6.3 Scenario Practice for Protection of Information Assets

Key Takeaways

  • Symmetric encryption is fast and uses one shared key; asymmetric uses a public/private key pair to solve key distribution.
  • A digital signature hashes the message, then encrypts the hash with the sender's private key, providing integrity, authentication, and non-repudiation.
  • PKI binds identities to public keys through certificate authorities and X.509 certificates; TLS uses PKI to set up a session.
  • Firewalls, IDS/IPS, DMZ segmentation, VPNs, NAC, and zero trust are layered network controls with distinct roles.
  • Data-in-transit (TLS/VPN) and data-at-rest (TDE/file encryption) require different protections.
Last updated: June 2026

Cryptography Scenarios

Symmetric encryption uses one shared secret key for both encryption and decryption (AES, 3DES). It is fast and well suited to bulk data, but its weakness is key distribution and management: every pair of communicating parties needs a secure way to share the key, and n users require roughly n(n-1)/2 keys. If the key leaks, all data it protected is exposed.

Asymmetric encryption (RSA, ECC) uses a mathematically linked public/private key pair. Anything encrypted with the public key can be decrypted only with the matching private key, and vice versa. This solves key distribution — you can publish your public key freely — but it is far slower, so real systems use a hybrid approach: asymmetric crypto exchanges a temporary symmetric session key, then symmetric crypto encrypts the bulk traffic. This is exactly what TLS does for HTTPS.
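The hybrid scheme described above, as an added example in Go (not code from this guide or from any product it names): the bulk data goes under a one-time AES-256-GCM session key, and RSA-OAEP under the recipient's public key protects only that 32-byte key. The names Envelope, Seal and Open are chosen here for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what crosses the wire: the AES-256 session key wrapped with RSA-OAEP under the
// recipient's public key, the per-message AES-GCM nonce, and the bulk data with its GCM tag.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// Seal is the sender's side: a fresh symmetric key encrypts the bulk data, and the slow
// asymmetric operation is spent only on the 32-byte key (what a TLS handshake achieves).
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey) // guaranteed not to fail since Go 1.24; check the error on older toolchains
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(sessionKey) // cannot fail: key length is fixed at 32 bytes above
	aead, _ := cipher.NewGCM(block)       // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // a nonce must never repeat under one key; here every key is used once
	return &Envelope{wrapped, nonce, aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is the recipient's side: only the private-key holder can unwrap the session key, and
// any modification of nonce or ciphertext fails the GCM tag check and returns an error.
func Open(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey) // rejects an unwrapped key of the wrong length
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Call Seal with the recipient's public key and Open with the private key from a test or a small main; flipping one ciphertext bit or using a different private key makes Open return an error rather than wrong plaintext.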

Hashing, signatures, and non-repudiation

Hashing (SHA-256) produces a fixed-length, one-way digest that detects any change to data — it gives integrity, not confidentiality, and cannot be reversed. A digital signature combines hashing and asymmetric crypto: the sender hashes the message and encrypts the hash with their private key. The recipient decrypts it with the sender's public key and recomputes the hash; a match proves integrity (unchanged), authentication (only the sender's private key could produce it), and non-repudiation (the sender cannot deny it).
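An added example, not part of the original guide, showing the sign-then-verify flow with Go's standard library; the message text and the key names (sender, impostor) are constructed for illustration:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message with SHA-256 and signs the digest with the sender's
// private key. PKCS#1 v1.5 is the padded, standardised form of "encrypt the hash
// with the private key"; raw RSA on a bare digest is not used in practice.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature with the sender's public
// key. A false result means the message changed, the signature changed, or the
// signature was produced by a different private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("Approve transfer of 1,000 to account 42") // constructed sample message
	sig, _ := Sign(sender, msg)

	// Integrity + authentication: the genuine message under the sender's public key passes.
	fmt.Println("original:      ", Verify(&sender.PublicKey, msg, sig))
	// Integrity: one changed digit breaks the digest match.
	fmt.Println("tampered:      ", Verify(&sender.PublicKey, []byte("Approve transfer of 9,000 to account 42"), sig))
	// Authentication / non-repudiation: the signature verifies under no other key.
	fmt.Println("impostor's key:", Verify(&impostor.PublicKey, msg, sig))
}
```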

Goal                                         | Mechanism             | Key used
---------------------------------------------|-----------------------|-----------------------
Confidentiality (bulk)                       | Symmetric encryption  | Shared session key
Confidentiality (key exchange)               | Asymmetric encryption | Recipient's public key
Integrity                                    | Hash function         | None (one-way)
Integrity + authentication + non-repudiation | Digital signature     | Sender's private key

Public key infrastructure (PKI) is what makes asymmetric keys trustworthy. A certificate authority (CA) issues X.509 digital certificates that bind an identity to a public key; a registration authority (RA) verifies that identity before issuance; and certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP) publish which certificates have been revoked. The auditor confirms that keys are generated securely, stored under protection (ideally in a hardware security module, HSM), and rotated, and that revocation actually works.

Network and Endpoint Security Scenarios

Network controls are layered so that an attack that gets past one control is contained by the next. Read the scenario stem to identify which layer is failing.

  • Firewalls filter traffic by policy. Types range from packet-filtering (stateless, by IP/port) to stateful inspection (tracks connection state) to application-layer/proxy and next-generation firewalls (deep inspection, app awareness).
  • IDS vs. IPS — an intrusion detection system is detective: it alerts on signatures or anomalies but does not block. An intrusion prevention system is preventive: it sits inline and can drop malicious traffic. If a stem wants attacks stopped automatically, the answer is IPS, not IDS.
  • DMZ and segmentation — a demilitarized zone isolates internet-facing servers (web, mail) between two firewalls so a compromise there cannot reach the internal network. Network segmentation limits lateral movement, containing a breach to one zone.
  • VPN — encrypts traffic over untrusted networks (IPsec, TLS) to protect data in transit for remote access.
  • NAC (network access control) checks a device's posture (patching, antivirus) before admitting it to the network.
  • Zero trust abandons the trusted-internal/untrusted-external model: it assumes breach, verifies every request explicitly, and enforces least privilege per session ("never trust, always verify").

Data in transit vs. at rest

A frequent trap pairs the wrong control with the wrong data state. Data in transit is protected by TLS/SSL and VPNs. Data at rest is protected by transparent data encryption (TDE), full-disk, or file-system encryption. Offering a VPN to fix unencrypted database files (at rest) is a classic distractor — and vice versa. Data loss prevention (DLP) inspects content to stop sensitive data leaving via email, web, or removable media, regardless of state.

Web, Email, and Wireless Scenario Cues

Application-layer scenarios round out Part A. For web applications, the auditor looks for HTTPS/TLS on all sensitive pages, input validation and output encoding against injection and cross-site scripting, and a web application firewall (WAF) in front of public apps. For email, sender-authentication records — SPF, DKIM, and DMARC — reduce spoofing and support anti-phishing, while S/MIME or PGP can sign and encrypt message bodies.

Wireless networks carry their own cues: the exam expects you to know that WEP is obsolete and broken, that WPA2/WPA3 with strong keys is the baseline, that open or hidden-SSID networks are not real protections, and that rogue access points and evil-twin attacks are detected through wireless monitoring and NAC. A frequent distractor offers SSID hiding or MAC filtering as adequate security; both are trivially bypassed and only deter casual users.

Reading the scenario for the right layer

Stem cue                                   | Layer at issue       | Best-fit control
-------------------------------------------|----------------------|---------------------------
Eavesdropping on remote-worker traffic     | Transport            | VPN / TLS
Stolen laptop with readable disk           | Endpoint / at rest   | Full-disk encryption
Spoofed sender domain in phishing          | Email authenticity   | SPF / DKIM / DMARC
Lateral spread after one host is owned     | Network architecture | Segmentation / zero trust
Sensitive file uploaded to a personal site | Data egress          | DLP

The disciplined move in any scenario is to name the layer under attack first, then select the control that operates at that layer. Most wrong answers are real controls applied one layer away from the actual problem — encrypting in transit when the data is exposed at rest, or hardening passwords when the threat is network eavesdropping.

Test Your Knowledge

A sender wants recipients to be able to verify that a message is unchanged AND that only the sender could have produced it. Which mechanism BEST achieves this?

Test Your Knowledge

Management wants malicious network traffic detected AND automatically blocked at the perimeter. Which control should the IS auditor expect to see?

Test Your Knowledge

An auditor finds that a database server stores customer records unencrypted on disk, though all connections to it use TLS. What is the PRIMARY remaining exposure?
