
tricky ques


CISSP_Candidate
08-30-2006, 08:18 AM
1. During a regular audit it was found that the web server, database server and file server had the same password. What could be the possible reason?

a. Passwords were not changed
b. Systems trusted each other
c. Separation of duties was violated.

2. For vulnerability scanning, is the target owner's permission necessary?

3. What would a tester ask for when testing?
a. Credentials of the system
b. Details of the vulnerabilities to be tested.

3. Does data mining give a description of the data?

4. Why would a CISSP need to keep up to date with the latest laws?
a. To protect against data misuse
b. To protect intellectual property.

5. Which is specifically made for session replay or man-in-the-middle attacks, SSL or PGP?

6. Should controls be focused or flexible?

Jescoi
08-30-2006, 08:19 AM
Let me try and give some answers, as I see them:

1. Separation of duty: since all three have the same password, this could be the case because the same user was attending to all three.

2. The owner's permission is necessary, as the vulnerability testing may lead to loss of some data, shutting down of a PC/server, or something else which would affect the user.

3. When you are doing intrusion detection, you can only test known vulnerabilities.

4. Data mining will give you the end picture, not the intermediate components.

5. Your intellectual property you have to protect for your own sake, whether a law is there or not. New laws are coming up which are more concerned with privacy. So data misuse may be right.

6. Controls are flexible in business and focused in military/sensitive areas.

These are my thoughts.. anyone have anything else to say?