comptia security Flashcards

Question

TPM

Answer 1

trusted platform module provides full drive encryption

Answer 2

corporate owned personally enabled mobile device deployment model = MDM mobile device mgmt that gives centralized control over COPE --> BYOD, CYOD

Answer 3

choose your own device a mobile device deployment model employees can connect their personally owned device to the network as long as the device is on a preapproved list =storage segmentation to protect company data on mobile devices owned by users

Answer 4

interconnection security agreement specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities: BETWEEN ANY FEDERAL AGENCY AND A THIRD PARTY INTERCONNECTING THEIR SYSTEMS

Answer 5

annual (annualized) loss expectancy the expected loss for a year it is used to measure risk with ARO and SLE in a quantitative risk assessment SLE x ARO = ALE

Answer 6

annual (annualized) rate of occurrence the number of times a loss is expected to occur in a year it is used to measure risk with ALE and SLE in a quantitative risk assessment

Answer 7

single loss expectancy the monetary value of any single loss used to measure risk with ALE and ARO in a quantative risk assessment SLE x ARO = ALE

Answer 8

secure/multipurpose internet mail extensions popular standard used to secure email provides: confidentiality integrity authentication non-repudiation

Answer 9

type of monitoring used on intrusion detection and intrusion prevention systems detects attacks based on KNOWN ATTACK PATTERNS documented as attack signatures - signature based IDS systems use signatures similar to antivirus software a unique identifier is established about a known threat so that the threat can be identified in the future

Answer 10

security information and event mgmt attempts to look at security events throughout the organisation

Answer 11

copying an app package to mobile device useful to developers when testing apps

Answer 12

driver manipulation method uses additional code to modify the behaviour of a driver

Answer 13

open source federated identity solution

Answer 14

secure hash algorithm hashing function used to provide INTEGRITY versions: SHA-1, SHA-2, SHA-3 hash is an alphanumeric string created by executing a hashing algorithm against data (file or message) hashing algo creates a fixed-length, IRREVERSIBLE output if the data never changes, the resulting hash will always be the same by comparing hashes created at two different times, you can determine if the original data is still the same if the hashes are the same, the data is the same

Answer 15

secure file transfer protocol TCP port 22 an extension of SSH (secure shell) used to encrypt FTP traffic

Answer 16

an attack that attempts to impersonate a user by capturing and using a session ID session IDs are store in COOKIES!!

Answer 17

self-encrypting drive

Answer 18

process that checks and validates system files during the boot process TPM typically uses a secure boot process it is a security system offered by UEFI it is designed to prevent a computer from being hijacked by a malicious OS under secure book UEFI is configured with digital certs from valid OS vendors the system fw checks the OS boot loader using the stored certificate to ensure that the OS vendor has digitally signed it this prevents a boot loader that has been changed by malware or an OS installed without authorization from being used. the TPM can also be invoked to compare hashes of key system state data (boot fw, boot loader, and OS kernel) to ensure they have not been tampered with by a rootkit

Answer 19

security assertion markup language XML-based standard used to exchange authentication and authorization information between different parties SAML provides SSO for web-based application

Answer 20

software defined network uses sw and virtualization technologies to replace hw routers SDNs separate the data and control planes

Answer 21

lightweight directory access protocol used to communicate with directories such as microsoft active directory it identifies objects with query strings using codes such as CN=Users and DC=GetCertifiedGetAhead

Answer 22

lightweight directory access protocol secure used to encrypt LDAP traffic with TLS

Answer 23

short vertical posts that act as a baricade block vehicles but not ppl

Answer 24

heating ventilation air conditioning - physical security control that increases availability by regulating airflow within DCs and server rooms

Answer 25

recovery time objective the max amount of time it should take to restore a system after an outage it is derived from the max allowable outage time identified in the BIA

Answer 26

a key stretching algorithm used to protect pwds bcrypt salts pwds with additional bits before encrypting them with Blowfish this thwarts rainbow table attacks

Answer 27

bussiness impact analysis includes info on potential losses

Answer 28

disaster recovery plan includes methods to recover from an outage

Answer 29

AES - advanced encryption standard DES - data encryption standard RC4 - Rivest Cipher 4

Answer 30

provides integrity for digital signatures and other data hash=checksum hashing verifies integrity for data such as email, d/l files, and files stored on a disk hash is a number created with a hashing algorithm HASHES ARE ONE-WAY FUNCTIONS

Answer 31

is a hash of the message encrypted with the senders private key but the encryption doesnt provide integrity the digital signature provides non-repudiation which doesnt provide integrity

Answer 32

secure hash algorithm version 2 is used for integrity

Answer 33

elliptic curve cryptography has minimal overhead and is often used with mobile devices for encryption

Answer 34

1) PBKDF2 = pwd-based key derivation function 2 2) bcrypt that salt pwds with additional bits to protect agains brute force attempts

Answer 35

online certificate status protocol provides real time responses to validate certs issues by a Certificate Authority (CA)

Answer 36

certificate revocation list includes a list of revokes certs

Answer 37

digital signature algorithm creates a digital signature

Answer 38

hash based message authentication code creates a hash Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography. How does HMAC differ from hashing? A hash lets you verify only the authenticity of the data (i,. e., that the data you received is what was originally sent). An HMAC lets you verify both the authenticity and the originator of the data. A hash doesn't use a key. Why is HMAC more secure than general hashing? The strength of HMAC lies in its combination of both a secret key and a hash function. The secret key adds a layer of security by ensuring that only those with the key can generate or verify an HMAC. This aspect is particularly important in scenarios where confidentiality and data integrity are critical.

Answer 39

acceptable use policy informs users of their responsibilities when using an organisations equipment

Answer 40

utilizes information that a person would know eg name of a first pet and use it to change the users pwd --> Sarah Palin example

Answer 41

is a pwd attack that uses a DB of precalculated hashes - PBKDF2 and bcrypt thwart rainbow table attacks

Answer 42

- secure real-time transport protocol - used to encrypt and provide authentication for RTP traffic - used for audio/video streaming

Answer 43

group od servers configured as honeypots

Answer 44

provides port-based authentication and can authenticate clients clients that cant authenticate (eg guests) can be redirected to the guest network which grants them Internet access but not access to the internal network

Answer 45

network address translation translates private IP addresses to public IP addresses

Answer 46

protected extensible authentication protocol an extension of EAP sometimes used with 802.1x PEAP requires a cert on the 802.1x server

Answer 47

privacy enhanced mail common format for PKI certs it can use either CER (ASCII) or DER (binary) formats and can be used for almost any type of certs

Answer 48

Linux command used to change the root directory often used for sandboxing

Answer 49

linux admins use it to change permissions for files

Answer 50

full disk encryption

Answer 51

self-encrypting drive a drive that includes the hw and sw necessary to encrypt a hard drive - users typically enter credentials to decrypt and use the drive

Answer 52

runtime code = code that is interpreted when it is executed compiled code = has been optimized by an application and converted into an executable file

Answer 53

remote authentication dial-in user service

Answer 54

domain name system

Answer 55

dynamic host configuration protocol

Answer 56

supervisory control and data acquisition system

Answer 57

commonly create backdoors

Answer 58

eg email targeting users in the same organisation

Answer 59

similar to phishing - but uses telephone technology

Answer 60

method used to prevent brute force attacks to discover pwds

Answer 61

locks an account after the wrong pwd is guessed too many times

Answer 62

domain name system poisoning attempts to redirect web browsers to malicious URLs

Answer 63

attempts to capture packets to impersonate one of the parties in an online session

Answer 64

service level agreement between a company and a vendor that stipulates performance expectations such as min uptime and max downtime levels

Answer 65

business partners agreement

Answer 66

memorandum of understanding or memorandum of agreement - a type of agreement that defines responsibilities of each party - compare with ISA

Answer 67

interconnection security agreemenr specifies technical and security requirements for connections between two or more entities

Answer 68

a command-line tool to show and manipulate ARP (address resolution protocol) cache

Answer 69

an attack that misleads systems about the actual MAC address of the system

Answer 70

cross-site scripting attack protection against: - input validation - WAF: web application firewall = monitors, filters, and or blocks HTTP traffic to a web server

Answer 71

organising tables and columns in a DB to reduce redundant data and improve overall DB performance

Answer 72

useful for remotelly administering servers but it doesnt collect and analyze packets - can be used for banner grabbing and will provide info on the operating system

Answer 73

can capture traffic sent over a network and identify the type of traffic , the source of the traffic and protocol flags used within individual packets to EXAMINE PACKETS used to VIEW DATA sent in CLEAR TEXT

Answer 74

the capability of a system to suffer a fault, but continue to operate the system can tolerate the fault as if it never occurred

Answer 75

RAID stands for Redundant Array of Inexpensive (Independent) Disks. row cost solution for fault tolerance for disks RAID increases data availability

Answer 76

round-robin is one of the methods used in load balancing

Answer 77

a file containing precomputed hashes for character combination rainbow tables are used to discover pwds

Answer 78

a key stretching technique designed to protect against brute force and rainbow table attacks

Answer 79

pwd based key derivation function 2 both (bcrypt as well) salt the pwd with additional bits bcrypt- based on Blowfish

Answer 80

means that the ciphertext is significantly different than the plaintext

Answer 81

ensures that small changes in the plaintext result in large changes in the ciphertext

Answer 82

attempt to hide data or make sth unclear

Answer 83

hashing algorithm vulnerability a has vulnerability that can be used to discover pwds a hash collision occurs when two different pwds CREATE THE SAME HASH

Answer 84

elliptic curve diffie-hellman ephemeral allows entities to negotiate encryption keys securely over a public network

Answer 85

cloud access security broker - sw tool that enforces cloud-based security requirements - placed between the organisation's resources and the cloud - monitors all network traffic - can enforce security policies

Answer 86

counter mode a mode of operation used for encryption that combines IV with a counter the combined result is used to encrypt blocks

Answer 87

a security mechanism used by some web sites to PREVENT WEB SITE IMPERSONATION web sites provide clients with a list of PUBLIC KEY HASHES clients store the list and use it to validate the web site

Answer 88

the process of appending a digitally signed OCSP response to a certificate it reduces the overall OCSP traffic sent to a CA

Answer 89

a characteristic of encryption key ensuring THAT THE KEYS ARE RANDOM perfect forward secrecy methods do not use DETERMINISTIC ALGORITHMS

Answer 90

HMAC-MD5 HMAC-SHA1 HMAC= hash-based message authentication code

Answer 91

MD5 SHA HMAC RIPEMD

Answer 92

race integrity promitives evaluation message digest

Answer 93

secure hash algorithm

Answer 94

message digest 5

Answer 95

initialization vector provides a starting value for a cryptographic algorithm it is a fixed-size random or pseudo-random number that helps create random encryption keys ideally the IV should be large enough so that the algorithm doesnt reuse the same IV and re-create the same encryption keys

Answer 96

remote authentication dial-in user service encrypts pwd packets uses shared keys for symmetric encryption when users authenticate, RADIUS servers and clients use the shared key to encrypt and decrypt data exchanged in a CHALLENGE/RESPONSE session without the shared key, clients are unable to decrypt the data and respond appropriately

Answer 97

recovery time objective = the amount of time it takes to identify a problem and then perform recovery eg restore from back up or switch in an alternative system

Answer 98

recovery point objective the amount of data loss that a system can sustain measured in time if a virus destroys a DB an RPO of 24 hours means that the data can be recovered from a backup copy to a point not more than 24 hours before the DB was infected

Answer 99

mean time between failure expected lifetime of a product before it fails and must be replaced or repaired

Answer 100

mean time to repair mean time to recover is a measure of the time taken to correct a fault to restore the system to full operation often specified in the maintenance contracts

Answer 101

most severe issue that may exist in a virtualized environment the attacker can access a single virtual host and then leverages that access to intrude on the resources assigned to a different virtual machines

Answer 102

the residual representation of digital data that remains even after attempts have been made to remove it or erase it

Answer 103

when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively

Answer 104

moving a virtual machine from one physical hardware environment to the other

Answer 105

system logging protocol port 514 is a way network devices can use a standard message format to communicate with a logging server designed to make it easy to monitor network devices devices can use a syslog agent to send out notification messages

Answer 106

used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records "set type=ns" tells nslookup only reports information on name servers "set type=mx" -> info only about mail exchange servers

Answer 107

results from the combination of a THREAT and a VULNERABILITY

Answer 108

bussiness continuity plan

Answer 109

logs into a system and retrieve their configuration information

Answer 110

relies on external resources for config settings that can be altered or incorrect

Answer 111

is an extension to TACACS = terminal access controller access control system developed as a proprietary protocol by Cisco

Answer 112

REMOTE AUTHENTICATION DIAL-in USER SERVICE is a networking protocol that operates on port 1812 and provides centralized Authentication Authorization Accounting mgmt for users who connect and use a network service

Answer 113

a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT

Answer 114

challenge-handshake authentication protocol is used to authenticate a user or network host to an authenticating entity AUTHENTICATION PROTOCOL DOES NOT PROVIDE AUTHORIZATION OR ACCOUNTING SERVICES

Answer 115

round-robin

Answer 116

a scheduling method used with load balancers it uses the clients IP address to ensure the client is redirected to the same server during a session

Answer 117

one of the federated identity solutions open source and freely available includes Open libraries written in C++ and Java

Answer 118

open standard for authorization instead of creating a diff account for each web site you access, you can often use the same account that you have created with Google, FB, paypal etc

Answer 119

works with OAuth 2.0 allows clients to verify the identity of end users without managing their credentials exemple Skyscanner - after logging using FB credentials Skyscanner provides more personalized experience for the users is used for authentication on the Internet, not internal networks!!!

Answer 120

trivial file transfer protocol port 69

Answer 121

simple mail transfer protocol port 25

Answer 122

domain name service protocol port 53

Answer 123

insecure direct object references cybersecurity issue when a web app developer uses an identifier for direct access to an object but provides no additional access control and/or authorization checks

Answer 124

sw vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events those events fail to execute in the order and timing intended by the developer - hacker gamer example !!

Answer 125

internet message access protocol a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a remote server using TCP port number 143 unlike POP3 messages persist on the server after the client has d/l them IMAP also supports mailbox mgmt functions such as creating subfolders and access to the same mailbox by more than one client at the same time

Answer 126

attempts to access a pointer that references an object at a particular memory location

Answer 127

wired equivalent privacy an older mechanism for encrypting data sent over a wireless connection uses 24-bit initialization vector to secure its pre-shared key replaced by WPA -wifi protected access that uses RC4 cipher and a temporal key integrity protocol (TKIP) replaced by WPA2 after the completion of the 802.11i security standard uses improved AES cipher with counter mode with cipher-block chaining message authentication protocol CCMP for encryption replaced by WPA3 most secure wireless encryption method uses the simultaneous authentication of equals SAE to increase the security of preshared keys provides the enhanced open mode WPA3 Enterprise mode supports AES with the Galois/counter mode protocol GCMP-256 for the highest levels of encryption

Answer 128

a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware sw on a remote server

Answer 129

used to capture the hard disks required information to support a forensic investigation it would not detect malware during the systems boot-up process

Answer 130

determines which programs will be loaded when the operating system is initially booted

Answer 131

accept avoid mitigate or transfer

Answer 132

file transfer protocol port 20 and 21

Answer 133

is the process of removing personally identifiable information from data sets so that the ppl whom the data describe remain anonymous

Answer 134

combining diff methods such as the dictionary and brute force methods into a single tool

Answer 135

embeds an RFID chip into the card or badge when the user swipes their card over the reader, it sends an RF signal that uniquely identifies the cards holder RFID - radio-frequency identifcation systems

Answer 136

attacks against radio-frequency identification systems such as eavesdropping replay DoS

Answer 137

physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens

Answer 138

virtual desktop infrastructure

Answer 139

virtual private cloud

Answer 140

user and entity behaviour analytics can provide an automated identification of suspicious activity by user accounts and computer hosts

Answer 141

attribute-based access control provides most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes info such as the group membership, the OS being used or even the machines IP could be considered when granting or denying access

Answer 142

order in which you should collect evidence

Answer 143

process that an organization uses to perserve all forms of potentially relevant information when litigation is pending or reasonably anticipated

Answer 144

you need to use 802.1x for the protocol the IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network this defines port security the users identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server

Answer 145

the worlds most popular open-source scanning utility

Answer 146

the services console allows to disable or enable Windows services

Answer 147

used to copy files, disks, and partitions, and it can also be used to create forensic disk images

Answer 148

proprietary vulnersbility scanner developed by Tenable it does contain the ability to conduct a port scan, its primary role is as a VULNERABILITY SCANNER

Answer 149

provides mutual authentication of the client and the server - because its using TLS

Answer 150

knowledge - sth you know possession - sth you have biometric - sth you are action - sth you do location - somewhere you are

Answer 151

protected health information any info that identifies so as the subject of medica and insurance records, plus their associated hospital and laboratory test results this type of data is protected by the Health Insurance Portability and Accountability Act = HIPAA it requires notification of thr individual, the Secretary of the US Department of Health and Human Services -HHS, and the media if more than 500 individuals are affected in the case of a data breach

Answer 152

the PCI DSS information security standard

Answer 153

walking around a build while locating WIRELESS networks and devices it will not help find a WIRED ROGUE DEVICE on wired network - checking valid MAC addresses against a known list - scanning for new systems or devices - physically surveying for unexpected systems can be used to find rogue devices on a WIRED NETWORK

Answer 154

internet control message protocol

Answer 155

diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems

Answer 156

process of gathering data, normally user credentials

Answer 157

statement of work

Answer 158

master service agreement parties agree to the terms that wil govern future transactions/future agreements

Answer 159

service level agreement outlines the detailed terms under which a service is provided including reasons the contract may be terminated

Answer 160

is the process of harvesting an account's cached credentials when the user logs in to a single sign-on

Answer 161

a Kerberos ticket that can grant other tickets in an Active Directory environment attackers who can createna golden ticket can use it to grant admin access to other domain members even to domain controllers

Answer 162

an umbrella term for variety of attack types compromising host credentials

Answer 163

attackers compromise one central host - the pivot that allows them to spread out to other hosts that would otherwise be inaccessible

Answer 164

carrier-sense multiple access with collision avoidance is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by beginning transmission only after the channel is sensed to be idle

Answer 165

indicators of compromise

Answer 166

used to wipe magnetic media

Answer 167

tabletop exercise: RED TEAM - the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker BLUE TEAM - consists of system administrators, cybersecurity analysts and network defenders

Answer 168

microsoft endpoint configuration mgmt provides remote control patch mgmt sw distribution OS deployment network access protection hw & sw inventory

Answer 169

sw as a service any sw or application provided to users over a network such as the internet eg Gmail

Answer 170

10.x.x.x 172.16-31.x.x 192.168.x.x

Answer 171

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.[1][2] In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Answer 172

common vulnerability score system

Answer 173

open-source intelligence --> refers to legally gathered information from free, public sources = information found on the internet

Answer 174

Transmission Control Protocol Transmission Control Protocol (TCP) is a communications standard that enables application programs and computing devices to exchange messages over a network. It is designed to send packets across the internet and ensure the successful delivery of data and messages over networks.

Answer 175

full disk encryption

Answer 176

common vulnerabilities & exposures

Answer 177

indicators of compromise: telltale signs that an attcack has taken place may include: - file signatures - log patterns - etc - may be found in file and code repositories

Answer 178

open source threat inteligence

Answer 179

cybersecurity & infrastructure security agency

Answer 180

A forward proxy deals with client traffic, regulating and securing it. In contrast, a reverse proxy shields servers by handling client requests, ensuring they reach the right server, and returning the results to clients, who are unaware of the server's direct involvement.

Answer 181

Tunnel Mode provides end-to-end security by encrypting the entire IP packet, while Transport Mode only encrypts the payload of the packet. Another difference is the use case: Tunnel Mode is used for connecting entire networks, while Transport Mode is used for host-to-host communication.

Answer 182

real-time operating systems specialized OS designed for embedded systems (with limited resources) that require precise timing and deterministic behavior - provide real-time scheduling (certain tasks will be completed within a specific timeframe --> critical for medical devices and automotive systems - designed to be lightweight and efficient, with a small memory footprint and low processing overhead

Answer 183

SOAR (security orchestration, automation and response)

Answer 184

chown is an abbreviation for “changing owner”, which is pretty self-explanatory. While chmod handles what users can do with a file once they have access to it, chown assigns ownership. As you may have noticed, none of the chmod commands we discussed above changed who owns the files we're working with.

Answer 185

The dd command is one of the most powerful and versatile tools in the Linux operating system. Often referred to as “data duplicator” or “disk destroyer,” dd is a command-line utility that can copy and convert data at a low level. Its capabilities range from creating disk images to performing data recovery operations.

Answer 186

A Cuckoo Sandbox is a tool that is used to launch malware in a secure and isolated environment, the idea is the sandbox fools the malware into thinking it has infected a genuine host. The sandbox will then record the activity of the malware and then generate a report on what the malware has attempted to do while in this secure environment. Cuckoo is an open source automated malware analysis system. It's used to automatically run and analyze files and collect comprehensive analysis results that outline what the malware does while running inside an isolated operating system.

Answer 187

What is Network Interface Card (NIC) Teaming? Network Interface Card (NIC) teaming combines multiple network interface cards to work together as a single unit. Doing this gives us a few advantages: Increased bandwidth: The biggest advantage is the extra throughput you achieve with multiple interfaces. NIC teaming can help in the following ways: 1) Bandwidth. Network bandwidth is a connection's maximum total data transfer rate. NIC teaming aggregates two or more NICs, increasing the bandwidth. 2) Redundancy. One connection to one switch is a single point of failure. Teaming supports multiple connections. Is NIC teaming the same as LACP? There are two main kinds of NIC teaming: 1) Switch dependent. Also referred to as LACP, 802.3ad, or Dynamic Link Aggregation, this teaming method uses the LACP protocol to understand the teaming topology. Three NIC teaming configurations are available. 1) Switch independent teaming—Used when a switch does not support NIC teaming. 2) Static teaming—Used for a switch that supports teaming but must be configured manually. 3) LACP teaming—Used for a switch that supports LAN Aggregation Control Protocol (LACP).

Answer 188

a mandatory access control scheme Mandatory access control is a centrally-managed access system. MAC assigns each network user a security level. It also assigns objects on the network with security attributes such as clearance levels and group identities. Users with the right security credentials can access protected objects. Mandatory access control (MAC) is a security strategy that restricts the ability individual resource owners have to grant or deny access to resource objects in a file system. What is the difference between mandatory and discretionary access control? The main difference between discretionary access control and mandatory access control is the key factor of controlling resource access. In discretionary access control, access is controlled by the resource users, while in mandatory access control, access is controlled by the system. It isnt used to control access to administrator accounts!!

Answer 189

Access Control Models and Methods | Types of Access Control There are four types of access control methods: 1) Mandatory Access Control (MAC), 2) Role-Based Access Control (RBAC), 3) Discretionary Access Control (DAC), and 4) Rule-Based Access Control (RBAC or RB-RBAC). A method is chosen based on the level of access needed by each user, security requirement, infrastructure, etc.

Answer 190

A differential backup strategy only copies data changes since the last full backup. An incremental data backup strategy copies data changes since the last backup.

Answer 191

DESCRIBE HOW A CONTROL WORKS 1) technical - uses hw, sw, fw to reduce risk 2) managerial - administrative in function, documented in orgs security policy - focus on managing risk!! 3) operational: help ensure that the day-to-day operations of an orgs comply with the security policy // implemented by operational staff 4) physical: locks, fences, security guards

Answer 192

DESCRIBE THE GOAL THAT THE CONTROL IS TRYING TO ACHIEVE preventive deterrent - to discourage detective corrective - to restore normal operations after an inc occurs compensating - are alternative controls when a primary control is not feasible directive - provide instructions to individuals on how they should handle security-related situations that arise

Answer 193

fault tolerance and redundancies, such as RAID failover clusters backups generators PATCHING: ensuring systems stay available is by keeping them up-to-date with patches

Answer 194

adds duplication to critical systems and provides FAULT TOLERANCE --> a system with fault tolerance can tolerate a fault goal to remove SPOF 1) disk redundancies: fault-tolerant disks: 1.1 RAID-1 (mirroring), 1.2 RAID-5 (striping with parity), 1.3. RAID-10 (striping with a mirror) all these allow a system to continue to operate even if a disk fails 2) server r.: FAILOVER CLUSTERS 3) network r.. 3.1 LOAD BALANCING (e.g. high-volume website); 3.2 NIC (network interface card) teaming: provides redundancy and increased bandwidth by putting two or more network cards in a single server 4) power r. 4.1 UPSs 4.2 power generators

Answer 195

to be able to increase the capacity to meet new demand adding more servers to existing one --> horizontal scaling vertical scaling: doesn't add more servers but more RESOURCES: memory, processing power to individual servers // there is a limit based on the system (e.g. when a server only supports max 32GB of RAM)

Answer 196

automates scalability by having the system add and remove resources as needed

Answer 197

physical, preventive and deterrent control

Answer 198

technical & preventive control

Answer 199

encryption antivirus sw IDSs & IPSs firewalls least privilege (individuals&processes are granted only the privileges they need to perform their assigned tasks or functions, but no more --> privileges are combination of rights & permissions)

Answer 200

are administrative in function documented in orgs security policy these controls use planning and assessment methods to review the orgs ability to reduce and manage risk 1) risk assessments 1.1) quantitative risk assessment - uses cost and asset values to quantify risk based on monetary values 1.2) qualitative risk assessment - categorizes risk based on probability and impact 2) vulnerability assessments - attempts to discover current vulnerabilities

Answer 201

--> help ensure that the day-to-day operations of an orgs comply with the security policy --> implemented by operational staff (instead of systems) 1) awareness & training // pwd security, clean desk policy, understand phishing etc 2) configuration & change management 3) media protection // USB flash drives, external & internal drives, backup tapes

Answer 202

https://csrc.nist.gov/publications/sp800 The National Institute of Standards and Technology is part of the U.S. Department of Commerce - they publish Special Publications (SPs) in the 800 series --> important reference for security community - SP 800-53: Security and Privacy Controls for Information Systems and Organizations --> 3 chapters discuss security controls + 3 appendices --> Appendix C: provides details on hundreds of individual security controls divided into 20 different families

Answer 203

1) hardening 1.1) disabling unnecessary ports and services 1.2.) implementing secure protocols 1.3) keeping a system patched 1.4) using strong pwds along with a robust pwd policy 1.5) disabling default and unnecessary accounts 2) training 3) security guards 4) account disablement process 5) IPS - Intrusion Prevention System can block malicious traffic before it reaches a network 6) change management processes - help prevent outages from configuration changes

Answer 204

some physical security controls used to deter threats: 1) warning signs 2) login banners

Answer 205

preventive & deterrent

Answer 206

1) log monitoring 2) SIEM systems --> Security information and event management systems 3) security audit 4) video surveillance --> CCTV (that is also a deterrent control) 5) motion detection 6) IDS

Answer 207

attempts to reverse the impact of an incident or problem after it has occurred purpose --> getting things back to normal as quickly as possible --> they restore the confidentiality, integrity, and/or availability 1) backups and system recovery 2) incident handling processes: defines steps to take in response to security incidents: 2.1) incident response policy 2.2) incident response plan

Answer 208

employees have to use smart cards when authenticating to a system to allow new employees to access the network and still maintain a high level of security the org might choose to implement TOTP (Time-based One-Time Pwd) as a compensating control --> which still provides a strong auth solution

Answer 209

are designed to provide instruction to individuals on how they should handle security-related situations that arise (not technical mechanisms) 1) policies, standards, procedures, and guidelines: step -by-step guidance on achieving a goal 2) change management

Answer 210

operational directive preventive

Answer 211

preventive technical control

Answer 212

physical technical control

Answer 213

viewable using WINDOWS EVENT VIEWER 1) Security log // functions as a security, an audit and an access log 2) System log 3) Application log

Answer 214

on routers, fws, web servers, network IDS/IPSs logging all traffic // logging all traffic that the device blocks // or both

Answer 215

Copy on Write

Answer 216

Time-of-Use type of race condition that occurs when an attacker can change the state of a system resource between the time it is checked and the time it is used

Answer 217

Time-of-Check

Answer 218

Time-of-Evaluation type of race condition that involves the manipulation of data or resources during the time window when a system is making a decision or evaluation

Answer 219

mutually exclusive flag that acts as a gatekeeper to a section of code so that only one thread can be processed at a time

Answer 220

occurs when two or more processes are unable to proceed because each is waiting for the other to release a resource

Answer 221

software vulnerability where the outcome depends on the timing of events not matching the developer's intended order

Answer 222

TOC --> Time-of-Check TOU --> Time-of-Use TOE --> Target\time-of-Evaluation

Answer 223

users can use locks and mutexes to lock resources while a process is being run

Answer 224

- unauthorized access - data breaches - system disruptions

Answer 225

unauthorized access data theft malware infections denial of service attacks social engineering

Answer 226

1) hardening the system 2) patching 3) enforcing baseline configurations 4) decommissioning old and insecure assets 4) creating isolation of segmentation for devices

Answer 227

- bluesnarfing - bluejacking - bluebugging - bluesmark - blueborne

Answer 228

side loading jailbreaking insecure connection methods (wifi & bluetooth)

Answer 229

1) patch management 2) mobile device mgmt solutions 3) preventing sideloading and rooting of devices

Answer 230

1) unpatched systems 2) zero-day Vulnerabilities 3) misconfigurations 4) data exfiltration 5) malicious updates

Answer 231

1) patching 2) encryption of data 3) utilizing host-based firewalls 4) configuring access controls and permissions 5) configuration management 6) installing endpoint protection 7) implementing Host-Based IPS 8) Requiring the Use of Application Allow Lists

Answer 232

Security vulnerability that targets web applications that process XML data (extensible markup language) ======================== to protect your server when it receives XML data: Input Validation Input Sanitization Encryption (TLS) *************************** otherwise it is vulnerable to snooping spoofing request forgery injection of arbitrary code

Answer 233

web security vulnerability where malicious scripts are injected into web pages viewed by other users / to compromise the site's visitors it gets you to run some kind of a malicious script that bypasses normal security mechanisms

Answer 234

Web security exploit that focuses on an attacker who attempts to trick a user

Answer 235

sw vulnerability that occurs when a program writes more data to a memory buffer that it can hold ======================== occurs when data exceeds allocated memory, potentially enabling unauthorized access or code execution ========================== buffer owerflow attacks in IT are being used as the initial vector!!, causing 85% of data breaches

Answer 236

sw vulnerability that occurs when multiple processes or threads in a concurrent system access shared resources or data simultaneously - this can lead to unpredictable outcomes

Answer 237

specialized form of software stored on hardware device, like a router or a smart thermostat, that provides low-level control for the device's specific hardware

Answer 238

occurs when an attacker impersonates a device to trick a user into connecting

Answer 239

exploits Bluetooth protocol vulnerabilities to intercept and alter communications between devices without either party being aware

Answer 240

an attacker sends unsolicited messages often as a prank or to test the vulnerabilities

Answer 241

unauthorized to steal contacts call logs text messages

Answer 242

make calls send text messages access the internet

Answer 243

denial of service, causes device to crash or become unresponsible

Answer 244

infects the device over the air without any intervention from the user

Answer 245

1) turned off when not in use 2) device set to NON DISCOVERABLE mode by default 3) regularly updating to the latest fw to address any known vulnerability 4) only pairing with known and trusted devices 5) always using unique PINs or passkeys 6) being cautious of unsolicited connection requests 7) using encryption for sensitive data transfers

Answer 246

Insecure Pairing Device Spoofing On-Path Attacks

Answer 247

Sideloading Jailbreaking and Rooting Insecure connection methods

Answer 248

the practice of installing applications on a device from unofficial sources which actually bypasses the device's default app store

Answer 249

process that gives users escalated privileges on the devices and allows users to circumvent the built-in security measures provided by the devices --> usually done for the purposes of customization

Answer 250

- avoid open Wi-Fi and unknown Bluetooth pairings for security (use your own data cellular connection) - long, strong, and complex password - 802.1x authentication methods

Answer 251

Mobile Device Management Solution used to conduct patching of the devices by pushing any necessary updates to the devices to ensure that they are always equipped with the latest security patches + standardized configuration

Answer 252

Structured Query Language Select, Insert, Delete, Update ======================= the attacker enters the injection parameter: by entering data modifying cookies changing POST data Using HTTP headers ========================= how to prevent it: 1) input validation 2) use a web application firewall (between the client and the web server)

Answer 253

XML encodes entities that expand to exponential sites, consuming memory on the host and potentially crashing it

Answer 254

An attack that embeds a request for a local resource

Answer 255

that is going to be an XML question

Answer 256

1) Attacker identifies an input validation vulnerability within a trusted website 2) Attacker crafts a URL to perform code injection against the trusted website (and spread the link via email, post etc) 3) The trusted site returns a page containing the malicious code injected 4) Malicious code runs in the client's browser with permission level as the trusted site

Answer 257

1) defacing the trusted website 2) stealing the user's data 3) intercepting data or communications 4) installing malware on client's system

Answer 258

This type of attack only occurs when it's launched and happens once

Answer 259

Allows an attacker to insert code into the backend database used by that trusted website

Answer 260

Exploits the client's web browser using client-side scripts to modify the content and layout of the web page ========================== DOM XSS runs with the logged in user's privileges of the local system

Answer 261

its a DOM based xross site scripting

Answer 262

enables web applications to uniquely identify a user across several different actions and requests by server-side tracking by cookie tracking

Answer 263

- persistent - non-persistent (session)

Answer 264

resides in memory and is used for a very short period of time (deleted afterwards)

Answer 265

stored in the browser cache until either deleted by a user or expired

Answer 266

type of spoofing attack where the attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host IP

Answer 267

type of spoofing attack where the attacker attempts to predict the session token in order to hijack the session --> session tokens need to be generated using a non-predictable algorithm

Answer 268

Malicious script is used to exploit a session started on another site within the same web browser

Answer 269

1) use user-specific tokens in all form submissions 2) add randomness and prompt for additional information (passwords - MFA) 3) Require users to enter their current password when changing their password

Answer 270

a temporary storage area where a program stores its data

Answer 271

a memory region where a program stores the return addresses from function calls

Answer 272

Occurs when an attacker can execute their malicious code by overwriting the return address (in the stack)

Answer 273

took a pic

Answer 274

ASLR Address Space Layout Randomization A security measure that randomizes memory addresses, making buffer overflow attacks harder for attackers

Answer 275

A fundamental operation in programming, and the vulnerabilities arise from unsafe or concurrent usage, particularly in scenarios involving race conditions

Answer 276

Popular 2016 exploit, showcasing a race condition exploitation

Answer 277

1) denial of service 2) amplified distributed denial of service 3) reflected distributed denial of service

Answer 278

1) DNS cache poisoning 2) DNS amplification attacks 3) DNS tunneling 4) Domain hijacking 5) DNS zone transfer attacks

Answer 279

1) account lockouts 2) concurrent session utilization 3) blocked content 4) impossible travel 5) resource consumption 6) resource inaccessibility 7) out of cycle logging 8) published documents that you have been hacked 9) missing log files

Answer 280

The Internet Control Message Protocol (ICMP) is a network layer protocol used by network devices to diagnose network communication issues. ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner. Is ICMP the same as ping? ICMP is one of the protocols of the TCP/IP suite. The ICMP echo request and the ICMP echo reply messages are commonly known as ping messages.

Answer 281

a) ping flood (ICMP echo - ICMP internet control message protocol) --> to prevent: many organisations are simply blocking ECHO replies and having firewalls dropping these requests / attackers gets a request timeout message b) SYN Flood / an attacker will initiate multiple TCP sessions but never complete the three-way handshake --> to prevent this from occurring 1) FLOOD GUARDS can be installed in the network (can be a feature in some routers & firewalls) 2) Timeout can be configured on those half open requests after a period of time (say 10, 15, 30 seconds) 3) IPS

Answer 282

ping flood (ICMP echo - ICMP internet control message protocol) --> to prevent: many organisations are simply blocking ECHO replies and having firewalls dropping these requests / attackers gets a request timeout message

Answer 283

an attacker will initiate multiple TCP sessions but never complete the three-way handshake --> to prevent this from occurring

Answer 284

1) FLOOD GUARDS can be installed in the network (can be a feature in some routers & firewalls) 2) Timeout can be configured on those half open requests after a period of time (say 10, 15, 30 seconds) 3) IPS

Answer 285

an attack which exploits a security flaw by reflashing a firmware, permanently breaking networking device

Answer 286

a large number of processes is created to use up a computer's available processing power (not a worm because - only inside the processor's cache on a single computer)

Answer 287

specialized DDoS that allows an attacker to initiate DNS request from a spoof IP address to flood a website

Answer 288

1) Blackholing/Sinkholing: attacking IP addresses are identified and its traffic routed to a non-existent server through a null interface - this will stop the attack / attackers can move to a new IP and restart the attack all over again / only a temporary solution 2) IPS / for smaller scale attacks as you need a lot of processing power to handle a big DDoS 3) ELASTIC CLOUD INFRASTRUCTURE / one of the most effective methods, where you can scale up when the demand increases, you can ride out a DDoS attack --> very expensive when you scale up specialized clouds providers that have taken to on this challenge to ride out DDoS attacks: CLOUDFLARE AKAMAI