CompTIA import Flashcards
What are the properties of a secure information processing system?
Confidentiality, integrity, and availability (and non-repudiation)
What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
Non-repudiation
A company provides a statement of deviations from framework best practices to a regulator. What process has the company performed?
Gap analysis
What process within an access control framework logs actions performed by subjects?
Accounting
What is the difference between authorization and authentication?
Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource. Authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who they say they are.
How does accounting provide non-repudiation?
A user’s actions are logged on the system. Each user is associated with a unique computer account. As long as the user’s authentication is secure and the logging system is tamperproof, they cannot deny having performed the action.
You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventive measure.
A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
It would be classed as a physical control, and its function is both detecting and deterring.
A firewall appliance intercepts a packet that violates policy. It automatically updates its access control list to block all further packets from the source IP. What TWO functions did the security control perform?
Preventive and corrective
If a security control is described as operational and compensating, what can you determine about its nature and function?
The control is enforced by a person rather than a technical system, and the control has been developed to replicate the functionality of a primary control, as required by a security standard.
A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
A security operations center (SOC)
A business is expanding rapidly, and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?
Development and operations (DevOps) is a cultural shift within an organization to encourage more collaboration between developers and systems administrators. DevSecOps embeds the security function within these teams as well.
Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?
Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.
True or false? Nation-state actors only pose a risk to other states.
False. Nation-state actors have targeted commercial interests for theft, espionage, and extortion.
You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day’s consultancy to patch the vulnerability. How should you categorize this threat?
If the consultancy is refused and the hacker takes no further action, it can be classed as for financial gain only. If the offer is declined and the hacker then threatens to sell the exploit or to publicize the vulnerability, then the motivation is criminal.
Which type of threat actor is primarily motivated by the desire for political change?
Hacktivist
Which three types of threat actor are most likely to have high levels of funding?
State actors, organized crime, and competitors
A company uses stock photos from a site distributing copyright-free media to illustrate its websites and internal presentations. Subsequently, one of the company’s computers is found infected with malware that was downloaded by code embedded in the headers of a photo file obtained from the site. What threat vector(s) does this attack use?
The transmission vector is image based, and the use of a site known to be used by the organization makes this a supply chain vulnerability (even though the images are not paid for). It’s not stated explicitly, but the attack is also likely to depend on a vulnerability in the software used to download and/or view or edit the photo.
A company’s systems are disrupted by a ransomware attack launched via a vulnerability in a network monitoring tool used by the company’s outsourced IT management. Aside from a software vulnerability, what part of the company’s attack surface has been used as a threat vector?
This is a supply chain vulnerability, specifically arising from the company’s managed service provider (MSP).
A company uses cell phones to provide IT support to its remote employees, but it does not maintain an authoritative directory of contact numbers for support staff. Risks from which specific threat vector are substantially increased by this oversight?
Voice calls: the risk that threat actors could impersonate IT support personnel to trick employees into revealing confidential information or installing malware
The help desk takes a call, and the caller states that she cannot connect to the e-commerce website to check her order status. She would also like a username and password. The user gives a valid customer company name but is not listed as a contact in the customer database. The user does not know the correct company code or customer ID. Is this likely to be a social engineering attempt, or is it a false alarm?
This is likely to be a social engineering attempt. The help desk should not give out any information or add an account without confirming the caller’s identity.
A purchasing manager is browsing a list of products on a vendor’s website when a window opens claiming that antimalware software has detected several thousand files on their computer that are infected with viruses. Instructions in the official-looking window indicate the user should click a link to install software that will remove these infections. What type of social engineering attempt is this, or is it a false alarm?
This is a social engineering attempt utilizing a watering hole attack and brand impersonation.
Your CEO calls to request market research data immediately be forwarded to their personal email address. You recognize their voice, but a proper request form has not been filled out and use of third-party email is prohibited. They state that normally they would fill out the form and should not be an exception, but they urgently need the data to prepare for a roundtable at a conference they are attending. What type of social engineering techniques could this use, or is it a false alarm?
If social engineering, this is a CEO fraud phishing attack over a voice channel (vishing). It is possible that it uses deep fake technology for voice mimicry. The use of a sophisticated attack for a relatively low-value data asset seems unlikely, however. A fairly safe approach would be to contact the CEO back on a known mobile number.
A company policy states that any wire transfer above a certain value must be authorized by two employees, who must separately perform due diligence to verify invoice details. What specific type of social engineering is this policy designed to mitigate?
Business email compromise
Which part of a simple cryptographic system must be kept secret—the cipher, the ciphertext, or the key?
In cryptography, the security of the message is guaranteed by the security of the key. The system does not depend on hiding the algorithm or the message (security by obscurity).
Considering that cryptographic hashing is one way and the digest cannot be reversed, what makes hashing a useful security technique?
Because two parties can hash the same data and compare digests to see if they match, hashing can be used for data verification in a variety of situations, including password authentication. Hashes of passwords, rather than the password plaintext, can be stored securely or exchanged for authentication. A hash of a file or a hash code in an electronic message can be verified by both parties.
Which security property is assured by symmetric encryption?
Confidentiality—symmetric ciphers are generally fast and well suited to bulk encrypting large amounts of data.
What are the properties of a public/private key pair?
Each key can reverse the cryptographic operation performed by its pair but cannot reverse an operation performed by itself. The private key must be kept secret by the owner, but the public key is designed to be widely distributed. The private key cannot be determined from the public key, given a sufficient key size.
What is the process of digitally signing a message?
A hashing function is used to create a message digest. The digest is then signed using the sender’s private key. The resulting signature can be verified by the recipient using the sender’s public key and cannot be modified by any other agency. The recipient can calculate their own digest of the message and compare it to the signed hash to validate that the message has not been altered.
How does a subject go about obtaining a certificate from a CA?
In most cases, the subject generates a key pair, adds the public key along with subject information and certificate type in a certificate signing request (CSR), and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.
What cryptographic information is stored in a digital certificate?
The subject’s public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.
What extension field is used with a web server certificate to support the identification of the server by multiple specific subdomain labels?
The subject alternative name (SAN) field. A wildcard certificate will match any subdomain label.
What are the potential consequences if a company loses control of a private key?
It puts both data confidentiality and identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data with authorization. The key could also be used to impersonate a user or computer account.
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
Escrow refers to archiving the key used to encrypt the customer’s backups with your company as a third party. The risk is that an insider attack from your company may be able to decrypt the data backups. This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator.
What mechanism informs clients about suspended or revoked keys?
Either a published certificate revocation list (CRL) or an Online Certificate Status Protocol (OCSP) responder
You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?
A hardware security module (HSM) is optimized for this role and so presents a smaller attack surface. It is designed to be tamper evident to mitigate against insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.
In an FDE product, what type of cipher is used for a key encrypting key?
Full-disk encryption (FDE) uses a secret symmetric key to perform bulk encryption of a disk. This data encryption key (DEK) is protected by a Key Encryption Key (KEK). The KEK is an asymmetric cipher (RSA or ECC) private key.
True or False? Perfect Forward Secrecy (PFS) ensures that a compromise of a server’s private key will not also put copies of traffic sent to that server in the past at risk of decryption.
True. PFS ensures that ephemeral keys are used to encrypt each session. These keys are destroyed after use.
Why does Diffie-Hellman underpin Perfect Forward Secrecy (PFS)?
Diffie-Hellman allows the sender and recipient to derive the same value (the session key) from some other pre-agreed values. Some of these are exchanged, and some kept private, but there is no way for a snooper to work out the secret just from the publicly exchanged values. This means session keys can be created without relying on the server’s private key and that it is easy to generate ephemeral keys that are different for each session.
True or false? It is essential to keep a salt value completely secret to prevent recovery of a password from its hash.
False. The salt does not have to be kept secret, though it should be generated randomly.
Which property of a plaintext password is most effective at defeating a brute force attack?
The length of the password. If the password does not have any complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary-based attack. A long password may still be vulnerable if the output space is small or if the mechanism used to hash the password is faulty.
A user maintains a list of commonly used passwords in a file located deep within the computer’s directory structure. Is this secure password management?
No. This is security by obscurity. The file could probably be easily discovered using search tools.
What policy prevents users from choosing old passwords again?
Enforce password history/block reuse and set a minimum age to prevent users from quickly cycling through password changes to revert to a preferred phrase.
True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication.
False. Three-factor authentication also includes a biometric-, behavioral-, or location-based element. The password and PIN elements are the same factor (something you know).
What methods can be used to implement location-based authentication?
You can query the location service running on a device or geolocation by IP. You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy
True or false? When implementing smart card login, the user’s private key is stored on the smart card.
True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material.
How does OTP protect against password compromise?
A one-time password mechanism generates a token that is valid only for a short period (usually 60 seconds), before it changes again. This can be sent to a registered device or generated by a hard token device. This sort of two-step verification means that a threat actor cannot simply use the compromised password to access the user’s account.
What is the difference between security group- and role-based permissions management?
A group is simply a container for several user objects. Any organizing principle can be applied. In a role-based access control system, groups are tightly defined according to job functions. Also, a user should (logically) only possess the permissions of one role at a time.
In a rule-based access control model, can a subject negotiate with the data owner for access privileges? Why or why not?
This sort of negotiation would not be permitted under rule-based access control; it is a feature of discretionary access control.
What is the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user?
Provisioning or onboarding
What is the policy that states users should be allocated the minimum sufficient permissions?
Least privilege
A threat actor was able to compromise the account of a user whose employment had been terminated a week earlier. They used this account to access a network share and exfiltrate important files. What account vulnerability enabled this attack?
While it’s possible that lax password requirements and incorrect privileges may have contributed to the account compromise, the most glaring problem is that the terminated employee’s account wasn’t deprovisioned. Since the account was no longer being used, it should not have been left active for a threat actor to exploit.
What is the purpose of implementing LDAP?
A Lightweight Directory Access Protocol (LDAP)-compatible directory stores information about network resources and users in a format that can be accessed and updated using standard queries.
True or false? The following string is an example of a distinguished name: CN=ad, DC=515support,DC=com.
True.
True or false? In order to create a service ticket, Kerberos passes the user’s password to the target application server for authentication.
False. Only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user’s account details (SID) to the target application for authorization (allocation of permissions), not authentication.
You are consulting with a company about a new approach to authenticating users. You suggest there could be cost savings and better support for multifactor authentication (MFA) if your employees create accounts with a cloud provider. That allows the company’s staff to focus on authorizations and privilege management. What type of service is the cloud vendor performing?
The cloud vendor is acting as the identity provider.
You are working on a cloud application that allows users to log on with social media accounts over the web and from a mobile application. Which protocols would you consider, and which would you choose as most suitable?
Security Assertion Markup Language (SAML) and OAuth. OAuth offers better support for standard mobile apps so is probably the best choice.
A company’s network contains client workstations and database servers in the same subnet. Recently, this has enabled attackers to breach the security of the database servers from a workstation compromised by phishing malware. The company has improved threat awareness training and upgraded antivirus software on workstations. What other change will improve the security of the network’s design, and why?
The network architecture should implement network segmentation to put hosts with the same security requirements within segregated zones. At layer 2, the workstation and database servers should be placed on separate switches or placed in separate virtual LANs (VLANs). At layer 3, these segments can be identified as separate subnets.
A company must store archived data with very high confidentiality and integrity requirements on the same site as its production network systems. What type of architecture will best protect the security requirements of the archive host?
The host can be physically isolated by configuring it with no networking connections, creating an air-gap.
Following a data breach perpetrated by an insider threat actor, a company has relocated its on-premises servers to a dedicated equipment room. The equipment room has a lockable door, and the servers are installed to lockable racks. Access to keys is restricted to privileged administrators and subject to sign-out procedures. True or false? These security principles reduce the attack surface.
True. The attack surface exists at different network layers and includes physical access. Physically restricting access to server hardware is an important element in reducing the attack surface and mitigating insider threat.
A company wants to upgrade switches to enforce device authentication. Which framework, standard, or protocol must the switch models support?
The switches must support the IEEE 802.1X standard. The Remote Authentication Dial-In User Service (RADIUS) protocol and Extensible Authentication Protocol (EAP) framework are used within this, but it is 802.1X that is specific to authenticating when connecting to a switch port (and Wi-Fi access points).
Two companies are merging and want to consolidate employees at a single site. Neither company’s on-premises networks have space toadd the 100 desktops required. Which consideration factor does the current architecture model fail to address?
Scalability is the consideration that an architecture should be able to expand to meet additional requirements or workloads.
True or False? As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.
False. All firewall types can perform basic packet filtering (by IP address, protocol type, port number, and so on).
A proxy server implements a gateway for employee web and email access and is regularly monitored for compromise. If any compromise is detected, the proxy must enter a fail state that prevents further access. What type of fail mode is required?
A fail-closed mode is required. Fail-open mode preserves access and availability.
You need to deploy an appliance WAF to protect a web server farm without making any layer 3 addressing changes. Is WAF functionality supported by appliances and, if so, what device attribute should the appliance support?
A web application firewall (WAF) can be implemented as an appliance or as software running on a general host. The device must support transparent mode. It could either use layer 2 bridging or a layer 1 inline (“bump-in-the-wire”) mode.
What IPS mechanism can be used to block traffic that violates policy without also blocking the traffic source?
The intrusion prevention system (IPS) can be configured to reset connections that match rules for traffic that are not allowed on the network. This halts the potential attack without blocking the source address.
True or false? When deploying a non-transparent proxy, clients must be configured with the proxy address and port.
True. The clients must either be manually configured or use a technology such as proxy auto-configuration (PAC) to detect the appropriate settings.
What is meant by scheduling in the context of load balancing?
The algorithm and metrics that determine which node a load balancer picks to handle a request
True or false? A TLS VPN can only provide access to web-based network resources.
False. A Transport Layer Security (TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. The private network data could be frames or IP-level packets and is not constrained by application-layer protocol type.
What IPsec mode would you use for data confidentiality on a private network?
Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication Header (AH) provides message authentication and integrity but not confidentiality.
What is the main advantage of IKEv2 over IKEv1?
Rather than just providing mutual authentication of the host endpoints, IKEv2 supports a user account authentication method, such as Extensible Authentication Protocol (EAP).
What value confirms the identity of an SSH server to a client?
The server’s public key. This is referred to as the host key. Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a certificate authority.
Server A is configured to forward commands over SSH to a pool of database servers. The database servers do not accept SSH connections from any other source. What type of configuration does Server A implement?
Server A is a jump server. A jump server is a specially hardened device designed as a single point of entry for management and administration traffic for a group of application or database servers in a secure zone. This is designed to make monitoring and securing connections to the secure zone easier and more reliable.
What is a public cloud?
A solution hosted by a third-party cloud service provider (CSP) and shared between subscribers (multi-tenant). This sort of cloud solution has the greatest security concerns.
What type of cloud solution could be used to implement a SAN?
This would usually be described as infrastructure as a service (IaaS).
