D430 Fundamentals of Information Security
Free D430 Fundamentals of Information Security Questions
When an intrusion detection system (IDS) identifies a potential threat and alerts the security team while also initiating a script to isolate the affected system from the network, what two functions are being performed by this security control?
- A. Preventive and detective
- B. Corrective and detective
- C. Preventive and corrective
- D. Operational and technical
Correct Answer
B. Corrective and detective
Explanation
In this scenario, the IDS is detecting a potential threat (detective function) and then responding by isolating the affected system (corrective function). The detective function refers to the system's ability to identify and alert on potential security issues, while the corrective function involves taking actions to mitigate the impact or prevent further damage, such as isolating the system from the network.
Why other options are wrong
A. Preventive and detective
This option is incorrect because preventive measures involve taking action to prevent an attack from occurring in the first place, such as blocking access or filtering traffic. In this case, the IDS is detecting a threat (detective), not preventing it, and taking corrective action after the detection.
C. Preventive and corrective
This option is incorrect because preventive measures are not being implemented. Preventive measures would involve blocking the threat before it occurs, while in this case, the IDS detects and alerts after the potential threat is identified, and corrective action is taken after detection.
D. Operational and technical
This option is incorrect because the terms "operational" and "technical" are not directly related to the functional categories of security control actions. The correct classification would be preventive, detective, or corrective actions.
Which of the following BEST describes the concept of perfect forward secrecy?
- A. Using quantum random number generation to make decryption effectively impossible
- B. Preventing cryptographic reuse so a compromise of one operation does not affect other operations
- C. Implementing elliptic curve cryptographic algorithms with true random numbers
- D. The use of NDAs and policy controls to prevent disclosure of company secrets
Correct Answer
B. Preventing cryptographic reuse so a compromise of one operation does not affect other operations
Explanation
Perfect forward secrecy (PFS) is a concept in cryptography that ensures session keys used in secure communications are never compromised, even if a long-term key (like a server’s private key) is exposed in the future. The key principle of PFS is that the compromise of one session key will not affect the security of past sessions, ensuring that past communications remain secure even if current encryption keys are compromised.
Why other options are wrong
A. Using quantum random number generation to make decryption effectively impossible
This option relates to quantum cryptography, which is a different concept from perfect forward secrecy. Quantum random number generation might improve security, but it does not directly address the key issue of PFS, which is preventing the compromise of session keys even if long-term keys are exposed.
C. Implementing elliptic curve cryptographic algorithms with true random numbers
Elliptic curve cryptography (ECC) and the use of true random numbers can improve cryptographic security, but they are not the definition of perfect forward secrecy. PFS specifically involves ensuring that session keys cannot be derived from past or future key compromises, regardless of the cryptographic method used.
D. The use of NDAs and policy controls to prevent disclosure of company secrets
This option refers to non-disclosure agreements (NDAs) and organizational controls to safeguard information. While important in a corporate context, this is unrelated to the concept of perfect forward secrecy, which is a cryptographic principle for ensuring that session keys remain secure even if long-term keys are compromised.
The following are properties of information security:
- A. Passwords, encryption, back up and policies.
- B. Availability, integrity and confidentiality.
- C. Availability, integrity, confidentiality, authentication and nonrepudiation.
- D. Threats, controls and vulnerabilities.
Correct Answer
C. Availability, integrity, confidentiality, authentication and nonrepudiation.
Explanation
Information security is generally based on five core principles: availability, integrity, confidentiality, authentication, and nonrepudiation. These principles work together to ensure that information is accessible when needed (availability), accurate and unaltered (integrity), protected from unauthorized access (confidentiality), verified for authenticity (authentication), and that the sender cannot deny having sent the message (nonrepudiation). These principles cover the comprehensive security needs of information systems.
Why other options are wrong
A. Passwords, encryption, back up and policies
This is incorrect because while passwords, encryption, backups, and policies are important tools and strategies in information security, they do not represent the core principles. The core principles focus more on the goals of information security (e.g., confidentiality, integrity), not specific technologies or practices.
B. Availability, integrity and confidentiality
This is incorrect because it lacks authentication and nonrepudiation, which are also critical properties in ensuring a secure information system. The complete set of principles for information security includes all five: availability, integrity, confidentiality, authentication, and nonrepudiation.
D. Threats, controls and vulnerabilities
This is incorrect because threats, controls, and vulnerabilities refer to the challenges and management aspects of information security, not the foundational principles. These elements describe what security mechanisms must address but do not constitute the actual properties of information security.
Which of the following statements accurately describes the benefit of implementing Perfect Forward Secrecy (PFS) in secure communications?
- A. PFS allows for the decryption of past traffic if the server's private key is compromised.
- B. PFS ensures that each session key is unique and not derived from the server's private key, protecting past communications.
- C. PFS requires the use of symmetric encryption for all data transmissions.
- D. PFS eliminates the need for digital certificates in secure communications.
Correct Answer
B. PFS ensures that each session key is unique and not derived from the server's private key, protecting past communications.
Explanation
Perfect Forward Secrecy (PFS) is a cryptographic feature that ensures each session generates its own unique key that is not dependent on the server's private key. Even if the server's private key is compromised in the future, past communications remain protected because the session keys are not derived from it. This enhances security by preventing the decryption of past communication sessions.
Why other options are wrong
A. PFS allows for the decryption of past traffic if the server's private key is compromised.
This statement is incorrect because PFS specifically prevents the decryption of past sessions, even if the server's private key is compromised. This is one of the key benefits of using PFS.
C. PFS requires the use of symmetric encryption for all data transmissions.
This statement is incorrect. While symmetric encryption may be used to encrypt the data itself during communication, PFS is primarily concerned with the generation of unique session keys for each session, not the type of encryption used for data transmission.
D. PFS eliminates the need for digital certificates in secure communications.
This statement is incorrect. PFS does not eliminate the need for digital certificates. Certificates are still used to authenticate the server, but PFS ensures that session keys are independently generated and do not rely on long-term private keys.
Which of the following statements about a smart card are true? Each correct answer represents a complete solution. Choose two.
- A. It is used to securely store public and private keys for log on, e-mail signing and encryption, and file encryption.
- B. It is a device that works as an interface between a computer and a network.
- C. It is a device that routes data packets between computers in different networks.
- D. It is a device that contains a microprocessor and permanent memory.
Correct Answers
A. It is used to securely store public and private keys for log on, e-mail signing and encryption, and file encryption.
D. It is a device that contains a microprocessor and permanent memory.
Explanation
Smart cards are commonly used to store sensitive information, such as public and private keys, for tasks such as logging into systems, email signing and encryption, and file encryption. These cards also contain a microprocessor and permanent memory to store and process information securely, ensuring that data is encrypted and cannot be easily extracted or altered.
Why other options are wrong
B. It is a device that works as an interface between a computer and a network.
This describes a network interface device or adapter, not a smart card. Smart cards interact directly with systems for authentication and data storage but do not act as a network interface.
C. It is a device that routes data packets between computers in different networks.
This describes a router, not a smart card. Smart cards are used for authentication and storing cryptographic data, not for routing network traffic.
Location-based authentication techniques can be effectively used to provide which of the following?
- A. Static authentication
- B. Intermittent authentication
- C. Continuous authentication
- D. Robust authentication
Correct Answer
C. Continuous authentication
Explanation
Location-based authentication can be used to continuously verify a user's identity based on their geographic location, ensuring that access to systems or services remains valid while the user is within an acceptable location. This form of authentication helps maintain security without requiring the user to reauthenticate repeatedly, providing continuous security as long as the user's location matches the expected parameters.
Why other options are wrong
A. Static authentication
Static authentication is a one-time verification process, often based on credentials like passwords or PINs. Location-based authentication, by its nature, is dynamic and doesn't fit the concept of static authentication.
B. Intermittent authentication
Intermittent authentication would involve checking the user's identity at irregular intervals. Location-based authentication is more suited to continuous verification, rather than being checked intermittently.
D. Robust authentication
Robust authentication refers to using multiple factors or layers of security to ensure strong identification. While location-based authentication can be part of a robust authentication system, the primary characteristic of location-based authentication is continuous verification rather than merely robustness.
Which architectural approach is most effective for ensuring the confidentiality and integrity of sensitive archived data?
- A. A centralized security architecture
- B. A layered security architecture
- C. A flat network architecture
- D. A perimeter-based security architecture
Correct Answer
B. A layered security architecture
Explanation
A layered security architecture is the most effective approach for ensuring confidentiality and integrity because it applies multiple security measures at different levels, offering protection against a variety of threats. This approach combines physical, network, application, and data-level security controls, ensuring that even if one layer is compromised, others will still provide protection. It helps secure archived data by addressing potential vulnerabilities in various parts of the system, including encryption, access control, and monitoring.
Why other options are wrong
A. A centralized security architecture
While a centralized security architecture can streamline management, it may create a single point of failure. In terms of securing sensitive data, relying solely on centralized security does not provide the same depth of defense as a layered approach, which involves multiple points of security checks.
C. A flat network architecture
A flat network architecture lacks segmentation, which makes it less effective for securing sensitive data. It does not provide the isolation or the layers of defense necessary to protect sensitive archived data effectively.
D. A perimeter-based security architecture
Perimeter-based security focuses primarily on external threats, such as unauthorized access from outside the network. However, it may not provide sufficient internal protections for sensitive archived data, especially if attackers have already bypassed the perimeter. Layered security provides a more comprehensive defense.
Which of the following implementations best employs the advantages of location-based authentication, while minimizing its disadvantages?
- A. Pinpointing an individual user's terminal by tracing their IP address back to their physical location
- B. Employing user's phone geolocation data to verify their credentials to access a secure website
- C. Enforcing a mandatory "check in" policy on social media for users on remote access calls
- D. Activating location-based technology to operate a Virtual Private Network (VPN) gateway to restrict access to users from foreign countries
Correct Answer
B. Employing user's phone geolocation data to verify their credentials to access a secure website
Explanation
Using geolocation data from a user's phone to verify their credentials provides a more precise and practical method for location-based authentication. This technique is effective in confirming that the user is physically located in a trusted location, such as their home or workplace, before granting access to sensitive systems. It leverages a readily available technology that is secure and has minimal disadvantages compared to other methods.
Why other options are wrong
A. Pinpointing an individual user's terminal by tracing their IP address back to their physical location
This method has several disadvantages, including inaccuracies in pinpointing a user's physical location due to the use of VPNs or proxy servers. It also doesn't consider situations where the user may be traveling or using a different device, making it less reliable for authentication purposes.
C. Enforcing a mandatory "check in" policy on social media for users on remote access calls
This approach is not secure because it relies on social media platforms, which could be compromised or exploited. It also places a significant burden on users and opens up potential privacy issues, making it less practical for authentication purposes.
D. Activating location-based technology to operate a Virtual Private Network (VPN) gateway to restrict access to users from foreign countries
While this could prevent access from unauthorized locations, it is a restrictive and blunt approach. It limits access for legitimate users who may be traveling internationally or using mobile devices, and it could cause legitimate users to be blocked, making it a less efficient solution compared to using phone geolocation data.
It's time to change passwords again and you don't feel like entering a brand-new password. You use an old password you used last year, but it is rejected. What policy is most likely preventing you from reusing it?
- A. Password complexity
- B. Password history
- C. Password expiration
- D. Maximum attempts
Correct Answer
B. Password history
Explanation
Password history is a policy that prevents users from reusing old passwords for a specified number of password changes. This ensures that users do not recycle passwords, improving security by preventing the reuse of weak or compromised passwords.
Why other options are wrong
A. Password complexity
Password complexity policies require passwords to meet certain criteria, such as containing a mix of uppercase, lowercase, numbers, and special characters. While complexity is important for password strength, it does not prevent reusing old passwords.
C. Password expiration
Password expiration policies require that passwords be changed after a certain period. However, expiration only limits the length of time a password can be used; it does not prevent the reuse of previous passwords.
D. Maximum attempts
The maximum attempts policy limits the number of failed login attempts before locking an account or initiating additional security measures. This policy is related to account protection, not password reuse.
What is one of the primary functions of LDAP in an organization's information security framework?
- A. To encrypt sensitive data during transmission
- B. To provide a centralized directory for user authentication and authorization
- C. To monitor network traffic for suspicious activity
- D. To serve as a firewall against unauthorized access
Correct Answer
B. To provide a centralized directory for user authentication and authorization
Explanation
LDAP (Lightweight Directory Access Protocol) is primarily used to provide a centralized directory service for managing user authentication and authorization. It allows organizations to store and query information about users, such as usernames, passwords, and roles, enabling efficient management of access to resources within the network. LDAP is essential for maintaining a secure and organized access control system within an enterprise.
Why other options are wrong
A. To encrypt sensitive data during transmission
This is incorrect because while LDAP can use encryption (such as LDAPS, the secure version of LDAP), its primary function is not to encrypt data but to provide directory services for authentication and authorization.
C. To monitor network traffic for suspicious activity
This is incorrect. Monitoring network traffic for suspicious activity is the role of intrusion detection systems (IDS) or network monitoring tools, not LDAP.
D. To serve as a firewall against unauthorized access
This is incorrect. A firewall is used to control and monitor incoming and outgoing network traffic, preventing unauthorized access. LDAP is not a firewall; it is a directory service for managing user access and credentials.