availability or reliability of the system or network.

Single point of repair is a security concept or technique that involves identifying or locating the component or resource that is responsible for the failure or malfunction of the system or network, and that can restore or recover the system or network if it is repaired or replaced, such as a disk, a server, or a router. Single point of repair can provide some benefits for security, such as enhancing the availability and reliability of the system or network, preventing or mitigating some types of attacks or vulnerabilities, and supporting audit and compliance activities. However, single point of repair is not the primary goal of fault tolerance, as it is not a method or technique of adding redundant or backup components or resources to the system or network, and it does not prevent or eliminate the failure or malfunction of the system or network.

Containment to prevent propagation is a security concept or technique that involves isolating or restricting the component or resource that is affected or infected by a fault or an attack, such as malware, a virus, a worm, or a trojan, to prevent or mitigate the spread or transmission of the fault or attack to other components or resources of the system or network, such as by disconnecting, disabling, or quarantining the component or resource. Containment to prevent propagation can provide some benefits for security, such as enhancing the confidentiality and integrity of the system or network, preventing or mitigating some types of attacks or vulnerabilities, and supporting audit and compliance activities. However, containment to prevent propagation is not the primary goal of fault tolerance, as it is not a method or technique of adding redundant or backup components or resources to the system or network, and it does not ensure or improve the performance or quality of the system or network.
Attack trees are MOST useful for which of the following?
Determining system security scopes
Generating attack libraries
Enumerating threats
Evaluating Denial of Service (DoS) attacks
Attack trees are most useful for enumerating threats. Attack trees are graphical models that represent the possible ways that an attacker can exploit a system or achieve a goal. Attack trees consist of nodes that represent the attacker’s actions or conditions, and branches that represent the logical relationships between the nodes. Attack trees can help to enumerate the threats that the system faces, as well as to analyze the likelihood, impact, and countermeasures of each threat. Attack trees are not useful for determining system security scopes, generating attack libraries, or evaluating DoS attacks, although they may be used as inputs or outputs for these tasks. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Security Operations, page 499; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 4: Communication and Network Security, page 552.
A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established.
What MUST be considered or evaluated before performing the next step?
Notifying law enforcement is crucial before hashing the contents of the server hard drive
Identifying who executed the incident is more important than how the incident happened
Removing the server from the network may prevent catching the intruder
Copying the contents of the hard drive to another storage device may damage the evidence
Before performing the next step in an incident response, it must be considered or evaluated that removing the server from the network may prevent catching the intruder who has planted a backdoor. This is because the intruder may still be connected to the server or may try to reconnect later, and disconnecting the server may alert the intruder or forfeit the opportunity to trace the intruder's source or identity. Therefore, it may be better to isolate the server from the network or monitor the network traffic to gather more evidence and information about the intruder. Notifying law enforcement, identifying who executed the incident, and copying the contents of the hard drive are not the factors that must be considered or evaluated before performing the next step, as they are either irrelevant or premature at this stage of the incident response. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, page 973; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 8: Security Operations, page 1019.