Domain 1 – Section B Review: Zero Trust and Cryptography
This section integrates:
- Zero Trust Architecture
- Change Management in Security
- Cryptographic Concepts
- Public Key Infrastructure (PKI)
Security+ expects you to understand how zero trust principles, operational procedures, and cryptographic mechanisms work together in modern environments.
1. Zero Trust Principles in Practice
Zero trust eliminates implicit trust. Every access request is verified regardless of location or network segment.
Never trust, always verify.
Assume breach. Verify explicitly. Use least privilege.
Core zero trust components:
- Policy engine and policy administrator make access decisions.
- Control plane manages policy; data plane carries traffic.
- Microsegmentation limits lateral movement.
- Continuous authentication replaces one-time login trust.
Zero trust does not mean zero access. It means access is granted based on real-time verification of identity, device health, and context.
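The components above are easier to reason about as code. The following Go program is an added example for this review (not part of the original notes or any vendor's product): a minimal policy decision point whose policy engine checks identity (role), device health, and context (how fresh the last verification is) on every request, plus a policy enforcement point that only acts on the answer. The struct fields, role names, resource names and the 15-minute freshness window are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// AccessRequest is what the policy enforcement point (PEP) forwards to the
// policy decision point (PDP) on every request. The field names are
// assumptions for this example, not any vendor's API.
type AccessRequest struct {
	User          string
	Role          string
	Resource      string
	DeviceHealthy bool      // outcome of the most recent device posture check
	LastVerified  time.Time // when the user's identity was last re-verified
	Now           time.Time // evaluation time, passed in so tests are deterministic
}

// Decision is what the PDP returns. The PEP only enforces it.
type Decision struct {
	Allow  bool
	Reason string
}

// Policy is the least-privilege mapping: each role lists only the resources
// it needs. Anything not listed is implicitly denied.
type Policy struct {
	RoleResources map[string][]string
	MaxAuthAge    time.Duration // how old a verification may be before re-auth is required
}

func (p Policy) roleAllows(role, resource string) bool {
	for _, allowed := range p.RoleResources[role] {
		if allowed == resource {
			return true
		}
	}
	return false
}

// Decide is the policy engine. Identity, device health and context are all
// re-checked on every call; a session that passed earlier earns no shortcut.
func (p Policy) Decide(r AccessRequest) Decision {
	if !p.roleAllows(r.Role, r.Resource) {
		return Decision{false, "least privilege: role " + r.Role + " has no need for " + r.Resource}
	}
	if !r.DeviceHealthy {
		return Decision{false, "device failed health check"}
	}
	if r.Now.Sub(r.LastVerified) > p.MaxAuthAge {
		return Decision{false, "identity verification is stale; re-authenticate"}
	}
	return Decision{true, "verified identity, healthy device, fresh context"}
}

// Enforce models the PEP: ask the PDP, then act on the answer.
// The PDP decides; the PEP acts.
func Enforce(p Policy, r AccessRequest) string {
	d := p.Decide(r)
	verdict := "DENY"
	if d.Allow {
		verdict = "ALLOW"
	}
	return fmt.Sprintf("%s %s -> %s (%s)", verdict, r.User, r.Resource, d.Reason)
}

func main() {
	policy := Policy{
		RoleResources: map[string][]string{
			"hr":      {"hr-portal"},
			"finance": {"hr-portal", "finance-db"},
		},
		MaxAuthAge: 15 * time.Minute,
	}
	now := time.Now()
	req := AccessRequest{User: "alice", Role: "hr", Resource: "hr-portal",
		DeviceHealthy: true, LastVerified: now, Now: now}
	fmt.Println(Enforce(policy, req)) // allowed: in role scope, healthy, fresh

	req.Resource = "finance-db"
	fmt.Println(Enforce(policy, req)) // denied: HR has no need for finance-db

	// Mid-session the posture agent reports the laptop as unhealthy. The same
	// request that was allowed a moment ago is now denied (continuous verification).
	req.Resource, req.DeviceHealthy = "hr-portal", false
	fmt.Println(Enforce(policy, req))
}
```

The third call is the point of the example: nothing about the session is cached, so a failed device health check changes the answer immediately rather than at the next login. A real deployment would feed many more signals into Decide (location, time of day, risk score), but the shape stays the same: the engine decides, the enforcement point carries out the decision.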
2. Change Management and Security Impact
Every change introduces risk. Change management ensures changes are authorized, tested, and documented.
Uncontrolled change is the leading cause of outages and security gaps.
- Change advisory boards review impact before implementation.
- Rollback plans must exist before changes go live.
- Configuration baselines define the known-good state.
- Unauthorized changes are security incidents.
When a scenario describes a system failure after an update, think change management first — not malware.
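Two of the bullets above (configuration baselines define the known-good state; unauthorized changes are security incidents) are something a defender can actually automate. The Go program below is an added example for this review, not code from the original notes or from any change-management tool: it diffs a running configuration against a baseline, marks each difference as covered by an approved change ticket or not, and produces the rollback state for anything unapproved. The configuration keys, values and the ticket number CHG-1042 are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Config is a flattened key/value view of a system's settings. To keep the
// example short, an absent key and an empty value are treated the same.
type Config map[string]string

// ChangeRecord is an approved change ticket: the setting the change advisory
// board authorised and the value it authorised. The shape is an assumption.
type ChangeRecord struct {
	Ticket, Key, Value string
}

// Drift is one difference between the known-good baseline and running state.
type Drift struct {
	Key, Baseline, Current string
	Ticket                 string // empty when no approved change covers this key
	Authorized             bool
}

// DetectDrift compares the running config with the baseline and classifies
// each difference. A difference no approved change explains is unauthorized,
// which the section says to treat as a security incident, not as maintenance.
func DetectDrift(baseline, current Config, approved []ChangeRecord) []Drift {
	byKey := map[string]ChangeRecord{}
	for _, rec := range approved {
		byKey[rec.Key] = rec
	}
	keys := map[string]bool{}
	for k := range baseline {
		keys[k] = true
	}
	for k := range current {
		keys[k] = true
	}
	var drifts []Drift
	for k := range keys {
		want, got := baseline[k], current[k]
		if want == got {
			continue
		}
		d := Drift{Key: k, Baseline: want, Current: got}
		// Only a ticket that approved exactly this value counts as authorization;
		// a ticket for a different value does not cover what is actually running.
		if rec, ok := byKey[k]; ok && rec.Value == got {
			d.Ticket, d.Authorized = rec.Ticket, true
		}
		drifts = append(drifts, d)
	}
	sort.Slice(drifts, func(i, j int) bool { return drifts[i].Key < drifts[j].Key })
	return drifts
}

// Rollback returns a copy of the running config with every unauthorized drift
// reverted to its baseline value. Approved changes are left in place.
func Rollback(current Config, drifts []Drift) Config {
	restored := Config{}
	for k, v := range current {
		restored[k] = v
	}
	for _, d := range drifts {
		if d.Authorized {
			continue
		}
		if d.Baseline == "" {
			delete(restored, d.Key) // the setting did not exist in the baseline
		} else {
			restored[d.Key] = d.Baseline
		}
	}
	return restored
}

func main() {
	// Constructed sample: the baseline, what is actually running after the
	// maintenance window, and the one ticket the CAB approved for it.
	baseline := Config{"sshd.PermitRootLogin": "no", "firewall.tcp_8443": "deny", "ntp.server": "time.example.internal"}
	current := Config{
		"sshd.PermitRootLogin": "yes",   // nobody approved this
		"firewall.tcp_8443":    "allow", // CHG-1042 approved this
		"ntp.server":           "time.example.internal",
		"cron.extra_job":       "/opt/tools/sync.sh", // appeared without a ticket
	}
	approved := []ChangeRecord{{Ticket: "CHG-1042", Key: "firewall.tcp_8443", Value: "allow"}}

	drifts := DetectDrift(baseline, current, approved)
	for _, d := range drifts {
		status := "SECURITY INCIDENT: unauthorized change"
		if d.Authorized {
			status = "authorized by " + d.Ticket
		}
		fmt.Printf("%-22s %q -> %q  %s\n", d.Key, d.Baseline, d.Current, status)
	}
	fmt.Println("after rollback:", Rollback(current, drifts))
}
```

Note the two practical details: a ticket only authorizes the exact value it approved, so a "close enough" edit still shows up as unauthorized, and once an approved change is verified in production the baseline itself must be updated, otherwise every future scan keeps reporting the approved change as drift.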
3. Cryptographic Concepts and Application
Cryptography protects data through mathematical transformation:
- Symmetric encryption (AES) — same key encrypts and decrypts. Fast, used for bulk data.
- Asymmetric encryption (RSA, ECC) — key pairs. Public key encrypts, private key decrypts.
- Hashing (SHA-256) — one-way function producing a fixed-length digest. Verifies integrity.
Symmetric for speed. Asymmetric for key exchange and signatures.
Hashing for integrity. Never confuse encryption with hashing.
Key management is often more important than the algorithm itself. A strong algorithm with poor key management is still vulnerable.
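The three primitives and the "symmetric for speed, asymmetric for key exchange, hashing for integrity" rule are shown together in the Go program below. It is an added example for this review, not code from the original notes: AES-256-GCM with one shared key in both directions, RSA-OAEP where the sender encrypts with the recipient's public key and only the matching private key decrypts, SHA-256 as a one-way integrity check, and an envelope that combines them (bulk data under a fresh AES key, that key carried under RSA, and a digest of the plaintext). The function names and the sample message are constructed for the example; the underlying calls are Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// --- Symmetric: one key, both directions. AES-GCM also authenticates the
// ciphertext, so a modified message fails to decrypt instead of silently
// decrypting to garbage.
func AESSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	// A random nonce is prepended to the output; it must never repeat under one key.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func AESOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// --- Asymmetric: the sender encrypts with the RECIPIENT's public key and only
// the recipient's private key can reverse it (RSA-OAEP).
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func RSAEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func RSADecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// --- Hashing: one-way, fixed length, no key. Nothing takes a digest back to
// the data; integrity is checked by recomputing and comparing.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func VerifyDigest(data []byte, published string) bool { return Digest(data) == published }

// --- Putting them together: bulk data under a fresh AES key (fast), the AES
// key carried to the recipient under RSA (key transport), and a digest of the
// plaintext so the recipient can check integrity independently of decryption.
type Envelope struct {
	WrappedKey  []byte // RSA-OAEP ciphertext of the 32-byte AES key
	Sealed      []byte // AES-GCM nonce + ciphertext + tag
	PlainDigest string // SHA-256 of the plaintext, hex
}

func EnvelopeSeal(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	key := make([]byte, 32) // AES-256, generated per message
	if _, err := io.ReadFull(rand.Reader, key); err != nil { return Envelope{}, err }
	sealed, err := AESSeal(key, plaintext)
	if err != nil { return Envelope{}, err }
	wrapped, err := RSAEncrypt(pub, key)
	if err != nil { return Envelope{}, err }
	return Envelope{WrappedKey: wrapped, Sealed: sealed, PlainDigest: Digest(plaintext)}, nil
}

func EnvelopeOpen(priv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	key, err := RSADecrypt(priv, e.WrappedKey) // only the recipient can do this step
	if err != nil { return nil, err }
	plaintext, err := AESOpen(key, e.Sealed)
	if err != nil { return nil, err }
	if !VerifyDigest(plaintext, e.PlainDigest) { return nil, errors.New("digest mismatch: data altered") }
	return plaintext, nil
}

func main() {
	recipient, err := NewRecipientKey()
	if err != nil { panic(err) }
	env, err := EnvelopeSeal(&recipient.PublicKey, []byte("payroll figures (constructed sample)"))
	if err != nil { panic(err) }
	fmt.Println("wrapped key bytes:", len(env.WrappedKey), "digest:", env.PlainDigest[:16]+"...")
	out, err := EnvelopeOpen(recipient, env)
	fmt.Printf("recovered: %q err=%v\n", out, err)
	env.Sealed[len(env.Sealed)-1] ^= 0x01 // flip one bit: GCM's tag check rejects it
	_, err = EnvelopeOpen(recipient, env)
	fmt.Println("after tampering:", err)
}
```

Two things worth noticing: the AES key never crosses the wire in the clear, which is the whole reason RSA is in the picture, and the digest is a string you can publish beside a download exactly as a vendor does. The key-management warning above applies unchanged: the recipient's private key is the single point whose compromise undoes all of this.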
4. PKI and Certificate Management
PKI provides the trust framework for digital certificates:
- Certificate Authority (CA) issues and signs certificates.
- Certificate Revocation Lists (CRL) and OCSP let a client check whether the issuing CA has revoked a certificate.
- Certificate pinning prevents man-in-the-middle attacks.
- Certificate expiration requires proactive renewal processes.
When a browser displays a certificate warning, the issue is trust chain validation — not encryption failure.
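The "warning means trust chain validation" point can be demonstrated end to end with Go's standard x509 package. The program below is an added example for this review, not code from the original notes: it creates a throwaway root CA, has it sign a server certificate, and then runs the same validation a browser performs under four conditions (CA trusted and in validity, CA absent from the trust store, certificate past its NotAfter date, hostname mismatch). The CA name, the hostname app.example.internal, the serial numbers and the 90-day lifetime are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a throwaway CA plus one leaf it issued. Names are constructed.
type Chain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// BuildChain creates a self-signed root CA and has it sign a server
// certificate for app.example.internal valid from notBefore to notAfter.
func BuildChain(notBefore, notAfter time.Time) (Chain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return Chain{}, err }
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             notBefore,
		NotAfter:              notAfter.Add(365 * 24 * time.Hour), // CA outlives its leaves
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return Chain{}, err }
	ca, err := x509.ParseCertificate(caDER)
	if err != nil { return Chain{}, err }

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return Chain{}, err }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "app.example.internal"},
		DNSNames:     []string{"app.example.internal"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signed with the CA's key and naming the CA as issuer: that is the trust chain.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { return Chain{}, err }
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil { return Chain{}, err }
	return Chain{CA: ca, Leaf: leaf}, nil
}

// Verify does what a browser does before deciding whether to warn: build a
// path from the leaf to a root it trusts, check the name, check the dates.
// It returns a short label for the outcome plus the underlying error.
func Verify(leaf *x509.Certificate, host string, now time.Time, trusted ...*x509.Certificate) (string, error) {
	roots := x509.NewCertPool() // empty pool: nothing is trusted unless added
	for _, c := range trusted { roots.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err == nil { return "trusted", nil }
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	var name x509.HostnameError
	switch {
	case errors.As(err, &unknown):
		return "untrusted issuer", err
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired", err
	case errors.As(err, &name):
		return "name mismatch", err
	}
	return "other", err
}

func main() {
	issued := time.Now().Add(-time.Hour)
	expiry := issued.Add(90 * 24 * time.Hour)
	ch, err := BuildChain(issued, expiry)
	if err != nil { panic(err) }
	host := "app.example.internal"
	r, e := Verify(ch.Leaf, host, time.Now(), ch.CA)
	fmt.Printf("%-26s %s  %v\n", "CA trusted, in validity:", r, e)
	r, e = Verify(ch.Leaf, host, time.Now()) // CA missing from the client's trust store
	fmt.Printf("%-26s %s  %v\n", "CA not trusted:", r, e)
	r, e = Verify(ch.Leaf, host, expiry.Add(time.Hour), ch.CA) // the expired-certificate case
	fmt.Printf("%-26s %s  %v\n", "past NotAfter:", r, e)
	r, e = Verify(ch.Leaf, "other.example.internal", time.Now(), ch.CA)
	fmt.Printf("%-26s %s  %v\n", "wrong hostname:", r, e)
}
```

In all three failing cases the certificate's key and signature algorithm are exactly as strong as in the passing case; what changed is whether the client can build a valid path from the leaf to a root it trusts at this moment for this name. That is the distinction the section draws between a trust-chain failure and an encryption failure.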
Section B Decision Pattern
When unsure in Domain 1 Section B:
- Default to least privilege and continuous verification.
- Trace the trust chain when certificates are involved.
- Match the cryptographic tool to the problem (confidentiality vs. integrity vs. authentication).
- Treat unauthorized changes as security events.
- Remember: zero trust is a model, not a product.
Section B – Practice Questions
Question 1
A company implements microsegmentation across its data center. An authenticated user on the HR VLAN attempts to access a finance database and is denied. Which zero trust principle is being enforced?
A. Least privilege
B. Implicit deny
C. Defense in depth
D. Separation of duties
Answer & reasoning
Correct: A
In zero trust, users are granted only the minimum access required for their role. The HR user has no business need for the finance database, so access is denied. Microsegmentation enforces least privilege at the network level.
Question 2
A web server's SSL certificate expires, and users receive browser warnings. The certificate uses a valid algorithm and was issued by a trusted CA. What is the MOST likely cause?
A. The encryption algorithm is deprecated
B. The certificate was revoked by the CA
C. The certificate validity period has ended
D. The server's private key was compromised
Answer & reasoning
Correct: C
The scenario explicitly states the certificate expired. Certificate expiration is the most common cause of browser trust warnings. The algorithm is valid and the CA is trusted, so revocation and deprecation are not the issue.
Question 3
An administrator deploys a firewall rule change during a maintenance window. The next morning, users cannot access a critical application. What should have been prepared as part of change management?
A. An incident response plan
B. A risk acceptance form
C. A penetration test
D. A rollback procedure
Answer & reasoning
Correct: D
Change management requires a rollback procedure so that if a change causes problems, the previous configuration can be restored quickly. This is standard practice before any production change.
Question 4
Two parties need to establish a shared secret key over an insecure network. Neither party has exchanged keys before. Which cryptographic technique is MOST appropriate?
A. AES-256 encryption
B. SHA-256 hashing
C. Diffie-Hellman key exchange
D. Digital signature verification
Answer & reasoning
Correct: C
Diffie-Hellman allows two parties to generate a shared secret over an insecure channel without transmitting the key itself. AES requires a pre-shared key, hashing does not establish keys, and digital signatures verify identity but do not create shared secrets.
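The exchange this answer describes, as an added example that is not part of the original notes: two parties that have never met each generate a key pair, send only their public values across the wire, and each combines its own private key with the other's public value to arrive at the same secret. The example uses X25519 from Go's crypto/ecdh package (the elliptic-curve form of Diffie-Hellman) and hashes the raw shared secret with SHA-256 to get an AES-sized key; the party names and the ObserverKey helper are constructed for the illustration.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is one side of the exchange. The private key never leaves the struct;
// only PublicBytes() is sent over the network.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicBytes is the only value this party transmits.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SharedKey combines this party's private key with the peer's public value and
// hashes the result, so both ends derive the same 32-byte key (shown as hex).
func (p *Party) SharedKey(peerPublic []byte) (string, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return "", err
	}
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(secret) // minimal KDF; real protocols use HKDF with context
	return hex.EncodeToString(sum[:]), nil
}

// Exchange runs the protocol between two parties that have never met and
// returns both derived keys plus the bytes an observer on the wire saw.
func Exchange() (keyA, keyB string, onTheWire [][]byte, err error) {
	alice, err := NewParty("alice")
	if err != nil {
		return
	}
	bob, err := NewParty("bob")
	if err != nil {
		return
	}
	// Each side sends its public value in the clear; the secret itself is never sent.
	onTheWire = [][]byte{alice.PublicBytes(), bob.PublicBytes()}
	if keyA, err = alice.SharedKey(bob.PublicBytes()); err != nil {
		return
	}
	keyB, err = bob.SharedKey(alice.PublicBytes())
	return
}

// ObserverKey shows why the public values alone are not enough: a third party
// combining its own private key with Alice's public value gets a different key
// from the one Alice and Bob share.
func ObserverKey(alicePublic []byte) (string, error) {
	eve, err := NewParty("observer")
	if err != nil {
		return "", err
	}
	return eve.SharedKey(alicePublic)
}

func main() {
	a, b, wire, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("alice key:", a)
	fmt.Println("bob key:  ", b, "match:", a == b)
	fmt.Printf("bytes visible on the wire: %d + %d (public values only)\n", len(wire[0]), len(wire[1]))
	o, _ := ObserverKey(wire[0])
	fmt.Println("observer's attempt:", o, "match:", o == a)
}
```

The caveat a practitioner should keep in mind: key agreement on its own establishes a secret with whoever is on the other end, not with a particular identity. That is why TLS signs the exchange with the server's certificate, which is the "digital signatures verify identity" half of option D working alongside, not instead of, Diffie-Hellman.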
Question 5
A zero trust architecture requires continuous validation. A user's laptop fails a device health check mid-session. What should the policy engine do?
A. Revoke or reduce access based on the updated trust score
B. Log the event and notify the help desk
C. Allow access to continue until the session expires
D. Require the user to change their password
Answer & reasoning
Correct: A
Zero trust requires continuous verification. When a device health check fails, the policy engine must re-evaluate and adjust access in real time. Allowing continued access contradicts the core principle. Password changes do not address device health.
Question 6
A developer needs to verify that a downloaded software package has not been tampered with. The vendor publishes a SHA-256 hash alongside the download. What should the developer do?
A. Decrypt the package using the hash
B. Compute the hash of the downloaded file and compare it to the published hash
C. Use the hash as a decryption key
D. Submit the hash to the vendor's CA for validation
Answer & reasoning
Correct: B
Hashing verifies integrity. The developer computes the hash of the downloaded file and compares it to the known-good hash. If they match, the file has not been altered. Hashes are not encryption keys and cannot be used for decryption.
Question 7
An organization discovers that a server configuration was changed outside the approved change management process. How should this be classified?
A. A routine maintenance task
B. A configuration drift event
C. A security incident
D. A performance optimization
Answer & reasoning
Correct: C
Unauthorized changes bypass the controls that ensure changes are reviewed, tested, and documented. Any change made outside the approved process is a security incident because it introduces unvalidated risk and indicates a control failure.
Question 8
A company uses asymmetric encryption to secure email. An employee sends a confidential message. Which key does the sender use to encrypt the message?
A. The sender's private key
B. The sender's public key
C. The recipient's private key
D. The recipient's public key
Answer & reasoning
Correct: D
In asymmetric encryption, the sender encrypts with the recipient's public key. Only the recipient's private key can decrypt the message. This ensures confidentiality — only the intended recipient can read it.
Question 9
A zero trust implementation includes a policy decision point (PDP) and a policy enforcement point (PEP). Where does the access decision get made?
A. At the PEP
B. At the PDP
C. At the firewall
D. At the identity provider
Answer & reasoning
Correct: B
The policy decision point (PDP), which includes the policy engine and policy administrator, makes the access decision. The policy enforcement point (PEP) enforces that decision. The PDP decides; the PEP acts.
Question 10
A client application connects to a server and receives a digital certificate. The client checks the certificate against the CA's certificate revocation list and finds no entry. What does this confirm?
A. The certificate is encrypted with a strong algorithm
B. The certificate will not expire
C. The server's private key has not been compromised
D. The certificate has not been revoked by the issuing CA
Answer & reasoning
Correct: D
A CRL check confirms whether the CA has revoked the certificate. If the certificate is not on the CRL, it has not been revoked. This does not guarantee the private key is safe, that the algorithm is strong, or that the certificate will not expire.