Practice Exam ยท Chapters 12โ€“15

Exam: Encryption in Depth

Encrypting Data ยท Key Exchange ยท Encryption Technologies ยท Obfuscation โ€” 20 scored questions + 2 scenario questions.

Chapters 12โ€“15 Practice Exam
๐Ÿ“ 20 scored questions โฑ๏ธ 30-minute target ๐ŸŽฏ Pass threshold: 80% (16/20)
Time remaining
30:00
Part A โ€” Multiple Choice (Questions 1โ€“20)
Ch 12 ยท Encrypting Data
Question 1 of 20
An employee's laptop is stolen. The attacker removes the hard drive and connects it to a different computer as an external USB drive. Which technology ensures the data remains completely unreadable?
โœ… C โ€” BitLocker full-disk encryption protects data at rest regardless of how the drive is accessed โ€” even when removed and connected to another computer. EFS (B) only protects specific folders, not the full drive. A Windows password (D) protects the OS login, not the raw disk data โ€” trivially bypassed by booting from external media.
Ch 12 ยท Encrypting Data
Question 2 of 20
A database stores customer records including names, public shipping addresses, and Social Security Numbers. The security team wants to encrypt SSNs without adding decryption overhead to every query on non-sensitive fields. What is the best approach?
โœ… B โ€” Column-level encryption targets exactly the sensitive data. Only queries that retrieve the SSN field incur decryption overhead โ€” queries for names or addresses operate on plaintext. Full-disk encryption (A) and TDE (C) encrypt everything, including non-sensitive data, adding overhead to every operation.
Ch 12 ยท Encrypting Data
Question 3 of 20
Two corporate branch offices need a permanent encrypted network connection that protects ALL traffic between them โ€” including non-web protocols, database replication, and VoIP. Which technology is designed for this?
โœ… C โ€” Site-to-site IPsec VPN creates a persistent encrypted tunnel between two network gateways โ€” all traffic between the networks flows through it automatically, covering every protocol. Client VPNs (B) are for individual remote users connecting to one office, not office-to-office traffic. TLS (A) and SSH (D) only encrypt specific applications, not all traffic.
Ch 12 ยท Encrypting Data
Question 4 of 20
AES encryption is fully documented in public NIST publications โ€” anyone can read every step of the algorithm. Why doesn't this make AES-encrypted data vulnerable?
โœ… B โ€” Kerckhoffs's Principle: a cryptosystem should be secure even if everything except the key is publicly known. Publishing algorithms allows expert cryptanalysis โ€” algorithms that survive decades of scrutiny (like AES, published 2001) are far more trustworthy than secret algorithms. With AES-256, the key space is 2256 โ€” brute force is computationally impossible regardless of knowing the algorithm.
Ch 12 ยท Encrypting Data
Question 5 of 20
A password storage system hashes a password, then hashes the result, repeating this 10,000 times before storing the final hash. What security technique does this represent?
โœ… C โ€” Key stretching (also called key strengthening). Algorithms like bcrypt and Argon2 are deliberately designed to be computationally expensive. An attacker attempting 1 billion password guesses must run the full 10,000-iteration chain for each โ€” multiplying their time cost by 10,000. Salting (A) is a separate technique that adds uniqueness; key stretching adds computation cost.
Ch 13 ยท Key Exchange
Question 6 of 20
A government agency distributes encryption keys to field offices by sending encrypted USB drives via bonded courier, completely separate from the network that will use the keys. What key exchange method is this?
โœ… C โ€” Out-of-band key exchange. Out-of-band means the key is delivered through a completely separate channel from the communication channel that will use it. Physical courier, phone calls, and in-person meetings are classic out-of-band methods. In-band (A) means the key exchange happens over the same channel that will carry encrypted data โ€” the channel must then be protected during that exchange.
Ch 13 ยท Key Exchange
Question 7 of 20
A security architect configures a web server to use ECDHE cipher suites. An attacker records all TLS traffic to the server for a year. Two years later, the attacker breaches the server and steals the server's private key. Can the attacker now decrypt the recorded traffic?
โœ… B โ€” Forward secrecy. ECDHE generates a fresh ephemeral key pair per session. The session key is derived from a combination of both sides' ephemeral public keys โ€” not the server's long-term private key. After the session ends, ephemeral keys are discarded. Even with the server's private key, an attacker cannot reconstruct the ephemeral keys or the session keys from recorded traffic. This is the defining security property of ECDHE over static RSA key exchange.
Ch 13 ยท Key Exchange
Question 8 of 20
What is the primary advantage of ECDHE over classic DHE when both provide equivalent forward secrecy?
โœ… B. Both DHE and ECDHE provide forward secrecy through ephemeral Diffie-Hellman keys. The difference is mathematics: ECDHE operates on elliptic curves, which are denser in security per bit. A 256-bit ECDHE key is computationally equivalent to a ~3072-bit DHE key. Shorter keys mean faster handshakes, less CPU, and lower latency โ€” significant for high-traffic HTTPS servers.
Ch 14 ยท Encryption Technologies
Question 9 of 20
A payment processor must protect the cryptographic keys used to encrypt cardholder data, per PCI-DSS requirements. The keys must be stored in a tamper-responsive device that destroys key material if physical tampering is detected. Which technology satisfies this specific requirement?
โœ… C โ€” HSM (Hardware Security Module). HSMs are purpose-built, tamper-responsive devices for protecting cryptographic keys at enterprise scale. PCI-DSS explicitly requires HSMs for key protection in payment processing environments. Tamper-responsive means the device actively destroys key material if physical intrusion is detected โ€” not just tamper-resistant (harder to open), but tamper-responsive (responds to tampering by destroying secrets). TPMs (A) are built into motherboards and are tamper-resistant but not designed for enterprise key management scale.
Ch 14 ยท Encryption Technologies
Question 10 of 20
A laptop protected by BitLocker with TPM is stolen. The attacker removes the hard drive and installs it in their own computer with a different motherboard and TPM. What happens when they boot from the stolen drive?
โœ… A. The TPM seals the BitLocker volume key against specific Platform Configuration Register (PCR) values โ€” measurements of the boot firmware, bootloader, and OS configuration taken during setup. When the drive is installed in a different machine, the PCR measurements are different. The TPM will not release the volume key because the measurements don't match. BitLocker falls back to requiring the 48-digit recovery key, which the attacker doesn't have.
Ch 14 ยท Encryption Technologies
Question 11 of 20
An organization has 400 applications across 300 servers, each managing its own encryption keys stored in local configuration files. They want to enforce key rotation schedules, centrally audit all key access, and prevent applications from having long-term access to raw key material. What should they implement?
โœ… C โ€” KMS. A Key Management System provides centralized key lifecycle management: generation, storage, distribution, rotation, and revocation. Applications authenticate to the KMS to request keys at runtime โ€” they never store keys locally. The KMS enforces rotation policies, logs every access, and can revoke access for any application immediately. One HSM (A) doesn't solve the management and distribution problem across 300 servers.
Ch 14 ยท Encryption Technologies
Question 12 of 20
An investigator seizes an iPhone with a valid court order. Even with Apple's full cooperation, Apple states they cannot decrypt the device's contents. What architectural feature explains why this is truthful?
โœ… B โ€” Secure Enclave. Apple's Secure Enclave is a hardware-isolated coprocessor that generates and stores cryptographic keys that never leave the enclave in plaintext. The device encryption key is derived by combining the user's passcode with hardware keys burned into the Secure Enclave during manufacturing. Apple does not store, escrow, or have access to these hardware keys. Without the user's passcode, even Apple cannot derive the key.
Ch 15 ยท Obfuscation
Question 13 of 20
A security analyst discovers an insider threat who embedded pages of a confidential contract inside JPEG images by modifying the least significant bits of pixel color values before emailing the images to a personal account. The DLP system never flagged the emails. What technique was used?
โœ… B โ€” LSB (Least Significant Bit) steganography. In an 8-bit color image, changing the last bit of each pixel's RGB value produces an imperceptible color change but encodes data at 1 bit per channel per pixel. A 3MB JPEG can conceal tens of kilobytes of data invisibly. DLP systems scan for keywords and file types โ€” they cannot detect data hidden in image pixel values without steganalysis. The stealthy, carrier-based nature is the defining feature of steganography.
Ch 15 ยท Obfuscation
Question 14 of 20
An e-commerce platform replaces every customer credit card number with a random 16-character token stored in its database. When a recurring charge is processed, the token is sent to a secure vault system that retrieves and forwards the real card number to the payment processor. What technique does this implement?
โœ… C โ€” Tokenization. The credit card number is replaced by a meaningless token with no algorithmic relationship to the real number. The mapping lives only in the token vault โ€” a secure system outside the application's scope. This dramatically reduces PCI-DSS scope: the application, database, and application servers never handle or store real card numbers, only tokens. Unlike encryption, tokenization cannot be reversed by algorithm โ€” vault access is required.
Ch 15 ยท Obfuscation
Question 15 of 20
A development team is given a copy of the production customer database for testing. All SSNs have been replaced with randomly generated numbers of identical format, names replaced with fictional names, and email addresses replaced with fake addresses. These replacements are permanent in the test copy โ€” the real data is not involved at runtime. What technique was applied?
โœ… C โ€” Static data masking. Static masking creates a new persistent copy of the dataset with sensitive values replaced by realistic but fake substitutes. The original production data is unchanged; the masked copy is safe for development use. Dynamic masking (A) operates at runtime on the real data โ€” the database still contains real values, just not shown to certain users. Static masking produces a separate dataset with no real data.
Ch 15 ยท Obfuscation
Question 16 of 20
A banking call center application displays customer account numbers as "****-****-****-3847" on the agent's screen. The application queries the real account number from the database to process transactions, but the full number never appears on the agent's monitor. What technique is this?
โœ… C โ€” Dynamic data masking. The real data is in the database โ€” dynamic masking intercepts it at the presentation layer and applies role-based substitution in real-time. Call center agents see only the last four digits; fraud investigators may see the full number; batch processing systems see the full number for transaction processing. The database is unchanged โ€” the masking is a runtime policy, not a data transformation.
Ch 12 ยท Encrypting Data
Question 17 of 20
Why is symmetric encryption used for bulk data encryption (files, disk, network traffic) rather than asymmetric encryption, even though asymmetric encryption provides additional capabilities like digital signatures?
โœ… C. Asymmetric operations (RSA, ECC) involve complex mathematical operations (modular exponentiation, elliptic curve point multiplication) that are thousands of times slower than symmetric operations (AES uses simple substitution/permutation on fixed-size blocks). This is why TLS uses asymmetric cryptography only for the handshake (key exchange and authentication) and then switches to AES for all actual data encryption. Using RSA to encrypt a 1GB file would be impractically slow.
Ch 13 ยท Key Exchange
Question 18 of 20
What two properties must a session key have to provide the security guarantees expected from it?
โœ… C โ€” Random and temporary. A session key must be: (1) Random โ€” derived from high-entropy sources so it cannot be predicted or brute-forced. (2) Temporary/Ephemeral โ€” used for one session, then discarded. Reusing a session key creates patterns that can be exploited cryptanalytically, and a compromise of the key exposes all sessions that used it. A new random key per session limits the blast radius of any compromise to that one session.
Ch 14 ยท Encryption Technologies
Question 19 of 20
A TPM chip performs "measured boot" during system startup. What security property does this provide?
โœ… B โ€” Measured boot. During each boot stage, the TPM records a SHA hash of the firmware/bootloader/OS into Platform Configuration Registers (PCRs). These measurements are chained โ€” each stage hashes itself plus the previous PCR value. If a rootkit or bootloader malware modifies any boot component, its hash changes, producing different PCR values than what was sealed during setup. Remote attestation can then compare reported PCRs against expected values to detect compromise.
Ch 15 ยท Obfuscation
Question 20 of 20
A security consultant is asked whether tokenization or encryption is more appropriate for reducing PCI-DSS audit scope for stored credit card numbers. Which is the correct guidance and why?
โœ… B. This is a key exam distinction. If you store encrypted card numbers, those systems are still in PCI scope โ€” the encrypted data is still "cardholder data" (just protected). Auditors must verify your encryption is adequate. Tokenization stores tokens that have zero relationship to the real card number โ€” they are not cardholder data at all. Systems storing only tokens are entirely out of PCI scope, drastically reducing audit burden and compliance cost. Encryption protects data; tokenization removes data from scope.
Part B โ€” Scenario Questions (unscored โ€” self-assess)
Ch 12โ€“13 ยท Scenario
Scenario Question A
A mid-sized consulting firm is moving to a fully remote workforce. Currently, employees access file servers and databases over the internet with no VPN, sensitive project documents are stored on unencrypted laptops, and all encryption is "application-level only" (HTTPS for web apps). Three remote employees have had laptops stolen in the past year. Design a layered encryption strategy covering data at rest, data in transit, and key exchange.
Data at rest โ€” laptop and endpoint encryption:
Deploy BitLocker with TPM on all company laptops. TPM seals the volume key to the device's hardware measurements โ€” a stolen drive removed from the laptop is unreadable. Store BitLocker recovery keys in Azure AD or a central recovery server (not locally). Result: the three stolen laptops would have yielded zero readable data.

Data at rest โ€” file server and database:
File servers: enable full-disk encryption on server volumes (BitLocker/LUKS). For databases containing client PII or project confidential data: column-level encryption on sensitive fields. This protects against storage media theft and limits breach impact even if the server OS is compromised.

Data in transit โ€” remote access:
Deploy a site-to-site IPsec VPN between the company's cloud infrastructure and any fixed office locations. For remote employees: enforce a client VPN (IKEv2/IPsec or WireGuard) โ€” all corporate traffic flows through the VPN tunnel, not the open internet. Enforce VPN-before-resource: no access to file servers or databases without an active VPN session.

Key exchange โ€” TLS hardening:
Configure all servers to require TLS 1.2+ and restrict cipher suites to those with forward secrecy (ECDHE or DHE-based). This ensures that recorded VPN or HTTPS traffic cannot be decrypted even if a server's private key is later stolen. Disable static RSA key exchange. All certificates via a trusted CA (not self-signed).

Key management:
Do not store encryption keys in application config files. Use a KMS or secrets manager for all application key material, with audit logging. BitLocker recovery keys centrally managed. Laptop encryption keys protected by TPM โ€” employees cannot export them.
Ch 14โ€“15 ยท Scenario
Scenario Question B
A retail company processes 40,000 credit card transactions daily. They currently store raw card numbers in their database, encryption keys in plaintext application config files on web servers, and developers have read access to the full production database including card numbers for "debugging purposes." The company is facing a PCI-DSS audit. Identify the three most critical problems and design a remediation for each.
Problem 1 โ€” Raw card numbers in the database (scope explosion):
The entire application stack โ€” web servers, application servers, database servers, developer workstations โ€” is in PCI scope because real card data flows through all of them. Remediation: implement tokenization. Replace card numbers with tokens at the point of capture (payment gateway integration). The application and database store only tokens โ€” never the real PAN. Systems handling only tokens are out of PCI scope. For processing recurring charges, the token vault (a PCI-compliant third party or internal vault on isolated infrastructure) handles card retrieval. Result: the audit scope shrinks from the entire stack to just the token vault.

Problem 2 โ€” Encryption keys in plaintext config files:
Anyone with file system access to a web server can read the encryption keys. A single compromised server exposes all keys, decrypts all data. Remediation: remove all keys from config files immediately. Deploy a KMS or secrets manager (HashiCorp Vault, AWS KMS). Application servers authenticate to the KMS at startup to retrieve keys โ€” keys are never written to disk. For the keys themselves, back the KMS with an HSM to meet the PCI-DSS requirement for hardware-protected key storage. Implement key rotation quarterly, automated through the KMS. Audit log every key access.

Problem 3 โ€” Developer access to production card data:
Developers should never have access to real cardholder data. This violates least privilege and PCI requirement 7. Remediation: apply static data masking to create a developer database copy โ€” replace all PANs with format-preserving fake numbers, replace names with fictional data. Developers work exclusively against the masked copy. For production debugging, deploy dynamic data masking on the production database โ€” developers see masked output while transaction processing systems see real data. Remove developer direct database access from production entirely; all production queries go through the application layer with role-based access controls.
โ† Exam: Ch 6โ€“11 Next Exam: Ch 16โ€“18 โ†’
โ€”
Pass threshold: 80% (16 / 20 correct)
โ† Ch 6โ€“11 Exam Next: Ch 16โ€“18 Exam โ†’