EC-COUNCIL EC-COUNCIL Certifications 312-50V12 Questions & Answers

• Question 21:

  An ethical hacker is testing a web application of a financial firm. During the test, a 'Contact Us' form's input field is found to lack proper user input validation, indicating a potential Cross-Site Scripting (XSS) vulnerability. However, the application has a stringent Content Security Policy (CSP) disallowing inline scripts and scripts from external domains but permitting scripts from its own domain. What would be the hacker's next step to confirm the XSS vulnerability?

  A. Try to disable the CSP to bypass script restrictions

  B. Inject a benign script inline to the form to see if it executes

  C. Utilize a script hosted on the application's domain to test the form

  D. Load a script from an external domain to test the vulnerability

  Correct Answer: C

  The hacker's next step to confirm the XSS vulnerability would be to utilize a script hosted on the application's domain to test the form. This is because the application's CSP allows scripts from its own domain, but not from inline or external

  sources. Therefore, the hacker can try to inject a payload that references a script file on the same domain as the application, such as:

  where script.js contains some benign code, such as alert('XSS') or print('XSS'). If the script executes in the browser, then the hacker has confirmed the XSS vulnerability. Otherwise, the CSP has blocked the script and prevented the XSS

  attack. The other options are not feasible or effective for the following reasons:

  A. Try to disable the CSP to bypass script restrictions: This option is not feasible because the hacker cannot disable the CSP on the server side, and the browser enforces the CSP on the client side. The hacker would need to modify the

  browser settings or use a browser extension to disable the CSP, but this would not affect the victim's browser or the application's security. B. Inject a benign script inline to the form to see if it executes: This option is not effective because the

  application's CSP disallows inline scripts, meaning scripts that are embedded in the HTML code. Therefore, the hacker would not be able to inject a script tag or an event handler attribute that contains some code, such as:

  or The CSP would block these scripts and prevent the XSS attack. D. Load a script from an external domain to test the vulnerability: This option is not effective because

  the application's CSP disallows scripts from external domains, meaning scripts that are loaded from a different domain than the application. Therefore, the hacker would not be able to inject a script tag that references a script file on another

  domain, such as:

  The CSP would block these scripts and prevent the XSS attack.

  References:

  1: Content Security Policy (CSP) - HTTP | MDN

  2: What is Content Security Policy (CSP) | Header Examples | Imperva

  3: Content-Security-Policy (CSP) Header Quick Reference

  4: What is cross-site scripting (XSS)? - PortSwigger

  5: Cross Site Scripting (XSS) | OWASP Foundation

  6: The Impact of Cross-Site Scripting Vulnerabilities and their Prevention

  7: XSS Vulnerability 101: Identify and Stop Cross-Site Scripting

• Question 22:

  As part of a college project, you have set up a web server for hosting your team's application. Given your interest in cybersecurity, you have taken the lead in securing the server. You are aware that hackers often attempt to exploit server

  misconfigurations.

  Which of the following actions would best protect your web server from potential misconfiguration- based attacks?

  A. Performing regular server configuration audits

  B. Enabling multi-factor authentication for users

  C. Implementing a firewall to filter traffic

  D. Regularly backing up server data

  Correct Answer: A

  The action that would best protect your web server from potential misconfiguration-based attacks is performing regular server configuration audits. A server configuration audit is a process of reviewing and verifying the security settings and parameters of the server, such as user accounts, permissions, services, ports, protocols, files, directories, logs, and patches. A server configuration audit can help you to identify and fix any security misconfigurations that may expose your server to attacks, such as using default credentials, enabling unnecessary services, leaving open ports, or missing security updates. A server configuration audit can also help you to comply with the security standards and best practices for your server, such as the CIS Benchmarks or the OWASP Secure Configuration Guide. The other options are not as effective as option A for the following reasons:

  B. Enabling multi-factor authentication for users: This option is not relevant because it does not address the server misconfiguration issue, but the user authentication issue. Multi-factor authentication is a method of verifying the identity of the users by requiring them to provide two or more pieces of evidence, such as a password, a code, or a biometric factor. Multi-factor authentication can enhance the security of the user accounts and prevent unauthorized access, but it does not prevent the server from being attacked due to misconfigured settings or parameters3.

  C. Implementing a firewall to filter traffic: This option is not sufficient because it does not prevent the server from being misconfigured, but only limits the exposure of the server to the network. A firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall can protect the server from external attacks by blocking or allowing certain ports, protocols, or IP addresses. However, a firewall cannot protect the server from internal attacks or from attacks that exploit the allowed traffic. Moreover, a firewall itself can be misconfigured and cause security issues4. D. Regularly backing up server data: This option is not preventive but reactive, as it does not protect the server from being attacked, but only helps to recover the data in case of an attack. Backing up server data is a process of creating and storing copies of the data on the server, such as files, databases, or configurations. Backing up server data can help you to restore the data in case of data loss, corruption, or deletion due to an attack. However, backing up server data does not prevent the server from being attacked in the first place, and it does not fix the security misconfigurations that may have caused the attack5. References:

  1: Server Configuration Audit - an overview | ScienceDirect Topics

  2: Secure Configuration Guide - OWASP Foundation

  3: Multi-factor authentication - Wikipedia

  4: Firewall (computing) - Wikipedia

  5: Backup - Wikipedia

• Question 23:

  During a penetration testing assignment, a Certified Ethical Hacker (CEH) used a set of scanning tools to create a profile of the target organization. The CEH wanted to scan for live hosts, open ports, and services on a target network. He used Nmap for network inventory and Hping3 for network security auditing. However, he wanted to spoof IP addresses for anonymity during probing. Which command should the CEH use to perform this task?

  A. Hping3 -110.0.0.25 --ICMP

  B. Nmap -sS -Pn -n -vw --packet-trace -p- --script discovery -T4

  C. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood

  D. Hping3-210.0.0.25-p 80

  Correct Answer: C

  The command C. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood is the correct one to spoof IP addresses for anonymity during probing. This command sends SYN packets (-S) to the target IP 192.168.1.1 with a spoofed source IP (-a)

  192.168.1.254 on port 22 (-p) and floods the target with packets (-flood). This way, the CEH can hide his real IP address and avoid detection by the target's firewall or IDS12. The other commands are incorrect for the following reasons:

  A. Hping3 -110.0.0.25 --ICMP: This command sends ICMP packets (-ICMP) to the target IP 10.0.0.25, but does not spoof the source IP. Therefore, the CEH's real IP address will be exposed to the target. B. Nmap -sS -Pn -n -vw --packettrace -p- --script discovery -T4: This command performs a stealthy SYN scan (-sS) on all ports (-p-) of the target without pinging it (-Pn) or resolving DNS names (-n). It also enables verbose output (-v), packet tracing (-packet-trace), and

  discovery scripts (-script discovery) with an aggressive timing (-T4). However, this command does not spoof the source IP, and in fact, reveals more information about the scan to the target by using packet tracing and discovery scripts. D.

  Hping3-210.0.0.25-p 80: This command sends TCP packets (default) to the target IP 10.0.0.25 on port 80 (-p), but does not spoof the source IP. Therefore, the CEH's real IP address will be exposed to the target.

  References:

  1: Master hping3 and Enhance Your Network Strength | GoLinuxCloud

  2: Spoofing Packets with Hping3 - YouTube

• Question 24:

  Your company, Encryptor Corp, is developing a new application that will handle highly sensitive user information. As a cybersecurity specialist, you want to ensure this data is securely stored. The development team proposes a method where data is hashed and then encrypted before storage. However, you want an added layer of security to verify the integrity of the data upon retrieval. Which of the following cryptographic concepts should you propose to the team?

  A. Implement a block cipher mode of operation.

  B. a digital signature mechanism.

  C. Suggest using salt with hashing.

  D. Switch to elliptic curve cryptography.

  Correct Answer: B

  A digital signature mechanism is a cryptographic concept that you should propose to the team to verify the integrity of the data upon retrieval. A digital signature mechanism works as follows: A digital signature is a mathematical scheme that allows the sender of a message to sign the message with their private key, and allows the receiver of the message to verify the signature with the sender's public key. A digital signature provides two security services: authentication and non-repudiation. Authentication means that the receiver can confirm the identity of the sender, and non-repudiation means that the sender cannot deny sending the message. A digital signature mechanism consists of three algorithms: key generation, signing, and verification. Key generation produces a pair of keys: a private key for the sender and a public key for the receiver. Signing takes the message and the private key as inputs, and outputs a signature. Verification takes the message, the signature, and the public key as inputs, and outputs a boolean value indicating whether the signature is valid or not. A digital signature mechanism can be implemented using various cryptographic techniques, such as hash-based signatures, RSA signatures, or elliptic curve signatures. A common method is to use a hash function to compress the message into a fixed-length digest, and then use an asymmetric encryption algorithm to encrypt the digest with the private key. The encrypted digest is the signature, which can be decrypted with the public key and compared with the hash of the message to verify the integrity. A digital signature mechanism can ensure the integrity of the data upon retrieval, because: A digital signature is unique to the message and the sender, and it cannot be forged or altered by anyone else. If the message or the signature is modified in any way, the verification will fail and the receiver will know that the data is corrupted or tampered with. A digital signature is independent of the encryption or hashing of the data, and it can be applied to any type of data, regardless of its format or size. The encryption or hashing of the data can provide confidentiality and efficiency, but they cannot provide integrity or authentication by themselves. A digital signature can complement the encryption or hashing of the data by providing an additional layer of security. The other options are not as suitable as option B for the following reasons:

  A. Implement a block cipher mode of operation: This option is not relevant because it does not address the integrity verification issue, but the encryption issue. A block cipher mode of operation is a method of applying a block cipher, which is

  a symmetric encryption algorithm that operates on fixed-length blocks of data, to a variable-length message. A block cipher mode of operation can provide different security properties, such as confidentiality, integrity, or authenticity,

  depending on the mode. However, a block cipher mode of operation cannot provide a digital signature, which is a form of asymmetric encryption that uses a pair of keys3 . C. Suggest using salt with hashing: This option is not sufficient

  because it does not provide a digital signature, but only a hash value. Salt is a random value that is added to the input of a hash function, which is a one-way function that maps any data to a fixed-length digest. Salt can enhance the security

  of hashing by making it harder to perform brute-force attacks or dictionary attacks, which are methods of finding the input that produces a given hash value. However, salt cannot provide a digital signature, which is a two-way function that

  uses a pair of keys to sign and verify a message .

  D. Switch to elliptic curve cryptography: This option is not specific because it does not specify a digital signature mechanism, but only a type of cryptography. Elliptic curve cryptography is a branch of cryptography that uses mathematical

  curves to generate keys and perform operations. Elliptic curve cryptography can be used to implement various cryptographic techniques, such as encryption, hashing, or digital signatures. However, elliptic curve cryptography is not a digital

  signature mechanism by itself, but rather a tool that can be used to create one .

  References:

  1: Digital signature - Wikipedia

  2: Digital Signature: What It Is and How It Works | Kaspersky

  3: Block cipher mode of operation - Wikipedia

  4: Block Cipher Modes of Operation - an overview | ScienceDirect Topics : Salt (cryptography) - Wikipedia

  5: What is Salt in Cryptography? | Cloudflare

  6: Elliptic-curve cryptography - Wikipedia

  7: Elliptic Curve Cryptography: What It Is and How It Works | Kaspersky

• Question 25:

  During a recent vulnerability assessment of a major corporation's IT systems, the security team identified several potential risks. They want to use a vulnerability scoring system to quantify and prioritize these vulnerabilities. They decide to use the Common Vulnerability Scoring System (CVSS). Given the characteristics of the identified vulnerabilities, which of the following statements is the most accurate regarding the metric types used by CVSS to measure these vulnerabilities?

  A. Temporal metric represents the inherent qualities of a vulnerability

  B. Base metric represents the inherent qualities of a vulnerability

  C. Environmental metric involves the features that change during the lifetime of the vulnerability

  D. Temporal metric involves measuring vulnerabilities based on a_ specific environment or implementation

  Correct Answer: B

  The base metric represents the inherent qualities of a vulnerability, according to the Common Vulnerability Scoring System (CVSS). CVSS is a framework that numerically characterizes the severity of software vulnerabilities between the range of 0-10. CVSS consists of three metric groups: Base, Temporal, and Environmental. The base metric group captures the characteristics of a vulnerability that are constant over time and across user environments. The base metric group consists of six sub-metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Impact. The impact sub-metric further consists of three sub-metrics: Confidentiality, Integrity, and Availability. The base metric group produces a score ranging from 0 to 10, which reflects the intrinsic and fundamental properties of a vulnerability12. The other options are not correct for the following reasons:

  A. Temporal metric represents the inherent qualities of a vulnerability: This option is incorrect because the temporal metric group captures the characteristics of a vulnerability that change over time due to events external to the vulnerability.

  The temporal metric group consists of three sub-metrics: Exploit Code Maturity, Remediation Level, and Report Confidence. The temporal metric group modifies the base score to reflect the current state of the vulnerability, such as the

  availability of exploit code, the existence of patches or workarounds, and the degree of verification of the vulnerability report12. C. Environmental metric involves the features that change during the lifetime of the vulnerability: This option is

  incorrect because the environmental metric group captures the characteristics of a vulnerability that are relevant and unique to a user's environment. The environmental metric group consists of three sub-metrics:

  Modified Attack Vector, Modified Attack Complexity, and Modified Privileges Required. The environmental metric group also allows the user to assign importance values to the impact sub-metrics: Confidentiality Requirement, Integrity

  Requirement, and Availability Requirement. The environmental metric group modifies the base and temporal scores to reflect the impact of the vulnerability on the user's specific environment, such as the network configuration, the security

  objectives, and the asset value.

  D. Temporal metric involves measuring vulnerabilities based on a specific environment or implementation: This option is incorrect because the temporal metric group does not involve measuring vulnerabilities based on a specific environment

  or implementation, but rather on the factors that change over time due to events external to the vulnerability. The environmental metric group, not the temporal metric group, involves measuring vulnerabilities based on a specific environment

  or implementation, as explained in option C.

  References:

  1: What is CVSS - Common Vulnerability Scoring System - SANS Institute

  2: Common Vulnerability Scoring System - Wikipedia

• Question 26:

  An IT security team is conducting an internal review of security protocols in their organization to identify potential vulnerabilities. During their investigation, they encounter a suspicious program running on several computers. Further examination reveals that the program has been logging all user keystrokes. How can the security team confirm the type of program and what countermeasures should be taken to ensure the same attack does not occur in the future?

  A. The program is a Trojan; the tearm should regularly update antivirus software and install a reliable firewall

  B. The program is spyware; the team should use password managers and encrypt sensitive data

  C. The program is a keylogger; the team should employ intrusion detection systems and regularly update the system software

  D. The program is a keylogger; the team should educate employees about phishing attacks and maintain regular backups

  Correct Answer: C

  A keylogger is a type of spyware that can record and steal consecutive keystrokes (and much more) that the user enters on a device. Keyloggers are a common tool for cybercriminals, who use them to capture passwords, credit card numbers, personal information, and other sensitive data. Keyloggers can be installed on a device through various methods, such as phishing emails, malicious downloads, or physical access. To confirm the type of program, the security team can use a web search tool, such as Bing, to look for keylogger programs and compare their features and behaviors with the suspicious program they encountered. Alternatively, they can use a malware analysis tool, such as Malwarebytes, to scan and identify the program and its characteristics. To prevent the same attack from occurring in the future, the security team should employ intrusion detection systems (IDS) and regularly update the system software. An IDS is a system that monitors network traffic and system activities for signs of malicious or unauthorized behavior, such as keylogger installation or communication. An IDS can alert the security team of any potential threats and help them respond accordingly. Regularly updating the system software can help patch any vulnerabilities or bugs that keyloggers may exploit to infect the device. Additionally, the security team should also remove the keylogger program from the affected computers and change any compromised passwords or credentials. References: Keylogger | What is a Keylogger? How to protect yourself How to Detect and Remove a Keylogger From Your Computer Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) What is a Keylogger? | Keystroke Logging Definition | Avast Keylogger Software: 11 Best Free to Use in 2023

• Question 27:

  During a red team engagement, an ethical hacker is tasked with testing the security measures of an organization's wireless network. The hacker needs to select an appropriate tool to carry out a session hijacking attack. Which of the following tools should the hacker use to effectively perform session hijacking and subsequent security analysis, given that the target wireless network has the Wi-Fi Protected Access-preshared key (WPA-PSK) security protocol in place?

  A. FaceNiff

  B. Hetty

  C. Droidsheep

  D. bettercap

  Correct Answer: D

  bettercap is a tool that can perform session hijacking attacks on wireless networks, among other network security and penetration testing tasks. bettercap can capture and manipulate network traffic, perform man-in-the-middle attacks, spoof and sniff protocols, inject custom payloads, and more. bettercap can perform session hijacking attacks on wireless networks that use the WPA- PSK security protocol by exploiting the four-way handshake process that occurs when a client connects to a wireless access point. The four-way handshake is used to establish a shared encryption key between the client and the access point, based on the pre-shared key (PSK) that is configured on both devices. However, the four-way handshake also exposes some information that can be used to crack the PSK offline, such as the nonce values, the MAC addresses, and the message integrity code (MIC) of the packets2. bettercap can capture the four-way handshake packets using its Wi-Fi module and save them in a file. The file can then be fed to a tool like Hashcat or Aircrack-ng to crack the PSK using brute force or dictionary attacks. Once the PSK is obtained, bettercap can use it to decrypt the wireless traffic and perform session hijacking attacks on the clients connected to the access point3. Therefore, bettercap is an appropriate tool to carry out a session hijacking attack on a wireless network that uses the WPA-PSK security protocol. References: bettercap: the Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks How the WPA2 Enterprise Wireless Security Protocol Works Cracking WPA/WPA2 Passwords with Bettercap and Hashcat

• Question 28:

  A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He exhorted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach. What should be the immediate step the system administrator takes?

  A. Perform a system reboot to clear the memory

  B. Delete the compromised user's account

  C. Change the NTLM password hash used to encrypt the ST

  D. Invalidate the TGS the attacker acquired

  Correct Answer: D

  A Kerberoasting attack is a technique that exploits the Kerberos authentication protocol to obtain the password hash of a service account that has a Service Principal Name (SPN). An attacker can request a service ticket (TGS) for the SPN using a valid user's ticket (TGT) and then attempt to crack the password hash offline. To prevent the attacker from using the TGS to access the service, the system administrator should invalidate the TGS as soon as possible. This can be done by changing the password of the service account, which will generate a new password hash and render the old TGS useless. Alternatively, the system administrator can use tools like Mimikatz to purge the TGS from the memory of the domain controller or the client system. Performing a system reboot, deleting the compromised user's account, or changing the NTLM password hash used to encrypt the ST are not effective ways to invalidate the TGS, as they do not affect the encryption of the TGS or the validity of the TGT. References: EC-Council CEHv12 Courseware Module 11: Hacking Webservers, page 11-24 What is a Kerberoasting Attack? ?CrowdStrike How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX

• Question 29:

  As a budding cybersecurity enthusiast, you have set up a small lab at home to learn more about wireless network security. While experimenting with your home Wi-Fi network, you decide to use a well-known hacking tool to capture network

  traffic and attempt to crack the Wi-Fi password. However, despite many attempts, you have been unsuccessful. Your home Wi-Fi network uses WPA2 Personal with AES encryption.

  Why are you finding it difficult to crack the Wi-Fi password?

  A. The Wi-Fi password is too complex and long

  B. Your hacking tool is outdated

  C. The network is using an uncrackable encryption method

  D. The network is using MAC address filtering.

  Correct Answer: C

  The network is using an uncrackable encryption method, which makes it difficult to crack the Wi-Fi password. WPA2 Personal with AES encryption is the strongest form of security offered by Wi-Fi devices at the moment, and it should be used for all purposes. AES stands for Advanced Encryption Standard, and it is a symmetric-key algorithm that uses a 128-bit, 192-bit, or 256-bit key to encrypt and decrypt data. AES is considered to be uncrackable by brute force attacks, as it would take an impractical amount of time and computational power to try all possible key combinations. Therefore, unless you have access to the Wi-Fi password or the encryption key, you will not be able to decrypt the network traffic and crack the password. The other options are not correct for the following reasons:

  A. The Wi-Fi password is too complex and long: This option is not relevant because the Wi-Fi password is not directly used to encrypt the network traffic. Instead, the password is used to generate a Pre-Shared Key (PSK), which is then used to derive a Pairwise Master Key (PMK), which is then used to derive a Pairwise Transient Key (PTK), which is then used to encrypt the data. Therefore, the complexity and length of the password do not affect the encryption strength, as long as the password is not easily guessed or leaked34. B. Your hacking tool is outdated: This option is not plausible because even if your hacking tool is outdated, it would not affect your ability to capture the network traffic and attempt to crack the password. The hacking tool may not support the latest Wi-Fi standards or protocols, but it should still be able to capture the raw data packets and save them in a file. The cracking process would depend on the encryption algorithm and the key, not on the hacking tool. D. The network is using MAC address filtering: This option is not feasible because MAC address filtering is a technique that restricts network access and communication to trusted devices based on their MAC addresses, which are unique identifiers assigned to network interfaces. MAC address filtering can prevent unauthorized devices from joining the network, but it cannot prevent authorized devices from capturing the network traffic. Moreover, MAC address filtering can be easily bypassed by spoofing the MAC address of an allowed device56. References:

  1: What is AES Encryption and How Does it Work? | Kaspersky

  2: AES Encryption: Everything You Need to Know | Comparitech

  3: How Does WPA2 Work? | Techwalla

  4: How Does WPA2 Encryption Work? | Security Boulevard

  5: What is MAC Address Filtering? | Definition, Types and Examples - Fortinet

  6: How to Bypass MAC Address Filtering on Wireless Networks - Null Byte ::WonderHowTo

• Question 30:

  You are a cybersecurity specialist at CloudTech Inc., a company providing cloud-based services. You are managing a project for a client who wants to migrate their sensitive data to a public cloud service. To comply with regulatory requirements, the client insists on maintaining full control over the encryption keys even when the data is at rest on the cloud. Which of the following practices should you implement to meet this requirement?

  A. Use the cloud service provider's encryption services but store keys on-premises.

  B. Use the cloud service provider's default encryption and key management services.

  C. Rely on Secure Sockets Layer (SSL) encryption for data at rest.

  D. Encrypt data client-side before uploading to the cloud and retain control of the encryption keys.

  Correct Answer: D

  The best practice to meet the client's requirement is to encrypt data client- side before uploading to the cloud and retain control of the encryption keys. This practice is also known as client-side encryption or end-to-end encryption, and it involves encrypting the data on the client's device using a software or hardware tool that generates and manages the encryption keys. The encrypted data is then uploaded to the cloud service, where it remains encrypted at rest. The encryption keys are never shared with the cloud service provider or any third party, and they are only used by the client to decrypt the data when needed. This way, the client can maintain full control over the encryption keys and the security of the data, even when the data is stored on a public cloud service12. The other options are not as optimal as option D for the following reasons:

  A. Use the cloud service provider's encryption services but store keys on- premises: This option is not feasible because it contradicts the client's requirement of maintaining full control over the encryption keys. Using the cloud service provider's encryption services means that the client has to rely on the cloud service provider to generate and manage the encryption keys, even if the keys are stored on-premises. The cloud service provider may have access to the keys or the ability to decrypt the data, which may compromise the security and privacy of the data. Moreover, storing the keys on-premises may introduce additional challenges, such as key distribution, synchronization, backup, and recovery3. B. Use the cloud service provider's default encryption and key management services: This option is not desirable because it violates the client's requirement of maintaining full control over the encryption keys. Using the cloud service provider's default encryption and key management services means that the client has to trust the cloud service provider to encrypt and decrypt the data on the server-side, using the cloud service provider's own encryption keys and mechanisms. The cloud service provider may have access to the keys or the ability to decrypt the data, which may compromise the security and privacy of the data. Furthermore, the cloud service provider's default encryption and key management services may not meet the regulatory requirements or the security standards of the client4. C. Rely on Secure Sockets Layer (SSL) encryption for data at rest: This option is not sufficient because SSL encryption is not designed for data at rest, but for data in transit. SSL encryption is a protocol that encrypts the data as it travels over the internet between the client and the server, using certificates and keys that are exchanged and verified by both parties. SSL encryption can protect the data from being intercepted or modified by unauthorized parties, but it does not protect the data from being accessed or decrypted by the cloud service provider or any third party who has access to the server. Moreover, SSL encryption does not provide the client with any control over the encryption keys or the security of the data. References:

  1: Client-side encryption - Wikipedia

  2: What is Client-Side Encryption? | Definition, Benefits and Best Practices | Kaspersky

  3: Cloud Encryption Key Management: What You Need to Know | Thales

  4: Cloud Encryption: How It Works and How to Use It | Comparitech : What is SSL Encryption and How Does it Work? | Norton