Trick 1: "EFS and BitLocker protect against the same threats." True or False?
FALSE β they protect against different threat scenarios.
BitLocker: Protects against physical drive theft. If someone removes the drive and connects it to another machine, they see unreadable data. Protects the ENTIRE volume.
EFS: Protects against unauthorized access by other users on the SAME machine. Another logged-in user can't open your EFS-encrypted files. But if someone physically steals the drive AND can authenticate as you (or extract your certificate), EFS is not enough.
For laptops that might be stolen, BitLocker is the answer. EFS is supplemental for multi-user file server scenarios.
BitLocker: Protects against physical drive theft. If someone removes the drive and connects it to another machine, they see unreadable data. Protects the ENTIRE volume.
EFS: Protects against unauthorized access by other users on the SAME machine. Another logged-in user can't open your EFS-encrypted files. But if someone physically steals the drive AND can authenticate as you (or extract your certificate), EFS is not enough.
For laptops that might be stolen, BitLocker is the answer. EFS is supplemental for multi-user file server scenarios.
Trick 2: "HTTPS protects data stored on the web server." True or False?
FALSE β HTTPS only protects data IN TRANSIT.
HTTPS encrypts the communication channel between the browser and the server. Once data arrives at the server and is stored to disk or database, HTTPS provides zero protection. The server stores data in whatever format the application dictates β encrypted or not.
To protect data on the server at rest, you need BitLocker (drive encryption) or database encryption β completely separate from HTTPS.
HTTPS encrypts the communication channel between the browser and the server. Once data arrives at the server and is stored to disk or database, HTTPS provides zero protection. The server stores data in whatever format the application dictates β encrypted or not.
To protect data on the server at rest, you need BitLocker (drive encryption) or database encryption β completely separate from HTTPS.
Trick 3: "DES and AES are both acceptable encryption algorithms for sensitive data." True or False?
FALSE β DES should not be used for sensitive data.
DES (Data Encryption Standard) uses a 56-bit key β too short by today's standards. DES can be brute-forced. It was officially deprecated decades ago.
AES (Advanced Encryption Standard) replaced DES and is the current standard. AES-128 is the minimum; AES-256 is recommended for high-security applications.
On the Security+ exam: if DES appears as an option, it's almost never the right answer for new implementations.
DES (Data Encryption Standard) uses a 56-bit key β too short by today's standards. DES can be brute-forced. It was officially deprecated decades ago.
AES (Advanced Encryption Standard) replaced DES and is the current standard. AES-128 is the minimum; AES-256 is recommended for high-security applications.
On the Security+ exam: if DES appears as an option, it's almost never the right answer for new implementations.
Trick 4: "IPsec is used for both site-to-site VPNs and client VPNs." Is this accurate?
Partially true β but the primary association is site-to-site.
IPsec CAN be used for both. However:
- Site-to-site VPNs β IPsec is the primary/standard association
- Client VPNs β SSL/TLS is the primary association (more firewall-friendly, no special client config)
Prof. Messer specifically states: "If you're connecting two sites together, we commonly use IPsec to provide VPN connectivity" and "client-based VPNs using SSL or TLS."
On the exam, map: two offices connecting = IPsec; remote user connecting = SSL/TLS.
IPsec CAN be used for both. However:
- Site-to-site VPNs β IPsec is the primary/standard association
- Client VPNs β SSL/TLS is the primary association (more firewall-friendly, no special client config)
Prof. Messer specifically states: "If you're connecting two sites together, we commonly use IPsec to provide VPN connectivity" and "client-based VPNs using SSL or TLS."
On the exam, map: two offices connecting = IPsec; remote user connecting = SSL/TLS.
Trick 5: "Key stretching makes encryption stronger by improving the algorithm." True or False?
FALSE β key stretching doesn't improve the algorithm; it increases the computational cost of brute-force attacks.
The algorithm itself is unchanged. Key stretching repeatedly applies a hash function to slow down the process of testing each candidate key during a brute-force attack. The attacker must perform the same chain of operations for every candidate β multiplying their time.
It's specifically useful for password-derived keys, where the password might be short (and thus guessable). Key stretching makes "password123" take as long to crack as if it were a much longer random key.
The algorithm itself is unchanged. Key stretching repeatedly applies a hash function to slow down the process of testing each candidate key during a brute-force attack. The attacker must perform the same chain of operations for every candidate β multiplying their time.
It's specifically useful for password-derived keys, where the password might be short (and thus guessable). Key stretching makes "password123" take as long to crack as if it were a much longer random key.
Performance Task: A healthcare company stores patient records in three locations: a MySQL database on a Linux server, laptops used by traveling nurses, and a web portal accessible from the internet. For each, identify the appropriate encryption technology and explain why.
Model Answer:
1. MySQL database (Linux server):
- Sensitive columns (SSN, diagnosis, billing): column-level encryption β protects PHI while keeping performance acceptable for non-sensitive queries
- Server storage: Linux full-disk encryption (LUKS) β protects physical drive if server is stolen or decommissioned
2. Traveling nurse laptops:
- Full-disk encryption β BitLocker (Windows) or equivalent. Physical theft is the primary risk. The entire drive must be unreadable without authentication
- Client VPN (SSL/TLS) β when connecting remotely to the healthcare network, all traffic encrypted back to the datacenter
3. Web portal:
- HTTPS/TLS β all browser-to-server communication encrypted (patient login, forms, data retrieval)
- Server-side: the portal should store minimal data; what it does store should be encrypted at rest (covered by the database and server disk encryption above)
Complete layered answer: At-rest (disk + DB) + In-transit (HTTPS + VPN) + In-database (column-level) = HIPAA-compliant layered encryption architecture.
1. MySQL database (Linux server):
- Sensitive columns (SSN, diagnosis, billing): column-level encryption β protects PHI while keeping performance acceptable for non-sensitive queries
- Server storage: Linux full-disk encryption (LUKS) β protects physical drive if server is stolen or decommissioned
2. Traveling nurse laptops:
- Full-disk encryption β BitLocker (Windows) or equivalent. Physical theft is the primary risk. The entire drive must be unreadable without authentication
- Client VPN (SSL/TLS) β when connecting remotely to the healthcare network, all traffic encrypted back to the datacenter
3. Web portal:
- HTTPS/TLS β all browser-to-server communication encrypted (patient login, forms, data retrieval)
- Server-side: the portal should store minimal data; what it does store should be encrypted at rest (covered by the database and server disk encryption above)
Complete layered answer: At-rest (disk + DB) + In-transit (HTTPS + VPN) + In-database (column-level) = HIPAA-compliant layered encryption architecture.