Concepts Flashcards

Question

What is Crypto-Malware?

Answer 1

This is a malware designed to encrypt files on a system (without being authorized to do so). This renders the files unusable, sometimes permanently, and sometimes until a ransom is paid.

Answer 2

This is malware that helps attackers to mine cryptocurrency illegally.

Answer 3

This form of malware performs certain actions and extracts ransom from a user. Whenever money is demanded, then it is ransomware.

Answer 4

This is similar to viruses in that they try to penetrate computer systems and networks and then create a new copy of themselves on the penetrated system. Worms do not need to bind to another piece of code to reproduce. Worms are network-based problems. They can also travel without human interaction and can survive on their own.

Answer 5

It is a stand-alone program installed by an authorized user, yet it has hs malicious functionality.

Answer 6

This is a form of malware specifically designed to modify the operation of an operating system in some way to facilitate non-standard functionality. A rootkit can do everything an operating system can do, and has a lot of power to perform the malicious activity and avoid detection. Sometimes this is done by hiding files, affecting application performance, etc. Rootkits include firmware, library, virtual, kernel, and application layers.

Answer 7

A keylogger is a software that is designed to record all keystrokes typed by a user. Keyloggers turn into malware when the user is unaware of them and is not under the user's control.

Answer 8

This is software that supports itself through advertising. It appears free to the user, but is self-paid through paid commercials.

Answer 9

Spyware is software that "spies" on its users by recording and/or reporting their activities. This could include keylogging, recording how a user uses a program, browser history, etc.

Answer 10

A bot is a software program that acts under the control of another program. A bunch of these bots is called a botnet, which can be used for anything from bitcoin mining to distributed computing projects. Uses range from customer service to influential political opinions.

Answer 11

A RAT is a Remote Access Trojan, a set of tools designed to provide the ability to covert surveillance and or ability to gain unauthorized access to a target system. Or defined as a type of malware that controls a system through a remote work connection.

Answer 12

This is malware that sits idle for a period of time until they are activated. They can be triggered by an event or specific time or date.

Answer 13

It is a way into a system to gain access without using proper channels. It is usually a backdoor into a system.

Answer 14

These are indicators that a system has been compromised by authorized activity. The behavior of a system after it has been infected with malware provides forensic clues about the type of malware.

Answer 15

This is when a hacker has access to both plaintext and encrypted copies of a message, and this allows them to crack the encryption and decrypt other messages.

Answer 16

Since password and username authentication is everywhere, and because people have so many credentials to remember, they try not to complicate things. They reuse passwords and easy-to-find information (pet names, etc) to create passwords. Or they use common passwords, "abc123".

Answer 17

These are pre-computed lookup tables of hash values for a given password. The exam has a number of questions about the "fastest way" to crack a password. The answer is through Rainbow Tables as the hashes have already been provided. One can mitigate this by using salting, which adds a random set of characters to make a hash harder to guess or calculate.

Answer 18

These are like Rainbow Tables, will need a little more assembly. A dictionary will have many possible passwords, which can be then combined or modified to generate passwords for you to test. Kali's RockYou dictionary is an example, and these dictionaries can be used alongside tools like fcrackzip.

Answer 19

This is an attack where all the passwords of a list are tried.

Answer 20

These attacks exploit math problems in cryptographic methods, like hashes. In normal hashes, one input is to have one output. When hash values are duplicated or

Answer 21

These attacks capitalize on older versions of software with backward compatibility issues.

Answer 22

These attacks happen with a capture of a series of packets or communications and then a replay of those messages to achieve authentication.

Answer 23

This is where attackers exploit vulnerabilities to deny authorized users access to specific functions or an entire system.

Answer 24

These are Denial of Service attacks using multiple computers.

Answer 25

This is when an attacker themselves in the middle between two communication hosts. The attacker observes all traffic then can forward traffic to the intended recipient. This can also be utilized through session hijacking, where an attacker steals a cookie and uses it for false authentication.

Answer 26

This occurs when an input buffer is overwritten with more data than it can handle. As a result, user input spills into other parts of memory. this make it possible for attacker to crash programs and overwrite data. Also often allow for higher level of escalation.

Answer 27

In this vulnerability, an attacker can inject data to be interpreted or executed by an application for malicious purposes.

Answer 28

This is where an attacker is using a script in their input. If run immediately and not maintained is a non-persistent xss attack. If stored on the backend and then used against others later, it is called a persistent attack.

Answer 29

This is an attack when an end-user is used to perform actions on a web application in which the user is authenticated. This attack utilities a cookie that is sent between we applications.

Answer 30

This simply means starting an ordinary privilege level and reaching the root or administration level. This can be done by stealing the credentials or with the help of other attacks on processes running with elevated privileges.

Answer 31

When inquiries of the ARP table are received, the ARP table does not normally include verification. In this type of attack, an attacker can quickly provide false data in response. This is called ARP poisoning and results in a bad address of the malicious address.

Answer 32

This refers to the use of a protocol in such a way that it applifies results by using multiple machines.

Answer 33

DNS poisoning or spoofing is where a DNS record is changed. This results in incorrectly diverted traffic.

Answer 34

Domain hijacking is simply the unauthorized act of changing the registration of a domain name.

Answer 35

This is similar to Man in the middle. MitB attacks involve malware that modifies the behavior of the browser through helpers or extensions.

Answer 36

A zero day vulnerability is which there is no prior knowledge beyond the Hacker or vendor.

Answer 37

Replay attacks occur when an attacker detects a communication between two parties and replays it at a later time. This could cause a 2nd authentication not intended. The best ways to fight these are encryption and timestamps.

Answer 38

This is when an attacker captures the hash value, which allows them to be able to authenticate connection without actually knowing the password.

Answer 39

Where elements of the website cause the user to click something that isn't wanted. A real-life example, someone subscribes to a service through a clickjacking and then needs to make a lot of phone calls to fix everything.

Answer 40

Also called TCP/IP hijacking, where an attacker takes control of an existing session between a client and a server. Since the user is already authenticated, the attacker can continue with all privileges after the attack is complete. They could also use a DoS attack against the original client to keep them busy.

Answer 41

URL hijacking is a class of attacks that manipulate or alter a URL. This could include typos or misleading the user into thinking that they are clicking the correct URL. This could also involve malware. The typo squat is where attackers take advantage of common typos. Political candidates face this threat all the time.

Answer 42

This isvan attack that changes drivers and therefore driver's behavior. This is done by shimming, which is inserting another level of code between the driver and the operating system. This is a way developers facilitate future enhancements, but it also opens Backdoor.

Answer 43

Phishing refers to making it appear that a request is coming from a different than it really is. Typically this means impersonating a known or trusted source.

Answer 44

This refers to changing a MAC address to bypass security checks looking for a specific MAC address.

Answer 45

Changing the "from" field when sending IP packets.

Answer 46

When an attacker sends a spoofed packet to a broadcast address on a network, that packet will be distributed to all users on the network. Typically this means that other devices will send an echo reply to the request. The (spoofed) sender of the original echo-request packet now receives many responses.

Answer 47

One can spoof a package from one system to another system that already trusts the source. When system admins should configure firewalls to not allow packets from outside the network masquerading as packets from inside the network.

Answer 48

The TCP three-way handshake generates two sequence numbers. These numbers are required for future communication. So if you are off the network, it is more difficult to see (and therefore spoof) packet sequence numbers.

Answer 49

These are attacks where traffic is recorded between the endpoints and the wireless access point. Once recorded, the messages can be replayed to authenticate, perform a transaction, etc.

Answer 50

Initialization vectors are used in wireless systems as a "scrambling element" at the beginning of connections. Therefore, these attacks are attempts to find the IV and use it to undermine the encryption. The IV is sent in clear text and is only 24 bits long, which means it likely repeats every few hours.

Answer 51

This attack uses replacement hardware. Devices connect to access points that are the "best" connection options, and inadvertently get attached to evin twins.

Answer 52

This is similar to an evil twin. An attacker can use an unauthorized access point to persuade users to login, enter credentials, etc.

Answer 53

This refers to the blocking of wireless or radio signals and the denial of service. It is illegal, so don't do it.

Answer 54

WPS = Wi-Fi Protected Service This is a wireless security standard designed for easy Wi-Fi setup. Unfortuntely, the PIN used is susceptible to brute force attacks.

Answer 55

A bluetooth-related attack, which involves the unuthorized sending of messages to a Bluetooth-enabled device.

Answer 56

Bluesnarfing is a bluetooth-related attack that involved information theft.

Answer 57

This is radio frequency identification. RFID tags can be passive or active. Active tags have their own power source, while passive tags are powered by Radio Frequency fields. RFIDs are increasingly used for authentication, building access, etc.

Answer 58

NFC = Near Field Communication. It is a wireless protocol that allows devices to talk in a very short range (about 4 inches). This is increasingly popular in mobile payment systems (touch to pay).

Answer 59

These are attacks which disassociate or disconnect a device from the network. The Wi-Fi framework includes a "de-authorization" frame that could be sent to a device to remove it from a network. This can lead to a denial of service attack for which attackers can listen to reconnection messages and try to steal a password

Answer 60

This refers to the blocking of wireless or radio signals and the denial of service. This happens a lot in the military.

Answer 61

This is a wireless security standard designed for easy Wi-Fi setup. Unfortunately, the pin it uses is susceptible to brute force attacks.

Answer 62

This involves the unauthorized sending of messages to a Bluetooth enabled device.

Answer 63

This is a Bluetooth related attack that involves informational theft (rather than sending unwanted information).

Answer 64

Radio frequency ID tags can be active or passive and are used for authentication purposes.

Answer 65

This is Near Field Communication, a wireless protocol that allows devices to talk in very short range (about 4 inches).

Answer 66

Dissolution attacks mean disconnecting (or disassociating) a device from the network, and may include the "de-authentication" frame.

Answer 67

These are errors that occur when "the output of a function depends on the sequence or timing on the inputs." If the inputs do not occur in order or are scheduled, errors occur. There are ways to work around this with locks etc. Race conditions can be used to lock down a program or system.

Answer 68

End of Life refers to a system that no longer works as expected. Many vulnerabilities detected after after the end of life cycle bevause there is often no support for fixes or patches.

Answer 69

This is when there is no support available if a firm keeps using software after the end of its life, or is used in a way not covered, and they are responsible for all risks.

Answer 70

These are vulnerabilities that occur when a system is running inside another system and often do not receive normal system updates.

Answer 71

Avoid sharing debugging information with the outside world. Capture info to a protected log file, not the console.

Answer 72

These create overflow problems, XSS, XRSF, cross-paths, injection problems and more.

Answer 73

This is a factory user name and password that often leaves default credentials, which are easy to crack.

Answer 74

Any type of configuration that weakens the security posture of an organization or its systems.

Answer 75

These users just break their computers, often bypassing controls or unsafe behavior.

Answer 76

It is when a software program consumes all the resources available on a system.

Answer 77

This falls into social engineering, it is when hackers can exploit vulnerable business practices like HR not consulting with IT, or not verifying purchase orders before sending a check.

Answer 78

When an administrator accidentally makes configuration errors, or when user accounts have "too much" access.

Answer 79

When users try to launch implementation software or poor implementation of a known cryptographic algorithm.

Answer 80

It is when the user is asked to enter input but the programmer does not verify or limit the length of input, a buffer overflow may occur, this means that other areas of memory will be overwritten.

Answer 81

DDoS = distributed denial of service attacks Using multiple systems to take down a target.

Answer 82

When the computer software where does not manage the memory usage properly.

Answer 83

This is an input valudation attack that takes advantage of programs that don't validate the length of inputs. This is both from programming errors and weaknesses of programming languages.

Answer 84

Refers to an integer that "rolls over" once the maximum value is reached. Depending on the integer, it can pass to "0" or to a negative number, which can cause logic errors.

Answer 85

This is like an "index" of variables. When de-referencing, we lose the index of where information is, often resulting in program crashes as information becomes misplaced or over-written.

Answer 86

Adding a DLL (digital link library / somrtimes executible) to the program at run-time. The DLL either has a vulnerability to exploit or is maliscious.

Answer 87

This is the expansion of systems over time where growth exceeds understanding and documentation. Note, the foundation of a comprehensife security program is understanding al of the resources available and how they are connected.

Answer 88

Structural weaknesses translate into vulnerabilities and increased risk from a systematic way. I.e. a non-segmented network allowing users to travel throughout it with ease.

Answer 89

When certificate or key mismangement exists, aka by not managing these keys effectively, they can be stolrn or lost.

Answer 90

It is a new or not yet patched vulnerability. There often is no patch created yet.

Answer 91

It is a simulated attack on a system by a hypothetical "malicious outsider". It is meant to help identify vulnerabilities of a system.

Answer 92

Gathering information about a topic without sending traffic to a target, like using search engines. These also use passive tools like wireshark or tripwire.

Answer 93

Gathering information aboit a target by actively engaging or interacting directly with a target. Nmap is an active tool and can be detected by the defender.

Answer 94

It is where an attacker gains access to a system and then uses that system to attack or scan other systems within that network.

Answer 95

After reconaissance, it is simply demonstrating that a vulnerability is actually present and exploitable, but not "developing" the vulneranility.

Answer 96

To try harder.

Answer 97

Moving from a normal and assigned user account (and priviledges) to higher levels. This is done by exploiting vulnerabilies or stealing credentials.

Answer 98

It is the penetration tester using predefined information delivered by an organization to test more complex features of a system.

Answer 99

To simulate an attack and test the software within the network without prior knowledge of internal data or infrastructure knowldge. Many times, developers find new problems because they are not evaluating by a predefined set of rules.

Answer 100

A mix of white and black box testing. An evaluator may have some information about a system but that information is incorrect.

Answer 101

Scanning a system for vulnerabilities. It is the process of scanning sysyems for holes, weaknesses, and problems. The goal is to find the weaknesses before the attackers.

Answer 102

Existing, not zero-day.

Answer 103

These are often found during vulnerability scanning, like weak passwords or default credentials being used.

Answer 104

With intrusive, it meand that data can be changed. With non-intrusive it means that data within the system is not changed. It is often the choice of the customer.

Answer 105

Credentialed scans mean attacker receives the credentials ahead of time.

Answer 106

When a scan turns up a vulnerability that doesn't actually exist,or not reporting one that does exist, callrd a false negative.

Answer 107

They provide the means for users to access web pages or other data and are therefore subject to attack.

Answer 108

These are the interfaces to the applications used to perform tasks or the physical hardware.

Answer 109

These are three servers that run messaging platforms, email servers, database servers, and more.

Answer 110

These are switches, routers, hubs, firewalls, and other special devices.

Answer 111

Is a security principle that uses several different security features to increase the level of security.

Answer 112

This means having more suppliers.

Answer 113

It is multi-layered security in administrative and technical controls or policies to guide user actions

Answer 114

These controls are those that operate in the system through technical intervention like passwords, logical access control, AV, firewalls, IPS / IDS, etc.

Answer 115

They allow layers of defense in an organization, and the innermost layers have maximum protection.

Answer 116

It is a semi-secure area that is protected from the rest of the internet by an external firewall, and the trusted area by an internal firewall. This zone can gace web servers, remote access servers, and external email servers.

Answer 117

An externsion of a selected part of a corporate intranet to external partners. It involves both privacy and security.

Answer 118

A network that exsists entirely within the trusted zone of a network. This signifies that it is under the security control of the system administrators. If intranet users need to access external information, a proxy server must be used to mask the location of the requester.

Answer 119

The transmission of data over radio waves rather tgan physical cables. These networks can be concentrated and radial (a primary access point and wireless clients connecting to this AP) or a mesh network.

Answer 120

It is a "fake" network, designed to look like the real one and thus attract attackers.

Answer 121

It is a network segment that is isolated from the rest of the systems that guests should never have access to.

Answer 122

Network Address Translation is used to translate private, non-routable IP addresses into public, routable IP addresses. It can be to compensate for the lack of available IP address spaces. Not all systems require all IP addresses to be routable. It is best if your organization's topology is hidden from outsiders.

Answer 123

Port Address Translation. Allows internal private addresses to share a single external IP address.

Answer 124

Is a mesh topology in which systems can send packets to each other without a central router or switch. It is an easy and cheap direct method of communication yet it is more difficult to manage traffic and security statistics.

Answer 125

Sections of a network that are logically isolated from the rest of the network. Four ways of segmentation include physical and logical segmentation, virtualization, and air gap.

Answer 126

Uses seperate physical equipment for each type of traffic. Switches, routers, and cables are separate and more $$$.

Answer 127

Completed by using a VLAN, (virtual implementation of a LAN).

Answer 128

A collection of devices with similar communication needs and functions that work with a single switch.

Answer 129

Provides logical isolation of the server while allowing physical co-location.

Answer 130

When there is no data path between two networks that are not connected in any way except by physical air gap. This can ve broken when someone uses a USB or other medium to transfer info out.

Answer 131

These acquire data can can be network- or host-based.

Answer 132

Essentially hubs for multiple sensors. Collected data often goes to other systems.

Answer 133

These systems take collected data and compare it to known models. When traffic is routed "around" the sensors, then the engine won't see it.

Answer 134

These examine packets on a network interface and filter them based on source/destination, ports, protocols, and more. These filters must be placed inline with sensors.

Answer 135

These are servers that act a as bridge between clients and other systems. For this to work, the proxy must be in the natural flow of traffic.

Answer 136

These are devices that determine whether or not traffic can pass through according to a set of rules. They need to be inline with the traffic they are regulating and are typically placed between network segments.

Answer 137

These accept multiple VPN connections and terminate them at a single network point. Wherever this termination occurs, it is best to be on a network segment that allows all users to connect directly.

Answer 138

These help SSL / TLS encryption at scale. They must be placed between servers and the requestors for a server.

Answer 139

These help distribute incoming traffic across multiple servers. The load balancer must reside between the server that provides that service and the requestors for a server.

Answer 140

This helps protect against DDoS attacks, so it must be outside the area it is protecting. It would be the first device to find a packet on its way from the internet over a network (assuming the device was present).

Answer 141

These provide connectivity for many other switches. This is a many-to-one connection. In must be older than the "many" devices.

Answer 142

It is a way to copy traffic running in a port. The can be a problem if the traffic is very heavy.

Answer 143

This is an abstraction of the operating system layer so that multiple operating systems can be hosted on a single piece of hardware. These are low-level program that allow multiple operating systems to run simultaneously on a single host.

Answer 144

This hyper visor is running directly on the hardware. It is called native or embedded hypervisor.

Answer 145

This hypervisor runs on a host operating system and is common for consumers, like VMware.

Answer 146

These are virtual environments where parts of an operating system is separate from the kernel. This allows multiple instances of an application simultaneously. These are like virtual machines, but are for applications.

Answer 147

The is when an attacker or malware can escape or move from one virtual machine to another machine using an underlying operating system.

Answer 148

This is storage over a network. It enables better performance, availability, reliability, scalability, and flexibility.

Answer 149

Software as a service. This allows providers to deliver software to end users from the cloud rather than having users download software allowing simple updates and integration.

Answer 150

Platform as a service, as offering an IT platform in the cloud. Good for scalable applications, it could work for something like a database service.

Answer 151

Infrastructure as a service. Claud-based systems that allow organizations to pay for scalable IT infrastructure instead of building their own data centers.

Answer 152

Resources for your organization only. It is more expensive although it has less risk of exposure.

Answer 153

The is when a cloud service is provided on a system that is open to public use. It has the least amount of security checks.

Answer 154

This is when multiple organizations share a cloud environment for a specific, shared purpose.

Answer 155

This is a mix of community, private, and public environments that are often segregated to protect confidential and private data from public or community use.

Answer 156

Virtual Desktop Infrastructure. This allows someone to use any machine to access information hosted on the cloud.

Answer 157

Cloud Access Security Broker. This is a service that enforces security policies between your cloud service and your clients. This lets customers know they are using a cloud service securely.

Answer 158

No acronym. This is the outsourcing of security functions. It is a third-party vendor offering a wide range of security specialties. This allows scalability without the infrastructure.

Answer 159

It is a linear process where once one phase is completed another phase starts. It tends to break easily.

Answer 160

This process focuses on small and quick increases in functionality. The two subcategories are scrum and XP. Scrum is process-based while XP focuses on "user stories". Each adds functionality to a product iteratively.

Answer 161

A buzzword that refers to the combination of development and operations. This often takes care of large-scale systems. Automating tasks, allows us to focus on the most important and urgent items. I.e. Routine security processes can be automated.

Answer 162

This occurs when one continuously updates and improves a production code base, and is mixed with automated testing and development in the mix. I.e. Making a routine and incremental changes can help with safety. Well-documented changes allow tracing for any sort of problem.

Answer 163

It is a process of defining metrics, measuring success against them, and then taking future snapshots of system health. And rinsing and repeating.

Answer 164

Systems that once implemented are never modified. If there are problems or an update is needed, a completely new system replaces the older one. This can simplify difference and tracking issues.

Answer 165

The use of code to build systems programmatically rather than with manual configuration. This helps maintain settings and configurations and simplifies things as systems get larger and more complex.

Answer 166

Thus tracks the versions of a product that is being worked on during any stage like development, staging, or production.

Answer 167

This is the way an organizations manages the versions currently in use and also manages changes as they are released.

Answer 168

The process by which you assign privileges and permissions to a user.

Answer 169

Reverse revocation of permissions.

Answer 170

It is when errors when an attacker forces errors into an exception-handling state, these errors are caught and handled in a compilation routine and then safely reported in a log file.

Answer 171

By validating user inputs we help mitigate attacks like buffer overflows, XSS, XSRF, path traversal, and more. If the input does not make sense with the rules, it is probably a standardized request.

Answer 172

This is the process of taking the lead and creating the simplest form of the string before continuing.

Answer 173

These are pre-compiled methods for use in databases. This helps prevent users from trying to run SQL injections because the procedures for storing entry data is standardized.

Answer 174

This is applying a digital signature to a code. It has two purposes. 1) It provides end users with a means to verify the integrity of code, and 2) it provides evidence of the origin of the software.

Answer 175

Purposely not exposing more information versus necessary and hiding information purposely from attackers.

Answer 176

This is the process of re-using code that is checked and discarding code that no longer has a purpose. Dead code still can be run, but the results are not utilized anywhere.

Answer 177

Server-side validation is the most secure when it is performed on the server. Endpoints or clients can be easily compromised prior to validation.

Answer 178

This is a set of actions used to control and coordinate the memory of a computer. This includes freeing up memory after use. If not done properly, we can get a memory leak (vulnerability).

Answer 179

These are controlled libraries to reuse code.

Answer 180

This is losing control of the data.

Answer 181

Code should be reviewed before going into production to find bugs and weaknesses before an attacker does.

Answer 182

This is the process by which code is inspected. It can be done dynamically (while executing code) or statically (without executing code).

Answer 183

This is done using automated tools. Any system including the unit, subsystem, system, and full application level is a candidate for static testing.

Answer 184

Performed by running code on the target system or in an emulator.

Answer 185

It is an isolated environment that allows administrators to run untrusted or unverified code.

Answer 186

Code testing is verifying that code meets functional requirements. Validation checks if the program specifications capture the customer's requirements. Verification checks whether the software meets the specifications of the model.

Answer 187

It is code written in a language and then transformed into a compiler into executable code. This means that it can be optimized and run faster at runtime.

Answer 188

This is when code is compiled at run time. This is slower because the interpreter handles the transformation on the fly, but it also is more flexible when changes are needed

Answer 189

This refers to all security functions used to prevent unauthorized access to a computer system or network. Access is the ability of a subject (process, user, etc) to interact with an object (file, data, etc). access controls determine what a user can do or cannot do, as long as they are already authenticated.

Answer 190

An array, but this becomes cumbersome for larger organizations. Larger firms use Access Control Lists (ALCs).

Answer 191

Mandatory Access Control. This is used in environments with different levels of security classification. This is a method of restricting access to objects based on the sensitivity (represented by a tag) of the information contained as objects and a form of authorization of subjects to access information of that sensitivity. MAC uses least privilege or "need to know".

Answer 192

Discretionary Access Control. This is a way to restict access to objects based on the identity of the subjects and/or groups to which they belong. Controls are discretional in the sense that a subject with certain access permission can pass that permission (sometimes indirectly) to another subject. DAC uses ACLs.

Answer 193

Attribute-based access control. This is like role-based access control, and also allows Boolean Logic. Attributes can be attributed to users, environmental, and objects.

Answer 194

Role-based access control. This grants or restricts permissions based on a user's role. or Rules-based access control. Uses ACL to determine if access should be granted. Follows logic-based rules.

Answer 195

This is the process of enforcing and defining who has physical access to a system.

Answer 196

These are electronic cards that allow entry through electronic gates. Sometimes these are used with pins.

Answer 197

Same as an electronic card or proximity card, usually associated with pin numbers.

Answer 198

Items used for security utilizing body parts like eyes, fingerprints and handscans.

Answer 199

False Rejection Rate This is the rate at which false rejections happen.

Answer 200

False Acceptance Rate Falsely accrptince people or users that should not be accepted.

Answer 201

These are also security devices that include something you "have" and are often utilized along with two-factor authentication.

Answer 202

It is a means of proving identity by showing a certificate, like a smartcard or a digital certificate.

Answer 203

It is a set of processes and mechanisms involved to prevent unauthorized access or or alterattion of file systems. The file system must be able to differentiate access at the user level. First you would need an access control level and yhen need to set read/write/execute permissions.

Answer 204

Same security conceprs, just for databases, with user access levels and defined or associated permissions.

Answer 205

These systems quickly return to normal after some kind of outage.

Answer 206

It is the methods and tools used to perform tasks that would otherwise be performed manually by humans, thus improving efficiency and precision, and reducing risks.

Answer 207

Security Content Automation Protocol. This are standards and protocols related to automation for vulnerability management.

Answer 208

Describes a system in which monitoring is embedded rather than being an external event or action.

Answer 209

This is validation of the configuration of a system against security standards.

Answer 210

These are master recipes that aee used to create servers, programs, systems, and more. They allow "fast and error-free creation of configurations, connecting services, testing, deployment, and more." Templates are based on master images of a system and also provide clean backups of operating systems and applications. This does not apply to data.

Answer 211

A system that doesn't need a backup, because changes to systems are not permament, so when a user logs off, all new files are removed.

Answer 212

A pre-defined full patched image of a given system.

Answer 213

These are "instant save points" in time. Usually used for virtual machines. They are a form of backup that allows an administrator to restore a system to an earliee point in time.

Answer 214

Reverting to a previous good configuration of a system.

Answer 215

Storing a virtual machine or operating system on an external device. It is called a live boot because it contains a complete boot system. This is useful for task specific operations like forensics, incident response and more.

Answer 216

It is the ability to dynamically increase the workload capacity of a system by using on demand hardware resources to increase scalability.

Answer 217

It is a desgn element that enables a system to scale to larger workloads

Answer 218

The transparent allocation of requests through a variety of resources. This directly addresses the issue of security availability for a given system.

Answer 219

This is the use of multiple independent elements to perform a critical function so that if one component fails, then another can take its place.

Answer 220

It is a measure of a system's ability to provide uninterrupted access to data and services, even in the event of failure or interruption. Fault tolerance is a design goal to achieve high availability.

Answer 221

Redundant Array of Independent Disks. This is a way to take data that is normally stored in one location and storing it across multiple disks. Options = RAID 0 to 5, RAID 6, RAID 10.

Answer 222

Computer systems that have a specific purpose and exist within a larger mechanical and/or electrical system.

Answer 223

Supervisory Control and Data Acquisition. Systems designed to control automated systems in cyber-physical environments. Aka Industrial Control Systems (ICS)?

Answer 224

Internet of things. Anything that has a microcontroller connected to the web so that it can controlled remotely. Devicrs usually have a network interface and a computing platform. From a security standpoint, they are not secure.

Answer 225

Devices we can wear like Fitbits or trackers. These run RTOS Linux systems usually.

Answer 226

Systems on a Chip. A complete miniaturized computer system on a single integrated circuit. Designed to provide full functionality of a computibg platform on a single chip, including graphical and network display functions. Popular in mobile computing environments.

Answer 227

Real time operating systems. Designed for systems where processing must occur in real-time and data cannot be quered or buffered for a significant period of time. In general, most general purpose operating systems are multitasking by design.

Answer 228

These are small implantable devices or instruments for measuring vital signs.

Answer 229

Cars have embedded systems on their motherboards. These control things such as brakes, air bags, and more

Answer 230

Unmanned aerial vehicles. These devices srrughle wuth software updates due to he highly regulated, and they pose a security risk because they need to controlled through remote network access.

Answer 231

It is a physical and logical seperation of a network from all other networks.

Answer 232

It prevents tailgating by having two doors in a space that you can't keep open at the same time. Both doors require an access card or token.

Answer 233

It is looking over the schoulder of anotger to see their screen.

Answer 234

They are a means of protection against electromagnetic interference.

Answer 235

It is the science of hiding (encrypting) information.

Answer 236

The process of analyzing cipher-text and other information in an attempt to translate the ciphertext into plain text.

Answer 237

This is when both the sender and receiver have the same key. Although sending the key safely can present problems.

Answer 238

Twofish, 3DES, AES, Blowfish, RC4

Answer 239

It is where the sender and receiver each have a private key which they keep to themselves, and have a public key which they can share. Each key is mathematically related to each other. Keys are often distributed through certificates.

Answer 240

This is an algorythm where the sender and receiver openly choose a point on the curve and tgen individually derive the keys from that point. Ideal for lower-power phones.

Answer 241

It is a special mathematical function that performs one-way encryption. It is easy to do, but nearly impossible to reverse engineer.

Answer 242

They are vulnerable to collision attacks, which means the attacker encounters two different messages that have the same value; this means integrity is lost; it can't be proven that they started with correct/original value.

Answer 243

MD2, MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512

Answer 244

It is the addition of high entropy data aka random characters to make it more difficult for attcker to determine origjnal data.

Answer 245

Initialization vectors, used to help achieve randomness with deterministic inputs.

Answer 246

To protect the integrity and confidentiality of data

Answer 247

It is a cryptographic implementation intended to prove the authenticity and identity of a specific message. It uses public key kryptography.

Answer 248

The principal that statistical analysis of plaintext and ciphertext are related; a change in one character in plain text = multiple changes in ciphertext.

Answer 249

The principal that one character change in plain text must correspond to multiple changes in the ciphertext.

Answer 250

When each character in the ciphertext must depend on different parts of the key; this has to do with the randomness of an output.

Answer 251

This is when two different inputs have the same outputs.

Answer 252

The science of hiding data within other data. Often times this is hiding information in a picture.

Answer 253

This masks an item so it is unreadable, but still usable.

Answer 254

As blocks, meaning we can transpose data and replace operations. By transmission, we can send encryption through other media.

Answer 255

This is the strength of the key, which helps determine the strength of the crypto operation.

Answer 256

This is a symmetric key for encrypting messages during a communication session.

Answer 257

These are keys that are used only once after generation.

Answer 258

It is a key owned by a public key system in which a key derived from another key is not compromised, even if the original key is compromised in the future.

Answer 259

Using an algorithm where the attacker has to decode the algorithm and find the key.

Answer 260

Cryptographic Service Provider. A software library that implements cryptographic functions.

Answer 261

This is used to protect data in transit.

Answer 262

This is used for the protection of data at rest.

Answer 263

This refers to situations that have extreme low time limits, often requiring special cryptographic functions that can deliver results quickly.

Answer 264

The ability to resume normal operations after an external disruption.

Answer 265

Things like phones that also use ECC for calculations.

Answer 266

Protecting data from unauthorized reading.

Answer 267

When it is shown that data has not been tampered with.

Answer 268

Protecting something from casual observation.

Answer 269

It is a property that allows you to prove the identity of a party (user, hardware, etc).

Answer 270

The ability to verify that a message has been sent or received in such a way that the sender or recipient cannot contest the sending or receiving.

Answer 271

They are a defined set of rules that allow different components to have a "common language" for exchanging commands and data. This allows the development of interoperable devices.

Answer 272

These are protocols that have built-in security mechanisms.

Answer 273

It is Domain Name Service System Security Extensions. Extension of DNS tool, which enables origin authentication, denial of authenticated existence, and data integrity. Uses case: domain name resolution. Port 53

Answer 274

Domain Name Service Translates domain names to IP addresses Uses port 53

Answer 275

Secure Shell This is an encrypted, remote terminal connection program used to make remote connections to a server. Use case: remote server access Port 22

Answer 276

Single/Multipurpose Internet Mail Extensions. It is a standard for the transmission of binary data by email (attachments must be exchanged with the correct encoding). Attachments are sent in clear text so attackers can hear. It is a standard for public-key encryption and MIME data signals in emails. Use case = Email

Answer 277

Secure Real Time Transport Protocol. This is a network protocol used for the secure delivery of audio and video messages over IP networks. SRTP use UDP? SRTP is not a transport, it is simply the encryption of the RTP to secure it, hence the S before RTP. It provides encryption, authentication, and message integrity, as well as replay production. Use case=Voice and Video Streaming No port.

Answer 278

Lightweight Directory Access Protocol - Secure. It is the main protocol used to transmit directory information. Port used = 636

Answer 279

The implementation of FTP over an encrypted SSL / TLS channel. Use case = file transfer. Port = 989 and 990

Answer 280

This is FTP over SSH. Use case= file transfer Ports = 22

Answer 281

Simple Network Transfer Protocol. This is a standard for managing devices on IP-based networks. Versions 1 and 2 are cosnidered unsafe. Version 3 was developed to address these security vulnerabilities. Use cases = network data management; network address assignment. Ports = 161 and 162

Answer 282

Secure Sockets Layer. An application of cryptographic technology developed for transport layer protocols on the web. SSL has been superseded by TLS, but people still use the term. Use cases = protection of other protocols i.e. HTTP > HTTPS Ports = does not have standard ports, depending on the protocol being protected. I.e. 443 for HTTPS.

Answer 283

Hypertext Transfer Protocol. This is used to transmit HTTP traffic. HTTPS is protected by HTTP with SSL/TLS. Use case = web Ports = 443

Answer 284

Protocols for email servers. Refers to POP3 and IMAP over an SSL / TLS session Use cases = email. Portalns = 995 for Secure POP3 and 993 for Secure IMAP.

Answer 285

Network Time Protocol. This is the standard for time synchronization between servers. It has no security features, although you can use it in conjunction with a TLS tunnel.

Answer 286

It is an automatic insertion of random data into a computer program. It is used to find vulnerabilities of the people who developed the program and of the attackers.

Answer 287

Cross-Site Request Forgery (XSRF). The browser of the victim is compromised and transmits unauthorized commands to the website. The likelihood of this attack can be reduced by requesting tokens on web pages containing forms, special authentication techniques, scanning XML files, and sending cookies twice instead of once, verifying that both cookies sent match.

Answer 288

Ths is an attack where an attacker inserts malicious scripts in a web page with hopes of gaining accessing session cookies, elevated privileges, and other information stored by a user's web browser. This code is generally injected from a separate "attack site".It can also be manifested as an embedded Javascript image tag or HTML object.

Answer 289

This is the process of establishing the common minimum requirements of a company. It could be a group of computers or all the computers on a network. When a new computer joins the domain, the common minimum requirements are installed and applied automatically. The common baseline is to change default configurations, remove unwanted software, services, and games, and enable firewalls and other security features.

Answer 290

This is protecting an application by disabling unnecessary services, disabling unused accounts, removing unnecessary applications, and more.

Answer 291

Any softwre is inherently vulnerable. These are updates which typically address any known vulnerabilities.

Answer 292

1) develop the security policy. 2) Run the host software reference. 3) Configure security and operating system settings. 4) Distribute the configuration. 5) Implement patch management.

Answer 293

This is software that can scan a computer for infections, as well as monitor computer activity, and scan new documents that may contain a virus. The software contains a virus signature file for comparison with the software scanning tool.

Answer 294

This is a method of using filtering software to compare a list of blacklisted senders with the emails received.

Answer 295

A pop-up is a small web browser that appears on the website being viewed. Most pop-ups are created by advertisers and start as soon as a new website is visited. Pop-up blockers are often part of a package known as anti-spyware that helps prevent computers from being infected with different types of spyware.

Answer 296

There is a process of implementing software updates and patches from time to time. These updates typically address any known vulnerabilities. Therefore it is very crucial to apply these updates.

Answer 297

This runs as a program, on a local system to protect it from attacks.

Answer 298

This is physical security that involves protecting the hardware of the host system, especially portable computers, netbooks, and portable tablets that can be easily stolen.

Answer 299

This is the software that requires a password to unlock the screen and use the device.

Answer 300

This allows the owner of a device to send a remote wipe signal to the phone to remove all data from the phone.

Answer 301

This automatically locks your smartphone or mobile device when the user is away from it.

Answer 302

Utilization of encryption to prevent eavesdropping on conversations.

Answer 303

Global positioning system. This locates the device with the software implemented.

Answer 304

Passwords that consist of at least eight characters and various types of characters, such as uppercase, lowercase, numbers, and symbols.

Answer 305

It is a software or hardware item used to enforce network security policies on all network connections.

Answer 306

Network Address Translation. It is an IPv4 technique used to link privately to public IP addresses.

Answer 307

Using packet information, like destination and source ports, addresses, and protocols as items to filter against.

Answer 308

I:t is similar to network policy restrictions.

Answer 309

Access Control Lists. It is a list of users and their allowed actions.

Answer 310

These fire walls scan traffic and block or allow within application traffic.

Answer 311

These scan network activity, IP addresses, and ports.

Answer 312

These firewalls filter packets based on the individual packets themselves.

Answer 313

These filter packets based on the full context of a given network connection.

Answer 314

If traffic is not explicitly allowed, then it is denied.

Answer 315

This is a device that manages multiple VPN conversations on a network while keeping them isolated from each other. VPNs can be remote-access or site-to-site.

Answer 316

It is a set of protocols for the secure exchange of packets at the network layer (layer 3). IPsec is used in VPN to establish connections.

Answer 317

This means that the data, as well as the source and destination addresses are encrypted.

Answer 318

This is an established combination of algorithms, keys, and so on. An SA is a one-way coversation.

Answer 319

Authentication header. This is a type of header extension that ensures the integrity of the data and the authentication of the data source.

Answer 320

These are VPNs that do not route all traffic through the VPN. This is meant to avoid battlenecks.

Answer 321

When all traffic goes through a VPN.

Answer 322

Network Intrusion Protection System Network Intrusion Detection System. One system provides the scanning and another system provides the remediation.

Answer 323

This means that the intrusion detection system detects intrusions based on definitions of known signatures.

Answer 324

In-line IDS = it monitors the data as it flows through the device, which means it copies the data and examines it offline. In-band IDS means one examines data and takes action within the system.

Answer 325

Network traffic management devices are used to connect different network segments. Routers use access control lists to determine whether or not a packet should be permitted to enter a network.

Answer 326

Switches connect devices to each other by moving packets.

Answer 327

A proxie aka proxy server is a way of filtering traffic and can be used for security by intercepting a client's requests and forwarding them to the intended destination.

Answer 328

These devices divide traffic across multiple resources and help avoid overloading a server and increase fault tolerances. 1) Active-passive = a balancer where one system is balancing everything, with another system ready to intervene if there is a failure.. 2) Active-active = a balancer with a system where all balancers are active all the time.

Answer 329

WAP = the entry and exit point for wireless network signals to and from a network.

Answer 330

These are access points that include authentication, encryption, and channel management features.

Answer 331

They are event logs, firewall logs security, and applications logs, all in one place.

Answer 332

Events or behaviors that can be correlated basd on time, common events, and more.

Answer 333

This means that you can set up rules to alert you based on certain patterns. SIEMMS can also have automatic reactions.

Answer 334

This is mapping events in one time zone to another time zone.

Answer 335

Data Loss Prevention. Method to detect and prevent unauthorized data transfers within an organization. I.e. USB blocks.

Answer 336

Network Access Control. Cicso's management methodology. It enforces policies based on the network administrator and verifies policy settings, software updates, etc.

Answer 337

Network Access Protection Microsoft's management methodology. This measures the system integrity of connected machines. Metrics include operating system patch level, virus protection, and system policies.

Answer 338

These are machines that process email packets over a network. The also manage data loss, filter spam, and handle encryption.

Answer 339

These gateways filter spam by clacklisting spam sources by domain or IP address (or whitelist). They can filter by keywords as well. More sophisticated checks include delays, reverse DNS checks, or callback checks. Additionally, agents like Gmail can "learn" from their users as they flag messages as "spam".

Answer 340

These are layer2 devises and connect two separate network segments. This is good to know because segregation of traffic can keep confidential information more segregated.

Answer 341

These allow one to control traffic. They are effectively a man-in-the-middle attack and decrypt the information, review it, then re-crypt it and forward it back.

Answer 342

These are machines designed to handle various protocols, including translating from one protocol to another. Useful for organizations that use a lot of voice or video signals.

Answer 343

Hardware Security Modules. These are devices intended to manage or store cryptographic keys. They can also help with other hashing, encryption, or digital signing features.

Answer 344

Wired Equivalent Protocol. This uses as passcode to encrypt data during transmission, using an RC4 stream passcode. It has a length of 24 bits, regardless of the length of the key. This can cause the weakness of WEP, through key reuse. If an attacker waits long enough and acquires enough data, they can determine the key.

Answer 345

Wi-Fi Protected Access. This is WEP with the addition of Temporal Key Integrity Protocol (TKIP). TKIP combines the shared key with the MAC address of the card to create a new key, but WPA has no forward privacy protection, so without a VPN, if someone knows a shared key, they can listen in on traffic.

Answer 346

Temporal Key Integrity Protocol. Is a temporary measure to replace WEP without having to replace legacy hardware. This is no longer considered safe from hackers.

Answer 347

Wi-Fi Protected Access 2. It is also known as IEEE 802.11i. It uses AES block code as the encryption protocol.

Answer 348

(Encrypted Block) Chain Counter Mode [Protocol] - Message Authentication Code. It is like AES, but requires new hardware.

Answer 349

These are methods used by wireless networks to provide remote authentication services.

Answer 350

Extensible Authentication Protocol. This is a protocol for wireless networks that is baed on the authentication methods used in Point-to-Point Protocol.

Answer 351

Protected EAP. developed to secure EAP communication by encapsulating it with TLS.

Answer 352

Extensible Authentication Protocol - Flexible Authentication through Secure Tunnel. It uses the secure access credentials that are used to establish a TLS tunnel. This tunnel is then used to pass the client's credentials for verification.

Answer 353

Extensible Authentication Protocol with TLS. This means that the attacker must also have client-side certificate key to break the TLS channel.

Answer 354

The is TLS protocol with a EAP tunnel. This enables legacy authentication protocols such as PAP (Password Authentication Protocol).

Answer 355

An authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router.

Answer 356

This server determines which other RADIUS servers to send the user's credentials to, and from there, they will be authenticated and authorized to join the network.

Answer 357

Pre-Shared Key. If a key is not large enough, it can be easily forced open.

Answer 358

Wi-Fi Protected Setup. Designed to make wireless network setup easier for home users. Unfortunately an 8-digit pin is easy to access by brute force, so it is best to disable.

Answer 359

The management of applications allowed on devices and the necessary permissions included in the category of application management.

Answer 360

Control over what content is allowed or available on phones or within apps on phones.

Answer 361

Allows the ability to erase the data stored on a device and restore it to factory settings.

Answer 362

GPS and RFID technology can be used to create a virtual fence around certain areas. When the phone "knows" you are within that area, you can enable/disable the function, send alerts, and more.

Answer 363

Using the GPS to locate a phone and inform others.

Answer 364

This is a screen that prompts a passcode or PIN to use a device.

Answer 365

These are services that send information to a phone without the phone asking for it. Push notifications allow the transfer of external information to the device, thus creating some security implications.

Answer 366

The oil residue from our fingers give away past patterns.

Answer 367

The use of fingerprints, facets, etc as phone authentication.

Answer 368

Using contextual information such as who the user is, where the phone is, and how it is connected determines what actions or resources to follow.

Answer 369

Logical separation of memory within a phone.

Answer 370

This is the division of the phone memory into a series of containers. This can allow the separation of personal and business information.

Answer 371

Then is when the full device is encrypted.

Answer 372

This is bypassing the operating system checks; usually in Androids.

Answer 373

When a user increases the privilege level of itself to avoid normal checks of an operating system.

Answer 374

This is adding apps without using authorized app stores.

Answer 375

Changing the device firmware from its original configuration. This can cause security holes.

Answer 376

Breaking the connection on a mobile phone with a certain phone carrier.

Answer 377

When the GPS location is embedded in a file like a photo.

Answer 378

Bring Your Own Device. Benefits include minimizing costs to the organization and the ability for employees to have a single device. Disadvantages include limited corporate contol.

Answer 379

Choose Your Own Device. Benefits = Employees gert to choose their own device.

Answer 380

Company-owned, personally entrusted or licensed. The organization provides devices to employees who have chosen and paid.

Answer 381

The process of assigning a computer identification to a specific user, computer network, or computing process.

Answer 382

The process of verifying an identity that has already been established in a computer system.

Answer 383

The process of allocating resource usage by account for purpose of tracking resource usage. It is also very useful for forensics after a security incident has occurred.

Answer 384

1) Something You Are: refers to biometrics. 2) Something You Own: security tokens and other items that a user physically owns. 3) Something You Know: a password, PIN, or answers to "challenge" questions. 4) Something You Do: An action you perform in a unique way. 5) Somewhere You Are: Your locations, as determined by GPS and other locations.

Answer 385

Accounts that are used to run processes that do not require human intervention to start, complete, or manage. I.e. batch jobs.

Answer 386

These are usually administrator or root-level accounts.

Answer 387

The process of limiting a user's ability to interact with the computer system.

Answer 388

The idea is that privileges should be limited to what a user/application/process needs to perform its tasks and nothing else.

Answer 389

Adding or removing people to a project.

Answer 390

An administrator should periodically check that user accounts on a system are necessary, justified, and represent real people who are still employed.

Answer 391

It is a routine check of all the attributes of an account.

Answer 392

This is where the system restricts accounts to access or privileges during non-business hours. Location-based policies also restrict access or privileges.

Answer 393

This process is to determine if all users are still employed and/or require them to re-authenticate.

Answer 394

It s the set of processes, software, and services use to store, manage and record the use of user credentials.

Answer 395

Lightweight Directory Access Protocol Used to manage user authentication and authorization and to control access to Active Directory objects.

Answer 396

It is a network authentication protocol designed for client/server environments. It involves securely exchanging symmentric keys on an insecure network.

Answer 397

In a Windows network, NT LAN Manager is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager, an older Microsoft product. Aka Windows Challenge / Response This is a response protocol and encrypter challenge to authenticate a user. It is considered weak and outdated.

Answer 398

Terminal Access Controller Access Control System./ This is another client/service protocol operating on TCP, part 49, for identification, authorization, authentication, and accounting.

Answer 399

Challenge Handshake Authentication Protocol. This provides authentication for a peer-to-peer connection and a periodic request / response handshake.

Answer 400

Microsoft Challenge Handshake Authentication Protocol. Microsoft version of CHAP.

Answer 401

Password Authentication Protocol. A two-way handshake with established authentication. This tech is deprecated since the info is sent unencrypted.

Answer 402

Remote Authentication Dial-In User Service. Connectionless protocol using UDP, ports 1818 and 1813. Another protocol that handles authorization, authentication, and accounting. Supports authentication for PPP, PAP, CHAP, Unix login, and others.

Answer 403

Security Assertion Markup Language. A method of authentication and authorization for users in a way that allows single sign-on. Based on XML.

Answer 404

OpenID Connect handles authentication and is based on OAuth2.0 This is best solution for new web and mobile projects. With OpenID, a 3rd party handles authentication, so you don't have to sign up for other accounts. OAuth (open authentication) is a protocol that enables secure token-based authorization on the internet. Like OpenID, it is suitable for web, mobile devices, etc.

Answer 405

Another SSO service that enables identity-based federated authentication and authorization across networks. Built using SAML.

Answer 406

Protocols provide tokens to users. These secure token services are responsible for renewing, issuing, validating, and canceling these security tokens. Once a client is successfully authenticated, it sends the tokens along with each request to provide its identity to the server.

Answer 407

Public Key Infrastructure. All components of secure communication like software, hardware, applications, algorithms, users, policies, services, etc. These components properly facilitate public key cryptography like digital signatures, etc. All components are certificate-centric.

Answer 408

The digital framework that carries the public keys. The use of certificates allows people to communicate and know that the messages they receive really come from the alleged sender.

Answer 409

Registration Authorities. Authority body that provides certificates once identification is obtained.

Answer 410

Certification Authorities. The trusted authority certifies people's identity and creates electronic documents that indicate that people are who they say they are. The electronic document resulting is called a digital certificate and establishes an association between the identity of the subject and a public key.

Answer 411

These describe how identities are verified, how certificates are generated and managed, etc.

Answer 412

These CAs work in hierachical models and also work to transfer trust between different CAs.

Answer 413

If a private key is jeopardized, the corresponding certificate must be revoked, which the CA can do. CAs render a list of all revoked certificates in a certification revocation list (CRL).

Answer 414

Online Status Certificate Protocol. A request and response protocol that obtains the serial number of a validated certificate for a client and campares it to CRLs.

Answer 415

A temporary revocation of a certificate by a CA.

Answer 416

Certificate Signing Request. This is a request made to a CA that contains a public key and other information necessary to generate a certificate.

Answer 417

It is a digital document that links the identity of an individual to a public key. X.509 is the latest version.

Answer 418

1) Version number X.409 2) certificate holder aka "subject" 3) public key 4) The CA issuing the certificate aka "issuer" 5) Certificate serial number 6) Dates in which it is valid for its use aka "validity" 7) Approved for certified use 8) Signature algorithm 9) Extensions 10) private and public keys 11) private keys

Answer 419

Public Key Infrastructures must be online at least part of the time so that customers can consult them. For security reasons, many PKIs are taken offline and made available only when necessary

Answer 420

This describes the process of combining related items to reduce communication steps (like lean steps).

Answer 421

This is a reconstruction of systems, people, applications, protocols, technologies and policies that work together to provide a certain level of protection. For devices in two different trusted domains to communicate, their certificate authorities must form a trust relationship aka asking for a certificate to form a bond.

Answer 422

This is when trust models and certificates are intertwined to the end result of a root certificate, configured as a trust anchor through the client software.

Answer 423

This is where a CA is not subordinate to another CA, and there is no reliable anchor bwtween the CAs. Instead, the CAs certify the public key with each other. It is also called cross-certification and creates a two-way trust.

Answer 424

This is where hierarchical models can be linked via a cross-certification model or peer-to-peer. One other option is to have a bridge CA that handles cross-certification.

Answer 425

A system that allows a third party to keep your private key, as well as to store it on her hardware. This is common for law enforcement and corporations because it allows them to bypass encryption or when employees lose their private keys.

Answer 426

A linear "chain of trust" from one certificate to another, to another, and more.

Answer 427

1) End entity (host) Certificates 2) CA certificate 3) Cross-certification certifiacte 4) policy certificate

Answer 428

These certificates are issued by a CA to a specific subject like a user, website, firewall, etc.

Answer 429

This is a self-signed certificate (for a root CA), or it can be a signed by a higher CA.

Answer 430

It is a self-signed certificate (for a root CA) or it can be signed by a higher CA.

Answer 431

It is when independent CAs establish a peer-to-peer trust relationship.

Answer 432

This is used to provide centrally controlled policy information to PKI clients.

Answer 433

These are certificates that allow application signing and show compliance with policy restrictions.

Answer 434

This is like a root CA, which must be self-signed since there are superior authorities.

Answer 435

These are certificates that bind identities to keys and provide means of authentication for computers.

Answer 436

These are used to identify users emails.

Answer 437

This is a certificate that forms the initial foundation of trust in a chain of trust.

Answer 438

These certificates identify users and also end-entity certificates.

Answer 439

These are used for software and HTTPS websites to provide a high level of trust regarding the identity of the sender.

Answer 440

This is a low-trust way to validate someone has control over a DNS domain. This does not necessarily prove someone's identity.

Answer 441

.pfx, .p12, .der, .pem, .crt, .cer, .p7b

Answer 442

Privacy-protected email. One of the most common formats for issuing certificates. This model supports multiple digital certificates, including a certificate chain. File tyes include .cer, .crt, .pem, .key

Answer 443

The certificate file extension for Windows systems.

Answer 444

This is a certificate file extension used for both public and private keys.

Answer 445

Is a tool designed to capture and analyze wired or wireless traffic that passes through a given communication channel. Sometimes this is called a packet sniffer, network analyzer, or packet analyzer. For this to work, one must put a network interface into promiscuous mode.

Answer 446

This is a packet or protocol analyzer that listens to all packets, not just those addressed to it.

Answer 447

Switched port analyzer. Contrary to the name, this analyzer copies traffic, which is then sent to a designated port for traffic capture and analysis. These can also be an important component of an IDS or IPS.

Answer 448

A tool for probing ports on a network. The tool will inform the user which ports are open, aka "listening", which are closed, and which are filtered. One example is Nmap.

Answer 449

These are tools attackers use to find weak passwords. Administrators could also use them to test the integrity of their users' passwords and to detect problems early.

Answer 450

These are programs designed to scan a system for problems. These problems can include configuration errors, old software versions, etc. Application vulnerability scanners look for problems in a particular application.

Answer 451

Security Content Automation Protocol. It is a protocol to manage information related to security configurations and validate them in an automated way.

Answer 452

These are sets of tools designed to help attackers exploit systems. Some of these tools include automation. The most famous is Metasploit.

Answer 453

These are tools to get rid of data. These allow systems to be destroyed, deleted, or identified for destruction.

Answer 454

aka Stego, often found in CTF. This is the science of hiding messages in other content.

Answer 455

A fake server designed to look like the real thing meant to be a trap for attackers. A honeynet is a network equivalent of a honeypot.

Answer 456

self-explanatory

Answer 457

A technique in which you collect information about a service through banners. These banners show the types of services, versions, etc like HTTP, FTP, SMTP, and TELNET banner broadcast services.

Answer 458

Passive instruments do not interact with the system to allow detection. Active tools interact in a discoverable way.

Answer 459

It is an echo request to a machine to determine if communication is possible.

Answer 460

It is a Windows command to trace the path a packet takes on the network.

Answer 461

This shows the network connections to or from a system.

Answer 462

Allows a DNS query for a specific address.

Answer 463

It queries or manipulates the ARP table of a device. Address Resolution Protocol is one of the most important protocols of the network layer in the OSI model which helps in finding the MAC(Media Access Control) address given the IP address of the system i.e. the main duty of the ARP is to convert the 32-bit IP address(for IPv4) to 48-bit address i.e. the MAC address

Answer 464

It manipulates network interfaces on a system (internet protocol settings.

Answer 465

It is a command-line protocol analyzer that allows you to examine packets from a network connection or a logged file.

Answer 466

It is a network scanner and for mapping.

Answer 467

It is used to read and write over network connections using TCP or UDP.

Answer 468

Checks files for matches to known malware signatures and warns users.

Answer 469

This performs an integrity check on downloaded files to ensure that the file has not been tampered with and that you downloaded file you intended to.

Answer 470

It is a firewall on a single-host system.

Answer 471

This is a business practice where you specify which applications can run on a system. It is useful to help fight malware.

Answer 472

Removable media controls prevent data from being transferred from a system to a removable media location, such as a USB. This prevents risk of data exfiltration from a system. Also carries the rist of malware entering the system.

Answer 473

These tools allow the user to match known malware patterns and find indicators of compromise on a system.

Answer 474

These allow administrators to track software in an organization and whether or not it has been updated. Alerts can also be generated for users.

Answer 475

Unified Threat Management. All-in-one services inccluding firewalls, IDS, IPS, anti -malware, content filtering and more.

Answer 476

Data loss prevention. This helps defend against attacks in which a program is loaded into the data store and then executed.

Answer 477

It is a set of ste[s that an organization takes in the response to any abnormal situation with respect to the operation of information systems..

Answer 478

Defining a series of incident categories and types, helps planners and rescuers know how to react. Automation and scripts can be quickly deployed to include service interruption, malware delivery, phishing attacks, data filtration, and more.

Answer 479

Defining who is allowed to do what helps streamline processes when accidents occur. The more we plan, the more we can be prepared.

Answer 480

1) Preparation 2) identification 3) containment 4) eradication 5) recovery 6) lessons learned.

Answer 481

This is the first stage and takes place before the accident. It covers all the planning.

Answer 482

This occurs when a team member believes an incident has occurred and reports back to the team for further investigation.

Answer 483

This is the set of actions to limit the accident to the least number of machines. I.e. disconnection of nodes or hosts from the network.

Answer 484

This is the elimination of a problem, usually while it is still contained. This also prevents re-infection.

Answer 485

This is the process of returning affected resources to normal business functions and restoring normal business operations.

Answer 486

This is process improvement and determining what went well and what did not.

Answer 487

This involves the process of recovering from events that disrupt normal operations.

Answer 488

Data center with backup information.

Answer 489

Fully configured environments that are ready almost immediately. These have ready-to-use or almost ready-touse backups.

Answer 490

Partially configured site, may take a few days to get up to speed and fully operational.

Answer 491

Data centers that have the basics for backup; can takes weeks to become fully operational.

Answer 492

To provide valid and non-currupted data in case the original data is damaged or lost

Answer 493

1) Differential: This saves only the files that have changed since the last full backup. 2) Incremental: This saves files that have changed since the last full backup or the last incremental backup. 3) Snapshot: A copy of virtual machine. 4) Full, a full copy of machine data.

Answer 494

Best to keep backups in separate locations. Have the most recent copy locally, but other backup copies are far enough away and safe from local disasters.

Answer 495

1) CPU, cache, and registry components. 2) Routing tables, ARP caches, process tables, and kernel statistics. 3) Network connections and data streams in real-time. 4) RAM 5) Temporary file system and swap space 6) Data on the hard disk. 7) Remotely logged data 8) Data stored on storage and backup media.

Answer 496

This shows who obtained the evidence, where it was stored, where it was obtained, and who had control of the evidence. For each step, you must record, who, what, when what, and how the custody happened.

Answer 497

That means that once an organization is aware of the need to retain evidence for a court case, it protects that evidence.

Answer 498

When collecting evidence, make sure that all steps including who, where, and how are considered when the process of data acquisition.

Answer 499

Proof has to be: 1) Enough, that is to say, definitely convincing. 2) Competent, which means one is legally qualified. 3) Relevant, which means it must be related to the case at hand.