2. Which of the following IT platforms most often face a single point-of-failure situation?

a. Desktop computers

b. Local-area networks

c. Servers

d. Websites

2. b. A local-area network (LAN) is owned by a single organization; it can be as small as two PCs attached to a single hub, or it may support hundreds of users and multiple servers. LANs are subject to single points of failure due to threats to the cabling system, such as cable cuts, electromagnetic and radio frequency interference, and damage resulting from fire, water, and other hazards. As a result, redundant cables may be installed when appropriate. Desktop computers, servers, and websites do not face single point-of-failure problems as LANs do, but they have problems in backing up data and storing the data at an offsite location. The other three choices need data backup policies, load balancing procedures, and incident response procedures.

3. Which of the following security principles does not work effectively?

a. Security-by-rules

b. Security-by-obscurity

c. Deny-by-default

d. Data-by-hiding

3. b. Security-by-obscurity is a countermeasure principle that does not work effectively in practice because attackers can compromise the security of any system at any time. This means that trying to keep something secret when it is not does more harm than good.

The other three choices work effectively. Security-by-rules and data-by-hiding are commonly accepted security principles. Deny-by-default is blocking all inbound and outbound traffic that has not been expressly permitted by firewall policy.

4. Which of the following provides key cache management to protect keys used in encrypted file system (EFS)?

a. Trusted computer system

b. Trusted platform module chip

c. Trusted computing base

d. Trusted operating system

4. b. The trusted platform module (TPM) chip, through its key cache management, offers a format for protecting keys used in encrypted file system (EFS). The TPM chip, which is a specification, provides secure storage of keys on computers. The other three choices do not provide key cache management.

5. In the encrypted file system (EFS) environment, which of the following is used to secure the storage of key encryption keys on the hard drive?

a. Trusted computer system

b. Trusted platform module chip

c. Trusted computing base

d. Trusted operating system

5. b. With the trusted platform module (TPM) chip, the key encryption keys are securely stored on the chip itself. The key encryption key is also used to decrypt each file encryption key. The other three choices do not provide secure storage of the key encryption key.

6. Which of the following provides additional security for storing symmetric keys used in file encryption to prevent offline exhaustion attacks?

a. Encrypt the split keys using a strong password.

b. Store the random keys on the computer itself or on the hardware token.

c. After a key split, store one key component on the computer itself.

d. After a key split, store the other key component on the hardware token.

6. a. When a key is split between the hardware token and the computer, an attacker needs to recover both pieces of hardware to recover (decrypt) the key. Additional security is provided by encrypting the key splits using a strong password to prevent offline exhaustion attacks.

7. Which of the following storage methods for file encryption system (FES) is the least expensive solution?

a. Public key cryptography standard

b. Key encryption key

c. Hardware token

d. Asymmetric user owned private key

7. a. The file encryption system (FES) uses a single symmetric key to encrypt every file on the system. This single key is generated using the public key cryptography standard (PKCS) from a user’s password; hence it is the least expensive solution. The key encryption key is a relatively new technology in which keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user-owned private key utilizes per-file encryption keys, which are encrypted under the file owner’s asymmetric private key. It requires either a user password or a user token.
