Module 6

If you lose your wallet or purse and it ends up in the wrong hands, several pieces of information could be used to do personal harm to you. These pieces of information include the following: Name and address Driver license number Credit card numbers Date of birth Which of the following classifications does this information fall into?

Personally identifiable information

To prevent server downtime, which of the following components should be installed redundantly in a server system?

Power supply

MTD

Identifies the length of time an organization can survive with a specified service, asset, or process down

What alternative term can be used to describe asymmetric cryptographic algorithms?

public key cryptography

A framework for all of the entities involved in digital certificates for digital certificate management is known as:

public key infrastructure

Which type of cryptographic algorithm takes an input string of any length, and returns a string of any requested variable length?

sponge

To obtain a digital certificate and participate in a Public Key Infrastructure (PKI), what must be submitted and where?

Identifying data and a certification request to the registration authority (RA)

When a sender encrypts a message using their own private key, what security service is being provided to the recipient?

Non-repudiation

A system failure has occurred. Which of the following restoration processes would result in the fastest restoration of all data to its most current state?

Restore the full backup and the last differential backup

Which of the following is the most frequently used symmetric key stream cipher?

Ron's Cipher v4 (RC4)

Which of the following does not or cannot produce a hash value of 128 bits?

SHA-1

Which of the following is the strongest hashing algorithm?

SHA-1

Select the secure alternative to the telnet protocol:

SSH

Telnet is inherently insecure because its communications is in plaintext and easily intercepted. Which of the following is an acceptable alternative to Telnet?

SSH

Which protocol does HTTPS use to offer greater security in web transactions?

SSL

You are purchasing a hard disk from an online retailer over the internet. What does your browser use to ensure that others cannot see your credit card number on the internet?

SSL

What form of cryptography is best suited for bulk encryption because it is so fast?

Symmetric key cryptography

Which of the following forms of cryptography is best implemented in hardware?

Symmetric stream

cryptographic hash:

A function that is one-way (nonreversible), has a fixed length output, and is collision resistant.

What is a PKI?

A hierarchy of computers for issuing certificates.

When Bob needs to send Alice a message with a digital signature, whose private key is used to encrypt the hash?

Bob's private key

Which of the following is a direct protection of integrity?

Digital signature

What is the most obvious means of providing non-repudiation in a cryptography system?

Digital signatures

If this information is disclosed, it could cause severe and permanent damage to military actions.

secret

Digital Signature

A mathematical scheme for demonstrating the authenticity of digital message or document.

Which of the following protocols can TLS use for key exchange? (Select two.)

-RSA -Diffie Hellman

Which of the following tools allow for remote management of servers? (Select two.)

-SSH -telnet

Which of the following protocols are often added to other protocols to provide secure transmission of data? (Select two.)

-TLS -SSL

If a birthday attack is successful, meaning the attacker discovers a password that generates the same hash as that captured from a user's login credentials, which of the following is true? (Select two.)

-a collision was discovered -the discovered password will allow the attacker to log in as the user, even if the discovered password is not the same as the user's password

You've used BitLocker to implement full volume encryption on a notebook system. The notebook motherboard does not have a TPM chip, so you've used an external USB flash drive to store the BitLocker startup key. You use EFS to encrypt the C:\Secrets folder and its contents. Which of the following is true in this scenario? (Select two.)

-by default only the user who encrypted the C:\Secrets\confidential.docx file will be able to open it - if the C:\secret\confidential docx file is copy to an external USB flash drive it will be saved in an unencrypted state

Which of the following are true of Triple DES (3DES)? (Select two.)

-uses a 168 bit key -is used in Ipsec

Your network performs a full backup every night. Each Sunday, the previous night's backup tape is archived. On a Wednesday morning, the storage system fails. How many restore operations will you need to perform to recover all of the data?

1

You've used BitLocker to implement full volume encryption on a notebook system. The notebook motherboard does not have a TPM chip, so you've used an external USB flash drive to store the BitLocker startup key. Which system components are encrypted in this scenario? (Select two.)

-C:\ volume -Master boot record

IPsec is implemented through two separate protocols. What are these protocols called? (Select two.)

-ESP -AH

The SHA-1 hashing algorithm creates a digest that is how many bits in length?

160 bits

Your network uses the following backup strategy: Full backups every Sunday night Differential backups Monday through Saturday nights On Thursday morning, the storage system fails. How many restore operations will you need to perform to recover all of the data?

2

You have been asked to implement a RAID 5 solution for your network. What is the minimum number of hard disks that can be used to configure RAID 5?

3

After the DES cipher was broken and no longer considered secure, what encryption algorithm was made as its successor?

3DES

Your network uses the following backup strategy: Full backups every Sunday night Incremental backups Monday night through Saturday night On a Thursday morning, the storage system fails. How many restore operations will you need to perform to recover all of the data?

4

What length SSL and TLS keys are generally considered to be strong?

4096

Which of the following cloud storage access services acts as a gatekeeper, extending an organization's security policies into the cloud storage infrastructure?

A cloud access security broker

You want email sent from users in your organization to be encrypted to make messages more secure. Which of the following is an option you can use to enhance the encryption of email messages?

A cryptographic service provider

Pulping

A method for removing all traces of ink from paper by using chemicals and then mashing the paper into pulp.

Symmetric Cryptography

A method of encryption that uses a single key for both encryption and decryption.

Asymmetric Cryptography

A method of encryption that uses two different yet mathematically related keys, one for encryption and one for decryption.

Data Producer

A person responsible for creating or capturing data. Most people in an organization are data producers.

Data Custodian

A person that is responsible for the quality of the data on a day-to-day basis.

Privacy Officer

A person who oversees data activities to ensure they are in compliance with government laws.

Data Consumer

A person who uses data.

Diffusion

A property of a cryptographic algorithm that identifies the amount of change to the ciphertext when there is a change in the input text.

Confusion

A property of a cryptographic algorithm that makes the relationship between the key and ciphertext as complex as possible.

PRNG:

A pseudo-random number generator is an algorithm used to generate a number that is sufficiently random for cryptographic purposes.

Encryption Key

A random string of bits used in an encryption algorithm to scramble and unscramble data.

Data Owner

A senior person in an organization with the authority to make decisions regarding the quality of data created, stored, consumed, and retired.

What type of key or keys are used in symmetric cryptography?

A shared private key

Which of the following best describes high amplification when applied to hashing algorithms?

A small change in the message results in a big change in the hash value.

Wiping

A software-based method of overwriting data to completely destroy all electronic data residing on a hard disk drive or other digital media.

rainbow table:

A table of precomputed hashes used to guess passwords by searching for the hash of a password.

Which standard was approved by NIST in late 2000 as a replacement for DES?

AES

You want to encrypt data on a removable storage device. Which encryption method would you choose to use the strongest method possible?

AES

Challenge Handshake Authentication Protocol (CHAP):

An authentication protocol that periodically reauthenticates.

Which of the following is a mathematical attack that targets the complexity of a cryptosystem's algorithm?

Analytic attack

symmetric cipher:

Any cryptographic algorithm that uses the same key to encrypt and decrypt. DES, AES, and Blowfish are examples.

A PKI is an implementation for managing which type of encryption?

Asymmetric

Generates two different yet mathematically related keys.

Asymmetric

Only the private key can be used to decrypt information.

Asymmetric

The public key can only be used to encrypt information.

Asymmetric

MTTR

Identifies the average amount of time necessary to repair a failed component or to restore operations

Which of the following statements is true when comparing symmetric and asymmetric cryptography?

Asymmetric key cryptography is used to distribute symmetric keys.

What does a differential backup do during the backup?

Backs up all files with the archive bit set and does not reset the archive bit.

What does an incremental backup do during the backup?

Backs up all files with the archive bit set and resets the archive bit.

If two different messages or files produce the same hashing digest, then a collision has occurred. Which form of cryptographic attack exploits this condition?

Birthday attack

You want a security solution that protects the entire hard drive and prevents access even if the drive is moved to another system. Which solution should you choose?

BitLocker

salt:

Bits added to a hash to make it resistant to rainbow table attacks.

This mode can encrypt or decrypt one fixed-length block.

Block Cipher Mode

What is a block cipher algorithm that operates on 64-bit blocks and can have a key length from 32 to 448 bits?

Blowfish

Which of the following attacks typically takes the longest amount of time to complete?

Brute force attack

Which of the following is used in conjunction with a local security authority to generate the private and public key pair used in asymmetric cryptography?

CSP

Which of the following conditions does not result in a certificate being added to the certificate revocation list?

Certificate expiration

A document that describes in detail how a CA uses and manages certificates, as well as how end users register for a digital certificate, is known as?

Certificate practice statement (CPS)

Your company produces an encryption device that lets you enter text and receive encrypted text in response. An attacker obtains one of these devices and starts inputting random plaintext to see the resulting ciphertext. Which type of attack is this?

Chosen plaintext

Each plaintext block is added to the previous cipher text block and then the result is encrypted with the key.

Cipher Block Chaining Mode

Each cipher text block is fed back into the encryption and then encrypts the next plaintext block.

Cipher Feedback Mode

Which of the following is a recovery site that may have electricity connected, but there are no servers installed and no high-speed data lines present?

Cold site

When two different messages produce the same hash value, what has occurred?

Collision

You create a new document and save it to a hard drive on a file server on your company's network. Then you employ an encryption tool to encrypt the file using AES. This activity is an example of accomplishing which security goal?

Confidentiality

Which of the following is considered an out-of-band distribution method for private key encryption?

Copying the key to a USB drive

Sender and recipient access a reliable counter that computes a new shared value each time a cipher text block is exchanged.

Counter Mode

Which of the following functions are performed by the TPM?

Create a hash of system components

Hashing algorithms are used to perform what activity?

Create a message digest

What is the primary function of the IKE protocol used with IPsec?

Create a security association between communicating partners.

asymmetric cipher:

Cryptographic algorithms that use two different keys one key to encrypt and another to decrypt. Also called public key cryptography.

Cryptography

Cryptographic protocols that remain secure and resistant to side channel attacks.

Which of the following encryption mechanisms offers the least security because of weak keys?

DES

Which of the following is the weakest symmetric encryption method?

DES

When you dispose of a computer or sell used hardware and it is crucial that none of the data on the hard disks can be recovered. Which of the following actions can you take to ensure that no data is recoverable?

Damage the hard disks so badly that all data remanence is gone.

Which of the following is a technology that tries to detect and stop sensitive data breaches, or data leakage incidents, in an organization?

Data loss prevention

You have a computer with three hard disks. A RAID 0 volume uses space on Disk 1 and Disk 2. A RAID 1 volume uses space on Disk 2 and Disk 3. Disk 2 fails. Which of the following is true?

Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not.

Which type of password attack employs a list of pre-defined passwords that it tries against a login prompt or a local copy of a security accounts database?

Dictionary

Which backup strategy backs up only files that have the archive bit set, but does not mark them as having been backed up?

Differential

Which cryptography system generates encryption keys that could be used with DES, AES, IDEA, RC5, or any other symmetric cryptography solution?

Diffie-Hellman

Which key exchange requires Alice and Bob to each agree upon a large prime number and related integer?

Diffie-Hellman

At the end of the cryptographic process, output is generated. With one type of output, simple character changes in the plaintext will cause several characters to change in the cipher text. What type of output is this?

Diffusion

What is the U.S. federal government standard for digital signatures?

Digital Signature Algorithm

You manage your company's website. The Web1 server hosts the website. This server has the following configuration: Dual core processor Dual power supplies RAID 5 volume One RAID controller Two 1000 Mbps network adapters Which component is a single point of failure for the website?

Disk controller

Cloud storage is a virtual service, so the infrastructure is the responsibility of the storage provider. Access control should be set as a local file system would be, with no need for the provider to have access to the stored data. You are implementing the following measures to secure your cloud storage: Verifying that security controls are the same as in a physical datacenter. Using data classification policies. Assigning information into categories that determine storage, handling, and access requirements. Assigning information classification based on information sensitivity and criticality. Which of the following is another security measure you can implement?

Disposing of data when it is no longer needed by using specialized tools.

Which of the following security measures encrypts the entire contents of a hard drive?

DriveLock

What cryptographic method, first proposed in the mid-1980s, makes use of sloping curves instead of large prime numbers?

ECC

Implements the Diffie-Hellman key exchange protocol using elliptic curve cryptography

ECDH

Which of the following security solutions would prevent a user from reading a file that she did not create?

EFS

Which form of asymmetric cryptography is based upon Diffie-Hellman?

El Gamal

What block cipher mode of operation uses the most basic approach where the plaintext is divided into blocks, and each block is then encrypted separately?

Electronic Code Book

You would like to implement BitLocker to encrypt data on a hard disk, even if it is moved to another system. You want the system to boot automatically without providing a startup key on an external USB device. What should you do?

Enable the TPM in the BIOS

Which of the following DLP implementations can be used to monitor and control access to the physical devices on workstations or servers?

Endpoint DLP

Exist only for the lifetime of a specific communication session

Ephemeral keys

MTBF

Identifies the average lifetime of a system or component

Which of the following is an example of a statistical attack against a cryptosystem?

Exploiting a computer's inability to produce random numbers

Which of the following is an enhanced type of domain digital certificate?

Extended Validation

Which of the following is a secure alternative to FTP that uses SSL for encryption?

FTPS

DLP can be used to identify sensitive files in a file system and then embed the organization's security policy within the file. Which of the following DLP implementations travels with sensitive data files when they are moved or copied?

File-level DLP

Which backup strategy backs up all files from a computer's file system regardless of whether the file's archive bit is set or not and marks them as having been backed up?

Full

What is the main function of a TPM hardware chip?

Generate and store cryptographic keys

Your organization uses the following tape rotation strategy for its backup tapes: The first set of tapes is used for daily backups. At the end of each week, the latest daily backup tape is promoted to the weekly backup tape. At the end of each month, one of the weekly backup tapes is promoted to the monthly backup tape. What kind of backup tape rotation strategy is being used?

Grandfather

Google Cloud, Amazon Web Services, and Microsoft Azure are some of the most widely used cloud storage solutions for enterprises. Which of the following factors prompt companies to take advantage of cloud storage? (Select two.)

Growing demand for storage Need to bring costs down

Which of the following government acts protects medical records and personal health information?

HIPAA

Which TCP/IP protocol is a secure form of HTTP that uses SSL as a sublayer for security?

HTTPS

Which of the following protocols uses port 443?

HTTPS

Which of the following is used to verify that a downloaded file has not been altered?

Hash

Algorithm used for signature verification and data integrity checking.

Hashing

A birthday attack focuses on what?

Hashing algorithms

You have been asked to deploy a network solution that includes an alternate location where operational recovery is provided within minutes of a disaster. Which of the following strategies would you choose?

Hot site

Which of the following password attacks adds appendages to known dictionary words?

Hybrid

Which of the following symmetric cryptography systems does not support a variable block size?

IDEA

Which of the following network layer protocols provides authentication and encryption services for IP-based network traffic?

IPsec

You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files. What should you do?

Implement BitLocker with a TPM.

Which form of cryptanalysis focuses on weaknesses in software, the protocol, or the encryption algorithm?

Implementation attack

If this information is disclosed, it could cause some harm, but not a national disaster.

sensitive but unclassified

Which of the following symmetric block ciphers does not use a variable block length?

International Data Encryption Algorithm (IDEA)

Which aspect of a certificate makes it a reliable and useful mechanism for proving the identity of a person, system, or service on the internet?

It is a trusted third-party.

When should a hardware device be replaced in order to minimize downtime?

Just before it's MTBF is reached

What common method is used to ensure the security and integrity of a root CA?

Keep it in an offline state from the network.

When an attacker decrypts an encoded message using a different key than was used during encryption, what type of attack has occurred?

Key clustering

In which type of attack does the attacker have access to both the plaintext and the resulting cipher text, but does not have the ability to encrypt the plain text?

Known plaintext

You have a web server on your network that hosts the public website for your company. You want to make sure that the website will continue to be available even if a NIC, hard drive, or other problem prevents the server from responding. Which solution should you implement?

Load balancing

You manage a server that runs your company website. The web server has reached its capacity, and the number of client requests is greater than the server can handle. You would like to find a solution so that a second server can respond to requests for website content. Which solution should you implement?

Load balancing

Which of the following is the weakest hashing algorithm?

MD5

Mary wants to send a message to Sam. She wants to digitally sign the message to prove that she sent it. Which key would Mary use to create the digital signature?

Mary's private key

MTTF

Measures the average time to failure of a system or component

When is the best time to apply for a certificate renewal?

Near the end of the certificate's valid lifetime

DLP can be implemented as a software or hardware solution that analyzes traffic in an attempt to detect sensitive data that is being transmitted in violation of an organization's security policies. Which of the following DLP implementations analyzes traffic for data containing such things as financial documents, social security numbers, or key words used in proprietary intellectual property?

Network DLP

How many keys are used with symmetric key cryptography?

One

Which technology was developed to help improve the efficiency and reliability of checking the validity status of certificates in large, complex environments?

Online Certificate Status Protocol

SHA-1 uses which of the following bit length hashing algorithms?

Only 160-bit

Which of the following are backed up during a differential backup?

Only files that have changed since the last full backup.

Which of the following are backed up during an incremental backup?

Only files that have changed since the last full or incremental backup.

Feeds the output blocks back to the block cipher.

Output Feedback Mode

Uses no deterministic algorithm when generating public keys

Perfect forward secrecy

Your disaster recovery plan calls for tape backups stored at a different location. The location is a safe deposit box at the local bank. Because of this, the disaster recovery plan specifies that you choose a method that uses the fewest tapes, but also allows you to quickly back up and restore files. Which backup strategy would best meet the disaster recovery plan for tape backups?

Perform a full backup once per week and a differential backup the other days of the week.

Above all else, what must be protected to maintain the security and benefit of an asymmetric cryptographic solution, especially if it is widely used for digital certificates?

Private keys

Which of the following is NOT a feature of the cloud storage model of data storage?

Provides access control to the file system stored in the cloud.

Which of the following data destruction techniques uses a punch press or hammer system to crush a hard disk?

Pulverizing

Degaussing

Purges a hard disk by exposing it to high magnetic pulses that destroys all of the data on the disk.

Which of the following disk configurations might sustain losing two disks? (Select two.)

RAID 0+1 RAID 1+0

What option is an advantage RAID 5 has over RAID 1?

RAID 5 improves performance over RAID 1.

Which of the following can be classified as a stream cipher?

RC4

Which version of the Rivest cipher is a block cipher that supports variable bit length keys and variable bit block sizes?

RC5

Which hash algorithm's primary design feature is two different and independent parallel chains of computation, the results of which are then combined at the end of the process?

RIPEMD

Which of the following algorithms are used in asymmetric encryption? (Select two.)

RSA Diffie-Hellman

Which form of alternate site is the cheapest, but may not allow an organization to recover before reaching their maximum tolerable downtime?

Reciprocal agreement

You have lost the private key that you have used to encrypt files. You need to get a copy of the private key to open some encrypted files. Who should you contact?

Recovery agent

What is the primary security feature that can be designed into a network's infrastructure to protect and support availability?

Redundancy

Which of the following is an entity that accepts and validates information contained within a request for a certificate?

Registration authority

Even if you perform regular backups, what must be done to ensure that you are protected against data loss?

Regularly test restoration procedures

You want to allow traveling users to connect to your private network through the internet. Users will connect from various locations, including airports, hotels, and public access points such as coffee shops and libraries. As such, you won't be able to configure the firewalls that might be controlling access to the internet in these locations. Which of the following protocols would be most likely to be allowed through the widest number of firewalls?

SSL

Mary wants to send a message to Sam so that only Sam can read it. Which key would be used to encrypt the message?

Sam's public key

A receiver wants to verify the integrity of a message received from a sender. A hashing value is contained within the digital signature of the sender. Which of the following must the receiver use to access the hashing value and verify the integrity of the transmission?

Sender's public key

SSL (Secure Sockets Layer) operates at which layer of the OSI model?

Session

Can be reused by multiple communication sessions

Static keys

Generates a single key that is used for both encryption and decryption.

Symmetric

If a message sender encrypts a message with a key and a message receiver decrypts it using the same key, which type of key exchange is taking place?

Symmetric

What technology uses a chip on the motherboard of the computer to provide cryptographic services?

TPM

An SSL client has determined that the Certificate Authority (CA) issuing a server's certificate is on its list of trusted CAs. What is the next step in verifying the server's identity?

The CA's public key must validate the CA's digital signature on the server certificate.

X.509:

The X.509 standard is the most widely used standard for digital certificates.

Non-Repudiation

The assurance that someone cannot deny something.

Which of the following best describes a side-channel attack?

The attack is based on information gained from the physical implementation of a cryptosystem.

Which action is taken when the private key associated with a digital certificate becomes compromised?

The certificate is revoked and added to the Certificate Revocation List.

Certificate revocation should occur under all but which of the following conditions?

The certificate owner has held the certificate beyond the established lifetime timer

When using SSL authentication, what does the client verify first when checking a server's identity?

The current date and time must fall within the server's certificate validity period.

Low Latency

The delay before a transfer of data begins to follow an instruction for its transfer.

Encryption

The process of converting information or data into an code to prevent unauthorized access.

Information Classification

The process of determining what information will be disclosed and how to disclose it to ensure an organization's privacy requirements.

Purging

The removal of sensitive data, making sure that the data cannot be reconstructed by any known technique.

The success of asymmetric encryption is dependent upon which of the following?

The secrecy of the key

Why are brute force attacks always successful?

They test every possible valid combination

How many keys are used with Public Key cryptography?

Two

How many keys are used with asymmetric (public key) cryptography?

Two

Which of the following are characteristics of ECC? (Select two.)

Uses a finite set of values within an algebraic field Asymmetric encryption

Pulverizing

Using a punch press or hammer system to destroy a data storage device.

Which of the following is not a countermeasure against dictionary attacks?

Using short passwords

If your mission-critical services have a maximum tolerable downtime (MTD) (or a recovery time objective [RTO]) of 36 hours, what is the optimum form of recovery site?

Warm

What type of cryptography uses two keys instead of just one, generating both a private and a public key?

asymmetric

You manage a website for your company. The website uses three servers configured in a cluster. Incoming requests are distributed automatically between the three servers. All servers use a shared storage device that holds the website contents. Each server has a single network connection and a single power supply. Considering the availability of your website, which component represents a single point of failure?

Website storage

collision:

When two different inputs into a cryptographic hash produce the same output, this is known as a collision.

Collision

When two or more inputs create the same ciphertext.

Sensitive data is monitored by the data loss prevention (DLP) system in four different states. Which of the following is NOT one of the states monitored by DLP?

While a file with sensitive data is being created.

Which standard is most widely used for certificates?

X.509

You have just downloaded a file. You create a hash of the file and compare it to the hash posted on the website. The two hashes match. What do you know about the file?

Your copy is the same as the copy posted on the website.

Which of the following is NOT an advantage of using cloud storage?

Your organization can purchase additional storage capacity when needed.

What type of trust model has a single CA that acts as a facilitator to interconnect all other CAs?

bridge trust

The lowest level of classified information used by the military. Release of this information could cause damage to military efforts.

confidential

What process will remove all private and public keys along with the user's identification information in the CA?

destruction

What type of trust model is used as the basis for most digital certificates used on the Internet?

distributed trust

Which of the following certificates verifies the identity of the entity that has control over the domain name?

domain validation digital certificate

At what stage can a certificate no longer be used for any type of authentication?

expiration

What term best describes when cryptography is applied to entire disks instead of individual files or groups of files?

full disk encryption

What type of cryptographic algorithm creates a unique digital fingerprint of a set of data?

hash

Could cause loss of life or social hardship.

high

Could cause operational harm such as loss of control or loss of public trust.

high

The sender's key is sent to a recipient using a Diffie-Hellman key exchange.

in-band distribution

The sender's key is sent to the recipient using public key cryptography.

in-band distribution

In cryptography, which of the five basic protections ensures that the information is correct and no unauthorized person or malicious software has altered that data?

integrity

Could cause personal embarrassment or inconvenience.

low

What is used to create session keys?

master secret

Could cause operational harm such as loss of confidence or damage to reputation.

medium

Could cause personal hardship or embarrassment.

medium

The sender's key is burned to a CD and handed to the recipient.

out-of-band distribution

The sender's key is copied to a USB drive and handed to the recipient.

out-of-band distribution

If this information is released, it poses grave consequences to national security.

top secret

This information can be accessed by the public and poses no security threat.

unclassified

Which of the following items are contained in a digital certificate? (Select two.)

validity period public key

What kind of digital certificate is typically used to ensure the authenticity of a web server to a client?

web server