EXAM 1 Flashcards
Passive reconnaissance
Passive reconnaissance focuses on gathering as much information from open sources such as social media, corporate websites, and business
Regulatory audit
A regulatory audit is a detailed security analysis based on existing laws or private guidelines. A regulatory audit commonly requires access to internal systems and data.
DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) specifies the disposition of spam emails. The legitimate owner of the originating email domain can choose to have these messages accepted, sent to a spam folder, or rejected.
DKIM
DKIM (DomainKeys Identified Mail) provides a way to validate all digitally signed messages from a specific email server. DKIM does not determine how the receiving server categorizes these digitally signed messages.
What is the acronym for a prediction of how often a repairable system will fail, or the average time expected between outages?
MTBF (Mean Time Between Failures)
An MOA (Memorandum of Agreement)
An MOA (Memorandum of Agreement) is a formal document where both sides agree to a broad set of goals and objectives associated with the partnership.
What is a Deterrent control
A deterrent control does not directly stop an attack, but it may discourage an action; for example, a splash screen, a front reception desk, or warning signs.
A deterrent discourages an intrusion attempt, but it doesn’t directly prevent the access. An application splash screen or posted warning sign would be categorized as a deterrent.
What is a Detective control
A detective control may not prevent access, but it can identify and record when an intrusion has occurred; for example, going through system logs and login reports, motion detectors.
An IPS can detect, alert, and log an intrusion attempt. The IPS could also be categorized as a preventive control, since it has the ability to actively block known attacks.
What is a Directive control
A directive control is a relatively weak control that relies on security compliance from the end users. It directs a user towards security compliance; for example, a sign reading “Authorized Personnel Only”.
COPE
A device that is COPE (Corporately Owned and Personally Enabled) is commonly purchased by the corporation and allows the use of the mobile device for both business and personal use. The use of a COPE device does not provide any policy management of the device.
What is a compensating control
Compensating controls are used to mitigate a vulnerability when an optimal security response may not be available. For example, if a company can’t deploy a patch for a vulnerability, they can revoke or limit application access until a patch is provided.
A compensating security control doesn’t prevent an attack, but it does restore from an attack using other means. For example, a UPS (Uninterruptible Power Supply) does not stop a power outage, but it does provide alternative power if an outage occurs.
802.1X
802.1X uses a centralized authentication server, and this allows all users to use their corporate credentials during the login process.
What is Discretionary access
Discretionary access control is used in many operating systems, and this model allows the owner of the resource to control who has access.
Development lifecycle
A formal software development lifecycle defines the specific policies associated with the design, development, testing, deployment, and maintenance of the application development process.
hybrid cloud model
A hybrid cloud includes more than one private or public cloud. This adds additional complexity to the overall infrastructure, and it’s common to inadvertently apply different authentication options and user permissions across multiple cloud providers.
A manufacturing company would like to track the progress of parts used on an assembly line
The ledger functionality of a blockchain can be used to track or verify components, digital media, votes, and other physical or digital objects.
An administrator is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Why?
Verifies that the file was not corrupted during the file transfer. Once the file is downloaded, the administrator can calculate the file’s SHA256 hash and confirm that it matches the value on the website.
What decreases threat level?
Mitigation decreases the threat level. This is commonly done through the use of additional security systems and monitoring, such as an NGFW (Next-Generation Firewall).
What is enumeration
Enumeration describes the detailed listing of all parts in a particular device. For a computer, this could include the CPU type, memory, storage drive details, keyboard model, and more.
security awareness campaign
A security awareness campaign often involves automated phishing attempts, and most campaigns will include a process for users to report a suspected phishing attempt to the IT security team.
SCAP
Automate the validation and patching of security issues
SCAP (Security Content Automation Protocol) focuses on the standardization of vulnerability management across multiple security tools. This allows different tools to identify and act on the same security criteria.
HSM
An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices.
ALE
ALE (Annual Loss Expectancy) is the financial loss over an entire 12-month period.
SLE
SLE (Single Loss Expectancy) describes the financial impact of a single event.
ARO
The ARO (Annualized Rate of Occurrence) is the number of times an event will occur in a 12-month period.
Worm
A worm is malware that can replicate itself between systems without any user intervention, so a spreadsheet that requires a user to click through additional warning messages would not be categorized as a worm.
penetration test
A penetration test can be used to actively exploit potential vulnerabilities in a system or application. This could cause a denial of service or loss of data, so the best practice is to perform the penetration test during nonproduction hours or in a test environment.
Technical controls
A control that has been implemented using some kind of technical system; for example, firewalls and antivirus.
managerial controls
Security policies that explain to users the best way to manage their data, etc.
operational controls
Controls implemented by a person instead of systems; for example, security guards and awareness programs at work.
physical controls
Controls that will limit someone’s access to a building, room, or device; a guard shack, fences, and badge readers are examples of physical controls.
preventive control type
Blocks access to a resource; for example, a firewall rule or a guard shack checking everyone’s identity.
Corrective control
Occurs after the event has been detected. For example, if a computer has been infected by ransomware and the drive has been encrypted, restoring it from a backup is a corrective control. Other examples are putting out a fire with a fire extinguisher, or calling law enforcement to manage a criminal activity.
Examples of “something you know”
passwords, PIN
Examples of “something you have”
Smart cards, USB security keys, hardware tokens, software tokens, SMS text messages.
something you are
Biometric authentication; for example, fingerprint or voice.
somewhere you are
Based on your location.
What is journaling
Journaling writes data to a temporary journal before writing the information to the database. If power is lost, the system can recover the last transaction from the journal when power is restored.
data owner
The data owner is accountable for specific data, so this person is often a senior officer of the organization.
OSINT
OSINT (Open Source Intelligence) describes the process of obtaining information from open sources such as social media sites, corporate websites, online forums, and other publicly available locations.
Partially known environment
A partially known environment test is performed when the attacker knows some information about the victim, but not all information is available. This differs from passive reconnaissance.
Passive reconnaissance is the process of gathering information from publicly available sites, such as social media or corporate websites.
asymmetric encryption
A user in the accounting department would like to email a spreadsheet with sensitive information to a list of third-party vendors. Which of the following would be the BEST way to protect the data in this email?
Asymmetric encryption uses a recipient’s public key to encrypt data, and this data can only be decrypted with the recipient’s private key. This encryption method is commonly used with software such as PGP or GPG.
What is the acronym for the time required to repair a product or system after a failure?
MTTR (Mean Time To Repair)
RTO
RTO (Recovery Time Objective) defines the minimum objectives required to get up and running to a particular service level.
What is the term for acting honestly and in good faith, which is often associated with third-party activities and tends to refer to internal activities?
Due Care
A fact about alert tuning
Monitoring systems are not always perfect, and many require ongoing tuning to properly configure alerts and notifications.
A fact about misinformation campaigns
Misinformation campaigns are carefully crafted attacks that exploit social media and traditional media.
MD5 hashes due to collision problems
Two different messages share the same hash
A well-designed hashing algorithm will create a unique hash value for every possible input. If two different inputs create the same hash, the hash algorithm has created a collision.
A security administrator has identified the installation of ransomware on a database server and has quarantined the system. Which of the following should be followed to ensure that the integrity of the evidence is maintained?
A chain of custody is a documented record of the evidence. The chain of custody also documents the interactions of every person who comes into contact with the evidence to maintain the integrity.
E-discovery
E-discovery is the process of collecting, preparing, reviewing, interpreting, and producing electronic documents. However, e-discovery does not provide any additional integrity of the data.
Which of the following vulnerabilities would be the MOST significant security concern when protecting against a hacktivist?
Lack of patch updates on an Internet-facing database server. One of the easiest ways for a third party to obtain information is through an existing Internet connection. A hacktivist could potentially exploit an unpatched server to obtain unauthorized access to the operating system and data.
UTM
A UTM (Unified Threat Management) appliance acts as a traditional firewall, and many UTMs may also include additional features such as intrusion prevention and content filtering. However, UTMs are not commonly used for protection of web-based applications.
WAF
A WAF (Web Application Firewall) is designed as a firewall for web-based applications. WAFs are commonly used to protect against application attacks such as injections, cross-site scripting, and invalid input types.
TPM
A TPM (Trusted Platform Module) is part of a computer’s motherboard, and it’s specifically designed to assist with and protect cryptographic functions. Full disk encryption (FDE) can use the burned-in TPM keys to verify the local device hasn’t changed, and there are security features in the TPM to prevent brute-force or dictionary attacks against the full disk encryption login credentials.
Mandatory
Mandatory access control uses a series of security levels (i.e., public, private, secret) and assigns those levels to each object in the operating system. Users are assigned a security level, and they would only have access to objects that meet or are below that assigned security level.
Role based
Role-based access control assigns a user’s permissions based on their role in the organization. For example, a manager would have a different set of rights and permissions than a team lead.