Objective 1 Flashcards

1
Q

Which asymmetric encryption technique provides a comparable level of security with shorter key lengths, making it efficient for cryptographic operations?

DSA
ECC
Diffie-Hellman
RSA

A

ECC is the correct answer. Elliptic Curve Cryptography (ECC) provides a comparable level of security with shorter key lengths compared to other asymmetric encryption methods like RSA. This makes it more efficient in terms of computational power and storage requirements, which is particularly advantageous in resource-constrained environments like mobile devices.

DSA is incorrect because it is primarily used for digital signatures rather than encryption and does not specifically offer efficiency through shorter key lengths. Diffie-Hellman is also incorrect because, while it is used for secure key exchange, it is not primarily focused on shorter key lengths for comparable security. RSA is incorrect because, although it is widely used, it requires much longer key lengths than ECC to achieve the same level of security, making it less efficient.

2
Q

Kelly Innovations Corp, an IT company, is implementing a process of encryption where two parties establish a shared secret for communication purposes. Which of the following MOST accurately describes this process?

Hashing
Asymmetric encryption
Key exchange
Symmetric encryption

A

Key exchange is the correct answer. The process of establishing a shared secret for communication purposes typically involves a key exchange mechanism, such as the Diffie-Hellman protocol. This allows two parties to securely agree on a symmetric key over an insecure channel, which is then used for encryption.

Hashing is incorrect because hashing does not involve shared secrets or encryption; it is used to ensure data integrity by creating a unique, fixed-size hash value for data. Asymmetric encryption is incorrect because it uses a pair of public and private keys for encryption and decryption, not a shared secret. Symmetric encryption is incorrect in this context because it uses the shared key for actual encryption and decryption but does not describe the process of establishing the shared key itself.

3
Q

Lexicon, an AI company, wants to implement a security measure to identify and evaluate potential threats to their systems and networks. Which of the following is an example of a managerial security control that the company could implement?

Risk assessments
Intrusion detection system
Firewall
Security guards

A

Risk assessments are the correct answer. A risk assessment is a managerial security control because it involves identifying, analyzing, and evaluating potential threats and vulnerabilities to determine how they might impact the organization. This is a high-level process focused on planning and decision-making.

An intrusion detection system is incorrect because it is a technical security control that monitors and analyzes network traffic for suspicious activity. A firewall is also incorrect because it is another example of a technical control that enforces security policies by controlling incoming and outgoing network traffic. Security guards are incorrect because they are a physical security control, focusing on protecting physical assets rather than evaluating threats through managerial processes.

4
Q

When sending an encrypted message to Dion Training, a client would use which of the following to ensure only Dion Training can decrypt and read the message?

Private key
Wildcard certificate
Key escrow
Public key

A

Public key is the correct answer. When sending an encrypted message to Dion Training, the client would use Dion Training’s public key to encrypt the message. Only Dion Training can decrypt it using their corresponding private key, ensuring the confidentiality of the communication.

Private key is incorrect because it is kept secret by Dion Training and is used to decrypt the message, not for the sender to encrypt it. A wildcard certificate is incorrect because it is used to secure multiple subdomains with SSL/TLS and is not directly related to encrypting messages for confidentiality. Key escrow is incorrect because it refers to storing and managing cryptographic keys securely, not to the encryption process itself.

5
Q

Reginald, an IT Manager, is the owner of a file on a server and wants to grant his colleagues access to the file. He is the only one who can decide who is allowed access to the file and what actions they can perform on it. Which authorization model is being used in this scenario?

RBAC
MAC
ABAC
DAC

A

DAC is the correct answer. Discretionary Access Control (DAC) allows the owner of a resource, in this case, Reginald, to determine who has access to the file and what actions they can perform on it. This model provides flexibility and gives the resource owner full control over access permissions.

RBAC is incorrect because Role-Based Access Control assigns permissions based on roles within the organization rather than individual resource ownership. MAC is incorrect because Mandatory Access Control relies on predefined policies set by a central authority, not by the resource owner. ABAC is incorrect because Attribute-Based Access Control uses attributes like user characteristics or environmental factors to define access permissions, rather than granting access at the discretion of the owner.

6
Q

At Kelly Innovations Corp., Sarah noticed that their core business application, which tracks customer orders, was not updating inventory levels accurately. A recent update seemed to have introduced a bug. Which of the following would offer the BEST solution?

Application rollback
Dependency check
Patch management
Application restart

A

Application rollback is the correct answer. Rolling back the application to a previous, stable version would resolve the issue by reverting the changes introduced by the buggy update, ensuring that inventory levels are updated accurately while the problem is addressed.

Dependency check is incorrect because it focuses on ensuring that all required software components or libraries are in place, but it would not directly fix an issue caused by the update itself. Patch management is incorrect because it involves applying updates to address security vulnerabilities or bugs, but in this case, the update introduced the problem rather than solving one. Application restart is incorrect because while it might temporarily clear minor glitches, it would not resolve a deeper issue caused by the update’s faulty implementation.

7
Q

When considering the RSA algorithm, which description BEST captures its underlying mathematical property used for public key cryptography?

Hash function
Trapdoor function
Symmetric encryption
Digital signature

A

Trapdoor function is the correct answer. The RSA algorithm relies on a mathematical trapdoor function, which is easy to compute in one direction (encryption with the public key) but extremely difficult to reverse (decryption) without specific knowledge, such as the private key. This property makes RSA suitable for public key cryptography.

Hash function is incorrect because it refers to generating a fixed-size output from input data for integrity checks, not encryption or key exchange. Symmetric encryption is incorrect because RSA uses asymmetric cryptography, involving a public-private key pair instead of a shared secret. Digital signature is incorrect because, while RSA can be used to create digital signatures, this is an application of the algorithm, not its underlying mathematical property.

8
Q

Reason and Rhyme, a tutoring service, has increased the security of its customers’ passwords. They have always converted passwords to fixed-length sequences, but now they will run this process more than once to increase the computing power and time it will take an attacker to decode the password. What is this method known as?

Hashing
Key Stretching
Digital Signatures
Salting

A

Key stretching is the correct answer. Key stretching involves applying a hashing algorithm multiple times to a password, increasing the computational effort required for an attacker to crack it. This enhances security by making brute-force and dictionary attacks more time-consuming and resource-intensive.

Hashing alone is the process of converting passwords to fixed-length sequences, but it does not inherently involve applying the process multiple times. Digital signatures are used for verifying the authenticity and integrity of data, not for password protection. Salting adds a unique random value to each password before hashing to defend against rainbow table attacks, but it does not involve repeated hashing like key stretching does.

9
Q

Trust Us is a company that acts as a trusted entity. They issue and manage security credentials and issue digital signature wrappers for public keys for message encryption. What type of company is Trust Us?

Root of Trust
Blockchain
Certificate Authority
Registration Authority

A

Certificate Authority (CA) is the correct answer. Trust Us acts as a trusted entity that issues and manages security credentials, including digital certificates that validate ownership of public keys. This ensures secure communication and establishes trust in digital transactions, which is the primary role of a Certificate Authority.

Root of Trust refers to a foundational component in a security architecture but does not specifically manage or issue public key certificates. Blockchain is a distributed ledger technology unrelated to the issuance and management of public key certificates. A Registration Authority (RA) works with a CA to handle user registration and verification but does not issue certificates directly, which is the CA’s role.

10
Q

In the Zero Trust model, which of the following components focuses on making decisions about who can access what resources based on policies, identity verification, and threat analysis?

Policy-driven access control
Control Plane
Data Plane
Implicit trust zones

A

Control Plane is the correct answer. In the Zero Trust model, the Control Plane is responsible for making decisions about access to resources. It evaluates policies, verifies identities, and analyzes potential threats to determine whether access should be granted or denied. This ensures that access is granted dynamically based on contextual factors rather than assuming implicit trust.

Policy-driven access control describes the mechanism or approach used within the Control Plane but is not a standalone component. The Data Plane handles the actual transmission and processing of data but does not make access decisions. Implicit trust zones contradict the principles of Zero Trust, as this model explicitly avoids trusting any user or device by default.

11
Q

Sweet as Thyme, a flavoring supplier, uses a peer-to-peer network that relies on a public ledger to ensure the integrity of transactions and to provide a permanent record of all transactions. What is this technology they are using called?

Digital Signatures
Key Stretching
Salting
Blockchain

A

Blockchain is the correct answer. Blockchain is a peer-to-peer network technology that uses a decentralized public ledger to record and verify transactions. It ensures integrity and transparency by providing a permanent, tamper-resistant record of all transactions, making it ideal for applications requiring trust without a central authority.

Digital Signatures are used for verifying authenticity and integrity of data but do not provide a public ledger or decentralized network. Key Stretching and Salting are cryptographic techniques used to enhance password security and are unrelated to maintaining a transaction ledger.

12
Q

Which of the following is a part of Zero-Trust Architecture that manages user access based on their roles and responsibilities on the Control Plane?

Least privilege
Implicit deny
Policy-driven access control
Role-based access control

A

Policy-driven access control is a part of Zero Trust Architecture in which user access and permissions are set based on organizational policies, roles, or requirements, ensuring that users have the level of access that aligns with their job functions or responsibilities. In role-based access control, permissions are assigned to predefined roles in an organization, and individuals are then assigned to those roles. In least privilege, users are given the minimum level of access necessary to perform their job functions. Implicit deny means that if a condition is not explicitly met, access is denied by default. Least privilege, role-based access control, and implicit deny can be part of any security architecture and are not specific to Zero Trust Architecture.

13
Q

Which type of symmetric encryption is BEST suited for scenarios where the total length of the message is not predetermined and encrypts data one byte or bit at a time?

Block cipher
AES256
Stream cipher
Initialization vector (IV)

A

Stream cipher is the correct answer. A stream cipher is a type of symmetric encryption designed to encrypt data one byte or bit at a time, making it ideal for scenarios where the total length of the message is not predetermined. Stream ciphers are particularly useful for real-time communication and applications where data is received or processed in a continuous stream.

A block cipher encrypts fixed-size blocks of data and is not well suited to messages of indefinite or unpredictable length. AES256 is the AES block cipher used with a 256-bit key, so it follows the block cipher approach. An initialization vector (IV) is a random value used in encryption to ensure uniqueness, not a type of encryption itself.

14
Q

What part of PKI allows the storing of encrypted keys with a third party so keys can be recovered if they are lost?

Public key infrastructure
Key escrow
Key generation
Key exchange

A

Key escrow is the correct answer. In Public Key Infrastructure (PKI), key escrow involves storing encrypted private keys with a trusted third party to allow recovery if the keys are lost. This ensures that encrypted data can still be accessed even if the original key is unavailable.

Public key infrastructure refers to the overall system for managing public and private keys, not specifically the storage or recovery of keys. Key generation is the process of creating cryptographic keys, and key exchange refers to securely sharing encryption keys between parties; neither involves third-party storage for recovery.

15
Q

Kelly Innovations LLC is keen on adopting technology to ensure the integrity and transparency of its financial transactions. They are looking for a solution where each transaction record is secured using cryptography, and the hash value of one record is used in the hash calculation of the next. Which of the following technologies would be MOST suitable for this requirement?

Digital watermarking
Public key infrastructure (PKI)
Symmetric encryption
Blockchain

A

The correct answer is Blockchain. Blockchain technology ensures the integrity and transparency of financial transactions by using cryptographic hashing to link each record (block) to the previous one, creating an immutable ledger. This makes it highly resistant to tampering and fraud, providing a secure and transparent way to track transactions.

The other options are incorrect. Digital watermarking is used to embed identifying information into digital media, not for securing financial transactions. Public Key Infrastructure (PKI) provides encryption and authentication through digital certificates but does not create an immutable transaction ledger. Symmetric encryption ensures data confidentiality but does not inherently provide transparency or transaction linking like blockchain does.

16
Q

Which of the following types of certificates is issued by an entity using its own private key and is often used in internal or testing environments due to its lack of inherent trust in external systems?

CSR
Extended validation certificate
Self-signed certificate
Root certificate

A

The correct answer is Self-signed certificate. A self-signed certificate is issued and signed by the same entity using its own private key, making it useful for internal networks, testing environments, or development purposes. However, it lacks inherent trust in external systems because it is not issued by a recognized Certificate Authority (CA).

The other options are incorrect. A Certificate Signing Request (CSR) is not a certificate but a request sent to a CA to obtain a signed certificate. An Extended Validation (EV) certificate is a high-assurance certificate issued by a CA after thorough validation of the organization. A Root certificate is a trusted certificate issued by a CA and used to sign other certificates in the trust hierarchy.

17
Q

You are making an appointment to get your hair cut. When you enter your personal data into the website for Dye My Darling, the data is placed in a database and paired with a smaller set of symbols that will represent your data. To access your personal data, your stylist’s computer will access the database. If an attacker gains access to the computer, they will only see the set of symbols, not your personal data. What method of concealment is Dye My Darling using?

Steganography
Encryption
Tokenization
Data Masking

A

The correct answer is Tokenization. Tokenization replaces sensitive data with a unique set of symbols (tokens) that have no meaningful value outside of the system. The actual data remains securely stored in a database, and only authorized systems can map the token back to the original data. This ensures that if an attacker gains access to the system, they will only see the tokens, not the real personal data.

The other options are incorrect. Steganography hides data within other media, such as images or audio files, rather than replacing it with tokens. Encryption transforms data into an unreadable format using a key, but the encrypted data can still be reversed using the correct decryption key. Data Masking obscures data by replacing certain portions with fictional values, often for non-production environments, but does not provide the same level of security as tokenization.

18
Q

Neville, a security engineer, suggests his company create a fake document that appears to contain sensitive information in order to attract attackers. Which of the following is Neville suggesting be created?

Honeynet
Honeytoken
Honeypot
Honeyfile

A

The correct answer is Honeyfile. A honeyfile is a decoy document that appears to contain valuable or sensitive information, but it is actually designed to attract and detect unauthorized access. If an attacker interacts with the file, it triggers an alert, helping security teams identify potential threats.

The other options are incorrect. A honeynet is an entire network of decoy systems designed to lure attackers. A honeypot is a single system or service set up to attract and monitor attackers. A honeytoken is a piece of data, such as a fake credential or database entry, that triggers an alert when accessed or used.

19
Q

Which of the following control types BEST characterizes a policy that requires employees to visibly display their badges within a facility, mainly to remind them of security expectations and discourage potential unauthorized access?

Directive Control
Deterrent Control
Detective Control
Corrective Control

A

The correct answer is “Deterrent Control.” A policy requiring employees to visibly display their badges primarily serves as a deterrent by discouraging unauthorized access and reinforcing security expectations.

While “Directive Control” involves policies and guidelines that direct behavior, it does not primarily function to discourage threats. “Detective Control” focuses on identifying security incidents after they occur, and “Corrective Control” is used to mitigate damage and restore systems after a security event.

20
Q

Within Dion Training’s Zero Trust security infrastructure, which component is responsible for defining and managing security policies that dictate access controls?

Policy enforcement point
Client host
Authentication server
Policy administrator

A

The correct answer is “Policy administrator.” In a Zero Trust security infrastructure, the policy administrator is responsible for defining and managing security policies that dictate access controls. It determines whether access should be granted based on the organization’s policies.

“Policy enforcement point” enforces these decisions but does not define them. “Client host” refers to the endpoint device requesting access, and “Authentication server” is responsible for verifying user credentials but does not manage security policies.

21
Q

When entering his password online, Ivan notices that each letter is quickly replaced by a dot. He finds this annoying and wishes that it wouldn’t happen. It has led him to enter the wrong password, since all he can see is one dot for each character of his password. What is Ivan observing?

Tokenization
Steganography
Encryption
Data Masking

A

The correct answer is Data Masking, because it replaces sensitive information, such as passwords, with symbols like dots or asterisks to protect user input from prying eyes.

The other answers are incorrect because encryption transforms data into a secure, unreadable format but does not simply replace characters with dots. Steganography hides data within other media rather than obscuring it directly. Tokenization substitutes sensitive data with non-sensitive equivalents but is used mainly for storage and transmission, not for password entry protection.

22
Q

Which of the following is a corrective control?

Motion Sensor Lighting
Restoring Data from Backups
Implementing a Firewall
Security Awareness Training

A

The correct answer is Restoring Data from Backups, because corrective controls are designed to restore systems and data to a secure state after an incident occurs. Recovering lost data ensures continuity and mitigates the impact of data loss.

The other answers are incorrect because motion sensor lighting is a deterrent control, as it discourages unauthorized access. Implementing a firewall is a preventive control, as it blocks threats before they cause harm. Security awareness training is a preventive control, as it educates users to avoid security risks.

23
Q

Dion Training is planning to expand its online services, including launching multiple subdomains for different courses. They want a single certificate that can secure all these subdomains. Which type of certificate should Dion Training consider?

CSR (Certificate Signing Request)
Self-signed certificate
Wildcard certificate
Third-party certificate

A

The correct answer is Wildcard certificate, because it allows an organization to secure multiple subdomains under a single domain using one certificate. This makes it ideal for Dion Training’s need to secure multiple course subdomains efficiently.

The other answers are incorrect because a CSR (Certificate Signing Request) is simply a request for a certificate and not an actual certificate type. A self-signed certificate is not issued by a trusted certificate authority and is generally not suitable for public-facing services. A third-party certificate is a broad term referring to any certificate issued by an external CA, but it does not specifically address the need for securing multiple subdomains.

24
Q

A financial institution is seeking to secure its customer database to ensure that, even if a breach occurs, the stolen data remains unintelligible. Which of the following encryption levels would be the MOST appropriate to directly safeguard the contents of the database?

Full-disk encryption
Database level encryption
Volume encryption
File encryption

A

The correct answer is Database level encryption, because it encrypts the actual data stored within the database, ensuring that even if an attacker gains access to the database files, the contents remain unreadable without the decryption key.

The other answers are incorrect because full-disk encryption only protects data while the system is powered off and does not specifically secure individual database records. Volume encryption protects an entire storage volume but does not provide granular control over database contents. File encryption secures individual files but is not tailored for protecting structured data within a database.

25
Q

After a recent compliance audit at GlobalTech Corp, it was found that certain business processes no longer align with the company’s documented policies and procedures. Emma, the Chief Compliance Officer, emphasized the importance of routinely updating these documents. Which of the following is the MOST important reason for updating these documents, given how they affect an organization’s current security posture?

To develop new products and services.
To ensure they remain relevant and compliant with evolving regulations.
To match them with recent modifications in business operations.
To keep the diagrams and specifications of each piece of equipment updated.

A

The correct answer is to ensure they remain relevant and compliant with evolving regulations, because security policies and procedures must adapt to regulatory changes and industry standards to maintain compliance and mitigate risks effectively.

The other answers are incorrect because matching documents with business modifications is important but secondary to compliance, as business changes do not always impact security requirements. Developing new products and services is unrelated to maintaining security policies. Keeping equipment diagrams updated is a technical concern but does not directly affect overall security compliance.