Assess Encryption And Data Protection Methods
Help Questions
CPA Information Systems and Controls (ISC)
A company uses TLS (Transport Layer Security) to protect data transmitted between its web application and users' browsers. This control primarily addresses which security concern?
A. Ensuring that the web application code is free from vulnerabilities.
B. Preventing unauthorized users from logging into the web application.
C. Protecting data in transit from interception and tampering by encrypting communications between the client and server.
D. Protecting data stored on the company's database servers from unauthorized access.
Explanation
TLS encrypts data as it travels across the network and adds an integrity check to every record, so a third party on the path can neither read the traffic (eavesdropping) nor alter it undetected (tampering, as in a man-in-the-middle attack). Answer C is correct. TLS does not secure the application code (A). It does not manage user login (B): it authenticates the server to the browser through the server's certificate, which is a different thing from authenticating the user. It does not protect data once it is stored on the database servers (D); that needs encryption at rest and access controls.
Which of the following correctly describes the primary difference between encryption and hashing?
A. Hashing protects data in transit while encryption protects data at rest.
B. Encryption is reversible with the appropriate key; hashing is a one-way function that cannot be reversed.
C. Hashing uses a key while encryption does not.
D. Encryption is faster than hashing and is therefore preferred for all data protection use cases.
Explanation
Encryption transforms data in a reversible way using a key; whoever holds the right key can decrypt and recover the original. Hashing produces a fixed-length digest from which the original cannot practically be recovered, which is why hashes are used for integrity checks and password storage rather than for data that must be read back. Answer B is correct. Both techniques can apply to data at rest or in transit (A). A plain hash such as SHA-256 uses no key at all, and a keyed hash (HMAC) uses its key to authenticate the input, not to make the digest reversible (C). Speed is not the defining difference and does not make encryption the right tool for every use case (D).
A company implements full-disk encryption on all employee laptops. This control primarily protects against which threat?
A. Unauthorized access to data if the laptop is lost or stolen.
B. Malware installed on the laptop through phishing emails.
C. Interception of data transmitted from the laptop to the internet.
D. Unauthorized remote access to the laptop over the network.
Explanation
Full-disk encryption protects data stored on the device from being read if the laptop is physically lost or stolen: without the encryption key, which is normally released only after pre-boot authentication (a passphrase, a TPM, or both), the disk contents are unreadable. Answer A is correct. The protection applies while the device is powered off or the volume is locked. Once a user has booted and unlocked the disk, the operating system decrypts transparently, so full-disk encryption does nothing against malware running on the laptop (B), interception of data in transit (C), or remote access attacks against the running system (D).
In asymmetric encryption, which key is used to encrypt data that only the intended recipient should be able to read?
A. A symmetric key generated for each session.
B. The sender's private key.
C. The recipient's public key.
D. The recipient's private key.
Explanation
To send a confidential message, the sender encrypts it with the recipient's public key, which can be published freely. Only the recipient, who holds the corresponding private key, can decrypt it. Answer C is correct. Using the sender's private key (B) is how a digital signature is made; a signature proves origin and integrity but keeps nothing secret, since anyone with the sender's public key can check it. The recipient's private key (D) is used to decrypt and must never leave the recipient. Per-session symmetric keys (A) describe hybrid encryption, where the public key is used to encrypt or agree a symmetric key that then encrypts the bulk data; the question asks about the asymmetric step itself.
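As an added illustration of this answer (example code written for this page, not part of the question bank), the following Go program uses the standard library's RSA support to show both operations side by side: encryption to the recipient's public key, which only the recipient's private key can open, and a signature made with the sender's private key, which anyone can verify but which keeps nothing secret. The party names, key size and sample message are assumptions made for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newKey makes a 2048-bit RSA key pair; PublicKey is the part a party hands out.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// encryptFor gives confidentiality: anyone can encrypt to the recipient's PUBLIC
// key, and only the matching private key can open the result.
func encryptFor(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// sign gives authenticity, not secrecy: the message travels in the clear and the
// signature is made with the SENDER's private key, so anyone holding the sender's
// public key can check it.
func sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, h[:], nil)
}

func verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], sig, nil) == nil
}

// demo runs both operations between Alice (sender), Bob (recipient) and Mallory
// (eavesdropper) and reports which expectations hold.
func demo() map[string]bool {
	alice, bob, mallory := newKey(), newKey(), newKey()
	msg := []byte("wire 10,000 to account 12345") // constructed sample message
	out := map[string]bool{}

	ct, err := encryptFor(&bob.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	pt, err := decryptWith(bob, ct)
	out["recipient decrypts with own private key"] = err == nil && string(pt) == string(msg)
	_, err = decryptWith(alice, ct)
	out["sender cannot decrypt what they sent"] = err != nil
	_, err = decryptWith(mallory, ct)
	out["eavesdropper cannot decrypt"] = err != nil

	sig, err := sign(alice, msg)
	if err != nil {
		panic(err)
	}
	out["signature verifies with sender public key"] = verify(&alice.PublicKey, msg, sig)
	out["signature fails with wrong public key"] = !verify(&mallory.PublicKey, msg, sig)
	out["signature fails on altered message"] = !verify(&alice.PublicKey, []byte("wire 90,000 to account 12345"), sig)
	return out
}

func main() {
	for check, ok := range demo() {
		fmt.Printf("%-45s %v\n", check, ok)
	}
}
```

Two details worth noticing: the sender cannot decrypt the ciphertext they just produced, because encryption used Bob's public key and only Bob's private key reverses it, and RSA-OAEP is randomized, so encrypting the same message twice gives different ciphertexts. In practice RSA is used to protect a symmetric session key rather than the message itself (the hybrid scheme mentioned in the explanation); the key-ownership rules shown here are the same either way.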
Data loss prevention (DLP) tools are primarily designed to:
A. Monitor, detect, and prevent the unauthorized transmission or exfiltration of sensitive data outside the organization.
B. Encrypt all data stored on employee workstations and servers.
C. Authenticate users before they access sensitive data systems.
D. Recover deleted or corrupted data from damaged storage media.
Explanation
DLP solutions inspect data in motion (email, web uploads), at rest (stored files), and in use (clipboard, USB) to identify sensitive content such as PII, payment card numbers, financial data, or intellectual property, using rules such as pattern matching with validation checks, keyword lists, and document fingerprinting, and then block, quarantine, or alert on unauthorized transfers. Answer A is correct. Encryption (B), authentication (C), and data recovery (D) are separate controls.
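An added example, not from the original page, of the content-inspection step a DLP engine performs on data in motion. This Go program scans a constructed set of outbound messages for payment card numbers and U.S. Social Security numbers, applies the Luhn check digit test to candidate card numbers so that ordinary 16-digit identifiers are not flagged, masks anything it finds before it is logged, and returns a block or allow decision. The patterns, sample messages and one-rule policy are assumptions made for the demo; a real DLP policy is broader and usually combines several detection methods.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// outbound is a constructed sample of messages as a DLP engine sees them on the
// email or web egress path. None of these are real records.
var outbound = []string{
	"Please charge card 4111 1111 1111 1111 for the remaining balance",
	"Your parcel's tracking number is 1234567890123456, expect it Monday",
	"Onboarding form for new hire, SSN 123-45-6789, start date 3 June",
	"Meeting moved to 3pm, see you in room 204",
}

var (
	panPattern = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`) // 13-19 digits, optional single separators
	ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
)

type finding struct {
	Kind   string // "PAN" or "SSN"
	Masked string // what goes into the alert; the raw value is never logged
}

// luhn is the check digit test every real card number passes. Applying it to regex
// hits removes most numeric false positives such as order or tracking numbers.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// scan inspects one message and returns the sensitive items it contains.
func scan(msg string) []finding {
	var out []finding
	for _, hit := range panPattern.FindAllString(msg, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(hit)
		if luhn(digits) {
			out = append(out, finding{Kind: "PAN", Masked: mask(digits)})
		}
	}
	for _, hit := range ssnPattern.FindAllString(msg, -1) {
		out = append(out, finding{Kind: "SSN", Masked: mask(strings.ReplaceAll(hit, "-", ""))})
	}
	return out
}

// decide is the policy step: any sensitive item blocks the transfer.
func decide(msg string) (string, []finding) {
	if f := scan(msg); len(f) > 0 {
		return "BLOCK", f
	}
	return "ALLOW", nil
}

func main() {
	for _, msg := range outbound {
		action, findings := decide(msg)
		fmt.Printf("%-5s %v  %q\n", action, findings, msg)
	}
}
```

The tracking number in the second message matches the card-number pattern but fails the Luhn check, so it is allowed through; without that validation step a DLP rule built on the regex alone would generate a false positive on every long numeric identifier.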
Which of the following represents a key management best practice?
A. Storing encryption keys in the same location as the encrypted data to simplify recovery.
B. Storing encryption keys separately from the encrypted data and rotating keys on a defined schedule.
C. Using the same encryption key for all systems and data types to simplify management.
D. Sharing encryption keys with all employees who might need access to encrypted data.
Explanation
Key management best practice requires storing keys separately from the encrypted data (an attacker who obtains both at once has the plaintext, so the encryption bought nothing), rotating keys on a defined schedule to limit how much data any one key protects and how long a leaked key stays useful, and controlling key access tightly, typically through a key management service or HSM that performs operations without exposing key material. Answer B is correct. Storing keys with the data (A) undermines the encryption. Using one key everywhere (C) means a single compromise exposes all data and makes rotation an all-or-nothing event. Broad key sharing (D) eliminates access control and accountability.
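The two points above, that encryption is reversible only with the right key (the hashing question earlier on this page) and that keys should live apart from the data and be rotated on a schedule, as one added Go example written for this page rather than taken from it. The keyring type is a hypothetical in-memory stand-in for a KMS or HSM; the key ids, the sample record and the rotation sequence are assumptions made for the demo. Each stored envelope carries the id of the key that protects it, which is what makes rotation possible without a flag day.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// digest is a plain hash: no key, one-way, the same input always gives the same output.
func digest(data []byte) string {
	h := sha256.Sum256(data)
	return hex.EncodeToString(h[:])
}
// mac is a keyed hash (HMAC): the key authenticates the data, the result is still one-way.
func mac(key, data []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return hex.EncodeToString(m.Sum(nil))
}
// keyring stands in for a KMS/HSM that lives apart from the data store. Keys are
// named so that each ciphertext can record which key protects it.
type keyring struct {
	keys   map[string][]byte
	active string
}
func newKeyring() *keyring { return &keyring{keys: map[string][]byte{}} }
// rotate adds a fresh 256-bit AES key and makes it the key for all new data; the
// previous key stays available until its ciphertexts have been re-encrypted.
func (k *keyring) rotate(id string) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	k.keys[id] = key
	k.active = id
}
func (k *keyring) retire(id string) { delete(k.keys, id) }
// envelope is what sits next to the data: key id, nonce and ciphertext, never the key.
type envelope struct {
	KeyID     string
	Nonce, CT []byte
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// encrypt seals plaintext under the active key. The key id goes in as associated
// data, so an envelope cannot be relabelled to another key without detection.
func (k *keyring) encrypt(plain []byte) (envelope, error) {
	gcm, err := gcmFor(k.keys[k.active])
	if err != nil {
		return envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return envelope{}, err
	}
	return envelope{k.active, nonce, gcm.Seal(nil, nonce, plain, []byte(k.active))}, nil
}
func (k *keyring) decrypt(e envelope) ([]byte, error) {
	key, ok := k.keys[e.KeyID]
	if !ok {
		return nil, errors.New("key " + e.KeyID + " is not in the keyring")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.CT, []byte(e.KeyID))
}
// reencrypt is the rotation follow-up: open under the old key, seal under the
// active one; once every envelope has moved, the old key can be retired.
func (k *keyring) reencrypt(e envelope) (envelope, error) {
	plain, err := k.decrypt(e)
	if err != nil {
		return envelope{}, err
	}
	return k.encrypt(plain)
}

func main() {
	kr := newKeyring()
	kr.rotate("key-2024-01")
	env, _ := kr.encrypt([]byte("ssn=123-45-6789")) // constructed sample record
	kr.rotate("key-2024-07")                         // scheduled rotation: new data uses the new key
	env2, _ := kr.reencrypt(env)
	kr.retire("key-2024-01")
	_, errOld := kr.decrypt(env)
	pt, _ := kr.decrypt(env2)
	fmt.Printf("old envelope: %v\nre-encrypted under %s: %q\nsha256 %s.. hmac %s..\n",
		errOld, env2.KeyID, pt, digest(pt)[:16], mac([]byte("k1"), pt)[:16])
}
```

The contrast with hashing is in the first two functions: digest and mac have no decrypt counterpart at all, while encrypt has decrypt, but only for a caller that can reach the keyring. Retiring the old key is also what turns encryption into a deletion tool: once "key-2024-01" is gone, every envelope still labelled with it is unrecoverable, which is why the re-encryption pass has to finish first.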
A Certificate Authority (CA) in a PKI system is responsible for:
A. Generating symmetric encryption keys for each secure communication session.
B. Storing encrypted copies of all private keys issued to users.
C. Monitoring network traffic for unauthorized use of digital certificates.
D. Issuing, validating, and revoking digital certificates that bind public keys to verified identities.
Explanation
A CA is the trusted third party that issues a digital certificate after verifying that the applicant controls the identity (for example, a domain name) named in it, and that publishes revocation status through certificate revocation lists (CRLs) or OCSP so that relying parties can reject a certificate whose key has been compromised before the certificate expires. Answer D is correct. CAs do not generate session keys (A); those are negotiated by the communicating parties. They do not hold subscribers' private keys (B); the key pair is generated by the subscriber and only the public key goes into the certificate. They do not monitor network traffic (C).
Tokenization as a data protection technique differs from encryption in that:
A. Tokenization replaces sensitive data with a non-sensitive placeholder (token) with no mathematical relationship to the original data, requiring a secure token vault to retrieve the original.
B. Tokenization uses stronger mathematical algorithms than encryption.
C. Tokenization can only be applied to numeric data fields such as credit card numbers.
D. Tokenization is reversible using publicly available tools without a key.
Explanation
Tokenization substitutes a sensitive value with a randomly generated token and records the mapping in a separate, tightly controlled vault; unlike encryption, there is no key or algorithm that turns the token back into the original, so a system that holds only tokens holds nothing an attacker can reverse. Answer A is correct. Tokenization is not mathematically stronger or weaker than encryption (B); it is a different technique with a different trust boundary, the vault rather than a key. It applies to various data types, not only numbers (C). Reversal requires access to the vault, not a public tool (D).
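A minimal token vault as an added example, written for this page and not part of the original. The Go program below replaces a card number with a random, format-preserving token (same length, digits only, last four digits kept so receipts can still show "ending in 1111"), stores the mapping in a vault, and exposes the privileged reverse lookup separately. The in-memory vault, the token format and the test card number are assumptions made for the demo; a production vault is a separately secured, audited service whose own storage is encrypted.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// vault is the only place where token -> value mappings exist. This is an
// in-memory stand-in for the separately secured service used in practice.
type vault struct {
	mu      sync.Mutex
	byToken map[string]string
	byValue map[string]string // same input always yields the same token
}

func newVault() *vault {
	return &vault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// randomDigits draws n decimal digits from the CSPRNG. Nothing in the result
// depends on the value being tokenized, which is the whole point.
func randomDigits(n int) (string, error) {
	b := make([]byte, n)
	for i := range b {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		b[i] = byte('0' + d.Int64())
	}
	return string(b), nil
}

// tokenize swaps a card number for a format-preserving token. There is no key;
// the only way back is the vault lookup in detokenize.
func (v *vault) tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("value is not a card number")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if t, ok := v.byValue[pan]; ok {
		return t, nil
	}
	for {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		t := prefix + pan[len(pan)-4:]
		if _, taken := v.byToken[t]; taken || t == pan {
			continue // collision with an existing token, or identical to the input: draw again
		}
		v.byToken[t] = pan
		v.byValue[pan] = t
		return t, nil
	}
}

// detokenize is the privileged operation; only systems that genuinely need the
// card number (payment settlement, not the web or reporting tier) get vault access.
func (v *vault) detokenize(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	v := newVault()
	pan := "4111111111111111" // well-known test card number, not a real account
	tok, err := v.tokenize(pan)
	if err != nil {
		panic(err)
	}
	back, _ := v.detokenize(tok)
	fmt.Printf("stored in the order database: %s (maps back to the card: %v)\n", tok, back == pan)
}
```

Because the token is drawn at random, compromising the database that stores tokens yields nothing, and no amount of computation recovers the card number; the security of the scheme rests entirely on who can call detokenize. Products that tokenize card numbers commonly also make sure the token fails the Luhn check so it cannot be mistaken for a live card downstream.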
Which of the following correctly describes a 'man-in-the-middle' attack and the encryption control that most directly prevents it?
A. An attacker installs malware on a target system; endpoint encryption prevents this by protecting stored data.
B. An attacker intercepts communications between two parties; digital certificates and TLS mutual authentication prevent this by verifying the identity of communicating parties.
C. An attacker guesses encryption keys through brute force; longer key lengths prevent this by increasing computational complexity.
D. An attacker steals a private key; certificate revocation prevents this by invalidating the stolen key.
Explanation
A man-in-the-middle (MITM) attack places the attacker between two parties so that each side unknowingly talks to the attacker, who can read and alter the traffic. TLS defeats this with certificate-based authentication: the client verifies that the server's certificate chains to a trusted CA and names the host it meant to reach, so an attacker who cannot obtain such a certificate cannot impersonate the server; mutual TLS extends the same check to the client. A client configured to skip certificate verification loses this protection even though the connection is still encrypted. Answer B is correct. Malware (A) is an endpoint threat. Brute-force key guessing (C) is a separate attack. Key theft and revocation (D) describe a different scenario.
Which of the following represents the most significant risk of using outdated or weak encryption algorithms (such as DES or RC4)?
A. Outdated algorithms require more processing power, slowing down systems.
B. Outdated algorithms are not compatible with modern operating systems.
C. Regulatory agencies may assess fines for using non-standard encryption, regardless of actual security impact.
D. Advances in computing power make weak algorithms vulnerable to brute-force or known attacks, potentially exposing encrypted data.
Explanation
Weak algorithms have either insufficient key lengths or known design flaws: DES uses a 56-bit key, which modern hardware can brute-force, and RC4 produces biased keystream that lets an attacker recover plaintext from enough encrypted traffic no matter how long the key is. Either way, data protected by them can be recovered by attackers, and traffic captured today can be decrypted later. Answer D is correct. Performance (A) is a secondary concern. Compatibility (B) may be an issue but is not the primary risk. Regulatory fines (C) may follow, but they are a consequence of the security risk, not the risk itself.
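As an added example covering the TLS, certificate authority, man-in-the-middle and weak-algorithm questions above (written for this page; it is not the question bank's code), the following Go program builds a toy CA, issues a server certificate, and runs three real TLS handshakes over loopback: a client that trusts the CA accepts the legitimate server; the same client rejects a certificate for the same host name issued by a rogue CA, which is the position an attacker in the middle is in; and a client configured with InsecureSkipVerify accepts the impostor, showing how that one setting undoes the protection. The CA names, the host name app.example.com and the toy CA itself are assumptions made for the demo. Setting MinVersion to TLS 1.2 on both sides is what keeps TLS 1.0 and 1.1, and with them the RC4 and 3DES cipher suites, off the wire; TLS 1.3 defines no such suites at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) { if err != nil { panic(err) } }
// ca is a toy certificate authority: a self-signed root plus its signing key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}
// template is a root template when isCA is set, otherwise a server leaf for name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the SAN the client matches ServerName against
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}
func newCA(name string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := template(name, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &ca{cert: cert, key: key}
}
// issue binds a DNS name to a fresh key pair and signs that binding with the CA key.
func (c *ca) issue(dnsName string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	der, err := x509.CreateCertificate(rand.Reader, template(dnsName, false), c.cert, &key.PublicKey, c.key)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// handshake serves one TLS connection on loopback with serverCert and returns the
// client-side handshake error; nil means the client accepted the server's identity.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12})
		s.Handshake() // the outcome is observed on the client side
		s.Close()
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		conn.Close()
	}
	return err
}
// isUnknownAuthority matches the failure an impostor's certificate produces: no chain to a trusted root.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}
// demo returns the client-side result for a certificate from the trusted CA, for one
// from a rogue CA, and for the rogue one against a client that skips verification.
func demo() (legit, impostor, insecure error) {
	const host = "app.example.com" // hypothetical host name
	trusted, rogue := newCA("Example Trusted Root"), newCA("Rogue CA")
	roots := x509.NewCertPool()
	roots.AddCert(trusted.cert)
	strict := &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
	lax := &tls.Config{ServerName: host, InsecureSkipVerify: true} // the setting that lets a MITM through
	return handshake(trusted.issue(host), strict), handshake(rogue.issue(host), strict), handshake(rogue.issue(host), lax)
}

func main() { fmt.Println(demo()) }
```

The rogue CA's certificate is technically perfect: valid dates, correct host name in the SAN, a sound signature. It is rejected only because the client's trust store does not contain that CA, which is the entire mechanism the CA question describes. The third handshake succeeds with the same impostor certificate because InsecureSkipVerify disables that check; code review and TLS configuration audits look for exactly this flag (and its equivalents in other stacks) for that reason.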