Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training and I hope you guys are all having a wonderful day today. Today is CISSP Exam Question Thursday.
So yes, today we're going to go over CISSP exam questions from the previous podcast. This is the Thursday follow-up to the podcast we have on Monday, and these are the specific kinds of questions you may see on the CISSP exam.

Again, as I've stressed multiple times before, these are not word-for-word questions that you will see on the CISSP. They are similar to questions you might see on the exam, but the ultimate goal of these questions is not to teach you the test. It's to teach you the overall concept so that you understand what a question is actually asking of you. They are not designed to say, hey, if you know this question, you will pass the exam. No, they are not designed for that at all. They are designed to give you a good understanding of what you can anticipate and what you might see on the exam.

So this is Question Thursday, and we're going to go over 15 questions covering the last podcast, which focused on cryptography. But before we get started, I want to talk about an article I saw that relates to the topic we're dealing with, cryptography.
Security Intelligence has a blog post out there, the CISO's Guide to Accelerating Quantum Safe Readiness, and it's a great article around quantum and what you should be doing and looking at as a security professional.

I don't know if you're all aware, but there's been a lot of hubbub out there that quantum will have both promises and challenges as it relates to encryption. Many people feel that there is a risk to the public key encryption that's out there and available, and they feel it's the "store it for later" kind of concept. I've heard this: because they don't have the ability to crack the hashing algorithms at this point, bad guys or gals can steal all the content, store it for later, and then use quantum to crack the code and break the encryption that's tied to it.

They're saying that future cryptography events, obviously quantum, might be able to break the public key algorithms we talked about, Rivest-Shamir-Adleman (RSA) and also the elliptic curve and Diffie-Hellman options that are available out there, and it potentially could leave that data able to be decrypted. They have a concept called harvest now, decrypt later. Yeah, I probably butchered that at the beginning, but basically you take it now, you steal it now, and you decrypt it later. I'm aware that the NSA has done this, and I believe other government entities are probably doing this as well, because over the years they've been able to get gobs of data from each other's countries. It's encrypted, but rather than trying to brute force it now, they store it for later, with the goal that once the encryption keys are crackable they'll be able to go and get access to it.
So what a CISO and a security professional should do is, one, understand what cryptography is within your environment, then observe the cryptography, and then transform the cryptography.

When they talk about discovering it, you need to understand where it all resides within your organization, and they talk about having a cryptography bill of materials, your CBOM. I know BOM; I hear people talk about a bill of materials a lot. They're talking about understanding the overall cryptography within your environment so that you know where it's at. This would include the parts that are embedded within your organization and also third-party products that might be doing that same type of thing: those used to create and validate digital signatures, how applications are using crypto, all of that. You should be able to have some level of understanding of it.

The next part is observing it and knowing how it's working within your organization. As we talked about in the last podcast, take an IPsec tunnel between two endpoints. You would need to observe how it's being used. So, one, you would know that you have these IPsec tunnels in place. Two, you'd observe how they're being used and what data is transferring between them. The ultimate goal is to ensure that you understand it, so that when they do this harvest now, decrypt later, you know which data is potentially encrypted and what they could be stealing from you.
I've had it happen to me as a CISO, many years ago, where data was stolen from us, and in that case you just assume that all of that data is encrypted. When it's encrypted, the goal is that it won't be able to be reestablished, right? In a previous life with the military, I had seen data that had been stolen, and once they have it, you ask: will they be able to decrypt it? The hope is that they won't. But yeah, we'll see how that plays out in the future.

I know MIT came up with new quantum crypto guidelines on how you should work to make your environment more quantum protected, and I would recommend you go check that out as well. I've just looked at it; I haven't actually dug deep into it myself, but it would help your organization understand how to ensure you have some level of quantum-safe solutions in place as we go into the future. Because it's a matter of time, especially, as we talked about in the last podcast, with some of these older systems like DES, for example. It's got 56-bit encryption, which can already be cracked now, but now you throw quantum into the mix and all of those things can be cracked relatively quickly. I know the key pair that MIT is recommending, I believe, is 2048, versus when we talked about SHA-256. They feel confident that quantum will have the ability to wreak havoc on these lower-bit encryption technologies.

So then, to transform it: once you transform, you want to build out quantum-safe solutions, and it's important that you think about this from a long-term perspective. How would you do that? You have time right now, but now is the time, as a security professional, to start considering how quantum is going to play a factor within your organization.

All right, so let's get into the CISSP questions we have planned for today.

Question one: which symmetric key encryption algorithm is currently considered the gold standard for applications? A, DES. B, Triple DES. C, Blowfish. D, AES. Okay, so what is the gold standard? DES, Triple DES, Blowfish or AES? And the answer is D, AES. AES offers the robust security and efficient performance that you're looking for as it relates to various aspects of security, and this is one that would be highly recommended.
Question two: which hashing algorithm is considered insecure due to collision vulnerabilities? A, SHA-256. B, MD5. C, both SHA and MD5. D, neither SHA nor MD5. And the answer is B, MD5. MD5 suffers from weaknesses that allow attackers to create colliding message pairs, thus compromising the integrity of its verification abilities. SHA-256 does remain secure and therefore is recommended for hashing.

Question three: what key size does RSA commonly use for encryption? A, 128 bits. B, 256 bits. C, varies depending upon the application. D, RSA is not typically used for encryption. Which key size does RSA commonly use for encryption? That's the question, and the answer is D, RSA is not typically used for encryption. It employs key sizes of 2048 bits or higher for stronger encryption, and it is capable of encryption, but technically it's commonly used for key exchange and digital signatures, so it is not typically used for encryption.

Question four: what type of cryptographic algorithm is best suited for securing communications on resource-constrained devices such as wearables?
Again, if you're looking at a wearable, obviously that's like an IoT device, you'd want something with a low key size, right? A reduced number of bits. I can't even say it, but you want fewer bits when you're dealing with a wearable. A, AES. B, RSA. C, ECC. D, 3DES. Again, which algorithm is best suited for securing communications on resource-constrained devices such as wearables? That would be ECC. It offers comparable security to RSA but with a smaller key size, making it much more efficient for these smaller types of devices.

Question five: which protocol allows secure key exchange over an insecure channel without pre-shared secrets? A, AES. B, Diffie-Hellman. C, Digital Signature Algorithm. D, ElGamal. Which protocol allows secure key exchange over an insecure channel without a pre-shared secret? And the answer is B. Diffie-Hellman enables two parties to establish a shared secret key even if their communication is intercepted, making it crucial for secure communication protocols such as TLS and SSH.

Question six: which advantage does asymmetric cryptography offer over symmetric cryptography? A, faster encryption and decryption speeds. B, non-repudiation and digital signatures. C, smaller key sizes. D, more readily available hardware acceleration. Which advantage does asymmetric cryptography have over symmetric? And the answer is B, non-repudiation and digital signatures.
Asymmetric cryptography allows digital signatures, ensuring non-repudiation, obviously proof of ownership, which is not achievable with symmetric algorithms.

Question seven: which of the following is a common application of hashing algorithms? A, password storage. B, software download integrity verification. C, data encryption. D, blockchain technology. And the answer is B, software download integrity verification. So when you're doing integrity verification of downloads, a hashing algorithm is typically used. Why? Because you want to ensure that what is downloaded is actually what you're getting. You'll see it often when you go to do a download: you'll have the hash off to the side, and then you can compare hashes on what you're downloading to ensure that you're getting what you want.

Question eight: which algorithm is most vulnerable to brute force attacks due to its small key size? A, AES-256. B, SHA-512. C, ECC. D, DES. And that is DES. DES uses a 56-bit key, making it susceptible to being cracked by various attackers. So that's why you want to use stronger algorithms such as AES and SHA.

Question nine: which potential drawback does the key exchange in asymmetric cryptography have compared to symmetric cryptography? A, lower performance due to complex calculations. B, susceptibility to man-in-the-middle attacks. C, increased key management complexity. D, all of the above. And the answer is D, all of the above. Asymmetric cryptography can be slower than symmetric due to intricate mathematical operations. It also requires careful management of public and private keys, increasing its complexity.

Question 10: why is using a combination of different cryptographic algorithms recommended for secure systems? A, to avoid vendor lock-in.
B, to leverage the strengths of each algorithm for specific tasks. C, to comply with industry regulations. D, to make system debugging easier. Why is a combination of different cryptographic algorithms recommended in secure systems? The answer would be B, to leverage the strengths of each algorithm for the specific tasks at hand. So if you're dealing with RSA, AES and SHA-256, each of those will have different uses within your organization, and therefore they can be used in a layered approach.

Question 11: which organization publishes recommendations for secure cryptography use in the industry? A, FBI. B, NIST. C, (ISC)², CISSP. D, NSA. And the answer is B, NIST. Obviously the National Institute of Standards and Technology does publish special publications, such as SP-857, which provides guidance on cryptographic algorithms and their potential applications.

Question 12: what is the primary purpose of a digital signature in the context of cryptography? A, to encrypt data for secure storage. B, to guarantee data confidentiality. C, to ensure data integrity and non-repudiation. D, to compress data for efficient transmission. And the answer is C, to ensure data integrity and non-repudiation. Digital signatures primarily offer data integrity and non-repudiation. By binding the message to the sender's private key, anyone can verify the message hasn't been tampered with and identify its origin. This is all through the public key infrastructure, PKI.

Question 13: when choosing a cryptographic algorithm for an application, what factors should be considered? A, cost of implementation. B, vendor support and availability. C, security strength and maturity of the algorithm. Again, the question is, when choosing a cryptographic algorithm for an application, what factors should be considered? And the answer is D, all of the above. I don't think I forgot to mention that one.
It's all of the above: cost of implementation, vendor support and availability, and security strength and maturity of the algorithm. All of those should be considered as factors.

Question 14: what best practice should be followed to secure cryptographic keys in an environment? A, store the keys in plain text for easy access. B, use the same key for multiple purposes. C, implement strong key generation, storage and rotation mechanisms. D, rely solely on software-based key management. What best practice should be followed to secure cryptographic keys in your environment? And the answer is C, implement strong key generation, storage and rotation mechanisms. You want to have all of that in place when you're dealing with keys, and that's really a big factor. As soon as you possibly can, if you have some level of password management and you have keys in your environment, you want to look at rotating them as much as you possibly can, within practical limits, right? You want to make sure that you're not just creating more work for yourself, but key rotation is an important factor in security.

Question 15: which statement is true regarding forward secrecy in cryptography? So, basically, what does forward secrecy do? A, it guarantees complete protection against decryption, even with compromised keys. B, it ensures past sessions cannot be decrypted if future session keys are compromised. C, it provides perfect security against all cryptographic attacks. D, it is not relevant for modern secure communication protocols. So which statement is true regarding forward secrecy in cryptography, and what is forward secrecy? Well, basically, forward secrecy ensures past sessions cannot be decrypted if future session keys are compromised. That's the ultimate goal: it's mitigating damage from key exposure. Now, it's obviously not going to fix everything 100%, but it will allow you to have some level of protection.

And again, all this comes down to layering it, right? You cannot guarantee that one thing is going to fix everything. You have to ensure that you have layers in place so your protection is adequate.

Okay, that's all I've got for you today. Again, this was CISSP Question Thursday. Head on over to CISSPCyberTraining.com.
Check out some of the great products I've got there. I've got some awesome stuff to help you pass the CISSP exam the first time. I had another one come in today: an individual just passed their CISSP and they're on their way to doing what they want to do. So life is good. I've got a mentoring and coaching program as well, and it's available for you. If you don't know what you want to do with your life as far as cybersecurity and how to make the next step, check out my mentoring program. It is amazing. I say that not because I'm amazing, no, I'm not amazing at all, but because the one thing I struggled with when it came to the CISSP, and even cybersecurity in general, is I didn't know what to do. I didn't know what my best career path was. I'll tell you that I've done it. I haven't done it all, but I've done a lot of different things in security, and I can give you some guidance and direction around that. So go check out my mentoring program. It's definitely well worth it. You get all of my CISSP training, plus you get access directly to me, and I will set aside time specifically for you, and we will have conversations and make sure that we get you on the right path for success. All right, I hope you have a wonderful day, and we will catch you on the flip side. See ya.
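An added example, not part of the podcast or its host's material: the harvest now, decrypt later threat from the article discussion, the Diffie-Hellman exchange of question five and the forward secrecy of question 15, simulated in Python with only the standard library. An eavesdropper records every exchange, later steals Alice's long-term private exponent, and re-runs the key derivation. The 64-bit safe-prime group, the seed 2024, the three-session runs and every function name are assumptions constructed for this demonstration; a real deployment would use an RFC 7919 group or X25519 and would authenticate the ephemeral values with the long-term key.

```python
import hashlib
import random
import secrets

MR_ROUNDS = 24

def is_probable_prime(n, rng):
    """Miller-Rabin with MR_ROUNDS random bases (adequate for a demo group)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(MR_ROUNDS):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_safe_prime_group(bits, seed):
    """Deterministically find p = 2q + 1 with p, q prime; g = 4 is a quadratic
    residue, so it generates the order-q subgroup. Toy size, constructed for the
    example: real code uses RFC 7919 groups or X25519 with the same protocol logic."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4

P, Q, G = make_safe_prime_group(64, seed=2024)  # assumed demo parameters
KEY_BYTES = (P.bit_length() + 7) // 8

def dh_keypair():
    """Private exponent in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def wire(*values):
    """Public values as they cross the network (and land in a recording)."""
    return b"".join(v.to_bytes(KEY_BYTES, "big") for v in values)

def session_key(shared_secret, transcript):
    """KDF: hash the DH shared secret together with the public transcript."""
    return hashlib.sha256(wire(shared_secret) + transcript).digest()

def run_static_dh(alice_lt, bob_lt, n_sessions):
    """Both sides reuse long-term DH keys every session: no forward secrecy."""
    a, pub_a = alice_lt
    b, pub_b = bob_lt
    keys, recording = [], []
    for _ in range(n_sessions):
        transcript = wire(pub_a, pub_b) + secrets.token_bytes(16)  # all public
        k = session_key(pow(pub_b, a, P), transcript)
        assert k == session_key(pow(pub_a, b, P), transcript)  # Bob agrees
        keys.append(k)
        recording.append((pub_b, transcript))  # what an eavesdropper harvests
    return keys, recording

def run_ephemeral_dh(n_sessions):
    """Fresh exponents per session, discarded afterwards: forward secrecy.
    (Signing X and Y with a long-term key to authenticate them is omitted.)"""
    keys, recording = [], []
    for _ in range(n_sessions):
        x, pub_x = dh_keypair()
        y, pub_y = dh_keypair()
        transcript = wire(pub_x, pub_y)
        k = session_key(pow(pub_y, x, P), transcript)
        assert k == session_key(pow(pub_x, y, P), transcript)
        keys.append(k)
        recording.append((pub_y, transcript))
        del x, y  # the exponents no longer exist anywhere to be stolen
    return keys, recording

def decrypt_later(recording, stolen_exponent):
    """Harvest now, decrypt later: the adversary later obtains Alice's long-term
    private exponent and re-runs the key derivation over its recordings."""
    return [session_key(pow(peer_pub, stolen_exponent, P), transcript)
            for peer_pub, transcript in recording]

def demo(n_sessions=3):
    """True means every harvested session key was recovered from the stolen key."""
    alice_lt, bob_lt = dh_keypair(), dh_keypair()
    static_keys, static_rec = run_static_dh(alice_lt, bob_lt, n_sessions)
    eph_keys, eph_rec = run_ephemeral_dh(n_sessions)
    stolen = alice_lt[0]
    return {
        "static_dh_recovered": decrypt_later(static_rec, stolen) == static_keys,
        "ephemeral_dh_recovered": decrypt_later(eph_rec, stolen) == eph_keys,
    }
```

Calling `demo()` returns `static_dh_recovered` as True and `ephemeral_dh_recovered` as False: once the long-term exponent leaks, every recorded static-key session opens up, while the ephemeral sessions stay sealed because the exponents that derived them were thrown away. That is the distinction behind answer B in question 15, and it is why the harvest now, decrypt later adversary cares so much about which kind of exchange was in use. The group is kept small so the script runs instantly; it is not a secure parameter set.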