Brainscape Glossarry Flashcards

Question

# BYOD bring your own device

Answer 1

Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.

Answer 2

A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.

Answer 3

An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.

Answer 4

Reward scheme operated by software and web services vendors for reporting vulnerabilities.

Answer 5

Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers.

Answer 6

A systematic activity that identifies organizational risks and determines their effect on ongoing, mission-critical operations.

Answer 7

Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.

Answer 8

Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.

Answer 9

A web page or website to which a client is redirected before being granted full network access.

Answer 10

🎮 What is a CTF? A Capture the Flag (CTF) is a cybersecurity competition where players or teams solve hacking challenges to find hidden "flags" — strings like flag{you_got_it}.

Answer 11

Duplicating a smart card by reading (skimming) the confidential data stored on it. Also known as skimming.

Answer 12

🧠 Definition: Data Carving is a forensic technique used to recover files from raw data, such as a hard drive or memory dump, without relying on a file system. Even if the file system is corrupted, deleted, or missing — data carving digs the fragments out anyway. 🧩 How It Works: Data carving searches for file signatures (magic numbers) — patterns that mark the start and end of known file types. For example: A JPEG starts with FFD8 and ends with FFD9 A PDF starts with %PDF and ends with %%EOF The tool scans the raw data and “carves out” matching chunks that look like complete files. 📦 Why It’s Used: Scenario Use of Data Carving File system is deleted/corrupted Still extract files Files have been deleted or wiped Recover remnants from unallocated space Digital forensics investigation Find hidden/stolen/exfiltrated files Malware analysis Extract payloads from memory or disk 🛠️ Tools That Do It: Scalpel Foremost Autopsy/Sleuth Kit PhotoRec ⚠️ Limitations: No filenames or paths — just raw file contents May return fragmented or incomplete files Can generate false positives Works best on non-fragmented file systems (like FAT) 🎯 TL;DR: Data Carving = CSI for your hard drive. Even if the file system is toast, we can still find that PDF hiding in the ashes.

Answer 13

Linux command to view and combine (concatenate) files. The cat command = concatenate – it's used to view, combine, or create text files in Unix/Linux. --- 🐱 TL;DR cat = quick way to display file contents or combine multiple files. --- 📖 Basic Usage Command What It Does cat file.txt Prints contents of file.txt to the screen cat file1 file2 Prints both files one after the other cat > newfile.txt Creates a new file by letting you type content (press Ctrl+D to save and exit) cat file1 file2 > combined.txt Combines two files into a new one cat >> file.txt Appends typed input to an existing file --- 🧪 Example cat hello.txt Output: Hello, world! cat file1.txt file2.txt > all.txt Combines both files into one.

Answer 14

A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).

Answer 15

🔑 What is a Certificate Authority? A Certificate Authority (CA) is a trusted third party that issues digital certificates to verify identity on the internet. Think of it as the passport office of the internet: > Just like a passport proves who you are, a digital certificate proves a website or user's identity. --- 📜 What does a CA do? 1. Verifies identity of a website, person, or organization. 2. Issues a digital certificate (often X.509 format). 3. Helps establish trust in secure communications (like HTTPS). --- 🌐 Where you see it: When you go to https://, your browser checks the website’s certificate. That cert is signed by a CA your browser already trusts. --- 🧪 Behind the scenes: Uses public key infrastructure (PKI). The certificate contains: The public key The domain/identity CA's signature Expiration date --- 🚨 What happens if a CA is compromised? Instant trust crisis. Browsers revoke trust, causing errors like: > "Your connection is not private."

Answer 16

A list of certificates that were revoked before their expiration date.

Answer 17

🧾 What is a CSR? A Certificate Signing Request (CSR) is a file you send to a Certificate Authority (CA) when you want them to issue you a digital certificate. It’s like filling out an application form for your website’s digital passport. --- 🧰 What’s inside a CSR? The CSR contains: Field Description Public key Used to encrypt/decrypt data Common Name (CN) The domain name (e.g., www.example.com) Organization info Company name, location, etc. Email (optional) Digital signature Made with your private key, to prove you own it ⚠️ Private key is not included — keep it secret, keep it safe! --- 🔐 How it works: 1. You generate a public/private key pair. 2. You create the CSR with your public key and info. 3. You send the CSR to a CA. 4. CA verifies your identity and signs your cert. 5. You get back an SSL/TLS certificate. > TL;DR: A CSR is like a digital application for a security certificate. You send it to a CA to prove ownership of a domain and request a signed cert. 🔑 Public key goes in the CSR. 🔒 Private key stays with you

Answer 18

The record of evidence history from collection, to presentation in court, to disposal.

Answer 19

Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks. --- 🧾 What is CHAP? CHAP is an authentication method used mostly in PPP (Point-to-Point Protocol) connections (e.g., dial-up, some VPNs). It’s like a password handshake with surprise quizzes to make sure you're still legit during a connection. --- CHAP = a challenge-response login protocol used in older network connections. Think: “You say you're Bob? Solve this random puzzle first... and again later.” ✅ Better than plain text ❌ Obsolete in modern systems due to MD5 weaknesses.

Answer 20

The process by which the need for change is recorded and approved.

Answer 21

The process through which changes to the configuration of information systems are implemented, as part of the organization's overall configuration management efforts.

Answer 22

The output of a hash function. Checksum A checksum is a quick math summary of a file to detect errors during transmission or storage. > Think: “Did I drop any bits on the way?” Like totaling up the values of ingredients to make sure nothing was missed. Fast and simple 🧮 Common: CRC32, Adler-32, MD5 (originally used like this) 🎯 Used for: Error checking, file integrity ❌ Not secure – attackers can easily fake a matching checksum checksum asks, “Did I drop something?” A hash asks, “Did someone sneak in and change something?” 🔧 Checksum = basic error check. 🔒 Hash = secure data fingerprint.

Answer 23

Linux command for managing file permissions. chmod = change mode – it's a command used in Unix/Linux to set permissions on files or directories. 🛠️ TL;DR chmod controls who can read, write, or execute a file. Permissions are set for: User (u) – the owner Group (g) – the group the file belongs to Others (o) – everyone else 🔢 Numeric Mode You’ll often see it like this: chmod 755 filename Each digit = permissions for user/group/others, based on this table: Permission Value read (r) 4 write (w) 2 execute (x) 1 So: 7 = 4+2+1 = read/write/execute 5 = 4+0+1 = read/execute

Answer 24

Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.

Answer 25

An encryption mode of operation where an exclusive or (XOR) is applied to the first plaintext block 🔐 Cipher Block Chaining (CBC) CBC = a block cipher mode of operation that encrypts data one block at a time, but chains each block to the one before it to add security. --- 🧠 TL;DR: CBC makes each block depend on the previous one. This hides patterns and increases confidentiality.

Answer 26

A Layer 5 firewall technology that tracks the active state of a connection, and can make decisions based on the contents of network traffic as it relates to the state of the connection. A circuit-level stateful inspection firewall is a fancy term for a firewall that: > 🧠 Remembers your connections, 🛡️ protects your traffic, and 🕵️‍♂️ watches for sketchy behavior at the session level. --- 🛠️ TL;DR Circuit-level = Watches the session handshake (e.g., TCP 3-way handshake) Stateful inspection = Remembers and tracks the state of active connections It doesn’t look inside the packets deeply — it just watches the connection like a bouncer checking IDs and wristbands, not searching backpacks --- 📦 What It Checks: Layer Example Check OSI Layer 4 TCP handshake complete? OSI Layer 5 Is the session valid and allowed? Connection table Is this part of an existing conversation? --- 🧩 Example in Action 1. You connect to a website → TCP handshake happens. 2. Firewall sees a legit outbound connection → adds it to its state table. 3. The response traffic from the website is allowed because it matches a tracked session. 4. Unexpected or forged traffic? Blocked. / difference with forward proxy: 🧠 TL;DR: > Circuit-level stateful inspection firewall and forward proxy can behave similarly… But they’re not the same thing. They both intercept and inspect connections, but their goals, layers, and visibility are different. --- ⚙️ Circuit-Level Stateful Firewall Main job: ✅ Track and allow/refuse sessions based on rules ✅ Focus on network-layer + session-layer behavior ❌ Doesn’t look into data or content Use case: Block unauthorized traffic Only allow "legit" sessions (like only outbound TCP 443) --- 🌐 Forward Proxy Main job: ✅ Act as the user’s representative to the internet ✅ Optionally log/filter/modify content ✅ Hide user's IP Use case: Anonymize or restrict browsing Enforce web filtering Bypass geographic blocks

Answer 27

An organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.

Answer 28

Think of it as a security guard for your cloud apps. --- 🧠 TL;DR: A CASB sits between your users and cloud services (like Google Workspace, Microsoft 365, Salesforce) to monitor, enforce, and secure cloud usage. --- 📦 What It Does Function Example 🕵️‍♂️ Visibility Who’s using which cloud apps, when, and how? 🛂 Access Control Enforce policies: block risky behavior (e.g., don’t upload sensitive files to Dropbox) 🔐 Data Security DLP: prevent sensitive data from being shared or leaked 🛡️ Threat Protection Detect malware, suspicious logins, shadow IT 📜 Compliance Help meet standards like HIPAA, GDPR, etc. 🧪 Analogy: > CASB is like airport security for your data flights: Scans your bags (files), checks your ID (user identity), and enforces rules before you can board (access the cloud).

Answer 29

Classifying the ownership and management of a cloud as public, private, community, or hybrid.

Answer 30

→ Provides security guidance to Cloud Service Providers (CSPs) and users → Publishes the Cloud Controls Matrix (CCM) and Enterprise Reference Architecture

Answer 31

Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure,

Answer 32

A vendor offering public cloud service models, such as PaaS, IaaS, or SaaS. A cloud service model defines what type of services a cloud provider delivers to users — from raw infrastructure to complete apps. It’s all about what you're responsible for vs. what the provider manages.

Answer 33

Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice. Also known as ethics.

Answer 34

Potentially unsecure programming practice of using code originally written for a different context.

Answer 35

Code signing is the digital signature applied to software or scripts to prove: Who published it (authenticity) That it hasn't been altered (integrity) It’s like a wax seal on a letter — it proves who sent it and whether someone tampered with it

Answer 36

A predetermined alternate location where a network can be rebuilt after a disaster.

Answer 37

A collector is a network appliance or software that gathers, processes, and stores data from other devices — typically for monitoring, logging, or analysis. ✅ TL;DR: Collector = Traffic sniffer + data organizer Gathers logs, flow data, or telemetry from routers, switches, firewalls, endpoints, etc.

Answer 38

In cryptography, the act of two different plaintext inputs producing the same exact ciphertext output.

Answer 39

Command and Control (C2) refers to the communication link between a threat actor and a compromised system. It’s how attackers issue commands, receive stolen data, and maintain control over infected devices. C2 = Hacker’s remote control panel Let’s the attacker send instructions and receive data from compromised hosts (a.k.a. zombies or bots). 🔍 How It Works: Initial Compromise – Malware is installed on the victim’s system. C2 Beaconing – The infected host phones home (e.g., every 10 mins). C2 Link Established – Secure tunnel or stealthy protocol. Attack Continues – Attacker can exfiltrate data, move laterally, or trigger payloads.

Answer 40

The Common Access Card (CAC) is a smart card issued by the U.S. Department of Defense (DoD) to: Active-duty military personnel Reserve members DoD civilian employees Contractors It provides physical access to DoD facilities and logical access to DoD computer systems and networks. ✅ TL;DR: CAC = U.S. military ID + smart chip for secure computer access Used for authentication, digital signatures, and encryption 🧩 What's on the CAC? Feature Purpose 🛂 Personal info Name, rank, branch, DoD ID number 🔐 Smart chip Stores certificates for PKI functions ✍️ Digital certificates For signing and encrypting emails 📎 Barcode & photo For visual ID and scanning 🧱 CAC in Security+ Context: Part of multi-factor authentication: Something you have (CAC) + something you know (PIN) Supports PKI-based systems Used in federal government security models Helps enforce least privilege and non-repudiation

Answer 41

📛 What Is Common Name (CN) in X.500? The Common Name (CN) is a key attribute in the X.500 directory standard, used to identify a specific entity (like a user or server) in a distinguished name (DN) — a unique identifier used in digital certificates and LDAP directories. ✅ TL;DR: Common Name (CN) = The human-readable name of the object (e.g., a person or a domain name) Part of a larger Distinguished Name (DN) in X.500-style naming. Security+ Relevance: CN is part of PKI structure (Public Key Infrastructure) Used in certificate validation Critical in mutual TLS authentication Related to certificate spoofing if improperly validated

Answer 42

CVE = Common Vulnerabilities and Exposures 🛠️ TL;DR: A CVE is like a bug bounty ID tag for a security flaw. It's a unique identifier for a known cybersecurity vulnerability. Example: CVE-2023-23397 refers to a Microsoft Outlook vulnerability that allowed privilege escalation via calendar invites. --- 🔍 What It Really Means: Term Meaning Common Shared across organizations Vulnerability A weakness in software/hardware Exposure A configuration issue that may not be a bug, but still poses risk --- 🧩 CVEs Include: A CVE ID (like a serial number) A brief description A reference to patches, fixes, or advisories A severity score (often via CVSS – Common Vulnerability Scoring System) Example Breakdown: CVE-2021-44228 Year: 2021 Unique ID: 44228 This is the infamous Log4Shell vulnerability (Apache Log4j) Allowed remote code execution (RCE) Affected millions of apps worldwide

Answer 43

A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.

Answer 44

A cloud that is deployed for shared use by cooperating tenants. A community cloud is a cloud deployment model shared by multiple organizations with common goals, policies, or compliance requirements — such as security, mission, or industry regulations. ✅ TL;DR: Community Cloud = Cloud shared by a group with similar needs Not open to the public, but not private to just one org either Hosted on-prem or by a third party 🧱 Key Characteristics: Feature Description 👥 Shared use Used by multiple organizations (e.g., same industry or mission) 🎯 Common purpose Built around shared compliance, security, or business goals 🛠️ Joint management Can be managed by the orgs, a third party, or both 🔐 Restricted access Not open to general public or unrelated users 🧠 Real-World Analogy: Think of a private coworking space shared by law firms: They all need the same physical security, confidentiality, and legal resources — so they share costs and governance.

Answer 45

A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.

Answer 46

An image of text characters or audio of some speech that is difficult for a computer to interpret. CAPTCHAs are used for purposes such as preventing bots from creating accounts or submitting forms.

Answer 47

The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.

Answer 48

The three principles of security control and management. Also known as the information security triad. or AIC triad.

Answer 49

A type of virtualization applied by a host operating system to provision an isolated execution environment for an application. 📦 What Is Containerization? Containerization is a lightweight form of virtualization that packages an application and everything it needs to run — code, libraries, dependencies — into a single, portable unit called a container. ✅ TL;DR: Container = App + all its stuff, packed into a neat, portable box Runs consistently on any system that supports containers (like Docker) 🧱 Key Features: 🧬 Isolated - Runs independently from other apps and the host OS 🚚 Portable - “Build once, run anywhere” — from dev to production ⚡ Lightweight - Shares the host OS kernel — uses fewer resources than VMs ⚙️ Fast startup - Containers launch in seconds, not minutes 🔁 Scalable - Ideal for microservices and cloud-native deployments 🧠 Real-World Analogy: Imagine a shipping container: It doesn't matter whether it's on a truck, train, or ship — it’s self-contained and standardized, so it works anywhere.

Answer 50

A content filter is a security tool that blocks or restricts access to certain types of content based on predefined rules — typically to prevent exposure to malicious, inappropriate, or non-work-related material. 🔐 Security+ Relevance: Mitigates social engineering (e.g., phishing websites) Helps prevent malware downloads Enforces acceptable use policies (AUPs) Supports data loss prevention (DLP)

Answer 51

🧠 What Is Context-Aware Authentication? Context-aware authentication (also called adaptive authentication) adjusts the authentication process based on contextual information — like where, when, how, and from what device the user is trying to log in. ✅ TL;DR: Context-aware auth = Smart login system It decides if extra verification is needed based on suspicious or unusual conditions 🧱 What It Checks (the “context”): Context Signal Example Scenario 📍 Location Logging in from a foreign country ⏰ Time of access Login attempt at 3 AM when user usually works 9–5 🖥️ Device type New laptop or unrecognized phone 🌐 IP address Suspicious or blacklisted IP 📶 Network type Public Wi-Fi vs secure corporate network ⚙️ User behavior Unusual patterns or too many failed attempts 🧠 Real-World Analogy: Imagine your bank says: “You always log in from Missouri on a Windows PC at 8 PM — but now you're in Romania on an iPhone at 3 AM. Prove it’s you.” So it asks for extra MFA (like a code or fingerprint) just in case.

Answer 52

Continuous Delivery is a software development practice where code changes are automatically built, tested, and prepared for release to production at any time — with minimal manual intervention. ✅ TL;DR: Continuous Delivery = Always ready to deploy Code goes through automated testing & staging so it’s production-ready at all times. 🧱 Key Features of Continuous Delivery: Feature Benefit 🔁 Automated testing Catch bugs early 🏗️ Automated builds Fast, consistent packaging 🚦 Staging environment Final review area before release 🧑‍💻 Manual approval step Gives control over live releases 🧪 Difference vs. Continuous Deployment: Concept Deployment to Production Continuous Delivery Manual trigger Continuous Deployment Automatic after all tests pass

Answer 53

Software development method in which app and platform updates are committed to production rapidly. Continuous Deployment is a DevOps practice where every code change that passes automated tests is automatically pushed to production — no human approval required. ✅ TL;DR: Continuous Deployment = Fully automated go-live If the code passes tests, it deploys automatically to users. No staging, no manual review. Everything is automated. No stop at “manual approval.” 🧠 Real-World Analogy: Think of a high-speed pizza robot kitchen: The moment a pizza is fully baked and passes inspection, it’s boxed and shipped — no human touches it after the oven. 🔐 Security+ & DevSecOps Angle: Great for patching vulnerabilities quickly Requires strong automated security testing Increases speed, but must balance security + monitoring

Answer 54

Continuous Integration (CI) is a DevOps development practice where developers frequently merge code into a shared repository — and automated builds and tests are run immediately to catch problems early. ✅ TL;DR: Continuous Integration = Test every change, early and often Ensures that new code doesn’t break existing code and is always in a workable state. 🧠 Real-World Analogy: Imagine a giant group project where everyone adds parts to the same machine every few hours — CI makes sure each new piece fits perfectly before it’s bolted on.

Answer 55

Continuous Monitoring is a security and operations practice where systems, networks, and applications are constantly observed for signs of: Unauthorized access Performance issues Vulnerabilities Configuration drift Compliance violations It’s about real-time awareness and automated response. ✅ TL;DR: Continuous Monitoring = Always watching, always alert Helps detect threats, misconfigurations, or failures before they become disasters.

Answer 56

Control risk refers to the likelihood that existing security controls will fail to detect, prevent, or correct a threat or vulnerability — allowing a harmful event to occur. ✅ TL;DR: Control Risk = Risk that your defenses won’t work as expected Even with controls in place, there’s a chance they miss something or fail under pressure.

Answer 57

A Controller Area Network (CAN) bus is a robust, real-time communication system that allows microcontrollers and devices to communicate with each other without a host computer, commonly used in automotive and industrial systems. ✅ TL;DR: CAN Bus = In-vehicle communication highway Allows components like brakes, engine, and airbags to talk to each other instantly and reliably 🧱 Key Characteristics: Feature Description 🔗 Multi-master system All nodes can send and receive data ⚙️ No central controller Communication is peer-to-peer ⚡ Fast and real-time Speeds up to 1 Mbps (CAN FD goes even higher) 🔁 Message-based Devices send messages to the network, not directly to each other 🛡️ Error detection Built-in mechanisms to check and handle errors 🧠 Real-World Analogy: Imagine a group chat between all car components. Instead of whispering to each other directly, everyone broadcasts messages into the room, and only the relevant listeners act on them. 🚙 Where You’ll Find It: Industry Use Case Automotive Engine control, airbags, windows, sensors Industrial Factory robots, assembly line machines Aerospace Avionics and flight control systems Medical devices Communication between sensors and mon 🔐 Security Concerns: Issue Risk 🕵️ No built-in encryption Easy to eavesdrop with physical access 🎯 Broadcast model One compromised node can affect the whole bus 🔄 Spoofed messages Fake brake or airbag commands if not validated Used in vehicle cybersecurity topics (e.g., CAN injection attacks, car hacking).

Answer 58

COBO is a mobile device deployment model where the device is: Owned by the company Used only for work-related purposes Fully managed and locked down by IT 📱 Key Features of COBO: Feature Description 🧾 Company-owned - Purchased and issued by the organization 🚫 No personal use - Restricted to approved business apps and functions 🛠️ Fully managed - IT controls settings, software, and usage policies 🔒 Highly secure - Ideal for regulated or high-security environments 🛡️ Security+ Relevance: Benefit How It Helps 🔐 High security posture No personal apps = reduced attack surface 📋 Policy enforcement Easier to enforce encryption, MDM, patching 🧑‍⚖️ Compliance ready Ideal for industries with strict regulations 🚫 Data segregation No personal/work data mixing

Answer 59

Enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.

Answer 60

A corrective control is a type of security control that activates after a security incident has occurred — its job is to fix the problem, limit the damage, and restore systems to normal operations. of security control that acts after an incident to eliminate or minimize its impact.

Answer 61

Function of log 🔍 What Is Correlation in Log Analysis? Correlation in log analysis means linking events from different systems or sources to identify patterns, security incidents, or system issues that would be invisible if each log were reviewed in isolation. ✅ TL;DR: Correlation = Connecting the dots between logs that links log and state data to identify a pattern that should be logged or alerted as an event.

Answer 62

An encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Counter Mode (CTR or CTM) is a block cipher mode of operation that turns a block cipher into a stream cipher by encrypting a sequence of incrementing counter values, then XORing the result with the plaintext to get the ciphertext. 🔄 How It Works: Generate a nonce (number used once) + a counter value. Encrypt the nonce+counter using the block cipher (e.g., AES). XOR the encrypted output with the plaintext to get ciphertext. Increment the counter, repeat for the next block. ➡️ Same process for decryption (XOR again with same keystream). 🧱 Key Features of CTR/CTM Mode: Feature Description ⚡ Fast - Allows parallel encryption/decryption (no chaining) 🔁 Symmetric operation - Same process for encryption & decryption 🎯 Stream-like - Great for encrypting variable-length data ❗ Nonce is critical - Reusing a nonce = catastrophic vulnerability 📦 Use Cases: High-speed bulk encryption Encrypting data in real time (e.g., VPNs, disk encryption) Applications that benefit from parallel processing _____ 🎯 Goal: You want to send a secret message: “HI” --- 🔐 Step 1: You and your friend share a secret key Let’s say your “lockbox” (AES) needs a secret key to work. Both of you know it ahead of time. --- 🔢 Step 2: You start a counter You agree to start with the number 1, and count up from there for each letter. --- 🧃 Step 3: You turn the counter into secret sauce (this is the "scrambled version") Here’s the trick: Instead of scrambling the message directly, you scramble the number 1 using your secret lockbox (AES + key). This gives you something random-looking, like: 🔐 "Z" This Z is now your keystream letter — you haven’t touched your real message yet. --- ✖️ Step 4: Mix the keystream with your message using XOR Your first message letter is "H". Now you combine "H" and "Z" using a rule called XOR (basically a rule that mixes letters based on their bits). The result is a new encrypted letter, let’s say: "K" --- 🔁 Step 5: Repeat for the next letter Increase the counter to 2 Scramble 2 → you get keystream letter "Y" Your message letter is "I" XOR "I" with "Y" → encrypted letter "N" --- 📬 Final Encrypted Message: “KN” You send "KN" to your friend. --- 🔓 How your friend decrypts it: 1. They use the same key 2. They start with counter = 1, scramble it → get "Z" 3. They XOR "K" with "Z" → get back "H" 4. Do the same with "N" and counter = 2 → get back "I" --- 🧠 Why this works: You’re using the block cipher (AES) to scramble predictable numbers (the counters) That scrambled output becomes a disposable key for each part of your message Since the counters go in order (1, 2, 3...), and the key never changes, your friend can recreate the exact same scrambled letters on their end XOR makes it all reversible --- TL;DR: > You scramble numbers like 1, 2, 3 with your secret key to get fake letters (keystream). Then you mix each of those with your message to hide it. Your friend uses the same key and same numbers to reverse the process.

Answer 63

An encryption protocol used for wireless LANs that addresses the vulnerabilities of the WEP protocol. --- What is CCMP? CCMP = Counter Mode with Cipher Block Chaining Message Authentication Code Protocol Yeah, it’s a mouthful. But here’s the simple version: > CCMP is the security system used in modern Wi-Fi (WPA2 and WPA3) to keep your wireless data private and tamper-proof. --- 🧠 Plain English Breakdown: Term What it Means Counter Mode (CTR) Encrypts your data in blocks by scrambling a counter number (you just learned this!) CBC-MAC Adds a Message Authentication Code (MAC) to detect tampering — like sealing a letter with a wax stamp Protocol Just means it's a set of rules that define how to do the encryption and authentication securely --- 🔐 What does CCMP protect? 1. Confidentiality — hides your data using AES in CTR mode (so no one can read your Wi-Fi traffic) 2. Integrity — uses CBC-MAC to detect if someone messed with the data 3. Replay Protection — counters stop hackers from re-sending old packets to trick your system --- 🏠 Where is CCMP used? WPA2-Personal (WPA2-PSK) WPA2-Enterprise WPA3 Basically: If you're using modern Wi-Fi, you’re using CCMP — it replaced the older, broken TKIP. --- TL;DR: > CCMP is the modern Wi-Fi bodyguard — it encrypts your data using AES and checks every message to make sure it hasn’t been tampered with.

Answer 64

🤖 What Is Credential Stuffing? Credential stuffing is a type of brute-force attack where an attacker takes username-password pairs stolen from one site and tries them on other websites — hoping the user reused the same credentials. ✅ TL;DR: Credential Stuffing = “Let’s see if this stolen login works anywhere else.” Uses real usernames + real passwords, just not necessarily for the site being attacked. 🧠 Real-World Analogy: A thief finds a key labeled "Apartment 7". Instead of trying to break into Apartment 7, they just go down the street trying that key on every other door. 🛡️ How to Defend Against It (Security+ Level): Control Description 🔐 Multi-Factor Authentication (MFA) Even if creds work, attacker can’t get in 🔄 Credential hygiene Don’t reuse passwords — use a password manager 📊 Behavioral analysis Monitor for odd logins (geo, IP, device) 🚧 Rate limiting / throttling Slow down login attempts 📵 Block known bad IPs Use threat intelligence feeds 🔍 Dark web monitoring Know when your org’s creds are leaked 🔐 Related Concepts: Term Description Password spraying One password, many users Brute-force Tries all possible passwords Dictionary attack Tries passwords from a known list Credential stuffing Real creds, wrong site

Answer 65

Biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance. 🎯 What is the Crossover Error Rate (CER)? The Crossover Error Rate, also called Equal Error Rate (EER), is a single number that tells you how accurate a biometric system is (like fingerprint scanners, facial recognition, retina scans, etc.). --- 🧠 CER is where two kinds of mistakes are equal: 1. False Acceptance Rate (FAR) > The system wrongly accepts an imposter as legit ("You’re not the real user, but I let you in") 2. False Rejection Rate (FRR) > The system wrongly rejects the real user ("You're the real user, but I don't believe you") 🔁 The CER is the point where FAR = FRR. --- 📉 Imagine Two Lines Crossing: One line shows how often imposters get in (FAR) One shows how often real users get blocked (FRR) As you adjust the system’s strictness, these lines move Where they cross? That’s the CER > 📌 The lower the CER, the better the biometric system. --- 🧪 Analogy: Imagine a nightclub bouncer with facial recognition goggles: If he’s too strict, real VIPs get denied (high FRR) If he’s too relaxed, fakes sneak in (high FAR) The Crossover Error Rate is the point where he messes up equally in both ways — and that tells us how reliable he is overall. --- TL;DR: > CER = where a biometric system’s false accepts and false rejects are equal. Lower CER = more accurate system.

Answer 66

A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. Also known as client-side request forgery or CSRF.

Answer 67

What is XSS? > Cross-Site Scripting (XSS) is when a hacker sneaks malicious scripts (usually JavaScript) into a website so that other users unknowingly run that script in their browsers. --- 🧠 Think of it like this: > You go to a public bulletin board (a website) and post a harmless message. A hacker goes to that same board and posts a message that secretly says: “When someone reads this, run a script to steal their cookies.” Now, anyone who reads that message runs the malicious code in their browser — without knowing it. --- 🔍 Why it’s dangerous: It can steal session cookies, letting attackers hijack user accounts. It can redirect users to fake login pages (phishing). It can deface the site or trick users into clicking malicious content.

Answer 68

Crypto Erase is a data sanitation method that securely deletes data by detroying the encryptions keys used to protect it. That makes the data unreadable and unrecoverable: if that is still on the disk, it is meaningless ciphertext.

Answer 69

🧠 **Definition: Cuckoo** is an open-source automated malware analysis system that runs suspicious files in a virtualized environment (sandbox) and monitors what they do. Basically: “Let’s see what this sketchy file does when we lock it in a fake room and hit ‘Play.’” 🧪 What It Does: Cuckoo analyzes: Executables (.exe) PDFs, Office docs, scripts URLs, emails, even Android APKs 🧰 Output You Get: Human-readable report (HTML, JSON, etc.) Indicators of Compromise (IOCs) Network dumps (PCAP) Screenshots of malware in action Behavioral logs and timelines 🔐 Why It’s Important: Safe way to analyze unknown or suspicious files Helps reverse engineers, incident responders, threat hunters Can identify payloads, dropper behavior, C2 domains, etc. 🏗️ How It Works (Simplified): You submit a file. Cuckoo runs it inside a VM (Windows/Linux/Android). It monitors system behavior and logs everything. You get a detailed report of what happened. 🛡️ TL;DR: Cuckoo = “Malware daycare with security cameras.” You throw the suspicious file in, let it misbehave, and document everything it does in a safe sandbox.

Answer 70

🔍 What is curl? > curl stands for Client URL. It’s a command-line tool used to send and receive data from or to a URL, using protocols like HTTP, HTTPS, FTP, and more. --- 🧠 Plain English: > "curl is like opening a browser tab with your keyboard — you tell it what URL to go to and what to do there." --- 🛠️ Common Uses: Task Example 🔎 Get a web page curl https://example.com 📄 Save output to file curl -o page.html https://example.com 🚪 Send a POST request curl -X POST -d "name=Sev" https://api.site.com/form 🔑 Use API key or auth curl -H "Authorization: Bearer TOKEN" https://api.site.com/data 💬 Send JSON curl -X POST -H "Content-Type: application/json" -d '{"name":"Alpine"}' https://api.site.co 🎯 TL;DR: > curl is a versatile, text-based way to talk to websites and APIs. You can use it to test, download, upload, and debug web requests — all from the terminal.

Answer 71

The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources. Also known as threat intelligence.

Answer 72

🧠 Definition: Data at rest refers to any data stored on a device or medium that is not actively moving across a network. If it’s just sitting there — on a hard drive, SSD, USB stick, cloud storage, etc. — it’s data at rest.

Answer 73

When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.

Answer 74

🧠 What is a Data Controller in data regulation? > A Data Controller is the person or organization that decides: What personal data is collected Why it’s collected How it will be used --- 🔍 Plain English: > A data controller is like the boss of personal data. They make the decisions about the purpose and means of processing the data. --- 📚 Used in: GDPR (General Data Protection Regulation – EU) UK Data Protection Act Other privacy frameworks --- 🧱 Responsibilities: Duty What it means ✅ Lawful basis Have a legal reason to collect/process data 📄 Transparency Tell users what’s being done with their data 🔐 Security Protect data from breaches or misuse 🗑️ Data minimization Don’t collect more than you need 🧽 Right to erasure Respect requests to delete personal data

Answer 75

🧠 What is a Data Custodian? > A Data Custodian is the person or team responsible for the safe storage, transport, and maintenance of data — but they don’t decide how or why the data is used. --- 🧹 Plain English: > A data controller says, "This is what data we collect and why." A data custodian says, "Got it — I’ll store and protect it." --- 🧱 Key Responsibilities: Task What it Means 💾 Data storage Ensures data is properly stored (e.g., databases, backups) 🔐 Security Applies controls like encryption, access permissions ♻️ Backups & recovery Maintains data availability and disaster recovery plans 🧼 Integrity & cleanliness Ensures data is accurate and uncorrupted 🧑‍💻 Technical enforcement Implements policies set by data owners/controllers --- 🧑‍🤝‍🧑 Compared to Others: Role What They Do Data Controller Decides what data is collected and why Data Processor Handles data for the controller (often external) Data Custodian Protects, stores, and manages data (often internal IT/security) > 💡 Analogy: The controller is the librarian choosing which books to collect. The custodian is the shelver/security team ensuring books are safe, organized, and available. --- 🧠 TL;DR: > A data custodian is the technical guardian of data — making sure it’s secure, available, and properly handled, but not deciding its purpose.

Answer 76

🕵️‍♂️ What is Data Exfiltration? > Data exfiltration is when sensitive data is stolen from a system and sent out to an unauthorized party — often secretly and without the victim knowing. --- 🧠 Plain English: > It’s like a thief sneaking sensitive documents out of a building, hiding them in their coat. In cyber terms, that “coat” might be: A hidden email A covert file transfer An encrypted message over a legit-looking connection

Answer 77

🔓 What is Data Exposure? > Data exposure happens when sensitive or private data is accidentally made accessible to unauthorized people — without necessarily being stolen. --- 🧠 Plain English: > It’s like leaving confidential files on a public bench — no one may have taken them yet, but they were left out where anyone could see.

Answer 78

🧭 What is Data Governance? > Data governance is the framework for how an organization manages, protects, and uses its data — to ensure it’s accurate, secure, consistent, and used properly. --- 🧠 Plain English: > It’s like setting the rules and responsibilities for how everyone handles and takes care of the company's data — from creation to deletion.

Answer 79

🧠 Definition: Data in processing refers to data that is actively being used, read, modified, or computed by a system. Think of it as: the moment your computer is actually doing something with the data. 🖥️ Where It Happens: RAM (Random Access Memory) CPU registers Application memory space Cloud compute environments 🔐 Security Challenges: Data in processing is often unencrypted while it's being used. That makes it vulnerable to: Memory scraping (e.g., malware scanning RAM) Side-channel attacks (e.g., Meltdown, Spectre) Insider threats (accessing in-memory data) Process injection attacks 🛡️ Protection Methods: Technique What It Does Trusted Execution Environments (TEEs) Isolate sensitive data (e.g., Intel SGX) Homomorphic encryption Enables computing on encrypted data (rare, resource-heavy) Access control & auditing Track who’s using what data Secure coding practices Prevent memory leaks and exploits ⚖️ Compared to Other Data States: State Description Example At Rest Stored and inactive File saved on disk In Transit Moving from one place to another Email being sent In Processing Being actively used or changed App editing a photo in memory 🧠 TL;DR: Data in Processing = “Live data doing live work.” It’s vulnerable in memory and needs real-time protection.

Answer 80

🧠 Definition: Data in transit refers to data actively moving between systems, devices, or networks — whether across the internet, a private network, or between components in the cloud. If it’s traveling, it’s data in transit. 🔐 Risks While in Transit: Eavesdropping (e.g., sniffing network traffic) Man-in-the-middle (MitM) attacks Session hijacking Data tampering or injection 🛡️ How to Protect Data in Transit: Method - Description Encryption (TLS/SSL, IPsec) - Protects data from being read/tampered VPNs - Secures data through encrypted tunnels HTTPS - Encrypts web traffic Secure email protocols - S/MIME, PGP Network segmentation/firewalls - Control and monitor traffic

Answer 81

A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

Answer 82

🧠 Definition: Data masking is the process of hiding real data by replacing it with fake but realistic-looking values — so it can be safely used in non-secure environments like development, testing, or training. You get the shape of the truth, not the actual truth. 📋 Example: Real Data (Production) Masked Data (Testing/Dev) John Smith, SSN: 123-45-6789 Jake Adams, SSN: 987-65-4321 Visa 4111-1111-1111-1111 Visa 5555-2222-3333-4444 🛠️ How It Works: Data masking can be: Static – Done once before copying to another environment (e.g., dev server) Dynamic – Masked on-the-fly as users access data (used for live systems) Masking techniques include: Technique Description Substitution: Replace real values with fake ones Shuffling Mix: real data within a column Nulling: out Replace with null or blanks Data variance: Slightly change numeric values Encryption: Use reversible encryption (rare for masking) 🔐 Why Use It? Benefit Purpose Protect: sensitive data Avoid exposure of real PII, PHI, etc. Enable: testing/dev safely Use realistic data without the risk Regulatory compliance: Meets GDPR, HIPAA, PCI-DSS requirements Reduce insider threat: No need to expose real production data 🚫 What It’s Not: ❌ Encryption: Encryption is reversible with a key. ❌ Tokenization: Tokenization maps real data to a token via a secure lookup. Data masking is **irreversible by design** — it's meant to obscure, not recover. 🧠 TL;DR: Data Masking = Real-looking fake data Great for devs. Useless for hackers.

Answer 83

🧠 Definition: Data minimization is the principle of collecting, using, and storing only the minimum amount of personal data necessary to achieve a specific purpose. If you don’t need it, don’t ask for it. If you don’t use it, don’t keep it. 🔐 Core Idea: Reduce privacy risk by limiting: What you collect How long you keep it Who has access Where it’s stored 📋 Example: Bad Practice Better Practice Asking for Social Security numbers on a newsletter signup Just collect name and email Keeping full user profiles of inactive accounts forever Delete or anonymize after 12 months Logging full IP addresses for basic analytics Use anonymized or truncated IPs 🛡️ Why It Matters: Benefit Why It's Important Reduces attack surface Less data = less to steal or leak Improves compliance Required under GDPR, CCPA, etc. Builds user trust Shows you value privacy Easier data management Fewer headaches for audits or cleanup ⚖️ Key Principles (GDPR-Inspired): Purpose Limitation: Collect data only for a clear, legitimate reason Data Minimization: Only the necessary data, no extras Storage Limitation: Don’t keep it longer than needed

Answer 84

🧠 Definition: A Data Owner is the person or role ultimately responsible for a set of data—its accuracy, security, usage, compliance, and access. Think of them as the "data landlord": they don’t necessarily manage every detail, but they make the rules. (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.

Answer 85

🧠 Definition: A Data Privacy Officer (DPO) is the person responsible for ensuring an organization handles personal data in compliance with data protection laws (like GDPR, HIPAA, or CCPA). Think of the DPO as your internal privacy watchdog — they protect individuals’ data rights and keep the organization legally and ethically aligned.

Answer 86

In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.

Answer 87

🧠 Definition: Data remnants are residual pieces of data that remain on storage devices after deletion, reformatting, or reimaging — often still recoverable unless properly wiped. You deleted the file, but the ghost of it is still lingering on the drive.Leftover information on a storage medium even after basic attempts have been made to remove that data. Also known as remnant.

Answer 88

🧠 Definition: Data sovereignty is the concept that data is subject to the laws and governance of the country where it is physically stored. If your data lives on a server in France, it's subject to French law — no matter where you are. 🌍 Why It Matters: Governments can enforce local privacy, surveillance, or access laws on data stored within their borders. Organizations must comply with regional regulations, even when using cloud services. 📋 Example: Situation Implication A U.S. company stores EU customer data in Germany Must follow GDPR Canadian health data is stored on U.S. cloud servers May be accessed under U.S. Patriot Act An Australian user’s data is mirrored in Singapore Could be subject to Singaporean privacy laws

Answer 89

🧠 Definition: A Data Steward is a person responsible for the day-to-day management and quality of data within an organization — ensuring it’s accurate, consistent, usable, and trusted. If the Data Owner is the landlord, the Data Steward is the property manager: they keep things organized, clean, and compliant. 🛠️ Core Responsibilities: Task Description Ensure data quality Fix duplicates, errors, and inconsistencies Apply data standards Enforce naming conventions, formats, and rules Monitor metadata Keep track of data definitions and attributes Support data governance Collaborate with data owners and custodians Manage lifecycle Ensure data is archived or deleted when appropriate Document data Create and maintain data dictionaries and catalogs 🔄 Key Difference from Other Roles: Role Focus Authority Data Owner Policy, risk, and access High Data Steward Data quality and usability Moderate Data Custodian Infrastructure and backups Operational

Answer 90

DHCP stands for Dynamic Host Configuration Protocol. 🧠 What it does (in plain terms): DHCP automatically gives devices on a network the info they need to connect — like handing out IP addresses, subnet masks, default gateways, and DNS server addresses without the user having to configure anything. 📦 Example: You bring your phone to a coffee shop → it joins the Wi-Fi → the DHCP server says: “Here’s your IP address (192.168.1.42), subnet mask, gateway, and DNS info. You’re good to go!” No manual setup needed. ---------- Imagine you walk into your favorite café (real network). Normally, the real barista (DHCP server) hands you: a table number (IP address), the Wi-Fi password (gateway), and the menu (DNS info). But today… There’s a fake barista standing near the counter. He jumps in first and says: “Oh hey! Sit at table 666, use this menu, and all your orders go through me!” That’s rogue DHCP in action. 🍳 So what’s DHCP Snooping? It’s the real manager saying: “Only my staff can take orders. Anyone else handing out tables or menus gets thrown out.” 🧠 Bottom line: Proofing = pretending to be legit to trick devices Rogue DHCP = pretending to be the network authority DHCP Snooping = the switch enforces trust and blocks the imposters

Answer 91

The dd command is a low-level data copying and conversion tool for Unix/Linux systems. Think of it as a digital scalpel — powerful, precise, and dangerous if misused. 🧠 TL;DR: dd stands for "dataset definition" or jokingly "destroy disk" (because one typo can wipe your system 😱).

Answer 92

An attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic.

Answer 93

Code in an application that is redundant because it will never be called within the logic of the program flow. ⚠️ Why Dead Code Is Bad: Wastes memory and processing time Clutters the codebase (makes maintenance harder) Might confuse future developers (including future you) Can hide bugs ✅ How to Deal With It: Use linters (e.g., flake8, pylint, eslint) Static analysis tools (e.g., Vulture for Python) Refactor and delete with confidence (use version control!) 🧪 Bonus Metaphor: Dead code is like keeping expired groceries in the fridge. They’re not doing anything, and eventually, they just stink up the whole place. Want help finding dead code in a specific snippet? Paste it and I’ll analyze it for you.

Answer 94

Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack. -- Deauthentication and disassociation are two ways to forcibly kick a device off a Wi-Fi network — and they play a big role in wireless attacks and network management. 💥 TL;DR: Term What it does Layer Use case Disassociation Breaks the connection Layer 2 Graceful kick from AP Deauthentication Breaks the authentication Layer 2 Full boot + re-auth needed 🔍 What’s the Difference? Disassociation: Says: “We're no longer connected.” The device stays authenticated but isn’t associated with the AP anymore. Kind of like: “You’re still a member, but you’ve been logged out.” Deauthentication: Says: “You're no longer allowed here.” The device must re-authenticate from scratch. It’s harsher — like the network saying: "Get out and show your ID again if you want back in." 🧠 Why It Matters (Security Context): Both types of frames are: Unencrypted Spoofable Exploitable Attackers can use deauth/disassoc frames to: Knock users offline (DoS) Force reauthentication (for evil twin or handshake capture attacks) Make people reconnect to a rogue AP (Man-in-the-Middle setup) 🧪 Example Tools: aireplay-ng → sends deauth frames to grab handshake data. mdk4 or wifijammer → perform mass deauth attacks. 🧯 Protection: 802.11w (Management Frame Protection): encrypts/disables spoofable management frames. Modern WPA3 routers usually support it, but it’s still not universally adopted.

Answer 95

🔍 Deception Make the attacker think they’re winning… while you’re watching every step they take. In cybersecurity, deception = misdirection. It involves planting fake assets, services, or vulnerabilities to lure attackers into traps or delay them. Examples: Honeypots: Fake servers/services designed to look juicy to an attacker. Honeynets: Entire fake networks to observe attacker behavior. Decoy credentials or canary tokens: If used, they instantly alert defenders. Deceptive DNS entries or unused subdomains: Meant to catch scanning bots. Think of it like rigging a fake vault with a camera inside while the real treasures are hidden elsewhere. 🧨 Disruption Once you know where they are — cut the power, burn the bridge, yank the signal. Disruption is all about interrupting malicious activity, ideally without the attacker even knowing you’ve detected them. This can involve: Kicking attackers out or blocking their IPs. Isolating infected endpoints from the network. Triggering auto-recovery or failover systems to shut down attacks. Deploying countermeasures like rate-limiting, alerts, or endpoint protection rules. 🎯 In Practice Together, deception and disruption are often used in active defense or cyber threat hunting operations. The goal isn’t just to block attacks—it’s to observe, understand, and sabotage the enemy’s playbook. Imagine: A threat actor steals what they think are admin credentials. They try to use them on a decoy server. You’re notified. While they fumble around, you cut off their real access. You now know their IP, malware tools, and tactics. That's not just security. That's cyberjudo.

Answer 96

Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.

Answer 97

🎯 Defense in Depth “Don’t put all your trust in a single moat. Build moats, walls, archers, traps, and secret tunnels with dragons.” 🛡️ What Is It? Defense in Depth (DiD) is a cybersecurity strategy that uses multiple layers of security controls to protect data, systems, and networks. The idea: if one layer fails, another stands in the way.

Answer 98

The process of rendering a storage drive inoperable and its data unrecoverable by eliminating the drive's magnetic charge.

Answer 99

In data 🔐 Deidentification “Scrub the fingerprints. Burn the name tag. Hide the trail — but keep the data.” 🧬 What Is It? Deidentification is the process of removing or obscuring personal identifiers from data so individuals can’t be readily identified. Used heavily in: 🏥 Healthcare (HIPAA compliance) 🔍 Research 🧪 Data science / AI 🔐 Privacy regulations (GDPR, CCPA) 🧹 Two Main Types: Method What it does Anonymization: Irreversible — all identifiers removed or altered; you can’t re-link to the person Pseudonymization: Reversible — replaces identifiers with fake ones (e.g., “Patient A123”), but there’s a key stored somewhere, methods and technologies that remove identifying information from data before it is distributed.

Answer 100

🧱 Demilitarized Zone (DMZ) “A buffer zone between your digital castle and the wild internet — where you let visitors knock, but never hand them the keys.” 🌐 What Is It? A DMZ in cybersecurity is a neutral network zone that sits between an internal network (safe) and an external one (risky) — usually the internet. It hosts public-facing services like websites, email servers, or DNS. It isolates these services from the internal network to limit exposure if they get hacked. 🛡️ Real-World Analogy Think of a castle: Outer wall = Internet-facing firewall Courtyard (DMZ) = Where visitors go; you're watching them closely Inner wall = Protects the royal chambers (internal network) If attackers breach the courtyard, they still can’t reach the throne room (your sensitive systems). 🧰 Common DMZ Setup Firewall 1 (External): Between internet and DMZ Firewall 2 (Internal): Between DMZ and internal network Or: 3-legged firewall with three interfaces (internet, internal, DMZ)

Answer 101

A Denial of Service (DoS) attack is a cyberattack aimed at making a system, service, or network unavailable to its intended users. It overwhelms the target with a flood of traffic or exploits vulnerabilities to crash it, causing slowdowns or total unavailability. 🧨 Types of DoS Attacks: Volume-Based Attacks Goal: Overwhelm bandwidth Examples: ICMP flood, UDP flood Analogy: Like a mob flooding a phone line—nobody else can get through. Protocol Attacks Goal: Exhaust server resources (e.g., firewalls, load balancers) Examples: SYN flood, Ping of Death, Smurf attack Analogy: Half-open handshakes left hanging until the server chokes. Application Layer Attacks Goal: Crash the application by mimicking legitimate behavior Examples: HTTP GET/POST flood, Slowloris Analogy: A slow, polite customer who never leaves the line, blocking others. 🤖 Distributed Denial of Service (DDoS) A DDoS attack uses multiple systems (often compromised machines, aka a botnet) to launch a coordinated flood. More powerful and harder to block. 🛡️ Defenses Against DoS/DDoS: Rate limiting Traffic filtering / IP blacklisting Firewalls and intrusion prevention systems CDNs (e.g., Cloudflare) to absorb traffic Redundancy and failover strategies Behavior-based detection systems 🔑 Key Goal: Disruption, not infiltration. No data is stolen—just access denied.

Answer 102

Deprovisioning is the process of removing access rights and resources from a user, device, or system when they no longer need them — typically when someone leaves a company, changes roles, or a service is decommissioned. 🔒 Why It Matters: Prevents unauthorized access Reduces attack surface Ensures compliance with security policies Cleans up unused accounts (a common insider threat vector) 🧩 Key Deprovisioning Tasks: Account Disabling or Deletion Email, VPN, system logins (e.g., Active Directory, cloud apps) Revoke Physical Access Badges, keys, building access Recover Company Property Laptops, phones, ID cards Reclaim Licenses or Subscriptions Software tools (e.g., Microsoft 365, Salesforce) Audit & Confirm Verify logs, revoke residual permissions, alert relevant teams 🧠 Real-World Analogy: Deprovisioning is like taking away a former employee’s keys, passwords, and parking spot. If you forget, they could walk back in at any time. ⚠️ Common Risks of Poor Deprovisioning: Orphaned accounts = backdoors for attackers Zombie permissions = excessive access lingering after role changes Data leakage = ex-employees using synced devices or cloud apps 🔐 Related Concepts: Provisioning: The opposite—granting access. Least Privilege: Principle behind giving the minimum access necessary, and revoking it as soon as it’s no longer needed. Access Lifecycle Management: Full cradle-to-grave process from onboarding to offboarding.

Answer 103

🧭 Destination (in networking) “Where the data is going — the final stop on its digital journey.” 💻 What It Means In networking, destination refers to the target device, IP address, or port where a data packet is supposed to arrive. Every packet has: A source (where it came from) A destination (where it’s going) 📨 In Context: Layer Example of a Destination IP Layer 192.168.1.100 (target IP address) Transport Layer Port 443 (HTTPS), Port 25 (SMTP) Application Layer www.example.com (web address) Physical Layer A specific MAC address in a local network 🧱 Simple Analogy: Mailing a letter: Source = Your home address Destination = The recipient’s address Port number = The apartment or room you want the letter to go to inside the building Protocol = Whether it’s regular mail, FedEx, or email 🔥 Example in Action: You click a link: Your device sends a packet to destination IP 142.250.190.36 (Google) Destination port: 443 (HTTPS) Data rides TCP/IP to the destination 🧠 TL;DR Destination = where the data is headed. From web pages to emails to streaming cat videos — everything you request is just packets trying to reach their final destination. Want a graphic? Or compare “destination” across layers of the OSI model?

Answer 104

🕵️‍♀️ Detective Control A detective control is a security measure that identifies and records unwanted or unauthorized activity after it occurs — unlike preventive controls, which aim to stop incidents from happening. 🔎 Purpose: Detect. Log. Alert. Respond. Detective controls don’t block, but they help uncover violations, breaches, or abnormal behavior so you can investigate and take action. 🧠 Examples of Detective Controls: Control Type Example System Logs Tracks login attempts and file access Security Cameras Record physical access Intrusion Detection Systems (IDS) Alerts on suspicious network traffic Audit Trails Show who did what, when Change Detection Software Alerts on unauthorized file or config changes SIEM Systems Aggregate and analyze logs for threats 🧩 Security+ Tip: If a control doesn't stop something but knows it happened and can report it = detective control.

Answer 105

🚨 Deterrent Control A deterrent control is a security measure designed to discourage malicious or unwanted behavior by making the consequences clear or the risk of being caught high. 🧠 Key Idea: It doesn't block or detect—it makes you think twice. 🧩 Purpose of Deterrent Controls: Reduce the likelihood of an attack or policy violation Leverage psychological pressure (fear of being caught, punished, or exposed) 🔎 Examples of Deterrent Controls: Control Type Example Signage “Area under surveillance” / “Employees monitored” Security Cameras (Visible) Presence alone deters trespassers or thieves Security Policies with Penalties Clear consequences for violations Badge/Uniform Checks Makes unauthorized entry harder and riskier Guard Presence Even unarmed guards deter intrusion or misbehavior 🛡️ Security+ Tip: If the control’s main job is to scare off, warn, or discourage, it’s deterrent — not preventive or detective.

Answer 106

💠 Diamond Model of Intrusion Analysis “What if a cyberattack was a crime scene — and you had a 4-point profile for every digital heist?” 🕵️ What Is It? The Diamond Model is a structured way to analyze cyber intrusions by mapping out four core elements — like a crime diagram — to help defenders understand and respond to threats more effectively. It was developed by the U.S. intelligence community and is used in threat intel, SOCs, and by red/blue teams. 🔷 The Four Corners of the Diamond 1. Corner What It Means Example Adversary Who’s attacking? (person/group/entity) “APT29” or “SomeGuy123” 2. Capability What are they using? (tools, malware, exploits) Cobalt Strike, RCE exploit 4. 3. Infrastructure Where is it coming from? (servers, domains, IPs) Malicious domain, bulletproof VPS 4.Victim Who/what is targeted? (user, org, system, region) An energy company, or "HR@company.com" These four nodes are linked: The Adversary uses Capability via Infrastructure to attack a Victim. 📌 Example: APT29 uses spearphishing with a Word macro (capability), sends it from a spoofed domain hosted on AWS (infrastructure), targeting a government agency (victim). 🔁 Pivoting and Expansion The Diamond Model supports pivoting: You can take any corner and expand it into new diamonds: Found a new victim? → Look for attacker overlap. Caught a tool? → Trace who else uses it. Discovered a C2 server? → What else is hosted there? It helps build attack graphs, correlate events, and attribute behaviors across campaigns. 🔐 Why It’s Useful Structured thinking: Great for intel analysts Incident correlation: Tie multiple incidents to one actor Threat attribution: Spot patterns across seemingly unrelated events 🧠 TL;DR The Diamond Model = CSI for cyberattacks. Four points: Who did it, how they did it, where they launched from, and who they hit.

Answer 107

📖 Dictionary Attack A dictionary attack is a type of password-cracking technique where an attacker tries a predefined list of possible passwords — usually common words, phrases, or leaked credentials — to guess a user's password. 🧠 How It Works: The attacker loads a “dictionary file” — a list of commonly used passwords, like: pgsql Copy Edit 123456 password qwerty letmein football monkey iloveyou admin The system hashes each of these guesses and compares it to the stored password hash. 💡 Key Features: Characteristic Value 🎯 Target Weak or common passwords 🛠️ Method Tries each word from a list 🧠 Assumption People use predictable passwords 🐢 Speed Faster than brute force (fewer guesses, smarter list) 🔓 Dictionary Attack vs. Brute Force: Feature Dictionary Attack Brute Force Attack Tries Common passwords only Every possible character combo Speed Faster Slower (exponential time) Smarts Wordlist-based Dumb but thorough Success High if user has weak password High if attacker has time and power 🔐 Defenses: Enforce strong password policies Use account lockout or rate limiting Implement multi-factor authentication (MFA) Use salted hashes to break precomputed attack methods (like rainbow tables) Monitor for login anomalies 🧠 Security+ Exam Tip: A dictionary attack is fast, targeted, and depends on users choosing bad passwords. Think: “Guessing from a cheat sheet”, not “guessing everything.”

Answer 108

💾 Differential Backup “Only save what changed since the last full backup — not everything, just the new crumbs.” 📦 What Is It? A differential backup copies all data changed since the last full backup — every time it runs. It's a middle ground between: 🔁 Full backup: Saves everything (slow, storage-heavy) 🧮 Incremental backup: Saves only what changed since the last backup (fast, but restore is more complex) 🧪 How It Works: Monday Full backup Everything Tuesday Differential Everything that changed since Monday Wednesday Differential Everything that changed since Monday Thursday Differential Everything that changed since Monday

Answer 109

🔐 Diffie-Hellman (DH) Key Exchange “Let’s agree on a secret in public — without anyone else figuring it out.” 🧠 What Is It? Diffie-Hellman is a key exchange protocol that lets two parties generate a shared secret key over an untrusted network, without actually sending the key. It's not an encryption algorithm by itself — it’s a way to safely create keys used in encryption (e.g., for TLS, VPNs, SSH). 🤝 Real-World Analogy: You and a friend each pick a secret color, mix it with a public color, and exchange the result. When you each mix your secret with the other person’s result, you both end up with the same final color — but an eavesdropper can’t reverse it. 🧮 How It Works (Simplified) Public numbers: Prime number p Base g (a generator) Alice picks secret a, computes A = g^a mod p Bob picks secret b, computes B = g^b mod p They exchange A and B Alice computes B^a mod p Bob computes A^b mod p 🔐 They both now share the same secret: g^(ab) mod p And the eavesdropper? They see A, B, g, and p, but without knowing a or b, they can't compute the secret. (This is hard due to the Discrete Logarithm Problem.) 💣 Vulnerabilities No authentication = vulnerable to Man-in-the-Middle attacks That’s why DH is often used with digital signatures or certificates 🧠 TL;DR Diffie-Hellman = Whispering a secret across a crowded room using math magic. It’s how your browser and a server shake hands without anyone else hearing. Want a visual with potion mixing? Or a hacker trying to eavesdrop with question marks?

Answer 110

A message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove message integrity. 🔐 What Is It? A digital signature is a mathematical way to prove authenticity and integrity of a digital message or document. It’s like a secure wax seal for the internet, ensuring: ✅ Who sent it (authentication) 🔒 It hasn’t been changed (integrity) 🛑 It can’t be denied later (non-repudiation) 🧙 How It Works (Magical Edition) Hash the message (turn content into a unique fingerprint) Encrypt the hash with your private key → that’s your digital signature Send message + signature The receiver: Decrypts the signature using your public key Hashes the received message themselves Compares the two hashes If they match = ✅ message is authentic + untampered If not = ⚠️ altered or forged 🔁 Analogy: Imagine you write a letter, seal it with a unique wax stamp only you own, and give people the stamp mold so they can verify it's yours — but they can’t forge new stamps.

Answer 111

public key encryption standard used for digital signatures that provides authentication and integrity verification for messages. 🧮 Digital Signature Algorithm (DSA) “A mathematical spell that proves you wrote the message — even if the message is public.” 🖊️ What Is DSA? DSA stands for Digital Signature Algorithm — it’s a federal standard for creating digital signatures using asymmetric cryptography. It was introduced by NIST in 1991 and is part of the Digital Signature Standard (DSS). 🔐 Core Purpose: To allow someone to: Sign a message using a private key Let others verify the message using the public key 📬 Think of DSA like sealing an envelope with a private stamp, and letting anyone check the stamp’s authenticity — but no one can copy your stamp.

Answer 112

A network service that stores 📇 What Is a Directory Service? A directory service is like a digital phone book for your network — it stores and manages information about users, devices, groups, and access permissions in a structured, searchable way. 🧠 Definition: A directory service is a centralized database that helps organize and control access to resources in a networked environment. It stores information such as: Usernames & passwords Email addresses Group memberships Computer & printer names Access control policies 🧱 Examples of Directory Services: Directory Service Platform Notes Active Directory (AD) - Windows - Most common in enterprise environments LDAP (Lightweight Directory Access Protocol) -Cross-platform - The protocol many directory services use Azure AD - Cloud Microsoft’s cloud-based AD - OpenLDAP Linux Open-source directory service Apple Open Directory - macOS Apple’s version for macOS environments ⚙️ What Does It Do? Task - How Directory Service Helps Login/Authentication: Verifies who a user is Authorization: Grants access to files, apps, devices Group Policy: Enforces rules across user groups Central Management: Lets admins manage users/devices in one place 🏢 Real-World Analogy: Your company’s receptionist has a master list of every employee — their name, office, job title, department, and permissions. That’s what a directory service is for a computer network. 🔐 Why It's Important: Centralized identity and access control Supports single sign-on (SSO) Enforces security policies Simplifies user provisioning and deprovisioning information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

Answer 113

i📂 What is Directory Traversal? Directory Traversal, also known as Path Traversal, is a type of attack where an attacker manipulates file paths to access files or directories outside the intended scope of a web application. 💣 The Goal: Trick the system into giving access to sensitive files like: /etc/passwd on Linux (user info) C:\Windows\System32\config\SAM on Windows (password hashes) Config files, logs, or source code 🧪 How It Works: The attacker enters a path like: bash ../../../etc/passwd Each ../ tells the system to “go up one folder.” If the server doesn't properly sanitize input, the attacker can climb the file tree and access files they shouldn’t. 🧱 Example: Imagine a website loads images like this: bash https://example.com/view?file=images/cat.jpg The attacker tries: bash https://example.com/view?file=../../../../etc/passwd If successful, the server returns the contents of a sensitive system file instead of a harmless image. 🚨 Impact: Unauthorized access to passwords, config files, backups Potential to execute code or escalate privileges Data breaches 🔐 Prevention: Mitigation Strategy - What It Does Input validation/sanitization: Remove or block ../ and similar patterns Use safe APIs: Access files by ID or name, not raw paths Least privilege principle: Web app can’t access sensitive system files Web application firewalls (WAF): Block common traversal attempts 🧠 TL;DR: Directory Traversal = “Hey web app, can I just peek outside the sandbox and grab your diary?”rectory.

Answer 114

🌪️ Disaster Recovery Plan (DRP) A Disaster Recovery Plan is a formal, documented strategy for restoring IT systems, data, and operations after a disruptive event — like a cyberattack, natural disaster, or critical system failure. 🎯 Goal: Resume critical business functions quickly and securely with minimal downtime and data loss. 📑 Key Components of a DRP: Risk Assessment & Business Impact Analysis (BIA) Identify threats (fire, flood, ransomware) Analyze what assets are critical and the impact if lost Recovery Objectives RTO (Recovery Time Objective): How fast must it be restored? RPO (Recovery Point Objective): How much data can we afford to lose? Backup Strategy Frequency (daily, hourly) Location (cloud, offsite, offline) Media (tape, disk, virtual snapshots) Recovery Procedures Step-by-step process for restoring systems, apps, and data Contact info for responsible personnel Checklists and escalation paths Alternative Facilities Cold Site – Empty shell with power/space Warm Site – Partially equipped (some hardware, maybe backup data) Hot Site – Fully functional duplicate, ready to go live immediately Roles & Responsibilities Who does what in a crisis? Communication Plan Internal team, stakeholders, vendors, customers Include templates for outage notices or status updates Testing & Maintenance Tabletop exercises, simulated failovers, regular reviews Keep it updated as systems evolve 🧠 Disaster Recovery vs Business Continuity: Aspect Disaster Recovery (DRP) Business Continuity (BCP) Scope IT systems & data Entire business operation Goal Restore tech Keep business running Timeframe After disaster During and after disruption 🛡️ Security+ Tip: DRP = Get the tech back up. BCP = Keep the business running, even if tech isn’t.

Answer 115

🧠 Definition: Discretionary Access Control (DAC) is an access control model where the resource owner decides who can access it and what they can do with it (read, write, execute, etc.). “My file, my rules” — that’s the spirit of DAC. (Pikachu: adorable, but access is dependant on relation)

Answer 116

🧠 Definition: Distinguished Encoding Rules (DER) is a strict, binary format used to encode data structures defined by ASN.1 (Abstract Syntax Notation One). It’s like XML for cryptography, but in compact, machine-readable binary — and only one valid way to encode each structure. 🧩 What It's Used For: Digital certificates (X.509) Cryptographic keys (RSA, ECC) Secure protocols like SSL/TLS, S/MIME, and PKCS 🔍 Why DER Exists: ASN.1 allows multiple valid encodings of the same data. DER removes that ambiguity by enforcing: One correct way to represent lengths No extra padding Ordered sets and fields This guarantees consistency, which is critical for: Digital signatures (so the data always hashes the same way) Certificate verification 📘 What you should know for Security+: Topic Area What You Need to Know X.509 Certificates They use DER and PEM encoding formats PEM vs DER PEM = Base64 + headers; DER = raw binary File Extensions .der, .cer, .crt, .pem, .key, .pfx Use Case DER is used when exact binary representation is needed (e.g., digital signatures) 🔍 Sample question-level knowledge: Which format encodes X.509 certificates in binary and is used for cryptographic consistency? A) PEM B) DER C) XML D) JSON ✅ Correct: B) DER TL;DR for Security+: Know what DER is, where it's used (certs), and how it's different from PEM — but you don’t need to encode/decode or memorize ASN.1 structure.

Answer 117

In cybersecurity, diversity refers to using a variety of systems, tools, vendors, and defenses — rather than relying on a single technology or uniform environment — to reduce the risk of widespread failure during an attack. 🧠 Core Idea: Homogeneity = single point of failure Diversity = layered, resistant, unpredictable defense 🧩 Types of Diversity That Build Resilience: Type Example Benefit Vendor Diversity Using different firewall, antivirus, and SIEM vendors Avoids mass failure from one vendor flaw OS Diversity Windows, Linux, macOS in different roles Prevents exploits from spreading uniformly Geographic Diversity Data centers in multiple regions Enhances disaster recovery and redundancy Team Diversity Multidisciplinary, multicultural perspectives Better threat modeling & creative problem solving Tool Diversity Multiple layers of detection and response (e.g., EDR + IDS) Increases detection accuracy and resilience 🧪 Security Analogy: A monoculture forest is wiped out by one disease. A diverse forest resists — some trees survive and keep the ecosystem running. Same with IT: One exploit shouldn’t bring down the whole ecosystem. ⚠️ Trade-Off: Diversity increases complexity and cost — so it must be strategically planned. Too much unmanaged diversity can lead to: Inconsistent policies Integration headaches Poor visibility 🔐 Security+ Angle: Diversity is a resilience strategy Ties into defense in depth, redundancy, and vendor risk management Shows up in business continuity and supply chain discussions

Answer 118

Domain hijacking is when someone illegally takes control of a domain name without the permission of the rightful owner. It's basically identity theft for websites — and it can have serious consequences. --- 🕵️‍♂️ What It Looks Like A company suddenly loses access to their website. Emails tied to the domain stop working. The domain points to a scam site or is listed for resale. WHOIS records are suddenly changed to an unknown entity. --- 🧠 How It Happens 1. Credential Theft Attacker steals the domain admin’s login credentials (via phishing, malware, or password reuse). They access the registrar account and transfer the domain elsewhere. 2. Social Engineering Attacker impersonates the owner to the domain registrar and tricks them into approving a domain transfer or account reset. 3. Registrar Vulnerabilities Exploiting weak security at the registrar level — e.g., no two-factor authentication (2FA), lax identity verification. 4. Expired Domains Owner forgets to renew, and the attacker snatches it during the grace period. --- 🔒 Prevention Tips Enable 2FA on your domain registrar account. Use a strong, unique password for registrar login. Lock your domain (many registrars offer this feature to prevent unauthorized transfers). Monitor WHOIS changes and domain DNS activity. Keep domain registration info current (email/phone) so you’re alerted to changes. Renew domains early, or set them to auto-renew. --- 📉 Why It Matters Domain hijacking can: Cripple your business (loss of web/email access) Harm your reputation (customers may be scammed) Be extremely hard (and expensive) to recover --- Want a metaphor? > Domain hijacking is like someone stealing your front door key, changing the locks, and pretending to be you — while you're stuck outside watching them host a scam party in your living room.

Answer 119

🧠 DNS Hijacking (a.k.a. DNS Redirection) DNS hijacking is an attack where a malicious actor alters the DNS resolution process to redirect users to fraudulent or malicious sites — even if they type the correct domain name. 🌐 DNS Recap: When you type www.example.com, your device asks a DNS server: "What’s the IP address for this domain?" DNS hijacking corrupts the answer. 🧨 How DNS Hijacking Works: Attack Type Description Local DNS Hijack Malware on the user’s device changes DNS settings Router Hijack Attacker changes DNS settings on your router (e.g., via default password) ISP-Level Hijack Some ISPs redirect DNS requests to custom pages (sometimes for ads) DNS Server Compromise Attacker hacks a real DNS server and changes the record for a domain Man-in-the-Middle (MITM) DNS traffic is intercepted and modified in transit 🧪 Example: You type bank.com → Malicious DNS resolves to 192.168.100.13 (a phishing page) instead of the real bank IP. You get tricked into entering your credentials. 🔐 Defenses Against DNS Hijacking: Defense Description Use Secure DNS (DoH/DoT) DNS over HTTPS or TLS encrypts DNS requests Configure trusted DNS Manually set Google (8.8.8.8) or Cloudflare (1.1.1.1) Firmware Security Change router passwords, update firmware Endpoint Protection Detects local malware altering DNS settings DNSSEC Adds digital signatures to DNS responses to verify authenticity 🔒 DNSSEC Analogy: Like receiving a signed, sealed envelope from DNS. If the signature doesn't match, don't trust the content. 🧠 Security+ Tip: DNS Hijacking = Altering where domain names point. It’s a recon, credential theft, or MITM vector. Always think redirection + deception.

Answer 120

☠️ DNS Poisoning (a.k.a. DNS Cache Poisoning) DNS poisoning is an attack where a DNS resolver's cache is tricked into storing fraudulent domain-to-IP mappings — so users are unknowingly redirected to malicious sites when visiting trusted domains. 🧠 Simple Summary: The attacker poisons the DNS cache with fake info, so the next time you visit bank.com, you get sent to their trap instead. 🧩 How DNS Poisoning Works: A DNS resolver asks upstream servers for the IP of example.com. The attacker races to respond first with a spoofed IP, like 192.0.2.66. If the fake response wins, the resolver caches the wrong IP. Every user querying that resolver gets sent to the malicious site — until the cache expires. ⚠️ Real-World Consequences: Phishing sites with legit-looking URLs Malware delivery MITM interception Massive trust erosion (think: poisoning Google's domain) 🧠 DNS Poisoning vs DNS Hijacking: Feature DNS Poisoning DNS Hijacking Focus Cache of a legit DNS server Control of device/router/DNS system Method Injects fake DNS records Redirects via malware/config tampering Scope Often widespread (affects many users) Can be local or network-specific Persistence Until cache expires or is purged Until settings are fixed 🔐 Defenses Against DNS Poisoning: ✅ DNSSEC (DNS Security Extensions) Authenticates DNS responses via digital signatures ✅ Randomized source ports & query IDs Makes spoofing harder ✅ Short TTLs and frequent cache flushing ✅ Trusted DNS resolvers (Cloudflare, Google) ✅ Monitoring for DNS anomalies 🧠 Security+ Exam Tip: DNS poisoning is a spoofing + recon + redirection tactic. It attacks the trust layer of the internet.

Answer 121

🔐 DNSSEC (Domain Name System Security Extensions) DNSSEC is a security extension for DNS that authenticates DNS responses using digital signatures — preventing DNS spoofing, poisoning, and man-in-the-middle attacks. 🧠 Core Problem: Traditional DNS = No authentication Anyone can spoof a reply. DNSSEC = “Prove that answer came from the real source.” 🧩 How DNSSEC Works: Zone Signing: Domain owner creates a private/public key pair DNS records (A, MX, CNAME, etc.) are digitally signed with the private key The DNS server serves both the record and a signature (RRSIG) Validation: When a resolver queries a DNSSEC-enabled domain: It receives the DNS record + the RRSIG It uses the public key (DNSKEY) to verify the signature If valid: 🟢 Trust it If invalid: 🔴 Reject it Chain of Trust: Starts from the root zone (.) Each level (TLD → domain) signs the next Like a signed passport passed down the DNS hierarchy 🔒 What DNSSEC Protects Against: Attack Type DNSSEC Defense DNS Spoofing ✅ Yes DNS Poisoning ✅ Yes MITM Attacks ✅ Yes (on DNS layer) Phishing Pages ❌ No (doesn’t check site content) DDoS ❌ No (DNSSEC can actually amplify it if misused) ⚠️ Limitations of DNSSEC: Doesn’t encrypt DNS traffic (use DoH/DoT for that) Can add complexity and misconfiguration risk Requires full resolver and domain support 🧠 Security+ Exam Tip: DNSSEC = Integrity + Authenticity for DNS responses. Not encryption. Think "signed records", not "hidden data."

Answer 122

🔽 Downgrade Attack A downgrade attack (a.k.a. version rollback attack) is when an attacker forces a system or protocol to fall back to an older, weaker, or less secure version — making it easier to exploit. 🧠 Core Idea: "Let’s talk in an old language I already know how to break." 🔓 How It Works: Two systems negotiate the strongest protocol they both support (e.g., during TLS handshake). The attacker intercepts or manipulates this negotiation. They trick one or both parties into agreeing on an outdated or vulnerable version (e.g., TLS 1.0 instead of TLS 1.3). Now the attacker can eavesdrop, modify, or decrypt the data — or exploit known bugs. 🧩 Real-World Examples: Attack Name Description POODLE (SSL downgrade) Forced TLS connections to fall back to SSL 3.0, which is vulnerable STARTTLS stripping In email, attacker downgrades encrypted connection to plaintext Weak cipher downgrade Forces use of export-grade or known weak ciphers 🎯 Target Protocols: TLS/SSL HTTPS SMTP / IMAP / POP3 VPNs Wireless protocols (e.g., WPA/WEP) 🛡️ Defenses: Control Description Disable legacy protocols Block SSL, TLS 1.0, and other old versions Use strict version enforcement No fallback allowed Use HSTS (HTTP Strict Transport Security) Prevents HTTPS downgrades Use modern cipher suites Avoid export-grade and weak encryption Patch & configure properly Downgrade resistance is often a config setting 🧠 Security+ Tip: Downgrade = attacker interferes with negotiation to force weak settings. It’s a form of protocol manipulation and usually part of a MITM strategy.

Answer 123

File containing data captured from system memory.

Answer 124

The social engineering technique of discovering things about an organization (or person) based on what it throws away.

Answer 125

🎭 DHCP Spoofing DHCP spoofing is an attack where a rogue device on the network pretends to be a legitimate DHCP server, handing out malicious IP configurations to clients. 🧠 Core Idea: The attacker becomes the fake traffic cop, directing everyone to bad routes. 🔁 How DHCP Works (Normally): A new device connects to the network. It sends a DHCP Discover (basically: “Can anyone give me an IP?”) A legit DHCP server responds with an IP lease, gateway, DNS, etc. Device joins the network with proper settings. 🧨 In a DHCP Spoofing Attack: Attacker sets up a rogue DHCP server. It responds faster than the real one. The victim’s machine accepts the attacker’s configuration, which may include: Fake default gateway → attacker’s machine (MITM) Fake DNS server → attacker controls domain resolution Bogus IP range → network chaos 🎯 Attacker Goals: Goal Outcome Man-in-the-middle Intercept and modify traffic Traffic redirection Send users to phishing/malware sites Network disruption IP conflicts or broken routing 🔐 Defenses Against DHCP Spoofing: Defense Technique Description DHCP Snooping (switch config) Only allows DHCP responses from trusted ports Port security Blocks unauthorized devices from joining the network 802.1X authentication Requires authentication before assigning network access Static IPs (in rare cases) Removes need for DHCP altogether 🧠 Security+ Tip: DHCP spoofing is a LAN-based attack that often sets up a MITM or DNS poisoning scenario. The keyword to watch for = “rogue DHCP server”.

Answer 126

🔐 EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) EAP-TLS is a highly secure authentication framework used in wireless networks and VPNs. It uses mutual certificate-based authentication over the EAP framework and TLS encryption. 🧠 Core Concept: EAP-TLS = “Prove your identity with a certificate”, not a password. It’s like a handshake where both sides show a passport before speaking. 📡 Where It’s Used: Enterprise Wi-Fi authentication (e.g., WPA2-Enterprise, WPA3-Enterprise) VPN access 802.1X authentication in wired and wireless networks 🔁 How EAP-TLS Works (Simplified Flow): Client (Supplicant) initiates authentication to a network. Authentication Server (e.g., RADIUS) sends a certificate request. Client sends its digital certificate → proves identity. Server sends its own certificate → proves it’s legit too. TLS handshake is completed → mutual trust established. Encrypted session begins → access is granted. 🔒 Key Features: Feature Details Mutual authentication Both client and server authenticate each other No passwords Uses X.509 certificates, not shared secrets Encryption Built-in via TLS handshake High security Resistant to dictionary, MITM, and phishing ⚠️ Limitations: Certificate management can be complex and costly Requires a PKI (Public Key Infrastructure) to issue, revoke, and manage certificates Not ideal for BYOD unless certificates are pre-deployed 🧠 Security+ Tip: EAP-TLS = strongest EAP method because it uses certificates, not passwords. Don’t confuse it with EAP-PEAP or EAP-TTLS, which wrap passwords in a TLS tunnel.

Answer 127

🔐 EAP-TLS: Extensible Authentication Protocol – Transport Layer Security EAP-TLS is an EAP authentication method that uses mutual TLS (Transport Layer Security) to securely authenticate both the client and the server using digital certificates. 🧠 Quick Definition: EAP-TLS is the most secure EAP method — it replaces passwords with certificates and uses TLS encryption to protect the entire exchange. 🔁 How EAP-TLS Works: The client (user/device) connects to the network. The server requests the client’s digital certificate. The client sends its certificate → proves identity. The server sends its own certificate → proves legitimacy. A TLS handshake establishes a secure session. If mutual authentication succeeds → access is granted. 🔐 Key Features of EAP-TLS: Feature Description Mutual Authentication Both client and server prove their identity Certificate-Based No passwords — uses X.509 certificates Built on TLS Strong encryption + integrity Enterprise-Grade Used in WPA2/WPA3-Enterprise, 802.1X networks ✅ Pros: Extremely strong security (resistant to MITM, replay, password cracking) Supports machine and user authentication Widely supported across enterprise systems ❌ Cons: Requires a PKI (Public Key Infrastructure) to issue/manage certs Complex to deploy and maintain (especially in BYOD environments) Not password-friendly — devices must have a valid certificate 📡 Common Use Cases: Enterprise Wi-Fi (WPA2/WPA3-Enterprise with 802.1X) VPN authentication Secure wired access in corporate networks 🧠 Security+ Exam Tip: EAP-TLS = strongest form of EAP — relies on certificates, not passwords. It’s the gold standard for secure enterprise authentication. 🔐 Is Anything Stronger Than EAP-TLS? In terms of wireless and remote authentication protocols? No. EAP-TLS is the gold standard. It offers: ✅ Mutual authentication ✅ Certificate-based identity (not passwords) ✅ TLS encryption ✅ Resistance to replay, MITM, and brute force attacks 🧱 Why EAP-TLS is Top-Tier: The only major EAP method that uses client + server certificates No shared secrets = no password to steal, spray, or guess Even quantum-resistant TLS versions are being prepared — EAP-TLS evolves with TLS

Answer 128

⚖️ 🔐 EAP-TTLS (Extensible Authentication Protocol – Tunneled Transport Layer Security) EAP-TTLS is an EAP method that provides secure user authentication by creating a TLS tunnel (like a private pipe) between the client and the authentication server — then sending credentials (like usernames and passwords) inside that encrypted tunnel. 🧠 Core Idea: Server proves itself with a certificate. Client authenticates inside the tunnel — usually with username/password. 🔁 How EAP-TTLS Works: Client connects to the network. Server sends its digital certificate. Client verifies the server’s identity. A TLS tunnel is created between client and server. Inside the tunnel, the client sends credentials (e.g., username + password, or token). Server authenticates the client. Secure access is granted. 🔒 Key Features of EAP-TTLS: Feature Description Server certificate only Only the server needs a digital certificate Client flexibility Client can use passwords, tokens, or inner EAP Encrypted tunnel Protects credentials in transit (via TLS) Less complex than EAP-TLS No client-side certs to manage ✅ Pros: Stronger than password-only methods (e.g., EAP-MD5, PAP) Doesn’t require a client certificate Supports many inner authentication methods Easier to deploy than EAP-TLS in BYOD environments ❌ Cons: Only the server is authenticated → no mutual authentication Still depends on password security Requires proper TLS config to avoid downgrade or MITM risk 📡 Use Cases: WPA2/WPA3-Enterprise networks Organizations with mixed devices or BYOD policies When client certificates are impractical If You’re Comparing: EAP Method Client Cert? Server Cert? Uses Passwords? Strength EAP-TLS ✅ Yes ✅ Yes ❌ No 🟢 Strongest PEAP (MSCHAPv2) ❌ No ✅ Yes ✅ Yes (inner) 🟡 Moderate EAP-TTLS ❌ No ✅ Yes ✅ Yes (inner) 🟡 Moderate EAP-FAST ❌ No ❌ Optional ✅ Yes (PAC files) 🟡 Moderate EAP-MD5 ❌ No ❌ No ✅ Yes 🔴 Weak 🚫 "Stronger" Options? Only in Different Categories: 🔒 Multi-factor Authentication (MFA) can complement EAP-TLS but doesn’t replace it. 🔑 FIDO2/WebAuthn is stronger for web auth, but it’s not part of EAP. 🧪 Post-quantum TLS (PQTLS) may evolve EAP-TLS in the future, but that’s theoretical for now. ✅ Bottom Line: EAP-TLS remains the strongest widely deployed authentication method in enterprise network security. If you want "stronger," you're talking layers (MFA, behavior analytics, device posture checks) — not a different EAP protocol.

Answer 129

East-West traffic refers to data communication that occurs within a single data center or network segment — typically between servers, virtual machines, containers, or applications inside the same trust zone. 🧠 Quick Analogy: East-West = side-to-side (internal to internal) North-South = top-to-bottom (user to server or server to internet) 🧩 Examples of East-West Traffic: Scenario Description Web server communicating with DB server Internal system-to-system traffic Microservices calling each other API-to-API calls in a service mesh VM talking to another VM on same subnet Hypervisor-internal communication Kubernetes pod traffic Inter-pod messaging inside a cluster 🚨 Security Risks: Most traditional defenses (like firewalls) focus on north-south traffic Once an attacker breaches the perimeter, east-west traffic is often unmonitored Enables lateral movement in the network (e.g., spreading ransomware) 🔐 How to Secure East-West Traffic: Technique Description Microsegmentation Apply strict rules between internal systems Zero Trust Network Access (ZTNA) Authenticate and authorize every request Internal firewalls Monitor intra-network traffic Network detection & response (NDR) Analyze east-west traffic patterns Least privilege access Minimize unnecessary communication paths 🧠 Security+ Tip: East-West = lateral traffic — attackers love it for moving quietly inside. Mention lateral movement, microsegmentation, or internal visibility in answers.

Answer 130

🛰️ Edge Computing Edge computing is a distributed computing model where data processing happens close to the source of data — at the “edge” of the network — instead of relying on a centralized cloud or data center. 🧠 Core Idea: Instead of sending all data to the cloud, process it locally, near where it's created. 🔧 Where’s the “Edge”? Layer Example Edge Device Smart camera, industrial sensor, IoT device Edge Gateway Local router or micro-server near devices Cloud/Data Center Central processing (fallback or archive) 🧩 Why Use Edge Computing? Benefit Description Low latency Faster response times — no round-trip to the cloud Bandwidth savings Reduces data sent over the internet Offline capability Works even with intermittent connectivity Real-time processing Critical for automation, AI, robotics, etc. Improved privacy Sensitive data stays local 📍 Use Cases: Smart cities (traffic sensors, surveillance) Industrial automation (predictive maintenance) Healthcare (real-time patient monitoring) Retail (smart checkout, in-store analytics) Autonomous vehicles (split-second decisions without cloud delay) 🔐 Security Implications: Risk Mitigation More attack surfaces Harden each edge node Physical tampering Use tamper detection + encryption Inconsistent updates Centralized patching systems Data loss/theft locally Use secure storage and transmission 🧠 Security+ Tip: Edge computing = decentralized, low-latency processing near the data source. Mention it when speed, bandwidth, or autonomy is key.

Answer 131

🧾 E-Discovery (Electronic Discovery) E-discovery is the process of identifying, collecting, preserving, and producing electronically stored information (ESI) during legal proceedings — such as lawsuits, investigations, audits, or regulatory compliance. 🧠 Core Idea: If it’s digital and might be relevant in court, you have to find it, preserve it, and produce it — without tampering. 📂 Types of ESI (Electronically Stored Information): Emails Chat logs and messaging apps (e.g., Slack, Teams) Documents (Word, PDFs, spreadsheets) Social media content Server logs Voicemail and video recordings Metadata (timestamps, author, IPs) 🔁 E-Discovery Workflow (Simplified): Information Governance → Set retention, classification, and access policies Identification → Locate potential sources of ESI Preservation → Ensure data is protected from alteration/deletion (legal hold) Collection → Extract data in a forensically sound manner Processing → Filter, de-duplicate, convert formats Review → Attorneys or analysts inspect for relevance, privilege, etc. Production → Present final set of ESI in usable format to court or regulators Presentation → Use evidence in hearings or trials ⚖️ Why It Matters in Cybersecurity & Compliance: Legal or regulatory mandates (GDPR, HIPAA, SOX, etc.) Insider threat and fraud investigations Data breach response and chain of custody Incident response documentation HR disputes and workplace misconduct 🛡️ Challenges: Volume: massive data sets Format: wide variety (structured/unstructured) Preservation: must avoid spoliation (evidence tampering) Privacy: redacting personal or sensitive data 🔐 Security+ Tip: E-discovery = digital evidence handling for legal/regulatory cases. Keywords: legal hold, chain of custody, metadata integrity.

Answer 132

🧮 Elasticity (in Cloud Computing) Elasticity refers to the ability of a cloud system to automatically scale resources up or down — on-demand — based on current workload needs. 🧠 Core Idea: When demand grows, add more resources. When demand shrinks, release them. Fast, automatic, efficient. 🔄 Elastic vs. Scalable: Concept Definition Key Difference Elasticity Automatic adjustment of resources in real time Think real-time flexibility Scalability The capacity to handle growth (manual or auto) Think long-term growth planning 📈 Example Use Case: An e-commerce site sees traffic spikes during Black Friday. With elasticity, the cloud platform adds more servers temporarily. After the sale, resources shrink automatically, reducing costs. 🧩 Benefits of Elasticity: ✅ Optimizes resource usage ✅ Lowers operational costs ✅ Improves performance and availability ✅ Adapts in real time to workload changes ☁️ Technologies That Enable Elasticity: Auto-scaling groups Load balancers Serverless platforms (e.g., AWS Lambda) Container orchestration (e.g., Kubernetes) 🧠 Security+ Tip: Elasticity = on-demand, automatic resource expansion or reduction Commonly associated with cloud computing and cost-efficiency.

Answer 133

🧮 Elasticity (in Cloud Computing) Elasticity refers to the ability of a cloud system to automatically scale resources up or down — on-demand — based on current workload needs. 🧠 Core Idea: When demand grows, add more resources. When demand shrinks, release them. Fast, automatic, efficient. 🔄 Elastic vs. Scalable: Concept Definition Key Difference Elasticity Automatic adjustment of resources in real time Think real-time flexibility Scalability The capacity to handle growth (manual or auto) Think long-term growth planning 📈 Example Use Case: An e-commerce site sees traffic spikes during Black Friday. With elasticity, the cloud platform adds more servers temporarily. After the sale, resources shrink automatically, reducing costs. 🧩 Benefits of Elasticity: ✅ Optimizes resource usage ✅ Lowers operational costs ✅ Improves performance and availability ✅ Adapts in real time to workload changes ☁️ Technologies That Enable Elasticity: Auto-scaling groups Load balancers Serverless platforms (e.g., AWS Lambda) Container orchestration (e.g., Kubernetes) 🧠 Security+ Tip: Elasticity = on-demand, automatic resource expansion or reduction Commonly associated with cloud computing and cost-efficiency.

Answer 134

🔐 ESP (Encapsulating Security Payload) ESP is a core protocol in the IPsec (Internet Protocol Security) suite. It provides confidentiality, integrity, and authentication for IP packets by encrypting and optionally authenticating the data being sent across a network. 🧠 Core Idea: ESP = Encrypt and protect data inside IP packets. It ensures no one can read or tamper with what’s inside. 📦 What ESP Protects: Feature Provided by ESP? Encryption ✅ Yes (confidentiality) Integrity ✅ Yes (detects tampering) Authentication ✅ Optional (proves sender) Anti-replay ✅ Yes (sequence numbers) Header protection ❌ No (IP header is still visible unless in tunnel mode) 🔁 Two Modes of ESP: Mode What Gets Protected Use Case Transport Encrypts payload only (not IP header) Host-to-host encryption Tunnel Encrypts entire original IP packet + adds new header VPNs, site-to-site tunnels 🔐 ESP in Action: Often used in VPNs (especially IPsec-based VPNs) Works with encryption algorithms like AES, ChaCha20 Adds ESP headers/trailers around the protected data 🚫 Not to Confuse With: Term Meaning ESP Encapsulating Security Payload (IPsec) AH Authentication Header — no encryption GRE Generic Routing Encapsulation — not secure SSL/TLS Used in HTTPS — different protocol stack 🧠 Security+ Tip: ESP = IPsec protocol that encrypts and optionally authenticates data If the question mentions confidentiality or VPN tunneling, think ESP, not AH.

Answer 135

🔚 EOSL – End of Service Life EOSL stands for End of Service Life, and it's an important term in IT asset management, cybersecurity, and risk planning. 🧠 Definition: EOSL is the point at which a hardware or software vendor stops all support, including: Security patches Technical assistance Firmware updates Bug fixes 🔥 Why EOSL Matters in Cybersecurity: Risk Impact ❌ No security patches Vulnerabilities remain unpatched → exploit risk ❌ No vendor support Can't escalate issues or get official fixes ❌ Compliance failure Violates industry standards (e.g., PCI-DSS, HIPAA) ❌ Increased downtime Failures take longer to resolve 📉 EOSL vs EOL (End of Life): Term Meaning EOL Product is no longer sold or developed EOSL All support ends — the product is fully retired 🔧 EOL = the product is on its way out 🚫 EOSL = it’s out. You're on your own.

Answer 136

🖥️ Endpoint Detection and Response (EDR) EDR is a cybersecurity solution that provides continuous monitoring, threat detection, and automated response for endpoints — like laptops, desktops, and servers. 🧠 Core Idea: EDR watches everything happening on endpoints and alerts, investigates, and responds to threats — often in real time. 🔍 What EDR Does: Function Description Monitor Tracks files, processes, user activity, network traffic Detect Uses signatures + behavior-based analytics to spot threats Investigate Provides forensics and context (e.g., what process ran, what it did) Respond Quarantine files, kill processes, isolate hosts, alert analysts Hunt Supports threat hunting (manual and automated) ⚙️ Core EDR Capabilities: Real-time telemetry collection Behavioral analysis (detects suspicious patterns) Machine learning for anomaly detection Indicators of Compromise (IOCs) and TTPs Forensic timeline reconstruction Automated playbooks / SOAR integration 🖥️ What’s an Endpoint? Any device connecting to a network: Workstations Laptops Servers Cloud-based VMs Mobile devices (in some cases) 🔐 Why EDR Matters: Without EDR With EDR Malware goes undetected Threats detected in real time Manual investigations Automated response + detailed forensics Slow detection (days/weeks) Fast containment (seconds/minutes) 🔁 EDR vs Antivirus vs XDR: Solution Scope Intelligence Antivirus Signature-based threat detection Limited EDR Behavior + real-time endpoint defense Advanced analytics XDR Extended detection across endpoints, email, cloud, etc. Correlated multi-source data 🧠 Security+ Tip: EDR = advanced, behavior-driven defense at the endpoint level. Key terms: telemetry, quarantine, threat hunting, real-time response.

Answer 137

🛡️ Endpoint Protection Platform (EPP) An Endpoint Protection Platform (EPP) is a security solution installed on endpoint devices (like laptops, desktops, and servers) to prevent, detect, and block threats — primarily before they execute. 🧠 Core Purpose: EPP = preventive security at the device level. Think of it as a modern antivirus + firewall + malware blocker all rolled into one. 🧩 What EPP Typically Includes: Capability Description Antivirus/Antimalware Signature and heuristic-based detection Host-based Firewall Controls inbound/outbound traffic at the device level Exploit Prevention Blocks techniques used in malware delivery/execution Device Control Manages USBs, printers, external devices App Control / Whitelisting Blocks unapproved or unknown applications Web Filtering Blocks access to malicious websites Basic Behavioral Analysis Detects known patterns of bad behavior 🖥️ EPP vs. EDR: Feature EPP (Protection) EDR (Detection + Response) Focus Prevention Detection + Investigation Action Blocks known threats Investigates complex attacks Threat Types Malware, ransomware, phishing Fileless malware, zero-days Real-time visibility ❌ Limited ✅ Full endpoint telemetry Response Mostly automated blocking Manual or automated response 🔐 EPP = First line of defense 🕵️ EDR = Second line of detection and analysis 🧠 Security+ Tip: EPP = preventative endpoint solution, focused on stopping known threats. Often paired with EDR for full protection + investigation capability. 🧪 Bonus: Modern EPPs often evolve into XDR (Extended Detection and Response), combining endpoint, email, identity, and network telemetry into one unified platform.

Answer 138

🏢 Enterprise Risk Management (ERM) Enterprise Risk Management (ERM) is a structured, organization-wide approach to identifying, assessing, responding to, and monitoring risks that could impact the achievement of business objectives — not just cybersecurity, but strategic, financial, operational, legal, and reputational risks as well. 🧠 Core Idea: ERM = Manage all major risks across the enterprise, not in silos. 📊 ERM Key Objectives: Identify and understand all categories of risk Ensure proactive rather than reactive management Align risk appetite with strategic goals Protect and create organizational value 🧩 Common Risk Categories in ERM: Category Examples Strategic Market shifts, mergers, brand damage Operational System failures, supply chain issues Financial Budget shortfalls, currency volatility Compliance/Legal Regulatory violations, lawsuits Cybersecurity/IT Data breaches, insider threats Reputational Public scandals, customer backlash 🔄 ERM Lifecycle (Simplified): Risk Identification → What could go wrong? Risk Assessment → How likely? How severe? Risk Response → Avoid, mitigate, transfer, or accept? Risk Monitoring & Reporting → Track changes and effectiveness Integration with Strategy → Align with goals, resources, culture 🛡️ ERM vs Traditional Risk Management: Aspect Traditional RM Enterprise RM (ERM) Scope Department-specific Organization-wide Focus Loss prevention Strategic decision-making Coordination Isolated Centralized and cross-functional Timeframe Short-term Long-term and continuous 🧠 Security+ Tip (and real-world relevance): ERM is about strategic alignment — cybersecurity risk fits within this larger business context. If a question involves governance, strategy, or organization-wide risk, ERM is the correct answer.

Answer 139

🎲 Entropy (in Cybersecurity & Cryptography) Entropy is a measure of randomness or unpredictability — especially important in cryptography, where high entropy ensures that keys, passwords, and random numbers are hard to guess or reproduce. 🧠 Core Idea: More entropy = more randomness = more security. Low entropy = predictable = weak = hackable. 🔐 Where Entropy Matters: Area Why Entropy Is Important Password Strength Randomized, longer passwords have higher entropy = harder to brute force Cryptographic Keys Keys must be unpredictable to resist attacks Random Number Generation Secure RNGs rely on high entropy sources Token Generation Session tokens, CSRF tokens must be non-guessable 📏 Entropy Measured In Bits: Entropy Bits Equivalent Security 20 bits Weak (guessable by brute force) 80+ bits Acceptable for most passwords 128+ bits Standard for cryptographic keys 256 bits Common for AES-256 encryption Example: A 4-digit PIN (0000–9999) = ~13 bits of entropy → easy to crack. 🧩 Entropy Sources: Type Example Reliability True Random Hardware noise, radioactive decay ✅ Strong Pseudo-random (PRNG) Algorithm-based (e.g., /dev/urandom) ⚠️ Needs good seed User input Mouse movement, keystroke timing Varies ⚠️ Entropy Failures = Security Failures: Weak password rules → low entropy Reusing PRNG seeds → predictable keys Poor token generation → session hijacking 🧠 Security+ Tip: Entropy = randomness = unpredictability Always aim for high entropy in cryptographic operations.

Answer 140

⚠️ Error Handling (in Cybersecurity & Software Development) Error handling refers to how systems respond to unexpected conditions or failures — like invalid input, broken connections, or internal crashes — without exposing sensitive information or compromising security. 🧠 Core Idea: Good error handling = graceful failure Bad error handling = leaks, crashes, or exploits 🔐 In Cybersecurity Context: Risk Bad Error Handling Can Lead To… Information disclosure Detailed error messages reveal server paths, DB structure, stack traces, or internal logic Injection attacks Poor input validation can let malicious code slip in Denial of Service Unhandled exceptions crash the app Bypass logic Logic errors or bad exception handling may allow privilege escalation or bypass authentication 🛡️ Best Practices for Secure Error Handling: Good Practice Why It Matters Generic user-facing errors Avoid leaking system details to attackers Detailed logging (server-side) Helps admins investigate issues without exposing info to users Catch and handle exceptions Prevent app crashes and unintended behavior Fail securely On failure, deny access rather than allow it Input validation & sanitization Prevent unexpected input from causing errors Use error codes instead of messages Safer for APIs and client communication 🚫 What NOT to Do: Displaying 500 Internal Server Error with stack trace Revealing file paths or database errors like: vbnet Copy Edit SQL Error: syntax error near 'DROP TABLE' Letting unhandled exceptions bubble up to users 🔐 Security+ Tip: Error messages should be informative to the admin, but opaque to the attacker. Keyword to remember: “fail securely.”

Answer 141

🔐 Escrow (in Cybersecurity and IT) Escrow is the process of storing critical digital assets — such as encryption keys, source code, or passwords — with a trusted third party, to be released only under predefined conditions. 🧠 Core Idea: Escrow = “Hold this sensitive thing in safekeeping until it's legally or operationally necessary to release it.” 🔑 Common Use Cases: Use Case Description Key Escrow A third party securely holds encryption keys, to allow recovery or access when needed (e.g., lost password, law enforcement subpoena) Source Code Escrow A developer deposits software code with a neutral party, in case the vendor goes out of business or fails to maintain it Password Escrow Critical credentials (e.g., for admin/root accounts) are stored securely for emergency use Certificate Authority Escrow Stores private keys for recovery or re-issuance purposes 🛡️ Security Benefits: Enables data recovery after lockouts Prevents single point of failure (e.g., if one admin loses access) Supports compliance (e.g., legal access to encrypted data) Protects against vendor failure or sabotage ⚠️ Risks and Concerns: Trust: The escrow agent must be secure and reliable Misuse: Governments or insiders may demand premature access Complexity: Must be carefully managed and audited Backdoor risk: If not properly secured, it introduces a weak link 🔐 Key Escrow Example (Simplified): User encrypts a hard drive with a private key That private key is encrypted and stored in escrow (e.g., with the IT security team) If the user forgets their password, IT can retrieve the key and restore access But access requires, say, 2 admin approvals (dual control) 🧠 Security+ Tip: Escrow = safekeeping of digital assets for emergency access If you see “encryption key recovery,” “vendor collapse,” or “disaster recovery,” think escrow.

Answer 142

🎭 Evil Twin Attack An evil twin is a type of wireless spoofing attack where a malicious actor sets up a fake Wi-Fi access point that mimics a legitimate one — tricking users into connecting so the attacker can steal data, perform man-in-the-middle (MITM) attacks, or deploy malware. 🧠 Core Idea: You think you're connecting to Starbucks_WiFi, but it's actually the attacker's fake clone watching everything you do. 🧩 How an Evil Twin Works: Attacker sets up a Wi-Fi hotspot with the same SSID as a real one. They boost the signal to make it more attractive. Victims connect automatically (or unknowingly) to the rogue AP. All traffic is intercepted, logged, modified, or redirected. Attacker might also serve a fake login page to steal credentials. 🧪 Real-World Example: Real Wi-Fi Evil Twin Airport_WiFi Airport_WiFi (attacker's AP) Captive portal asks for email Attacker mimics portal and steals credentials 🛡️ How to Defend Against Evil Twin Attacks: Defense Technique Description Use VPN Encrypts traffic even over malicious networks Turn off auto-connect Prevents devices from latching onto fake networks Use HTTPS Everywhere Reduces attack impact even if on evil network Enterprise WPA2/WPA3 Uses certificate-based authentication Wireless Intrusion Detection (WIDS) Detects rogue APs and suspicious activity User awareness Recognize risky hotspots and avoid entering creds 🧠 Security+ Tip: Evil twin = fake Wi-Fi AP used for eavesdropping or credential theft. Keywords: SSID spoofing, MITM, wireless phishing.

Answer 143

❌⭕ XOR (Exclusive OR) XOR is a logical operation that outputs true only when the inputs are different — and it’s heavily used in cryptography due to its reversible nature. Used in: Symmetric encryption algorithms (e.g., one-time pad, stream ciphers) Data obfuscation Checksums and error detection 🧠 Security+ Tip: If a question mentions bitwise encryption, reversibility, or one-time pad, think XOR. XOR is secure only when used with truly random, one-time keys — otherwise, it can be broken.

Answer 144

⚙️ Execution Control (a.k.a. Application Control or Execution Restriction) Execution control is a security mechanism that prevents unauthorized, untrusted, or malicious code from being executed on a system. It ensures that only approved software can run — reducing the risk of malware, ransomware, and insider threats. 🧠 Core Idea: Only the programs you explicitly trust are allowed to execute. Everything else is blocked or sandboxed. 🔐 Common Execution Control Techniques: Technique Description Allowlisting Only approved applications or binaries can run Blocklisting Known-bad apps/processes are blocked Code Signing Verification Only executables with valid digital signatures are allowed Script control Blocks unauthorized PowerShell, Python, batch scripts, etc. Application Sandboxing Runs apps in isolated environments to prevent system access File path restrictions Prevents running executables from specific directories (e.g., %TEMP%) User privilege enforcement Prevents non-admins from installing or executing certain apps 🧩 Examples of Execution Control Tools: AppLocker (Windows) Windows Defender Application Control (WDAC) SELinux policies (Linux) Endpoint Protection Platforms (EPPs) Mobile Device Management (MDM) app controls Third-party application control solutions (e.g., Carbon Black, CrowdStrike) 🛡️ Why It Matters in Cybersecurity: Benefit Description ✅ Stops zero-day threats Unknown malware can't run if not allowlisted ✅ Reduces insider abuse Blocks use of tools like Mimikatz, netcat, etc. ✅ Hardens critical systems Ideal for ATMs, kiosks, servers, etc. 🧠 Security+ Tip: Execution control = only trusted code runs Think allowlisting, code signing, script restrictions, or controlled environments.

Answer 145

Suite of tools designed to automate delivery of exploits against common software and firmware vulnerabilities. 💣 Exploitation Framework An exploitation framework is a toolkit used by attackers, red teamers, and penetration testers to identify vulnerabilities, develop payloads, and launch exploits against systems — often in an automated or modular way. 🧠 Core Idea: A Swiss Army knife for attackers: scan, exploit, payload, repeat. 🧩 Common Exploitation Frameworks: Framework Description Metasploit Most popular; modular; supports payloads, exploits, post-exploitation Cobalt Strike Commercial red-teaming suite; includes command & control (C2) capabilities Empire PowerShell-based post-exploitation (no longer officially maintained) Nmap + NSE While not a full framework, supports vulnerability scripting Core Impact / Immunity Canvas Commercial, GUI-based alternatives to Metasploit ⚙️ Typical Modules in an Exploitation Framework: Module Type Purpose Exploit Takes advantage of a specific vulnerability Payload What runs once the system is exploited (e.g., reverse shell) Encoder Obfuscates the payload to evade detection Listener Waits for incoming connections from compromised machines Post-Exploitation Tools for privilege escalation, persistence, data exfil 🔐 Why It Matters: Context Relevance Penetration Testing Used to simulate real-world attacks legally Red Teaming Tests detection and response capabilities Malware Analysis Understand how attackers package exploits Cybercrime Exploitation kits are used in real-world breaches 🧠 Security+ Tip: Exploitation framework = pre-built toolkit for launching and managing exploits. If you see Metasploit, payloads, or modular attacks in the question — this is it.

Answer 146

In risk calculation, the percentage of an asset's value that would be lost during a security incident or disaster scenario.

Answer 147

Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

Answer 148

A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.

Answer 149

A private network that provides some access to outside parties, particularly vendors, partners, and select customers. 🧠 Explanation: An Extranet is: A privately controlled portion of an internal network Made accessible to specific external users (like business partners, suppliers, or vendors) Often protected by authentication, VPNs, and firewalls Designed for collaboration or data sharing across organizational boundaries --- ❌ Why the others are incorrect: Option Why it's wrong Internet ❌ Public, global network — open to everyone MAN (Metropolitan Area Network) ❌ Describes a network size/scope, not access control or usage Intranet ❌ Private internal network used only within an organization — not accessible externally --- TL;DR: > 🔒 Intranet = internal only 🔐 Extranet = internal + invited outsiders 🌍 Internet = open to all

Answer 150

Failover in cybersecurity (and broader IT systems) refers to the automatic switching to a standby system or component when the primary system fails — it’s like having a spare tire ready to deploy the instant a blowout occurs. 🔐 In Cybersecurity Terms: Failover ensures security services remain operational even during outages, attacks, or failures. It’s part of high availability (HA) and business continuity planning. ✅ Common Failover Examples in Cybersecurity: Component Failover Mechanism Purpose 🔐 Firewalls Standby firewall activates if the primary one fails Maintains perimeter security 📡 VPN Gateways Traffic reroutes to backup gateway Keeps remote access secure 🔎 Intrusion Detection/Prevention Systems (IDS/IPS) Backup system takes over monitoring Continues threat detection 🔁 Authentication Servers (e.g., Active Directory) Redundant server handles login requests Prevents auth failure, avoids lockout ☁️ Cloud Services Traffic rerouted to a different region or instance Protects against DDoS or cloud provider issues 🧠 Why It Matters in Cybersecurity: Prevents security gaps: No coverage lapses during outages. Minimizes downtime: Attacks often exploit chaos; failover reduces exploitable moments. Ensures compliance: Many frameworks (like NIST, ISO 27001) require HA planning. Supports incident response: Keeps security tooling online during crises. 💡 TL;DR: Failover = your security infrastructure’s “backup bodyguard.” If the main one goes down, another one steps in without skipping a beat.

Answer 151

Fake telemetry in cybersecurity refers to the intentional generation or manipulation of system data (telemetry) to deceive, mislead, or test security systems or observers. 🧠 What Is Telemetry? Telemetry = automatic reporting of system data (e.g., logs, metrics, events) to help monitor performance, detect threats, or troubleshoot. Examples include: Process execution logs File access history Network traffic stats User login records 👻 What Is Fake Telemetry? Fake telemetry = false or crafted data made to: Evade detection (used by attackers) Test detection (used by defenders) Confuse threat actors (used in deception ops) 🕵️‍♂️ Used by Attackers: Cover tracks: Overwrite or spoof logs to look legitimate (e.g., edit PowerShell history) Delay detection: Inject plausible-but-fake event noise to hide real malicious actions Bypass security tools: Fool behavioral analytics or EDR into thinking nothing’s wrong 🧨 Example: A malware process alters its execution logs to mimic a trusted Windows binary. 🛡️ Used by Defenders: Deception: Feed fake credentials, systems, or logs to mislead attackers Threat detection: Send synthetic events to test whether SOC alerts are triggered Honeypots: Create entire fake environments rich in telemetry to attract and study intruders 🕸️ Example: A fake “finance.xlsx” file accessed at 3 AM triggers a silent alert to incident response. 🎭 TL;DR: Fake telemetry = forged system data used for trickery, cover, or testing. Hackers use it to hide. Defenders use it to trap.

Answer 152

🔐 False Acceptance Rate (FAR) – Explained Simply: False Acceptance Rate (FAR) is a biometric security metric that measures how often an unauthorized person is incorrectly accepted by a system as if they were legitimate. 🧠 In Plain Terms: FAR = How often the system says “yes” to the wrong person. It applies to systems using: Fingerprint scanners Face recognition Voice authentication Iris scanners Behavioral biometrics 🧪 Example: You have a fingerprint scanner on a secure door. Out of 1,000 unauthorized attempts, if 5 are incorrectly allowed in: FAR = 5 / 1000 = 0.005 = 0.5% 📉 Why It Matters: Low FAR = better protection against impersonation. But lowering FAR too much can increase FRR (False Rejection Rate) — where legitimate users get denied. There’s a trade-off between security (FAR) and usability (FRR). 📊 Related Metrics: Term Meaning FAR Wrong people accepted (Type II error) FRR Right people rejected (Type I error) EER (Equal Error Rate) Where FAR and FRR are equal — used to compare biometric systems fairly 🎯 TL;DR: False Acceptance Rate = “Whoops, I let in the intruder.” A critical measure in biometric system security. Lower is safer.

Answer 153

A false negative occurs when a real threat or condition is present, but the system fails to detect it. 🧠 In Simple Terms: False Negative = “All clear!” when it’s not.

Answer 154

🚨 False Positive – In Cybersecurity (and Life) A false positive happens when a system detects a threat that isn’t actually there. 🧠 In Plain Terms: False Positive = “Red alert!” but it’s just a toaster. 🔐 In Cybersecurity: Context False Positive Means Antivirus Flags a clean file as malware Intrusion Detection System (IDS) Marks normal traffic as malicious Email Filter Sends a legit email to spam SIEM Tool Raises alerts for normal behavior

Answer 155

❌ False Rejection Rate (FRR) – What It Means False Rejection Rate (FRR) is the rate at which a biometric security system incorrectly denies access to authorized users. 🧠 In Plain Terms: FRR = “No entry!”… even though it’s you. 🔐 Where You See It: FRR applies to biometric systems like: Fingerprint readers Facial recognition Voice ID Iris scanners 🧪 Example: Out of 1,000 valid user attempts, the system wrongly rejects 15: FRR = 15 / 1000 = 0.015 = 1.5% So 1.5% of the time, legit people get blocked. 🛑 Why It Matters: High FRR = frustration → users get locked out Too much friction = users disable or avoid security tools

Answer 156

🧲 Faraday Cage – Explained A Faraday cage is an enclosure made of conductive material that blocks electric fields and electromagnetic radiation from entering or escaping. ⚡ In Plain Terms: A Faraday cage is a signal-proof box. It keeps electromagnetic waves out (or in) by redistributing electric charges along its surface. 🔐 In Cybersecurity & Tech Use: Use Case Why It Matters Signal blocking Prevents hacking or tracking via Wi-Fi, GPS, Bluetooth, RFID EMP protection Shields sensitive electronics from electromagnetic pulses Forensics Prevents remote wiping of seized phones/devices Data protection Blocks wireless exfiltration of sensitive data RFID blocking wallets Prevent card skimming (contactless theft) 🧪 Example: You place a smartphone inside a metal box or wrap it in aluminum foil. Try calling or tracking it = nothing gets through. That’s a DIY Faraday cage. 🔬 How It Works: Made of conductive material (metal mesh or solid) When EM waves hit it, the cage redistributes the charge so the wave can't penetrate inside It works whether the wave comes from the outside or the device inside the cage The inside stays electromagnetically silent. 🎯 TL;DR: Faraday cage = a force field made of metal. Blocks signals. Stops leaks. Foils hackers. From wallets to war bunkers, it’s electromagnetic armor.

Answer 157

🌐 Federation – In Cybersecurity & Identity Management Federation is when multiple systems or organizations agree to trust each other’s identity authentication—so users can access resources across different domains without needing multiple logins. 🧠 In Plain Terms: Federation = "You vouch for them, I’ll let them in." 🔐 In Cybersecurity: Federated identity means a user's credentials from one system (or organization) can be used to access services in another. 📲 Real-World Examples: Scenario What's Happening Logging into Zoom with your Google account Zoom trusts Google's identity verification University students accessing Microsoft 365 using their campus login Microsoft trusts the university's identity system Single Sign-On (SSO) between apps One login works across many tools, even across orgs 🔐 Key Components: Identity Provider (IdP): The system that authenticates the user (e.g., Google, Azure AD) Service Provider (SP): The system or app the user wants to access (e.g., Salesforce) Trust relationship: SP trusts the IdP to confirm user identity 📦 Protocols Used: SAML (Security Assertion Markup Language) OAuth 2.0 OpenID Connect These are like passports for identity data — they let services verify who you are without seeing your password. 🎯 TL;DR: Federation = a passport system for digital identities. One trusted login gives access to many services — no juggling dozens of accounts.

Answer 158

🧵 Fibre Channel (FC) – What It Is Fibre Channel is a high-speed network technology used primarily to connect servers to shared storage in data centers — especially Storage Area Networks (SANs). 🧠 In Plain Terms: Fibre Channel = a turbo-fast expressway between servers and storage. Designed for blazing speed, low latency, and high reliability. 📡 Key Features: Feature Description 🚀 Speed Ranges from 1 Gbps to 128 Gbps (typically 8–32 Gbps today) 🔁 Topology Point-to-point, loop (legacy), or switched fabric 🔒 Reliability Very low error rates, ideal for critical storage operations 🔌 Medium Uses fiber optic or copper cabling (despite the name, it's not always fiber) 💾 Protocol Mostly carries SCSI commands over FC — so storage talks SCSI, but over Fibre Channel 🧱 Where It’s Used: Enterprise SANs Data centers High-performance computing Virtualization infrastructure (e.g., VMware environments) 🔄 Compared to Others: Protocol Use Case Notes Fibre Channel Dedicated SAN Fast, reliable, expensive iSCSI IP-based SAN Slower, cheaper, uses Ethernet SAS/SATA Direct storage Cheaper, but not networked ❓Why Not Use Ethernet? You could! And many do now with FCoE (Fibre Channel over Ethernet) or NVMe over Fabrics — but FC still dominates where dedicated, high-performance storage is mission-critical. 🎯 TL;DR: Fibre Channel = the VIP lane between servers and storage. Ultra-fast, super-reliable, and favored by serious data centers.

Answer 159

🔧 Field-Programmable Gate Array (FPGA) – What It Is A Field-Programmable Gate Array (FPGA) is a reconfigurable chip that can be programmed after manufacturing to perform specific hardware functions. 🧠 In Plain Terms: FPGA = a blank Lego board of circuits You decide what it becomes: a processor, a controller, an accelerator — anything hardware-level. ⚙️ Key Characteristics: Feature Description 🧠 Programmable logic blocks You define their behavior using code (HDL: VHDL or Verilog) 🔁 Reconfigurable Can be reprogrammed multiple times for different tasks ⚡ Parallel processing FPGAs can perform many operations simultaneously — unlike CPUs (which are sequential) 🚀 Low latency Hardware-level performance, faster than software-based solutions 📦 Used for Signal processing, encryption, AI acceleration, network hardware, custom protocols, etc. 🔐 In Cybersecurity: Use Case Why FPGAs? 🔒 Cryptographic processing Hardware-accelerated encryption/decryption (e.g. AES, RSA) 📶 Deep packet inspection Real-time traffic analysis in IDS/IPS systems 💣 Anti-reverse engineering Custom, obscure hardware logic that’s hard to tamper with 🛡️ Custom malware detection High-speed logic-based detection at the hardware level 🆚 FPGA vs Other Chips: Type Can You Reprogram It? Speed Flexibility FPGA ✅ (anytime) Fast Very high ASIC ❌ (fixed) Very fast None CPU ✅ (via software) Moderate High (in software) GPU ✅ (for data) High (for parallel tasks) High (within scope) 🎯 TL;DR: FPGA = “make-your-own hardware chip.” Fast, flexible, and reprogrammable — perfect for custom, high-speed tasks.

Answer 160

🗂️ File Integrity Monitoring (FIM) – What It Is File Integrity Monitoring (FIM) is a security control that tracks changes to critical files and alerts if something is added, removed, or modified — especially on systems where stability and security are vital. 🧠 In Plain Terms: FIM = your digital “tripwire” It tells you if someone touched, tampered with, or changed important files. 🔐 Why It Matters: Attackers often: Modify config files (e.g. /etc/passwd, registry keys) Inject backdoors Replace legitimate binaries with malicious ones FIM helps detect this early — before more damage is done. 🛡️ Key Features: Feature Purpose 📋 Baseline snapshot Records file hashes, permissions, size, etc. at a known-good state 👀 Continuous monitoring Watches for unauthorized changes 🔔 Alerting Sends real-time notifications if something is altered 🧾 Logging/auditing Keeps track of who changed what and when 🧠 Integration Often plugs into SIEMs, EDRs, and compliance tools 🧪 Real Examples: File/Item Monitored Why? /etc/shadow Holds Linux user passwords (hashed) C:\Windows\System32\drivers\etc\hosts Hackers might redirect URLs Web server configs (nginx.conf, .htaccess) Prevent unauthorized changes to server behavior Application files and DLLs Detects file replacement or malware injection PCI DSS scope files Required for compliance (e.g. log files, payment software) ⚖️ Compliance Tie-Ins: FIM is required or strongly recommended for: PCI DSS HIPAA SOX NIST 800-53 🧮 Common Tools: Tripwire AIDE (Advanced Intrusion Detection Environment) OSSEC CrowdStrike Falcon Wazuh 🎯 TL;DR: File Integrity Monitoring = your tamper alarm for sensitive files. If something sneaky changes, you’ll know — fast.

Answer 161

🔐 File Transfer Protocol Secure (FTPS) – What It Is FTPS stands for File Transfer Protocol Secure, a secure version of the classic FTP protocol. It adds SSL/TLS encryption to protect data in transit — like wrapping an armored cable around your old phone line. 🧠 In Plain Terms: FTPS = old-school FTP + SSL/TLS armor. It protects your username, password, and files from being snooped on during transfer. ⚙️ How It Works: Built on standard FTP (uses TCP port 21) Adds SSL/TLS encryption, just like HTTPS Can use: Implicit FTPS: Always encrypted (older style, typically port 990) Explicit FTPS: Starts unencrypted, then upgrades to secure (modern preferred) 🔐 What It Secures: Item Without FTPS With FTPS Username & password Sent in plain text 😬 Encrypted ✅ Files & commands Exposed to sniffing 😱 Protected by TLS ✅ ⚖️ FTPS vs Other Protocols: Protocol Encryption Port(s) Notes FTP ❌ None 21 Obsolete, insecure FTPS ✅ SSL/TLS 21 (explicit), 990 (implicit) Adds encryption to FTP SFTP ✅ SSH 22 Completely different protocol (based on SSH) HTTPS ✅ SSL/TLS 443 Often used for browser-based file transfer ⚠️ FTPS and SFTP are NOT the same! FTPS = FTP + TLS SFTP = SSH File Transfer Protocol (completely different) 🏛️ Common Use Cases: Secure file exchange with external vendors Compliant transfers in finance, healthcare, or government Legacy systems that require FTP but with encryption 🎯 TL;DR: FTPS = encrypted FTP. Keeps your file transfers safe from eavesdropping with SSL/TLS — but it’s still rooted in a legacy protocol.

Answer 162

🌫️ Fog Computing – What It Is Fog computing is a decentralized computing architecture where data, compute, storage, and applications are processed closer to the source (like IoT devices) — rather than relying entirely on the cloud. 🧠 In Plain Terms: Fog computing = a local “mini-cloud” near your devices. It reduces latency by handling data at the network edge, before it reaches the centralized cloud. 🏭 Where It Shows Up: Smart traffic lights processing data locally to reduce response time Industrial IoT machines analyzing sensor data on-site to detect failures Security cameras doing real-time face recognition locally before sending summaries to the cloud ⚙️ How It Works: Layer Role 🖧 Edge Devices Sensors, IoT gadgets, etc. — produce raw data 🌫️ Fog Nodes Local routers, gateways, micro data centers — process/analyze data nearby ☁️ Cloud Long-term storage, machine learning, big-picture analytics Fog nodes can: Pre-process data Make decisions locally Send only relevant info to the cloud 🆚 Fog vs Edge vs Cloud: Feature Edge Computing Fog Computing Cloud Computing Location Closest to the device (on-device or right next to it) Between edge and cloud (e.g. gateway or local server) Centralized, remote data centers Latency Lowest Low Higher Processing Device-level Local area (LAN) Global, high-scale Best for Instant decisions Real-time + aggregate logic Big data, long-term storage Think of edge = the sensor, fog = the local brain, cloud = the global HQ. 🔐 In Cybersecurity: Fog computing introduces new attack surfaces: More endpoints = more vulnerabilities Must secure local fog nodes, not just cloud Increases importance of network segmentation, data integrity, and zero-trust models 🎯 TL;DR: Fog computing = the cloud comes down to your neighborhood. Fast, local, efficient — perfect for IoT and time-sensitive applications.

Answer 163

🕵️‍♂️ Forensic Toolkit (FTK) – Explained Forensic Toolkit (FTK) is a digital forensics software suite developed by AccessData (now part of Exterro). It’s used by investigators to analyze, search, and preserve digital evidence from computers, phones, drives, and networks. 🧠 In Plain Terms: FTK = CSI for your hard drive. It helps forensic analysts dig through digital messes and find usable, admissible evidence. 🛠️ Core Capabilities: Feature What It Does 🔍 Index-based searching Super fast keyword searches through entire datasets (emails, documents, metadata) 💾 Image acquisition Forensic disk imaging and hashing to preserve original evidence (bit-for-bit) 🧩 File carving Recovers deleted or fragmented files 💬 Email analysis Parses Outlook, PST, MBOX, etc. 📱 Mobile forensics Analyze data from iOS and Android devices (when combined with additional modules) 🔐 Decryption & password cracking Can attempt to unlock protected files (with optional AccessData Password Recovery Toolkit) 🔗 Timeline & registry analysis Reconstruct user behavior, system activity, and file access history 📄 Case reporting Create legally admissible reports for court or internal investigations 💡 Common Use Cases: Insider threat investigations HR or legal cases involving inappropriate computer use Breach analysis Evidence collection for law enforcement Chain of custody documentation 🆚 FTK vs EnCase vs Autopsy: Tool Strengths FTK Fast indexing, good GUI, scalable for enterprise cases EnCase Industry gold standard for courts, deep file structure analysis Autopsy Open source, great for budget-sensitive teams or training 🧯 Bonus Tip: FTK is known for its strong GUI and multi-threaded processing, but it requires hefty resources (RAM, CPU, and storage). Many teams pair it with other tools (e.g. Volatility for memory analysis or Wireshark for network forensics). 🎯 TL;DR: Forensic Toolkit (FTK) = the Swiss Army knife of digital investigations. It helps find the who, what, when, where, and how of computer evidence — fast, forensically, and court-ready.

Answer 164

💾 Full Backup – What It Is A full backup is a type of data backup where every selected file and folder is copied in its entirety, regardless of whether it has changed since the last backup. 🧠 In Plain Terms: Full Backup = a complete snapshot of your data. Every file. Every time. No exceptions. 📦 Key Features: Feature Description 🗂️ Scope Backs up all data (not just new/changed files) 🕒 Time Slowest to run (lots of data) 💾 Storage Requires the most space ✅ Recovery Fast and simple to restore — everything is in one place 🔁 Usage Often scheduled weekly or monthly, with incrementals or differentials in between 🧪 Example: Monday: You do a full backup — 500 GB is copied. Tuesday: You do an incremental backup — only the 3 changed files are backed up. Friday: Something crashes. To recover: You restore the full backup from Monday Then add each incremental from Tue–Thu 🔄 Compared to Other Backup Types: Type What It Does Storage Use Backup Speed Restore Speed Full All data, every time High Slow Fast Incremental Only files changed since last backup Very low Very fast Slower Differential Only files changed since last full backup Medium Medium Faster than incremental 🛡️ In Cybersecurity: Full backups are critical for disaster recovery (e.g., ransomware, system failure) Must be stored securely (on-site + off-site or cloud) Should be encrypted, versioned, and regularly tested 🎯 TL;DR: Full backup = everything, every time. Heavy to run, but essential for reliable restoration.

Answer 165

🔐 Full Disk Encryption (FDE) – What It Is Full Disk Encryption (FDE) is a security method that encrypts the entire contents of a storage drive — every file, folder, and even free space — so that nothing can be read without proper authentication (like a password, key, or smart card). 🧠 In Plain Terms: FDE = Your whole drive is locked in a cryptographic vault. Power off the device? It’s unreadable without the key. 📦 What Gets Encrypted: Encrypted? Examples ✅ Files & folders Docs, images, videos ✅ Operating system System files, registry ✅ Temporary files Caches, pagefile, hibernation ✅ Free/unused space Prevents data recovery tools from finding deleted data 🔐 How It Works: When the drive is powered off, all data is scrambled using encryption (e.g., AES-256). On boot, the user authenticates (password, biometrics, TPM, etc.). If authenticated, the system decrypts data on the fly as it's read or written. When powered down or locked, the drive is unreadable again. 🧯 Why It Matters in Cybersecurity: Prevents data theft if a laptop is stolen or a hard drive is removed Mitigates insider threats and forensic recovery Helps meet compliance (HIPAA, GDPR, PCI DSS) 🧨 Without FDE, someone could boot from a USB stick and read your files in minutes. 🔄 Common FDE Solutions: Platform Tool Notes Windows BitLocker Uses TPM for key storage macOS FileVault 2 Native, user-friendly Linux LUKS/dm-crypt Flexible and open-source Cross-platform VeraCrypt Open-source, supports hidden volumes ⚠️ Considerations: Don’t forget your recovery key — no one can help you if you lose it FDE protects data at rest, but not data in use (e.g., while logged in) For best security: pair FDE with endpoint protection, BIOS passwords, and physical safeguards 🎯 TL;DR: Full Disk Encryption = the “everything lock.” If someone steals your laptop, all they get is cryptographic garbage — unless they know your secret.

Answer 166

🧪 Fuzzing – What It Is Fuzzing (or fuzz testing) is a software testing technique where random, unexpected, or malformed inputs are automatically thrown at a program to see if it crashes, hangs, or leaks information. 🧠 In Plain Terms: Fuzzing = digital chaos monkey testing your software. It throws junk at your program to see if it breaks — and how. 💥 What It's Looking For: Crashes Buffer overflows Memory leaks Unhandled exceptions Unexpected behavior Security vulnerabilities 🔍 How It Works: Target chosen: e.g. web app, parser, network protocol Input generation: The fuzzer mutates valid inputs or generates garbage Program runs with input: Outputs, logs, and crashes are monitored Crashes triaged: Developers investigate whether it’s a security risk 🧑‍💻 Example: Target = image viewer Fuzzer feeds in a corrupted .PNG file → 💥 Program crashes → 🔓 Devs discover it was vulnerable to a buffer overflow → 👨‍💻 Patch deployed 🔐 In Cybersecurity: Bug bounty programs and red teams use fuzzing to find 0-days Used to test: File parsers (PDF, image, video) Network protocols (DNS, FTP, HTTP) Web applications APIs Helps uncover unknown vulnerabilities before attackers do ⚒️ Popular Fuzzing Tools: Tool Use Case AFL (American Fuzzy Lop) General-purpose fuzzing, fast and efficient LibFuzzer In-process fuzzing for C/C++ apps OSS-Fuzz Google's fuzzing infrastructure for open-source Burp Suite Intruder Web fuzzing (forms, parameters, APIs) Peach Fuzzer Commercial tool for protocol/file fuzzing 🎯 TL;DR: Fuzzing = stress-testing software with gibberish to find the cracks. A powerful way to uncover bugs, crashes, and vulnerabilities — before the bad guys do.

Answer 167

🔐 Galois/Counter Mode (GCM) – What It Is Galois/Counter Mode (GCM) is a mode of operation for block ciphers (like AES) that provides both: Confidentiality (encryption) Integrity (authentication via a tag) It’s fast, secure, and widely used in modern cryptographic systems. 🧠 In Plain Terms: GCM = AES encryption with built-in tamper detection. It encrypts your data and also checks if anyone has messed with it. ⚙️ How It Works: GCM combines two functions: Counter (CTR) mode: Turns a block cipher (like AES) into a stream cipher for fast, parallel encryption. Galois field multiplication: Authenticates the ciphertext + additional data using polynomial math. 🧩 Key ingredients: Plaintext → Encrypted Additional Authenticated Data (AAD) → Not encrypted, but verified Authentication Tag → Ensures data wasn’t tampered with 📦 Output of GCM: Output Meaning 🧾 Ciphertext The encrypted message 🔐 Auth Tag A cryptographic fingerprint of the encrypted + additional data ✅ Verification step If the tag doesn’t match, decryption fails — data may be altered or forged 🔐 Why GCM Is Popular: Benefit Description ⚡ High performance Hardware-accelerated on most modern CPUs (e.g., AES-NI) 🛡️ Authenticated Encryption (AE) Encrypts + validates integrity in one pass 📱 Widely supported TLS 1.2+, SSH, IPsec, secure file storage, etc. 🔄 Parallelizable Faster than older modes like CBC 🧪 GCM vs CBC (Cipher Block Chaining): Feature GCM CBC Encryption speed Fast, parallel Slower, sequential Integrity/auth Yes (built-in tag) No (needs extra MAC) Common in TLS, secure APIs Legacy apps, older VPNs Padding Not needed Required, can cause issues (e.g. padding oracle attacks) 🎯 TL;DR: GCM = AES encryption with a built-in lie detector. It’s fast, secure, and ensures your data is safe and untouched.

Answer 168

Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.

Answer 169

📍 Geofencing – What It Is Geofencing is a technology that creates a virtual geographic boundary (a "fence") around a real-world location. When a device enters or exits that area, it triggers a predefined action, like an alert, restriction, or automation. 🧠 In Plain Terms: Geofencing = digital tripwire around a location. If you cross the line, something happens — like a silent alarm, a lockout, or a welcome message. 📡 How It Works: A virtual perimeter is defined using GPS, RFID, Wi-Fi, or cellular data. A mobile device or system monitors whether a user enters or leaves that zone. When the boundary is crossed, a trigger occurs. 🔐 In Cybersecurity: Use Case Purpose 🛑 Access Control Block logins or app use outside authorized locations (e.g., no VPN access outside company HQ) 📍 Location-based authentication Require extra verification if user logs in from unfamiliar physical zones 🚨 DLP enforcement Restrict file access or sharing if device is taken off-premises 📦 Asset tracking Alert if a sensitive device leaves a secured zone 🧑‍💼 Employee monitoring Track field personnel within assigned zones (e.g., delivery zones, secure facilities) 📱 Other Applications: Retail: Trigger push notifications when customers approach a store Home automation: Lights turn on when you arrive home Fleet management: Monitor vehicles or restrict them to certain areas Parental control: Alert if a child leaves a safe zone ⚠️ Security + Privacy Concerns: Must secure location data against leaks or misuse Can be used for surveillance or micromanagement if not ethically deployed GPS spoofing or VPN use can sometimes bypass geofences 🎯 TL;DR: Geofencing = a virtual boundary with consequences. Cross it, and something triggers — for security, automation, or surveillance.

Answer 170

📍 Geolocation – What It Is Geolocation refers to the identification of a device's physical location in the real world using data like GPS, Wi-Fi, IP address, Bluetooth, or cellular networks. 🧠 In Plain Terms: Geolocation = “Where are you?” — answered by your device. It tells apps, websites, or systems where a user or asset is located — from general regions (like city/state) to precise coordinates (longitude/latitude). 🌐 How It Works: Method Accuracy Description 📡 GPS High (~5–10m) Uses satellites — ideal outdoors 🌐 IP Address Low (~city level) Based on internet routing — can be spoofed 📶 Wi-Fi Positioning Medium to high Detects nearby Wi-Fi networks and triangulates 📱 Cell Tower Triangulation Medium Uses mobile network signal strength 🔗 Bluetooth Beacons High (indoor) For indoor location within buildings 🔐 In Cybersecurity: Use Case Why It Matters 🔐 Location-based access control Block or allow login attempts based on geolocation 🚨 Anomaly detection Alert if login is from a suspicious or unexpected location ✈️ Travel rule enforcement Restrict access to systems based on country/region 🧭 Device tracking Track lost/stolen devices or suspicious movement 🎭 Spoof detection Identify VPNs, proxies, or GPS spoofing in fraud attempts 📱 Common Uses in Real Life: Maps & directions Ride-sharing apps (Uber, Lyft) Location tagging in social media Retail & targeted ads Emergency services (e.g., 911 location) ⚠️ Privacy Concerns: Can be used for tracking without consent Many apps collect more location data than necessary Must comply with privacy laws (e.g. GDPR, CCPA) 🔐 Best practice: Only collect what you need, and encrypt/store it responsibly. 🎯 TL;DR: Geolocation = your device saying “Here I am!” Crucial for navigation, security, and customization — but with serious privacy stakes.

Answer 171

🧵 grep Command – What It Is grep stands for Global Regular Expression Print. It's a powerful command-line utility used in Unix/Linux to search for patterns in text files or output streams. 🧠 In Plain Terms: grep = text detective. It finds lines that match a pattern — fast, flexible, and regex-friendly. 📦 Basic Syntax: bash Copy Edit grep [options] 'pattern' [file...] 🔍 Common Use Cases: Command What It Does grep "error" logfile.txt Finds all lines with “error” in logfile.txt `ps aux grep nginx` grep -i "login" auth.log Case-insensitive search for "login" grep -r "password" /etc/ Recursively search for "password" in /etc/ grep -v "debug" Shows lines that do NOT contain “debug” grep -n "timeout" Shows matching lines with line numbers `grep -E "fail error"` 🔧 Key Options: Option Meaning -i Ignore case -r Recursive through directories -v Invert match (show non-matching lines) -n Show line numbers -E Use extended regex (like egrep) -c Count matching lines -l List filenames with matches -A 3 Show 3 lines after each match -B 2 Show 2 lines before each match 🧪 Real-World Example: bash Copy Edit grep -i "unauthorized" /var/log/auth.log ✅ Checks for case-insensitive matches of the word "unauthorized" in your authentication log — useful in forensic and security checks. 🎯 TL;DR: grep = the Swiss Army knife of text search. It hunts down patterns, logs, and errors like a pro — one line at a time.

Answer 172

👥 Group Account – What It Is A group account refers to a shared user identity or a collection of user accounts that are assigned the same access rights or permissions within a system. Depending on context, the term can mean two different things: 🧭 1. Group Account (in Access Control / OS Permissions) A group that multiple user accounts are part of — used to manage access efficiently. 🛠 Example: In Linux: Group: developers Users: alice, bob, carol → All inherit same file permissions In Windows: Group: HR Assigned permissions to folders, apps, printers Users in that group automatically get those rights ✅ Benefits: Scalable access management Consistency in permissions Faster onboarding/offboarding (just add/remove users from the group) 👤 2. Group Account (Shared Login) — Less secure A single login shared by multiple people (e.g., "frontdesk", "intern", or "admin"). ❌ Security Risks: No individual accountability Difficult to audit actions Non-compliant with many security frameworks (e.g., PCI DSS, NIST) Risk of password leaks or abuse 🔐 Best Practice: Good Bad ✅ Use group membership to manage permissions ❌ Avoid shared logins (group identities) ✅ Assign roles via security groups ❌ Don't reuse admin credentials ✅ Enable logging per user ❌ Shared accounts = no individual audit trail 🎯 TL;DR: Group account = either a permission group or a shared login. Use groups to grant access. Avoid shared logins unless there's a rock-solid reason — and even then, log everything.

Answer 173

🏛️ Group Policy Object (GPO) – What It Is A Group Policy Object (GPO) is a collection of settings in Windows environments that allows administrators to control the behavior of user accounts and computers across a domain. 🧠 In Plain Terms: GPO = the rulebook pushed out to Windows machines from the domain controller. It tells them what they can, can’t, and must do. 📦 What You Can Control with GPO: Category Examples 🔐 Security settings Password complexity, account lockout, firewall rules 🖥️ Desktop environment Disable control panel, hide taskbar options, set wallpaper 🚫 Software restrictions Block apps (e.g., cmd.exe, PowerShell), prevent USB use 🔄 Startup/shutdown scripts Automate actions at login/logout 🧑‍💻 User rights Who can log on locally, access via RDP, shut down the system 📦 Software deployment Automatically install/uninstall applications 🧭 Where GPOs Live: Domain GPOs: Managed in Active Directory by sysadmins Local GPOs: Apply only to individual machines (e.g., a standalone PC) 🧱 GPO Structure: Part Description GPO The rule set itself Group Policy Container (GPC) Stored in Active Directory (logical part) Group Policy Template (GPT) Stored on disk (\\domain\SYSVOL) – actual files/scripts 🧩 Applied To: OUs (Organizational Units) Sites Domains Admins can link GPOs to any of these containers and use inheritance to apply policies across large groups of users or devices. ⚠️ Cybersecurity Use Cases: Threat GPO Defense 🐛 Lateral movement Disable admin shares and unused protocols via GPO 📥 USB exfiltration Block USB ports via device installation restrictions 🪪 Phishing risks Enforce MFA and limit password reuse policies 💣 Ransomware Disable macro scripts in Office, restrict PowerShell versions 🎯 TL;DR: GPO = centralized command and control for Windows devices. It’s how sysadmins lock things down, roll out rules, and enforce security at scale.

Answer 174

The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.

Answer 175

A Hardware Security Module (HSM) is a tamper-resistant physical device used to securely generate, store, and manage cryptographic keys. It’s like a digital Fort Knox for secrets. 🔐 TL;DR: HSM = A vault for encryption keys. It generates keys. It stores them securely. It performs cryptographic operations inside the device, so the keys never leave. 💡 What does an HSM do? Key Generation – Makes strong encryption keys using true random number generators. Key Storage – Stores them in hardware, not in software memory (far harder to steal). Encryption/Decryption – Performs cryptographic functions like signing or verifying. Access Control – Requires authenticated access (e.g., PINs, tokens, biometrics). Tamper Evidence/Resistance – Physically self-destructs or wipes keys if tampered with. 🔧 Common Use Cases Banking – Protecting PINs, credit card info, transaction signing. PKI (Public Key Infrastructure) – Storing root CA private keys. Cloud Services – AWS CloudHSM, Azure Key Vault with HSM-backed keys. Authentication – Protecting secrets used in token generation or certificate signing. Blockchain – Securing wallets and signing transactions. 🧱 HSM vs TPM vs Smartcard Device Primary Use Scope HSM Enterprise-grade crypto Servers, networks TPM System integrity, disk encrypt PC/laptop hardware Smartcard User authentication Personal ID, tokens

Answer 176

A Hash-Based Message Authentication Code (HMAC) is a cryptographic technique used to verify both the integrity and authenticity of a message. 🧠 TL;DR: HMAC = Hash + Secret Key = Trustworthy Message Check It ensures: The message hasn’t been tampered with (integrity ✅) The message came from someone who knows the secret key (authenticity ✅) 🔐 How it works: Sender and receiver share a secret key. Sender computes: ini Copy Edit HMAC = Hash(secret_key + message) Receiver does the same and compares: If HMACs match → Message is trusted. If not → Message was altered or came from an imposter. 📦 Example in Action: Let’s say you send an API request: Payload: {"amount":100} HMAC: sha256(key + payload) The server checks the HMAC. If it doesn’t match, it rejects the message—someone might have modified it. 🔁 HMAC vs Plain Hash: Hash HMAC Input Just data Data + secret key Output Hash only Authentication tag Secure? No auth Provides auth & integrity Tamper Check ❌ ✅ ✅ Common Algorithms: HMAC-SHA256 ← most widely used HMAC-SHA1 HMAC-SHA512 🔧 Used In: TLS/SSL – Secure web traffic IPsec – VPN security JWTs – Signed tokens APIs – Verifying requests Disk encryption tools – Key derivation

Answer 177

🧠 TL;DR: Hashcat = GPU-powered password hash cracker It takes a hashed password and tries to guess the original password using various techniques. 🔓 What Hashcat Does: You give it: A hash (like an MD5/SHA256 of a password) A wordlist, ruleset, or attack method Hashcat: Runs through guesses at insane speeds (especially with GPUs) Compares the hash of each guess with the target If matched → Cracked ✅ 💥 Key Features: Supports GPU acceleration (NVIDIA/AMD) Handles 150+ hash types: MD5, SHA1, SHA256, NTLM, bcrypt, PBKDF2, WPA2, etc. Works on Linux, Windows, macOS Extremely customizable: rules, masks, hybrid attacks, and more 🧨 Attack Modes: Mode Description Dictionary Try each word from a list Brute-force Try every possible combination Mask Use patterns (e.g. ?l?l?l?d?d!) Hybrid Combine wordlists + masks Rule-based Modify words (add digits, capitalize) Combinator Mix and match words from two lists ⚠️ Legal Use Only Hashcat is legal for ethical hacking, red teaming, and password recovery, but illegal if used to attack systems without permission. Always have explicit authorization.

Answer 178

A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output. Also known as message digest.

Answer 179

The head command in Unix/Linux is used to display the first few lines of a file. By default, it shows the first 10 lines. 🧪 Use Cases: Quick preview of large log files Checking CSV headers Debugging script output Inspecting data files

Answer 180

In a Wi-Fi site survey, a diagram showing signal strength at different locations.

Answer 181

Heuristic analysis is a detection technique used in cybersecurity (especially in antivirus and intrusion detection systems) to identify previously unknown threats by analyzing behavior, structure, or patterns—not just known signatures. 🧠 TL;DR: Heuristic analysis = Smart guessing based on behavior and clues. Instead of asking “Is this malware on the known list?”, it asks: “Does this look or act like malware?” 🔬 How It Works: Code Emulation: The system runs the file in a virtual sandbox and watches what it tries to do. Does it try to rewrite system files? Does it open a network connection to a sketchy IP? Static Analysis: It scans the code without executing it. Suspicious function calls? Obfuscated code or known bad structures? Rule Matching: Uses pre-defined rules or AI/ML models to assign a risk score. 🔥 Example: A new executable tries to: Disable antivirus Inject code into system processes Create a hidden startup task Even if this file isn’t in the virus database, heuristic analysis flags it as suspicious. ✅ Pros: Detects zero-day threats Finds polymorphic or mutated malware Doesn’t rely on known signatures ❌ Cons: Can lead to false positives Needs tuning to balance sensitivity and accuracy 🧱 Used In: Antivirus and anti-malware software Endpoint Detection and Response (EDR) Intrusion Detection Systems (IDS) Email filters (detecting phishing attempts)

Answer 182

The property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.

Answer 183

An HMAC-based One-Time Password (HOTP) is a time-independent algorithm used for generating one-time passwords based on a shared secret key and a counter. It’s a foundational piece of 2FA (Two-Factor Authentication) and OTP tokens. 🧠 TL;DR: HOTP = HMAC + Counter = Code that works once, then expires 🔐 How it works: Shared secret key (K) is known to both the client (e.g. a token app) and the server. Counter (C) increments every time a new code is requested. HOTP generates: mathematica Copy Edit HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) The output is a 6–8 digit one-time code. The code remains valid until used—it's not tied to the clock. 🕹️ Example Flow: You press a button on your hardware token or app. It generates a code like 837491. Server also computes the expected HOTP using the same secret key + counter. If the values match → Authenticated ✅ 🔁 Difference from TOTP: Feature HOTP TOTP Based on Counter Time (e.g., 30-second window) Expires? No (until used) Yes (usually every 30s) Use case Physical tokens, hardware Mobile apps (e.g., Google Auth) RFC RFC 4226 RFC 6238 🔐 Used In: Hardware tokens (e.g., RSA SecurID, YubiKey) 2FA systems VPN authentication Banking login devices

Answer 184

Homomorphic encryption is a type of encryption that allows computations to be performed directly on encrypted data without needing to decrypt it first. The result, when decrypted, is the same as if you'd operated on the plaintext. 🧠 TL;DR: Homomorphic Encryption = Math on locked boxes You can add, multiply, or process data while it's still encrypted—without ever opening the box. 🔐 Real-World Analogy: Imagine putting two numbers into locked boxes, giving them to someone, and they can: Add the two boxes Return a new locked box You unlock it and see the sum They never saw the numbers—but the math still worked. 🧮 Types of Homomorphism: Type Operations Allowed Example Partially One operation (e.g. only addition or only multiplication) RSA (multiplicative) Somewhat Limited operations before noise gets too big Early lattice schemes Fully (FHE) Unlimited operations Gentry’s scheme (2009), BFV, CKKS 🧠 Use Cases: Privacy-preserving cloud computing → Run queries on encrypted databases Secure machine learning → Model training on encrypted user data Electronic voting → Tally encrypted votes without decrypting individual ones Healthcare → Analyze encrypted patient data while preserving privacy Zero-trust systems → Delegate computation without giving away secrets ⚠️ Challenges: Very slow compared to normal operations High computational overhead Still mostly academic or niche production use (though progress is rapid) 🔧 Examples of Homomorphic Schemes: Paillier (additive homomorphism) ElGamal (multiplicative homomorphism) BFV, CKKS, BGV (modern FHE schemes based on lattices)

Answer 185

🐝 Honeypot vs Honeynet: What’s the Buzz? 🧠 TL;DR: Honeypot = A decoy system or resource designed to attract attackers so you can observe, study, and trap them. Honeynet = A network of honeypots, simulating a real network to analyze coordinated attacks and lateral movement. 🧨 Honeypot — “The Bait” A honeypot is a fake target: Might look like a vulnerable web server, a misconfigured database, or an unpatched workstation. It's isolated and monitored. Its only job is to attract attackers. 🔍 Why use it? Study attacker tools, techniques, and behavior (TTPs) Divert threats away from real systems Detect unauthorized access attempts 🕸️ Honeynet — “The Spiderweb” A honeynet is a network made of multiple honeypots: Mimics a full network with fake services (e.g. AD server, mail server, file shares) Enables deep behavioral analysis of: Internal recon Pivoting Persistence mechanisms ⚖️ Comparison Table Feature Honeypot Honeynet Scale Single decoy system Network of decoy systems Complexity Low to medium High Purpose Lure and monitor attacks Study full intrusion lifecycle Use case Detect port scanning, simple exploits Detect APTs, lateral movement Setup Easier Requires more planning & isolation 🚨 Warning: Both must be isolated from production systems to prevent attackers from using them as stepping stones. 🧰 Example Tools: Kippo / Cowrie – SSH honeypot Dionaea – Malware collection honeypot Honeyd – Simulates many types of systems MHN (Modern Honey Network) – Honeynet management

Answer 186

🧠 TL;DR: Horizontal privilege escalation = Becoming another regular user. You don’t gain more power—just access someone else’s stuff. 🔐 What is it? Horizontal privilege escalation is when an attacker: Starts as a low-level user, Then gains access to another user’s account at the same privilege level, But that account has different or sensitive data. 🚫 No admin rights needed—just the wrong mailbox, files, or records in the wrong hands. 🕷️ Real-World Scenarios: Bypassing session tokens to access another user's account Modifying user IDs in URLs (IDOR) → Insecure Direct Object Reference Tampering with cookies or JWTs to impersonate another user Accessing another patient’s health record in a poorly secured EHR system 🔓 Horizontal vs. Vertical Privilege Escalation: Type Description Example Horizontal Same level, different user data User A reads User B’s emails Vertical Lower to higher privilege level User becomes admin/root 🛡️ Prevention Tips: Enforce access control checks on every request Use secure session management Validate user ownership on all data access Implement role-based access control (RBAC) Log and monitor unusual access patterns

Answer 187

A software application running on a single host and designed to protect only that host. Also known as personal firewall.

Answer 188

A fully configured alternate network that can be online quickly after a disaster.

Answer 189

Arrangement of server racks to maximize the efficiency of cooling systems. Also known as cold/hot aisle.

Answer 190

Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).

Answer 191

A cloud deployment that uses both private and public elements.

Answer 192

dentity and Access Management (IAM) = The policies, tools, and technologies used to verify who you are (identity) and control what you can do (access). ✅ “Are you really Alice?” ✅ “Should Alice be allowed to open the vault?” 🔐 IAM = 2 Core Parts: Concept Description Example Identity Proving who you are Username + password, biometrics Access Controlling what you can access Files, databases, admin panels 🧱 Components of IAM: Identification – Username or unique ID Authentication – Verifying identity (password, token, MFA) Authorization – Granting permissions (what can you do?) Accounting – Logging and monitoring actions (audit trails) 🔧 Tools & Techniques: Feature Purpose Single Sign-On (SSO) One login for many apps Multi-Factor Authentication (MFA) Extra layer of login protection RBAC (Role-Based Access Control) Access by role (e.g., Manager vs Intern) Least Privilege Only the permissions you need Access Review / Recertification Regular cleanup of who can access what Federated Identity Trust identities from other orgs (e.g., Google login) 🔥 Why IAM Matters: Prevents unauthorized access Supports compliance (HIPAA, GDPR, PCI-DSS) Reduces insider threat risk Enables Zero Trust Architecture (“trust no one, verify always”) 🛡️ IAM in Security+ Context: Part of Domain 2: Identity & Access Management Covers: Directory services (e.g., LDAP, AD) Authentication protocols (Kerberos, RADIUS, SAML, OAuth) IAM policies and enforcement

Answer 193

🧠 TL;DR: Identity fraud = Someone pretending to be you to commit fraud They use your personal info to access money, benefits, or services you never authorized. 🕵️‍♂️ "Hello, I'm Jane Doe... Now hand me her tax refund, credit card, and medical coverage." 🔐 What Is Identity Fraud? It’s a form of identity theft where the stolen identity is actively used to: Open bank accounts or credit cards Take out loans or mortgages Commit healthcare fraud File fraudulent tax returns Access government benefits Even commit crimes under your name 🧱 Key Components: Element Example Stolen data Name, SSN, DOB, address, login creds Fraudulent use Applying for credit in your name Victim impact Ruined credit, debt, legal trouble 🚨 Common Types: Financial fraud (most common) Medical identity fraud (treatment billed in your name) Synthetic identity fraud (fake ID made from real + fake info) Criminal impersonation (arrested under your name) Child identity fraud (kids' SSNs misused—often undetected for years) 🕷️ How Identity Fraud Happens: Phishing emails Data breaches (Equifax, anyone?) Dumpster diving Stolen wallets or mail Public Wi-Fi sniffing Social engineering (pretending to be you on the phone) 🛡️ How to Protect Yourself: Use strong, unique passwords + MFA Shred documents with personal info Monitor credit reports (Equifax, Experian, TransUnion) Freeze your credit if needed Use identity monitoring services (some banks offer this for free) Be cautious on social media (no DOB, pet names, or hometowns) 🧾 If You're a Victim: Report to FTC via identitytheft.gov File a police report Contact affected banks and credit bureaus Place a fraud alert or credit freeze Document everything—create a recovery plan

Answer 194

ChatGPT said: 🧠 TL;DR: An Identity Provider (IdP) is a system or service that verifies your identity and issues authentication tokens so other systems can trust who you are—without making you log in again. 🪪 “Hey, I’m Google. I vouch for this user—let them in.” 🔐 What an Identity Provider Does: Authenticates users (username + password, MFA, biometrics) Issues identity assertions (tokens, SAML, OAuth, OpenID Connect) Manages identity lifecycle (create, update, disable accounts) Enables Single Sign-On (SSO) across apps 🧾 Example in Action: You try to access CoolApp.com. You click “Sign in with Google.” Google (the IdP) verifies your identity. Google sends a token to CoolApp proving you're authenticated. CoolApp logs you in without storing your password. 🧱 Common IdPs: IdP Notes Google SSO for many apps Microsoft Entra ID (formerly Azure AD) Enterprise identity provider Okta Cloud-based IAM/SSO provider Auth0 Developer-friendly IdP service Ping Identity Enterprise access management Facebook / Apple Social login IdPs 🧰 Protocols IdPs Use: Protocol Purpose SAML Enterprise SSO (XML-based) OAuth 2.0 Delegated access (not identity!) OpenID Connect Identity layer on top of OAuth2 LDAP / Kerberos Internal auth protocols 🌐 Related Terms: Relying Party (RP) = the app that trusts the IdP Federation = trust between multiple IdPs SSO = login once, access many services MFA = often enforced by the IdP Want a diagram, Security+ context, or to see how IdPs relate to Zero Trust Architecture or cloud access control? You said: identity provider in federated network ChatGPT said: 🧠 TL;DR: In a federated network, an Identity Provider (IdP) is the trusted authority that authenticates users within its domain and allows them to access resources across other domains—without needing to reauthenticate. 🔐 "Your home IdP vouches for you, so you're welcome here too." 🕸️ What’s a Federated Network? A federated identity system is when multiple organizations agree to trust each other's identity providers. Each org has its own IdP. Users can access external services using their internal credentials. Trust is established through standards and agreements, not shared databases. 🧾 Example: You work at University A. You want to use Library B's journal system. Instead of creating a new login: You choose “Login via your institution.” Select University A. University A’s IdP authenticates you. It sends a SAML assertion to Library B. You’re granted access based on the trust relationship. This is federation in action. 🧱 Identity Provider in Federated Systems: Role What It Does IdP (Identity Provider) Authenticates the user and vouches for their identity SP (Service Provider) Relies on the IdP’s assertion to grant access In some protocols, the SP is called the Relying Party (RP). 🔧 Standards That Make It Work: Protocol Description SAML 2.0 Widely used in enterprise federation OAuth 2.0 Delegated access (e.g., API tokens) OpenID Connect Identity layer over OAuth2 WS-Federation Microsoft-based federation 🔐 Benefits of Federated Identity: Fewer passwords to manage Seamless user experience across orgs Centralized user management Supports SSO and MFA consistently Crucial for Zero Trust and cloud access control 🌍 Real-World Examples: eduGAIN / InCommon (universities worldwide) GSuite federation with third-party apps Azure AD B2B federation with partner companies AWS IAM Identity Center supporting external IdPs

Answer 195

A standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication. 🔐 IEEE 802.1X — Explained in Plain English IEEE 802.1X is a port-based network access control method. Think of it as a security bouncer standing at each network port or Wi-Fi connection, checking IDs before letting devices onto the network. --- 🧠 How it Works (Three Characters in a Mini-Play): 1. Supplicant = The device (e.g., your laptop) trying to connect. 2. Authenticator = The network switch or Wi-Fi access point (the gatekeeper). 3. Authentication Server = Usually a RADIUS server that says "yes" or "no" after checking credentials. --- 🎬 Step-by-Step Flow: 1. Supplicant plugs in or connects. 2. The port is blocked (only allows 802.1X traffic at this point). 3. The Authenticator asks for credentials. 4. The Supplicant sends credentials to the Authenticator, which passes them to the Authentication Server. 5. If the server approves → full network access is granted. 6. If denied → no access granted. --- 🔒 What It Secures: Prevents unauthorized devices from joining the network—even if they plug in directly. Works with wired and wireless networks. Often used with certificates or usernames/passwords (EAP-TLS, PEAP, etc.). --- 🛑 What It Doesn't Do: It does not physically disable the port (like yanking the cable). It does not work alone—you need a RADIUS server and supporting infrastructure. It is more complex to set up than simpler methods like MAC filtering. --- TL;DR: IEEE 802.1X = Digital gatekeeper. It lets only authenticated users through the port, but the port is still "electrically alive" unless explicitly shut down. Great for secure environments, but not as absolute as physically unplugging a cable. 📘 IEEE 802 Security+ Cheat Sheet Standard - What It Covers - Why It Matters 802.1X - Port-based network access control -Controls device access to networks (wired/wireless) 802.11 -Wireless LAN (Wi-Fi) - Underpins WPA2, WPA3, and wireless security 802.3 - Ethernet (wired LAN) - Shows up in network architecture, not security directly 802.1Q - VLAN tagging - Supports network segmentation (Defense in Depth) 802.1D - Spanning Tree Protocol (STP) - Prevents Layer 2 switching loops (availability + resilience) 802.1AE - MACsec (Media Access Control Security) - Encrypts traffic at Layer 2 (rare but shows up in Zero Trust)

Answer 196

🧠 TL;DR: Implicit deny = “If it’s not explicitly allowed, it’s automatically denied.” It’s a default security stance: silence = rejection. 🛑 “We didn't say you could? Then you can't.” 🔐 What Is Implicit Deny? In access control systems (firewalls, ACLs, IAM policies), implicit deny means: Only actions that are explicitly allowed are permitted. Everything else is denied by default—even if no rule says "deny." 🧱 Where You’ll See It: System Example Firewalls No rule for port 3389? → Blocked automatically Access Control Lists (ACLs) No entry for user X? → Access denied IAM Policies (e.g., AWS) Not explicitly granted → Denied by default 802.1X No credentials presented → No network access 🛡️ Why It Matters: It’s a security best practice: Least privilege by default. Prevents accidental access when admins forget to add a rule. Forces intentional permission setting. 🧪 Real-World Analogy: You run a nightclub. Only people on the list get in. If someone shows up and isn’t on the list, you don’t need a “deny” rule. They just don’t get in. That’s implicit deny.

Answer 197

Specific procedures that must be performed if a certain type of event is detected or reported.

Answer 198

🧠 TL;DR: Incremental backup = Only backs up data that changed since the last backup (whether full or incremental). 💾 “Tell me what’s new since last time—nothing more.”

Answer 199

🧠 TL;DR: An Indicator of Compromise (IOC) is a forensic clue that shows a system might have been breached or attacked. 🕵️ “Footprints in the server logs = someone was here who shouldn’t be.” 🧱 What Counts as an IOC? IOCs are pieces of evidence—digital breadcrumbs—that help detect, track, or respond to threats. 🔍 Examples: IOC Type Example File hash SHA-256 of a known malware file IP address Outbound connection to a known malicious server Domain name Suspicious or newly registered domain Email artifacts Phishing email header or malicious link Registry changes Unknown autostart key for persistence Unusual traffic Sudden spikes to unknown geolocations New processes powershell.exe spawning from Excel System changes Disabled antivirus, altered host files 🧪 Why They Matter: Help detect intrusions early Support incident response and forensic analysis Enable threat intelligence sharing (via STIX/TAXII, etc.) 🔧 Tools That Use IOCs: SIEMs (e.g., Splunk, QRadar) EDR/XDR platforms Antivirus and threat hunting tools Firewall/IDS/IPS systems 🛡️ IOC vs IOA: Term Stands For Focus IOC Indicator of Compromise What happened IOA Indicator of Attack How it’s happening now IOC = Clue after the crime. IOA = Clue during the crime.

Answer 200

Methods of disguising the nature and purpose of buildings or parts of buildings.

Answer 201

🧠 TL;DR: An Industrial Control System (ICS) is a computer-based system used to monitor and control industrial processes, like power plants, water treatment, manufacturing lines, or oil pipelines. ⚙️ “It's the digital nervous system of the industrial world.” 🧱 Core ICS Components: Component Role SCADA Supervisory Control and Data Acquisition – controls widespread systems remotely (e.g. power grid) DCS Distributed Control System – controls localized systems (e.g. oil refinery, factory) PLC Programmable Logic Controller – rugged computers that control specific machines or sensors HMI Human-Machine Interface – screen/control panel operators use RTU Remote Terminal Unit – relays data to/from sensors over long distances ⚠️ ICS vs IT: Feature IT (Info Tech) ICS (Operational Tech) Focus Data integrity, confidentiality Availability and safety Update Cycle Frequent patching Updates rarely due to uptime demands Downtime Tolerance Acceptable Often zero tolerance 🛡️ ICS Security Concerns: Often run on legacy systems Air-gapped or isolated (but not always!) Vulnerable to attacks like: Stuxnet (targeted Iranian centrifuges) Industroyer (hit Ukraine power grid) TRITON (attacked safety systems in petrochemical plant) 🔐 Defending ICS: Use network segmentation and firewalls Limit remote access Deploy intrusion detection for OT protocols (like Modbus, DNP3) Follow NIST SP 800-82 – the ICS security bible

Answer 202

🧠 TL;DR: An Information Sharing and Analysis Center (ISAC) is a sector-specific hub that helps organizations share cyber threat intelligence and respond to emerging threats collaboratively. 🛰️ “Like a space station for threat info—each industry has its own orbit.” 🔐 What ISACs Do: Collect and share cybersecurity threats, vulnerabilities, and mitigation strategies Foster real-time collaboration between public and private sector entities Provide alerts, bulletins, and analysis tailored to a specific industry 🧱 Examples of ISACs: ISAC Name Sector FS-ISAC Financial Services MS-ISAC State, Local, Tribal Governments (U.S.) H-ISAC Health Sector E-ISAC Electricity Sector IT-ISAC Information Technology Auto-ISAC Automotive NG-ISAC Natural Gas There are dozens of ISACs, each tailored to critical infrastructure or key industries. 🔄 Who Participates? Private companies (banks, hospitals, utilities) Government agencies (e.g., DHS, FBI, NSA) Law enforcement International partners 📬 What They Share: IOCs (Indicators of Compromise) Zero-day vulnerabilities Tactics, Techniques, and Procedures (TTPs) Patch alerts and response guidance Sector-specific threat reports 🛡️ Why ISACs Matter: Promote early warning systems Help unify incident response efforts Enable cross-sector resilience Critical part of the NIST Cybersecurity Framework and CISA's national strategy

Answer 203

🧠 TL;DR: Infrastructure as a Service (IaaS) = Virtual hardware on demand Instead of buying physical servers, networking gear, and storage—you rent it all from the cloud. 🏗️ “You bring the software. We host the infrastructure.” 🧱 What IaaS Provides: Component Description Compute Virtual machines, CPU, RAM Storage Block/object storage (e.g., S3, Azure Blob) Networking Virtual switches, IPs, load balancers Firewalls Virtual security groups and ACLs You manage the OS, apps, and data. The cloud provider manages the hardware and virtualization layer. ☁️ IaaS Providers (Examples): Amazon EC2 (AWS) Microsoft Azure VMs Google Compute Engine IBM Cloud Infrastructure Oracle Cloud Infrastructure 🧩 IaaS vs PaaS vs SaaS: Layer IaaS PaaS SaaS You manage OS, apps, data Apps & data Just your usage Provider gives Servers, storage, networks Runtime, DB, app hosting Complete software Example AWS EC2, Azure VM Heroku, Google App Engine Google Workspace, Salesforce 🛡️ Why Use IaaS? Scalability – Spin up or down on demand Cost-effective – Pay-as-you-go model Disaster recovery – Fast redeployment in new regions Global reach – Data centers around the world 🧪 Security+ Relevance: Domain 3.7: Understand shared responsibility model You secure OS and above, provider secures physical & hypervisor

Answer 204

🧠 TL;DR: Infrastructure as Code (IaC) means managing and provisioning IT infrastructure (like servers, networks, databases) using code, not manual setup. 💾 “You write code to build the cloud, not click buttons in a GUI.” 🧱 What IaC Does: Automates infrastructure deployment Makes infrastructure version-controlled like software Enables repeatable, scalable, and error-free environments 🧰 Common IaC Tools: Tool Language Use Case Terraform HCL Cloud-agnostic provisioning AWS CloudFormation JSON/YAML AWS-native infrastructure Ansible YAML (Playbooks) Configuration + orchestration Puppet/Chef DSLs / Ruby Server config management Pulumi Python, TS, Go IaC using general-purpose languages 🔁 IaC Workflow: Write: Define infrastructure in code (YAML, HCL, etc.) Plan: See what changes will happen Apply: Provision the infrastructure Track: Version changes, roll back if needed 🛡️ Benefits: Speed: Deploy full environments in minutes Consistency: No "works on my machine" issues Version Control: Track changes with Git Scalability: Easily replicate infrastructure Disaster Recovery: Rebuild infra from code after failure ☁️ Security+ Relevance: Domain 3.7 (Cloud & Virtualization Concepts) IaC is often part of DevSecOps pipelines Can help enforce secure configurations by default

Answer 205

🧠 TL;DR: Inherent risk is the level of risk that exists before you apply any controls or safeguards. ⚠️ “How risky is this thing by default—if we did nothing to stop it?” 🧱 Definition: Inherent Risk = Raw risk The natural level of risk based on the activity itself, without accounting for mitigations like firewalls, encryption, or policies. 📉 Compared To: Term What It Means Inherent Risk Risk before controls Residual Risk Risk remaining after controls are applied Control Risk Risk that controls might fail to work properly 🔍 Example: Let’s say you store credit card info in a database. Inherent risk: High — valuable data + frequent attack target Controls added: Encryption, access control, auditing Residual risk: Medium to low — after safeguards are in place 🛡️ Why It Matters: Helps determine where to prioritize defenses Critical for risk assessments and compliance audits Shows how exposed you’d be in a worst-case scenario

Answer 206

A wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.

Answer 207

An industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.

Answer 208

Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.

Answer 209

Coding vulnerability where unvalidated input is used to select a resource object, such as a file or database. 1

Answer 210

A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.

Answer 211

An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.

Answer 212

The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.

Answer 213

In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.

Answer 214

Any federal agency interconnecting its IT system to a third-party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commit the agency and supplier to implementing security controls.

Answer 215

A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.

Answer 216

A comprehensive set of standards for enterprise risk management.

Answer 217

Framework for creating a Security Association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data.

Answer 218

A set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet.

Answer 219

A private network that is only accessible by the organization's own personnel.

Answer 220

A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.

Answer 221

An IDS that can actively block attacks.

Answer 222

Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.

Answer 223

Standards-based version of the Netflow framework.

Answer 224

An attack in which radio waves disrupt 802.11 wireless signals.

Answer 225

The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.

Answer 226

A hardened server that provides access to other hosts. Also known as jumpbox.

Answer 227

A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.

Answer 228

Malicious software or hardware that can record user keystrokes.

Answer 229

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.

Answer 230

The process by which an attacker is able to move from one part of a computing environment to another.

Answer 231

VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.

Answer 232

An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input.

Answer 233

A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

Answer 234

An analysis of events that can provide insight into how to improve response processes in the future. Also known as after action report or AAR.

Answer 235

Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.

Answer 236

A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.

Answer 237

A method of implementing LDAP using SSL/TLS encryption.

Answer 238

Cisco Systems' proprietary EAP implementation.

Answer 239

A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

Answer 240

Linux utility that writes data to the system log.

Answer 241

A malicious program or script that is set to run under particular circumstances or in response to a defined event.

Answer 242

If broadcast traffic is allowed to continually loop around a network, the number of broadcast packets increases exponentially, crashing the network. Loop protection in switches (such as Spanning Tree Protocol), and in routers (Time To Live for instance) is designed to prevent this.

Answer 243

Proving the integrity and authenticity of a message by combining its hash with a shared secret.

Answer 244

A variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses.

Answer 245

Third-party provision of security configuration and monitoring as an outsourced service.

Answer 246

A category of security control that gives oversight of the information system.

Answer 247

Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).

Answer 248

The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.

Answer 249

In threat hunting, the concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.

Answer 250

An attack when the web browser is compromised by installing malicious plug-ins or scripts, or intercepting API calls between the browser process and DLLs.

Answer 251

A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

Answer 252

A secure entry system with two gateways, only one of which is open at any one time.

Answer 253

The longest period of time a business can be inoperable without causing irrevocable business failure.

Answer 254

The rating on a device or component that predicts the expected time between failures.

Answer 255

The average time a device or component is expected to be in operation.

Answer 256

The average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.

Answer 257

A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.

Answer 258

Evaluates the data collection and statistical methods used by a quality management process to ensure they are robust.

Answer 259

An attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface. Also known as MAC spoofing.

Answer 260

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

Answer 261

Linux utility developed as part of the Coroner's Toolkit to dump system memory data to a file.

Answer 262

Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

Answer 263

A software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.

Answer 264

A cryptographic hash function producing a 128-bit output.

Answer 265

Information stored or recorded as a property of an object, state of a system, or transaction.

Answer 266

A software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.

Answer 267

A type of RAID that using two hard disks, providing the simplest way of protecting a single disk against failure. Data is written to both disks and can be read from either disk.

Answer 268

A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

Answer 269

Enterprise management function that enables control over apps and storage for mobile devices and other endpoints.

Answer 270

The process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure.

Answer 271

Implementation of a block symmetric cipher, with some modes allowing secure encryption of a stream of data, with or without authentication for each block.

Answer 272

Cloud service providing ongoing security and availability monitoring of on-premises and/or cloud-based hosts and services.

Answer 273

A cloud deployment model where the cloud consumer uses multiple public cloud services.

Answer 274

An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.

Answer 275

Extension to SMS allowing digital data (picture, video, or audio) to be sent over a cellular data connection.

Answer 276

Overprovisioning controllers and cabling so that a host has failover connections to storage media.

Answer 277

Developed by Cisco from ATM as a means of providing traffic engineering (congestion control), Class of Service,

Answer 278

Developed by Cisco from ATM as a means of providing traffic engineering (congestion control), Class of Service, and Quality of Service within a packet switched, rather than circuit switched, network.

Answer 279

Low-power cellular networks designed to provide data connectivity to IoT devices.

Answer 280

Utility for reading and writing raw data over a network connection. Also known as netcat.

Answer 281

A standard for peer-to-peer (2-way) radio communications over very short (around 4") distances, facilitating contactless payment and similar technologies. NFC is based on RFID.

Answer 282

One of the best-known commercial vulnerability scanners, produced by Tenable Network Security. Also known as Tenable.

Answer 283

A Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.

Answer 284

A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

Answer 285

A routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.

Answer 286

Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.

Answer 287

Advances in firewall technology, from app awareness, user-based filtering, and intrusion prevention to cloud inspection. Also known as layer 7 firewall.

Answer 288

Versatile port scanner used for topology, host, service, and OS discovery and enumeration.

Answer 289

An arbitrary number used only once in a cryptographic communication, often to prevent replay attacks.

Answer 290

An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.

Answer 291

The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.

Answer 292

A routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.

Answer 293

A challenge-response authentication protocol created by Microsoft for use in its products.

Answer 294

Software optimized for multiplatform log collection and aggregation.

Answer 295

A technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.

Answer 296

Numeric schema used for attributes of digital certificates.

Answer 297

The process of ensuring that all HR and other requirements are covered when an employee leaves an organization. Also known as exit interview.

Answer 298

In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise.

Answer 299

The process of bringing in a new employee, contractor, or supplier.

Answer 300

Allows clients to request the status of a digital certificate, to check whether it is revoked.

Answer 301

Standards for implementing device encryption on storage devices.

Answer 302

Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.

Answer 303

A charity and community publishing a number of secure application development resources.

Answer 304

An authentication layer that sits on top of the OAuth 2.0 authorization protocol.

Answer 305

Publicly available information plus the tools used to aggregate and search it.

Answer 306

A category of security control that is implemented by people.

Answer 307

A communications network designed to implement an industrial control system rather than data networking.

Answer 308

The automation of multiple steps in a deployment process.

Answer 309

The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.

Answer 310

Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.

Answer 311

A firmware update delivered on a cellular data connection.

Answer 312

A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.

Answer 313

A test that uses active tools and security utilities to evaluate security by simulating an attack on a system. A pen test will verify that a threat exists, then will actively test and bypass security controls, and will finally exploit vulnerabilities on the system. Also known as pentest.

Answer 314

Mechanism for encoding characters as hexadecimal values delimited by the percent sign.

Answer 315

A characteristic of transport encryption that ensures if a key is compromised the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions.

Answer 316

The ability of a threat actor to maintain covert access to a target host or network.

Answer 317

In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.

Answer 318

A smart card that meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electronic authentication of the card's owner.

Answer 319

Windows file format for storing a private key and certificate data. The file can be password-protected.

Answer 320

Data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them).

Answer 321

An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.

Answer 322

A type of email-based social engineering attack, in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

Answer 323

A type of security control that acts against in-person intrusion attempts.

Answer 324

A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

Answer 325

A computing method that uses the cloud to provide any platform-type services.

Answer 326

A checklist of actions to perform to detect and respond to a specific type of incident

Answer 327

Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks.

Answer 328

A software vulnerability that can occur when code attempts to read a memory location specified by a pointer, but the memory location is null. Also known as dereferencing.

Answer 329

A point-to-point topology is one where two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes. Also known as Point-to-point.

Answer 330

A process in which a router takes requests from the Internet for a particular application (such as HTTP) and sends them to a designated host on the LAN. Also known as destination network address translation or DNAT.

Answer 331

Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch. Also known as switched port analyzer or SPAN.

Answer 332

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

Answer 333

A switch (or router) that performs some sort of authentication of the attached device before activating the port.

Answer 334

Anticipating challenges to current cryptographic implementations and general security issues in a world where threat actors have access to significant quantum processing capability.

Answer 335

Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.

Answer 336

Advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.

Answer 337

A command shell and scripting language built on the .NET Framework.

Answer 338

Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

Answer 339

Base64 encoding scheme used to store certificate and key data as ASCII text.

Answer 340

A cloud that is deployed for use by a single entity.

Answer 341

In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.

Answer 342

The use of authentication and authorization mechanisms to provide an administrator with centralized or decentralized control of user and group role-based privilege management.

Answer 343

The practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.

Answer 344

A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.

Answer 345

EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.

Answer 346

Information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results.

Answer 347

In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.

Answer 348

A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance. Also known as forward proxy. -- It’s called a proxy firewall because it acts as a middleman — or proxy — between your device and the internet. --- 🧠 TL;DR: > A proxy firewall hides your identity and inspects your data. It fetches data on your behalf and returns it to you, after checking it. --- 🔍 Why “Proxy”? You: “Hey, I want to access example.com” Proxy Firewall: “Cool, I’ll go get it for you. But first, I’ll scan it to make sure it’s clean.” Server: Never sees you directly — only the proxy. So: You → proxy firewall → internet Internet → proxy firewall → you Your real identity (like IP address) is shielded. --- 🔐 Benefits: ✅ Description Hides your IP Makes your system less targetable Deep inspection Can scan requests, URLs, files, etc. Filters per user or app Can block certain websites or detect malware Logging and caching Tracks usage and can reduce redundant traffic --- 🧪 Analogy: > A proxy firewall is like a personal assistant who screens all your calls and emails: Only clean, safe, relevant stuff gets through. 📡 Forward Proxy (Client-Side) > Think: "I want to browse, but I don’t want websites to know it’s me." Hides the user from the internet Makes web requests on behalf of the user Common in schools, corporations, or privacy tools (like Tor) 🧪 Analogy: > You ask a friend to go buy something embarrassing from the store so the cashier doesn’t know it’s for you. 🛡️ Use Cases: Block certain websites (e.g., YouTube at work) Bypass geo-restrictions Anonymity

Answer 349

Removing personal information from a data set to make identification of individuals difficult, even if the data set is combined with other sources.

Answer 350

A cloud that is deployed for shared use by multiple independent tenants.

Answer 351

During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.

Answer 352

Format that allows a private key to be exported along with its digital certificate.

Answer 353

Series of standards defining the use of certificate authorities and digital certificates.

Answer 354

Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.

Answer 355

A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.

Answer 356

In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.

Answer 357

High-level programming language that is widely used for automation.

Answer 358

Policies, procedures, and tools designed to ensure defect-free development and delivery.

Answer 359

A risk analysis method that uses opinions and reasoning to measure the likelihood and impact of risk.

Answer 360

Systems that differentiate data passing over the network that can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS). Also known as CoS.

Answer 361

A risk analysis method that is based on assigning concrete values to factors.

Answer 362

Using quantum computing for cryptographic tasks, such as distributing keys or cracking (traditional) cryptographic systems. Quantum computing works on the principle that its units (qubits) have more properties than the bits used in "classical" computers, notably (and very crudely) that a qubit can have a probability of being 1 or 0 and that inspecting the value of one qubit can instantly determine that of others (entanglement).

Answer 363

A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

Answer 364

Tool for speeding up attacks against Windows passwords by precomputing possible hashes.

Answer 365

A type of password attack where an attacker uses a set of related plaintext passwords and their hashes to crack passwords.

Answer 366

Open-source platform producing programmable circuit boards for education and industrial prototyping.

Answer 367

A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.

Answer 368

Opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).

Answer 369

In PKI, an account or combination of accounts that can copy a cryptographic key from backup or escrow and restore it to a subject host or user.

Answer 370

The longest period of time that an organization can tolerate lost data being unrecoverable.

Answer 371

The length of time it takes after an event to resume normal business operations and activities.

Answer 372

The "hostile" or attacking team in a penetration test or incident response exercise.

Answer 373

Specifications that support redundancy and fault tolerance for different configurations of multiple-device storage systems.

Answer 374

A group of characters that describe how to execute a specific search pattern on a given text.

Answer 375

In PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests.

Answer 376

Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.

Answer 377

A standard protocol used to manage remote and wireless authentication infrastructures.

Answer 378

Using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDoS.

Answer 379

An attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.

Answer 380

Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).

Answer 381

Risk that remains even after controls are put into place.

Answer 382

Dictates for how long information needs to be kept available on backup and archive systems. This may be subject to legislative requirements.

Answer 383

A type of proxy server that protects servers from direct contact with client requests. __ 🏰 Reverse Proxy (Server-Side) > Think: "I’m a website and want to hide my servers behind a shield." Hides the server from clients Clients send requests to the reverse proxy → it fetches data from actual server Used in load balancing, SSL termination, WAFs, and CDNs 🧪 Analogy: > You visit a company HQ and speak to a receptionist. The receptionist forwards your request to the right department — but you never see the departments directly. 🛡️ Use Cases: Load balance across multiple backend servers Protect internal server IPs Caching and compression Web Application Firewalls (WAF)

Answer 384

A maliciously spawned remote command shell where the victim host opens the connection to the attacking host.

Answer 385

Platform-independent advanced messaging functionality designed to replace SMS and MMS.

Answer 386

The response of determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring is needed.

Answer 387

In risk mitigation, the practice of ceasing activity that presents risk.

Answer 388

In risk mitigation, the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Also known as risk reduction.

Answer 389

A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department 1 for reference by stakeholders. 2

Answer 390

The response of reducing risk to fit within an organization's risk appetite.

Answer 391

A document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.

Answer 392

In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.

Answer 393

In ESA, a framework that uses risk assessment to prioritize security control selection and investment.

Answer 394

Named for its designers, Ronald Rivest, Adi Shamir, and Len Adelman, the first successful algorithm for public key encryption with a variable key length and block size.

Answer 395

A remote-controlled or autonomous robot capable of patrolling site premises or monitoring gateways.

Answer 396

An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.

Answer 397

In PKI, a CA that issues certificates to intermediate CAs in a hierarchical structure.

Answer 398

A class of malware that modifies system files, often at the kernel level, to conceal its presence.

Answer 399

A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.

Answer 400

Rules that govern how routers communicate and forward traffic between networks.

Answer 401

A nondiscretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privileges permissions policy.

Answer 402

An automated version of a playbook that leaves clearly defined interaction points for human analysis.

Answer 403

A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to ("salting") each plaintext input.

Answer 404

A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited.

Answer 405

The process of thorough and completely removing data from a storage medium so that file remnants cannot be recovered.

Answer 406

The property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.

Answer 407

Utility that runs port scans through third-party websites to evade detection.

Answer 408

A dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.

Answer 409

An inexperienced, unskilled attacker that typically uses tools or scripts created by others.

Answer 410

A UEFI feature that prevents unwanted processes from executing during the boot operation.

Answer 411

A method of sanitizing a drive using the ATA command set.

Answer 412

A secure version of the File Transfer Protocol that uses a Secure Shell (SSH) tunnel as an encryption method to transfer, access, and manage files.

Answer 413

A cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2.

Answer 414

A remote administration and file-copy program that supports VPNs by using port forwarding, and that runs on TCP port 22.

Answer 415

A protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header.

Answer 416

An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.

Answer 417

An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.

Answer 418

A computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security.

Answer 419

An XML-based data format used to exchange authentication information between a client and a service.

Answer 420

A NIST framework that outlines various accepted practices for automating vulnerability scanning.

Answer 421

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

Answer 422

The value assigned to an account by Windows and that is used by the operating system to identify that account.

Answer 423

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

Answer 424

A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

Answer 425

Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.

Answer 426

A portion of a network where all attached hosts can communicate freely with one another.

Answer 427

A disk drive where the controller can automatically encrypt data that is written to it.

Answer 428

A digital certificate that has been signed by the entity that issued it, rather than by a CA.

Answer 429

Devising an AI/ML algorithm that can describe or classify the intention expressed in natural language statements.

Answer 430

A concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

Answer 431

Developed from parallel SCSI, SAS represents the highest performing hard disk interface available.

Answer 432

A digital certificate that guarantees the identity of e-commerce sites and other websites that gather and store confidential information.

Answer 433

A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.

Answer 434

In a web application, input data that is executed or validated as part of a script or process running on the server.

Answer 435

A host or network account that is designed to run a background service, rather than to log on interactively.

Answer 436

Operating procedures and standards for a service contract.

Answer 437

SSID = Service Set Identifier It’s the name of a Wi-Fi network that devices see when they scan for available wireless connections. > Think of it as the “network name on the menu” your device picks from when connecting to Wi-Fi.

Answer 438

A software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.

Answer 439

A scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question. Also known as source IP affinity.

Answer 440

A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.

Answer 441

Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.

Answer 442

Web standard for using sampling to record network traffic statistics.

Answer 443

Computer hardware, software, or services used on a private network without authorization from the system owner.

Answer 444

An account with no credential (guest) or one where the credential is known to multiple persons.

Answer 445

Lightweight block of malicious code that exploits a software vulnerability to gain initial access to a victim system.

Answer 446

The process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.

Answer 447

A social engineering tactic to obtain someone's password or PIN by observing him or her as he or she types it in.

Answer 448

A network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.

Answer 449

Protocol for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.

Answer 450

An XML-based web services protocol that is used to exchange messages.

Answer 451

Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.

Answer 452

The amount that would be lost in a single occurrence of a particular risk factor.

Answer 453

A component or system that would cause a complete interruption of a service if it failed.

Answer 454

An authentication

Answer 455

A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

Answer 456

A device similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.

Answer 457

A utility meter that can submit readings to the supplier without user intervention.

Answer 458

A form of phishing that uses SMS text messages to trick a victim into revealing information.

Answer 459

Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites.

Answer 460

A computing method that uses the cloud to provide application services to users.

Answer 461

APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.

Answer 462

APIs for reporting configuration and state data for automated monitoring and alerting.

Answer 463

Coding resources provided by a vendor to assist with development projects that use their platform or API.

Answer 464

A spam attack that is propagated through instant messaging rather than email.

Answer 465

STP Trees = Prevent loops at the switch level (physical/logical topology) A switching protocol that prevents network loops by dynamically disabling links as needed. Purpose: Prevent loops in Ethernet networks. Tree: One Root Bridge at the top; all other switches connect via the best path. Analogy: Like a train system choosing the safest and most efficient tracks.

Answer 466

An email-based or web-based form of phishing which targets specific individuals.

Answer 467

VPN configuration where only traffic for the private network is routed via the VPN gateway.

Answer 468

Applying consistent names and labels to assets and digital resources/identities within a configuration management system.

Answer 469

Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder.

Answer 470

A type of threat actor that is supported by the resources of its host country's military and security services. Also known as nation state actor.

Answer 471

Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.

Answer 472

A small chip card that identifies the user and phone number of a mobile device, via an International Mobile Subscriber Identity (ISMI).

Answer 473

A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.

Answer 474

In EAP architecture, the device requesting access to the network.

Answer 475

A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.

Answer 476

A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

Answer 477

A processor that integrates the platform functionality of multiple logical controllers onto a single chip.

Answer 478

Analysis of historical cyberattacks and adversary actions.

Answer 479

Linux utility for showing the last lines in a file.

Answer 480

Social engineering technique to gain access to a building by following someone who is unaware of their presence.

Answer 481

Tape media provides robust, high-speed, high-capacity backup storage. Tape drives and autoloader libraries can be connected to the SATA and SAS buses or accessed via a SAN.

Answer 482

A command-line packet sniffing utility.

Answer 483

A command-line utility that replays packets saved to a file back through a network adapter.

Answer 484

A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.

Answer 485

A mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.

Answer 486

An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.

Answer 487

A hardware device inserted into a cable to copy frames for analysis.

Answer 488

Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot). Also known as hotspot.

Answer 489

a field is used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling.

Answer 490

Utility for gathering results from open source intelligence queries.

Answer 491

An access point that requires a wireless controller in order to function.

Answer 492

Vulnerabilities that arise from dependencies in business relationships with suppliers and customers.

Answer 493

The person or entity responsible for an event that has been identified as a security incident or as a risk.

Answer 494

Cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring.

Answer 495

Animated map showing threat sources in near real-time.

Answer 496

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.

Answer 497

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.

Answer 498

In forensics, identifying whether a time zone offset has been applied to a file's time stamp.

Answer 499

An improvement on HOTP that forces one-time passwords to expire after a short period of time.

Answer 500

In digital forensics, a tool that shows the sequence of file system events within a source image in a graphical format.

Answer 501

A physical or virtual item that contains authentication and/or authorization data, commonly used in multifactor authentication.

Answer 502

A deidentification method where a unique token is substituted for real data.

Answer 503

In cloud computing, a virtual router deployed to facilitate connections between VPC subnets and VPN gateways.

Answer 504

A security protocol that uses certificates for authentication and encryption to protect web communication.

Answer 505

The process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events or better understand past events.

Answer 506

A malicious software program hidden within an innocuous-seeming piece of software. Usually, the Trojan is used to try to compromise the security of the target computer. Also known as Trojan.

Answer 507

A protocol for exchanging cyber threat intelligence between organizations.

Answer 508

A protocol for exchanging cyber threat intelligence between organizations.

Answer 509

A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.

Answer 510

An attack—also called typosquatting—in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL they enter into a browser is taken to the attacker's website. Also known as URL hijacking.

Answer 511

Enterprise software for controlling device settings, apps, and corporate data storage on all types of fixed, mobile, and IoT computing devices.

Answer 512

All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.

Answer 513

Hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point.

Answer 514

A system that can provide automated identification of suspicious activity by user accounts and computer hosts.

Answer 515

Policies and procedures to identify vulnerabilities and ensure security of the supply chain.

Answer 516

The user desktop and software applications provisioned as an instance under VDI.

Answer 517

A virtualization implementation that separates the personal computing environment from a user's physical computer.

Answer 518

A logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

Answer 519

An attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.

Answer 520

Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.

Answer 521

A private network segment made available to a single cloud consumer on a public cloud.

Answer 522

A secure tunnel created between two endpoints connected via an unsecure network (typically the Internet).

Answer 523

Code designed to infect computer files (or disks) when it is activated.

Answer 524

A human-based attack where the attacker extracts information while speaking over the phone or leveraging IPbased voice messaging services (VoIP).

Answer 525

Programming languages used to implement macros and scripting in Office document automation.

Answer 526

A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.

Answer 527

An evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system.

Answer 528

The practice of using a Wi-Fi sniffer to detect WLANs and then either making use of them (if they are open/unsecured) or trying to break into them (using WEP and WPA cracking tools).

Answer 529

A location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

Answer 530

An attack in which an attacker targets specific groups or organizations, discovers which websites they frequent, and injects malicious code into those sites.

Answer 531

"A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks"

Answer 532

An email-based or web-based form of phishing which targets senior executives or wealthy individuals.

Answer 533

Staff administering, evaluating, and supervising a penetration test or incident response exercise.

Answer 534

Standards for authenticating and encrypting access to Wi-Fi networks. Also known as WPA2, WPA3.

Answer 535

A feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.

Answer 536

Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images.

Answer 537

A legacy mechanism for encrypting data sent over a wireless connection.

Answer 538

A vulnerability in software that is unpatched by the developer or an attack that exploits such a vulnerability.

Answer 539

A method of sanitizing a drive by setting all bits to zero.

Answer 540

Low-power wireless communications open source protocol used primarily for home automation. ZigBee uses radio frequencies in the 2.4 GHz band and a mesh topology.

Answer 541

Low-power wireless communications protocol used primarily for home automation. Z-Wave uses radio frequencies in the high 800 to low 900 MHz and a mesh topology

Answer 542

Information about sessions between hosts that is gathered by a stateful firewall.

Answer 543

A technique used in firewalls to analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter and more security.

Answer 544

Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption.

Answer 545

A technique for obscuring the presence of a message, often by embedding information within a file or other entity.

Answer 546

One of a set of precompiled database statements that can be used to validate input to a database.

Answer 547

A type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.

Answer 548

A software testing method that evaluates how software performs under extreme load.

Answer 549

A mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited. 1

Answer 550

An attack that injects a database query into the input data directed at a server by accessing the client side of the application.

Answer 551

A framework for analyzing cybersecurity incidents.

Answer 552

🔐 What is EAP? EAP is a framework — not an authentication method itself — used to support multiple authentication methods over network connections like: Wi-Fi (especially WPA2/WPA3-Enterprise) VPNs 802.1X (used in enterprise wired/wireless networks) 🧩 Why “Extensible”? Because it supports many different methods (called EAP types), such as: EAP Type What It Uses Security Level EAP-TLS Digital certificates (client+server) 🔒🔒🔒 Very Strong EAP-TTLS Server cert + client password 🔒🔒 Strong PEAP Server cert + client password 🔒🔒 Strong EAP-FAST Protected access via PAC files 🔒 Moderate EAP-MD5 Username + password (no encryption) ❌ Weak (insecure) 🧠 Security+ Exam Tip: EAP = authentication framework that allows flexible methods like certificates, passwords, or tokens. Remember: EAP-TLS = most secure, EAP-MD5 = obsolete/insecure.

Brainscape Glossarry Flashcards

(576 cards)