Example 1: The Stolen Laptop (BitLocker Saves the Day)
Scenario: A hospital employee leaves their laptop in their car. The car is broken into. The laptop is stolen.
Without BitLocker: The thief removes the hard drive, connects it to another computer, and reads all the patient files. HIPAA breach. $1.9M fine.
With BitLocker + TPM: The thief connects the drive to another machine. The data is unreadable encrypted content. Without the BitLocker key (stored in the original laptop's TPM), decryption is impossible. No breach β just the cost of replacing a laptop.
With BitLocker + TPM: The thief connects the drive to another machine. The data is unreadable encrypted content. Without the BitLocker key (stored in the original laptop's TPM), decryption is impossible. No breach β just the cost of replacing a laptop.
Key point: Full-disk encryption protects data-at-rest against physical theft. Even removing the drive and connecting it elsewhere yields nothing readable.
Example 2: Column-Level vs. Transparent Encryption
Scenario: A healthcare database has 10 million patient records. Columns include: PatientID, FirstName, LastName, DOB, DiagnosisCode, SSN, BillingAmount. The compliance team requires SSN and DiagnosisCode to be encrypted. The analytics team needs to run fast queries on Name and DOB fields.
Option A β Transparent encryption: Entire database encrypted. All queries decrypt everything β massive overhead for the analytics team's frequent name/DOB lookups.
Option B β Column-level encryption: Only SSN and DiagnosisCode columns encrypted. Name, DOB, PatientID remain plaintext. Analytics queries run at full speed. Decryption only happens when SSN or DiagnosisCode values are specifically requested.
Option B β Column-level encryption: Only SSN and DiagnosisCode columns encrypted. Name, DOB, PatientID remain plaintext. Analytics queries run at full speed. Decryption only happens when SSN or DiagnosisCode values are specifically requested.
Key point: Column-level encryption provides targeted protection where it matters while preserving performance for non-sensitive data.
Exam Scenario 1: "Which encryption protects a stolen hard drive?"
Question: An employee's laptop is stolen. Which technology would BEST protect the data on the hard drive from being read by the thief?
A) EFS (Encrypting File System)
B) HTTPS
C) BitLocker
D) IPsec
Answer: C β BitLocker
BitLocker provides full-volume encryption that makes the entire drive unreadable without the decryption key. EFS (A) only encrypts individual files β other files remain readable. HTTPS (B) protects data in transit, not at rest. IPsec (D) is for network traffic.
A) EFS (Encrypting File System)
B) HTTPS
C) BitLocker
D) IPsec
Answer: C β BitLocker
BitLocker provides full-volume encryption that makes the entire drive unreadable without the decryption key. EFS (A) only encrypts individual files β other files remain readable. HTTPS (B) protects data in transit, not at rest. IPsec (D) is for network traffic.
Exam Scenario 2: "Site-to-site VPN vs. client VPN"
Question: Two corporate offices need to be permanently connected with encrypted traffic between them. Which solution is MOST appropriate?
A) SSL/TLS client VPN for all employees
B) Site-to-site VPN using IPsec
C) HTTPS on all servers
D) Full-disk encryption on all servers
Answer: B β Site-to-site VPN with IPsec
Site-to-site VPNs connect two network locations permanently using IPsec. Client VPNs (A) are for individual remote users, not office-to-office. HTTPS (C) and disk encryption (D) don't create network tunnels between sites.
A) SSL/TLS client VPN for all employees
B) Site-to-site VPN using IPsec
C) HTTPS on all servers
D) Full-disk encryption on all servers
Answer: B β Site-to-site VPN with IPsec
Site-to-site VPNs connect two network locations permanently using IPsec. Client VPNs (A) are for individual remote users, not office-to-office. HTTPS (C) and disk encryption (D) don't create network tunnels between sites.
Exam Scenario 3: "Key stretching"
Question: A security engineer wants to make password hashing more resistant to brute-force attacks. They configure the system to hash the password, then hash the result, then hash that result β repeating many times. What is this technique?
A) Key escrow
B) Salting
C) Key stretching / key strengthening
D) Key rotation
Answer: C β Key stretching
Repeatedly hashing a value (hash of hash of hash) forces attackers to perform the same chain of hashes for every brute-force attempt β making each attempt more expensive. This "stretches" the computation time, significantly slowing brute-force attacks.
A) Key escrow
B) Salting
C) Key stretching / key strengthening
D) Key rotation
Answer: C β Key stretching
Repeatedly hashing a value (hash of hash of hash) forces attackers to perform the same chain of hashes for every brute-force attempt β making each attempt more expensive. This "stretches" the computation time, significantly slowing brute-force attacks.