Question 1: A security team discovers that a company stores passwords as unsalted MD5 hashes. An attacker who steals the database could most efficiently crack passwords using which attack?
Question 2: An administrator wants to verify that a software package downloaded from a vendor website has not been tampered with. What should they compare?
Question 3: Which operation does the sender perform to create a digital signature on a document?
Question 4: A CFO digitally signs a purchase authorization email. Three days later, she denies ever sending it. What property of digital signatures defeats her claim?
Question 5: Why is salting necessary when hashing passwords for storage?
Matching: Hash & Signature Concepts
Match each term to its definition.
TERM
DEFINITION
Performance Task
A hospital is auditing its authentication and software integrity controls. Current state: (1) passwords stored as unsalted SHA-1 hashes, (2) no verification of software packages before deployment to 500 servers, (3) no protection against insider modification of critical configuration files. Design improvements for all three issues.
1. Password storage improvement:
Migrate from unsalted SHA-1 to bcrypt or Argon2 (with automatic unique salt per user). Process: at each user's next login, hash the entered password with bcrypt and store the bcrypt hash (replacing the old SHA-1 hash). Force all users to log in within 30 days β at that point, all hashes are migrated. bcrypt provides: automatic salting (unique per user), slow hashing (~200ms per attempt vs. millions/second for SHA-1), and tunable cost factor for future-proofing.
2. Software package verification:
Implement hash verification for all software deployments. Process: obtain SHA-256 hashes from vendor package manifests or HTTPS download pages. Before deployment to any server, compute SHA-256 of the downloaded package and compare to the vendor-published hash. If mismatch β do not deploy β investigate. Automate this check in the deployment pipeline so it cannot be skipped. For vendor packages with code signing certificates, verify the digital signature as well β this additionally confirms the publisher identity.
3. Configuration file integrity monitoring:
Deploy a File Integrity Monitor (FIM) on all 500 servers. Initial setup: hash all critical configuration files (web server configs, database configs, OS system files, authentication configs) to create a baseline. FIM checks all monitored files on a schedule (every 15 minutes recommended). Any hash change triggers an immediate alert to the security team with: which file changed, when, and what changed. Review alerts promptly β configuration drift may indicate insider modification, malware, or unauthorized change management bypass. Store FIM baselines in a tamper-evident, append-only log system.