CAS-005 CompTIA Exam Lab Questions

Encrypting patient data at rest is a critical requirement for healthcare providers to ensure compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). The primary business requirement fulfilled by this practice is the protection of patient privacy while supporting the portability of medical information. By encrypting data at rest, healthcare providers safeguard sensitive patient information from unauthorized access, ensuring that privacy is maintained even if the storage media are compromised. Additionally, encryption supports the portability of patient records, allowing for secure transfer and access across different systems and locations while ensuring that privacy controls are in place.

Forward secrecy (FS) ensures that past encrypted data remains secure even if encryption keys are compromised in the future. Itgenerates ephemeral session keys that are not reused.

Other options:

A (Tokenization) replaces sensitive data with tokens but does not prevent key compromise.

B (Key stretching) makes brute-force attacks harder but does not ensure secrecy after compromise.

D (Simultaneous Authentication of Equals – SAE) is used in WPA3 but is not related to past communication security.

Step by Step Explanation:

Understanding the Scenario: The question is about ensuring that an organization retains control over its encryption keys. It focuses on different key storage and management methods.

Analyzing the Answer Choices:

A. Encrypting using a key stored in an on-premises hardware security module (HSM): This is thebest option for maintaining complete control over encryption keys. An HSM is a dedicated, tamper-resistant hardware device specifically designed for secure key storage and cryptographic operations. Storing keys on-premises within an HSM ensures the organization has exclusive access.

The issue is tracing the original source of requests in a tiered architecture with a load balancer. The web server logs show internal IPs (192.168.1.10), not the external client IPs, because the load balancer forwards requests without preserving the source. Enabling theX-Forwarded-Forheader on the load balancer adds the client’s original IP to the HTTP request headers, allowing downstream servers to log it. This ensures traceability without altering the architecture significantly.

Option A:Correct—X-Forwarded-For is the standard solution for preserving client IPs through load balancers.

Option B:A Host-based Intrusion Detection System (HIDS) detects anomalies but doesn’t address IP traceability.

Option C:A trusted CA certificate fixes the self-signed warning but is unrelated to source tracking.

Option D:Stored procedures improve database security but don’t help with IP logging.

Option E:Storing $_SERVER['REMOTE_ADDR'] captures the loadbalancer’s IP, not the client’s, unless X-Forwarded-For is enabled.