Chapter 5
Cryptography (Domain 5)

THIS CHAPTER COVERS THE FOLLOWING SSCP EXAM OBJECTIVES:

  • 5.1 Understand fundamental concepts of cryptography
    • Hashing
    • Salting
    • Symmetric/asymmetric encryption/Elliptic Curve Cryptography (ECC)
    • Non-repudiation (e.g., digital signatures/certificates, HMAC, audit trail)
    • Encryption algorithms (e.g., AES, RSA)
    • Key strength (e.g., 256, 512, 1024, 2048 bit keys)
    • Cryptographic attacks, cryptanalysis, and countermeasures
  • 5.2 Understand reasons and requirements for cryptography
    • Confidentiality
    • Integrity and authenticity
    • Data sensitivity (e.g., PII, intellectual property, PHI)
    • Regulatory
  • 5.3 Understand and support secure protocols
    • Services and protocols (e.g., IPSec, TLS, S/MIME, DKIM)
    • Common use cases
    • Limitations and vulnerabilities
  • 5.4 Understand Public Key Infrastructure (PKI) systems
    • Fundamental key management concepts (e.g., key rotation, key composition, key creation, exchange, revocation, escrow)
    • Web of Trust (WOT) (e.g., PGP, GPG)

  1. Carla’s organization recently suffered a data breach when an employee misplaced a laptop containing sensitive customer information. Which one of the following controls would be least likely to prevent this type of breach from reoccurring in the future?

    1. Full disk encryption
    2. File encryption
    3. File integrity monitoring
    4. Data minimization
  2. Margot is considering the use of a self-signed certificate to reduce the costs associated with maintaining a public-facing web server. What is the primary risk associated with the use of self-signed certificates?

    1. Self-signed certificates use weak encryption.
    2. Self-signed certificates are not trusted by default.
    3. Self-signed certificates have short expiration periods.
    4. Self-signed certificates cannot be used with most browsers.
  3. Which one of the following cryptographic systems is most closely associated with the Web of Trust?

    1. RC4
    2. SHA
    3. AES
    4. PGP
  4. Kevin is an internal auditor at a major retailer and would like to ensure that the information contained in audit logs is not changed after it is created. Which one of the following controls would best meet his goal?

    1. Cryptographic hashing
    2. Data loss prevention
    3. File encryption
    4. Certificate management
  5. Greg is designing a defense-in-depth approach to securing his organization’s information and would like to select cryptographic tools that are appropriate for different use cases and provide strong encryption. Which one of the following pairings is the best use of encryption tools?

    1. SSL for data in motion and AES for data at rest
    2. VPN for data in motion and SSL for data at rest
    3. TLS for data in motion and AES for data at rest
    4. SSL for data in motion and TLS for data at rest
  6. Max is the security administrator for an organization that uses a remote access VPN. The VPN depends upon RADIUS authentication, and Max would like to assess the security of that service. Which one of the following is the strongest cryptographic hash function supported by RADIUS?

    1. MD5
    2. SHA-2
    3. SHA-512
    4. HMAC
  7. Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?

    1. Man-in-the-middle, VPN
    2. Packet injection, encryption
    3. Sniffing, encryption
    4. Sniffing, TEMPEST

    For questions 8–10, please refer to the following scenario.

    Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.

  8. What civilian data classifications best fit this data?

    1. Unclassified, confidential, top secret
    2. Public, sensitive, private
    3. Public, sensitive, proprietary
    4. Public, confidential, private
  9. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?

    1. Classification
    2. Symmetric encryption
    3. Watermarks
    4. Metadata
  10. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion?

    1. TLS at rest and AES in motion
    2. AES at rest and TLS in motion
    3. VPN at rest and TLS in motion
    4. DES at rest and AES in motion

    The following diagram shows a typical workstation and server and their connections to each other and the Internet. For questions 11–13, please refer to this diagram.

    [Figure: flow diagram of a user workstation (A), the Internet (C), and a server (E), with two-way arrows between them; the remaining letters (B, D, and F) label the connections.]
  11. Which letters on this diagram are locations where you might find data at rest?

    1. A, B, and C
    2. C and E
    3. A and E
    4. B, D, and F
  12. What would be the best way to secure data at points B, D, and F?

    1. AES-256
    2. SSL
    3. TLS
    4. 3DES
  13. What is the best way to secure files that are sent from workstation A via the Internet service (C) to remote server E?

    1. Use AES at rest at point A, and use TLS in transit via B and D.
    2. Encrypt the data files and send them.
    3. Use 3DES and TLS to provide double security.
    4. Use full disk encryption at A and E, and use SSL at B and D.
  14. What scenario describes data at rest?

    1. Data in an IPSec tunnel
    2. Data in an e-commerce transaction
    3. Data stored on a hard drive
    4. Data stored in RAM
  15. What problem with FTP and Telnet makes using SFTP and SSH better alternatives?

    1. FTP and Telnet aren’t installed on many systems.
    2. FTP and Telnet do not encrypt data.
    3. FTP and Telnet have known bugs and are no longer maintained.
    4. FTP and Telnet are difficult to use, making SFTP and SSH the preferred solution.
  16. Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information?

    1. Personally identifiable information (PII)
    2. Personal health information (PHI)
    3. Social Security number (SSN)
    4. Secure identity information (SII)
  17. Match each of the numbered data elements shown here with one of the lettered categories. You may use the categories once, more than once, or not at all. If a data element matches more than one category, choose the one that is most specific.

    Data elements                  Categories
    1. Medical records             A. PCI DSS
    2. Credit card numbers         B. PHI
    3. Social Security numbers     C. PII
    4. Driver’s license numbers

    For question 18, please refer to the following scenario.

    The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.

    Classification                        Handling requirements
    Confidential (HIPAA)                  Encrypt at rest and in transit.
                                          Full disk encryption is required for all workstations.
                                          Files can only be sent in encrypted form, and passwords must be transferred under separate cover.
                                          Printed documents must be labeled with “HIPAA handling required.”
    Private (PHI)                         Encrypt at rest and in transit.
                                          PHI must be stored on secure servers, and copies should not be kept on local workstations.
                                          Printed documents must be labeled with “Private.”
    Sensitive (business confidential)     Encryption is recommended but not required.
    Public                                Information can be sent unencrypted.
  18. What encryption technology would be appropriate for HIPAA documents in transit?

    1. BitLocker
    2. DES
    3. TLS
    4. SSL
  19. What encryption algorithm is used by both BitLocker and Microsoft’s Encrypting File System?

    1. Blowfish
    2. Serpent
    3. AES
    4. 3DES
  20. Which attack helped drive vendors to move away from SSL toward TLS-only by default?

    1. POODLE
    2. Stuxnet
    3. BEAST
    4. CRIME
  21. What security measure can provide an additional security control in the event that backup tapes are stolen or lost?

    1. Keep multiple copies of the tapes.
    2. Replace tape media with hard drives.
    3. Use appropriate security labels.
    4. Use AES-256 encryption.
  22. Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization’s data retention policy. As part of its legal requirements, the organization must comply with the U.S. Food and Drug Administration’s Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement?

    1. It ensures that someone has reviewed the data.
    2. It provides confidentiality.
    3. It ensures that the data has not been changed.
    4. It validates who approved the data.
  23. What protocol is preferred over Telnet for remote server administration via the command line?

    1. SCP
    2. SFTP
    3. WDS
    4. SSH
  24. What methods are often used to protect data in transit?

    1. Telnet, ISDN, UDP
    2. BitLocker, FileVault
    3. AES, Serpent, IDEA
    4. TLS, VPN, IPSec
  25. Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme?

    1. 3DES
    2. AES
    3. Diffie-Hellman
    4. Blowfish
  26. Which one of the following is not considered PII under U.S. federal government regulations?

    1. Name
    2. Social Security number
    3. Student ID number
    4. ZIP code
  27. What encryption algorithm would provide strong protection for data stored on a USB thumb drive?

    1. TLS
    2. SHA-1
    3. AES
    4. DES
  28. What type of encryption is typically used for data at rest?

    1. Asymmetric encryption
    2. Symmetric encryption
    3. DES
    4. OTP
  29. Fred is preparing to send backup tapes off-site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility?

    1. Ensure that the tapes are handled the same way the original media would be handled based on their classification.
    2. Increase the classification level of the tapes because they are leaving the possession of the company.
    3. Purge the tapes to ensure that classified data is not lost.
    4. Decrypt the tapes in case they are lost in transit.
  30. Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files attached to the email remain confidential as they traverse the Internet?

    1. SSL
    2. TLS
    3. PGP
    4. VPN
  31. Chris wants to verify that a software package that he downloaded matches the original version. What hashing tool should he use if he believes that technically sophisticated attackers may have replaced the software package with a version containing a backdoor?

    1. MD5
    2. 3DES
    3. SHA-1
    4. SHA-256
  32. What name is given to the random value added to a password in an attempt to defeat rainbow table attacks?

    1. Hash
    2. Salt
    3. Extender
    4. Rebar
  33. Which one of the following is not an attribute of a hashing algorithm?

    1. They require a cryptographic key.
    2. They are irreversible.
    3. It is very difficult to find two messages with the same hash value.
    4. They take variable-length input.
  34. Susan would like to configure IPsec in a manner that provides confidentiality for the content of packets. What component of IPsec provides this capability?

    1. AH
    2. ESP
    3. IKE
    4. ISAKMP

    For questions 35–38, please refer to the following scenario.

    Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

  35. If Alice wants to send Bob an encrypted message, what key does she use to encrypt the message?

    1. Alice’s public key
    2. Alice’s private key
    3. Bob’s public key
    4. Bob’s private key
  36. When Bob receives the encrypted message from Alice, what key does he use to decrypt the message?

    1. Alice’s public key
    2. Alice’s private key
    3. Bob’s public key
    4. Bob’s private key
  37. Which one of the following keys would Bob not possess in this scenario?

    1. Alice’s public key
    2. Alice’s private key
    3. Bob’s public key
    4. Bob’s private key
  38. Alice would also like to digitally sign the message that she sends to Bob. What key should she use to create the digital signature?

    1. Alice’s public key
    2. Alice’s private key
    3. Bob’s public key
    4. Bob’s private key
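    Worked example for the scenario in questions 35–38. This is an added illustration, not part of the practice test: textbook RSA with tiny constructed primes and no padding, encrypting one byte at a time. A real system never does this (the small modulus is trivially factored and byte-at-a-time encryption leaks patterns); the point is only to make visible which key each party uses at each step. The key pairs, the helper names and the sample message are all constructed for the example.

```python
"""Added illustration of the key usage in questions 35-38.

Textbook RSA with tiny, constructed primes and no padding: it shows WHICH
key each party uses, and is not a usable cryptosystem.
"""
from __future__ import annotations

import hashlib
from math import gcd


def generate_keypair(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((e, n), (d, n)) from two primes. Toy-sized on purpose."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key: tuple[int, int], message: bytes) -> list[int]:
    """Encrypt byte by byte with the RECIPIENT's public key (question 35)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key: tuple[int, int], blocks: list[int]) -> bytes:
    """Decrypt with the recipient's own private key (question 36)."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def sign(private_key: tuple[int, int], message: bytes) -> int:
    """Sign a hash of the message with the SENDER's private key (question 38)."""
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key: tuple[int, int], message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


# Constructed key pairs. Bob never holds Alice's private key (question 37);
# it exists only on Alice's side, and vice versa.
ALICE_PUB, ALICE_PRIV = generate_keypair(61, 53)  # the classic n = 3233 example
BOB_PUB, BOB_PRIV = generate_keypair(79, 97)


def alice_sends(message: bytes) -> tuple[list[int], int]:
    """Alice encrypts with Bob's public key and signs with her own private key."""
    return encrypt(BOB_PUB, message), sign(ALICE_PRIV, message)


def bob_receives(ciphertext: list[int], signature: int) -> tuple[bytes, bool]:
    """Bob decrypts with his private key and verifies with Alice's public key."""
    plaintext = decrypt(BOB_PRIV, ciphertext)
    return plaintext, verify(ALICE_PUB, plaintext, signature)


if __name__ == "__main__":
    ct, sig = alice_sends(b"wire the funds today")
    pt, ok = bob_receives(ct, sig)
    print(pt, "signature valid:", ok)
```

    Note the asymmetry the questions are probing: confidentiality uses the recipient's key pair (Bob's public key to encrypt, Bob's private key to decrypt), while the signature uses the sender's key pair (Alice's private key to sign, Alice's public key to verify). Because x ↦ x^e mod n is a permutation of the residues mod n, any change to the signature value fails verification.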
  39. Which one of the following cryptographic goals protects against the risks posed when a device is lost or stolen?

    1. Nonrepudiation
    2. Authentication
    3. Integrity
    4. Confidentiality
  40. How many bits of keying material does the Data Encryption Standard use for encrypting information?

    1. 56 bits
    2. 64 bits
    3. 128 bits
    4. 256 bits
  41. Florian and Tobias would like to begin communicating using a symmetric cryptosystem, but they have no prearranged secret and are not able to meet in person to exchange keys. What algorithm can they use to securely exchange the secret key?

    1. IDEA
    2. Diffie-Hellman
    3. RSA
    4. MD5
  42. Which one of the following is not one of the basic requirements for a cryptographic hash function?

    1. The function must work on fixed-length input.
    2. The function must be relatively easy to compute for any input.
    3. The function must be one way.
    4. The function must be collision free.
  43. How many possible keys exist for a cipher that uses a key containing 5 bits?

    1. 10
    2. 16
    3. 32
    4. 64
  44. What cryptographic principle stands behind the idea that cryptographic algorithms should be open to public inspection?

    1. Security through obscurity
    2. Kerckhoffs’s principle
    3. Defense in depth
    4. Heisenberg principle
  45. Alice sent a message to Bob. Bob would like to demonstrate to Charlie that the message he received definitely came from Alice. What goal of cryptography is Bob attempting to achieve?

    1. Authentication
    2. Confidentiality
    3. Nonrepudiation
    4. Integrity
  46. Sherry conducted an inventory of the cryptographic technologies in use within her organization and found the following algorithms and protocols in use. Which one of these technologies should she replace because it is no longer considered secure?

    1. MD5
    2. 3DES
    3. PGP
    4. WPA2
  47. Tom is a cryptanalyst and is working on breaking a cryptographic algorithm’s secret key. He has a copy of an intercepted message that is encrypted, and he also has a copy of the decrypted version of that message. He wants to use both the encrypted message and its decrypted plaintext to retrieve the secret key for use in decrypting other messages. What type of attack is Tom engaging in?

    1. Chosen ciphertext
    2. Chosen plaintext
    3. Known plaintext
    4. Brute force
  48. What standard governs the creation and validation of digital certificates for use in a public key infrastructure?

    1. X.509
    2. TLS
    3. SSL
    4. 802.1x
  49. Alan intercepts an encrypted message and wants to determine what type of algorithm was used to create the message. He first performs a frequency analysis and notes that the frequency of letters in the message closely matches the distribution of letters in the English language. What type of cipher was most likely used to create this message?

    1. Substitution cipher
    2. AES
    3. Transposition cipher
    4. 3DES
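    Worked example for the reasoning in question 49. This is an added illustration, not part of the practice test: it applies a toy monoalphabetic substitution (a Caesar shift) and a toy columnar transposition to a constructed English sentence, then measures how far each ciphertext's letter frequencies sit from English using a chi-squared score. The English frequency table, the sample sentence and the threshold in `frequency_profile_intact` are constructed for the example.

```python
"""Added illustration of the reasoning in question 49.

A transposition cipher only reorders letters, so the ciphertext keeps the
plaintext's letter frequencies; a substitution cipher renames letters, so
the profile drifts away from English. Both ciphers here are toys.
"""
from collections import Counter
import string

# Approximate letter frequencies of English prose, in percent.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def letters_only(text: str) -> str:
    """Keep a-z only, lower-cased, the way a cryptanalyst normalizes input."""
    return "".join(ch for ch in text.lower() if ch in string.ascii_lowercase)


def caesar_substitution(text: str, shift: int) -> str:
    """Monoalphabetic substitution: each letter becomes the one `shift` places on."""
    return "".join(chr((ord(ch) - 97 + shift) % 26 + 97) for ch in letters_only(text))


def columnar_transposition(text: str, columns: int) -> str:
    """Transposition: write row by row into `columns`, read out column by column."""
    t = letters_only(text)
    return "".join(t[i::columns] for i in range(columns))


def chi_squared_vs_english(text: str) -> float:
    """Chi-squared distance between the text's letter counts and English; lower is closer."""
    t = letters_only(text)
    if not t:
        return float("inf")
    counts = Counter(t)
    n = len(t)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        score += (counts[letter] - expected) ** 2 / expected
    return score


def frequency_profile_intact(ciphertext: str, threshold: float = 80.0) -> bool:
    """True when the ciphertext still looks English-distributed (transposition-like).

    The threshold is a rough cut for samples of about 100 letters; genuine
    English scores far lower and a substitution scores far higher. Calibrate
    it for your own sample sizes before relying on it.
    """
    return chi_squared_vs_english(ciphertext) < threshold


# Constructed plaintext for the demonstration.
SAMPLE = ("attack the enemy at dawn and seize the bridge before the reserves "
          "arrive then hold it until the main force reaches the river")

if __name__ == "__main__":
    for name, ct in [("transposition", columnar_transposition(SAMPLE, 7)),
                     ("substitution", caesar_substitution(SAMPLE, 3))]:
        print(f"{name:14} chi2={chi_squared_vs_english(ct):7.1f} "
              f"profile intact={frequency_profile_intact(ct)}")
```

    The transposed text has exactly the same letter multiset as the plaintext, so its score is identical to the plaintext's; the shifted text piles the counts of e, t and h onto letters that are rare in English, and its score jumps. That is the observation Alan makes in the question: frequencies that still match English point at transposition.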
  50. The Double DES (2DES) encryption algorithm was never used as a viable alternative to the original DES algorithm. What attack is 2DES vulnerable to that does not exist for the DES or 3DES approach?

    1. Chosen ciphertext
    2. Brute force
    3. Man-in-the-middle
    4. Meet-in-the-middle
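    Worked example for questions 47 and 50. This is an added illustration, not part of the practice test: a constructed 16-bit toy block cipher (16-bit key, four rounds, a nibble S-box) that is small enough for both attacks to finish in a few seconds in pure Python. `known_plaintext_brute_force` is the attack in question 47 (try every key until the known pair matches); `meet_in_the_middle` is the attack in question 50 (encrypt forward under every first key, decrypt backward under every second key, match in the middle), which recovers a 32-bit double-encryption key with roughly 2 × 2^16 work instead of 2^32. The cipher, its key schedule and the sample keys and plaintexts are all constructed; none of it is a real algorithm.

```python
"""Added illustration for questions 47 and 50: a known-plaintext brute force
against one key, and a meet-in-the-middle attack on double encryption.

The cipher is a constructed 16-bit toy (16-bit key, 4 rounds) chosen so the
attacks finish in seconds in pure Python. It is not a real cipher.
"""
from typing import Dict, List, Tuple

MASK = 0xFFFF
KEY_BITS = 16
ROUNDS = 4
# Nibble S-box (an invertible 4-bit permutation; any bijection would do).
SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX4 = [SBOX4.index(v) for v in range(16)]


def _word_table(sbox4: List[int]) -> List[int]:
    """Precompute the S-box applied to all four nibbles of every 16-bit word."""
    return [(sbox4[x >> 12] << 12) | (sbox4[(x >> 8) & 0xF] << 8)
            | (sbox4[(x >> 4) & 0xF] << 4) | sbox4[x & 0xF] for x in range(1 << 16)]


SBOX16 = _word_table(SBOX4)
INV_SBOX16 = _word_table(INV_SBOX4)


def rotl16(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK


def rotr16(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK


def round_keys(key: int) -> List[int]:
    """Trivial key schedule: rotate the key and mix in a round constant."""
    return [rotl16(key, 3 * r) ^ ((0x5A5A * (r + 1)) & MASK) for r in range(ROUNDS)]


def toy_encrypt(key: int, block: int) -> int:
    """Each round: XOR the round key, substitute nibbles, rotate left by 5."""
    x = block & MASK
    for rk in round_keys(key):
        x = rotl16(SBOX16[x ^ rk], 5)
    return x


def toy_decrypt(key: int, block: int) -> int:
    """Undo the rounds in reverse order."""
    x = block & MASK
    for rk in reversed(round_keys(key)):
        x = INV_SBOX16[rotr16(x, 5)] ^ rk
    return x


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """2DES-style: encrypt under k1, then again under k2 (2 * 16 = 32 key bits)."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def known_plaintext_brute_force(pairs: List[Tuple[int, int]]) -> List[int]:
    """Question 47: given (plaintext, ciphertext) pairs, try every single key (2^16 work)."""
    return [k for k in range(1 << KEY_BITS)
            if all(toy_encrypt(k, p) == c for p, c in pairs)]


def meet_in_the_middle(pairs: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Question 50: recover (k1, k2) with about 2 * 2^16 work, not 2^32.

    Encrypt the first plaintext forward under every k1, decrypt its
    ciphertext backward under every k2, and match in the middle; the
    remaining pairs weed out chance matches.
    """
    p0, c0 = pairs[0]
    forward: Dict[int, List[int]] = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    K1, K2 = 0xBEEF, 0x1337                 # the secret keys to recover
    plaintexts = [0x0123, 0x4567, 0x89AB]   # constructed known plaintexts
    single = [(p, toy_encrypt(K1, p)) for p in plaintexts]
    print("single-key candidates:", [hex(k) for k in known_plaintext_brute_force(single)])
    double = [(p, double_encrypt(K1, K2, p)) for p in plaintexts]
    print("double-encryption key pairs:",
          [(hex(a), hex(b)) for a, b in meet_in_the_middle(double)])
```

    The attack trades memory for time: the forward table holds one entry per first-stage key, and every second-stage key is tested against it with a single lookup. That is why doubling a cipher with two independent keys does not double its effective key length, and why 3DES (three applications) was adopted instead of 2DES.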
  51. Raj is selecting an encryption algorithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which one of the following algorithms allows the use of different key strengths?

    1. Blowfish
    2. DES
    3. Skipjack
    4. IDEA
  52. Howard is choosing a cryptographic algorithm for his organization, and he would like to choose an algorithm that supports the creation of digital signatures. Which one of the following algorithms would meet his requirement?

    1. RSA
    2. DES
    3. AES
    4. Blowfish
  53. In Transport Layer Security, what type of key is used to encrypt the actual content of communications between a web server and a client?

    1. Ephemeral session key
    2. Client’s public key
    3. Server’s public key
    4. Server’s private key
  54. Chris is designing a cryptographic system for use within his company. The company has 1,000 employees, and they plan to use an asymmetric encryption system. How many total keys will they need?

    1. 500
    2. 1,000
    3. 2,000
    4. 4,950
  55. Todd wants to add a certificate to a certificate revocation list. What element of the certificate goes on the list?

    1. Serial number
    2. Public key
    3. Digital signature
    4. Private key
  56. Alison is examining a digital certificate presented to her by her bank’s website. Which one of the following requirements is not necessary for her to trust the digital certificate?

    1. She knows that the server belongs to the bank.
    2. She trusts the certificate authority.
    3. She verifies that the certificate is not listed on a CRL.
    4. She verifies the digital signature on the certificate.
  57. Which one of the following would be a reasonable application for the use of self-signed digital certificates?

    1. E-commerce website
    2. Banking application
    3. Internal scheduling application
    4. Customer portal
  58. Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes?

    1. Locked shipping containers
    2. Private couriers
    3. Data encryption
    4. Media rotation
  59. Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate?

    1. 6
    2. 12
    3. 15
    4. 30
  60. Sally is using IPsec’s ESP component in transport mode. What important information should she be aware of about transport mode?

    1. Transport mode provides full encryption of the entire IP packet.
    2. Transport mode adds a new, unencrypted header to ensure that packets reach their destination.
    3. Transport mode does not encrypt the header of the packet.
    4. Transport mode provides no encryption; only tunnel mode provides encryption.
  61. Which one of the following cryptographic algorithms supports the goal of nonrepudiation?

    1. Blowfish
    2. DES
    3. AES
    4. RSA
  62. Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a Certificate Revocation List. Who must add the certificate to the CRL?

    1. Andrew
    2. The root authority for the top-level domain
    3. The CA that issued the certificate
    4. The revocation authority for the top-level domain
  63. Attackers who compromise websites often acquire databases of hashed passwords. What technique can best protect these passwords against automated password cracking attacks that use precomputed values?

    1. Using the MD5 hashing algorithm
    2. Using the SHA-1 hashing algorithm
    3. Salting
    4. Double-hashing
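    Worked example for questions 32 and 63. This is an added illustration, not part of the practice test: it contrasts an unsalted MD5 store, where one precomputed table cracks every dump, with a salted, iterated PBKDF2-HMAC-SHA256 store from the Python standard library, where each password gets a fresh random salt and the attacker's table no longer applies. The wordlist, the storage format string and the iteration count are constructed for the example.

```python
"""Added illustration for questions 32 and 63: a per-password random salt
makes a precomputed hash table (rainbow table) useless, because the attacker
would need a separate table for every salt value.

Standard library only; the wordlist and salts are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; raise it in production


def unsalted_md5(password: str) -> str:
    """The pattern attackers hope for: same password, same hash, one table fits all."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def precomputed_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Attacker side: hash -> password, built once and reused against any dump."""
    return {unsalted_md5(pw): pw for pw in candidates}


def crack_with_table(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Look a leaked hash up in the table; None means the table does not help."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = precomputed_table(["password", "letmein", "hunter2"])  # constructed wordlist
    print("unsalted MD5 cracked:", crack_with_table(table, unsalted_md5("hunter2")))
    stored_a = hash_password("hunter2")
    stored_b = hash_password("hunter2")
    print("same password, different stored values:", stored_a != stored_b)
    print("table lookup against salted hash:", crack_with_table(table, stored_a))
    print("login check:", verify_password("hunter2", stored_a))
```

    The salt is stored in the clear next to the hash; it is not a secret. Its job is to make every stored hash unique, so a table of H(password) values built in advance matches nothing and the attacker is pushed back to guessing per account, where the iteration count sets the cost of each guess.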
  64. Barry recently received a message from Melody that Melody encrypted using symmetric cryptography. What key should Barry use to decrypt the message?

    1. Barry’s public key
    2. Barry’s private key
    3. Melody’s public key
    4. Shared secret key
  65. Skip needs to transfer files from his PC to a remote server. What protocol should he use instead of FTP?

    1. SCP
    2. SSH
    3. HTTP
    4. Telnet