nerdexam
ExamsCAS-001Questions#410
CompTIA

CAS-001 · Question #410

CAS-001 Question #410: Real Exam Question with Answer & Explanation

The correct answer is B: HSM. A Hardware Security Module (HSM) is a dedicated, tamper-resistant hardware device specifically designed to generate, store, and protect cryptographic keys and digital certificates. In an SSL/TLS inspection scenario, the proxy uses an internal CA certificate to re-sign decrypted H

Question

An IT administrator has been tasked with implementing an appliance-based web proxy server to control external content accessed by internal staff. Concerned with the threat of corporate data leakage via web-based email, the IT administrator wants to decrypt all outbound HTTPS sessions and pass the decrypted content to an ICAP server for inspection by the corporate DLP software. Which of the following is BEST at protecting the internal certificates used in the decryption process?

Options

  • ANIPS
  • BHSM
  • CUTM
  • DHIDS
  • EWAF
  • FSIEM

Explanation

A Hardware Security Module (HSM) is a dedicated, tamper-resistant hardware device specifically designed to generate, store, and protect cryptographic keys and digital certificates. In an SSL/TLS inspection scenario, the proxy uses an internal CA certificate to re-sign decrypted HTTPS sessions. This CA private key is extraordinarily sensitive-if compromised, an attacker could impersonate any HTTPS site to internal users. An HSM stores the private key inside hardened hardware that prevents extraction, even by privileged administrators, and performs cryptographic operations internally so the key never leaves the device. NIPS (A) and HIDS (D) are intrusion detection/prevention tools, not key management solutions. UTM (C) is a multi-function network appliance. WAF (E) protects web applications. SIEM (F) aggregates and analyzes logs.

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full CAS-001 Practice