GIBSON REMEMBER Flashcards

1
Q
A

The CIA Triad is the foundation of everything we do in
cybersecurity. It’s one of the essential concepts listed in the
Security+ exam objectives, and you should be very familiar with it
when you take the exam. As you learn about different security
threats and controls throughout this book, try to relate each of
them to one or more of the three goals of confidentiality,
integrity, and availability.

2
Q
A

Confidentiality ensures that data is only viewable by authorized
users. The best way to protect the confidentiality of data is by
encrypting it. This includes any type of data, such as PII, data in
databases, and data on mobile devices. Access controls help
protect confidentiality by restricting access.

3
Q
A

Integrity verifies that data has not been modified. Loss of
integrity can occur through unauthorized or unintended changes.
Hashing algorithms, such as SHA, calculate hashes to verify
integrity. A hash is simply an alphanumeric string created by applying a hashing algorithm to a file or message. You can then
later run the same algorithm on the data and you should get the
same hash value. By comparing the hashes, you can verify that
there haven’t been any changes (authorized or unauthorized) to
the data. If the hashes are the same, the data is unchanged. If
the hash has changed, the data has changed.

4
Q
A

Availability ensures that systems are up and operational when
needed and often addresses single points of failure. You can
increase availability by adding fault tolerance and redundancies,
such as RAID, failover clusters, backups, and generators.

5
Q
A

Redundancy and fault tolerance methods increase the availability
of systems and data. Scalability refers to manually adding servers
to a service or resources to a system to meet new demand.
Elasticity refers to automatically adding or removing resources as needed.

6
Q
A

Risk is the likelihood that a threat will exploit a vulnerability. Risk
mitigation reduces the chances that a threat will exploit a
vulnerability or reduces the risk’s impact by implementing security
controls.

7
Q
A

You may find all this talk of categories and types a little
confusing. Remember that every control you encounter will
belong to at least one category and at least one type. For
example, a firewall is a technical control because it uses
technology to achieve its goals. It is also a preventive control
because its goal is to stop unwanted traffic from entering the
network, preventing an incident from occurring.

8
Q
A

Managerial controls are administrative in function and
documented in security policies. Operational controls are
implemented by people who perform the day-to-day operations to
comply with an organization’s overall security plan.

9
Q
A

Security controls are categorized as managerial (documented in
written policies), operational (performed in day-to-day
operations), technical (implemented with technology), or physical
(impacting the physical world).

10
Q
A

Technical controls use technology to reduce vulnerabilities. Some
examples include encryption, antivirus software, IDSs, IPSs,
firewalls, and the least privilege principle. Physical security and
environmental controls include motion detectors and fire
suppression systems.

11
Q
A

Preventive controls attempt to prevent security incidents.
Hardening systems modifies the basic configuration to increase
security. Security guards can prevent unauthorized personnel
from entering a secure area. Change management processes help
prevent outages from configuration changes. An account
disablement process ensures that accounts are disabled when a
user leaves the organization.

13
Q
A

Identification occurs when a user claims an identity, such as with
a username or email address. Authentication occurs when the
user proves the claimed identity (such as by entering a password)
and the credentials are verified (such as by checking that
password). Access control systems provide authorization by
granting access to resources based on permissions granted to the
proven identity. Logging provides accounting.

14
Q
A

Complex passwords use a mix of character types. Strong
passwords use a mix of character types and have a minimum
password length of at least eight characters. A password
expiration identifies when a password must be changed.

15
Q
A

Account lockout policies thwart some password attacks, such as
brute force and dictionary attacks. Many applications and devices
have default passwords. These should be changed before putting
the application or device into service.

16
Q
A

Smart cards are often used with two-factor authentication where
users have something (the smart card) and know something
(such as a password or PIN). Smart cards include embedded
certificates used with digital signatures and encryption. They are

17
Q
A

HOTP and TOTP are open-source standards used to create
one-time-use passwords. HOTP creates a one-time-use password
that does not expire until it is used, and TOTP creates a one-time
password that expires after 30-60 seconds. Both can be used as
software tokens for authentication.

18
Q
A

The third factor of authentication (something you are, defined
with biometrics) is the strongest individual authentication factor.
Biometric methods include fingerprint recognition, vein pattern
matching, retinal and iris scans, facial recognition, voice
recognition, and gait analysis.

19
Q
A

Iris and retina scans are the strongest biometric methods
mentioned in this section. Iris scans are commonly preferred over
retinal scans because retinal scans are intrusive and may reveal
private medical concerns. Facial recognition and gait analysis can
bypass the enrollment process when used for identification
instead of authorization.

20
Q
A

Using two or more methods in the same factor of authentication
(such as a PIN and a password) is single-factor authentication.
Two-factor authentication uses two different authentication
factors, such as using a hardware token and a PIN. Multifactor
authentication uses two or more factors.

21
Q
A

Passwordless authentication is not necessarily multifactor
authentication. Passwordless authentication can rely on a single
factor, such as something you have or something you are.

22
Q
A

Privileged access management (PAM) systems implement
stringent security controls over accounts with elevated privileges
such as administrator or root-level accounts. Some capabilities
include allowing authorized users to access the administrator
account without knowing the password, logging all elevated
privilege usage, and automatically changing the administrator
account password.

23
Q
A

Requiring administrators to use two accounts, one with
administrator privileges and another with regular user privileges,
helps prevent privilege escalation attacks. Users should not use
shared accounts.

24
Q
A

An account disablement policy identifies what to do with accounts
for employees who leave permanently or are on a leave of
absence. Most policies require administrators to disable the
account as soon as possible so that ex-employees cannot use the
account. Disabling the account ensures that data associated with
it remains available. Security keys associated with an account
remain available when the account is disabled, but the security
keys (and data they encrypted) are no longer accessible if it is
deleted.

25
Q
A

Usage auditing records user activity in logs. A usage auditing
review looks at the logs to see what users are doing and it can be
used to re-create an audit trail. Permission auditing reviews help
ensure that users have only the access they need and no more
and can detect privilege creep issues.

26
Q
A

SAML is an XML-based standard used to exchange authentication
and authorization information between different parties. SAML
provides SSO for web-based applications.

27
Q
A

It’s easy to get confused about what OAuth does because the
name is ambiguous! Remember that the “Auth” in OAuth stands
for authorization, not authentication!

28
Q
A

A role-based access control scheme uses roles based on jobs and
functions. A roles and permissions matrix is a planning document
that matches the roles with the required privileges.

29
Q
A

Group-based privileges reduce the administrative workload of
access management. Administrators put user accounts into
security groups and assign privileges to the groups. Users within
a group automatically inherit the privileges assigned to the group.

30
Q
A

Rule-based access control is based on a set of approved
instructions, such as an access control list. Some rule-BAC
systems use rules that trigger in response to an event, such as
modifying ACLs after detecting an attack or granting additional
permissions to a user in certain situations.

31
Q
A

The DAC scheme specifies that every object has an owner, and
the owner has full, explicit control of the object. Microsoft NTFS uses the DAC scheme.

32
Q
A

The MAC scheme uses sensitivity labels for users and data. It is
commonly used when access needs to be restricted based on a
need to know. Sensitivity labels often reflect classification levels
of data and clearances granted to individuals.

33
Q
A

The ABAC scheme uses attributes defined in policies to grant
access to resources. It’s commonly used in software-defined
networks (SDNs).

34
Q
A

You can use a memory trick to remember the order of the OSI
layers – make a sentence that has words starting with the seven
letters of the model layers in order. My personal favorite is “Please
Do Not Throw Sausage Pizza Away!” Other people use “All People
Seem To Need Data Processing.” You can choose whatever works for you.

35
Q
A

Secure Shell (SSH) encrypts traffic over TCP port 22 and is used
to transfer encrypted files over a network. Transport Layer
Security (TLS) is a replacement for SSL and is used to encrypt
many different protocols, including browser-based connections
using HTTPS. Secure FTP (SFTP) uses SSH to encrypt traffic. FTP
Secure (FTPS) uses TLS to encrypt traffic.

36
Q
A

SMTP, POP3, and IMAP4 are primary email protocols. Well-known
ports for unencrypted and encrypted traffic (respectively) are:
SMTP uses ports 25 and 587, POP3 uses 110 and 995, IMAP4
uses 143 and 993. HTTP and HTTPS use ports 80 and 443,
respectively.

37
Q
A

Directory services, such as Microsoft Active Directory Domain
Services (AD DS), provide authentication and authorization
services for a network. AD DS uses LDAP, encrypted with TLS
when querying the directory.

38
Q
A

Administrators connect to servers remotely using protocols such
as Secure Shell (SSH) and the Remote Desktop Protocol (RDP). In
some cases, administrators use virtual private networks to
connect to remote systems.

39
Q
A

OpenSSH is a suite of tools that simplifies the use of SSH to
connect to remote servers securely. The ssh-keygen command
creates a public/private key pair, and the ssh-copy-id command
copies the public key to a remote server. The private key must
always stay private.

40
Q
A

Port security includes disabling unused ports and limiting the
number of MAC addresses per port. A more advanced
implementation is to restrict each physical port to only a single
specific MAC address.

41
Q
A

Broadcast storm and loop prevention such as STP or RSTP is
necessary to protect against switching loop problems, such as
those caused when two ports of a switch are connected.

42
Q
A

Routers and stateless firewalls (or packet-filtering firewalls)
perform basic filtering with an access control list (ACL). ACLs
identify what traffic is allowed and what traffic is blocked. An ACL
can control traffic based on networks, subnets, IP addresses,
ports, and some protocols. Implicit deny blocks all access that has
not been explicitly granted. Routers and firewalls use implicit
deny as the last rule in the access control list.

43
Q
A

Administrators use SNMPv3 to manage and monitor network
devices, and SNMP uses UDP ports 161 and 162. SNMPv3
encrypts credentials before sending them over the network and is
more secure than earlier versions.

44
Q
A

Host-based firewalls provide protection for individual hosts, such
as servers or workstations. Network-based firewalls run on
dedicated hardware and provide protection for an entire network.
You should use host-based firewalls and network-firewalls
together to achieve a defense-in-depth approach to network
security.

45
Q
A

Firewalls use a deny any any, deny any, or a drop all statement at
the end of the ACL to enforce an implicit deny strategy. The
statement forces the firewall to block any traffic that wasn’t
previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.

46
Q
A

A stateless firewall blocks traffic using only an ACL, while a stateful
firewall uses ACLs as well but also considers the state of the
packet within a session. Web application firewalls provide strong
protection for web servers. They protect against several different
types of attacks, focusing on web application attacks.

47
Q
A

A screened subnet (sometimes called a DMZ) is a buffer zone between the Internet and an internal network. It allows access to
services while segmenting access to the internal network. In
other words, Internet clients can access the services hosted on
servers in the screened subnet, but the screened subnet provides
a layer of protection for the intranet (internal network).

48
Q
A

NAT translates public IP addresses to private IP addresses and
private IP addresses back to public. A common form of NAT is
Port Address Translation. Dynamic NAT uses multiple public IP
addresses, while static NAT uses a single public IP address.

49
Q
A

An air gap isolates one network from another by ensuring there is
physical space (literally a gap of air) between all systems and
cables.

50
Q
A

Virtual local area networks (VLANs) separate or segment traffic on
physical networks, and you can create multiple VLANs with a
single switch. A VLAN can logically group several different
computers together or logically separate computers without
regard to their physical location. VLANs are also used to separate
traffic types, such as voice traffic on one VLAN and data traffic on
a separate VLAN.

51
Q
A

A proxy server forwards requests for services from a client. It
provides caching to improve performance and reduce Internet
bandwidth usage. Transparent proxy servers accept and forward
requests without modifying them. Non-transparent proxy servers
use URL filters to restrict access to certain sites. Both types can
log user activity.

52
Q
A

A unified threat management (UTM) appliance combines multiple
security controls into a single appliance. It can inspect data
streams and often includes URL filtering, malware inspection, and
content inspection components. Many UTMs include a DDoS
mitigator to block DDoS attacks.

53
Q
A

A jump server is placed between different security zones and
provides secure access from devices in one zone to devices in the
other zone. It can provide secure access to devices in a screened
subnet from an internal network.

54
Q
A

A HIDS can monitor all traffic on a single host system such as a
server or a workstation. In some cases, it can detect malicious
activity missed by antivirus software.

55
Q
A

A NIDS console is installed on a network appliance. Sensors are
installed on network devices such as switches, routers, or
firewalls to monitor network traffic and detect network-based
attacks. You can also use taps or port mirrors to capture traffic. A
NIDS cannot monitor encrypted traffic and cannot monitor traffic
on individual hosts.

56
Q
A

Signature-based detection identifies issues based on known attacks or vulnerabilities. Signature-based detection systems can
detect known attack types. Trend-based IDSs (also called
anomaly-based) can detect unusual activity. They start with a
performance baseline of normal behavior and then compare
network traffic against this baseline. When traffic differs
significantly from the baseline, the system sends an alert.

57
Q
A

A false positive incorrectly indicates an attack is occurring when
an attack is not active. A high incidence of false positives
increases the administrator’s workload. A false negative is when
an attack occurs, but the system doesn’t detect and report it.
Administrators often set the IDS threshold high enough to
minimize false positives but low enough that it does not allow
false negatives.

58
Q
A

An intrusion prevention system (IPS) is a preventive control. It is
placed in-line with traffic. An IPS can actively monitor data
streams, detect malicious content, and stop attacks in progress. It
can also be used internally to protect private networks.

59
Q
A

An IPS is placed in-line with the traffic and can detect, react to,
and prevent attacks. An IDS monitors and responds to an attack.
It is not in-line but instead collects data passively (also known as
out-of-band).

60
Q
A

Honeypots and honeynets attempt to deceive attackers and
disrupt attackers. They divert attackers from live networks and
allow security personnel to observe current methodologies
attackers are using. A honeyfile is a file with a name (such as
password.txt) that will attract the attacker’s attention. A
honeytoken is a fake record inserted into a database to detect
data theft.

61
Q
A

MAC filtering can restrict wireless network access to specific
clients. However, an attacker can use a sniffer to discover allowed
MAC addresses and circumvent this form of network access
control. It’s relatively simple for an attacker to spoof a MAC
address.

62
Q
A

A site survey examines the wireless environment to identify
potential problem areas. A heat map shows wireless coverage and
dead spots if they exist. Wireless footprinting gives you a detailed
diagram of wireless access points, hotspots, and dead spots
within an organization.

63
Q
A

WPA2-PSK uses a pre-shared key and does not provide individual
authentication. Open mode doesn’t use security and allows all
users to access the AP. Enterprise mode is more secure than
Personal mode, providing strong authentication. Enterprise mode
uses an 802.1X server (implemented as a RADIUS server) to add
authentication.

64
Q
A

WPA2 supports CCMP (based on AES) and replaced earlier
wireless cryptographic protocols. WPA3 uses Simultaneous
Authentication of Equals (SAE) instead of a pre-shared key (PSK)
used with WPA2.

65
Q
A

Enterprise mode requires an 802.1X server. EAP-FAST supports
PACs. PEAP and EAP-TTLS require a certificate on the 802.1X
server. EAP-TLS also uses TLS, but it requires certificates on both
the 802.1X server and each of the clients. An 802.1X server
provides port-based authentication, ensuring that only authorized
clients can connect to a device or a network. It prevents rogue
devices from connecting.

66
Q
A

A disassociation attack effectively removes a wireless client from
a wireless network, forcing it to re-authenticate. WPS allows users
to configure a wireless device by entering an eight-digit PIN
and/or pressing buttons on the device. A WPS attack guesses all
possible PINs until it finds the correct one. It will typically
discover the PIN within hours and use it to discover the
passphrase.

67
Q
A

Rogue access points are often used to capture and exfiltrate data.
An evil twin is a rogue access point using the same SSID (or a
similar SSID) as a legitimate access point. A secure AP blocks
unauthorized users, but a rogue access point provides access to
unauthorized users.

68
Q
A

Bluejacking is the unauthorized sending of text messages to a
nearby Bluetooth device. Bluesnarfing is the unauthorized access
to, or theft of information from, a Bluetooth device. Ensuring
devices cannot be paired without manual user intervention
prevents these attacks, and placing them in Faraday cages will
prevent pairing.

69
Q
A

Administrators use war driving techniques as part of a wireless
audit. A wireless audit checks a wireless signal footprint, power
levels, antenna placement, and encryption of wireless traffic.
Wireless audits using war driving can detect rogue access points
and identify unauthorized users. War flying is similar to war
driving, but it uses planes or drones instead of cars.

70
Q
A

A virtual private network (VPN) provides remote access to a
private network via a public network. VPN concentrators are
dedicated devices used for VPNs. They include all the services
needed to create a secure VPN supporting many clients.

71
Q
A

IPsec is a secure encryption protocol used with VPNs.
Encapsulating Security Payload (ESP) provides confidentiality, integrity, and authentication for VPN traffic. IPsec uses Tunnel
mode for VPN traffic and can be identified with protocol ID 50 for
ESP. It uses IKE over port 500. A full tunnel encrypts all traffic
after a user has connected to a VPN. A split tunnel only encrypts
traffic destined for the VPN’s private network.

72
Q
A

Network access control (NAC) includes methods to inspect clients
for health, such as having up-to-date antivirus software, and can
restrict access of unhealthy clients to a remediation network. You
can use NAC for VPN clients and internal clients.

73
Q
A

PAP authentication uses a password. A significant weakness is
that PAP sends the information across a network in cleartext,
making it susceptible to sniffing attacks. CHAP is more secure
than PAP because CHAP doesn’t send passwords over the
network in cleartext.

74
Q
A

RADIUS and TACACS+ provide centralized authentication.
RADIUS only encrypts the password by default but can be used
with EAP to encrypt entire sessions. TACACS+ encrypts the entire
session by default and can be used with Kerberos.

75
Q
A

Virtualization allows multiple virtual servers to operate on a single
physical server providing increased cybersecurity resilience with
lower operating costs. Keeping systems up to date with current
patches is the best protection from VM escape attacks.

76
Q
A

Master images provide secure starting points for systems.
Administrators sometimes create them with templates or with
other tools to create secure baselines. They then use integrity
measurements to discover when a system deviates from the
baseline.

77
Q
A

Patch management procedures ensure that operating systems,
applications, and firmware are up-to-date with current patches.
This protects systems against known vulnerabilities. Change
management defines the process and accounting structure for
handling modifications and upgrades. The goals are to reduce
risks related to unintended outages and provide documentation
for all changes.

78
Q
A

An application allow list is a list of authorized software, and it
prevents users from installing or running software that isn’t on
the list. An application block list is a list of unauthorized software
and prevents users from installing or running software on the list.

79
Q
A

Full disk encryption (FDE) protects all of the contents of a disk
using encryption. This may be done with specialized software or it
may be done using specialized hardware, known as
self-encrypting drives (SED).

80
Q
A

A Trusted Platform Module (TPM) is a hardware chip included in
many desktops and laptops. It provides full disk encryption
support and features a secure boot process and remote
attestation. The endorsement key is a unique asymmetric key pair
burned into the TPM chip that provides a hardware root of trust.

81
Q
A

A hardware security module (HSM) is a removable or external
device that can generate, store, and manage keys used in
asymmetric encryption. Many server-based applications use an
HSM to protect keys. A microSD HSM is an HSM device installed
on a microSD card and can be installed on any device with a
microSD or SD slot.

82
Q
A

Data exfiltration is the unauthorized transfer of data out of a
network. Data loss prevention (DLP) techniques and technologies
can block the use of USB devices to prevent data loss and
monitor outgoing network traffic for unauthorized data transfers.

83
Q
A

The primary methods of protecting the confidentiality of data are
encryption and strong access controls. Database column
encryption protects individual fields within a database.

84
Q
A

Applications such as web-based email provided over the Internet
are Software as a Service (SaaS) cloud-based technologies.
Platform as a Service (PaaS) provides customers with a fully
managed platform, including hardware, operating systems, and
limited applications. The vendor keeps systems up to date with
current patches. Infrastructure as a Service (IaaS) provides
customers with access to hardware in a self-managed platform.

85
Q
A

Public cloud services are available to any customer who wishes to
use them. Private clouds are available for only one organization.
Two or more organizations with shared concerns can share a
community cloud. A hybrid cloud is a combination of two or more
cloud deployment models.

86
Q
A

A managed security service provider (MSSP) is a third-party
vendor that provides security services for an organization. A
managed service provider (MSP) provides any IT services needed
by an organization, including security services provided by an
MSSP.

87
Q
A

A cloud-based DLP can enforce security policies for data stored in
the cloud, such as ensuring that Personally Identifiable
Information (PII) is encrypted.

88
Q
A

A cloud access security broker (CASB) is a software tool or service
deployed between an organization’s network and the cloud
provider. It provides security by monitoring traffic and enforcing
security policies. A next-generation secure web gateway (SWG)
provides proxy services for traffic from clients to Internet sites,
such as filtering URLs and scanning for malware.

89
Q
A

Corporate-owned, personally enabled (COPE) devices are owned
by the organization, but employees can use them for personal
reasons. A bring your own device (BYOD) policy allows employees
to connect their own personal devices to the corporate network. A
choose your own device (CYOD) policy includes a list of approved
devices that employees can purchase and connect to the
network.

90
Q
A

Mobile device management (MDM) tools help enforce security
policies on mobile devices. This includes the use of storage
segmentation, containerization, and full device encryption to
protect data. Containerization is useful when using the BYOD model. They also include enforcing strong authentication methods
to prevent unauthorized access.

91
Q
A

Remote wipe sends a signal to a lost or stolen device to erase all
data. Geolocation uses Global Positioning System (GPS) and can
help locate a lost or stolen device. Geofencing creates a virtual
fence or geographic boundary and can be used to detect when a
device is within an organization’s property. GPS tagging adds
geographical data to files such as pictures. Context-aware
authentication uses multiple elements to authenticate a user and
a mobile device.

92
Q
A

Tethering and mobile hotspots allow devices to access the
Internet and bypass network controls. Wi-Fi Direct is a standard
that allows devices to connect without a wireless access point or
wireless router. MDM tools can block access to devices using
tethering, mobile hotspot, or Wi-Fi Direct to access the Internet.

93
Q
A

A supervisory control and data acquisition (SCADA) system has
embedded systems that control an industrial control system
(ICS), such as one used in a power plant or water treatment
facility. Embedded systems are also used for many special
purposes, such as medical devices, automotive vehicles, aircraft,
and unmanned aerial vehicles (UAVs).

94
Q
A

An embedded system is any device that has a dedicated function
and uses a computer system to perform that function. It includes
any devices in the Internet of Things (IoT) category, such as
wearables and home automation systems. Some embedded
systems use a system on a chip (SoC).

95
Q
A

An advanced persistent threat (APT) refers to an organized and
sophisticated group of threat actors. Nation-states (governments)
sponsor them and give them specific targets and goals. Organized
crime groups are organized individuals involved in crime. Their
primary motivation is money.

96
Q
A

An unskilled attacker uses existing computer scripts or code to
launch attacks. These unskilled attackers typically have very little
expertise, sophistication, and funding. A hacktivist launches
attacks as part of an activist movement or to further a cause. An
insider is anyone with legitimate access to an organization’s
internal resources, such as an employee of a company. DLP
solutions can prevent users from writing data to external media
devices.

97
Q
A

Different types of attackers have different attributes. The major
differences are whether an attacker comes from an internal or
external source, the resources and funding available to the
attacker, and the attacker’s level of sophistication and capability.

98
Q
A

You need to know the common threat actor motivations when you
take the Security+ exam. The motivations listed by CompTIA
include data exfiltration, service disruption, blackmail, financial
gain, philosophical/political beliefs, ethical hacking, revenge,
espionage, and war.

99
Q
A

Attackers use many different threat vectors to gain access to an
organization. So far, we’ve discussed message-based, image-based, and file-based attack vectors as well as voice calls,
removable devices, vulnerable software, unsecure networks, open
service ports, default credentials, and the supply chain. Later in
this chapter, we’ll discuss human vectors and social engineering
attacks.

100
Q
A

Shadow IT refers to systems or applications used within an
organization without authorization or approval.

101
Q
A

A logic bomb executes in response to an event, such as when a
specific application is executed, or a specific time arrives.

102
Q
A

A Trojan appears to be something useful but includes a malicious
component, such as installing a backdoor on a user’s system.
Many Trojans are delivered via drive-by downloads. They can also
infect systems with fake antivirus software, pirated software,
games, and browser extensions.

103
Q
A

Keyloggers capture a user’s keystrokes and store them in a file.
This file can be automatically sent to an attacker or manually
retrieved depending on the keylogger. Spyware monitors a user’s
computer and often includes a keylogger.

104
Q
A

Rootkits have system-level or kernel access and can modify
system files and system access. Rootkits use hooking and similar
techniques to hide their running processes and avoid detection.
Tools that can inspect RAM can discover these hidden hooked
processes.

105
Q
A

Ransomware is a type of malware that takes control of a user’s
system or data. Criminals then attempt to extort payment from
the victim. Ransomware often includes threats of damaging a
user’s system or data if the victim does not pay the ransom, and
attackers increasingly target hospitals, cities, and other larger
organizations.

106
Q
A

Malware includes a wide variety of malicious code, including
viruses, worms, Trojans, ransomware, and more. A virus is
malicious code that attaches itself to an application and runs
when the application is started. A worm is self-replicating and
doesn’t need user interaction to run.

107
Q
A

Social engineering uses social tactics to trick users into giving up
information or performing actions they wouldn’t normally take.
Social engineering attacks can occur in person, over the phone,
while surfing the Internet, and via email.

108
Q
A

A social engineer can gain unauthorized information just by
looking over someone’s shoulder. This might be done in person,
such as when a user is at a computer, or remotely using a camera.
Screen filters help prevent shoulder surfing by obscuring people’s
view unless they are directly in front of the monitor.

109
Q
A

Tailgating is a social engineering tactic that occurs when one user
follows closely behind another user without using credentials.
Access control vestibules (sometimes called mantraps) allow only
a single person to pass at a time. Sophisticated mantraps can
identify and authenticate individuals before allowing access.
Dumpster divers search through trash looking for information.
Shredding or burning papers instead of throwing them away
mitigates this threat.

110
Q
A

Spam is unwanted email. Phishing is malicious spam. Attackers
attempt to trick users into revealing sensitive or personal
information or clicking on a link. Links within email can also lead
unsuspecting users to install malware.

111
Q
A

A spear phishing attack targets specific groups of users. It could
target employees within a company or customers of a company.
Digital signatures provide assurances to recipients about who sent
an email and can reduce the success of spear phishing. Whaling
targets high-level executives or impersonates high-level
executives.

112
Q
A

Vishing is a form of phishing that uses the phone system or VoIP.
Some vishing attempts are fully automated. Others start as
automated calls, but an attacker takes over at some point during
the call. Smishing is a form of phishing using text messages.

113
Q
A

Antivirus software detects and removes malware, such as viruses,
Trojans, and worms. Signature-based antivirus software detects
known malware based on signature definitions. Heuristic-based
antivirus software detects previously unknown malware based on
behavior.

114
Q
A

Social engineers are effective largely because they use
psychology-based techniques to overcome users’ objections.
These techniques include representing themselves as authority
figures, using intimidation, faking scarcity, creating a sense of
urgency, establishing familiarity, and creating a sense of trust.

115
Q
A

A distributed denial-of-service (DDoS) attack is an attack from
multiple computers against a single target. DDoS attacks typically
include sustained, abnormally high network traffic and usage of
memory and processor time resulting in resource exhaustion.
Major variants of DDoS attacks include reflected attacks, which
involve using third-party servers to redirect traffic to the target,
and amplified attacks, which combine reflection techniques with
amplification to generate an even greater volume of traffic
directed at the target.

116
Q
A

An on-path attack is a form of active eavesdropping. It captures
data from two other computers in a session. When secure
channels are used, the on-path system may use certificates that
aren’t issued by a CA and will generate certificate warnings. SSH
gives a warning if previously established keys have changed.

117
Q
A

A DNS poisoning attack attempts to modify or corrupt DNS data.
Pharming is also an attack on DNS, and it manipulates the DNS
name resolution process. A primary indicator of both attacks is
that a user tries to go to one website but is taken to a different
website.

118
Q
A

In a domain hijacking attack, an attacker changes a domain name
registration without permission from the owner.

119
Q
A

Replay attacks capture data in a session to impersonate one of
the parties in the session. Timestamps, sequence numbers, and
multi-factor authentication are effective countermeasures against
replay attacks.

120
Q
A

The lack of input validation is one of the most common security
issues on web-based applications. Input validation verifies the
validity of inputted data before using it, and server-side validation
is more secure than client-side validation. Input validation
protects against many attacks, such as buffer overflow, SQL
injection, dynamic link library injection, and cross-site scripting
attacks.

121
Q
A

Error and exception handling helps protect the operating system’s
integrity and controls the errors shown to users. Applications
should show generic error messages to users but log detailed
information.

122
Q
A

Static code analysis examines the code without running it. In a
manual review, a developer goes through the code line by line,
looking for vulnerabilities. Dynamic code analysis checks the code
while it is running. Fuzzing techniques send random strings of
data to applications looking for vulnerabilities.

123
Q
A

A secure development environment includes multiple stages.
Stages are completed in separate non-production environments.
Quality assurance methods are used in each of the stages.

124
Q
A

Attackers use SQL injection attacks to pass queries to back-end
databases through web servers. Many SQL injection attacks use
the code ‘ or 1=1 to trick the database server into providing
information. Input validation techniques and stored procedures
help prevent SQL injection attacks.

125
Q
A

Buffer overflows occur when an application receives more data
than it can handle or receives unexpected data that exposes
system memory. Buffer overflow attacks often include NOP
instructions (such as 0x90) followed by malicious code. When
successful, the attack causes the system to execute the malicious
code. Input validation helps prevent buffer overflow attacks.

126
Q
A

The common use cases for automation and scripting in security
operations are user provisioning, resource provisioning,
guardrails, security groups, ticket creation, escalation,
enabling/disabling services and access, continuous integration
and testing, and the use of APIs to create integrations.

127
Q
A

The key benefits of automation and scripting in security
operations include improved efficiency and time saving, consistent
enforcement of baselines, standardized infrastructure
configurations, secure scaling, increased employee retention,
faster reaction times, and serving as a workforce multiplier.

128
Q
A

When implementing automation and scripting in security
operations, it is essential to consider the potential complexity,
cost, single points of failure, technical debt, and ongoing
supportability to ensure long-term success and maintainability.

129
Q
A

It is not possible to eliminate risk, but you can take steps to
manage it. An organization can avoid a risk by not providing a
service or not participating in a risky activity. Insurance transfers
the risk to another entity. You can mitigate risk by implementing
controls, but when the cost of the controls exceeds the cost of
the risk, an organization accepts the remaining, or residual, risk.

130
Q
A

A quantitative risk assessment uses specific monetary amounts to
identify cost and asset values. The SLE identifies each loss’s cost,
the ARO identifies the number of events in a typical year, and the
ALE identifies the expected annual loss from the risk. You
calculate the ALE as SLE × ARO. A qualitative risk assessment
uses judgment to categorize risks based on the likelihood of
occurrence and impact.

131
Q
A

A risk register is a comprehensive document listing known
information about risks such as the risk owner. It typically
includes risk scores along with recommended security controls to
reduce the risk scores. A risk matrix plots risks onto a chart.

132
Q
A

A vulnerability scanner can identify vulnerabilities, misconfigured systems, and the lack of security controls such as up-to-date
patches. Vulnerability scans may be configured as passive and
have little impact on a system during a test. In contrast, a
penetration test is intrusive and can potentially compromise a
system.

133
Q
A

A false positive from a vulnerability scan indicates that a scan
detected a vulnerability, but the vulnerability doesn’t exist.
Credentialed scans run under the context of a valid account and
can get more detailed information on targets, such as the
software versions of installed applications. They are typically
more accurate than non-credentialed scans and result in fewer
false positives.

134
Q
A

A penetration test is an active test that can assess deployed
security controls and determine the impact of a threat. It starts
with reconnaissance and then tries to exploit vulnerabilities by
attacking or simulating an attack.

135
Q
A

After exploiting a system, penetration testers use privilege
escalation techniques to gain more access to target systems.
Pivoting is the process of using an exploited system to target
other systems.

136
Q
A

Unknown environment testers have zero prior knowledge of a
system prior to a penetration test. Known environment testers
have full knowledge of the environment, and partially known
environment testers have some knowledge.

137
Q
A

Administrators use a protocol analyzer to capture, display, and
analyze packets sent over a network. It is useful when
troubleshooting communication problems between systems. It is
also useful to detect attacks that manipulate or fragment packets.

138
Q
A

Proximity cards are typically credit card-sized access cards. Users
pass the card near a proximity card reader, and the card reader
then reads data on the card. Some access control points use
proximity cards with PINs for authentication.

139
Q
A

Video surveillance provides reliable proof of a person’s location
and activity. It can identify who enters and exits secure areas and can record theft of assets. Many cameras include motion
detection and object detection capabilities. CCTV systems can be
used as a compensating control in some situations.

140
Q
A

Sensors monitor the environment and can detect changes.
Common sensor types include motion and noise detection as well
as sensors designed to monitor infrared temperature, pressure,
microwaves, and ultrasonic waves.

141
Q
A

A single point of failure is any component whose failure results in
the failure of an entire system. Elements such as RAID, load
balancing, UPSes, and generators remove many single points of
failure. RAID is an inexpensive method used to add fault
tolerance and increase availability. If only one person knows how
to perform specific tasks, that person can become a single point
of failure.

142
Q
A

RAID subsystems, such as RAID-1, RAID-5, and RAID-6, provide
fault tolerance and increased data availability. RAID-1 and RAID-5
can survive the failure of one disk, and RAID-6 can survive the
failure of two disks.

143
Q
A

Load balancing increases the overall processing power of a
service by sharing the load among multiple servers.
Configurations can be active/passive or active/active. Scheduling methods include round-robin and source IP address affinity.
Source IP address affinity scheduling ensures clients are
redirected to the same server for an entire session.

144
Q
A

If you have unlimited time and money, the full backup alone
provides the fastest recovery time. Full/incremental strategies
reduce the amount of time needed to perform backups.
Full/differential strategies reduce the amount of time needed to
restore backups.

145
Q
A

Test restores are the best way to test the integrity of a company’s
backup data. Backup media should be protected with the same
level of protection as the data on the backup. Geographic considerations for backups include storing backups off-site,
choosing the best location, and considering legal implications and
data sovereignty.

146
Q
A

The BIA identifies mission-essential functions and critical systems that are essential to the organization’s success. It also identifies
maximum downtime limits for these systems and components,
various scenarios that can impact these systems and components,
and the potential losses from an incident.

147
Q
A

The recovery time objective (RTO) identifies the maximum
amount of time it should take to restore a system after an
outage. It is derived from the maximum allowable outage time
identified in the BIA. The recovery point objective (RPO) refers to
the amount of data you can afford to lose.

148
Q
A

The mean time between failures (MTBF) provides a measure of a
system’s reliability and an estimate of how often the system will
experience outages. The mean time to repair (MTTR) refers to the
time it takes to restore a system.

149
Q
A

A hot site includes personnel, equipment, software, and
communication capabilities of the primary site with all the data
up-to-date. A hot site provides the shortest recovery time
compared with warm and cold sites. It is the most effective
disaster recovery solution, but it is also the most expensive to
maintain.

150
Q
A

A cold site will have power and connectivity needed for a recovery
site, but little else. Cold sites are the least expensive and the
hardest to test. A warm site is a compromise between a hot site
and a cold site. Mobile sites do not have dedicated locations but
can provide temporary support during a disaster.

151
Q
A

A disaster recovery plan (DRP) identifies how to recover critical
systems after a disaster and often prioritizes services to restore
after an outage. Testing validates the plan. The final phase of
disaster recovery includes a review to identify any lessons learned
and may include an update of the plan.

152
Q
A

You can validate business continuity plans through testing.
Tabletop exercises are discussion-based only and are typically
performed in a conference setting. Simulations are hands-on
exercises using a simulated environment. Parallel processing
activates the disaster recovery site and runs it alongside the
primary site. Failover tests shut down the primary site to
determine whether the failover site works properly.

153
Q
A

Hashing verifies integrity for data such as email, downloaded
files, and files stored on a disk. A hash is a hexadecimal number
created with a hashing algorithm.

154
Q
A

Hashing is a one-way function that creates an alphanumeric
string of characters. You cannot reverse the hash to re-create the
original file. Passwords are often stored as hashes instead of
storing the actual password. Additionally, applications often salt
passwords with extra characters before hashing them.

155
Q
A

If you can recognize the hashing algorithms such as MD5, SHA,
and HMAC, it will help you answer some exam questions. For
example, if a question asks what you would use to encrypt data
and it lists three hashing algorithms, you can quickly eliminate
them because hashing algorithms don’t encrypt data.

156
Q
A

Online attacks guess the password of an online system. Offline
attacks guess the password stored within a downloaded file, such
as a database. Logs will show a large volume of failed logon
attempts as Event ID 4625 and/or several accounts being locked
out as Event ID 4740. Spraying attacks attempt to avoid account
lockout policies, but logs will still show a large volume of failed
logon attempts, with a time lapse between each entry.

157
Q
A

Passwords are typically stored as hashes. A pass the hash attack
attempts to use an intercepted hash to access an account. These
attacks can be detected in Event ID 4624 with a Logon Process of
NTLMSSP and/or an Authentication Package of NTLM.

158
Q
A

Birthday attacks exploit collisions in hashing algorithms. A hash
collision occurs when the hashing algorithm creates the same
hash from different passwords. Salting adds random text to
passwords before hashing them and thwarts many password
attacks, including rainbow table attacks.

159
Q
A

Bcrypt, PBKDF2, and Argon2 are key stretching techniques that
help prevent brute force and rainbow table attacks. They salt the
password with additional bits and then send the result through a
cryptographic algorithm.

160
Q
A

Encryption provides confidentiality and helps ensure that data is
viewable only by authorized users. This applies to any data at rest
(such as data stored in a database) or data in transit being sent
over a network.

161
Q
A

Symmetric encryption uses the same key to encrypt and decrypt
data. For example, when transmitting encrypted data, symmetric
encryption algorithms use the same key to encrypt and decrypt
data at both ends of the transmission media.

162
Q
A

Stream ciphers encrypt data a single bit, or a single byte, at a
time in a stream. Block ciphers encrypt data in a specific-sized
block such as 64-bit or 128-bit blocks. Stream ciphers are more
efficient than block ciphers when encrypting data in a continuous
stream.

163
Q
A

AES is a strong symmetric block cipher that encrypts data in 128-
bit blocks. AES uses 128-bit, 192-bit, or 256-bit keys. 3DES is a
block cipher that encrypts data in 64-bit blocks. 3DES was
originally designed as a replacement for DES, but NIST selected
AES as the current standard. However, 3DES is still used in some
applications, such as when legacy hardware doesn’t support AES.

164
Q
A

Only a private key can decrypt information encrypted with a
matching public key. Only a public key can decrypt information
encrypted with a matching private key. A key element of several
asymmetric encryption methods is that they require a digital
certificate and a PKI.

165
Q
A

Digital certificates are an important part of asymmetric
encryption. Digital certificates include public keys along with
details on the owner of the certificate and on the Certificate
Authority (CA) that issued the certificate. Certificate owners share
their public key by sharing a copy of their digital certificate.

166
Q
A

Steganography, tokenization, and masking are examples of
obfuscation techniques used to protect sensitive data.
Steganography hides messages or data within other files.
Tokenization replaces sensitive data with non-sensitive tokens,
retaining essential information without revealing sensitive details.
Masking partially or fully conceals sensitive data with characters,
symbols, or other data.

167
Q
A

Knowing which key encrypts and which key decrypts will help you
answer some questions on the exam. For example, just by
knowing that a private key is encrypting, you know that it is being
used for a digital signature.

168
Q
A

A digital signature is an encrypted hash of a message. The
sender’s private key encrypts the hash of the message to create
the digital signature. The recipient decrypts the digital signature
to reveal the hash with the sender’s public key. If successful, it
provides authentication, non-repudiation, and integrity.
Authentication identifies the sender. Integrity verifies the message
has not been modified. Non-repudiation prevents senders from
later denying they sent an email.

169
Q
A

When encrypting an email message, the sender encrypts it with
the recipient’s public key, and the recipient uses the recipient’s
private key to decrypt the encrypted email message.

170
Q
A

TLS is the replacement for SSL. TLS requires certificates issued by
certificate authorities (CAs). TLS encrypts HTTPS traffic, but it can
also encrypt other traffic.

171
Q
A

Administrators should disable weak cipher suites and weak
protocols on servers. When a server has both strong and weak
cipher suites, attackers can launch downgrade attacks bypassing
the strong cipher suite and exploiting the weak cipher suite.

172
Q
A

You typically request certificates using a certificate signing
request (CSR). The first step is to create the RSA-based private
key, which is used to create the public key. You then include the
public key in the CSR and the CA will embed the public key in the
digital certificate. The private key is not sent to the CA.

173
Q
A

CAs revoke certificates for several reasons such as when the
private key is compromised or the CA is compromised. The
certificate revocation list (CRL) includes a list of revoked certificates and is publicly available. An alternative to using a CRL
is the Online Certificate Status Protocol (OCSP), which returns
answers such as good, revoked, or unknown.

174
Q
A

Certificate stapling is an alternative to OCSP. The certificate
presenter (such as a web server) appends a timestamped,
digitally signed OCSP response from the CA to the certificate. This
reduces OCSP traffic to and from the CA.

175
Q
A

CER is an ASCII format for certificates and DER is a binary
format. PEM is the most used certificate format and can be used
for just about any certificate type. P7B files are commonly used to
share public keys. P12 and PFX files are commonly used to hold
the private key.

176
Q
A

An incident response policy defines a security incident and
incident response procedures. Incident response procedures start
with preparation, which readies the organization for incidents and
helps prevent them, such as malware infections. Personnel
review the policy periodically and in response to lessons learned
after incidents.

177
Q
A

The first step in the incident response process is preparation.
Next, the organization detects security incidents that occur and
analyzes their effects. After identifying an incident, personnel
attempt to contain the problem to protect critical systems while
maintaining business operations. Eradication attempts to remove
all malicious components from an attack, and recovery returns
affected systems to normal operation. Reviewing lessons learned
allows personnel to analyze the incident and the response to help
prevent a future occurrence.

178
Q
A

When collecting data for forensic analysis, you should collect it
from the most volatile to the least volatile. The order of volatility is cache memory, regular RAM, swap file (or paging file), hard
drive data, and data stored on network systems.

179
Q
A

Security Orchestration, Automation, and Response (SOAR)
platforms use internal tools to respond to low-level security
events automatically, reducing administrator workload. A SOAR
playbook provides a checklist of things to check for suspected incidents. A SOAR runbook implements the playbook checklist
using available tools within the organization.

180
Q
A

Data governance refers to the processes an organization uses to
manage, process, and protect data. Some data governance
methods help ensure or improve the quality of data. Other
methods are driven by regulations and laws. Proper data
governance practices ensure that critical data elements are
identified.