Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

All right, let's get started.
Hey all, Sean Gerber with the CISSP Cyber Training Podcast, and I hope you all are having a wonderful day today. Today is exam question Thursday, and we're going to go over some awesome questions as it relates to message integrity, digital signatures and all the wonderful things that came out of the last podcast we had on Monday.

But before we do, one quick question, one quick announcement. Actually, I am finally done working at my company that I worked at for about 13 years, and I'm out on my own. So this is amazing, exciting and a bit terrifying.

So we're pretty excited about what's happening here at CISSP Cyber Training, as well as the fact that I'm going to be able to be a consultant and help a lot of organizations with their cybersecurity, whereas in the past I was a little bit limited.

Great company, amazing company, but time to move on and do some other things with my life, and I'm pretty excited about that. But before we get started, I just want to quickly talk about the recent article I saw today related to UnitedHealthcare.

So this is really out there for all of you CISSP candidates that are working to get your certificate, one because you feel like you have to for your career, but also maybe because of the fact that your job may be requiring it due to regulations that might be coming down the pipe, and this is a great example of what you're going to see more of.

This is from the recent attack that happened on UHC and Change Pharmaceuticals or Change Medical, something like that, and what it really came down to was they had a ransomware attack that hit this Change Healthcare, and they basically process transactions for UnitedHealthcare, which is one of the largest insurance companies in the United States, and they process around 15 billion transactions annually, which is a lot, right, that's like gov of transactions that are occurring, and they got hit with a ransomware attack, and this ransomware attack basically brought them to their knees, and this was back in the first part of February, if I'm not mistaken, and because of that, they had ended up paying a $22 million ransom to get unstuck. That was the ultimate goal of it, and this is when the Department of Homeland Security came into this and the Department of Human Services came in, and they decided that this needed to be fixed.

So who knows who paid the bill, but the bottom line is it's critical infrastructure for the United States, and therefore it was a target by these attackers, and as a result we see what happened, and it caused dramatic impact to the United States and our medical industry.

Most of the big, like 50% of the pharmacies within the United States, actually could not be processing insurance transactions due to this attack. So, as we see, it's a really big factor as it comes to when you're talking infrastructure and critical infrastructure itself.

Now, what the Biden administration is coming down to is they're maintaining this comment about how they're going to establish tough, mandatory cybersecurity standards for the healthcare industry. Yeah, so if you're a security person, if you're like me, you're going, yikes.

I've talked to a friend of mine who's a CISO at a very large Fortune 20 company, and a lot of folks that are in our space are starting to think highly about going, well, do I want to be a consultant? Do I want to be a CISO? What do I want to do? Do I want to be an architect?

And one of the factors that came out of that conversation was that the regulations are becoming so onerous that, one, you're not going to take risk, but, two, the fact that it puts people like myself who were former CISOs kind of a little bit in jeopardy. So it's an interesting dynamic, the things that are happening, and somebody basically wants someone to hang.

That's the ultimate goal, is that they want to prove that they're doing something that is hard and substantial and making a difference, rather than just kind of sweeping it under the covers. So it will be very, very interesting in the next few years to see how this kind of weight plays out.

One other part I think may have played into some of this, and again, I'm just guessing at this point, I have no insider knowledge on any of that, but there was a 2022 merger with Optum and Change Healthcare for about $13 billion. That's a lot of money, and that merger occurred, and, I mean, who knows how that occurred in the fact of the security aspects around this organization.

But when you bring a big, large organization like that together, I can tell you from experience, acquisitions are kludgy, acquisitions are very challenging, and if you don't have a good plan in place, even if you do have a good plan in place, there is a really good chance that something bad could happen. So it will be totally interesting to see what's going to occur out of this.

One last comment I wanted to make is they made this comment (this was in there as well): "investigating whether additional legislation is needed to bolster security in the healthcare sector," which is including increasing financial penalties and holding company executives liable for failing cybersecurity 101. Yeah, that's scary, because I just need somebody that's up in Washington DC telling me what cybersecurity 101 is. So, yeah, that's so good. So, anyway, this is an interesting concept that's going to be happening that you're going to be paying attention to. We're going to pay attention to it here at CISSP Cyber Training and on the Reduce Cyber Risk podcast.

That's going to be coming out here very soon, and it's going to be fun. But enough talking about that, let's get into today's questions. Okay, so here are the questions that we are going to be talking about again. We're in domain 3.6, getting into digital signatures, MD5s and SHA-1s, all that fun stuff. So let us get started.
Question one: which of the following is the primary purpose of a message integrity check? A, to confirm the sender's identity. B, to ensure that the message is not altered. C, to compress the data for transmission. Or D, to encrypt the message content. Again, which of the following is the primary purpose of a message integrity check, or MIC? And the message integrity check is used to detect any changes in the content. So it is question B, or answer B. It is used to detect any changes in the content of the message, ensuring that it's not been tampered with during transmission.

Question two: what is the main difference between a checksum and a cryptographic hash function? Again, what is the main difference between a checksum and a cryptographic hash function? A, a checksum is used for error checking, while a hash function is used for security purposes. B, a checksum is reversible, while a hash function is not. C, a checksum can only be used once, while the hash function can be used multiple times. And then D, a checksum is faster to compute than a hash function. Again, what is the main difference between a checksum and a cryptographic hash function? And the answer is A: a checksum is used for error checking, while a hash function is used for security purposes. Checksums are generally used to verify the data's integrity, right, and detect errors within that overall transmission, while the hash functions are designed as a secure way for you to verify the integrity of the data and are resistant to potentially reverse engineering. Again, resistant, not impervious, but resistant.

Question three: which of the following best describes a cyclic redundancy check, or a CRC? Answer A, a symmetric encryption algorithm. B, asymmetric encryption algorithms. C, an error-detecting code. Or D, a digital signature algorithm. Which of the following best describes a CRC, or a cyclic redundancy check? And the answer is C: a CRC is an error-detecting code. Right, it's a checksum that's used to detect accidental changes to raw data in digital networks and storage devices.

Question four: why are collision-resistant properties important in hashing algorithms? A, they ensure the hash value can be decrypted. B, they allow hash functions to be reversible. C, they increase the speed of the hashing function. Or D, they prevent the same hash value from being produced by two different inputs. So why are collision-resistant properties important in hashing algorithms? Okay, again, we talked about collision. Why would collision be bad? You want things hitting each other? So the answer would be D: they prevent the same hash value from being produced by two different inputs. Again, collision resistance is crucial because it makes it computationally infeasible to find two distinct inputs that produce the same hash output. So therefore it is unique, and if it's unique, that'll keep you from having collisions.

Question five: which of the following secure hash algorithms is considered deprecated due to the vulnerabilities allowing for collision attacks? Now, we talked about this a little bit in the podcast. MD5 was one of them, but you don't see MD5 on here, so which one could it be? So which of the following secure hash algorithms is considered deprecated due to the vulnerabilities allowing for a collision attack? A, SHA-1. B, SHA-2. C, SHA-3. Or D, all of the above? Okay. So if you didn't know the answer to this question, the easiest way to guess would be, obviously, something that is the most or the oldest, and that would be correct: SHA-1. SHA-1 has been deprecated due to vulnerabilities of collision attacks, where two different inputs can produce the same hash value. So SHA-1 is the deprecated one.

Question six: what is the significance of a fixed-length digest in cryptographic hashing? Okay, what is the significance of a fixed-length digest in cryptographic hashing? So we talked about the digest being 128, 512 and so forth. What is the significance of a fixed-length digest? A, it ensures a hash function is reversible. B, it guarantees the original message can be reconstructed from the digest. C, it provides a consistent output size, which is essential for security. Or D, it allows the digest to be easily encrypted. Again, fixed-length digest, what is the significance? And it is C. A fixed-length digest means that no matter the size of the input data, the output will always be the same, which is crucial when you're maintaining security, especially as it relates to trying to understand the overall hash, and it prevents the attackers from detecting information about the input based on the hash length.

Question seven: which of the following best describes the purpose of a digital signature? A, to verify the sender's identity and ensure integrity of the message. B, to encrypt the contents of the message. C, to provide a checksum for error detection. D, to compress the data for easier transmission. Okay, which of the following best describes the purpose of a digital signature? And it is A: to verify the identity and ensure the integrity of the message. Right, digital signatures are used to authenticate the identity of a sender and confirm that the message has not been altered, ensuring both integrity and non-repudiation in the communication path. It is five o'clock in the morning, so I'm sorry if my tongue gets a little away from me and I can't quite speak. Apologies.

Question eight: which information does a digital certificate typically contain? A, the certificate holder's private key. B, a certificate authority's private key. C, the certificate holder's public key and identity information. Or D, the encryption algorithm used by the certificate holder. Question eight is, what information does a digital signature typically contain? And the answer is C: the certificate holder's public key and identity information. So again, a digital certificate holds the public key of the individual, and it's signed by a trusted certificate authority, and it does not contain the private keys. You don't want it to contain the private keys, remember?

Question nine: which role does a certificate authority, or a CA, play in the public key infrastructure, otherwise known as PKI? Which role does the CA play in PKI? A, it generates public and private key pairs for the users. B, it acts as a trusted third party to issue and manage digital certificates. C, it encrypts the messages with the recipient's public key. Or D, it decrypts the messages using the sender's private key. Okay, it doesn't do anything with the public/private key as it relates to encrypting messages. So it could either be A or B, and it acts as a trusted third party to issue and manage digital certificates. That's the ultimate purpose. It verifies the identity of the certificate holder and the association with their public key.

Question 10: which of the following is a characteristic of a SHA-2 hash compared to a SHA-1? Again, which of the following characteristics of a SHA-2 hash compares to that of a SHA-1? A, they are less secure and more prone to collisions. B, they have a shorter fixed-length output. C, they are faster to compute and easier to reverse. Or D, they offer improved security and are designed to be more resistant to collision attacks. And the answer is D: they offer improved security and are designed to be more resistant to collision attacks, hence a couple of questions earlier. And they include several algorithms with longer bit lengths than a SHA-1. So it is a much better algorithm.

Question 11: which is a significant advantage of SHA-3 over its predecessors? Okay, why is SHA-3 better over its predecessors? A, it is designed based on a different cryptographic structure called a sponge construction. B, it uses the same mathematical principles as SHA-1 and 2 for easy integration. C, it produces shorter hash values for faster computation. Or D, it's less secure but more efficient in terms of energy consumption. And what is the significant advantage of SHA-3 over its predecessors? And that is A: it's designed on a different cryptographic structure called a sponge construction.

Question 12: how do digital signatures contribute to non-repudiation in electronic transactions? A, by ensuring the transaction is encrypted end to end. B, by allowing the recipient to verify the sender's identity and the integrity of the message. C, by providing timestamps that indicate when the transaction has occurred. Or D, by confirming the transaction has been approved by a certificate authority. So how do digital signatures contribute to non-repudiation in electronic transactions? And the answer is B: by allowing the recipient to verify the sender's identity and the integrity of the message. Okay, digital signatures bind the signer and the document, allowing the recipient to verify the origin and integrity of the message. So that's the key around that: it prevents the sender from denying any involvement in the overall transaction.

Question 13: what is the purpose of a certificate revocation list, a CRL? A, to list all the certificates issued by the certificate authority. B, to store the public keys of all certificate holders. C, to provide a list of certificates that have been suspended or revoked. Or D, to encrypt communications between the client and the servers. Again, what is the purpose of a CRL, a certificate revocation list? And the answer is C: to provide a list of certificates that have been suspended or revoked. Again, they contain the serial numbers of digital certificates that have been revoked or suspended and therefore scheduled for expiration.

Question 14: in which scenario would a hash function be an appropriate choice for ensuring data integrity? Again, in which scenario would a hash function be an appropriate choice for ensuring data integrity? A, to verify the integrity of a downloaded file. B, storing the user's password in their database. C, detecting accidental changes in the data on a storage device. Or D, ensuring the authenticity of a software update. So in which scenario would a hash function be an appropriate choice for ensuring data integrity? And the answer is D. Obviously, it can be used in all of those in different ways, but the bottom line is, the most appropriate would be D: ensuring the authenticity of a software update. So, again, while hash functions verify the integrity, they do not authenticate the source. Digital signatures, which include hashing, should be used to ensure both integrity and authenticity of the software.

Last question, okay, the last question. Which trust model in PKI involves multiple certificate authorities sharing recognition of each other's certificates? Okay, in PKI, which involves multiple certificate authorities sharing certificates? How is that discovered? How is that dealt with? A, hierarchical trust model. B, the web of trust model. C, the cross-certification trust model. Or D, the bridge trust model. Okay, so if you didn't know, just think about that a little bit. If you have multiple certificates, what would it be? Cross-certification trust model, which would be the answer, would be C. In the cross-certification model, two or more CAs issue certificates that recognize and validate each other, allowing users in different PKI schemas to basically trust each other's certificates. Okay, that is all we have for today.
Head on over to CISSP Cyber Training. You've got all of this; the content is there. A lot of these videos will be out there on my blog. You'll have access to those, along with the transcripts. You have access to the questions. You'll be able to see those yourselves. You can listen to this podcast and have access to the questions.

If you want, you can purchase my products. My products have all of this information in them, to include all the videos and so forth. You also have the ability, depending on what package you purchase, to even get access directly to me to help you.

Now that my life has changed a little bit, I've got more time available for this. I'm going to be working again as a consultant, helping people protect what they've got that's most important, and really here to help you all with CISSP Cyber Training and, in the future, Reduce Cyber Risk.

All right, have a wonderful day, guys, and we will catch you on the flip side. See ya.
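The following Python script is an added example and is not part of the podcast or its transcript; it is editor-written code using only the standard library, and every file, key and name in it is constructed for illustration. It walks through the points behind questions 2, 3, 6 and 14 above: a SHA-256 digest has the same length whatever the input size, a CRC-32 reliably catches an accidental bit flip, but the same CRC-32 can be forced to match after deliberate tampering by appending four computed bytes (the reason a checksum is error detection, not security), and an unkeyed hash cannot authenticate a software update because whoever swaps the file can swap the published hash too. Because the standard library has no signature primitive, an HMAC with a vendor secret stands in for the digital signature a real update pipeline would use; the point it demonstrates (integrity bound to something the attacker lacks) carries over, but a production pipeline signs with an asymmetric key so verifiers never hold a secret.

```python
"""Added example (not from the podcast): checksum vs. cryptographic hash vs.
keyed integrity, standard library only. All inputs are constructed."""
import hashlib
import hmac
import zlib

# CRC-32 lookup table with the same reflected polynomial zlib.crc32 uses.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# Every table entry has a distinct top byte; that property is what lets an
# attacker compute a 4-byte fix-up, so CRC-32 is no defence against tampering.
TOP_INDEX = {CRC_TABLE[i] >> 24: i for i in range(256)}
assert len(TOP_INDEX) == 256


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after `data`
    want = target ^ 0xFFFFFFFF              # register value we must reach
    # Backward pass: recover the table index used in each of the last 4 steps.
    idx = []
    cur = want
    for _ in range(4):
        i = TOP_INDEX[cur >> 24]
        idx.append(i)
        cur = ((cur ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF
    idx.reverse()
    # Forward pass: choose each byte so the register takes that index.
    suffix = bytearray()
    for i in idx:
        suffix.append((state ^ i) & 0xFF)
        state = (state >> 8) ^ CRC_TABLE[i]
    return bytes(suffix)


def forge_ok(data: bytes, target: int) -> bool:
    """True when the forged suffix really yields the target CRC-32."""
    return zlib.crc32(data + forge_crc32_suffix(data, target)) == target


def digest_lengths(*inputs: bytes) -> set:
    """Set of SHA-256 hex-digest lengths over inputs of any size (always {64})."""
    return {len(hashlib.sha256(b).hexdigest()) for b in inputs}


def crc_catches_bit_flip(data: bytes, bit: int) -> bool:
    """A CRC always detects accidental corruption such as one flipped bit."""
    corrupted = bytearray(data)
    corrupted[bit // 8] ^= 1 << (bit % 8)
    return zlib.crc32(bytes(corrupted)) != zlib.crc32(data)


def tamper_keeping_crc(original: bytes, malicious: bytes) -> bytes:
    """Attacker's view: make a malicious payload carry the original's CRC-32."""
    return malicious + forge_crc32_suffix(malicious, zlib.crc32(original))


def hash_check(data: bytes, published_hex: str) -> bool:
    """Unkeyed integrity: whoever can swap the file can swap the hash as well."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), published_hex)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag; stand-in for a signature (assumption: shared vendor key)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_check(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)


def demo() -> dict:
    update = b"firmware v1.2: do_safe_thing()"      # constructed update image
    evil = b"firmware v1.2: do_evil_thing()"        # constructed tampered image
    forged = tamper_keeping_crc(update, evil)
    vendor_key = b"constructed-vendor-secret"       # stand-in for a signing key
    return {
        "fixed_length": digest_lengths(b"", update, b"x" * 100_000) == {64},
        "crc_catches_flip": crc_catches_bit_flip(update, 13),
        "crc_forged_matches": zlib.crc32(forged) == zlib.crc32(update),
        "sha256_still_differs": hashlib.sha256(forged).digest()
                                != hashlib.sha256(update).digest(),
        # Attacker replaces the file AND the published hash: check still passes.
        "hash_check_fooled": hash_check(evil, hashlib.sha256(evil).hexdigest()),
        # Without the vendor key the attacker cannot produce a valid tag.
        "keyed_check_holds": keyed_check(vendor_key, update, keyed_tag(vendor_key, update))
                             and not keyed_check(vendor_key, evil, keyed_tag(b"attacker", evil)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry `demo()` returns is True: the CRC-32 of the tampered image is made equal to the original's in four appended bytes while SHA-256 still differs, and the unkeyed hash check is satisfied by an attacker who controls both file and hash, which is exactly why question 14's answer points to signatures rather than a bare hash for authenticity.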