2.0 - Architecture & Design

Question 1

List 6 Examples of

Configuration Management

Answer 1

• Network maps / diagrams
• Device diagrams
• Port maps
• Baseline configurations
• Standard naming conventions
• IP schemas

Question 2

Define

Data Sovereignty

Answer 2

• Laws associated with data depending on where it geographically resides
• Data that resides in a country is subject to the laws of that country
• Must comply with legal monitoring, court orders, etc.

Question 3

Define

GDPR

Answer 3

• “General Data Protection Regulation”
• A set of rules in the European Union

• Among other things, it specifies that data collected on EU citizens must be stored in
the EU

• Extensive and complex

Question 4

Define

Ciphertext

Answer 4

• Information that has been encrypted, in its encrypted form. The opposite of plaintext.

Question 5

Define

Confusion

Answer 5

• The difference between a plaintext and its cyphertext is the amount of confusion

Question 6

Define

Diffusion

Answer 6

• The difference between cyphertexts of plaintexts that are very similar

• Ex., two plaintexts that are identical except for one character should each produce
cyphertexts that are completely different. When they do, they have diffusion.

Question 7

How to protect data in-transit?

Answer 7

• Network-based protection including firewalls, IPS

* Transport encryption, such as TLS and IPsec

Question 8

How to protect data at-rest?

Answer 8

• Disk encryption, database encryption, and file- or folder-level encryption
• Access control lists, permission controls

Question 9

Define

Tokenization

Answer 9

• Replacing sensitive data with a non-sensitive placeholder
• Common with credit card processing, using a temporary token during payment that is only good for the one transaction.
• If intercepted by an attacker, the attacker only gets the token and not the sensitive data that it represents.
• The token is NOT a result of encryption or hashing. The original data and the token are not mathematically related.

Question 10

Define

IRM

Answer 10

• “Information Rights Management”
• Restrictions placed on a file or message to control how it is used

• Can restrict functions on a document such as ability to copy/paste, print, edit,
screenshot, etc.

• Can have different sets of rights for different users

Question 11

Define

DLP

Answer 11

• A system that monitors for sensitive data leaving the network, to prevent it.
• Can run on an endpoint, on the network, on the server, or cloud-based
• Can block custom defined data strings, file types, specific contents, etc.

Question 12

Define

SSL

Answer 12

• Secure Socket Layer

• Has been replaced by TLS, but TLS is still often referred to colloquially as SSL or
as SSL/TLS

Question 13

How can SSL/TLS inspection be performed?

Answer 13

• A device (usually a firewall) must sit in the middle of all secure information and act as a proxy.
• Endpoint devices must have a CA certificate installed for the middle device

Question 14

What typically causes older hashes to be retired?

Answer 14

• If it runs into collisions (different source data producing the same hash output)

Question 15

Define

API Injection

Answer 15

• An attack where the attacked injects data into an API message
• Often performed via an on-path attack or replay attack
• (API stands for “Application Programming Interface”)

Question 16

How can API be secured? (Four answers)

Answer 16

• Authentication
• Require secure protocols
• Limit authorization; the API should not have access to more than it absolutely needs
• Utilize a WAF to apply rules to API communication

Question 17

What does this stand for:

WAF

Answer 17

• Web Application Firewall

Question 18

Define

Hot Site

Answer 18

• An exact, or almost exact, replica of your primary site
• Contains all necessary hardware, infrastructure, etc.
• Has all data and applications synchronized in real-time from the primary site
• Serves as an immediately fail-over if the primary site goes down

Question 19

Define

Cold Site

Answer 19

• A failover location for when a primary site goes down
• Does not keep any hardware or staffing on hand
• Does not keep a live copy of data synchronized
• Would take a significant amount of time to get running if the primary site went down.

Question 20

Define

Warm Site

Answer 20

• A failover location that is not as equipped and ready as a hot site
• May have all necessary equipment, but it may not be powered on and data sync may not be in real time
• May take time to get brought online when needed

Question 21

Define

Honeynet

Answer 21

• Multiple honeypots on a network

• Can be used to observe multiple attackers, or see what an attack does between
multiple devices

Question 22

Define

Honeyfiles

Answer 22

• Bait for the honeynet / honeypot
• Files that you want the attacker to try to get, such as a file named passwords.txt
• An alert is triggered if the file is accessed, like a virtual bear trap

Question 23

Define

Fake Telemetry

Answer 23

• Attackers send fake data to a machine learning system in order to make malicious
malware appear benign

• Once the machine learning is trained on the fake telemetry, it will not detect the
malware

Question 24

Define

Sinkhole

Answer 24

• A DNS server that hands out incorrect IP Addresses
• If the DNS server hands out a non-routable address, then it’s a particular type of Sinkhole known as a Blackhole
• Can be malicious, if used by an attacker for a DOS, or to redirect traffic to a malicious site
• More often used for security purposes, to redirect known malicious domains to a benign IP address. It then collects info on devices that hit that benign IP address, since that identifies them as being infected.

Question 25

Define

HaaS

Answer 25

• Hardware as a Service

* Another, less common, name for IaaS

Question 26

Define

XaaS

Answer 26

• Anything as a Service
• A broad description of all cloud models
• Usually describes services delivered over the Internet, not locally hosted or managed
• Usually associated with a flexible, pay-what-you-use subscription-based pricing models with no up-front costs
• Any IT function can be changed into such a service

Question 27

Define

MSSP

Answer 27

• Managed Security Service Provider
• A specialized type of MSP that focuses on security
• Firewall management, patch management, security audits, emergency response, etc.

Question 28

List and Define

Cloud Deployment Models

Answer 28

• Public - available to everyone on the Internet (though your own data is still private)
• Community - several organizations share the same resources
• Private - your own virtualized data center
• Hybrid - a mix of public and private

Question 29

Define

Edge Computing

Answer 29

• Typically used of IoT devices
• The application processes its data on the actual device itself
• Nothing is stored or processed in the cloud
• E.g. You control a thermostat from an app on your phone, and the app communicates directly with that thermostat. The thermostat stores and processes data on its own device.

Question 30

Define

Fog Computing

Answer 30

• A cloud that is close to your data.
• Usually in reference to IoT
• A distributed cloud architecture
• Immediate and sensitive data can stay local, but some data and long-term analysis can be performed in the cloud

Question 31

Define

DaaS

Answer 31

• Desktop as a Service
• Usually for thin clients
• A form of VDI (Virtual Desktop Infrastructure), but DaaS is specifically a cloud-based service

Question 32

Define

Monolithic application

Answer 32

• A traditional application; large and does everything it needs within itself as a single application
• The application contains all decision-making processes
• User interface, logic, input and output are all in one application

Question 33

Define

Microservice Architecture

Answer 33

• A newer architecture for applications where its various services are separated into distinct “microservices”
• Each microservice is containerized, independent
• The microservices communicate to each other through APIs

Question 34

What are the advantages of Microservice Architecture? (Four answers)

Answer 34

• Scalable - can scale only the specific services that are needed
• Resilient - outages are contained to the specific microservice that fails
• Security and compliance - containment is built-in
• Coding - simpler because each microservice is coded and updated independently.

Question 35

Define

Serverless Architecture

Answer 35

• Applications are separated into individual, autonomous functions
• No OS needed, the app communicates directly to specialized processors
• The processors are known as “stateless compute containers” - processors designed to respond to API requests
• Since they are containerized, they can be scaled and removed as needed with little effort

Question 36

Define

FaaS

Answer 36

• Function as a Service

* Another name for Serverless Architecture provided as a cloud service

Question 37

Define

Transit Gateway

Answer 37

• Connects multiple VPCs to each other, and connects users to VPCs
• Essentially, a “cloud router”
• Commonly, users connect to their VPCs by using a VPN connection to the Transit Gateway

Question 38

Define

Resource Policy

Answer 38

• Policies for assigning permissions to cloud resources

* Ex., restricting data or API resources to a list of users or IP addresses

Question 39

Define

Multisourcing

Answer 39

• Deploying a cloud application to multiple cloud service providers for purposes of high availability
• If one provider goes down, your application stays up

Question 40

Define

SIAM

Answer 40

• Service Integration and Management
• A management console that integrates multiple cloud service provider’s platforms into a single interface
• Beneficial when multisourcing
• Every cloud provider has different processes for managing, deploying, etc., and the SIAM streamlines the process

Question 41

Define

Infrastructure as code

Answer 41

• Servers, networks, and applications described as code, so they can be deployed instantly without the need for configuration
• An important part of cloud computing

Question 42

Define

SDN

Answer 42

• Software Defined Networking
• An approach to network management that enables programmatic configuration
• Separates control pane from data pane
• Changes can be made dynamically, on the fly, no hardware changes or reboots needed.
• Centrally managed, open standards, vendor neutral
• Makes networking more like cloud computing than traditional network management

Question 43

Define

SDV

Answer 43

• Software Defined Visibility
• Provides visibility and real-time metrics to traffic flows in cloud computing
• Can include next-generation firewalls, web app firewalls, and a SIEM
• Needs to be aware of encapsulated and encrypted data, microservices, etc.

Question 44

Define

VM Sprawl

Answer 44

• The tendency for too many separate VMs to be running, since they are so easy to create
• Becomes difficult to deprovision when documentation is poor. Which VM is related to which application?

Question 45

Define

VM Escape

Answer 45

• An event or attack wherein a VM is able to interact with the host operating system or hardware, or other guest VMs
• VMs are supposed to be isolated and this should never happen. They rarely happen and are major security problems.

Question 46

Define

Staging

Answer 46

• The stage of application development after QA checks but before Production
• The application is deployed to a production-like environment, perhaps working with a copy of production data
• Performance, usability, and features are all tested

Question 47

Define

Secure Baselines

Answer 47

• Defines an application’s security environment: what is required to secure and maintain the security of the app
• All application instances must follow this baseline
• Firewall settings required for it to work and still be secure; patch levels of the application and OS; etc.

Question 48

Define

Integrity Measurement

Answer 48

• procedure that confirms that an application and its production environment match the security baseline
• Should be performed often, and errors should be immediately corrected

Question 49

Define

Scalability

Answer 49

• The ability for application instance(s) to increase the workload in a given infrastructure

Question 50

Define

Elasticity

Answer 50

• The ability for application instance(s) to increase and decrease available resources and instances as a workload changes

Question 51

Define

Orchestration

Answer 51

• The automation of provisioning and deprovisioning
• For application instances, servers, networks, switches, firewalls, and policies
• The automation can follow defined rules such as workload, schedule, etc.

Question 52

Define

Deprovisioning

Answer 52

• Removal of an application instance

* When deprovisioning, all security policies must be reverted: firewall rules, etc.

Question 53

Define

Stored Procedures

Answer 53

• When an application makes a database call, instead of sending the actual call (such as a SQL query), it only sends a “stored procedure.”
• The stored procedure is pre-configured on the database server, and the server uses it to produce the actual database call / query.
• This prevents a client from discovering the exact query, and potentially making any modifications to it.
• To really be secure, a stored procedure must be used for every possible database call that an application can perform.

Question 54

Define

Dead Code

Answer 54

• Code that exists in an application that performs some process but isn’t utilized
• Often a result of copying / reusing code, and not removing unnecessary parts
• All code is an opportunity for a security problem, so dead code should be removed

Question 55

Define

Code Obfuscation

Answer 55

• A developer deliberately making code difficult for humans to read, even though it performs the same function as a much simpler, readable code
• Helps prevent the search for security holes by making it more difficult to figure out what the code is doing.

Question 56

Define

Normalization

Answer 56

• modifying the format of input to bring it into a standardized format
• ex. adding and/or removing typed characters from a phone number so it gets stored in the following format, regardless of how it was typed in: (800) 555-1234

Question 57

Define

Validation Points

Answer 57

• Input validation can be performed either client-side, server-side, or both
• Using both is ideal
• If only using one, server-side is more secure because it prevents changes from being made after a client-side validation completes
• Client-side validation may be faster since it doesn’t require waiting for a response from the server.

Question 58

Define

SDK

Answer 58

• Software Development Kit
• Third-party code to extend the functionality of a programming language or provide pre-programmed functions
• Added by developers to their own code to speed up the process
• A security risk since the code was written by someone else. Requires extensive testing.

Question 59

Define

Software Diversity

Answer 59

• Systems and software that are functionally the same, but use different binary
• Makes them less susceptible to malware. It may infect one, but can’t infect all others in the same way.
• Accomplished by using varying complier paths when producing the binary

Question 60

Define

CI

Answer 60

• Continuous Integration
• A process where code is constantly being written and worked on, merged into a central repository throughout the day
• Requires the use of automated security checks to keep up with the constant changes

Question 61

Define

CD

Answer 61

Continuous Delivery:

• When the process of testing and releasing code / applications is automated.
• Automated security checks are performed during testing process, and the application is deployed into production with the click of a button.
• “Continuous Deployment,” also “CD,” is when it doesn’t even require human interaction to deploy into production, that is also automatic as long as security checks are passed.

Question 62

Define

Federation

Answer 62

• Providing network access to users based on a third-party’s authentication
• The third-party must have a trust relationship established
• Ex. logging into a third-party site by using your Facebook or Google account

Question 63

Define

Attestation

Answer 63

• Method of validating a device’s trusted identity.
• Ex., to confirm a remote user is on their company-assigned laptop when they try to connect via VPN
• Device provides a report to a verification server. Usually signed with the device’s TPM, and may include an IMEI or other unique hardware component identifier

Question 64

Define

TOTP

Answer 64

• Time-based One-Time Password
• Uses a secret key to generate codes based on the current time
• usually used for MFA

Question 65

Define

HOTP

Answer 65

• HMAC-based One-Time Password algorithm
• Single use passcode, usually used for MFA
• Similar to TOTP, but each code is only used once and goes to the next code in sequence, rather than being time-based

Question 66

Define

Static Code

Answer 66

• A code that never changes (at least not automatically).
• Ex., a PIN, such as for an ATM
• Traditional passwords are also examples of static codes

Question 67

Define

FAR

Answer 67

• False Acceptance Rate
• The likelihood that a biometic system will incorrectly approve an unauthorized user
• A high rate means that the sensitivity must be increased

Question 68

Define

FRR

Answer 68

• False Rejection Rate
• The likelihood that a biometic system will incorrectly reject an authorized user
• A high rate means that the sensitivity must be decreased

Question 69

Define

CER

Answer 69

• Crossover Error Rate
• Defines the overall accuracy of a biometric system
• The rate at which FAR and FRR are equal

Question 70

Define

AAA

Answer 70

• Authorization, Authentication, and Accounting
• The “Triple-A Framework”
• Identification (who are you: usually a username)
• Authentication (prove you are who you say you are: password and other authentication factors)
• Authorization (based on the last two, what access do you have)
• Accounting (logging activity and resources used)

Question 71

List Examples of

Factors of Authentication

(Three answers)

Answer 71

• Something you know (password)
• Something you have (phone, TOTP generator)
• Something you are (biometric)

Question 72

List Examples of

Attributes of Authentication

(Four answers)

Answer 72

• Somewhere you are (IP address, GPS data)
• Something you can do (handwriting, signature)
• Something you exhibit (gait analysis, typing analysis)
• Someone you know (Web of trust, digital signature)

Question 73

Define

Multipath I/O

Answer 73

• A form of redundancy in network-based storage systems
• Multiple network routes exist to get to the storage
• Ex. Multiple Fibre Channel interfaces with multiple switches

Question 74

Define

Generator

Answer 74

• Long-term power backup
• Requires fuel
• May be enough to power an entire building, or at least particular outlets marked as generator-powered
• Takes a few minutes to run once power is lost; use a battery UPS for the interim.

Question 75

Define

PDU

Answer 75

• Power Distribution Unit
• Provides multiple power outlets, usually in a rack
• Often networked and includes monitoring and control
• Remotely manage power capacity and remotely enable/disable individual outlets

Question 76

Difference between NAS and SAN?

Answer 76

• NAS is file-level access, SAN is block-level access
• SAN acts similar to a local storage device
• NAS requires overwriting an entire file if one part of it changes

Question 77

Define

Non-Persistence

Answer 77

• The ability for applications (usually cloud) to be built and torn down continuously
• Involves the ability to take snapshots, and revert or rollback to a known state

Question 78

Define

Restoration Order

Answer 78

• The order that must be followed when restoring an application or data
• Example, a database may need to be started up before an application can be
• Or, in backup, full backups and incremental backups must follow the correct restore order

Question 79

Define

Diversity

Answer 79

• The use of different technologies, OSs, vendors, controls, cryptographic ciphers, and CAs
• For the purpose of hardening security. Gives you options and makes you less prone to a single type of attack.

Question 80

Define

Embedded System

Answer 80

• Hardware and software designed together for a specific function
• Built with only one task in mind
• Often running on a SoC
• Ex. traffic light controllers; smart watches; medical devices

Question 81

Define

FPGA

Answer 81

• Field Programmable Gate Array
• An integrated circuit that can be configured and reconfigured after manufacturing
• Common in embedded systems
• An array of logic blocks that can be software-controlled, allowing a device to be reprogrammed without needing to replace hardware
• Common in infrastructure, such as switches, firewalls, and routers.

Question 82

Define

SCADA

Answer 82

• Supervisory Control and Data Acquisition System
• System allowing a PC to control industrial equipment
• Ex. for power generation systems, manufacturing, industrial devices, etc.
• Networked, but only internally. Requires extensive segmentation with no external access.

Question 83

Define

ICS

Answer 83

• Industrial Control System
• Essentially, another name for SCADA
• System allowing a PC to control industrial equipment
• Networked, but only internally. Requires extensive segmentation with no external access.

Question 84

List examples of

Embedded Systems

Answer 84

• IoT devices
• SCADA / ICS Systems
• Vehicle internal network and controls
• HVAC
• Drones
• Printers, scanners, faxes
• Surveillance systems

Question 85

Define

POTS

Answer 85

• Plain Old Telephone Service

* A new term for the same old, traditional, analog phone service

Question 86

Explain

RTOS

Answer 86

• Real-Time Operating System
• An OS with a deterministic processing schedule
• Typically used in certain types of embedded systems
• For systems that cannot wait for other processes, but must react immediately to live sensor data, and cannot be overridden
• Ex. anti-lock brake systems, industrial equipment, military environments
• Sensitive to security issues, as you must ensure the security does not interfere with or delay the process.
• It’s also difficult to know what kind of security is in place and running on such a system.

Question 87

Define

IMSI

Answer 87

• International Mobile Subscriber Identity
• Often contained in a SIM card
• Allows a mobile service provider to recognize the SIM card and add it to the cellular network
• provides authentication and contact information

Question 88

Define

Narrowband

Answer 88

• The use of a narrow range of frequencies rather than the full broadband signal
• Allows communication over a longer distance, and conserves frequency use
• Often used by IoT devices and SCADA equipment, particularly those that must communicate over long distances

Question 89

Define

Baseband

Answer 89

• The use of a single frequency to communicate, rather than a narrow or broadband
• Usually done over a single cable connection.
• Because it is a single frequency, the signal uses all bandwidth. Utilization is always either 0% or 100%.
• Therefore it is half-duplex. Communication can be bidirectional, but not at the same time on the same wire.

Question 90

What standards exist for Baseband communication?

Answer 90

• It is often over Ethernet, with the following standards:
• 100BASE-TX
• 1000BASE-TX
• 10GBASE-T
• The “BASE” in the Ethernet standard indicates baseband.

Question 91

Define

Zigbee

Answer 91

• An Open Standard for IoT networking
• An alternative to Wi-Fi and Bluetooth
• Longer range than Bluetooth, less power consumption than Wi-Fi
• All devices mesh together, to hop connections through each other to reach network infrastructure

Question 92

Define

IEEE 802.15.4 PAN

Answer 92

• The IEEE designation for Zigbee

* PAN indicates “Personal Area Network”

Question 93

What bands are used by Zigbee?

Answer 93

• In the USA, it uses the ISM Band (Industrial, Scientific, and Medical)
• 900 MHz and 2.4 GHz frequencies

Question 94

What are five common physical constraints of Embedded Systems?

Answer 94

• They usually have very limited resources and features
• Compute capability is very limited; therefore cryptographic capabilities
• Communication options are limited; networking requirements may be very specific
• Power is a common constraint, as they are often in the field and may not have access to a main power source
• Upgrade options are usually very limited or impossible

Question 95

What are five common security concerns for Embedded Systems?

Answer 95

• Adding or changing cryptography functionality may not be possible
• Ability to update / patch is usually very limited or not possible
• Security features are often an after-thought
• Authentication requirements may be non-existent, or very limited
• Direct access to the OS and software is often very limited or impossible, thus security cannot be verified

Question 96

Define

Bollard

Answer 96

• a post that is put in the middle or at the end of a road to keep vehicles off or out of a particular area

Question 97

Define

Duress alarm

Answer 97

• an alarm that is triggered by a panic button or similar method

Question 98

Define

Industrial Camouflage

Answer 98

• Concealing an secure facility in plain sight, blending it into the local environment and leaving it unmarked.

Question 99

Define

Robot Sentry

Answer 99

• Self-explanatory, but yes, they apparently exist, and they are on the exam.

Question 100

Define

Two-Person Integrity

Answer 100

• Method of guarding, where no single person has access to a physical asset
• Requires two people to grant access, which minimizes exposure to an attack

Question 101

Two-Person Control

Is also known as?

Answer 101

Another term for Two-Person Integrity

Question 102

Define

Juice-Jacking

Answer 102

• An attack on devices that use the same cable for both charging and transferring data (typically USB)
• A malicious device appears as a power charging source, but while charging, it is actually communicating with your device
• Either to steal data, or install malware

Question 103

Define

USB Data Blocker

Answer 103

• A USB adapter cable that allows voltage but prevents any data transfer
• i.e., your device can charge over this USB cable, but not communicate
• Prevents juice-jacking

Question 104

How to prevent juice-jacking?

Answer 104

• Only use your own power adapters

* Use a USB Data Blocker

Question 105

What are two security concerns regarding Faraday Cages?

Answer 105

• No all signal types can be blocked

* If access to mobile networks are restricted, then contingencies must be in place for emergency calls

Question 106

Define

Screened Subnet

Answer 106

• Apparently, the new name for a DMZ, though no one has ever heard anyone use this term.
• In reality, it’s just some bullshit that CompTIA is trying to invent to exert control.
• To quote Mean Girls, “Stop trying to make ‘fetch’ happen. It’s NOT going to happen.”

Question 107

Define

PDS

Answer 107

• Protected Distribution System
• A physically secured cabled network.
• Prevents cable taps
• Prevents a physical DoS of cutting cables

Question 108

Define

Air Gap

Answer 108

• A physical separation between networks
• Whereas most network environments are shared, and may only have virtualized or software separation, air gaps provide complete physical separation.

Question 109

What types of specialized networks often require Air Gaps?

Answer 109

• airplanes
• nuclear plants
• stock market networks
• power systems/SCADA

Question 110

Define

Degaussing

Answer 110

• The process of using a strong electromagnetic field to destroy data magnetically stored on a hard drive, rendering the drive unusable
• Also destroys the drive configuration data, so not only is the drive unreadable, it can never be reused

Question 111

Define

Pulping

Answer 111

• Placing shredded paper into a large tank to remove ink and break the paper down into pulp.
• Creates recycled paper, and ensures information on the original paper is unrecoverable.

Question 112

List four beneficial functions of cryptography.

Answer 112

• Confidentiality
• Authentication / access control
• Non-repudiation
• Integrity

Question 113

Define

Cipher

Answer 113

• The particular algorithm used to encrypt and/or decrypt

Question 114

Define

Cryptanalysis

Answer 114

• The art of cracking encryption
• Not just a job for the bad guys; researchers also work to find weaknesses in ciphers, as a flawed cypher is bad for everyone.

Question 115

Define

Key

Answer 115

• The secret information that is added to a cipher in order to encrypt plaintext
• Though ciphers are publicly known, the keys are secret
• The key is then required to decrypt the ciphertext
• Using larger keys, and/or multiple keys, increases the security of the cryptography

Question 116

Define

Key Stretching

Answer 116

• The process of making a weak key stronger by performing multiple encryption processes with it
• I.e., hashing a password, then hashing the hash of the password, and so on.
• Makes brute force attacks more difficult, as the attack would require reversing each stage of the hashes
• Adds security without needing a larger key.

Question 117

Key Strengthening is also known as?

Answer 117

• Another term for Key Stretching

Question 118

Define

Lightweight Cryptography

Answer 118

• New technology still in the process of development.
• Method of cryptography that has lower demands on CPU and power.
• Designed with IoT devices in mind.

Question 119

Define

Homomorphic Encryption

Answer 119

• Typically, encrypted data must be decrypted, then perform the function, then encryption is re-applied to the answer.
• Homomorphic Encryption is the process of using and performing calculations on data while it remains in an encrypted state.
• Allows data to remain securely stored in the cloud while still being utilized
• Allows users to utilize the data without being able to view it.

Question 120

Explain

Symmetric Encryption

Answer 120

• The same key is used to encrypt and decrypt
• Faster, less overhead than asymmetric encryption
• Does not scale well, and difficult to securely share the key

Question 121

Explain

Asymmetric Encryption

Answer 121

• A public key is used to encrypt, and a private key is used to decrypt.
• The keys are mathematically related, but the private key cannot be derived from the public key
• Requires significant work from the CPU

Question 122

Explain

Symmetric key from asymmetric keys

Answer 122

• You can combine your private key with a recipient’s public key to create a new, symmetric key
• That recipient likewise combines their private key with your public key, and produces that same symmetric key
• You now both have the same symmetric key, and can use symmetric encryption, without ever having to share your private keys or any symmetric key.
• This process is used by the Diffie-Hellman key exchange

Question 123

Explain

ECC

Answer 123

• Elliptic Curve Cryptography
• Uses curves instead of numbers to generate asymmetric encryption keys
• The keys are smaller than non-ECC encryption
• Smaller storage and transmission requirements
• Ideal for mobile and IoT devices

Question 124

Explain

Hashing

Answer 124

• A way to represent data as a short string of text, serving as a digital signature of that data
• A one-way trip, the data cannot be derived from the hash
• May be used to verify a downloaded file
• May be used to store passwords, so that your actual password is never stored in plaintext and can’t be derived

Question 125

Define

Perfect Forward Secrecy (PFS)

Answer 125

• A method of web server encryption that uses a different private key for every TLS session
• This way, if the private key is compromised, an attacker cannot decrypt all data for all sessions
• Uses Elliptic curve or Diffie-Hellman ephemeral
• The browser must support PFS (most modern browsers do)

Question 126

Define

Steganography

Answer 126

• Hiding information inside something else
• From Greek for “concealed writing”
• Not truly secure, but a form of “Security through obscurity”
• May be hidden in an image, an audio file, within other network traffic, etc.

Question 127

Define

Covertext

Answer 127

• In Steganography, the container image, document, or file for a hidden message.

Question 128

Explain

Quantum Computing

Answer 128

• Computers based on quantum physics
• An emerging technology
• Uses qubits instead of bits, which are super-positioned bits of 1s, 0s, and any combination in-between, at the same time
• Allows for searching, indexing, and simulating extremely quickly
• Theoretically will be able to quickly brute force all traditional cryptography.

Question 129

Explain

Quantum Communication

Answer 129

• If qubits are examined, they are changed. Therefore, you can be aware if your communication has been intercepted and observed.
• Especially useful for distribution of encryption keys. Both sides can verify they key. If it was observed en route, then it will have changed and won’t match what was sent.

Question 130

Define

Stream Cipher

Answer 130

• Encryption performed one bit or byte at a time.
• High-speed, low demands on resources
• Randomization is challenging, especially if multiple bytes are identical, so an IV is often added.

Question 131

Explain:

Block cipher

Answer 131

• Encrypts a fixed-length block of bytes at a time, often 64- or 128-bits in size
• If the final block does not fit, padding is added
• Each block is encrypted and decrypted separately
• Different methods of encrypting blocks are referred to as “Modes of operation”

Question 132

List four modes of operation for block cipher

Answer 132

• Electronic codebook
• Cipher Block Chaining
• Counter Mode
• Galois/Counter Mode

Question 133

Define

Electronic Codebook

Answer 133

• A mode of Block Ciphering

* Each block is encrypted with the same key; too simple for most use cases

Question 134

Define

Cipher Block Chaining

Answer 134

• A mode of Block Ciphering
• Each plaintext block is XORed with the previous cipher block
• (the first block uses an IV)

Question 135

Define

Counter Mode

Answer 135

• A mode of Block Ciphering

* Encrypts successive values of a counter, using the plaintext as part of the XOR to create the ciphertext

Question 136

Define

Galois/Counter Mode

Answer 136

• A mode of Block Ciphering that also applies authentication
• Combines Counter Mode with Galois authentication
• Very efficient at encrypting, and authenticates where the data came from
• Commonly used in packetized data, wireless communication, IPsec communication, TLS

Question 137

List four practical applications of Blockchain technology

Answer 137

• Payment processing
• Digital identification
• Supply chain monitoring
• Digital voting

Question 138

Explain:

OWASP

Answer 138

• Open Web Application Security Project
• International non-profit organization
• Provides free materials to promote and support web application security