Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training and I hope you guys are all having a wonderful day today. Today is CISSP Exam Question Thursday. So, yes, today we're going to go over CISSP exam questions from the previous podcast. This is again on Thursday, and the podcast we have on Monday.
This is to follow up on the specific content that was there. These are the specific questions that you may see on the CISSP exam. Again, as I've stressed before, multiple times, these are not the questions, word for word, that you will see on the CISSP.
These are questions that are similar to what you might see on the exam, but the ultimate goal of these questions is not to teach you the test. It's to teach you the overall concept so that you understand what the question is actually asking of you. They are not designed to give you, hey, if you know this question, you will pass the exam.
No, they are not designed for that at all. They are designed just to give you a good understanding of what you can anticipate and what you might see on the exam. So this is the overall. This is Question Thursday, so we're going to go over 15 various questions that cover the last podcast.
The last podcast focused on cryptography, but before we get started, we want to talk about an article that I saw as it relates to this actual topic that we're dealing with when it comes to cryptography.
Now, Security Intelligence has a product out there, or a blog post, that's the CISO's guide to accelerating quantum safe readiness, and this is a great article around quantum and what you should be doing as a security professional, what you should be looking at now.
I don't know if you all are aware that there's been a lot of hubbub out there that quantum will both have, obviously, promises and challenges as it relates to the encryption piece of this, and many people feel that there is a public risk to the public key encryption that's out there and available, and they feel that it's the store-for-later kind of concept.
I had heard this where, because they don't have the ability to crack the hashing algorithms at this point, they feel that what they can do is, bad guys or gals can then steal all the content, store it for later and then be able to use quantum to crack the code and be able to break the encryption that's tied to it.
Now they're saying that future cryptography events, obviously, in plain terms, might be able to break the public key algorithms such as we talked about, Rivest, Shamir, Adleman, the RSA, and also the elliptic curve Diffie-Hellman options that are available out there, and it potentially could leave it open to being decrypted.
They have this concept called harvest now, decrypt later. I, yeah, I probably just butchered that in the beginning, but basically you take it now, you steal it now, you decrypt it later, and I know the, I shouldn't say know, I'm aware that the NSA has done this.
I believe the other government entities are probably doing this as well, because their goal is that they've been able to get gobs of data amongst each of the other countries and they've been able to steal it over the years, and so, therefore, it's encrypted, but rather than having to try to brute force that now, they will then turn around and store it for later, with the goal that they'll be able to utilize it. Once the encryption keys are crackable, they'll be able to go and get access to it. So what a CISO should do and what a security professional should do is to understand what is the cryptography within your environment, observe the cryptography and then transform the cryptography.
When they talk about discovering it, you just, you need to understand where it all resides within your organization, and they talk about having a cryptography bill of materials. This is your CBOM, right, and I know a BOM, I hear people talk about bill of materials a lot.
They're talking about understanding the overall cryptography within your environment so that you know where it's at, and this would include the parts that are embedded within your organization, to also include third party products that might be doing that same type of aspect, those that you use to create and validate digital signatures, all of those pieces, how the applications are using crypto, all of that you should be able to try to have some level of understanding on. Then the next part is observing it and then knowing how is it working within your organization, as we talked about in the last podcast, just putting in an IPsec tunnel that would be between two endpoints.
You would need to observe how is it being used? So, one, you would know that you have these IPsec tunnels in place. Two, you'd observe where it's, how it's being used and what data is transferring between it.
And the ultimate goal, then, is to ensure that you understand it so that now, when they do this harvest now, decrypt later, you know the data that potentially is encrypted and you know what they could be stealing from you.
So I've had it happen to me as a CISO where there's been data that's been stolen. In the past, many years ago, I've had data that was stolen from us, and in the case of doing that, you just assume that all that data is encrypted.
But when it's encrypted, the goal is that it will be in a situation where it won't be able to be re-established, right? So, as I said, now this is about, in a previous life, with the military, I had seen data that had been stolen, and as that data had been stolen, then you go, okay, now, once they have it, will they be able to decrypt it?
And the ultimate goal of this is that they hope they won't. But yeah, we'll see how that plays out in the future. I know that MIT came up with new quantum crypto guidelines on how you should work to make your environment more quantum protected, and I would recommend you go check that out as well, and that would help you understand it. I've just looked at it. I haven't actually dug deep into it myself, but it would help your organization to understand how to ensure that you have some level of quantum safe solutions in place as we go into the future, because it's a matter of time, especially, as we talked about in the last podcast, around some of these older systems like DES, for an example.
It's got 56-bit encryption which already can be cracked now, but now you throw quantum into the mix, all of those things can be cracked relatively quickly, and I know the key pair that MIT is recommending, I believe, is 2048 versus when we talked about SHA-256.
They feel confident that quantum will have the ability to wreak havoc on these lower-bit encryption technologies. So then, transform it. Again, once you transform, you want to build out quantum safe solutions and it's important that you think about this from a long-term perspective. How would you do that?
And you have time right now, but now is the time, as a security professional, to start considering how is quantum gonna play a factor within your organization? All right, so let's go and get into the CISSP questions that we have planned for today. Question one: which symmetric key encryption algorithm is currently considered the gold standard for applications?
A, DES; B, Triple DES; C, Blowfish; or D, AES? Okay, so what is the gold standard: DES, Triple DES, Blowfish or AES? And the answer is D, AES. AES offers the robust security and efficient performance that you're looking for as it relates to various pieces of security, and this is one that would be highly recommended.
Question two: which hashing algorithm is considered insecure due to collision vulnerabilities? Okay, which hashing algorithm is considered insecure due to collision vulnerabilities? A, SHA-256; B, MD5; C, both SHA and MD5; or D, neither SHA nor MD5. And the answer is B, MD5.
MD5 suffers from weaknesses that allow attackers to create colliding message pairs, thus compromising the integrity of its verification abilities. SHA-256 does remain secure and therefore it is recommended for hashing. Question three: what key size does RSA commonly use for encryption? A, 128 bits; B, 256 bits; C, varies depending upon application; or D, RSA is not typically used for encryption. Which key size does RSA commonly use for encryption? That's the question, and the answer is D, RSA is not typically used for encryption.
It employs key sizes up to 2048 or higher for stronger encryption and it is capable of encryption, but technically it's commonly used for key exchange and digital signatures, so it is not typically used for encryption. What type of cryptography algorithm is best suited for securing communications on resource constrained devices such as wearables?
Okay, again, if you're looking at a wearable, obviously that's like an IoT device. It would have a, you'd want something with a low bit or a low key, right? So a low bit, a low amount of bits, a reduced amount of bits. I can't even say it, but you want less bits, so you want that.
If you're dealing with a wearable: A, AES; B, RSA; C, ECC; or D, Triple DES. Okay, so AES, RSA, ECC or Triple DES. Again, which algorithm is best suited for securing communications on resource constrained devices such as wearables? And that would be ECC.
It offers comparable security to RSA, but with a smaller key size, making it much more efficient for these smaller type devices. Question five: which protocol allows secure key exchange over an insecure channel without pre-shared secrets? So, which protocol allows secure key exchange over an insecure channel without pre-shared secrets?
A, AES; B, Diffie-Hellman; C, Digital Signature Algorithm; D, ElGamal. Which protocol allows secure key exchange over an insecure channel without a pre-shared secret? A, AES; B, Diffie-Hellman; C, Digital Signature; or ElGamal? And the answer is B.
Diffie-Hellman enables two parties to establish a shared secret key even if their communication is intercepted, making it crucial for secure communication protocols such as TLS and SSH. Which advantage does asymmetric cryptography offer over symmetric cryptography? A, faster encryption/decryption speeds; B, non-repudiation and digital signatures; C, smaller key sizes; or D, more readily available hardware acceleration. Okay. Which advantage does asymmetric cryptography have over symmetric? And the answer is B, non-repudiation and digital signatures. Okay. Asymmetric cryptography allows digital signatures, ensuring non-repudiation, obviously proof of ownership, which is not achievable with symmetric algorithms.
Question seven: which of the following is a common application used for hashing algorithms? A, password storage; B, software download integrity verification; C, data encryption; or D, blockchain technology. Which of the following is a common application used for hashing algorithms? And the answer is B, software download integrity verification.
So when you're doing integrity verification of downloads, a hashing algorithm is typically used. Why? Because you want to ensure that what is downloaded is actually what you're getting.
So you'll see, often when you go to do a download, you'll have the hashing algorithm off to the side and then you can compare hashes on what you're downloading to ensure that you're getting what you are wanting. Which algorithm? Question eight: which algorithm is most vulnerable to brute force attacks due to its small key size? A, AES-256; B, SHA-512; C, ECC; D, DES. Okay, so which algorithm is most vulnerable to brute force attacks due to its small key size? And that is DES. DES uses a 56-bit key, making it susceptible to being cracked by various attackers. So that's why you want to use stronger algorithms, such as AES and SHA. Question 9.
Which potential drawback does the key exchange in asymmetric cryptography have compared to symmetric cryptography? A, lower performance due to complex calculations; B, susceptibility to man-in-the-middle attacks; C, increased key management complexity; or D, all of the above? And the answer is D, all of the above.
Asymmetric cryptography can be slower than symmetric due to intricate mathematical operations. It also requires careful management of public and private keys, increasing its complexity. Question 10: why is using a combination of different cryptography algorithms recommended for secure systems? A, to avoid vendor lock-in; B, to leverage the strengths of each algorithm for specific tasks; C, to comply with industry regulations; or D, to make system debugging easier. Why is a combination of different cryptography algorithms recommended in secure systems? And the answer would be B, to leverage the strengths of each algorithm for the specific tasks that are at hand.
So, if you're dealing with RSA, you're dealing with AES, you're dealing with SHA-256, each of those will have different uses within your organization and therefore they can be used in a layered approach. Question 11: which organization publishes recommendations for secure cryptography use in the industry? A, FBI; B, NIST; C, ISC2, CISSP; or D, NSA?
And the answer is B, NIST. See, the National Institute of Standards and Technology does publish special publications, such as SP857, which provides guidance on cryptography or cryptographic algorithms and their potential applications. Question 12: what is the primary purpose of a digital signature in the context of cryptography? A, to encrypt data for secure storage; B, to guarantee data confidentiality; C, to ensure data integrity and non-repudiation; or D, to compress data for efficient transmission. What is the primary purpose of a digital signature in the context of cryptography? And the answer is C, to ensure data integrity and non-repudiation. Digital signatures primarily offer data integrity and non-repudiation.
By binding the message to the sender's private key, anyone can verify the message hasn't been tampered with and identify the origin. This is all through the public key infrastructure, PKI. Question 13: when choosing a cryptographic algorithm for an application, what factors should be considered?
A, cost of implementation; B, vendor support and availability; C, security, strength and maturity of the algorithm. Again, the question is, when choosing a cryptographic algorithm for an application, what factors should be considered? And the answer is D, all of the above. I don't think I forgot to mention that one.
It's all of the above: cost of implementation, vendor support and availability, and security, strength and maturity of the algorithm. All of those should be considered as factors. Question 14: what best practice should be followed to secure cryptographic keys in an environment? A, store the keys in plain text for easy access; B, use the same key for multiple purposes; C, implement strong key generation, storage and rotation mechanisms; or D, rely solely on software-based key management. What best practice should be followed to secure cryptographic keys in your environment? And the answer is C, implement strong key generation, storage and rotation mechanisms.
You wanna have all of that in place when you're dealing with keys, and that's really a big factor. As soon as you possibly can, if you have some level of password management and you have keys in your environment, you wanna look at rotating them as much as you possibly can, within practice, right, within practical.
You wanna make sure that you're not just creating more work for yourself. But key rotation is an important factor in security. Which statement is true regarding forward secrecy in cryptography? What does, so, basically, what does forward secrecy do? A, it guarantees complete protection against decryption, even with compromised keys; B, it ensures past sessions cannot be decrypted if future session keys are compromised; C, it provides perfect security against all cryptographic attacks; or D, it is not relevant for modern, secure communication protocols. So, which statement is true regarding forward secrecy in cryptography, and what is forward secrecy?
Well, basically, forward secrecy ensures past sessions cannot be decrypted if future session keys are compromised. That's the ultimate goal: it's mitigating damage from key exposure. Now, it's obviously not completely 100% gonna fix everything, but it will allow you to have some level of protection.
And again, all of this comes down to layering it, right. We cannot guarantee that one thing is going to fix everything. You have to ensure that you have layers in place to ensure your protection is adequate. Okay, that's all I've got for you today. Again, this was CISSP Question Thursday. Head on over to CISSPcybertraining.com.
Check out some of the great products I've got there. I've got some awesome stuff to help you pass the CISSP exam the first time. Had another one come in today: an individual just passed their CISSP and they're on their way to doing what they wanna do. So life is good. Check it out. I've got a mentoring and coaching program as well. It's available for you.
If you don't know what you wanna do with your life as far as cybersecurity and how to make the next step, check out my mentoring program. It is amazing.
I say that not because I'm amazing, no, I'm not amazing at all, but I'm saying that because the one thing I struggled with when it came to the CISSP and even cybersecurity in general is I didn't know what to do. I didn't know what was my best career.
I'll tell you that I've done, I've been, done it all, but I've done a lot of different things in security and I can give you some guidance and some direction around that. So go check out my mentoring program. It's definitely well worth it. You get all of my CISSP training plus you get access directly to me and I will set aside time specifically for you and we will have conversations and make sure that we get you on the right path for success. All right, I hope you have a wonderful day and we will catch you on the flip side. See you.
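Worked example added after the transcript (not part of the podcast or its author's material): the download-integrity check from Question 7, reading a sha256sum-style checksum manifest, comparing the digest in constant time, and refusing a manifest that only publishes the collision-prone MD5 hash from Question 2. The file contents, file name and manifests are constructed inline for the demonstration.

```python
import hashlib
import hmac

# Constructed sample "download" and file name; not a real package.
DOWNLOAD_NAME = "tool-1.0.tar.gz"
DOWNLOAD_BYTES = b"constructed sample installer contents, not a real package\n"

# Hex-digest lengths identify the algorithm used in a checksum manifest.
APPROVED = {"sha256": 64, "sha512": 128}   # acceptable for integrity checks
DEPRECATED = {"md5": 32, "sha1": 40}       # collision-prone; rejected below
LENGTH_TO_ALGO = {n: a for a, n in {**APPROVED, **DEPRECATED}.items()}


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hexdigest>  <filename>') into
    {filename: (algorithm, hexdigest)}. Malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        algo = LENGTH_TO_ALGO.get(len(digest))
        if algo:
            entries[name] = (algo, digest)
    return entries


def verify_download(data, name, manifest_text):
    """Return (ok, reason) for a downloaded file checked against its published manifest."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, "no manifest entry for file"
    algo, expected = entries[name]
    if algo in DEPRECATED:
        # A colliding file pair defeats the check, so an MD5/SHA-1 manifest proves nothing.
        return False, f"manifest uses collision-prone {algo}; require sha256 or stronger"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time compare avoids leaking how many leading characters matched.
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: file was altered or corrupted in transit"
    return True, f"{algo} digest matches"


# Constructed manifests: one a vendor should publish, one that should be rejected.
GOOD_MANIFEST = f"{hashlib.sha256(DOWNLOAD_BYTES).hexdigest()}  {DOWNLOAD_NAME}\n"
MD5_MANIFEST = f"{hashlib.new('md5', DOWNLOAD_BYTES).hexdigest()}  {DOWNLOAD_NAME}\n"

if __name__ == "__main__":
    print(verify_download(DOWNLOAD_BYTES, DOWNLOAD_NAME, GOOD_MANIFEST))
    print(verify_download(DOWNLOAD_BYTES + b"\x00", DOWNLOAD_NAME, GOOD_MANIFEST))
    print(verify_download(DOWNLOAD_BYTES, DOWNLOAD_NAME, MD5_MANIFEST))
```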