ISC CISSP Certified Information Systems Security Professional Exam Dumps and Practice Test Questions Set 10 Q181-200

Visit here for our full ISC CISSP exam dumps and practice test questions.

Question 181:

Under Domain 1, what is the main objective of adopting a Zero Trust architecture?

A) To eliminate network encryption needs
B) To assume breach and continuously verify all access requests regardless of origin
C) To trust internal users implicitly
D) To bypass authentication for local resources

Answer: B) To assume breach and continuously verify all access requests regardless of origin.

Explanation:

Zero Trust assumes no implicit trust based on network location. Continuous verification, micro-segmentation, and least privilege ensure secure access across hybrid environments.

Question 182:

Under Domain 2, what is a key security consideration when using cloud storage for sensitive data?

A) Reducing encryption strength to improve performance
B) Using strong client-side encryption before uploading data
C) Disabling authentication for convenience
D) Sharing access keys among teams

Answer: B) Using strong client-side encryption before uploading data.

Explanation:

Encrypting data locally before transmission ensures cloud providers cannot access plaintext, supporting confidentiality and regulatory compliance.

Question 183:

Under Domain 3, which cryptographic algorithm is most vulnerable to quantum computing attacks?

A) AES
B) SHA-3
C) RSA
D) ChaCha20

Answer: C) RSA.

Explanation:

Quantum algorithms such as Shor’s algorithm can efficiently factor large integers, undermining RSA and other public-key cryptosystems relying on prime factorization.

Question 184:

Under Domain 4, what is the main purpose of implementing micro-segmentation in a cloud environment?

A) To reduce storage redundancy
B) To restrict lateral movement between workloads
C) To improve DNS resolution
D) To enhance virtualization speed

Answer: B) To restrict lateral movement between workloads.

Explanation:

Micro-segmentation divides cloud networks into isolated zones, ensuring even if one workload is compromised, others remain protected through granular policy enforcement.

Question 185:

Under Domain 5, which authentication factor does a biometric fingerprint scanner represent?

A) Something you have
B) Something you know
C) Something you are
D) Somewhere you are

Answer: C) Something you are.

Explanation:

Biometrics like fingerprints, facial recognition, or iris scans identify users based on inherent physical characteristics unique to each individual.

Question 186:

Under Domain 6, what is the primary difference between vulnerability management and patch management?

A) Patch management identifies threats; vulnerability management deploys updates
B) Vulnerability management identifies and prioritizes risks; patch management implements fixes
C) Both terms are interchangeable
D) Patch management is only for hardware

Answer: B) Vulnerability management identifies and prioritizes risks; patch management implements fixes.

Explanation:

Vulnerability management is a broader process that includes detection, analysis, prioritization, and remediation, while patch management focuses specifically on deploying updates to resolve vulnerabilities.

Question 187:

Under Domain 7, what is the function of a continuity of operations plan (COOP)?

A) To recover IT systems only
B) To ensure essential business functions continue under all circumstances
C) To document daily system backups
D) To define software testing procedures

Answer: B) To ensure essential business functions continue under all circumstances.

Explanation:

A COOP ensures mission-critical operations persist through disruptions by defining alternate processes, resource reallocation, and continuity measures.

Question 188:

Under Domain 8, which secure software development practice helps identify vulnerabilities by executing the application in real time?

A) Static testing
B) Dynamic analysis
C) Code review
D) Configuration management

Answer: B) Dynamic analysis.

Explanation:

Dynamic analysis is a software testing methodology used to evaluate the behavior of an application during execution. The correct answer to the question is option B: dynamic analysis. This approach focuses on identifying vulnerabilities, errors, or performance issues while the program is running, providing insight into how the system behaves in a live environment. Understanding why dynamic analysis is the correct choice requires examining each of the four options in detail.

A) Static testing
Static testing, also known as static analysis, examines code, documentation, or design without executing the program. It identifies potential issues such as coding errors, syntax violations, or security vulnerabilities early in the development lifecycle. Static testing is valuable for preventing problems before the application is run, but it cannot detect runtime behaviors such as memory leaks, race conditions, or real-time input validation failures. While useful for early detection, static testing does not provide the dynamic insights that running the application offers.

B) Dynamic analysis
This is the correct answer. Dynamic analysis involves executing the software and monitoring its behavior in real-time. It can identify vulnerabilities such as buffer overflows, SQL injection, cross-site scripting, and other runtime issues that may not be apparent through static analysis alone. Dynamic analysis tools simulate attacks, monitor memory usage, and observe system interactions under different conditions, enabling developers and security professionals to detect issues that could be exploited in production. Unlike static testing, which analyzes code in isolation, dynamic analysis evaluates the interaction between the code, operating environment, and external inputs. This makes it particularly effective for uncovering complex runtime vulnerabilities and understanding the actual impact of potential threats.

C) Code review
Code review is a manual or automated process where developers examine source code to identify errors, bugs, or security issues. While code review can catch coding mistakes, enforce coding standards, and improve code quality, it is typically limited to human observation or automated pattern detection. Code review cannot execute the application or observe its runtime behavior, making it insufficient for detecting dynamic issues that only manifest during program execution. Therefore, while code review is a critical part of software quality assurance, it does not replace dynamic analysis for runtime vulnerability detection.

D) Configuration management
Configuration management involves tracking and controlling changes to software, hardware, and documentation throughout the system lifecycle. It ensures consistency, prevents unauthorized modifications, and facilitates version control. Although configuration management supports overall software integrity and reliability, it is not a testing methodology and does not provide any direct insight into runtime vulnerabilities or system behavior. It is primarily an administrative and process control function rather than a security testing technique.

In conclusion, dynamic analysis is the correct choice because it evaluates software behavior during execution, uncovering vulnerabilities and runtime issues that static testing, code review, or configuration management cannot detect. Static testing examines code without execution, code review focuses on human evaluation of the source code, and configuration management maintains control over changes, but only dynamic analysis provides actionable insight into how the application responds to real-world inputs, making it essential for effective security and performance testing.

Dynamic analysis complements static testing and code review, providing a comprehensive approach to software security and reliability by addressing both the theoretical and practical aspects of program behavior. This makes option B the most appropriate choice for identifying vulnerabilities in live environments.

Question 189:

Under Domain 1, which governance document defines acceptable and unacceptable user behaviors on organizational systems?

A) Security Charter
B) Acceptable Use Policy (AUP)
C) Disaster Recovery Plan
D) Risk Register

Answer: B) Acceptable Use Policy (AUP).

Explanation:

An AUP defines how employees may access and use company technology resources responsibly, ensuring compliance and accountability.

Question 190:

Under Domain 2, what is a key challenge of applying data sovereignty principles in multinational organizations?

A) Excessive encryption use
B) Differing national privacy laws governing data storage and processing locations
C) Lack of classification systems
D) Excessive redundancy

Answer: B) Differing national privacy laws governing data storage and processing locations.

Explanation:

In today’s interconnected world, organizations increasingly rely on cloud services, data centers, and international operations to store, process, and transmit data. While these advances offer operational efficiency, scalability, and flexibility, they also introduce complex challenges related to data privacy and compliance. The correct answer is option B: differing national privacy laws governing data storage and processing locations. Understanding why this is the correct choice requires analyzing each of the four options in detail.

A) Excessive encryption use
Encryption is a fundamental tool for protecting data confidentiality and integrity. While improper or overuse of encryption may lead to operational overhead or system performance issues, it is not inherently a compliance or legal challenge. Encryption, when implemented correctly, is a best practice for securing sensitive data. Excessive encryption may create complexity in key management or system performance, but it does not create the regulatory or legal conflicts that differing privacy laws impose on organizations handling international data.

B) Differing national privacy laws governing data storage and processing locations
This is the correct answer. Organizations operating across multiple countries often face a complex landscape of privacy and data protection laws, each with unique requirements regarding where data can be stored, how it can be processed, and the legal rights of data subjects. For example, the European Union’s General Data Protection Regulation (GDPR) imposes strict rules on the transfer of personal data outside the EU, requiring mechanisms such as standard contractual clauses, binding corporate rules, or adequacy decisions. Meanwhile, other countries, such as China or Russia, mandate that certain categories of personal or critical data remain within national borders. These differences can create significant operational and compliance challenges for multinational organizations, including the need to design data storage architectures that meet the strictest applicable regulations, implement legal agreements for cross-border transfers, and maintain continuous monitoring of regulatory changes. Failing to comply with these laws can result in severe fines, legal liability, and reputational damage, making differing national privacy laws one of the most critical challenges in modern information security and data management.

C) Lack of classification systems
Data classification systems categorize information based on sensitivity, regulatory requirements, and business value, allowing organizations to apply appropriate controls for confidentiality, integrity, and availability. While a lack of data classification can lead to poor security controls and inefficient resource allocation, it is an internal management issue rather than an external compliance or regulatory challenge. Organizations can mitigate internal risks by implementing classification policies, but the complexity arising from differing national privacy laws exists independently of internal classification practices.

D) Excessive redundancy
Redundancy involves creating additional copies of data or systems to ensure availability and reliability. While excessive redundancy can lead to increased storage costs or operational inefficiencies, it does not pose the same legal or compliance risks as national privacy law conflicts. Redundancy decisions are largely technical and operational in nature, focusing on disaster recovery, business continuity, and fault tolerance, rather than meeting legal obligations for data residency or cross-border transfers.

In conclusion, the primary challenge related to international data storage and processing is navigating differing national privacy laws. While excessive encryption, lack of classification systems, and excessive redundancy are important considerations in information security and data management, they do not create the complex regulatory and legal constraints imposed by privacy laws across jurisdictions. Organizations must carefully design their systems, contracts, and operational procedures to comply with local laws while enabling global operations.

This often involves implementing hybrid cloud architectures, geo-fencing data storage, negotiating data transfer agreements, and continuously monitoring regulatory changes to ensure compliance. By contrast, encryption, classification, and redundancy focus on internal security, operational efficiency, and resilience, not the legal and compliance challenges that arise from international data privacy requirements. Therefore, differing national privacy laws governing data storage and processing locations present the most significant challenge in a global data management context, making option B the correct choice.

Addressing these challenges requires a combination of legal, technical, and administrative controls, highlighting the importance of cross-functional collaboration between legal, IT, and security teams in multinational organizations. It emphasizes that compliance in a global environment is as much about understanding and adhering to jurisdictional requirements as it is about implementing technical safeguards.

Question 191:

Under Domain 3, which of the following is an advantage of elliptic curve cryptography (ECC) over RSA?

A) Requires longer key lengths for the same strength
B) Requires lower computational power for equivalent security
C) Provides weaker integrity
D) Is incompatible with mobile devices

Answer: B) Requires lower computational power for equivalent security.

Explanation:

ECC achieves comparable strength to RSA with shorter keys, offering faster computations and reduced storage needs, especially advantageous in constrained environments.

Question 192:

Under Domain 4, which type of firewall filters traffic at the application layer and can inspect payloads?

A) Packet filtering firewall
B) Circuit-level gateway
C) Application proxy firewall
D) Stateful inspection firewall

Answer: C) Application proxy firewall.

Explanation:

An application proxy firewall, also known as an application-level gateway, is a type of firewall that operates at the application layer of the OSI model, inspecting and controlling traffic based on the content of the messages rather than just the headers or basic connection information. The correct answer is option C: application proxy firewall. This type of firewall provides granular control over network traffic, allowing organizations to enforce security policies for specific applications, detect malicious content, and prevent protocol-based attacks. Understanding why this is the correct choice requires examining each of the four options in detail.

A) Packet filtering firewall
A packet filtering firewall operates at the network and transport layers of the OSI model. It examines packet headers, source and destination IP addresses, port numbers, and protocol types to determine whether to allow or block traffic. While packet filtering firewalls are fast and efficient for basic network filtering, they have limited ability to inspect the content of the traffic or understand the context of an application session. They cannot differentiate between legitimate and malicious application-layer commands if they use the correct ports and protocols. For example, a packet filtering firewall might allow HTTP traffic through port 80 but would not detect an attack embedded within the HTTP payload. Therefore, packet filtering firewalls are not sufficient for application-level security, making them less suitable than an application proxy firewall for scenarios requiring deep inspection.

B) Circuit-level gateway
A circuit-level gateway operates at the session layer of the OSI model. It monitors TCP or UDP handshakes and validates that connections are legitimate before allowing data to flow between internal and external hosts. Circuit-level gateways provide security by establishing virtual circuits and ensuring session integrity, but they do not inspect the content of the application messages themselves. While they can prevent certain types of unauthorized connections, they cannot detect application-specific threats or enforce fine-grained security policies based on content, commands, or user behavior. As a result, circuit-level gateways provide an intermediate level of security, but they lack the detailed content inspection capabilities of application proxy firewalls.

C) Application proxy firewall
This is the correct answer. Application proxy firewalls act as intermediaries between clients and servers for specific applications, such as HTTP, FTP, SMTP, or DNS. They receive client requests, inspect and validate the contents of the requests, and then forward them to the destination server if deemed safe. By operating at the application layer, these firewalls can understand the context of the communication, enforce detailed security policies, and detect protocol-specific attacks, such as SQL injection or command injection attempts. Application proxy firewalls can also provide user authentication, logging, and content filtering, making them highly effective for controlling sensitive network traffic. They are particularly valuable in environments where strict security is required for specific applications, as they allow administrators to block malicious commands or malformed messages without affecting other traffic types.

D) Stateful inspection firewall
Stateful inspection firewalls, also known as dynamic packet-filtering firewalls, operate at the network and transport layers but maintain a state table to track active connections. They monitor the state of each connection and allow or deny packets based on the connection state and security policies. While stateful inspection provides better security than basic packet filtering by considering the context of connections, it still does not inspect the contents of application-layer messages. It cannot detect malicious payloads or application-specific attacks, making it less effective than an application proxy firewall for application-layer security.

In conclusion, an application proxy firewall is the most suitable choice for environments that require detailed inspection and control of traffic at the application layer. Packet filtering firewalls are fast and effective for basic traffic control, circuit-level gateways provide session-level validation, and stateful inspection firewalls track connection states, but none of these can provide the deep inspection and content-specific security features offered by an application proxy firewall. By understanding the content and context of application traffic, application proxy firewalls can enforce granular security policies, detect sophisticated attacks, and provide strong protection for critical applications, making option C the correct answer.

This makes application proxy firewalls particularly valuable in enterprise networks where threats often target specific applications rather than the network as a whole. Their ability to provide authentication, logging, and content filtering at the application level ensures that security policies are consistently enforced, reducing the risk of exploitation and improving overall network security posture.

Question 193:

Under Domain 5, what does the principle of separation of duties help prevent?

A) Performance bottlenecks
B) Conflicts of interest and fraud
C) Data loss from redundancy
D) Poor encryption practices

Answer: B) Conflicts of interest and fraud.

Explanation:

Segregation of duties (SoD) is a fundamental principle in information security and internal controls that ensures no single individual has complete control over all aspects of a critical process. The primary goal of SoD is to reduce the risk of errors, fraud, and conflicts of interest by distributing responsibilities among multiple individuals. The correct answer to the question is option B: conflicts of interest and fraud. Understanding why this is the correct choice requires examining each of the four options in detail.

A) Performance bottlenecks
Performance bottlenecks occur when a system, process, or workflow slows down due to limited resources, inefficient design, or excessive demand on a particular component. While performance bottlenecks can affect the efficiency and productivity of operations, they are unrelated to the primary purpose of segregation of duties. SoD is focused on distributing responsibilities to reduce risks, not on optimizing system performance or resource utilization. Although SoD may indirectly influence workflow efficiency, its core purpose is to safeguard against misuse, not to improve speed or performance.

B) Conflicts of interest and fraud
This is the correct answer. Segregation of duties is implemented to prevent a single individual from having the ability to execute and conceal fraudulent activities without detection. For example, in a financial context, separating the roles of invoice approval, payment processing, and account reconciliation ensures that no single employee can manipulate the system for personal gain without collusion. By dividing critical responsibilities among multiple employees, organizations reduce the risk of conflicts of interest, where personal incentives may interfere with professional duties, and prevent fraud from occurring undetected. Segregation of duties also enhances accountability, as each step in a process is monitored and verified by a different individual. This approach is widely recognized as a best practice in frameworks such as COSO, ISO 27001, and SOX compliance, where mitigating the risk of internal fraud and conflicts of interest is a key objective.

C) Data loss from redundancy
Data loss from redundancy refers to the risk of losing information due to multiple copies, improper backup procedures, or system failures. While data redundancy management is an important aspect of information security, it is addressed through strategies such as backup systems, disaster recovery planning, and replication controls. Segregation of duties does not directly prevent data loss from redundancy; instead, it focuses on controlling who has authority to perform sensitive operations and how those operations are verified. Data loss prevention and SoD are complementary but address different aspects of organizational risk.

D) Poor encryption practices
Poor encryption practices occur when cryptographic methods are implemented incorrectly, keys are mismanaged, or outdated algorithms are used. While weak encryption can compromise data confidentiality and integrity, segregation of duties is not designed to address encryption issues. Proper encryption practices fall under technical controls and information security policies, whereas SoD is an administrative control designed to limit the risk of misuse, error, or fraudulent activity through the allocation of responsibilities. Segregation of duties can indirectly support encryption management by separating key management responsibilities, but its primary purpose is the mitigation of conflicts of interest and fraud, not the enforcement of cryptographic security.

In summary, the main objective of segregation of duties is to reduce the risk of conflicts of interest and fraudulent behavior by ensuring that critical tasks and responsibilities are divided among multiple individuals. While performance bottlenecks, data loss from redundancy, and poor encryption practices are important security and operational considerations, they are addressed through other controls and processes. SoD strengthens internal controls, enhances accountability, and protects organizational assets by preventing any single individual from having unchecked authority over sensitive operations. This makes option B the most accurate and relevant choice.

By implementing segregation of duties, organizations not only reduce the potential for fraud but also create a culture of checks and balances, where multiple individuals verify and validate each step of a critical process. This layered approach increases transparency, deters malicious activity, and ensures that conflicts of interest are minimized. It is particularly critical in financial management, access control, system administration, and other areas where a single person with full authority could exploit the system for personal or unauthorized gain. Ultimately, segregation of duties is a key administrative control that addresses human risk factors directly, making conflicts of interest and fraud its primary concern.

Question 194:

Under Domain 6, what is the main benefit of continuous monitoring?

A) Detecting vulnerabilities and anomalies in near real time
B) Reducing network segmentation needs
C) Eliminating patching
D) Enhancing encryption key lengths

Answer: A) Detecting vulnerabilities and anomalies in near real time.

Explanation:

Intrusion detection and monitoring systems play a critical role in maintaining the security of information systems by identifying potential threats, vulnerabilities, and anomalies. The correct answer to the question is option A: detecting vulnerabilities and anomalies in near real time. This functionality allows organizations to respond quickly to potential attacks, minimize damage, and maintain the integrity, confidentiality, and availability of their systems. Understanding why this is the correct choice requires examining each of the four options.

A) Detecting vulnerabilities and anomalies in near real time
This is the correct answer. Modern security monitoring systems, including intrusion detection systems (IDS) and intrusion prevention systems (IPS), are designed to continuously monitor network traffic, system logs, and application activities to identify unusual behavior or known attack patterns. By detecting anomalies and vulnerabilities in near real time, organizations can proactively respond to threats before they escalate into full-scale security incidents. For example, if an unusual login pattern or unexpected data transfer is detected, the system can alert security teams immediately, enabling rapid investigation and mitigation. This proactive approach is essential in modern cybersecurity, where threats are increasingly sophisticated and time-sensitive.

B) Reducing network segmentation needs
Network segmentation is a technique that divides a network into separate zones to limit lateral movement by attackers and improve security control. While segmentation is an important security practice, it is unrelated to the primary function of detection systems. Intrusion detection systems do not replace the need for segmentation; instead, they complement it by providing visibility and alerts within each network segment. Therefore, reducing segmentation needs is not a function of detecting vulnerabilities or anomalies.

C) Eliminating patching
Patching is the process of updating software or systems to fix security vulnerabilities or improve functionality. While monitoring systems can identify vulnerable systems or suspicious activity, they cannot eliminate the need to apply patches. Regular patching remains a fundamental part of cybersecurity hygiene to address known vulnerabilities. Detection systems enhance security by identifying risks, but they do not substitute for proactive patch management.

D) Enhancing encryption key lengths
Encryption key length determines the strength of cryptographic protection for data. While longer keys can increase security, detection systems do not inherently change or enhance key lengths. Encryption is focused on protecting data in transit or at rest, whereas intrusion detection is focused on monitoring activity to detect unauthorized behavior. Enhancing key lengths is unrelated to the core function of vulnerability or anomaly detection.

In conclusion, the primary purpose of modern security monitoring and intrusion detection systems is to detect vulnerabilities and anomalies in near real time. While practices such as network segmentation, patching, and encryption are critical components of a robust security strategy, they serve different functions. Detection systems provide immediate visibility into threats and irregular activities, enabling organizations to respond quickly and effectively, reducing the likelihood of successful attacks and minimizing potential damage. This makes option A the correct choice.

Question 195:

Under Domain 7, what is the purpose of tabletop exercises?

A) To test backup systems under load
B) To simulate incidents in a discussion-based format for evaluating response procedures
C) To test automated failover systems
D) To train only senior executives

Answer: B) To simulate incidents in a discussion-based format for evaluating response procedures.

Explanation:

Tabletop exercises allow participants to review roles, communications, and decision-making in simulated scenarios without disrupting actual operations.

Question 196:

Under Domain 8, what is the goal of secure coding frameworks like OWASP ASVS?

A) To automate network scanning
B) To provide standardized security requirements and validation guidelines for applications
C) To manage cloud deployment costs
D) To define encryption algorithms

Answer: B) To provide standardized security requirements and validation guidelines for applications.

Explanation:

OWASP ASVS establishes measurable criteria for secure development, testing, and verification, ensuring consistency across projects and reducing vulnerabilities.

Question 197:

Under Domain 1, which risk management document records identified risks, their impact, likelihood, and mitigation status?

A) Risk Matrix
B) Risk Register
C) Control Catalog
D) Incident Log

Answer: B) Risk Register.

Explanation:

A risk register is a critical tool in risk management that documents, tracks, and monitors identified risks, along with the corresponding mitigation plans and risk owners. The correct answer is option B: Risk Register. It serves as a central repository for all risks affecting an organization’s projects, systems, or operations, helping stakeholders make informed decisions and prioritize resources effectively. Understanding why a risk register is the correct choice requires examining each of the four options.

A) Risk Matrix
A risk matrix is a visual tool used to evaluate and categorize risks based on their likelihood and impact. It is often used to assess and prioritize risks, typically represented in a grid format where one axis represents probability and the other represents impact. While a risk matrix is valuable for analysis and decision-making, it is not a comprehensive documentation tool. It does not track risk ownership, mitigation steps, or ongoing monitoring, which are the primary functions of a risk register.

B) Risk Register
This is the correct answer. A risk register is a detailed document that lists all identified risks in a project or organization, along with key attributes such as risk descriptions, potential impacts, likelihood, severity, risk owners, mitigation strategies, and status updates. It provides a structured way to monitor and control risks throughout their lifecycle, ensuring accountability and visibility. Risk registers facilitate communication among stakeholders, support audits and compliance efforts, and help organizations allocate resources to address the most critical risks. By maintaining an up-to-date risk register, organizations can track progress on mitigation efforts, identify emerging risks, and make proactive decisions to minimize negative impacts. The risk register is therefore an essential element of a mature risk management process.

C) Control Catalog
A control catalog is a repository of security controls, policies, and standards that an organization can implement to manage risks. It typically includes technical, administrative, and physical controls but does not document specific risks, their likelihood, or mitigation plans for individual projects. A control catalog is a reference tool rather than a tracking or monitoring system for actual risks, so it cannot replace the functionality provided by a risk register.

D) Incident Log
An incident log records actual events, security breaches, or operational incidents as they occur. While incident logs are useful for post-incident analysis, root cause investigation, and compliance reporting, they are reactive in nature. A risk register, on the other hand, is proactive, documenting potential risks before they occur and tracking mitigation plans to prevent or reduce their impact. Incident logs do not provide a forward-looking risk management perspective.

In conclusion, a risk register is the correct choice because it provides a centralized, structured, and ongoing record of risks, their potential impacts, mitigation strategies, and ownership. While a risk matrix helps prioritize risks, a control catalog lists possible controls, and an incident log documents events after they occur, only a risk register combines identification, tracking, monitoring, and management of risks in a single, comprehensive tool. This makes option B the most appropriate and effective instrument for proactive risk management.

Question 198:

Under Domain 2, what control ensures data integrity during transmission?

A) Encryption alone
B) Checksums or message authentication codes (MACs)
C) Data compression
D) Key escrow

Answer: B) Checksums or message authentication codes (MACs).

Explanation:

Ensuring the integrity of data in transit or at rest is a critical aspect of information security. Integrity refers to the assurance that data has not been altered, tampered with, or corrupted either intentionally or accidentally. The correct answer is option B: checksums or message authentication codes (MACs). These techniques provide mechanisms to detect unauthorized changes and ensure that data remains consistent and trustworthy. Understanding why this is the correct choice requires examining each of the four options.

A) Encryption alone
Encryption protects the confidentiality of data by converting it into an unreadable format that can only be decrypted with the appropriate key. While encryption ensures that unauthorized parties cannot easily access the data, it does not inherently guarantee integrity. Encrypted data could still be modified or corrupted in transit, and without additional mechanisms such as checksums or MACs, the recipient may not detect the tampering. Therefore, encryption alone is insufficient to provide data integrity.

B) Checksums or message authentication codes (MACs)
This is the correct answer. Checksums are simple mathematical values computed from data that allow detection of accidental errors or modifications during transmission. For example, a CRC (Cyclic Redundancy Check) appended to a file can reveal whether data has been altered in transit. Message authentication codes, on the other hand, combine cryptographic hashing with a secret key to provide both integrity and authentication. A MAC ensures that the message was not only unaltered but also originated from a legitimate sender who possesses the secret key. These techniques are widely used in network protocols, secure communications, and file integrity checks, providing robust mechanisms to detect changes or tampering.

C) Data compression
Data compression reduces the size of files or transmitted messages to improve storage efficiency or reduce bandwidth consumption. While compression may change the data’s format or representation, it does not provide any protection against unauthorized modification. Compressed data is still susceptible to tampering, and compression itself does not include mechanisms for integrity verification. Therefore, compression is unrelated to ensuring data integrity.

D) Key escrow
Key escrow is a process in which cryptographic keys are stored with a trusted third party to allow recovery or access under certain conditions. Key escrow relates primarily to key management and regulatory or legal access requirements. While it may support availability or compliance objectives, key escrow does not provide any mechanism to verify that data has not been altered or tampered with, making it irrelevant for ensuring integrity.

In conclusion, checksums and message authentication codes (MACs) are the correct choice for ensuring data integrity. Encryption protects confidentiality but does not inherently detect changes, compression reduces data size without verifying integrity, and key escrow focuses on key management rather than data verification. Checksums and MACs provide a reliable and efficient way to detect accidental or malicious modifications, ensuring that the recipient can trust the accuracy and authenticity of the data they receive. This makes option B the most appropriate answer for verifying and maintaining data integrity.

 

Question 199:

Under Domain 3, which cryptographic process provides non-repudiation?

A) Hashing
B) Digital signatures
C) Symmetric encryption
D) Key wrapping

Answer: B) Digital signatures.

Explanation:

Digital signatures are a cryptographic mechanism used to verify the authenticity, integrity, and non-repudiation of electronic messages or documents. The correct answer is option B: digital signatures. They are widely used in secure communications, software distribution, and electronic transactions to ensure that data has not been altered in transit and that the sender’s identity can be trusted. Understanding why digital signatures are the correct choice requires examining each of the four options.

A) Hashing
Hashing is a process that converts data into a fixed-size string of characters, often referred to as a hash value or digest. Hashing is commonly used for data integrity checks, password storage, and indexing. While hashes can indicate whether data has been modified, they do not provide information about the sender’s identity. On their own, hashes cannot offer authentication or non-repudiation, which are critical aspects addressed by digital signatures.

B) Digital signatures
This is the correct answer. Digital signatures combine hashing and asymmetric cryptography to provide authentication, integrity, and non-repudiation. When creating a digital signature, the sender generates a hash of the message and encrypts it using their private key. The recipient can then decrypt the signature using the sender’s public key and compare the resulting hash with a hash generated from the received message. If the two hashes match, it confirms that the message has not been altered and that it originated from the claimed sender. Digital signatures are widely used in email security (e.g., S/MIME), software distribution, legal documents, and blockchain transactions, providing strong assurance of both origin and integrity.

C) Symmetric encryption
Symmetric encryption uses the same key for both encryption and decryption. While it ensures confidentiality by protecting data from unauthorized access, symmetric encryption does not provide authentication or non-repudiation. Anyone with access to the shared key can encrypt or decrypt messages, making it unsuitable for verifying the sender’s identity or ensuring that the message has not been tampered with by an unauthorized party. Digital signatures, in contrast, rely on asymmetric keys, which provide these guarantees.

D) Key wrapping
Key wrapping is a cryptographic technique used to securely encrypt one or more cryptographic keys with another key, usually to protect key material during transport or storage. While key wrapping ensures the confidentiality and integrity of encryption keys, it does not provide message-level authentication or non-repudiation. Key wrapping is a supportive mechanism in secure systems but does not fulfill the broader role of a digital signature.

In conclusion, digital signatures are the correct choice because they provide authentication, integrity verification, and non-repudiation for electronic data. Hashing ensures integrity but cannot verify the sender’s identity, symmetric encryption ensures confidentiality without authentication, and key wrapping protects key material but does not authenticate messages. Digital signatures uniquely combine these security functions, making them essential for trusted electronic communication and secure transactions.

Question 200:

Under Domain 4, what technology enables centralized authentication for remote network access?

A) RADIUS
B) DHCP
C) SNMP
D) FTP

Answer: A) RADIUS.

Explanation:

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol used to provide centralized authentication, authorization, and accounting (AAA) for users connecting to a network. The correct answer to the question is option A: RADIUS. This protocol is widely deployed in enterprise networks to manage access control and enforce consistent security policies across multiple devices and services. Understanding why RADIUS is the correct choice requires examining each of the four options.

A) RADIUS
RADIUS is specifically designed to centralize the process of authenticating users, authorizing their access levels, and accounting for their activities on a network. It enables organizations to control who can connect to network resources, determine what services they are allowed to access, and log usage for auditing or billing purposes. RADIUS is commonly used in scenarios such as remote access VPNs, wireless networks, and enterprise switches or routers. The centralized architecture allows administrators to enforce consistent authentication policies across all access points and network devices, simplifying security management while improving accountability and compliance. RADIUS supports multiple authentication methods, including passwords, digital certificates, and multi-factor authentication, providing flexibility and strong security for enterprise environments.

B) DHCP
Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses and other network configuration parameters to devices on a network. While DHCP is essential for efficient network management and ensuring devices can communicate on the network, it does not provide authentication or authorization services. DHCP does not control access to network resources or track user activity, making it unrelated to AAA functions, which is the role of RADIUS.

C) SNMP
Simple Network Management Protocol (SNMP) is used for network management and monitoring. It allows administrators to gather information about devices, monitor performance, and configure network components remotely. While SNMP is useful for managing network infrastructure, it does not authenticate users, control access to resources, or maintain usage logs for accounting purposes. SNMP focuses on device management rather than user-level access control.

D) FTP
File Transfer Protocol (FTP) is used for transferring files between clients and servers over a network. FTP provides basic authentication and file access functionality but does not provide centralized authentication, authorization, or accounting across a network. FTP lacks the AAA capabilities, policy enforcement, and logging features that RADIUS provides for enterprise environments.

In conclusion, RADIUS is the correct answer because it is designed to provide centralized authentication, authorization, and accounting for network access. DHCP, SNMP, and FTP serve other network functions—address assignment, device management, and file transfer—but do not offer the comprehensive AAA framework required to manage secure access for users across multiple network devices and services. By using RADIUS, organizations can ensure consistent security policies, enforce access control, and maintain detailed logs for auditing and compliance purposes.