Security + Risk / Cryptography / PKI

Secure POP mail transmissions use which standard port number? A. 995 B. 110 C. 993 D. 443

A. 995

Which PKI component does the CA use to digitally sign issued certificates? A. Private key B. Public key C. CRL D. OCSP

A. Private key

Which public key cryptographic design can use smaller keys while maintaining cryptographic strength? A. CBC B. S/MIME C. ECC D. IPSec

C. ECC ---- C. Elliptic curve cryptography uses a set of points for a curve over a finite field instead of using prime number factoring for encryption. This allows for smaller key lengths, which minimizes required compute power. ECC small keys have the strength of much longer keys. For example, a 256-bit ECC key is equivalent to a 3072-bit RSA key. A, B, and D are incorrect. CBC is a mode of operation that can be used by a block cipher; the current plain text data block being processed is added to the previous encrypted block and the combined items are then encrypted. SMTP mail transfer traffic can be encrypted and digitally signed through the S/MIME protocol, which requires SMTP hosts to be configured with a PKI certificate. IPSec is a network security protocol.

Which network security protocol can encrypt all network traffic using a single configuration? A. TLS B. SSL C. IPSec D. HTTPS

C. IPSec

How do client devices trust the TLS certificate used by an HTTPS web server? A. Key escrow B. Stapling C. Pinning D. Certificate chaining

D. Certificate chaining -- D. The PKI chain of trust, also referred to as certificate chaining, is based on digital signatures written to issued certificates by a root or intermediary CA. For example, if a user device trusts RootCA1, then the user device trusts all certificates issued directly or indirectly by RootCA1. Pinning is a technique used to associate hosts with their public keys.

2. Which one of the following is responsible for implementing the data classification and security controls? Data owner Data custodian Data privacy officer Data controller

Data owner

3. Which data classification type contains data that would have a severe impact to the organization were it exposed, that should not be broadly shared internally or externally, and that should be tightly controlled? Public Proprietary Confidential Sensitive

Sensitive ch 14

1. Your organization uses the private and public labels to classify data, as the internal security policy details how data should be protected based on the classification label. The decision was made to add an additional "proprietary" label. Which is the most likely reason this was done? To create more searchable data To provide better data classification To clarify data that should not be shared outside the organization To reduce costs

To provide better data classification

Which of the following items are stored within a user PKI certificate? (Choose two.) A. Public key B. Intermediary CA C. CRL D. Expiration date

A. Public key D. Expiration date

Which service is provided by DNSSEC? A. Confidentiality B. Integrity C. Network address allocation D. Availability

B. Integrity

Which of the following is a cryptographic stream cipher? A. AES B. DES C. Blowfish D. RC4

D. RC4 ---- D. The Rivest Cipher 4 (RC4) algorithm is a stream cipher, meaning that data is encrypted 1 byte at a time instead of an entire data block (more than 1 byte) being encrypted at once. A, B, and C are incorrect. Advanced Encryption Standard (AES), Digital Encryption Standard (DES), and Blowfish are all block ciphers.

Which statements regarding PKI certificates are correct? (Choose two.) A. A certificate can be used for more than one cryptographic purpose. B. A 2048-bit key is considered weak. C. Certificates cannot be issued to routers. D. Certificates have an expiry date.

A. A certificate can be used for more than one cryptographic purpose. D. Certificates have an expiry date. (Public Key Infrastructure) ---- A and D. PKI certificates can be used for multiple purposes such as message encryption, digital signatures, and file encryption. Certificates have an expiry date upon which the certificate is no longer valid. B and C are incorrect. Although key length is not the only factor determining encryption strength, a 2048-bit key is not considered weak. Certificates can be issued to network infrastructure devices such as switches and routers for the purpose of client-to-network authentication, device-to-device authentication, or the decryption of network traffic.

Which of the following are symmetric encryption block ciphers? (Choose two.) A. AES B. CBC C. RC5 D. RC4

A. AES C. RC5 Cipher block chaining (CBC) is a mode of operation that can be used by a block cipher; the current plain text data block being processed is added to the previous encrypted block, and the combined items are then encrypted; then this is repeated. The RC4 algorithm is a stream cipher, meaning that data is encrypted 1 byte at a time instead of an entire data block (more than 1 byte) being encrypted at once.

Which cryptographic operations use an asymmetric private key? (Choose two.) A. Creating a digital signature B. Verifying a digital signature C. Encrypting a message D. Decrypting messages

A. Creating a digital signature D. Decrypting messages -------- A and D. Digital signatures assure the recipient of a message that it is authentic and has not been modified. The message sender's private key is used to create a digital signature thus constituting nonrepudiation; the sender cannot deny having sent and signed the message because only the sender has access to their private key. Private keys are also used to decrypt messages, such as e-mail messages. B and C are incorrect. Private keys create a digital signature and the related public key is used to verify the signature. The sender of an encrypted message must have access to the public key of message recipients in order to encrypt the message for them.

Which PKI verification processes can best mitigate the creation of phishing web sites by scammers? (Choose two.) A. Extended validation B. Domain validation C. CRL D. OSCP

A. Extended validation B. Domain validation --- A and B. Certification authorities perform various degrees of verification against CSRs. Domain validation certificates are easy to acquire. CAs require only that you prove DNS domain ownership such as through creating a DNS record in your domain with CA specified values, or through receipt of an e-mail message sent to the DNS domain owner. Before issuing extended validation certificates, CAs perform more tasks to ensure that the organization is genuine, such as by verifying organization details, whether the business is registered, and so on. Both types of certificates provide HTTPS security. C and D are incorrect. A CRL provides expired certificate serial numbers to ensure that expired certificates are not trusted. The OCSP enables the verification of the validity of a single certificate instead of an entire list of all expired certificates.

Which types of keys are all commonly required when connecting via HTTPS to an e-commerce web site? A. Public, private, and session B. Public and private C. Public only D. Private only

A. Public, private, and session

Which of the following is a valid CA signing algorithm? A. SHA 256 B. AES C. DES D. IKE

A. SHA 256 --- SHA 256 bits can be used by CAs to digitally sign certificates they issue, thus establishing a chain of trust. B, C, and D are incorrect. The listed algorithms are encryption or key exchange algorithms, not algorithms used specifically for digital signatures. AES is a symmetric block encryption cipher. Block ciphers encrypt entire data blocks as opposed to individual bytes of data. The older DES is rarely used these days because of its small key length (64 bits); instead AES 128 or 256 is used. Key exchange refers to two end-points communicating over a network to generate a unique session key. Diffie-Hellman is a key exchange algorithm used by network security protocols such as Internet key exchange (IKE).

After importing a user certificate file to an e-mail program, a user finds she cannot digitally sign sent e-mail messages. What are some possible reasons for this? (Choose two.) A. The certificate was not created for e-mail usage. B. The private key is not in the certificate. C. The public key is not in the certificate. D. The CA signature is not in the certificate.

A. The certificate was not created for e-mail usage. B. The private key is not in the certificate.

Which cryptographic operations use a public key? (Choose two.) A. Verifying digital signatures B. Encrypting messages C. Creating digital signatures D. Decrypting messages

A. Verifying digital signatures B. Encrypting messages

4. Which of the following is the monetary loss that can be expected for an asset from risk over a year? ALE SLE ARO BIA

ALE (ALE - monetary loss that can be expected for an asset from risk over a year) (ARO - the likelihood of a risk occurring within a year)

13. A recent audit revealed that most of the organization is not properly handling sensitive data correctly. To address this shortcoming, your organization is implementing computer security awareness training. What type of control is this? Logical Administrative Detective Physical

Administrative

Which PKI options can be used check for certificate validity? (Choose two.) A. Stapling B. CRL C. RA D. OSCP

B. CRL D. OSCP --- A CRL provides expired certificate serial numbers to ensure that expired certificates are not trusted. The OCSP enables verification of the validity of a single certificate instead of an entire list of all expired certificates as CRLs do.

You are a Windows administrator that uses PowerShell scripts to manage Windows devices over the network. Only trusted scripts should run on hosts. What should you configure? A. Intermediate CA B. Code-signing certificate C. Certificate signing request D. Registration authority

B. Code-signing certificate

You are providing consulting services to a legal firm that has a PKI. The firm would like to enable document workflow where documents are sent electronically to the appropriate internal employees. You are asked whether there is a way to prove that documents were sent from the user listed in the FROM field. Of the following, what would you recommend? A. File encryption B. Digital signatures C. E-mail encryption D. Certificate revocation list

B. Digital signatures --- B. A digital signature is created from a private key and is used to verify the authenticity and integrity of the message using the related public key. A, C, and D are incorrect. File and e-mail encryption provide confidentiality but not message authenticity and integrity. A CRL is a list of certificate serial numbers that have been revoked (not expired) for reasons such as a user leaving the organization or a lost or stolen user smartphone containing a certificate.

Which cryptographic technique allows the analysis of data without first decrypting it? A. Lightweight encryption B. Homomorphic encryption C. Entropy D. Blockchain

B. Homomorphic encryption --- B. Homomorphic encryption provides data confidentiality and is a computationally expensive cryptographic technique that allows encrypted data to be analyzed without fully decrypting it. Decrypting data, while it is accessed, presents a risk of unauthorized access while in a decrypted state. A, C, and D are incorrect. Lightweight encryption requires less compute power than traditional encryption algorithms and is well suited for mobile devices. In cryptography, entropy provides randomness, such as when generating key pairs. Blockchain provides a distributed public ledger of transactions that cannot be modified. Because the blockchain of transactions is managed by thousands of computers, it is not controlled by a single central organization or government.

You are configuring SNMPv3 authentication. Which of the following hashing algorithms are available? A. MD5, RSA B. MD5, SHA C. SHA, AES D. AES, 3DES

B. MD5, SHA ------- A, C, and D are incorrect. These items contain encryption algorithms that are not used for authentication. Rivest Shamir Adleman (RSA) is an asymmetric encryption standard, the AES algorithm is a symmetric block cipher, and 3DES is an older encryption standard whose use has diminished in favor of AES.

Which PKI component verifies the identity of certificate requestors before a certificate is issued? A. Public key B. RA C. Private key D. CRL

B. RA --- RAs are often referred to as intermediate CAs; they have the ability to accept certificate requests and either issue certificates or validate the request for issuance by another CA.

You are reviewing network perimeter firewall rules for the firewall public interface and notice allowances for incoming UDP port 161 and TCP port 443 traffic. What type of traffic will be allowed through the firewall public interface, assuming default ports are being used? (Choose two.) A. SFTP B. SNMPv3 C. FTPS D. HTTPS

B. SNMPv3 D. HTTPS

You need to reduce the amount of network traffic directed at CAs by OSCP clients. What should you configure? A. CSR B. Stapling C. CRL D. Pinning

B. Stapling --- B. To reduce the amount of queries sent directly to CAs, OCSP stapling is initiated by a certificate holder to the CA, and the response is cached and then provided to client queries. A CSR is generated by a subject that would like an issued certificate, and it contains information about the requestor such as company name, user contact information, web site URL, and user e-mail address, as well as a public key.

Which encryption algorithms can SNMPv3 use? A. AES, MD5 B. SHA-256, 3DES C. 3DES, AES D. MD5, 3DES

C. 3DES, AES

Which security technique associates a host with its related public key? A. CRL B. OSCP C. Certificate pinning D. FQDN

C. Certificate pinning --- C. Pinning is a technique used to associate hosts with their public keys. This can be done by client-side applications, including web browsers, that keep a copy, or a hash, of a host's public key. This is checked by the client app when server connectivity is initiated. A, B, and D are incorrect. A CRL provides expired certificate serial numbers to ensure that expired certificates are not trusted. The OCSP enables verification of the validity of a single certificate instead of an entire list of all expired certificates. Fully qualified domain names (FQDNs) are friendly names such as http://www.mheducation.ca/ that map to their associated IP addresses.

You are responsible for enabling TLS on a newly installed e-commerce web site. What should you do first? (Choose the best answer.) A. Install the web server digital certificate. B. Enable TLS on the web server. C. Create a CSR and submit it to a CA. D. Configure HTTPS on the web server to use port 443.

C. Create a CSR and submit it to a CA. ---- Depending on which tool is used, acquiring a publicly trusted server certificate for an e-commerce site begins with generating a public/private key pair, filling out information such as company name and web server URL, and providing the public key to the CA; this is a certificate signing request (CSR). A, B, and D are incorrect. If the site is new, the web server certificate will not yet exist. Most web servers will already have TLS support enabled, but even if this web server doesn't, enabling it will not achieve anything if a certificate isn't available to be used during a connection request. The web server cannot be configured to use port 443 for HTTPS until a server certificate is installed.

Your web server hosts the www.corp.com and info.corp.com DNS names. Both sites require HTTPS. Which configuration meets the stated requirement while requiring the least amount of administrative effort? A. Install two certificates; one for each DNS name. B. Install a certificate revocation list on the web server host. C. Install a subject alternative name certificate on the web server host. D. Configure IPSec for the web server host.

C. Install a subject alternative name certificate on the web server host. --- C. A subject alternative name (SAN) certificate enables you use one certificate to secure hosts with different names, such as www.corp.com and info.corp.com.

You are developing Microsoft PowerShell scripts to automate network administration tasks. The .PS1 script files need to be digitally signed and trusted to run on computers in your environment. You have already acquired a code-signing PKI certificate. You need to back up your private key. Which file format should you choose during export? (Choose two.) A. DER B. PEM C. PFX D. CER E. P12 F. P7B

C. PFX E. P12

You are planning your SMTP mail system so that mail transfers are encrypted. Which protocol should you use? A. NTS B. SRTP C. S/MIME D. LDAPS

C. S/MIME ---- C. Mail traffic can be encrypted and digitally signed through the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, which requires SMTP hosts to be configured with a PKI certificate.

You are evaluating a secure network management solution that will be used to monitor and configure network infrastructure devices remotely. Which of the following is the best choice? A. SFTP B. FTPS C. SNMPv3 D. HTTPS

C. SNMPv3 ----- The Simple Network Management Protocol (SNMP) version 3 supports authenticated and encrypted messages when remotely monitoring and managing devices running an SNMP agent such as routers, switches, and server operating systems. SNMP normally uses UDP port 161.

Users complain that they receive an untrusted web site warning in their web browsers when connecting to a HTTPS-enabled intranet web server, but not when they connect over HTTP. What is the most likely reason this is happening? A. Users have not yet authenticated to the web site. B. The web site is blocked by a content-filtering firewall. C. The web server is using a self-signed certificate. D. User devices do not have a client certificate installed.

C. The web server is using a self-signed certificate. --- C. HTTPS web server connectivity requires a PKI certificate installed on the server; HTTP does not. If the certificate is self-signed, meaning not issued by a trusted third-party issuer, then web browsers will present a security warning to users when they attempt to connect to the site.

Which IPSec configuration mode encapsulates origin IP packets? A. ESP B. AH C. Tunnel D. Transport

C. Tunnel --- C. IPSec tunnel mode can place an entire IP packet within another IP packet (encapsulation) and encrypt that payload. A, B, and D are incorrect. ESP can be used in both IPSec tunnel and transport modes to provide message authentication and confidentiality through encryption. Authentication Header provides only message authentication and not encryption. IPSec tunnel mode is used for IPSec VPNs where packet encapsulation is use, whereas transport mode encrypts the IP packet payload and does not use encapsulation.

An HTTPS-secured web site requires that you restrict some workstations from making a connection. Which option is the most secure? A. Configure the web site to allow connections only from the IP addresses of valid workstations. B. Configure the web site to allow connections only from the MAC addresses of valid workstations. C. Configure the web site to use user authentication. D. Configure the web site to require client-side certificates.

D. Configure the web site to require client-side certificates. --- A, B, and C are incorrect. The listed options are not as secure as client-side PKI certificates. IP addresses and MAC addresses are much easier to spoof than a certificate, and the requirement is to restrict workstations, not users, to the web site.

For security and performance reasons, you would like IP phone VoIP traffic to be isolated from regular TCP/IP network traffic. Which network protocol will allow this end result? A. IPSec B. S/MIME C. SSH D. DHCP

D. DHCP ---- D. You can configure DHCP vendor-class options to identity the type of device making a DHCP request (IP phone), and then assign IP settings such as IP address range and default gateway. A, B, and C are incorrect. IPSec is a network security protocol that can be configured to authenticate and encrypt network traffic, including establishing a VPN tunnel. SMTP mail transfer traffic can be encrypted and digitally signed through the S/MIME protocol, which requires SMTP hosts to be configured with a PKI certificate. SSH is an encrypted remote management protocol that uses TCP port 22.

Which of the following is never stored with a digital certificate? A. Public key B. Private key C. Digital signature of issuing CA D. IP address of CA server

D. IP address of CA server --- D. The IP address of the issuing CA server is not stored in an issued certificate. A, B, and C are incorrect. The listed items are all valid items that can be stored with a certificate. With a PKI, public and private key pairs are associated with a specific certificate. With some CA issued certificates, installing a certificate, such as one used for HTTPS on a web server, also installs the related private key automatically. Sharing a certificate with others for purposes such as e-mail encryption means only the public key is included.

When users connect to an intranet server by typing https://intranet.corp.local, their web browser displays a warning message stating the site is not to be trusted. How can this warning message be removed while maintaining security? A. Configure the web server to use HTTP instead of HTTPS. B. Install the intranet server private key on all client workstations. C. Use TCP port 443 instead of TCP port 80. D. Install the trusted root certificate in the client web browser for the issuer of the intranet server certificate.

D. Install the trusted root certificate in the client web browser for the issuer of the intranet server certifica

Which benefit is derived from using a HSM to carry out cryptographic operations as opposed to a standard operating system such as Microsoft Windows? A. Ability to store cloud-generated certificates B. Ability to enable IPSec tunnel mode C. Lower cost D. Lower computational latency

D. Lower computational latency (HSM) is a tamper-proof dedicated appliance that can securely store cryptographic keys and perform cryptographic operations. Offloading these tasks from a Microsoft Windows computer results in lower computational latency, since dedicated firmware is generally faster and more reliable than a general purpose operating system.

Which type of key is used by an IPSec VPN configured with a pre-shared key (PSK)? A. Public B. Private C. Asymmetric D. Symmetric

D. Symmetric ----- D. With symmetric encryption, the same key is used for encryption and decryption. The IPSec VPN PSK must be configured on both ends of the VPN tunnel. A, B, and C are incorrect. PSKs do not use asymmetric encryption, which uses public and private key pairs. With asymmetric encryption, the public key encrypts and the related private key decrypts.

You have configured LDAP over SSL (LDAPS) with default settings to secure directory service queries across subnets. Which port must be open on the subnet firewall? A. TCP 389 B. TCP 22 C. TCP 25 D. TCP 636

D. TCP 636 ---- D. Lightweight Directory Access Protocol Secure (LDAPS) uses a PKI certificate to secure LDAP connections over the network and uses TCP port 636. LDAP is used to connect to and query a centralized network directory service database such as Microsoft Active Directory. A, B, and C are incorrect. LDAP uses TCP and UDP ports 389, SSH uses TCP port 22, and SMTP uses TCP port 25.

Your company has registered DNS domains such as corp.com and info.corp.com. You need to ensure that web servers for these DNS domains use secured HTTPS, and you must also ensure that future subdomains of corp.com are supported for HTTPS with the least amount of administrative effort. What should you deploy? A. A certificate for each current and future web site B. RA C. SAN certificate D. Wildcard certificate

D. Wildcard certificate --- D. Wildcard certificates are similar to SAN certificates in that a single certificate can be used to secure multiple DNS domain names, such as www.corp.com and info.corp.com. The primary difference between wildcard certificates and SAN certificates is that wildcard certificates, such as for *.corp.com, would allow future subdomains under corp.com to be secured. SAN certificates use hard-coded DNS domain names.

10. Your organization currently runs an operating system for which software developed after the end of last month may no longer work or even be installable. Which of the following best describes this milestone for the operating system? ISA EOL NDA MOU

EOL

5. Your manager needs to know, for budgetary purposes, the average life span for each of the firewall appliances. Which of the following should you provide? MTBF RPO RTO MTTF

MTTF

9. Which of the following legally binding controls should you consider in order to protect sensitive information from being improperly disclosed by a third-party vendor you are hiring for consulting work in the organization? DLP SOP Separation of Duties NDA

NDA

7. Which of the following equations best represents the proper assessment of exposure to danger? Risk = Threat × Vulnerability × Impact Impact = Risk × Threat × Vulnerability Vulnerability = Threat × Risk × Impact Threat = Risk × Impact × Vulnerability

Risk = Threat × Vulnerability × Impact

8. Say that you work for a cloud service provider. Prior to signing off on a purchase order for a new security cloud service, a prospective customer wants to understand the nature of what you are providing and what levels of service in regard to performance and uptime your service offers. What should you provide the prospective customer? ISA MOU BPA SLA

SLA

6. An organization is increasingly subject to compliance regulations and is making strong efforts to comply with them but is still concerned about issues that might occur. Management decides to buy insurance to help cover the costs of a potential breach. Which of the following risk response techniques is the organization using? Avoidance Transference Acceptance Mitigation

Transference