CCT 125: Practice CISSP Questions - Integrity Unhashed through Ensuring Message Authenticity with the CISSP (D3.6)

Mar 21, 2024

Embark on a transformative journey with me, Sean Gerber, as I share the pivotal moment of venturing into full-time cybersecurity consulting after a significant chapter of my career. It's a time of change and opportunity, not just for me but for the entire cybersecurity landscape, as we witness the shockwaves of a ransomware attack on Change Healthcare and its repercussions on entities like UnitedHealthcare. In this episode, we peel back the layers of this incident to reveal the harsh realities and potential regulatory upheavals that could redefine industry standards and hold executives' feet to the fire. Get ready for an essential discussion on the intersection of cybersecurity and accountability and how it impacts us as professionals in the field.

As we navigate these turbulent waters, we also unravel the complexities of checksums and cryptographic hash functions. Understand why CRCs can't keep your data under wraps and the vital importance of collision resistance in hashing algorithms. We go beyond basic error detection and step into a world where digital signatures and certificates are the sentinels guarding our digital identities. This deep dive into the technical underpinnings of cybersecurity doesn't just prepare you for the CISSP exam; it arms you with the knowledge to fortify your data against the evolving threats in the cyber realm. Tune in and bolster your defenses with insights from the forefront of cybersecurity.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Speaker 2:  

Hey all, Sean Gerber with the CISSP Cyber Training Podcast, and I hope you all are having a wonderful day today. Today is exam question Thursday, and we're going to go over some awesome questions as it relates to message integrity, digital signatures and all the wonderful things that came out of the last podcast we had on Monday. But before we do, one quick question, one quick announcement, actually. I am finally done working at my company that I worked at for about 13 years, and I'm out on my own. So this is amazing, exciting and a bit terrifying. So we're pretty excited about what's happening here at CISSP Cyber Training, as well as the fact that I'm going to be able to be a consultant and help a lot of organizations with their cybersecurity, whereas in the past I was a little bit limited. Great company, amazing company, but time to move on and do some other things with my life, and I'm pretty excited about that. But before we get started, I just want to quickly talk about the recent article I saw today related to UnitedHealthcare. So this is really out there for all of you CISSP candidates that are working to get your certificate, one because you feel like you have to for your career, but also maybe because of the fact that your job may be requiring it due to regulations that might be coming down the pipe, and this is a great example of what you're going to see more of.
This is from the recent attack that happened on UHC and Change Pharmaceuticals or Change Medicals, something like that, and what it really came down to was they had a ransomware attack that hit this Change Healthcare, and they basically process transactions for UnitedHealthcare, which is one of the major, largest insurance companies in the United States, and they process around 15 billion transactions annually, which is a lot, right, that's like gov of transactions that are occurring, and they got hit with a ransomware attack, and this ransomware attack basically brought them to their knees. And this was back in the first part of February, if I'm not mistaken, and because of that, they had ended up paying a $22 million ransom to get unstuck. That was the ultimate goal of it, and this is when the Department of Homeland Security came into this and the Department of Human Services came in, and they decided that this needed to be fixed. So who knows who paid the bill, but bottom line is it's a critical infrastructure for the United States, and therefore it was a target by these attackers and, as a result, we see what happened, and it caused a dramatic impact to the United States and our medical industry. Most of the big, like 50% of the pharmacies within the United States, actually could not be processing insurance transactions due to this attack. So, as we see, it's a really big factor as it comes to when you're talking infrastructure and critical infrastructure itself.

Speaker 2:  

Now, what the Biden administration is coming down to is they're maintaining this comment about how they're going to establish tough, mandatory cybersecurity standards for the healthcare industry. Yeah, so if you're a security person, if you're like me, you're going yikes. I've talked to a friend of mine who's a CISO at a very large Fortune 20 company, and a lot of folks that are in our space are starting to think highly about going, well, do I want to be a consultant? Do I want to be a CISO? What do I want to do? Do I want to be an architect? And one of the factors that came out of that conversation was that the regulations are becoming so onerous that, one, you're not going to take risk, but, two, the fact that it puts people like myself who were former CISOs kind of a little bit in jeopardy. So it's an interesting dynamic of things that are happening, and somebody basically wants someone to hang. That's the ultimate goal, is that they want to prove that they're doing something that is hard and substantial and making a difference, rather than just kind of sweeping it under the covers. So it will be very, very interesting in the next few years to see how this kind of weight plays out.

Speaker 2:  

One other part, I think, may have played into some of this, and again, I'm just guessing at this point, I have no insider knowledge on any of that, but there was a 2022 merger with Optum and Change Healthcare for about $13 billion. That's a lot of money, and that merger occurred, and it basically, I mean, who knows how that occurred in the fact of the security aspects around this organization. But when you bring a big, large organization like that together, I can tell you from experience, acquisitions are kludgy, acquisitions are very challenging, and if you don't have a good plan in place, even if you do have a good plan in place, there is a really good chance that something bad could happen. So it will be totally interesting to see what's going to occur out of this.

Speaker 2:  

One last comment I wanted to make is they made this comment, this was in there as well: they're investigating whether additional legislation is needed to bolster security in the healthcare sector, which includes increasing financial penalties and holding company executives liable for failing cybersecurity 101. Yeah, that's scary, because I just need somebody that's up in Washington, DC, telling me what cybersecurity 101 is. So, yeah, that's so good. So, anyway, this is an interesting concept that's going to be happening that you're going to be paying attention to. We're going to pay attention to it here at CISSP Cyber Training and on the Reduce Cyber Risk podcast. That's going to be coming out here very soon, and it's going to be fun.

Speaker 2:  

So, but that's enough talking about that, let's get into today's questions. Okay, so here are the questions that we are going to be talking about again. We're in Domain 3.6, getting into digital signatures, MD5s and SHA-1s, all that fun stuff. So let us get started. Question one: which of the following is the primary purpose of a message integrity check? A, to confirm the sender's identity; B, to ensure that the message is not altered; C, to compress the data for transmission; or D, to encrypt the message content. Again, which of the following is the primary purpose of a message integrity check, or MIC? And the message integrity check is used to detect any changes in the content. So it is question B, or answer B. It is used to detect any changes in the content of the message and ensuring that it's not been tampered with during transmission.

Speaker 2:  

Question two: what is the main difference between a checksum and a cryptographic hash function? Again, what is the main difference between a checksum and a cryptographic hash function? A, a checksum is used for error checking, while a hash function is used for security purposes. B, a checksum is reversible, while a hash function is not. C, a checksum can only be used once, while the hash function can be used multiple times. And then D, a checksum is faster to compute than a hash function. Again, what is the main difference between a checksum and a cryptographic hash function? And the answer is A: a checksum is used for error checking, while a hash function is used for security purposes. Checksums are generally used to verify the data's integrity, right, and detect errors within that very overall transmission, while the hash functions are designed as a secure way for you to verify the integrity of the data and are resistant to potential reverse engineering. Again, resistant, not impervious, but resistant.

Speaker 2:  

Question three: which of the following best describes a cyclic redundancy check, or a CRC? A, a symmetric encryption algorithm; B, an asymmetric encryption algorithm; C, an error-detecting code; or D, a digital signature algorithm. Which of the following best describes a CRC, or a cyclical redundancy check? And the answer is C: a CRC is an error-detecting code. Right, it's a checksum that's used to detect accidental changes to raw data in digital networks and storage devices.

Speaker 2:  

Question four: why are collision-resistant properties important in hashing algorithms? A, they ensure the hash value can be decrypted; B, they allow hash functions to be reversible; C, they increase the speed of the hashing function; or D, they prevent the same hash value from being produced by two different inputs. So why are collision-resistant properties important in hashing algorithms? Okay, again, we talked about collision. Why would collision be bad? You want things hitting each other? So the answer would be D: they prevent the same hash value from being produced by two different inputs. Again, collision resistance is crucial because it makes it computationally infeasible to find two distinct inputs that produce the same hash output. So therefore, it is unique. And if it's unique, that'll keep you from having collisions.

Speaker 2:  

Question five: which of the following secure hash algorithms is considered deprecated due to the vulnerabilities allowing for collision attacks? Now, we talked about this a little bit in the podcast. MD5 was one of them, but you don't see MD5 on here, so which one could it be? So which of the following secure hash algorithms is considered deprecated due to the vulnerabilities allowing for a collision attack? A, SHA-1; B, SHA-2; C, SHA-3; or D, all of the above. Okay. So if you didn't know the answer to this question, the easiest way to guess would be, obviously, something that is the oldest, and that would be correct: SHA-1. SHA-1 has been deprecated due to vulnerabilities to collision attacks, where two different inputs can produce the same hash value. So SHA-1 is the deprecated one.

Speaker 2:  

Question six: what is the significance of a fixed-length digest in cryptographic hashing? Okay, what is the significance of a fixed-length digest in cryptographic hashing? So we talked about the digest being 128, 512 and so forth. What is the significance of a fixed-length digest? A, it ensures a hash function is reversible; B, it guarantees the original message can be reconstructed from the digest; C, it provides a consistent output size, which is essential for security; or D, it allows the digest to be easily encrypted. Again, fixed-length digest, what is the significance? And it is C. A fixed-length digest means that no matter the size of the input data, the output will always be the same, which is crucial when you're maintaining security, especially as it relates to trying to understand the overall hash, and it prevents attackers from detecting information about the input based on the hash length.

Speaker 2:  

Question seven: which of the following best describes the purpose of a digital signature? A, to verify the sender's identity and ensure the integrity of the message; B, to encrypt the contents of the message; C, to provide a checksum for error detection; or D, to compress the data for easier transmission. Okay, which of the following best describes the purpose of a digital signature? And it is A: to verify the identity and ensure the integrity of the message. Right, digital signatures are used to authenticate the identity of a sender and confirm that the message has not been altered, thereby ensuring both integrity and non-repudiation in the communication path. It is five o'clock in the morning, so I'm sorry if my tongue gets a little away from me and I can't quite speak. Apologize.

Speaker 2:  

Question eight: which information does a digital certificate typically contain? Question eight is, which information does a digital certificate typically contain? A, the certificate holder's private key; B, a certificate authority's private key; C, the certificate holder's public key and identity information; or D, the encryption algorithm used by the certificate holder.

Speaker 2:  

Question eight is, what information does a digital signature typically contain? And the answer is C: the certificate holder's public key and identity information. So again, a digital certificate holds the public key of the individual, and it's signed by a trusted certificate authority, which does not contain the private keys. You don't want it to contain the private keys, remember? Question nine: which role does a certificate authority, or a CA, play in the public key infrastructure, otherwise known as PKI? Which role does the CA play in PKI? A, it generates public and private key pairs for the users; B, it acts as a trusted third party to issue and manage digital certificates; C, it encrypts messages with the recipient's public key; or D, it decrypts messages using the sender's private key. Okay, it doesn't do anything with the public or private key as it relates to encrypting messages. So it could either be A or B, and it acts as a trusted third party to issue and manage digital certificates. That's the ultimate purpose. That verifies the identity of the certificate holder and the association with their public key.

Speaker 2:  

Question 10: which of the following is a characteristic of a SHA-2 hash compared to a SHA-1? Again, which of the following characteristics of a SHA-2 hash compares to that of a SHA-1? A, they are less secure and more prone to collisions; B, they have a shorter fixed-length output; C, they are faster to compute and easier to reverse; or D, they offer improved security and are designed to be more resistant to collision attacks. And the answer is D: they offer improved security and are designed to be more resistant to collision attacks. Hence a couple questions earlier. And they include several algorithms with longer bit lengths than SHA-1. So it is a much better algorithm. Question 11: what is the significant advantage of SHA-3 over its predecessors? Okay, why is SHA-3 better over its predecessors? A, it is designed based on a different cryptographic structure called a sponge construction; B, it uses the same mathematical principles as SHA-1 and 2 for easy integration; C, it produces shorter hash values for faster computation; or D, it's less secure but more efficient in terms of energy consumption. And what is the significant advantage of SHA-3 over its predecessors? And that is A: it's designed on a different cryptographic structure called a sponge construction.

Speaker 2:  

Question 12: how do digital signatures contribute to non-repudiation in electronic transactions? A, by ensuring the transaction is encrypted end to end; B, by allowing the recipient to verify the sender's identity and the integrity of the message; C, by providing timestamps that indicate when the transaction has occurred; or D, by confirming the transaction has been approved by a certificate authority. So how do digital signatures contribute to non-repudiation in electronic transactions? And the answer is B: by allowing the recipient to verify the sender's identity and the integrity of the message. Okay, digital signatures bind the signer and the document, allowing the recipient to verify the origin and integrity of the message. So that's the key around that: it prevents the sender from denying any involvement in the overall transaction.

Speaker 2:  

Question 13: what is the purpose of a certificate revocation list, a CRL? A, to list all the certificates issued by the certificate authority; B, to store the public keys of all certificate holders; C, to provide a list of certificates that have been suspended or revoked; or D, to encrypt communications between the client and the servers. Again, what is the purpose of a CRL, a certificate revocation list? And the answer is C: to provide a list of certificates that have been suspended or revoked. Again, they contain the serial numbers of digital certificates that have been revoked or suspended and therefore scheduled for expiration.

Speaker 2:  

Question 14: in which scenario would a hash function be an appropriate choice for ensuring data integrity? Again, in which scenario would a hash function be an appropriate choice for ensuring data integrity? A, to verify the integrity of a downloaded file; B, storing users' passwords in a database; C, detecting accidental changes in the data on a storage device; or D, ensuring the authenticity of a software update. So in which scenario would a hash function be an appropriate choice for ensuring data integrity? And the answer is D. Obviously, it can be used in all of those in different ways, but the bottom line is the most appropriate would be D: ensuring the authenticity of a software update. So, again, while hash functions verify the integrity, they do not authenticate the source. Digital signatures, which include hashing, should be used to ensure both integrity and authenticity of the software.

Speaker 2:  

Last question, okay, the last question. Which trust model in PKI involves multiple certificate authorities sharing recognition of each other's certificates? Okay, in PKI, which involves multiple certificate authorities sharing certificates? How is that discovered? How is that dealt with? A, the hierarchical trust model; B, the web of trust model; C, the cross-certification trust model; or D, the bridge trust model. Okay, so, if you didn't know, just think about that a little bit. If you have multiple certificates, what would it be? Cross-certification trust model, which would be, the answer would be C. In the cross-certification model, two or more CAs issue certificates that recognize and validate each other, allowing users in different PKI schemas to basically trust each other's certificates. Okay, that is all we have for today.

Speaker 2:  

Head on over to CISSP Cyber Training. You've got all of this content there. A lot of these videos will be out there on my blog. You'll have access to those, along with the transcripts. You have access to the questions. You'll be able to see those yourselves. You can listen to this podcast and have access to the questions. If you want, you can purchase my products. My products have all of this information in them, to include all the videos and so forth. You also have the ability, depending on what package you purchase, to even get access directly to me to help you. Now that my life has changed a little bit, I've got more time available for this. I'm gonna be working again as a consultant, helping people protect what they've got. That's most important, and I'm really here to help you all with CISSP Cyber Training and, in the future, Reduce Cyber Risk. All right, have a wonderful day, guys, and we will catch you on the flip side. See ya.
