
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 245: Practice CISSP Questions - Hashing - Ensuring Message Authenticity with the CISSP (D3.6)
Security regulations are changing dramatically in response to major breaches, and the implications for cybersecurity professionals are profound. Shon Gerber kicks off this episode with a career announcement, sharing his transition to independent consulting after 13 years with his previous employer—a move that highlights the evolving opportunities in the cybersecurity field.
The heart of this episode examines the recent UnitedHealthcare breach, where attackers targeted Change Healthcare, a critical system processing 15 billion healthcare transactions annually. The February ransomware attack led to a $22 million ransom payment and disrupted approximately half of all pharmacy operations across the United States. This incident serves as a perfect case study in critical infrastructure vulnerability and has triggered a significant regulatory response from the Biden administration, which is now promising "tough, mandatory cybersecurity standards" for the healthcare industry.
What does this mean for security professionals? Potentially stricter oversight, increased financial penalties, and perhaps most concerning—explicit executive liability for security failures. As Shon notes, these developments create an increasingly complex landscape where CISOs must navigate not just technical challenges but also regulatory expectations that might lack technical nuance.
The episode transitions into a comprehensive examination of CISSP exam questions covering Domain 3.6, focusing on message integrity, digital signatures, and cryptographic hashing functions. Through fifteen detailed questions and answers, Shon breaks down essential concepts like the difference between checksums and hashing functions, the evolution from SHA-1 to more secure algorithms, and the role of certificate authorities in public key infrastructure. These technical foundations aren't just academic—they're the building blocks of systems that, when implemented correctly, help prevent exactly the kind of breach that hit UnitedHealthcare.
Ready to deepen your understanding of message integrity and prepare for the CISSP exam? Visit CISSP Cyber Training for videos, transcripts, and additional practice questions to help you master these critical concepts and advance your cybersecurity career.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
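The distinction the episode's practice questions turn on (checksum versus cryptographic hash, fixed-length digests, and why a bare hash verifies the integrity of a software update but not its source) worked through as an added Python example that is not part of the podcast or its materials. The sample "update" bytes and the publisher key are constructed, and an HMAC stands in for the digital signature the episode recommends, since both bind the digest to a key only the legitimate source holds.

```python
"""Integrity vs. authenticity for a software download (CISSP Domain 3.6).

A hash alone proves the bytes match the published digest; anyone who can
replace the file can replace the published digest too.  A keyed tag (HMAC
here, standing in for a digital signature) can only be produced by the key
holder, so it binds the file to its source as well as to its contents.
"""
import hashlib
import hmac
import zlib

# Constructed sample "software update" and a modified copy (not real files).
ORIGINAL = b"installer v1.2.0: do not run as root\n"
MODIFIED = b"installer v1.2.0: do run as root now\n"

# Constructed publisher key; in practice this is the vendor's private signing key.
PUBLISHER_KEY = b"publisher-signing-key-example-only"


def crc32_checksum(data: bytes) -> str:
    """Error-detecting code (CRC-32): catches transmission errors, not tampering."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_digest(data: bytes) -> str:
    """Cryptographic digest: fixed 256-bit output, collision resistant."""
    return hashlib.sha256(data).hexdigest()


def digest_hex_lengths(data: bytes) -> dict:
    """Hex-digit length of each digest; identical for any input size (fixed length)."""
    return {
        "sha1": len(hashlib.sha1(data).hexdigest()),          # 160 bits, deprecated
        "sha256": len(hashlib.sha256(data).hexdigest()),      # SHA-2 family
        "sha3_256": len(hashlib.sha3_256(data).hexdigest()),  # sponge construction
    }


def publish(data: bytes, key: bytes = PUBLISHER_KEY) -> dict:
    """What a vendor ships next to the file: a plain digest and a keyed tag."""
    return {
        "sha256": sha256_digest(data),
        "tag": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def verify_integrity(data: bytes, manifest: dict) -> bool:
    """Hash check: the bytes match the manifest, but says nothing about who made it."""
    return hmac.compare_digest(sha256_digest(data), manifest["sha256"])


def verify_authenticity(data: bytes, manifest: dict, key: bytes) -> bool:
    """Keyed check: only the holder of `key` could have produced a matching tag."""
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def manifest_without_key(data: bytes) -> dict:
    """A manifest recomputed over modified bytes by a party without the key.

    The digest is trivially recomputed, so a hash-only check passes; the tag
    cannot be reproduced, so the keyed check fails.  (Constructed wrong key.)
    """
    return publish(data, key=b"not-the-publisher-key")


if __name__ == "__main__":
    good = publish(ORIGINAL)
    print("integrity ok:", verify_integrity(ORIGINAL, good))
    print("authentic  ok:", verify_authenticity(ORIGINAL, good, PUBLISHER_KEY))
    bad = manifest_without_key(MODIFIED)
    print("modified passes hash-only check:", verify_integrity(MODIFIED, bad))
    print("modified passes keyed check:", verify_authenticity(MODIFIED, bad, PUBLISHER_KEY))
    print("digest lengths:", digest_hex_lengths(b"x"), digest_hex_lengths(b"x" * 100000))
```

The last two prints are the point of Question 14: a recomputed hash still matches, so integrity alone cannot tell a legitimate update from a substituted one.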
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go cybersecurity knowledge.
Speaker 2: All right, let's get started. Hey, I'm Shon Gerber with CISSP Cyber Training Podcast and I hope you all are having a wonderful day today. Today is exam question Thursday, and we're going to get over some awesome questions as it relates to message integrity, digital signatures and all the wonderful things that came out of the last podcast we had on Monday. But before we do, one quick question, one quick announcement, actually. I am finally done working at my company that I worked at for about 13 years and I'm out on my own. So this is amazing, exciting and a bit terrifying. So we're pretty excited about what's happening here at CISSP Cyber Training, as well as the fact that I'm going to be able to be a consultant and help a lot of organizations with their cybersecurity, whereas in the past I was a little bit limited. Great company, amazing company, but time to move on and do some other things with my life, and I'm pretty excited about that. But before we get started, I just want to quickly talk about a recent article I saw today related to UnitedHealthcare, and so this is really out there for all of you CISSP candidates that are working to get your certificate: one, because you feel like you have to for your career, but also maybe because of the fact that your job may be requiring it due to regulations that might be coming down the pipe, and this is a great example of what you're going to see.
Speaker 2: More of this. This is from the recent attack that happened on UHC and Change Pharmaceuticals or Change Medical, something like that, and what it really came down to was they had a ransomware attack that hit this Change Healthcare, and they basically process transactions for UnitedHealthcare, which is one of the major, largest insurance companies in the United States, and they process around 15 billion transactions annually, which is a lot. Right, that's a gob of transactions that are occurring, and they got hit with a ransomware attack, and this ransomware attack basically brought them to their knees, and this was back in the first part of February, if I'm not mistaken, and because of that, they ended up paying a $22 million ransom to get unstuck. That was the ultimate goal of it, and this is when the Department of Homeland Security came into this and the Department of Human Services came in and they decided that this needed to be fixed. So who knows who paid the bill, but bottom line is, it's critical infrastructure for the United States and therefore it was a target for these attackers and, as a result, we see what happened, and it caused dramatic impact to the United States and our medical industry. Most of the, a big, like 50% of the pharmacies within the United States actually could not process insurance transactions due to this attack. So, as we see, it's a really big factor when you're talking infrastructure and critical infrastructure itself.
Speaker 2: Now, what the Biden administration is coming down to is they're maintaining this comment about how they're going to establish tough, mandatory cybersecurity standards for the healthcare industry. Yeah, so if you're a security person, if you're like me, you're going yikes. I've talked to a friend of mine who's a CISO with a very large Fortune 20 company, and a lot of folks that are in our space are starting to think hard about going, well, do I want to be a consultant? Do I want to be a CISO? What do I want to do? Do I want to be an architect? And one of the factors that came out of that conversation was that the regulations are becoming so onerous that, one, you're not going to take risk, but, two, the fact that it puts people like myself who were former CISOs kind of a little bit in jeopardy. So it's an interesting dynamic, the things that are happening, and somebody basically wants someone to hang. That's the ultimate goal: they want to prove that they're doing something that is hard and substantial and making a difference, rather than just kind of sweeping it under the covers. So it will be very, very interesting in the next few years to see how this kind of weight plays out.
Speaker 2: One other part I think may have played into some of this, and again I'm just guessing at this point, I have no insider knowledge on any of that, but there was a 2022 merger with Optum and Change Healthcare for about $13 billion. That's a lot of money, and that merger occurred, and, I mean, who knows how that occurred in the fact of the security aspects around this organization. But when you bring a big, large organization like that together, I can tell you from experience, acquisitions are kludgy, acquisitions are very challenging, and if you don't have a good plan in place, even if you do have a good plan in place, there is a really good chance that something bad could happen. So it will be totally interesting to see what's going to come out of this.
Speaker 2: One last comment I wanted to make. This comment was in there as well: investigating whether additional legislation is needed to bolster security in the healthcare sector, which it is, including increasing financial penalties and holding company executives liable for failing cybersecurity 101. Yeah, that's scary, because I just need somebody that's up in Washington DC telling me what cybersecurity 101 is. So, yeah, not so good. So, anyway, this is an interesting concept that's going to be happening, that you're going to be paying attention to. We're going to pay attention to it here at CISSP Cyber Training and on the Reduce Cyber Risk podcast that's going to be coming out here very soon, and it's going to be fun.
Speaker 2: So, but that's enough of talking about that, let's get into today's questions. Okay, so here are the questions and we are going to be talking again. We're in Domain 3.6, getting into digital signatures, MD5s, SHA-1s, all that fun stuff. So let us get started. Question one: which of the following is the primary purpose of a message integrity check? A, to confirm the sender's identity. B, to ensure that the message is not altered. C, to compress the data for transmission. Or D, to encrypt the message content? Again, which of the following is the primary purpose of a message integrity check, or MIC? A message integrity check is used to detect any changes in the content. So it is question B, or answer B. It is used to detect any changes in the content of the message, ensuring that it has not been tampered with during transmission.
Speaker 2: Question two: what is the main difference between a checksum and a cryptographic hash function? Again, what is the main difference between a checksum and a cryptographic hash function? A, a checksum is used for error checking, while a hash function is used for security purposes. B, a checksum is reversible, while a hash function is not. C, a checksum can only be used once, while the hash function can be used multiple times. And then D, a checksum is faster to compute than a hash function. Again, what is the main difference between a checksum and a cryptographic hash function? And the answer is A: a checksum is used for error checking, while a hash function is used for security purposes. Checksums are generally used to verify the data's integrity, right, and detect errors within that overall transmission, while hash functions are a secure way for you to verify the integrity of the data and are resistant to potential reverse engineering. Again, resistant, not impervious, but resistant.
Speaker 2: Question three: which of the following best describes a cyclic redundancy check, or a CRC? A, a symmetric encryption algorithm. B, an asymmetric encryption algorithm. C, an error-detecting code. Or D, a digital signature algorithm. Which of the following best describes a CRC, or a cyclical redundancy check? And the answer is C: a CRC is an error-detecting code. Right, it's a checksum that's used to detect accidental changes to raw data in digital networks and storage devices.
Speaker 2: Question four: why are collision-resistant properties important in hashing algorithms? A, they ensure the hash value can be decrypted. B, they allow hash functions to be reversible. C, they increase the speed of the hashing function. Or D, they prevent the same hash value from being produced by two different inputs. So why are collision-resistant properties important in hashing algorithms? Okay, again, we talked about collision. Why would collision be bad? You'd want things hitting each other, so the answer would be D: they prevent the same hash value from being produced by two different inputs. Again, collision resistance is crucial because it makes it computationally infeasible to find two distinct inputs that produce the same hash output. So therefore, it is unique, and if it's unique, that'll keep you from having collisions.
Speaker 2: Question five: which of the following secure hash algorithms is considered deprecated due to vulnerabilities allowing for collision attacks? Now, we talked about this a little bit in the podcast. MD5 was one of them, but you don't see MD5 on here, so which one could it be? So which of the following secure hash algorithms is considered deprecated due to vulnerabilities allowing for a collision attack? A, SHA-1; B, SHA-2; C, SHA-3; or D, all of the above? Okay. So if you didn't know the answer to this question, the easiest way to guess would be obviously something that is the oldest, and that would be correct. SHA-1, which is A, has been deprecated due to vulnerabilities to collision attacks, where two different inputs can produce the same hash value. So SHA-1 is the deprecated one.
Speaker 2: Question six: what is the significance of a fixed-length digest in cryptographic hashing? Okay, what is the significance of a fixed-length digest in cryptographic hashing? So we talked about the digest being 128, 512, and so forth. What is the significance of a fixed-length digest? A, it ensures a hash function is reversible. B, it guarantees the original message can be reconstructed from the digest. C, it provides a consistent output size, which is essential for security. Or D, it allows the digest to be easily encrypted. Again, fixed-length digest. What is the significance? And it is C: a fixed-length digest means that, no matter the size of the input data, the output will always be the same size, which is crucial when you're maintaining security, especially as it relates to trying to understand the overall hash, and it prevents the attacker from deducing information about the input based on the hash length.
Speaker 2: Question 7: which of the following best describes the purpose of a digital signature? A, to verify the sender's identity and ensure the integrity of the message. B, to encrypt the contents of the message. C, to provide a checksum for error detection. D, to compress the data for easier transmission. Okay, which of the following best describes the purpose of a digital signature? And it is A: to verify the identity and ensure the integrity of the message. Digital signatures are used to authenticate the identity of a sender and confirm that the message has not been altered, therefore ensuring both integrity and non-repudiation in the communication path. It is five o'clock in the morning, so I'm sorry if my tongue gets a little away from me and I can't quite speak. I apologize.
Speaker 2: Question eight: which information does a digital certificate typically contain? Question eight is, which information does a digital certificate typically contain? A, a certificate holder's private key. B, a certificate authority's private key. C, the certificate holder's public key and identity information. Or D, the encryption algorithm used by the certificate holder. Question 8 is, what information does a digital signature typically contain? And the answer is C: the certificate holder's public key and identity information. So, again, a digital certificate has the public key of the individual and it's signed by a trusted certificate authority, and it does not contain the private keys. You don't want it to contain the private keys, remember?
Speaker 2: Question nine: which role does a certificate authority, or a CA, play in the public key infrastructure, otherwise known as PKI? Which role does a CA play in PKI? A, it generates public and private key pairs for the users. B, it acts as a trusted third party to issue and manage digital certificates. C, it encrypts the messages with the recipient's public key. Or D, it decrypts the messages using the sender's private key. Okay, it doesn't do anything with the public and private key as it relates to encrypting messages. So it could either be A or B, and it acts as a trusted third party to issue and manage digital certificates. That's the ultimate purpose. It verifies the identity of the certificate holder and the association with their public key.
Speaker 2: Question 10: which of the following is a characteristic of a SHA-2 hash compared to a SHA-1? Again, which of the following is a characteristic of a SHA-2 hash compared to a SHA-1? A, they are less secure and more prone to collisions. B, they have a shorter fixed-length output. C, they are faster to compute and easier to reverse. Or D, they offer improved security and are designed to be more resistant to collision attacks. And the answer is D: they offer improved security and are designed to be more resistant to collision attacks. Hence a couple of questions earlier. And they include several algorithms with longer bit lengths than SHA-1. So it is a much better algorithm.
Speaker 2: Question 11: what is the significant advantage of SHA-3 over its predecessors? Okay, why is SHA-3 better than its predecessors? A, it is designed based on a different cryptographic structure called a sponge construction. B, it uses the same mathematical principles as SHA-1 and 2 for easy integration. C, it produces shorter hash values for faster computation. Or D, it's less secure but more efficient in terms of energy consumption. And what is the significant advantage of SHA-3 over its predecessors? And that is A: it's designed on a different cryptographic structure called a sponge construction.
Speaker 2: Question 12: how do digital signatures contribute to non-repudiation in electronic transactions? A, by ensuring the transaction is encrypted end to end. B, by allowing the recipient to verify the sender's identity and the integrity of the message. C, by providing timestamps that indicate when the transaction has occurred. Or D, by confirming the transaction has been approved by a certificate authority. So how do digital signatures contribute to non-repudiation in electronic transactions? And the answer is B: by allowing the recipient to verify the sender's identity and the integrity of the message. Digital signatures bind the signer and the document, allowing the recipient to verify the origin and integrity of the message. So that's the key around that: it prevents the sender from denying any involvement in the overall transaction.
Speaker 2: Question 13: what is the purpose of a certificate revocation list, a CRL? A, to list all the certificates issued by the certificate authority. B, to store the public keys of all certificate holders. C, to provide a list of certificates that have been suspended or revoked. Or D, to encrypt communications between the client and the servers. Again, what is the purpose of a CRL, a certificate revocation list? And the answer is C: to provide a list of certificates that have been suspended or revoked. Again, they contain the serial numbers of digital certificates that have been revoked or suspended and are therefore scheduled for expiration.
Speaker 2: Question 14: in which scenario would a hash function be an appropriate choice for ensuring data integrity? Again, in which scenario would a hash function be an appropriate choice for ensuring data integrity? A, to verify the integrity of a downloaded file. B, storing the user password in their database. C, detecting accidental changes in the data on a storage device. Or D, ensuring the authenticity of a software update. So in which scenario would a hash function be an appropriate choice for ensuring data integrity? And the answer is D. Obviously, it can be used in all of those in different ways, but the bottom line is the most appropriate would be D: ensuring the authenticity of a software update. So, again, while hash functions verify the integrity, they do not authenticate the source. Digital signatures, which include hashing, should be used to ensure both integrity and authenticity of the software.
Speaker 2: Last question. Okay, the last question: which trust model in PKI involves multiple certificate authorities sharing recognition of each other's certificates? Okay, in PKI, you have multiple certificate authorities involved, sharing certificates. How is that discovered? How is that dealt with? A, the hierarchical trust model. B, the web of trust model. C, the cross-certification trust model. Or D, the bridge trust model. Okay, so if you didn't know, just think about that a little bit. If you have multiple certificates, what? What would it be? Cross-certification trust model, which would be, the answer would be C. In the cross-certification model, two or more CAs issue certificates that recognize and validate each other, allowing users in different PKI schemas to basically trust each other's certificates. Okay, that is all we have for today.
Speaker 2: Head on over to CISSP Cyber Training. You've got all of this content there. A lot of these videos will be out there on my blog. You'll have access to those, along with the transcripts. You have access to the questions. You'll be able to see those yourselves. You can listen to this podcast and have access to these questions. If you want, you can purchase my products. My products have all of this information in them, to include all the videos and so forth. You also have the ability, depending on what package you purchase, to even get access directly to me to help you. Now that my life has changed a little bit, I've got more time available for this. I'm going to be working again as a consultant, helping people with what they've got that's most important, and really here to help you all with CISSP Cyber Training and the future Reduce Cyber Risk. All right, have a wonderful day, guys, and we will catch you on the flip side. See ya.