exam2 x2

Question 1

explain hashing

Answer 1

Hashing provides a one-way cryptographic algorithm that allows for the secure storage of passwords.

Question 2

explain digital signatures

Answer 2

Digital signatures use hashing and asymmetric encryption to ensure integrity
and non-repudiation of data.

Question 3

explain data encryption

Answer 3

-Data encryption is a way of translating data from plaintext (unencrypted) to ciphertext (encrypted)

-Data encryption ensures that information can be securely transmitted from a
source to a destination.

Question 4

explain key escrow

Answer 4

Key escrow is commonly used as a method of storing decryption keys with a
trusted third-party

Question 5

briefly describe certificate authorities

Answer 5

Certificate authorities are used as a method of trusting a certificate. If a
certificate has been signed by a trusted CA, then the certificate owner can also
be trusted.

Question 6

briefly describe Perfect forward secrecy

Answer 6

Perfect forward secrecy uses temporary encryption keys that change between
sessions. This constant switching of keys makes it more difficult for a third-party to decrypt the data.

Question 7

briefly explain data sovereignty

Answer 7

Data sovereignty
• Data sovereignty
– Data that resides in a country is subject to
the laws of that country
– Legal monitoring, court orders, etc.
• Laws may prohibit where data is stored
– GDPR (General Data Protection Regulation)
– Data collected on EU citizens must be stored in the EU
– A complex mesh of technology and legalities
• Where is your data stored?
– Your compliance laws may prohibit
moving data out of the country

Question 8

briefly explain data masking

Answer 8

Data masking
• Data obfuscation
– Hide some of the original data
• Protects PII
– And other sensitive data
• May only be hidden from view
– The data may still be intact in storage
– Control the view based on permissions
• Many different techniques
– Substituting, shuffling, encrypting, masking out, etc.

Question 9

briefly explain data at rest

Answer 9

Data at-rest
• The data is on a storage device
– Hard drive, SSD, flash drive, etc.
• Encrypt the data
– Whole disk encryption
– Database encryption
– File- or folder-level encryption
• Apply permissions
– Access control lists
– Only authorized users can access the data

Question 10

briefly explain data in transit

Answer 10

Data in-transit
• Data transmitted over the network
– Also called data in-motion
• Not much protection as it travels
– Many different switches, routers, devices
• Network-based protection
– Firewall, IPS
• Provide transport encryption
– TLS (Transport Layer Security)
– IPsec (Internet Protocol Security)

Question 11

briefly explain data in use

Answer 11

Data in-use
• Data is actively processing in memory
– System RAM, CPU registers and cache
• The data is almost always decrypted
– Otherwise, you couldn’t do anything with it
• The attackers can pick the decrypted information
out of RAM
– A very attractive option
• Target Corp. breach - November 2013
– 110 million credit cards
– Data in-transit encryption and data at-rest encryption
– Attackers picked the credit card numbers out of the
point-of-sale RAM

Question 12

briefly explain tokenization

Answer 12

Tokenization
• Replace sensitive data with a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
– Use a temporary token during payment
– An attacker capturing the card numbers
can’t use them later
• This isn’t encryption or hashing
– The original data and token aren’t mathematically related
– No encryption overhead

Question 13

briefly explain Information Rights Management (IRM)

Answer 13

Information Rights Management (IRM)
• Control how data is used
– Microsoft Office documents, 
email messages, PDFs
• Restrict data access to unauthorized persons
– Prevent copy and paste
– Control screenshots
– Manage printing
– Restrict editing
• Each user has their own set of rights
– Attackers have limited options

Question 14

A transportation company is installing new wireless access points in their
corporate offices. The manufacturer estimates that the access points will
operate an average of 100,000 hours before a hardware-related outage.
Which of the following describes this estimate?
❍ A. MTTR
❍ B. RPO
❍ C. RTO
❍ D. MTBF

Answer 14

The Answer: D. MTBF
The MTBF (Mean Time Between Failures) is the average time expected
between outages. This is usually an estimation based on the internal device
components and their expected operational lifetime.
The incorrect answers:
A. MTTR
MTTR (Mean Time to Repair) is the time required to repair a product or
system after a failure.
B. RPO
RPO (Recovery Point Objectives) define how much data loss would be
acceptable during a recovery.
C. RTO
RTO (Recovery Time Objectives) define the minimum objectives required
to get up and running to a particular service level.

Question 15

An organization has traditionally purchased insurance to cover a
ransomware attack, but the costs of maintaining the policy have increased
above the acceptable budget. The company has now decided to cancel the
insurance policies and deal with ransomware issues internally. Which of
the following would best describe this action?
❍ A. Mitigation
❍ B. Acceptance
❍ C. Transference
❍ D. Risk-avoidance

Answer 15

The Answer: B. Acceptance
Risk acceptance is a business decision that places the responsibility of the
risky activity on the organization itself.
The incorrect answers:
A. Mitigation
If the organization was to purchase additional backup facilities and update
their backup processes to include offline backup storage, they would be
mitigating the risk of a ransomware infection.
C. Transference
Purchasing insurance to cover a risky activity is a common method of
transferring risk from the organization to the insurance company.
D. Risk-avoidance
To avoid the risk of ransomware, the organization would need to
completely disconnect from the Internet and disable all methods that
ransomware might use to infect a system. This risk response technique
would most likely not apply to ransomware.

Question 16

briefly describe the risk management strategy Acceptance.

Answer 16

– A business decision; we’ll take the risk!

Question 17

briefly describe the risk management strategy Risk-avoidance.

Answer 17

– Stop participating in a high-risk activity

Question 18

briefly describe the risk management strategy Transference.

Answer 18

– Buy some cybersecurity insurance

Question 19

briefly describe the risk management strategy Mitigation.

Answer 19

– Decrease the risk level

– Invest in security systems

Question 20

Which of the following would limit the type of information a company 
can collect from their customers?
❍ A. Minimization
❍ B. Tokenization
❍ C. Anonymization
❍ D. Masking

Answer 20

The Answer: A. Minimization
Data minimization is a guideline that limits the amount of collected
information to necessary data. This guideline is part of many data
privacy regulations, including HIPAA (Health Insurance Portability and
Accountability Act) and GDPR (General Data Protection Regulation).
The incorrect answers:
B. Tokenization
Tokenization replaces sensitive data with a non-sensitive placeholder.
Tokenization is commonly used for NFC (Near-Field Communication)
payment systems.
C. Anonymization
Anonymization changes data to remove or replace identifiable
information. For example, an anonymized purchase history database might
change the first and last names to random values but keep the purchase
information intact.
D. Masking
Data masking hides some of the original data to protect sensitive
information.

Question 21

A security administrator has identified a DoS attack against the
company’s web server from an IPv4 address on the Internet. Which of
the following security tools would provide additional details about the
attacker’s location? (Select TWO)
❍ A. tracert
❍ B. arp
❍ C. ping
❍ D. ipconfig
❍ E. dig
❍ F. netcat

Answer 21

The Answer: A. tracert and E. dig
Tracert (traceroute) provides a summary of hops between two devices. In
this example, tracert can be used to determine the local ISP’s IP addresses
and more information about the physical location of the attacker. The
dig (Domain Information Groper) command can be used to perform a
reverse-lookup of the IPv4 address and determine the IP address block
owner that may be responsible for this traffic.
The incorrect answers:
B. arp
The arp (Address Resolution Protocol) command shows a mapping of IP
addresses to local MAC addresses. This information doesn’t provide any
detailed location information outside of the local IP subnet.
C. ping
The ping command can be used to determine if a device may be connected
to the network, but it doesn’t help identify any geographical details.
D. ipconfig
The ipconfig command shows the IP address configuration of a local
device, but it doesn’t provide any information about a remote computer.
F. netcat
Netcat reads or writes information to the network. Netcat is often used as
a reconnaissance tool, but it has limited abilities to provide any location
information of a device.

SY0-601, Objective 4.1 - Reconnaissance Tools Part 1

Question 22

The network design of an online women’s apparel company includes a
primary data center in the United States and secondary data centers in
London and Tokyo. Customers place orders online via HTTPS to servers
at the closest data center, and these orders and customer profiles are then
centrally stored in the United States data center. The connections between
all data centers use Internet links with IPsec tunnels. Fulfillment requests
are sent from the United States data center to shipping locations in the
customer’s country. Which of the following should be the CIO’s MOST
significant security concern with this existing network design?
❍ A. IPsec connects data centers over public Internet links
❍ B. Fulfillment requests are shipped within the customer’s country
❍ C. Customer information is transferred between countries
❍ D. The data centers are located geographically distant from each other

Answer 22

The Answer: C. Customer information is transferred between countries
Data sovereignty laws can mandate how data is handled. Data that resides
in a country is usually subject to the laws of that country, and compliance
regulations may not allow the data to be moved outside of the country.
The incorrect answers:
A. IPsec connects data centers over public Internet links
Connecting remote locations using IPsec tunnels over public Internet
connections is a common method of securely linking sites together. If
someone was to capture the data traversing these links, they would find
that all of the data was encrypted.
B. Fulfillment requests are shipped within the customer’s country
There are no significant security issues associated with shipments within
the same country.
D. The data centers are located geographically distant from each other
A best practice for many international organizations is to have data centers
in geographically diverse locations to minimize the impact of any single
data center outage.

Question 23

briefly describe SAE

Answer 23

In cryptography, Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method.

Question 24

A government transport service has installed access points that support
WPA3. Which of the following technologies would provide enhanced
security for PSK while using WPA3?
❍ A. 802.1X
❍ B. SAE
❍ C. WEP
❍ D. WPS

Answer 24

The Answer: B. SAE
WPA3 (Wi-Fi Protected Access 3) enhances the PSK (Pre-Shared Key)
authentication process by privately deriving session keys instead of sending
the key hashes across the network.
The incorrect answers:
A. 802.1X
802.1X is a standard for authentication using AAA (Authentication,
Authorization and Accounting) services. 802.1X is commonly used in
conjunction with LDAP, RADIUS, or a similar authentication service.
C. WEP
WEP (Wired Equivalent Privacy) is an older wireless encryption
algorithm that was ultimately found to have cryptographic vulnerabilities.
D. WPS
WPS (Wi-Fi Protected Setup) is a standard method of connecting devices
to a wireless network without requiring a PSK or passphrase.

More information:
SY0-601, Objective 3.4 - Wireless Cryptography
https://professormesser.link/601030401

Question 25

Jack, a security administrator, has been tasked with hardening all of
the internal web servers to prevent on-path attacks and to protect the
application traffic from protocol analysis. These requirements should be
implemented without changing the configuration on the client systems.
Which of the following should Jack include in his project plan?
(Select TWO)
❍ A. Add DNSSEC records on the internal DNS servers
❍ B. Use HTTPS over port 443 for all server communication
❍ C. Use IPsec for client connections
❍ D. Create a web server certificate and sign it with the internal CA
❍ E. Require FTPS for all file transfers

Answer 25

The Answer: B. Use HTTPS over port 443 for all server communication,
and D. Create a web server certificate and sign it with the internal CA
Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol
will ensure that all network communication is protected between the web
server and the client devices. If someone manages to capture the network
traffic, they would be viewing encrypted data. A signed certificate from a
trusted internal CA (Certificate Authority) allows web browsers to trust
that the web server is the legitimate server endpoint. If someone attempts
an on-path attack, the certificate presented will not validate and a warning
message will appear in the browser.
The incorrect answers:
A. Add DNSSEC records on the internal DNS servers
DNSSEC (Domain Name System Security Extensions) records are useful
to validate the IP address of a device, but they would not prevent an
on-path attack. DNSSEC also doesn’t provide any security of the network
communication itself.
C. Use IPsec for client connections
IPsec (IP Security) would provide encrypted communication, but it is not
commonly used between a web client and web server. It would also require
additional configuration changes on the client devices.
E. Require FTPS for all file transfers
Web server communication occurs with HTTP or the encrypted HTTPS
protocols. The FTPS (File Transfer Protocol Secure) protocol is not
commonly used between web clients and servers.

More information:
SY0-601, Objective 3.1 - Secure Protocols
https://professormesser.link/601030101

Question 26

A security administrator is updating the network infrastructure to support
802.1X authentication. Which of the following would be the BEST
choice for this configuration?
❍ A. LDAP
❍ B. HTTPS
❍ C. SNMPv3
❍ D. MS-CHAP

Answer 26

The Answer: A. LDAP
LDAP (Lightweight Directory Access Protocol) is a common protocol
to use for centralized authentication. Other protocols such as RADIUS,
TACACS+, or Kerberos would also be valid options for 802.1X
authentication.
The incorrect answers:
B. HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is commonly used to
encrypt web server communication. HTTPS is not an authentication
protocol.
C. SNMPv3
SNMPv3 (Simple Network Management Protocol version 3) is used to
manage servers and infrastructure devices. SNMP is not an authentication
protocol.
D. MS-CHAP
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
was commonly used to authenticate devices using Microsoft’s Point-toPoint Tunneling Protocol (PPTP). Security issues related to the use of
DES (Data Encryption Standard) encryption in MS-CHAP eliminate it
from consideration for modern authentication.

Question 27

A security manager believes that an employee is using their laptop to
circumvent the corporate Internet security controls through the use of
a cellular hotspot. Which of the following could be used to validate this
belief? (Select TWO)
❍ A. HIPS
❍ B. UTM appliance logs
❍ C. Web application firewall events
❍ D. Host-based firewall logs
❍ E. Next-generation firewall logs

Answer 27

The Answer: A. HIPS and D. Host-based firewall logs
If the laptop is not communicating across the corporate network, then
the only evidence of the traffic would be contained on the laptop itself. A
HIPS (Host-based Intrusion Prevention System) and host-based firewall
logs may contain information about recent traffic flows to systems outside
of the corporate network.
The incorrect answers:
B. UTM appliance logs
A unified threat management appliance is commonly located in the core of
the network. The use of a cellular hotspot would circumvent the UTM and
would not be logged.
C. Web application firewall events
Web application firewalls are commonly used to protect internal web
servers. Outbound Internet communication would not be logged, and
anyone circumventing the existing security controls would also not be
logged.
E. Next-generation firewall logs
Although a next-generation firewall keeps detailed logs, any systems
communicating outside of the normal corporate Internet connection
would not appear in those logs.

Question 28

briefly describe NetFlow logs

Answer 28

NetFlow information can provide a summary of network traffic,
application usage, and details of network conversations. The NetFlow logs
will show all conversations from this device to any others in the network.

Question 29

briefly describe Asymmetric encryption

Answer 29

Asymmetric encryption uses different keys for encryption and decryption.

Question 30

briefly describe Key escrow

Answer 30

Key escrow is when a third-party holds the decryption keys for your data.

Question 31

Briefly describe Out-of-band key exchange

Answer 31

Keys can be transferred between people or systems over the network (inband) or outside the normal network communication (out-of-band).