Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started. Let's go cybersecurity knowledge.
Speaker 2 (00:28):
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training Podcast and I hope you all are having a wonderful day today. Today is exam question Thursday, and we're going to get over some awesome questions as it relates to message integrity, digital signatures and all the wonderful things that came out of the last podcast we had on Monday. But before we do, one quick question, one quick announcement.
(00:51):
Actually, I am finally done working at my company that I worked at for about 13 years and I'm out on my own. So this is amazing, exciting and a bit terrifying. So we're pretty excited about what's happening here at CISSP Cyber Training, as well as the fact that I'm going to be able to be a consultant and help a lot of organizations with their cybersecurity, whereas in the past I was a little bit limited.
(01:13):
Great company, amazing company, but time to move on and do some other things with my life, and I'm pretty excited about that.
(01:36):
But before we get started, I just want to quickly talk about a recent article I saw today related to UnitedHealthcare, and so this is really out there for all of you CISSP candidates that are working to get your certificate: one, because you feel like you have to for your career, but also maybe because of the fact that your job may be requiring it due to regulations that might be coming down the pipe, and this is a great example of what you're going to see. More of this.
(01:57):
This is from the recent attack that happened on UHC and Change Pharmaceuticals or Change Medical, something like that, and what it really came down to was they had a ransomware attack that hit this Change Healthcare, and they basically process transactions for UnitedHealthcare, which is one of the major, largest insurance companies in the United States, and they process around 15 billion transactions annually, which is a lot.
(02:18):
Right, that's a gob of transactions that are occurring, and they got hit with a ransomware attack, and this ransomware attack basically brought them to their knees, and this was back in the first part of February, if I'm not mistaken, and because of that, they had ended up paying a $22 million ransom to get unstuck.
(02:40):
That was the ultimate goal of it, and this is when Department of Homeland Security came into this and Department of Human Services came in and they decided that this needed to be fixed. So who knows who paid the bill, but bottom line is, it's a critical infrastructure for the United States and therefore it was a target by these attackers and, as a result, we see what happened and it caused dramatic impact to the United States and our medical industry.
(03:00):
Most of the, a big, like 50% of the pharmacies within the United States actually could not be processing insurance transactions due to this attack. So, as we see, it's a really big factor as it comes to when you're talking infrastructure and critical infrastructure itself.
(03:22):
Now, what the Biden administration is coming down to is they're maintaining this comment about they're going to establish tough, mandatory cybersecurity standards for the healthcare industry. Yeah, so if you're a security person, you're like me, you're going yikes. I've talked to a friend of mine who's a CISO with a very large Fortune 20 company, and a lot of folks that are in our space are starting to think highly about going, well, do I want to be a consultant? Do I want to be a CISO? What do I want to do? Do I want to be an architect?
(03:45):
And one of the factors that came out of that conversation was that the regulations are becoming so onerous that, one, you're not going to take risk, but, two, the fact that it puts people like myself who were former CISOs kind of a little bit in jeopardy. So it's an interesting dynamic, that things that are happening and somebody basically wants someone to hang.
(04:06):
That's the ultimate goal, is that they want to prove that they're doing something that is hard and substantial and making a difference, rather than just kind of sweeping it under the covers. So it will be very, very interesting in the next few years to see how this kind of weight plays out.
(04:28):
One other part I think may have played into some of this, and again I'm just guessing at this point, I have no insider knowledge on any of that, but there was a 2022 merger with Optum and Change Healthcare for about $13 billion. That's a lot of money, and that merger occurred, and it basically, that, I mean, who knows how that occurred in the fact of the security aspects around this organization.
(04:50):
But when you bring a big, large organization like that together, I can tell you from experience, acquisitions are kludgy, acquisitions are very challenging, and if you don't have a good plan in place, even if you do have a good plan in place, there is a really good chance that something bad could happen. So it will be totally interesting to see what's going to occur of this.
(05:12):
One last comment I wanted to make is there, they made this, this comment was in there as well: I'm investigating whether additional legislation is needed to bolster security in the healthcare sector, which it is, including increasing financial penalties and holding company executives liable for failing cybersecurity 101. Yeah, that's scary, because I just need somebody that's up in Washington DC telling me what cybersecurity 101 is. So, yeah, not so good.
(05:32):
So, anyway, this is an interesting concept that's going to be happening, that you're going to be paying attention to. We're going to pay attention to it here at CISSP Cyber Training and on the Reduce Cyber Risk podcast that's going to be coming out here very soon and it's going to be fun. So, but let's, enough of talking about that, let's get into today's questions.
Okay, so here are the questions and we are going to be talking again.
(05:57):
We're in domain 3.6, getting into digital signatures, MD5s, SHA-1s, all that fun stuff. So let us get started.
Question one: which of the following is the primary purpose of a message integrity check? A, to confirm the sender's identity. B, to ensure that the message is not altered. C, to compress the data for transmission. Or D, to encrypt the message content?
(06:18):
Again, which of the following is the primary purpose of a message integrity check, or MIC, and a message integrity check is used to detect any changes in the content. So it is question B, or answer B. It is used to detect any changes in the content of the message and ensuring that it has not been tampered with during transmission.
Question two: what is the main difference between a checksum and a cryptographic hash function?
(06:40):
Again, what is the main difference between a checksum and a cryptographic hash function? A, a checksum is used for error checking, while a hash function is used for security purposes. B, a checksum is reversible, while a hash function is not.
(07:00):
C, a checksum can only be used once, while the hash function can be used multiple times. And, and then, C, a checksum is faster to compute than a hash function. Again, what is the main difference between a checksum and a cryptographic hash function? And the answer is, a checksum is used for error checking, while a hash function is used for security purposes.
(07:20):
Checksums are generally used to verify the data's integrity, right, and detect errors within that overall transmission, while the hash functions are a secure way for you to verify the integrity of the data and are resistant to potentially reverse engineering. Again, resistant, not impervious, but resistant.
Question three: which of the following best describes a cyclic redundancy check, or a CRC? Answer A, a symmetric encryption algorithm.
(07:44):
B, asymmetric encryption algorithms. C, an error-detecting code. Or D, a digital signature algorithm. Which of the following best describes a CRC, or a cyclical redundancy check? And the answer is C: CRC is an error-detecting code.
(08:06):
Right, it's a checksum that's used to detect accidental changes to raw data in digital networks and storage devices.
Question four: why are collision-resistant properties important in hashing algorithms? A, they ensure the hash value can be decrypted. B, they allow hash functions to be reversible. C, they increase the speed of the hashing function.
(08:29):
Or D, they prevent the same hash value from being produced by two different inputs. So why are collision-resistant properties important in hashing algorithms? Okay, again, we talked about collision. Why would collision be bad? You'd want things hitting each other, so the answer would be D: they prevent the same hash value from being produced by two different inputs.
(08:53):
Again, collision resistance is crucial because it makes it computationally infeasible to find two distinct inputs that produce the same hash output. So therefore, it is unique, and if it's unique, that'll keep you from having collisions.
Question five: which of the following secure hash algorithms is considered deprecated due to the vulnerabilities allowing for collision attacks? Now, we talked about this a little bit in the podcast.
(09:13):
MD5 was one of them, but you don't see MD5 on here, so which one could it be? So which of the following secure hash algorithms is considered deprecated due to the vulnerabilities allowing for a collision attack? A, SHA-1. B, SHA-2. C, SHA-3. Or D, all of the above? Okay.
(09:33):
So if you didn't know the answer to this question, the easiest way to guess would be obviously due to something that is the oldest, and that would be correct. SHA-1, which is A, SHA-1, has been deprecated due to vulnerabilities of collision attacks, where two different inputs can produce the same hash value. So SHA-1 is the deprecated one.
Question six: what is the significance of a fixed-length digest in a cryptographic hashing?
(09:57):
Okay, what is the significance of a fixed-length digest in a cryptographic hashing? So we talked about the digest and being 128, 512, and so forth. What is the significance of a fixed-length digest? A, it ensures a hash function is reversible. B, it guarantees the original message can be reconstructed from the digest.
C, it provides a consistent output size, which is essential for security.
(10:17):
Or D, it allows the digest to be easily encrypted. Again, fixed-length digest. What is the significance?
(10:38):
And it is C: a fixed-length digest means that, no matter the size of the input data, the output will always be the same, which is crucial when you're maintaining security, especially as it relates to trying to understand the overall hash, and it prevents the attacker from detecting the information about the input based on the hash length.
Question 7: which of the following best describes the purpose of a digital signature? A, to verify the sender's identity and ensure integrity of the message. B, to encrypt the contents of the message. C, to provide a checksum for error detection.
(10:58):
D, to compress the data for easier transmissions. Okay, which of the following best describes the purpose of a digital signature? And it is A: to verify the identity and ensure the integrity of the message. Digital signatures are used to authenticate the identity of a sender and confirm the message, but that has not been altered.
(11:19):
Therefore, ensuring both integrity and non-repudiation are in the communication path. It is five o'clock in the morning, so I'm sorry if my tongue gets a little way for me and I can't quite speak, apologize.
Question eight: which information does a digital certificate typically contain?
(11:40):
Question eight is, which information does a digital certificate typically contain? A, a certificate holder's private key. C, a certificate authority's private key. C, the certificate holder's public key and identity information. Or D, the encryption algorithm used by the certificate holder.
(12:00):
Question 8 is, what information does a digital signature typically contain? And the answer is C: the certificate holder's public key and identity information. So, again, a digital certificate has a public key of the individual and it's signed by a trusted certificate authority, which does not contain the private keys. You don't want it to contain the private keys, remember?
(12:21):
Question nine: which role does certificate authority, or a CA, play in the public key infrastructure, otherwise known as PKI? Which role does a CA play in PKI? A, it generates public and private key pairs for the users. B, it acts as a trusted third party to issue and manage digital certificates. C, it encrypts the messages of the recipient's public key.
(12:41):
Or D, it decrypts the messages using the sender's private key. Okay, it doesn't do anything with the public and private key as it relates to encrypting messages. So it could either be A or B, and it acts as a trusted third party to issue and manage digital certificates. That's the ultimate purpose. It verifies the identity of the certificate holder and the association with their public key.
(13:02):
Question 10: which of the following is a characteristic of a SHA-2 hash compared to a SHA-1? Again, which of the following characteristics of a SHA-2 hash compares to that of a SHA-2 hash compared to a SHA-1? And which of the following characteristics of a SHA-2 hash compares to that of a SHA-1? A, they are less secure and more prone to collisions. B, they have a shorter fixed-length output. C, they are faster to compute and easier to reverse.
(13:23):
Or D, they offer improved security and are designed to be more resistant to collision attacks. And the answer is D: they offer improved security and are designed to be more resistant to collision attacks.
Hence a couple of questions earlier. And they include several algorithms with longer bit lengths than a SHA-1. So it is a much better algorithm.
(13:44):
Question 11: which significant advantage of a SHA-3 over its predecessors? Okay, why is SHA-3 better over its predecessors? A, it is designed based on a different cryptographic structure called a sponge construction. B, it's using the same mathematical principles as SHA-1 and 2 for easy integration. C, it produces shorter hash values for faster computation.
(14:05):
Or D, it's less secure but more efficient in terms of energy consumption. And what is the significant advantage of SHA-3 over its predecessors? And that is A: it's designed on a different cryptographic structure called a sponge construction.
Question 12: how do digital signatures contribute to the non-repudiation in electronic transactions? A, by ensuring the transaction is encrypted end to end.
(14:28):
B, by allowing the recipient to verify the sender's identity and the integrity of the message. C, by providing timestamps that indicate when the transaction has occurred. Or D, confirming the transaction has been approved by a certificate authority.
(14:50):
So how do digital signatures contribute to the non-repudiation in electronic transactions?
And the answer is B: by allowing the recipient to verify the sender's identity and the integrity of the message.
(15:10):
Digital signatures bind the signer and the document, allowing the recipient to verify the origin and integrity of the message. So that's the key around that: it prevents the sender from denying any involvement in the overall transaction.
Question 13: what is the purpose of a certificate revocation list, a CRL? A, to list all the certificates issued by the certificate authority. B, to store the public keys of all certificate holders.
(15:33):
C, to provide a list of certificates that have been suspended or revoked. Or D, to encrypt communications between the client and the servers. Again, what is the purpose of a CRL, a certificate revocation list? And the answer is C: to provide a list of certificates that have been suspended or revoked.
(15:54):
Again, they contain the serial numbers, digital certificates that have been revoked or suspended and therefore scheduled for expiration.
Question 14: in which scenario would a hash function be an appropriate choice for ensuring data integrity? Again, which scenario would a hash function be an appropriate choice for ensuring data integrity? A, to verify the integrity of the downloaded file. B, storing the user password in their database.
(16:17):
C, detecting accidental changes in the data in a storage device. Or D, ensuring the authenticity of a software update. So in which scenario would a hash function be an appropriate choice for ensuring data integrity? And the answer is D.
(16:38):
Obviously, it can be used in all of those in different ways, but the bottom line is, the most appropriate would be D: ensuring the authenticity of a software update. So, again, while hash functions verify the integrity, they do not authenticate the source. Digital signatures, which include hashing, should be used to ensure both integrity and authenticity of the software.
(17:00):
Last question. Okay, the last question: which trust model in PKI involves multiple certificate authorities sharing recognition of each other's certificate? Okay, and PKI involves which multiple authority you have? Multiple certificate authorities involved sharing certificates. How is that discovered? How is that dealt with?
(17:20):
A, hierarchical trust model. B, the web of trust model. C, the cross-certification trust model. Or D, the bridge trust model. Okay, so if you didn't know, just think about that a little bit. If you have multiple certificates, what? What would it be? Cross-certification trust model, which would be?
(17:40):
The answer would be C. In the cross-certification model, two or more CAs issue certificates that recognize and validate each other, allowing users in different PKI schema to, in, to basically trust each other's certificates.
Okay, that is all we have for today. Head on over to CISSP Cyber Training. You've got all of this content there. A lot of these videos will be out there on my blog. You'll have access to those, along with the transcripts.
(18:03):
You have access to the questions. You'll be able to see those yourselves. You can listen to this podcast and have access to these questions. If you want, you can purchase my products. My products have all of this information in them, to include all the videos and so forth. You also have the ability, depending on what package you purchase, to even get access directly to me to help you.
(18:25):
Now that my life has changed a little bit, I've got more time available for this. I'm going to be working again as a consultant, helping people with what they've got that's most important, and really here to help you all with CISSP Cyber Training and the future Reduce Cyber Risk. All right, have a wonderful day, guys, and we will catch you on the flip side. See ya.