Wednesday, December 27, 2017

Launch of CISSP Computerized Adaptive Testing (CAT)




(ISC)² has introduced Computerized Adaptive Testing (CAT) for all English CISSP exams worldwide beginning 19th Dec 2017.

Important Points:

1. The exam outline remains the same. You do not need to change any reading or study material.
2. The exam time has been halved. The exam is now 3 hours long, not 6 hours.
3. The number of questions has been reduced from 250 to 125. [25 questions are for research purposes. They will not be explicitly marked.]
4. The CAT is only for English CISSP takers. There is no change for other languages.
5. The exam cost (699 USD) and the retake policy remain the same.

How will it work?

Each candidate taking the CISSP exam will start with a question that is well below the passing standard. Based on your response, the scoring algorithm will present you with a more difficult question if you answered the previous question correctly, or an easier question if you answered it incorrectly. The computer tries to judge your ability and knowledge from your responses and thus present a more precise and clear picture to ISC2.

What it means for you?
  • Candidates may start judging their previous answer by whether the next question is difficult or easy. This can lead to loss of focus during the exam.
  • Easy or difficult? – Let me assure you that if you know your stuff and your concepts, there’s no stopping you, irrespective of the format.
  • There will be NO option to flag, review or revisit any question. It will be a do-or-die situation for you. Answer it and move on.
  • The pass percentage will not change. You need a score of 700 out of 1000 to pass the exam.
  • You will be able to take tea breaks as usual; however, the timer will not stop during the break.
  • It will be really important for you to take an early lead in the exam. Since the test is adaptive, if you answer the first few questions incorrectly, it will become really difficult to score above 700.
  • The test time has been halved, which will really help the candidate. 6 hours is an extremely long and toll-taking exam time which affects the brain and thinking capability.
  • The exam results will be declared immediately after the exam. No waiting!!!

If you have taken the CISSP exam in the new format, it would be great if you could share your experience in the comments section below.


For more updates and FAQs you may refer to: https://www.isc2.org/certifications/CISSP/CISSP-CAT

Saturday, September 30, 2017

Launch of Practice Questions


It has been some time since I have written on my blog. I was thinking of how to help all the aspirants of these exams. When I prepared for the SSCP and the CISSP exams, I found that there was a dearth of FREE practice questions on the internet.
Hence, this is a humble attempt by me to ensure that you get a lot of practice questions for FREE. I have not segregated the questions by exam. It is imperative that you attempt every question, irrespective of whether it is easy or difficult. The practice questions will be updated every week.

Looking forward to your support and comments to improve the content on this website.

I'm also working on the video course for SSCP which will be uploaded in a few days. 

Tuesday, August 15, 2017

What to expect in SSCP exam?

It’s the D-Day and you are ready for the exam. Days of hard work will now be put to the test. You have prepared hard and are ready to take the exam. So what should you expect in the SSCP exam? Read on to find out.

Quick Pointers:

  • Check that you have two identification cards with you.
  • The ID cards must have a signature on them. One of them must serve as proof of address.
  • You have the booking confirmation from Pearson Vue.
  • Reach the center 30-40 minutes in advance.
  • Attempt all questions. The wrong answers don’t count against you.

Know Your Enemy

SSCP is a 3-hour long exam offered by (ISC)2. It has 125 questions which are based on 7 domains. 

Following are the domains along with their weight:

1. Access Controls (16%)
2. Security Operations and Administration (17%)
3. Risk Identification, Monitoring, and Analysis (12%)
4. Incident Response and Recovery (13%)
5. Cryptography (9%)
6. Network and Communications Security (16%)
7. Systems and Application Security (17%)

Many people are experts in only 1 or 2 domains. It is important to understand that (ISC)2 wants you to have an understanding of all these aspects in this exam. If you feel this is too much, you may want to read Quick Tips for the SSCP exam.

Although SSCP is not like the CISSP exam, it is still a difficult exam. The exam material and blogs out there are far fewer in comparison to the extensive coverage of CISSP. Having taken the exam myself and passed in the first attempt, I will share with you the challenges and my strategy for the exam.

3 Hour long exam – You have 125 questions to attempt. Mathematically speaking, you have precisely 1.44 minutes for each question. This gets reduced to 88 seconds per question if you decide to take two 10-minute breaks during the exam. Manage your time accordingly.

Mock Tests – The level of the questions you attempt in mock tests bears not even an iota of similarity to the real test. Do not depend solely on those mock or sample test papers. They are only a good preparation tool.

Experience – I had just 1.5 years of experience before appearing for this exam. Even if you do not have much experience for this exam, do not worry. If your concepts are clear, you will be able to clear the exam.

Let the Games Begin

You are sitting in front of the screen, where you are being asked to sign the NDA. Remember, you need to sign the NDA within 5 minutes. 

Quick Pointers:
  • ISC2 has a huge bank of questions so the questions asked in your exam will be totally different from my exam.
  • As soon as you accept the NDA, your exam will begin.
  • There is a timer which shows 180 minutes. There is an option to flag the question. 
  • Questions will be from all the domains. Do not fall prey to mock tests which may focus only on some of the domains.
  • The questions will NOT be difficult. They will only be tricky. You need to choose the best option from the choices given. Even if you feel that all the options are correct (or all wrong), the best one must be chosen.
  • Do NOT answer the questions based on the best practices in your organization.

It’s a personal choice as to how you want to attempt this exam. I am sharing my exam strategy with you. The point I wish to make here is that you should aim to attempt all the questions, then flag and review them.

Answer & Flag – Glance through every question as quickly as possible and if you know it, answer it. If you have a doubt, flag it. Try to answer, or at least glance through, all the questions in around 100 minutes. Time is very important.

Review Flagged – You have finished viewing all the questions. Now it’s time to review all the flagged ones. Take your time and read it again and again. Try to understand the question and more importantly the choices presented to you. 
I found this activity extremely helpful as it helped me answer a lot of questions.

Review ALL – I know you are tired. But it’s time for that final blow. If you have time, review all of them. If you have a doubt even at the last moment, not to worry. Read it again and try to understand what made you think about this alternate choice.

Checking, double checking and triple checking your answers will help you to squeeze every mark you can out of the exam, and it could be one question that makes all the difference between a pass and a fail!

If you are still preparing for this exam, read “How to pass the SSCP exam in First Attempt”.

Remember, it’s a difficult exam no matter what people say, and hence staying focused and calm will be the key to slaying this beast and coming out victorious.

Would love to hear your experiences in the comment(s) section below. Sharing is Caring :)

If you like this blog, please share and subscribe for more updates.


Tuesday, August 8, 2017

What to expect in CISSP exam?


It’s the D-Day and you are nervous… Your heart is beating fast, or you are extremely calm. You are having nice thoughts, or you are extremely petrified as to what will happen in the exam. Everyone faces unique challenges in preparing for the exam. Now that you have done the preparation and revision and are ready to face the beast, read on to find out what ammunition you need to slay it…

Know Your Enemy

Much is available on blogs and the ISC2 website detailing what the CISSP exam is all about. You will have 250 questions to answer in 6 hours. Many argue that CISSP is not as tough as people portray it. Only those who have experienced this exam can share its real challenges.

So here are the real challenges which I faced:

Vastness – It is rightly said that CISSP is “an inch deep and a mile wide” exam. The enormity of the domains and the material associated with them is huge. But hey, you have already prepared and are appearing for the exam. So why talk about it now? Because the enormity sometimes creates a problem in the mind. Remain calm. There is no substitute for going in with a calm mind and coolly slaying the beast.

6 Long Hours – Let’s do a mathematical calculation here to show you that 6 long hours are not so long. 250 questions in 360 minutes. 1 question in 1.44 minutes. Sounds fun? If you take a break, say, 10 minutes (2 times), it becomes 1.36 minutes or just 96 seconds.

Nerves of Steel – You need to have nerves of steel as concentrating for 6 long hours is not a child’s play. The first 2-3 hours are tolerable, but after that, the fatigue starts creeping in. My simple advice – Don’t be harsh on yourself. Take breaks of even 5 minutes after regular intervals to come with a fresh mind again.

Cost – The CISSP exam costs around 599 USD, or around 39,000 INR. Spending this money on an exam is no joke, so there is always pressure on you: in case this beast kills you, the money goes down the drain.

No Similarity to any Mock Exam – The questions in the real exam do not have even an iota of similarity to the practice exams available on any website or book(s). The play of words by ISC2 will surely trick you, so the trick is to understand what the question actually asks and which choice is the best one.

Take a break? Kit Kat? – Although you should take regular breaks, remember that the clock keeps running. So don’t start having lunches or music breaks in there. Thinking long on the toilet seat can also cost you dearly. So it is best to take small breaks… munch a KitKat and come back. You can enjoy yourself after you have cleared the exam.

Know your center – CISSP exam is scheduled at a Pearson Vue Center. It is recommended that you visit the center once before the exam to find out its real location. Don’t depend on Google Maps or something else. On the D-Day, this surely helps. Reach the center early. Don’t come crashing with papers flying around at the last moment begging them to allow you in the exam hall.

Party’s Started

So now you have given your palm prints and photograph and are sitting in front of the exam screen. What to do now? Read on to find out.

It’s a personal choice as to how you want to attempt this exam. I am sharing my exam strategy with you. The point I wish to make here is you should aim for attempting all the questions and flag and review it.

Some pointers before that:
1. There is no negative marking in this exam. So attempt all the questions.
2. If you have even an iota of doubt about your answer, FLAG IT. There is no extra cost in that!

So the strategy now:

Answer & Flag – Glance through every question as quickly as possible and if you know it, answer it. If you have a doubt, flag it. Try to answer, or at least glance through, all the questions in around 120-150 minutes. Time is very important.

Review Flagged – You have finished viewing all the questions. Now it’s time to review all the flagged ones. Take your time and read it again and again. Try to understand the question and more importantly the choices presented to you. 
I found this activity extremely helpful as it helped me answer a lot of questions.

Review ALL – I know you are tired. But it’s time for that final blow. If you have time, review all of them. If you have a doubt even at the last moment, not to worry. Read it again and try to understand what made you think about this alternate choice.

Checking, double checking and triple checking your answers will help you to squeeze every mark you can out of the exam, and it could be one question that makes all the difference between a pass and a fail!

I highly recommend reading “Quick Tips for the CISSP exam” to help you better understand how to overcome the challenges listed above.

If you are still preparing for this exam, read “How to pass the CISSP exam in First Attempt”.

Remember, it’s a difficult exam no matter what people say, and hence staying focused and calm will be the key to slaying this beast and coming out victorious.

Would love to hear your experiences in the comment(s) section below. Sharing is Caring :)

If you like this blog, please share and subscribe for more updates.

Sunday, August 6, 2017

How to Pass SSCP Exam in the First Attempt



The Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2. When I prepared for this exam, there was hardly any preparation material or any blog post to help me understand the experience of this exam. In this blog post, I will try to explain how to study for this exam and what the exam experience is like.

Before I begin, let me congratulate you on your journey to becoming an SSCP. Although this certification may not be as highly recognized as the CISSP certification, it still shows your employer and the world that you are really interested in pursuing your career in this field. You become a practitioner in this field.

What is SSCP?

You may want to read CISSP vs SSCP in case you want a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research-oriented questions. It is important to note that since these questions are not graded, you need to score 700 on the remaining 100 questions. These “research” questions will not be explicitly mentioned or marked, so attempt all the questions. There is a total of 7 domains which are tested in this examination.

Following are the domains along with their weight:

1. Access Controls (16%)
2. Security Operations and Administration (17%)
3. Risk Identification, Monitoring, and Analysis (12%)
4. Incident Response and Recovery (13%)
5. Cryptography (9%)
6. Network and Communications Security (16%)
7. Systems and Application Security (17%)

Many people are experts in only 1 or 2 domains. It is important to understand that (ISC)2 wants you to have an understanding of all these aspects in this exam. If you feel this is too much, you may want to read Quick Tips for the SSCP exam.

How to pass the exam in the first attempt?

Remember, there is no shortcut to passing this exam. It is not as rigorous and difficult as the CISSP exam but this exam is still difficult and you need to prepare well to pass this exam. So the only solution to passing this exam is understanding the concepts (don’t cram the definitions) and practice as much as you can. 

If you have no experience in the field of information security, it is really important for you to understand everything and watch videos if you do not understand by reading theoretically. If you have some experience or lots of it, don’t be overconfident. The exam tests your understanding of all these domains and it is rare that you are an expert in all these domains.

So accept your weakness and practice all the domains. I took around 3-4 months to prepare for this exam. Last 1 month was spent in practicing and only practicing. 
Revision is the key to everything. Practice exams don’t work if you just attempt questions and do not work on the weak areas. Practice and revision will surely make you pass this exam in the first attempt.

How to prepare for SSCP?

Way back in 2014, when I cleared this exam, there was not much available either on the internet or as study material. The story is different now. It is important to keep in mind that you should have one primary source of study, and others which you refer to only for a detailed understanding or for solving practice questions.

I referred to the 1st edition of the SSCP AIO guide by Darril Gibson. The second edition of the book is now available. There are a lot of other sources available for this exam, as listed below:


Remember, there is no alternative to hard work and studying (no matter which book you study).
It is important to prepare a plan to study, when to study and what to study. In case you are working, you need to identify as to when you can study. Identifying your strengths and weaknesses and working on them when you study is important to pass this exam.

Set Targets… & Pieces of advice

It is really important that you set your targets and achieve them. Set your targets by weeks or by domains as it suits you. I cannot tell how to set your targets as it involves a lot of parameters. 
The point I wish to make here is that in case you are not focused on achieving the targets which you fix for yourself and take the preparation casually, you’ll feel the pain while attempting the real exam.

An important piece of advice for you, my dear friend, is that no matter which book or practice exam you study, NO practice exam or mock test comes even a pinch close to the real exam.
If you are learning to run and think that by practicing all the mock tests you can top the marathon, the exam will instead ask you how well you can fly. Do NOT think that by getting a 90% score in mock tests you will definitely clear the exam.

It ultimately boils down to only one fact: how good your concepts are. Mock tests will only broaden your thinking and understanding of these concepts. So it is important to clear all the misconceptions in your mind.

Another important piece of advice (if you are already working in this field) – Do NOT apply what happens in your organization to this exam. Most professionals make the mistake of thinking about and answering questions based on their experience and what happens in their organization.

Your organization may be the best in its business, but it has made its own policies and ways of handling problems. Remember, whether it’s SSCP or CISSP, you need to go in with an open mind, as the exam focuses on testing your concepts, not your organization’s.

The D-Day

Go with a very clear and calm mind for the exam. Reach the center early and take appropriate rest the day before. 
1. When you will reach the Pearson Vue center, you will be given a set of instructions to read. These instructions are different from the NDA to be signed for the SSCP exam. In case you have any queries regarding the instructions, feel free to ask the proctors. They are friendly and helpful.
2. Your photograph and palm scans will be taken before beginning the exam.
3. Do not forget to carry two identification cards having signatures on both the proofs.

So all the best for your exam. Do not forget to read Quick Tips for the SSCP exam.

If you like this article, do not forget to share and subscribe. Also, share your comments in the comment section below.

Monday, July 24, 2017

CISSP vs SSCP Certification


Offered by
  CISSP: (ISC)²
  SSCP: (ISC)²

Length of the exam
  CISSP: 6 hours
  SSCP: 3 hours

Number of questions
  CISSP: 250
  SSCP: 125

Question Format
  CISSP: Multiple choice + Drag & Drop + Hotspot Questions
  SSCP: Multiple Choice Questions

Passing Grade
  CISSP: 700 out of 1000
  SSCP: 700 out of 1000

Exam Availability
  CISSP: English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, Korean, Visually impaired
  SSCP: English, Japanese, and Brazilian Portuguese

Testing Center
  CISSP: Pearson Vue
  SSCP: Pearson Vue

Number of Domains
  CISSP: 8
  SSCP: 7

Domains (Weightage)
  CISSP:
    1. Security and Risk Management (16%)
    2. Asset Security (10%)
    3. Security Engineering (12%)
    4. Communications and Network Security (12%)
    5. Identity and Access Management (13%)
    6. Security Assessment and Testing (11%)
    7. Security Operations (16%)
    8. Software Development Security (10%)
  SSCP:
    1. Access Controls (16%)
    2. Security Operations and Administration (17%)
    3. Risk Identification, Monitoring, and Analysis (12%)
    4. Incident Response and Recovery (13%)
    5. Cryptography (9%)
    6. Network and Communications Security (16%)
    7. Systems and Application Security (17%)

Experience Requirement
  CISSP: Candidates must have a minimum of 5 years cumulative paid full-time work experience in 2 or more of the 8 domains of the CISSP CBK. Earning a 4-year college degree or regional equivalent, or an additional credential from the (ISC)² approved list, will waive 1 year of the required experience. Only a 1-year experience exemption is granted for education.
  SSCP: Candidates must have a minimum of 1 year cumulative paid full-time work experience in 1 or more of the 7 domains of the SSCP CBK.

Accreditation
  CISSP: CISSP was the first credential in the field of information security to meet the stringent requirements of ANSI/ISO/IEC Standard 17024.
  SSCP: SSCP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard 17024.

Cost
  CISSP: 599 USD
  SSCP: 250 USD

Difficulty
  CISSP: 9/10
  SSCP: 5/10

Acceptability
  CISSP: Gold Standard
  SSCP: Less Known

Resources to study

Sunday, July 16, 2017

[Opinion] Will Machine Learning in Cyber Security open a Pandora’s Box?


Machine Learning is the buzzword nowadays. Huge numbers of courses on machine learning have mushroomed online and companies are running after professionals who are experts in it. Udacity, which has developed a course on machine learning in collaboration with Google, defines it thus: “Machine learning represents a key evolution in the fields of computer science, data analysis, software engineering, and artificial intelligence.”

Wikipedia, however, explains it better, rather than just throwing jargon around. It says that machine learning gives “computers the ability to learn without being explicitly programmed.” Much more understandable!! In simpler terms, computers start learning processes and develop a capability for deduction rather than just performing what they are programmed to do.

When such machines are made to learn to defend our networks and organizations from an information security point of view, good and bad things will happen. Read on....

An article published in TechCrunch, “The darker side of machine learning”, gives us a glimpse of how a facial recognition app used in Russia can identify who has a profile on VK.com, the social media platform known as “Russian Facebook”. Your privacy goes for a toss with applications such as FindFace, and no extra points for guessing that it is a simple application of machine learning.

The Threat Detection Business

The cyber security business is worth billions of dollars, and there is no doubt as to why cyber security startups are able to raise millions of dollars quickly compared to others. Machine learning and AI are being explored to their full potential, according to an article published in Computerworld UK. The article, titled “Machine learning in cyber security: what is it and what do you need to know?”, gives an interesting picture of how security vendors across the world are jumping on the bandwagon and, in order to outdo each other, are trying to come out with products based on machine learning.

“Many Eyes” is what the CSO at Vectra Networks calls it, and he says: “You can use machines to observe the network continuously in real time, and correlate that across hundreds of millions, to trillions, of events on a daily basis.”

“A traditional approach from a security practitioner perspective is to take logs, drop them into some central database, and then, offline, mine that data for events that we have a feeling might be there,” he says. "What machine learning offers is that all of the work can be done in real time, live in a network wire and without that human oversight.”

Thanks to the article, we also get to know the thoughts of Andrew Gardner, senior director of machine learning at Symantec, who explains that where machine learning will really help is in scale and automation. Think of the difference, he says, between two humans playing chess and two computers playing chess. And the computers can play each other at very high speeds.

"One thing that's useful for is that it allows us to do predictive testing,” he says. "We can, in a sandbox, use AI machine learning in the same way that an attacker might do, to predict and explore possible exploits on a scale that humans just can't achieve.”

The Fear of the Unknown

Human beings always fear what they do not understand or know. We have gone to great lengths to understand and decipher every large or small thing in this world and others.
The vendors are trying to paint a rosy picture and are adamant to prove that machine learning will be the panacea for all problems: “Machines will be able to identify the unknown attacks and will be able to protect you from the unknown”.
The article in Computerworld UK further highlights the point made by Vectra's Gunter Ollmann, who warns that professional attackers are studying machine learning very closely – and many of them are already data scientists.

"This is no different from 10 years ago when behavioral learning systems came out that the bad guys invested their own time, and they found ways to detect and bypass the sandboxing technologies,” he says. "I expect we'll see that same level of thought and actions going into machine learning and artificial intelligence.”

Companies today want a one stop solution which is ready to defend them from the unknown. Why does everyone forget that the professional attackers use those same tools and mechanisms to create more sinister attacks? Are we ready for it?

The world is already grappling with new attacks every day. Are we truly ready for something which the vendors or machine learning enthusiasts tell us is going to solve all our problems, rather than creating more difficult ones?

WannaCry made a lot of people cry… the hospitals in the UK were the most affected. We, the governments, the cyber security professionals, CERTs etc. were not able to do much about it other than giving sermons that your systems should be patched all the time, that you should use the latest products and enable antivirus protection, and so on…
We were not able to defend ourselves against these known attacks… are we really ready to defend ourselves against the unknown?

Is Machine Learning the solution?

YES and NO. Why Yes? Because ultimately we will have to use it, as the data points generated will be too huge to handle in the coming years. We will have such complex mechanisms in place that we will need machines to come to our rescue.

Why Not? As 451's Adrian Sanabria says: “We know from experience that attacks will simulate what info sec vendors are doing. Machine learning models depend on a degree of likeness, so if attackers find a way to produce malware that looks significantly different from what models expect, machine learning-based detection methods could become ineffective overnight.”

Rather than just jumping on the new buzzword and falling for slick marketing, it is important for us to push the software vendors to integrate security from the design phase and not patch it in later. We need professionals who can defend against the known attacks, and software developers who design and integrate security into every aspect of the software.
Multiple layers of protection, or onion security, are the best bet today.
It is important that we understand machine learning and give it time to mature, and only then allow it to defend our networks…

What do you think about it?

Wednesday, July 12, 2017

Quick Tips for SSCP Exam


Let me say “All the best” to you, before I start giving you tips for the SSCP exam. These tips are not mandatory to follow, but will surely help you to manage and crack the exam.

Systems Security Certified Practitioner (SSCP) is a three-hour long exam which contains 125 questions. You can call it the younger brother of CISSP. I took this exam in July 2014 and passed in the first attempt.

You have to schedule the exam through the (ISC)² website, which then takes you to booking the exam at a Pearson Vue center.
  1. Reach the exam center approximately 45 minutes before your scheduled time. This will help you to settle down. Start early so as to reach early, rather than waiting on the way wondering whether you will reach on time or not.
  2. When you reach the Pearson Vue center, you will be given a set of instructions to read. These instructions are different from the NDA to be signed for the SSCP exam. In case you have any queries regarding the instructions, feel free to ask the proctors. They are friendly and helpful.
  3. Your photograph and palm scans will be taken before beginning the exam.
  4. Do not forget to carry two identification cards having signatures on both the proofs.

Now, when your exam starts, do keep the following in mind. These tips will surely help you.

  1. You will be greeted with an NDA before you begin the exam. Read the NDA – you have 5 minutes to do so.
  2. Failure to accept it will forfeit your exam fee and you will not be allowed to move further in the exam. After successful acceptance of the NDA, your exam begins.
  3. A timer shows the 180 minutes you have for the examination, and a “Flag for review” option lets you flag the questions you are unsure of at the moment for further review.
  4. Try to make a strategy to solve the 125 questions. 25 questions are reserved for research purposes. Hence you need to answer 100 questions in order to get a 70% score.
  5. I followed the strategy below. It is always better to follow your own plan, based on your strengths and weaknesses.
  6. It is extremely important that you go through all the 125 questions at least once in around 1.5 hours. I glanced through all the questions and answered 90 questions in one go, which took around 1.5 hours. I used the “Flag for review” option wholeheartedly.
  7. Although the three-hour long exam is not as strenuous as the CISSP exam, you still need to maintain your focus for three hours. 
  8. Remain calm, if you do not know the answer to a lot of questions in the first go, then flag them. This is perfectly normal. Don’t stress yourself.
  9. I used the next 1 hour to solve those questions which I had flagged for review or had left unanswered. The remaining 1/2 hour was focused on reviewing those questions which I was extremely unsure of or confused between two options as they both seemed likely.
  10. There is no negative marking in the exam. So it is recommended that you answer all the questions.
  11. As soon as the time is over, the exam automatically finishes and you are greeted with a message that the time has finished. You may call the proctor in case there is any issue which you face during the exam.
  12. You can collect the exam result from the main desk. Remember, you are never confident when you walk out from the exam hall to the main desk. 
  13. Most people I have met either discount the importance of the SSCP credential or don’t know about it. It is important to remember the fact that SSCP is no small feat in itself. You need to have a minimum of 1 year of experience in information security field. 
  14. SSCP does tell the world that you are interested in learning and having a basic knowledge of the concepts of information security. As a practitioner, this exam allows you to gain a holistic understanding of a lot of security concepts.

If you have reached here, let me thank you for reading this article. If you are preparing to take the exam, all the very best. If you have passed the exam and would like to share your tips with everyone, feel free to comment below. Remember “sharing is caring”!!

Monday, July 10, 2017

What is CIA?

The Three Pillars – CIA

Anything in information security ultimately boils down to ensuring that one or more of three pillars is upheld. These three pillars are – Confidentiality, Integrity, and Availability.



It is thus extremely important that you understand the meaning of these terms. From an exam perspective, a great many questions will be focused on identifying the following:
  1. Which of the three pillars is violated?
  2. Which of the three pillars is ensured if a certain action is taken?
  3. What will a certain control ensure, provide or protect?

Even from an organizational perspective, all the policies, procedures, standards and guidelines are made to ensure that the three pillars of information security are catered for.
So, let’s understand these concepts now.
Before I begin, let’s be very clear that I’m not going to write down the definitions provided by any agency or organization. You can get them in any book and they are mostly as clear as mud. It is important to study these definitions too, however, from an exam perspective, simple is the best.

The focus here is only to explain the concepts to you in the simplest manner.

Confidentiality – “Unauthorized disclosure should not happen” – These five words are more than sufficient for you to answer any question.

Integrity – “Unauthorized modification should not happen”

Availability – “Information should be available at the right time to the right people”

Now let’s apply the above definitions to a variety of scenarios. You’ll notice that these definitions work in every scenario.

Scenario: You have an account with ABC bank; you deposit a sum of 1000Rs into the bank. The bank clerk accesses your account and deposits the money. You have been issued a debit card with a PIN (personal identification number) which is to be kept secret. You now go shopping and try to use the debit card to spend 500Rs from your account.

Try to answer the following questions now, based on the definitions explained above:

Q1. The clerk accesses your account and withdraws a sum of 200Rs from your account without your permission. Which of the three pillars is violated?

Answer – Since unauthorized access has happened, confidentiality is violated.

Q2. When you access your account, you are not able to log in and check your balance. Which of the three pillars is affected in this case?

Answer – Since you are not able to access your account at the time you want, Availability is affected here.

Q3. When you are finally able to log in, you notice that instead of the 1000Rs you deposited, you only have 800Rs in your account. Which pillar has fallen?

Answer – The integrity of the account is questioned here as unauthorized modification has happened.

If you have understood the concepts above, now try to answer the following questions and mention your answers in the comments section below. Answers to these questions will follow in the next blog post.

Which of the three pillars will be affected in these scenarios?
Q1. The shopkeeper notices the PIN which you enter.
Q2. The server is not responding and you are not able to do the transaction.
Q3. The transaction stops mid-way and your account is debited, however, the merchant does not get the money.
Q4. You get a message from the bank citing that someone has hacked into your account.
Q5. You click on the link provided in the message and find that the bank’s site is not accessible.
Q6. You call up the bank and the bank resets your account password without your permission.