My Story Partners Podcasts Blog Resources Contact CISSP Training Program
Academy Login

Weekly CISSP Practice

Exam Questions

Week 28 - Question 2

Scenario: An internal audit shows that your company's VPN is using PPTP as a tunneling protocol. What is the primary security risk with this?

A.  High computational overhead

B.  Known vulnerabilities

C.  Limited platform support

D.  High latency

 

Answer:  B

Explanation:  

A. High Computational Overhead

Computational overhead refers to the amount of processing power (CPU) required to encrypt and decrypt traffic.

  • The Reality: PPTP actually has very low computational overhead compared to modern protocols like AES-based IPsec or OpenVPN. This is because its encryption (MPPE) is weak and simple. While low overhead sounds like a benefit, in security, it usually indicates a lack of robust cryptographic protection.

B. Known Vulnerabilities

PPTP was developed by a consortium (including Microsoft) in the 1990s and has since been thoroughly compromised.

  • Why it's the Answer: PPTP relies on the MS-CHAP v2 authentication protocol, which is susceptible to dictionary and brute-force attacks. Furthermore, the encryption method it uses (Microsoft Point-to-Point Encryption or MPPE) has known flaws that allow an attacker to intercept and decrypt the VPN traffic.

  • The Verdict: Major security agencies and vendors (including Apple and Microsoft) have deprecated PPTP because it no longer provides the Confidentiality or Integrity required for a secure tunnel.

C. Limited Platform Support

This is technically the opposite of the truth.

  • The Reality: Because it is so old, PPTP has broad platform support. Almost every operating system since Windows 95 has included a native PPTP client. However, modern mobile OSs (like iOS) have begun removing PPTP support entirely because it is so insecure.

D. High Latency

Latency refers to the delay in data transmission.

  • The Reality: PPTP is generally quite fast because it doesn't perform the complex cryptographic "handshaking" or heavy encryption that modern protocols do. If a network is experiencing high latency, switching away from PPTP to a more secure protocol would likely increase latency slightly, not decrease it.

Podcasts

Check out my weekly podcasts that delve deep into the relevant topics related to each of CISSP domains. In addition, I will go over specific questions and they can be interpreted and answered.

Listen Podcasts

CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam? 

Check out the CISSP Cyber Training Academy to help you on your journey!

Learn about the Academy!

CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.   

Check out channel