What type of database attack would allow a customer service employee to determine quarterly sales results before they are publicly announced?
Inference is the type of attack where an attacker uses available data to deduce additional sensitive information. In this scenario, a customer service employee might have access to some data that provides clues about the quarterly sales results. By analyzing and correlating this data, the employee could infer the actual sales results before they are publicly announced. Aggregation, on the other hand, involves combining multiple sources to gain information, which is less applicable here as the employee is using available, accessible data to make inferences rather than combining data from multiple sources.
An inference, as the attacker used several pieces of generic nonsensitive information to determine or learn a specific sensitive value.
A is correct
The question says - What type of database attack. "D" Data mining is not an attack. So, I am going with "A" on this one.
Imma say inference. Because it’s a cust service rep. I doubt he knows many sql commands. Could be wrong.
It’s an aggregation attack; an employee simply adds nonsensitive pieces of info to create sensitive information. There is no deduction. Inference and aggregation are always very close and confusing.
B. Aggregation. Aggregation is a technique that involves combining data from different sources or levels of granularity to infer sensitive information that is not directly accessible. For example, a customer service employee might be able to access individual sales records for each customer, but not the total sales figures for each quarter. However, by aggregating the sales records by date, product, or region, the employee might be able to estimate the quarterly sales results before they are officially released. An inference attack is a technique that involves analyzing data to gain knowledge about a subject or database without directly accessing it. For example, an inference attack might use statistical methods, machine learning models, or logical reasoning to deduce sensitive information from seemingly innocuous data. An inference attack does not necessarily involve aggregation, and it might target individual records rather than aggregate values.
The CISSP Official Study Guide includes a direct correlation: "A commonly cited example of an inference attack is that of the accounting clerk at a large corporation who is allowed to retrieve the total amount the company spends on salaries for use in a top-level report but is not allowed to access the salaries of individual employees. The accounting clerk often has to prepare those reports with effective dates in the past and so is allowed to access the total salary amounts for any day in the past year. Say, for example, that this clerk must also know the hiring and termination dates of various employees and has access to this information. This opens the door for an inference attack. If an employee was the only person hired on a specific date, the accounting clerk can now retrieve the total salary amount on that date and the day before and deduce the salary of that particular employee—sensitive information that the user would not be permitted to access directly."
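The accounting-clerk scenario quoted above, worked through as an added example (not part of the comment or of the study guide): two permitted payroll totals are differenced to expose one salary, and a query-overlap check refuses the second total. The table layout, names, dates, salaries, the `MIN_DIFF_SET` threshold and the `guarded_total` control are all assumptions made for illustration, and termination dates are left out to keep the case small.

```python
import sqlite3

# Constructed sample rows (name, hire_date, salary); not data from the page.
ROWS = [
    ("alice", "2023-01-09", 82000),
    ("bob",   "2023-01-09", 76000),
    ("carol", "2023-03-01", 91000),  # the only hire on 2023-03-01
    ("dave",  "2023-03-02", 68000),
    ("erin",  "2023-03-02", 73000),
]
MIN_DIFF_SET = 3  # assumed policy: two answered totals must differ by >= 3 people

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (name TEXT, hire_date TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?)", ROWS)
    return db

def total_salary(db, as_of):
    """The aggregate the clerk may run: total payroll as of an ISO date."""
    q = "SELECT COALESCE(SUM(salary), 0) FROM employees WHERE hire_date <= ?"
    return db.execute(q, (as_of,)).fetchone()[0]

def inferred_delta(db, day_before, day):
    """Difference of two permitted totals; one hire in between leaks a salary."""
    return total_salary(db, day) - total_salary(db, day_before)

def guarded_total(db, as_of, history):
    """Hypothetical control: refuse a total whose population differs from an
    already-answered total by 1..MIN_DIFF_SET-1 employees."""
    q = "SELECT COUNT(*) FROM employees WHERE hire_date > ? AND hire_date <= ?"
    for prev in history:
        lo, hi = sorted((prev, as_of))
        n = db.execute(q, (lo, hi)).fetchone()[0]
        if 0 < n < MIN_DIFF_SET:
            return None  # answering would isolate too few individuals
    history.append(as_of)
    return total_salary(db, as_of)

if __name__ == "__main__":
    db = make_db()
    print(inferred_delta(db, "2023-02-28", "2023-03-01"))
    seen = []
    print(guarded_total(db, "2023-02-28", seen), guarded_total(db, "2023-03-01", seen))
```

The check only compares against totals already answered to the same user, so it needs a per-user query history to be effective.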
The type of database attack that would allow a customer service employee to determine quarterly sales results before they are publicly announced is Inference. Inference is a type of database attack in which an attacker uses available data to infer or deduce additional sensitive information. In the given scenario, the customer service employee might have access to some data in the database that could provide clues about the quarterly sales results. By analyzing this data, the employee might be able to infer the actual sales results before they are publicly announced. Aggregation is a type of attack in which an attacker combines multiple sources of data to gain access to sensitive information. Polyinstantiation is a type of attack in which an attacker creates multiple instances of an object with different security levels, causing a breach of integrity. Data mining is a process of analyzing data to discover patterns and relationships. In conclusion, Inference is the type of database attack that would allow a customer service employee to determine quarterly sales results before they are publicly announced.
Data mining can be used for a wide range of purposes, including market research and fraud detection, but it does not involve a specific attack on a database to gain unauthorized access to information.
The customer service employee could have access to weekly/monthly sales data, and could easily aggregate/combine those data to determine the quarterly numbers.
An Inference Attack is a data mining technique performed by analyzing data in order to illegitimately gain knowledge about a subject or database. A subject's sensitive information can be considered as leaked if an adversary can infer its real value with a high confidence. https://en.wikipedia.org/wiki/Inference_attack
A, use non sensitive information to gain the sensitive information
The most correct is what they want. Thus I’d go with A which is a more precise data mining.
Inference requires a thinking and correlation part, and this is what the question scenario is about. Inference is the ability to derive information that is not explicitly available. Data mining requires special tools to analyze; humans themselves cannot do it. Aggregation is when individual pieces of data are combined to create a bigger picture that may have greater sensitivity than individual parts.
D. Data mining. Data mining is the process of discovering patterns and knowledge from large data sets. In this scenario, a customer service employee could use data mining techniques to extract information from the organization's database, such as quarterly sales results, before they are publicly announced. This would allow the employee to gain unauthorized access to sensitive information, potentially giving them an unfair advantage over other employees or external parties.
In summary, inference is about making generalizable conclusions about a population from a sample, while aggregation is about summarizing and simplifying complex data sets into summary values or categories.
A. Inference. Inference attacks involve an attacker making educated guesses or inferences about sensitive information by analyzing less sensitive data or clues that are available to them. In this scenario, the employee may use their access to less sensitive data or information within the database to infer or deduce quarterly sales results that have not yet been publicly announced.
Answer is A. Aggregating information to discover new information. Inference.