
CAS-002 Question #618: Real Exam Question with Answer & Explanation

The correct answer is D: The company should use the method recommended by other respected information security. Cryptographic security must rely on publicly vetted, standards-based algorithms rather than proprietary or secret methods, regardless of the designer's expertise or credentials.

Question

Joe, the Chief Executive Officer (CEO), was an Information security professor and a Subject Matter Expert for over 20 years. He has designed a network defense method which he says is significantly better than prominent international standards. He has recommended that the company use his cryptographic method. Which of the following methodologies should be adopted?

Options

  • A. The company should develop an in-house solution and keep the algorithm a secret.
  • B. The company should use the CEO's encryption scheme.
  • C. The company should use a mixture of both systems to meet minimum standards.
  • D. The company should use the method recommended by other respected information security

Explanation

Cryptographic security must rely on publicly vetted, standards-based algorithms rather than proprietary or secret methods, regardless of the designer's expertise or credentials.

Common mistakes.

  • A. Keeping an in-house algorithm secret is 'security through obscurity,' a discredited practice because once the algorithm is reverse-engineered or leaked, all security is immediately compromised.
  • B. Using the CEO's unvetted encryption scheme introduces unacceptable risk because without rigorous public cryptanalysis there is no way to confirm the algorithm is free of exploitable weaknesses.
  • C. Mixing an unvetted proprietary algorithm with a standard weakens overall security because a hybrid cryptographic system is only as strong as its weakest component.

Concept tested. Cryptographic standards versus proprietary algorithm security

Reference. https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines
