CySA+ 100 Flashcards
What are the three key objectives of information security?
Confidentiality, integrity, and availability (CIA)
Risk exists at the intersection of _______ and _________.
Threats and vulnerabilities.
What is the overall risk rating for a risk that has medium likelihood and high impact?
High
What type of system controls access to a network based on criteria such as time of day, location, device type, and system health?
Network access control (NAC)
What are the three networks typically connected to a triple-homed firewall?
The Internet, an internal network, and a DMZ
What is the TCP port for the HTTP protocol?
80
What is the TCP port for the HTTPS protocol?
443
What are the four types of firewalls?
Packet filters, stateful inspection firewalls, next-generation firewalls, and web application firewalls.
______ may be used to apply settings to many different Windows systems at the same time.
Group Policy Objects (GPOs)
What are the four phases of penetration testing?
Planning, Discovery, Attack, and Reporting
What type of software can you use to enumerate the services that are accepting network connections on a remote system without probing that system for vulnerabilities?
Port scanner
What is the range of well-known ports?
0–1023
What is the range of registered ports?
1024–49151
What is the most commonly used port scanner?
nmap
What Cisco logging level indicates a critical event?
2
What service is responsible for resolving domain names to IP addresses?
DNS
What tool can be used to determine the path between two systems over the Internet?
Traceroute or tracert, depending on the operating system
What service allows you to look up the registered owner of a domain name?
whois
What type of data analysis looks for differences from expected behaviors?
Anomaly analysis
What type of data analysis predicts threats based on existing data?
Trend analysis
What regulation requires vulnerability scans for organizations involved in credit card processing?
PCI DSS
What regulation requires vulnerability scanning for federal government agencies?
FISMA
What type of vulnerability scan leverages read-only access to the scan target?
Credentialed scan
What term is used to describe an organization’s willingness to tolerate risk?
Risk appetite
What type of account should be used to perform credentialed vulnerability scans?
Read-only account
What function is performed by QualysGuard, Nessus, Nexpose, and OpenVAS?
Vulnerability scanning
What is the purpose of Nikto and Acunetix?
Web application scanning
What criteria should be used in prioritizing the remediation of vulnerabilities?
Criticality, difficulty, severity, and exposure
What industry-standard system is used to assess the severity of security vulnerabilities?
CVSS
What are the CVSS score ranges?
Under 4.0 is low, 4.0–5.9 is medium, 6.0–9.9 is high, and 10.0 is critical.
What is the term used to describe when a scanner reports a vulnerability that does not really exist?
False positive
What type of vulnerability allows an attacker to place more data into an area of memory than is allocated for a specific purpose?
Buffer overflow
What type of attack seeks to increase the level of access that an attacker has to a targeted system?
Privilege escalation
What type of attack allows an attacker to run software of his or her choice on the targeted system?
Arbitrary code execution
What is the current secure standard for providing HTTPS encryption?
TLS 1.2 or later
In what type of attack does the attacker sends spoofed DNS requests to a DNS server that are carefully designed to elicit responses that are much larger in size than the original requests?
DNS amplification
What term is used to describe any observable occurrence in a system or network that relates to a security function?
Security event
What term is used to describe a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices?
Security incident
What are the phases of incident response?
Preparation; Detection & Analysis; Containment, Eradication, & Recovery; and Post-Incident Activity
What type of documents provide the detailed, tactical information that CSIRT members need when responding to an incident?
Procedures
What document serves as the cornerstone of an organization’s incident response program?
Incident Response Policy
What type of threat consists of highly skilled and talented attackers focused on a specific objective?
Advanced Persistent Threat (APT)
What are the types of impact used to describe the scope of a security incident?
Functional impact, economic impact, and recoverability effort
What are the common attack vectors for security incidents?
Common attack vectors for security incidents include external/removable media, attrition, the web, email, impersonation, improper usage, loss or theft of equipment, and other/unknown sources.
What Linux command displays processes, memory utilization, and other detail about running programs?
top or ps
What term is used to describe traffic sent to a command and control system by a PC that is part of a botnet?
Beaconing
What Windows tool provides information on memory, CPU, and disk use?
Perfmon
What protocol is used to gather information about and manage network devices?
SNMP
What Linux command allows you to list the files that are open by processes on a system?
lsof
What type of information is found in network flow data?
Flow data provides information about the source and destination IP address, protocol, and total data sent.
What protocol is used to ensure that all security devices on a network have synchronized clocks?
NTP
What tool can administrators use to determine the maximum bandwidth available on a network connection?
iPerf
What is the purpose of FTK, EnCase, SIFT, and the Sleuth Kit (TSK)?
Forensic toolkits
What type of device is designed to copy drives for forensic investigation, and then provide validation that the original drive and the content of the new drive match?
Forensic drive duplicator
Where can forensic analysts turn to find point-in-time information from prior actions on a Windows system?
Volume shadow copies
Where can forensic analysts turn to find information about logins, service start/stop events, and evidence of applications being run on a Windows system?
Event logs
What Linux utility is commonly used to clone drives in RAW format?
dd
What type of device can ensure that attaching a drive to a forensic copy device or workstation does not result in modifications being made to drive, thus destroying the forensic integrity of the process?
Write blocker
What Linux kernel modules allow forensic access to physical memory?
fmem and LiME
What tool provides a list of USB devices that have been connected to a Windows system?
USB Historian
What is the first action that incident responders should take after identifying a potential incident?
Contain the damage
Network segmentation, isolation, and removal of affected systems are examples of ___________ strategies
Containment
Once responders have contained the damage caused by an incident they should move on to __________ and ________ steps.
Eradication and recovery
At the conclusion of a cybersecurity incident response effort, CSIRT members should conduct a formal ____________ session.
Lessons learned
What activities should always occur to validate an incident recovery effort?
Verify user accounts, verify permissions, verify logging, and conduct vulnerability scans.
What are the three options available for the secure disposition of media containing sensitive information?
Clear, purge, and destroy
What is the focus of the recovery phase of incident response?
Restoring normal operations
____________ is a time-consuming investigative task that often distracts incident responders and results in dead ends.
Identifying the attackers
________ are high-level statements of management intent.
Policies
_______ outline what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.
Data retention policies
________ provide mandatory requirements describing how an organization will carry out its information security policies.
Standards
__________ are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances.
Procedures
_________ provide best practices and recommendations related to a given concept, technology, or task.
Guidelines
Many exception processes require the use of ___________________ to mitigate the risk associated with exceptions to security standards.
Compensating controls
What law includes security and privacy rules for protected health information?
HIPAA
What law applies to the financial records of publicly traded companies?
Sarbanes–Oxley
__________ provides the same level of protection to all systems or networks.
Uniform protection
What type of controls include firewalls, intrusion detection and prevention systems, network segmentation, and authentication and authorization systems?
Technical (or logical) controls
What type of controls involve processes and procedures like those found in incident response plans, account creation and management, as well as awareness and training efforts?
Administrative (or managerial) controls
What type of controls include locks, fences, and other controls that control or limit physical access, as well as controls like fire extinguishers that can help to prevent harm to property?
Physical controls
_____________ are intended to stop an incident from occurring by taking proactive measures to stop the threat
Preventive controls
A _______ is often used when services or systems need to be exposed to lower trust areas
DMZ
___________ is important to ensure continuity for roles, regardless of the reason a person leaves your organization.
Succession planning
What are the three types of views that can commonly be taken to review a security architecture design?
Operational views, technical views, and logical views
What term is used to describe the set of claims made about an individual or account holder that are made about one party to another party?
Identities
What are the three elements of the AAA framework?
Authentication, authorization, and accounting
What is the purpose of TACACS+, RADIUS, and Kerberos?
Authentication
What authorization standard is used by many websites to allow users to share elements of their identity or account information while authenticating via the original identity provider?
OAuth
In Kerberos, what type of ticket allows complete access to the Kerberos connected systems, including creation of new tickets, account changes, and even falsification of accounts or services?
Ticket Granting Ticket (TGT)
What service is the core identity store and AAA service in most Windows-centric organizations?
Active Directory
__________ is the steady accrual of additional rights over time as account owners change roles, positions, or responsibilities.
Privilege creep
What are the steps of the account life cycle?
Create account and set password; provision services; modify and maintain account; disable account; retire and deprovision account.
What are the stages of the software development life cycle?
Planning, Requirements, Design, Coding, Testing, Training and Transition, Ongoing Operations and Maintenance, End-of-Life Decommissioning
The _______ phase of the SDLC includes actual coding of the application.
Development
What are the three types of system environments commonly used in organizations?
Development, Test, and Production
In the _______ software development model, each phase follows sequentially and phases do not overlap.
Waterfall
The _______ software development model is an iterative and incremental process.
Agile
During the _______ phase of software development, security practitioners may be asked to participate in initial assessments or cost evaluations.
Feasibility
____________ is a form of structured, formal code review intended to find a variety of problems during the development process.
Fagan inspection
What testing technique involves sending invalid or random data to an application to test its ability to handle unexpected data?
Fuzz testing or fuzzing
