Multiple Choice Flashcards

Question

Dion Training Solutions needs a network appliance capable of filtering traffic based on URL, HTTP headers, and specific web application functionalities. At which layer of the OSI model would this appliance primarily operate? Layer 5 Layer 3 Layer 6 Layer 7

Answer 1

Layer 7 Overall explanation: OBJ: 3.2 - Layer 7, or the application layer, deals with end-user services, and appliances at this layer can make filtering decisions based on specifics like URLs, HTTP headers, and specific application functions. Layer 6, the presentation layer, is responsible for translating data between the application and transport layers. Layer 5, the session layer, manages connections between applications. It isn't focused on the content-specific criteria like URLs and HTTP headers. Layer 3 devices are concerned with IP addressing and routing. Domain: Security Architecture

Answer 2

Evidence of internal audits Overall explanation: OBJ: 5.3 - Evidence of Internal Audits showcases a vendor's proactive approach to maintaining and enhancing their security measures. Such audits are conducted internally and reflect a rigorous self-assessment of security practices, vulnerabilities, and control mechanisms. By reviewing these, a company can gain insights into the vendor's commitment to security, how they address potential weaknesses, and their overall cybersecurity health. This evidence can be instrumental in gauging the reliability and trustworthiness of the vendor's internal security framework. Regulatory compliance certificates indicate compliance with specific regulations but don't provide detailed insights into internal evaluations. While customer testimonials may provide feedback on the vendor's performance, they don't offer insights into the vendor's internal evaluations of their security measures. External penetration test reports show the results of external entities testing the vendor's defenses, not the vendor's own evaluations. Domain: Security Program Management and Oversight

Answer 3

Disabling ports Overall explanation: OBJ: 2.5 - Disabling ports is the act of turning off specific communication points in a system to reduce potential vulnerabilities or halt unauthorized access. Encryption is the process of converting data into a code to prevent unauthorized access. It doesn't deal with turning off specific entry or exit points in a system. Monitoring is the continuous observation and checking of a system or network to ensure its functionality and security. It is not directly related to shutting off communication points. Segmentation is the dividing a network into different parts or segments for security and performance enhancement, but not specifically about shutting off communication points. Domain: Threats, Vulnerabilities, and Mitigations

Answer 4

Disabling unnecessary services and protocols. Overall explanation: OBJ: 3.2 - Reducing active services and protocols minimizes potential entry points for attackers, thereby reducing the attack surface. Relying on a single layer of security can leave the network vulnerable if that layer is compromised. Allowing most inbound and outbound traffic would significantly expand the attack surface by allowing potentially malicious traffic. Uniform passwords increase the risk of a widespread breach if the common password is compromised. Domain: Security Architecture

Answer 5

Time-of-check (TOC) Overall explanation: OBJ: 2.3 - A TOC vulnerability occurs when an attacker exploits the time gap between the verification of data and its use, potentially leading to unauthorized or malicious activities. Memory leaks are when a program doesn't release memory that it no longer needs, leading to potential system slowdowns or crashes. This does not involve data manipulation after verification. Race conditions relate to the unexpected order and timing of events in software execution but are not specifically about the gap between data verification and use. Resource exhaustion refers to the overuse of system resources, be it CPU time, memory, or others, which can lead to denial of service. It's not specific to data manipulation after its verification. Domain: Threats, Vulnerabilities, and Mitigations

Answer 6

Reviewing event logs Overall explanation: OBJ: 4.3 - Event logs can provide insight into system and process behaviors. By examining these logs, an organization can validate whether a vulnerability has been adequately addressed or if it's still causing issues. Rescanning is about running the vulnerability scan again to identify remaining vulnerabilities but doesn't provide insights from system and network logs. While it's about keeping systems updated, patch management itself doesn't involve examining logs to validate vulnerability remediation. Threat modeling is a process of understanding and mapping potential threats but doesn't validate vulnerability remediation through logs. Domain: Security Operations

Answer 7

Trapdoor function Overall explanation: OBJ: 1.4 - The RSA algorithm uses a trapdoor function, where encryption is easy to perform using the public key, but reversing the process (decryption) without the private key is challenging. RSA's principle is that certain mathematical operations are easy to perform, but their inverse operations are difficult without specific knowledge. Symmetric encryption is a type of encryption where the same key is used for both encryption and decryption, unlike RSA which uses a pair of public and private keys. A hash function is a process that converts an input (often a long string) into a fixed-size value, commonly used for verifying data integrity but not specifically tied to RSA's public key cryptography. A digital signature is a means to verify the authenticity of a digital message or document, using a combination of hashing and encryption, but it isn't the mathematical property of RSA. Domain: General Security Concepts

Answer 8

Attempting to access files outside of intended directories. Overall explanation: OBJ: 2.4 - This scenario is a classic example of directory traversal. The described activities are consistent with an attacker trying to move up the directory structure and access files or directories they shouldn't. This often involves navigating directories in ways the system didn't intend. Buffer overflow attacks involve overloading a system's memory buffer to cause it to crash or to insert malicious code. The activities described in the scenario are more about navigating the file system than overwhelming it. Injection attacks usually involve inputting malicious data into a system with the intent that it will be executed. The scenario described does not suggest data is being executed or run; rather, it's an attempt to navigate to unintended areas. Privilege escalation attacks aim to gain elevated access to resources that are normally protected from an application or user. While this might be an outcome or a motive, the method described here doesn't necessarily represent this type of attack. Domain: Threats, Vulnerabilities, and Mitigations

Answer 9

Agent-based NACs use additional software to authenticate users, while Agentless NACs use network-level protocols to authenticate users. Overall explanation: OBJ: 4.4 - Both forms of NAC authenticate users and grant access. Agent-based NACs use a software component installed on a central server to monitor network traffic, while Agentless involves monitoring network devices directly through the use of network-level protocols without the need for additional software. Agent-based NACs require additional software. There isn't a difference in the amount of data they collect. Both forms of NAC authenticate users and grant access. Agent-based NACs use a software component installed on a central server to monitor network traffic, while Agentless involves monitoring network devices directly through the use of network-level protocols without the need for additional software. Agentless NACs don't require additional software. There isn't a difference in the amount of data they collect. Domain: Security Operations

Answer 10

Risk assessments Overall explanation: OBJ: 1.1 - Periodic evaluations, like risk assessments, are a managerial security control that involves regularly evaluating the threats to systems and networks. This can help the company identify potential threats and take steps to mitigate them. Security guards are considered operational controls, not managerial controls. A firewall is a technical security control that monitors and controls incoming and outgoing network traffic based on predetermined security rules. An intrusion detection system is a technical security control that monitors network traffic for signs of security threats. Domain: General Security Concepts

Answer 11

Frequency Overall explanation: OBJ: 3.4 - Frequency refers to how often data backups are carried out. Regular backups at set intervals are crucial to minimize the potential loss of data. Replication is the copying of data from one system to another. The regularity with which this is done isn't an important part of replication. Journaling entails verifying and logging data, not the regularity of backups. While load balancing is a technique for distributing workloads across multiple computers or networks, it doesn't relate to how frequently backups are created. Domain Security Architecture

Answer 12

Using a passphrase to generate a pairwise master key (PMK). Overall explanation: OBJ: 2.2 - WPA2-PSK leverages a passphrase to create a key, called the PMK, to encrypt communications. This is a distinguishing feature of WPA2's personal authentication. The Dragonfly handshake is a key feature of the WPA3's Simultaneous Authentication of Equals (SAE) method. This does not pertain to the WPA2 authentication mechanism. PAKE is specifically a method associated with WPA3's SAE protocol. It's not the method employed by WPA2 for authentication. QR codes for configuration relate to the newer Easy Connect method. It is not a characteristic of WPA2 Personal authentication. Domain: Threats, Vulnerabilities, and Mitigations

Answer 13

Layer 4 Overall explanation: OBJ: 3.2 - Layer 4, or the transport layer, deals with protocols like TCP and UDP and is concerned with port numbers and connection-oriented communication. Network appliances operating at this layer filter and manage traffic based on source and destination IP addresses, as well as port numbers. Layer 3, the network layer, is primarily focused on routing data and IP addressing. Devices at this layer, like routers, aren't primarily concerned with port numbers. Layer 5, the session layer, establishes, maintains, and terminates connections between applications on different devices. It doesn't handle filtering based on IP addresses and port numbers. Layer 2, the data link layer, deals with frames and MAC addresses. Switches typically operate at this layer. Domain: Security Architecture

Answer 14

Complexity Overall explanation: OBJ: 4.7 - Complexity refers to the degree of intricacy in a system or process. In automation and orchestration, high complexity can lead to challenges in maintenance, understanding, and implementation. Ongoing supportability relates to the ease with which a system can be maintained and supported over time, but it doesn't specifically address the intricacy or convolution of a system. While high complexity can lead to increased costs, the term 'cost' encompasses a broader range of financial considerations, not just those associated with intricate systems. While technical debt can be a consequence of complexity, it more specifically refers to the implied cost of additional rework caused by choosing a quicker yet less optimal solution. Domain: Security Operations

Answer 15

Insecure Interfaces and APIs Overall explanation: OBJ: 2.3 - Insecure Interfaces and APIs are a type of vulnerability that arises when the interaction between users and cloud services through interfaces and APIs is not secure, exposing systems to potential unauthorized access and manipulation of data. Cross-site scripting (XSS) is a security vulnerability typically found in web applications, enabling attackers to inject malicious scripts into websites viewed by other users, potentially leading to a variety of malicious activities. Buffer overflows occur when a program writes more data to a block of memory, or buffer, than it was allocated for, which can lead to various issues, including the potential execution of arbitrary code. Side loading refers to the practice of installing applications on a device without using the official app store, which can lead to various security concerns, including the installation of malicious software. Domain: Threats, Vulnerabilities, and Mitigations

Answer 16

Verify the legitimacy of the software vendor. Overall explanation: OBJ: 4.1 - Before making any purchases, it's essential to ensure the vendor is reputable to avoid acquiring counterfeit or malicious software. Financial considerations, while valid, come after ensuring security. Compatibility is important, but first, you need to ensure you're buying from a reputable source. While collaboration is crucial, the first step should be to ensure the vendor's legitimacy. Domain: Security Operations

Answer 17

Risk Threshold Overall explanation: OBJ: 5.2 - The $500,000 financial impact figure is an example of a risk threshold, as it is the specific point at which the company must act to mitigate risk. While risk limit is not a standard term, it could colloquially be used to describe a risk threshold, but in this context, the correct term is "risk threshold." Risk level pertains to the severity of risk and does not describe the actionable limit set by the company. Risk tolerance refers to the general level of risk the firm is willing to accept, not the precise financial impact threshold for action. Domain: Security Program Management and Oversight

Answer 18

ECC Overall explanation: OBJ: 1.4 - ECC (Elliptic curve cryptography) is a type of trapdoor function that is efficient with shorter key lengths. For instance, ECC with a 256-bit key provides roughly the same security as RSA with a 2048-bit key. The primary advantage is that ECC has no known shortcuts to cracking it, making it particularly robust. Diffie-Hellman is an algorithm primarily for secure key exchange, not directly comparable to the encryption efficiency offered by ECC's shorter key lengths. Digital Signature Algorithm (DSA) is an algorithm used for digital signatures, but it doesn't inherently offer the same efficiency in terms of key length as ECC. While a foundational asymmetric algorithm, RSA generally requires longer key lengths than ECC to achieve comparable security levels. Domain: General Security Concepts

Answer 19

Inadequate buffer overflow protections. Overall explanation: OBJ: 3.1 - RTOSs prioritize performance, sometimes at the expense of security features like buffer overflow protections, potentially leaving the system susceptible to certain attacks. RTOSs aren't primarily concerned with supporting legacy protocols, and this isn't a direct security risk associated with them. RTOSs are designed for efficiency and generally don't involve the overheads from virtualization layers. While cloud access can pose risks, it's not an inherent security implication of using an RTOS. Domain: Security Architecture

Answer 20

Attestation Overall explanation: OBJ: 5.5 - Attestation is the term that refers to the process of affirming the accuracy and completeness of compliance reports. It involves providing formal statements or declarations about the organization's compliance with specific regulations or standards. Attestation can be done internally by the organization's management or externally by a third-party auditor. An independent third-party audit involves an external and unbiased assessment conducted by an independent auditor or a third-party organization. The purpose of this audit is to provide an objective evaluation of the organization's compliance status. Independent third-party audits are often used to validate and verify compliance claims made by the organization and can offer more credibility to compliance reports. Internal assessment involves the organization's internal evaluation of its adherence to established compliance requirements. This process may include self-assessments, internal audits, and reviews conducted by the organization's compliance team to ensure it meets necessary regulatory and security standards. A regulatory examination is an external evaluation conducted by a government agency or a regulatory body to ensure that an organization is complying with specific regulations or industry standards. During a regulatory examination, the organization's compliance practices, controls, and processes are thoroughly reviewed to assess their alignment with the applicable rules and requirements. Domain: Security Program Management and Oversight

Answer 21

The signatures require tuning. Overall explanation: OBJ: 4.5 - When signatures are overly broad or not precisely defined, they might incorrectly match legitimate network traffic, leading to false positives. Signature-based detection works by inspecting traffic patterns, whether encrypted or not. However, the encrypted nature of traffic isn't the primary reason for false positives in signature-based detection. While outdated signatures might miss newer threats, they aren't typically the cause of false positives. Instead, they might lead to false negatives. Where the signature database is stored does not influence the accuracy of detection. It's the quality and precision of the signatures that matter most. Domain: Security Operations

Answer 22

Limited security update capabilities. Overall explanation: OBJ: 3.1 - SCADA systems are often engineered for specific tasks and might not receive regular security updates, making them susceptible to vulnerabilities over time. While important for real-time systems, runtime efficiency is not a primary security concern for SCADA systems. Memory constraints are more pertinent to embedded or real-time systems, not inherently a SCADA security concern. SCADA systems are not typically deployed in containers; thus, this isn't a relevant security implication. Domain: Security Architecture

Answer 23

National legal implications Overall explanation: OBJ: 5.4 - National legal implications are laws and regulations set at the country level that outline the requirements and boundaries for data protection and privacy. Consent management is a process that ensures organizations obtain and manage the consent of individuals before collecting or processing their personal data. Data encryption is a method used to protect data from unauthorized access by converting it into a code. The GDPR is a regulation enacted by the European Union to ensure data protection and privacy for all its citizens. Domain: Security Program Management and Oversight

Answer 24

802.1X Overall explanation: OBJ: 3.2 - 802.1x is a standard developed by the IEEE to govern port-based network access. When used with a RADIUS based authentication server it provides authentication services, checking user credentials to ensure that the user is a legitimate part of the organization and granting access to only those areas of the system that the user is allowed to access. Fail-open refers to what happens when a network encounters errors and exceptions. Fail-open means that when errors occur or exceptions are encountered, the system continues allowing access rather than denying access. Fail-open allows a website to continue offering services even after an error has occurred. The emphasis is, therefore, keeping the website up while the error is addressed, hoping that the error is a minor issue. An intrusion detection system (IDS) monitors network traffic for malicious activities. It alerts to the potential activity but does not prevent it from passing through the network. In this way, it provides a layer of protection without slowing down network performance. Fail-close refers to what happens when a network encounters errors and exceptions. Fail-close means that when errors occur or exceptions are encountered, the system denies further access. This prevents any further network traffic until the error or exception are dealt with. While this provides greater security, it means that a website can’t be accessed even if the error encountered is minor or doesn’t pose a security threat. Domain: Security Architecture

Answer 25

Web application firewall (WAF) Overall explanation: OBJ: 4.4 - A WAF specifically protects web applications by filtering and monitoring HTTP traffic, providing defenses against web-specific attacks such as SQL injection. While HIDS monitors the internals of a computing system, it isn't explicitly designed to combat web application-specific threats. While antivirus software can detect malware and malicious files, it isn't particularly tailored to protect against web application-specific threats like SQL injection. NetFlow collects IP traffic information and monitors network flow data but doesn't specifically target web application vulnerabilities. Domain: Security Operations

Answer 26

$1,500 Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) SLE x ARO = ARO Overall explanation: OBJ: 5.2 - The ALE is calculated by multiplying the SLE by the ARO. With an SLE of $15,000 and an ARO of 0.1, the ALE equals $1,500 ($15,000 * 0.1 = $1,500). This represents the expected yearly financial loss due to operational failures. $150 isn't correct. $15,000 isn't correct. $150,000 isn't correct. Domain: Security Program Management and Oversight

Answer 27

Centralized governance Overall explanation: OBJ: 5.1 - Centralized governance involves decision-making authority concentrated in a single authority or department within an organization. In this structure, key decisions are made at the top level and are then disseminated throughout the organization. Decentralized governance involves distributing decision-making power among different departments or units within the organization, rather than being concentrated in a single authority. Board governance typically refers to the governing body of an organization, composed of members who represent various stakeholders. The board's role is to oversee the organization's activities, but it may not always involve centralized decision-making power. Committee governance involves decision-making authority vested in committees, which are groups of individuals formed to address specific tasks or issues within the organization. It does not necessarily involve a single authority or department with centralized decision-making power. Domain: Security Program Management and Oversight

Answer 28

Risk tolerance Overall explanation: OBJ: 5.2 - Risk tolerance refers to an organization's predetermined level of acceptable risk exposure. It represents the extent to which an organization is willing to tolerate potential risks before taking action to mitigate or avoid them. The exposure factor is a calculation that determines the amount of value that is lost if an event takes place. It doesn't measure an organization's level of acceptable risk exposure. The term "conservative" is not directly related to risk management. In financial contexts, it may refer to a risk-averse approach or cautious decision-making. While similar to risk tolerance, risk appetite refers to the amount of risk an organization is willing to take on to achieve its strategic objectives. It represents the organization's overall attitude toward risk-taking. Domain: Security Program Management and Oversight

Answer 29

Key exchange Overall explanation: OBJ: 1.4 - Key exchange is a process in which two communicating parties establish a shared secret key, typically used for symmetric encryption. This key is established in a manner so that eavesdroppers, even if they intercept the key exchange messages, cannot determine the shared key. The most common method for key exchange is the Diffie-Hellman protocol. Asymmetric encryption uses different keys for encryption and decryption, but it doesn't involve the exchange of cryptographic keys. Symmetric encryption the same key for both encryption and decryption, but it doesn't involve the exchange of cryptographic keys. Hashing involves converting input data (often called a message) into a fixed-length string of bytes. It's primarily used for data integrity checks and is not reversible, meaning you cannot retrieve the original input from its hash. Therefore, it isn't suitable for the purpose of exchanging cryptographic keys or establishing shared secrets for communication. Domain: General Security Concepts

Answer 30

SD-WAN Overall explanation OBJ: 3.2 - SD-WAN (Software-defined wide area network) provides centralized network management, flexible routing, and traffic management capabilities. It can be hosted both on-premises and in the cloud, giving it an edge for comprehensive WAN optimization. TLS (Transport Layer Security) operates at the application layer and is primarily used for securing application-level communication. It doesn't offer WAN optimization or centralized network management. While SASE offers both network security and WAN capabilities, its primary selling point is as a cloud-based solution that integrates both. It doesn't focus solely on WAN performance optimization. AH (Authentication header) is a protocol component of IPsec which offers packet integrity but does not specifically cater to WAN optimization or management. Domain Security Architecture

Answer 31

Risk owner Overall explanation: OBJ: 5.2 - Sarah exemplifies a risk owner, as she is tasked with the ongoing management and mitigation of risks pertaining to the data management platform. A risk register would be the tool Sarah uses to track and assess the risks, not her role. A risk indicator would be a metric Sarah might monitor to assess risk levels, not her position. A risk assessor might be a role that Sarah takes on when evaluating risks, but it does not encapsulate her comprehensive management responsibilities. Domain: Security Program Management and Oversight

Answer 32

IaC - Infrastructure as code Overall explanation: OBJ: 3.1 - Infrastructure as code (IaC) allows infrastructure to be provisioned and managed using code, making it easier to manage, replicate, and scale. While serverless architecture reduces the complexity of deploying code into production, it doesn't involve defining the underlying infrastructure as code. An air-gapped network is a security measure that involves physically isolating a computer or network and ensuring it doesn't connect to unsecured networks, especially the public internet. It doesn't deal with infrastructure management methodologies. Microservices architecture is about designing software applications as suites of independently deployable services, but it doesn't directly address infrastructure provisioning through code. Domain: Security Architecture

Answer 33

DAC - Discretionary Access Control Overall explanation: OBJ: 1.2 - Discretionary Access Control (DAC) is an authorization model where the owner of the resource decides who is allowed to access it. Mandatory Access Control (MAC) is an authorization model where access to resources is determined by a set of rules defined by a central authority. Role-Based Access Control (RBAC) is an authorization model that assigns permissions to roles, rather than individual users. Attribute Based Access Control (ABAC) determines access through a combination of contexts and system wide attributes. Domain: General Security Concepts

Answer 34

clickjacking Overall explanation: Clickjacking is a method by which an attacker can get a user to click on something that appears to be legitimate, but redirect that click to another location. CSS being injtected into a website or page is one method of performing this particular type of attack. Session hijacking involves taking over a user's session or using their cookies to gain access to a site. URL hijacking is when a legitimate URL is removed from a search engine index and replaced with another that redirects to the former URL by a malicious threat actor. Typo squatting is registering a domain name (or multiple domain names) that are very similar to a target's domain name so that people mistyping the intended domain name are sent to the threat actor's website instead. Domain: 2.4 - Given a scenario, analyze indicators of malicious activity.

Answer 35

evil twin Overall explanation: An evil twin is a type of a rogue access point, but goes a step further in that it is a malicious device that attempts to get users to join it instead of the real WAPs that are used by an organization. It typically uses the same SSID as the organization so that the user devices will automatically think that they have found the right network when they connect to it. Domain: 2.2 - Explain common threat vectors and attack surfaces.

Answer 36

WPS Overall explanation: Wi-Fi Protected Setup uses a very weak PIN as part of the connection configuration. Wired connections with USB and ethernet are much more secure, as is a Wi-Fi connection using WPA2 for encryption. Domain: 2.2 - Explain common threat vectors and attack surfaces.

Answer 37

Disassociation Attack Overall explanation: A disassociation attack can be used to disconnect a user from a wireless network so that they must re-authenticate to connect. When the user attempts to re-connect and re-authenticate, the attacker can sniff the packets involved in the 4-way handshake and then use brute force to attempt to crack the password being used. Domain: 2.4 - Given a scenario, analyze indicators of malicious activity.

Answer 38

Vishing (Voice Phishing) Overall explanation: Attacker tricks their victims into sharing personal or financial information over the phone. This is an example of social engineering called vishing. The help desk should never call a user and ask for their username and password. Domain: 2.2 - Explain common threat vectors and attack surfaces.

Answer 39

DNS Poisoning Overall explanation: Altering DNS responses to reroute traffic. A recursive name server is a caching DNS server. It retrieves records from the authoritative name server and then serves up cached copies to clients requesting resolution from that network or any client using it as their name server. Attackers might want to manipulate the cached records to redirect traffic to another site or location, which is called DNS poisoning. Domain: 2.4 - Given a scenario, analyze indicators of malicious activity.

Answer 40

Update the firmware Overall explanation: Since the time of manufacture, the wireless router has been packaged in a box, shipped (potentially internationally), sat on a warehouse shelf, and eventually made its way to a store shelf. There may have been multiple firmware updates since the wireless router was made, so the first thing Peter should do is update the firmware to ensure any security vulnerabilities have been eliminated. Domain: 2.3 - Explain various types of vulnerabilities.

Answer 41

Rainbow Tables Overall explanation: Rainbow tables commonly contain two fields. One column contains a list of hashes, and the other column contains the plain text equivalent required to create that hash. If a user gets a copy of the /etc/shadow file containing hashed versions of the users' passwords, they can look up the hash in the rainbow table to see if there is a match. If so, the plain text equivalent in the other column might be a valid password to log into the system for that user. Domain 2.4 - Given a scenario, analyze indicators of malicious activity.

Answer 42

High Availability Overall explanation: High availability is the idea that a system should be available as much as possible, or at a certain minimum as defined by customer requirements or a service-level agreement (SLA). Fault tolerance describes a system that can continue to operate even in the event of a failure so that there should be zero downtime whatsoever. Resiliency is the ability to recover quickly in the event of a failure. Redundancy is having more than one of a component so that the system can fail over to it in case of a failure. Domain: 3.4 - Explain the importance of resilience and recovery in security architecture.

Answer 43

Public Overall explanation: A public cloud is available for multiple customers to use by sharing hardware and other resources between its customers. Domain: 3.1 - Compare and contrast security implications of different architecture models.

Answer 44

Differential Backup Overall explanation: A differential backup is comprised of any data that has changed since the last full backup. An incremental backup is comprised of any data that has changed since the last backup of any kind. A full backup is comprised of all data. The term partial backup is not commonly used. Domain: 3.4 - Explain the importance of resilience and recovery in security architecture.

Answer 45

802.1X Overall explanation: 802.1x is a method by which the wireless access points can send an authentication request to an authentication server using something like RADIUS to verify the user's credentials before allowing or denying access. 802.3af defines power over ethernet. Wi-Fi protected setup is a method of joining devices to a network that allows the connecting device and WAP to create their own PIN and is extremely weak. WEP is a method of encrypting data for a WiFi connection that is irrelevant to the method of authentication used, but is also extremely weak and should not be used. Domain: 3.2 - Given a scenario, apply security principles to secure enterprise infrastructure.

Answer 46

Incremental Backup Overall explanation: A differential backup is comprised of any data that has changed since the last full backup. An incremental backup is comprised of any data that has changed since the last backup of any kind. A full backup is comprised of all data. The term partial backup is not commonly used. Domain: 3.4 - Explain the importance of resilience and recovery in security architecture.

Answer 47

Masking Overall explanation: Credit card numbers are commonly stored using a masking technique so that only the last 4 digits of the card are made visible to the customer. You may notice many receipts or online payment systems only show you the last 4 digits of the card you are using. This helps identify the card while leaving out enough information that someone looking over your shoulder or intercepting the transmission would not be able to use that information to make a payment using your card. Domain: 3.3 - Compare and contrast concepts and strategies to protect data.

Answer 48

Cold Site Overall explanation: A cold site may be nothing more than an empty building with power and Internet connections. It might take a 2 to 4 weeks or more to fully recover to a cold site. A warm site may be partially built out, but still take several days to a week to become fully operational. A hot site can typically become fully operational anywhere from immediately to a day. A mobile site example may be portable cellular phone towers that can quickly be erected if something happens to an existing tower or if they need to provide extra coverage for a large event where there are a lot more people in the area than normal. Domain: 3.4 - Explain the importance of resilience and recovery in security architecture.

Answer 49

Restricted Overall explanation: Data that is considered personally identifiable information, or PII, is typically considered to be classified as restricted, the highest level of privacy. Domain: 3.3 - Compare and contrast concepts and strategies to protect data.

Answer 50

Data at Rest Overall explanation: MySQL is a relational database management system, or database server. The data being stored by this server would be considered data at rest. There are parts of the server, such as RAM and CPU that would be considered data in use, but the question specifically mentioned the data being stored on the server. This data is stored on the hard drive in files accessible by the MySQL server. The question also did not ask about data being transmitted to and from the server, so data in transit is not applicable either. There is not a standardized term known as data incognito. Domain: 3.3 - Compare and contrast concepts and strategies to protect data.

Answer 51

Fault Tolerance Overall explanation: Fault tolerance describes the ability of a system to continue operation even when one of the components fails so that there is no downtime. High availability is similar, but simply describes that a system should be available as much as possible, though there may be some minimal downtime. Resiliency is the ability to recover quickly in the event of a failure. Redundancy simply mean that there is more than one system operating so that in the event of a failure, another device may take over the load. However, there can be some downtime during the failover period depending on the technology and how it is implemented. Domain: 3.1 - Compare and contrast security implications of different architecture models.

Answer 52

TKIP Overall Explanation: TKIP, or the temporal key integrity protocol, uses RC4 for its encryption. CCMP is an AES-based encryption method. MD5 and SHA are both hashing algorithms. Domain: 4.1 - Given a scenario, apply common security techniques to computing resources.

Answer 53

PAT Overall Explanation: Port address translation is typically used on home and SOHO routers where only one IP address is assigned by the Internet service provider. It is able to translate between multiple internal IP addresses and the single external IP address assigned by the ISP. Domain: 4.1 - Given a scenario, apply common security techniques to computing resources.

Answer 54

STP Overall Explanation: The spanning tree protocol is used in layer 2 switching to prevent switching loops. Switches do not use the TTL (time-to-liive) field of packets to prevent an infinite loop. They also do not make use of the RIP or OSPF routing protocols. Domain: 4.1 - Given a scenario, apply common security techniques to computing resources.

Answer 55

NAC Overall Explanation: Network Access Control is a technology that will require health checks to be run by using an agent on computers within an organization. If certain requirements are not met, such as not having the latest patches or antivirus definitions installed, the computer will be put onto a separate VLAN or subnet where it can download and install the necessary updates. Domain: 4.5 - Given a scenario, modify enterprise capabilities to enhance security.

Answer 56

RADIUS Overall Explanation: RADIUS is commonly used in wireless networks as part of an 802.1x configuration to authenticate users against a centralized authentication system or user directory. Domain: 4.5 - Given a scenario, modify enterprise capabilities to enhance security.

Answer 57

Data residing in RAM Overall Explanation: Data in RAM is the most volatile, so a memory dump should be performed first. If the computer turns off, the data that is in memory will be destroyed fairly quickly, whereas the data on the other forms of media should survive. Domain: 4.8 - Explain appropriate incident response activities.

Answer 58

MAC (Mandatory Access Control) Overall Explanation: Mandatory access control uses classifications for data where the user must have a certain level of access such as secret or top secret in order to view the contents. Role-Based Access Control is where users are assigned to a group based upon their role or job responsibilities and then the group is assigned permissions to a file or object. Discretionary access control is where the owner of an object can give permissions to individual users directly for a file or object. TAC is not a valid access control model. Domain: 4.6 - Given a scenario, implement and maintain identity and access management.

Answer 59

TOTP Overall Explanation: Key fobs are an example of a time-based one-time password. The six-digit password can only be used one time, and it is time-based; every 60 seconds, a new password is generated, and the previous one expires. This ensures that only users in possession of the key fob (something you have) can access the VPN. Domain: 4.6 - Given a scenario, implement and maintain identity and access management

Answer 60

Kerberos Overall Explanation: Kerberos uses a series of tickets to authenticate and validate users on a network rather than sending a password over the network. The protocol that uses a Ticket Granting Ticket (TGT) as part of its authentication process is Kerberos. In Kerberos authentication, a TGT is issued by the Key Distribution Center (KDC) after a user successfully authenticates with their password. The TGT is then used to request access to various network services by obtaining service tickets from the KDC. This process allows users to authenticate once and gain access to multiple services without needing to re-enter credentials each time. Domain: 4.5 - Given a scenario, modify enterprise capabilities to enhance security.

Answer 61

API Gateway Overall Explanation: An API gateway provides an application programming interface that commonly accepts JSON, XML, or other formatted data structures, processes the request, and returns a response. In a microservices architecture, an API Gateway acts as a single entry point for clients to interact with the different microservices. The gateway handles requests by routing them to the appropriate microservice, performing necessary transformations, aggregating responses, and providing security features like authentication, rate limiting, and logging. The API Gateway typically receives requests in the form of JSON (or other formats), processes them, and forwards them to the relevant microservice. The response from the microservices is often returned in JSON format as well, aligning with the description provided. Domain: 4.7 - Explain the importance of automation and orchestration related to secure operations.

Answer 62

CCMP Overall Explanation: CCMP has three components to its 9 word phrase: CM (counter-mode), CBC (cipher-block-chaining), and MAC (message authentication code). The P stands for Protocol. The form of encryption you are describing is CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). CCMP is an AES-based encryption protocol used in wireless networks, specifically in Wi-Fi Protected Access 2 (WPA2). It provides both data encryption and message integrity by combining: AES (Advanced Encryption Standard) for encryption. CCM (Counter with CBC-MAC) mode, which is a combination of Counter Mode (CTR) for encryption and Cipher Block Chaining Message Authentication Code (CBC-MAC) for message authentication. CCMP ensures that the data transmitted over wireless networks is both encrypted and authenticated, preventing eavesdropping and tampering. It is considered much more secure than the older WEP (Wired Equivalent Privacy) and TKIP (Temporal Key Integrity Protocol) used in previous Wi-Fi security protocols. Domain: 4.1 - Given a scenario, apply common security techniques to computing resources.

Answer 63

PAP Overall Explanation: The password authentication protocol is considered a legacy protocol and should no longer be used, as it sends password in plaintext over a network connection. Password Authentication Protocol (PAP) is a network authentication protocol that sends passwords in cleartext, meaning anyone who can sniff network packets can read them. Explanation: Cleartext transmission: This means passwords are sent without any encryption, making them easily readable by anyone who intercepts the network traffic. Vulnerability: Using PAP exposes passwords to potential attackers who can eavesdrop on the network. Key points about PAP: Outdated protocol: While still supported in some systems, PAP is considered insecure due to its cleartext password transmission. Secure alternatives: More secure authentication protocols like CHAP (Challenge Handshake Authentication Protocol) and EAP (Extensible Authentication Protocol) encrypt passwords during transmission, preventing eavesdropping Domain: 4.5 - Given a scenario, modify enterprise capabilities to enhance security.

Answer 64

TACACS+ Overall Explanation: TACACS+ is a Cisco developed protocol that is used for authentication between network devices. RADIUS is an authentication protocol, but was not developed by Cisco. OSPF and RIP are routing protocols. TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol developed by Cisco for AAA (Authentication, Authorization, and Accounting) purposes, similar to RADIUS but with some important differences and advantages. TACACS+ is primarily used to provide centralized authentication and authorization for network devices, such as routers, switches, and firewalls. It allows network administrators to manage and control access to devices more efficiently, ensuring that users are authenticated before they can access the network infrastructure. Key Features of TACACS+: Separation of AAA Functions: TACACS+ separates the authentication, authorization, and accounting functions, allowing more granular control over each one. This is in contrast to RADIUS, which typically combines authentication and authorization in a single step. Encryption: TACACS+ encrypts the entire payload of the communication, including the user's credentials (username and password), making it more secure than RADIUS, which only encrypts the password. This makes TACACS+ a better choice in environments where security is a primary concern. More Granular Control: TACACS+ allows for more detailed control over the authorization process, including the ability to control individual commands that a user can execute on a device. For example, you can specify which commands a user can issue on a router or switch, which is particularly useful for administrative control. Single Vendor Support: TACACS+ is generally used in Cisco-specific environments, while RADIUS is more widely adopted across multiple vendors' equipment. Communication: TACACS+ operates over TCP (usually port 49), while RADIUS uses UDP. The use of TCP makes TACACS+ more reliable, especially for large-scale network environments. Use Cases: Network Device Authentication: TACACS+ is used to authenticate users trying to access network devices (e.g., routers, switches, firewalls) via console access, SSH, or other management interfaces. Administrative Access Control: It allows administrators to define and enforce policies about who can log in and what specific commands they can execute. Centralized Management: TACACS+ is often used in large organizations to centralize user access control for network devices, simplifying management and improving security. Example of How It Works: A network administrator attempts to log into a Cisco router or switch. The router sends a request to the TACACS+ server for authentication. The TACACS+ server validates the credentials and sends an authorization response back to the device. Based on the configuration, the TACACS+ server may also specify which commands the administrator is authorized to execute. In summary, TACACS+ is particularly useful in Cisco environments where granular control and strong security are required for managing network devices. It is often favored in enterprise environments where centralized control over network device access and command-level permissions is crucial. Domain: 4.5 - Given a scenario, modify enterprise capabilities to enhance security.

Answer 65

tcpdump Overall Explanation: The tcpdump command can be used on Linux systems to display incoming packets on a given network interface. tcpdump is a command-line packet analyzer tool used for network traffic monitoring and troubleshooting. It allows users to capture and analyze the data packets being transmitted over a network. It's widely used by network administrators, security professionals, and anyone needing to debug network-related issues or analyze traffic for security purposes. Key Features of tcpdump: Packet Capture: tcpdump captures packets on a network interface (e.g., Ethernet, Wi-Fi) and displays them in real-time. It can capture traffic for specific network interfaces, protocols, or IP addresses. Protocol Analysis: It supports capturing traffic for a wide range of protocols like TCP, UDP, ICMP, HTTP, DNS, and many others. tcpdump decodes and displays detailed information about network packets, including headers and payloads. Filtering: tcpdump allows you to apply filters using BPF (Berkeley Packet Filter) syntax, enabling you to capture specific types of traffic. For example, you can filter traffic based on IP address, port number, protocol type, etc. Real-time and Saved Capture: It can display captured packets in real-time on the console. You can save the captured data to a file (in .pcap format), which can later be analyzed using other tools like Wireshark. Debugging and Security Monitoring: Useful for network troubleshooting (e.g., identifying network performance issues, diagnosing connectivity problems). Often used in security to analyze suspicious traffic or investigate potential attacks like DDoS or malware activity. Domain: 4.4 - Explain security alerting and monitoring concepts and tools.

Answer 66

Shibboleth Overall Explanation: Shibboleth is a method of providing single sign-on by whereby each of the universities would be an identity provider and would trust users that have been authenticated by the other trusted identity providers within the group. Key Features of Shibboleth: Federated Identity: Shibboleth allows multiple organizations (such as universities or businesses) to share resources securely while maintaining their own user directories. It ensures that users can access services from other institutions without needing to create separate accounts for each. Single Sign-On (SSO): Users authenticate once with their home organization, and then can seamlessly access resources hosted by partner organizations, without needing to log in again. This is achieved through SSO. SAML-based Authentication: Shibboleth uses SAML (Security Assertion Markup Language) for authentication and authorization. In this system, a user’s identity and attributes are exchanged securely between the Identity Provider (IdP) and the Service Provider (SP). Identity Provider (IdP): This is the organization (e.g., a university) that authenticates the user and sends a secure assertion (identity and attributes) to the Service Provider. Service Provider (SP): This is the organization or service the user is trying to access (e.g., a partner university’s resource), which receives the identity assertion from the IdP and grants access. Interoperability: Shibboleth is based on open standards like SAML, so it can interoperate with other systems and tools that support these standards. It is commonly used in higher education, research institutions, and other sectors where collaboration between organizations is needed. Attributes-Based Access Control: Shibboleth allows organizations to send user attributes (such as role, group membership, or other custom attributes) in the authentication assertion, which the Service Provider can use to make authorization decisions (e.g., granting or denying access to a resource). Domain: 4.6 - Given a scenario, implement and maintain identity and access management.

Answer 67

Generate New Keys for the Root Account Overall Explanation: Linux servers allow accounts to connect and log in by using either a password or a public/private key pair. In this case, since the password option has been disabled, a new set of keys should be generated immediately so that the former employee can no longer log in to the servers. Domain: 5.1 - Summarize elements of effective security governance.

Answer 68

Passive reconnaissance Overall Explanation: Passive reconnaissance can be performed without actually communicating with any of a target organization's systems. Examining the DNS registry records for a particular domain name can potentially start to give attackers some minimal information such as name server addresses, street addresses, phone numbers, e-mail addresses, or contact names. This is a good starting point to a reconnaissance mission. Domain: 5.5 - Explain types and purposes of audits and assessments.

Answer 69

FIM (File Integrity Monitoring) FIM is the most suitable option for detecting unauthorized changes to system configurations and files due to its focus on monitoring and alerting on modifications to these resources.

Answer 70

Tokenization Tokenization is the most effective method for protecting sensitive data in this scenario, as it replaces the data with non-sensitive substitutes while retaining the necessary information for business operations.

Answer 71

Directory Traversal Directory Traversal is the most likely explanation for the leak of the unauthorized press release, as it aligns with the scenario of accessing files outside of the intended scope.

Answer 72

Implicit Deny An implicit deny is the most secure default policy for a firewall. It blocks all traffic by default, and only traffic that is explicitly allowed by a rule is permitted to pass through. This ensures that only the necessary traffic is allowed, reducing the risk of unauthorized access or attacks.

Answer 73

LOTL (Living Off the Land) Living off the land is a technique where attackers use legitimate tools and resources already present on a compromised system to carry out their malicious activities.

Answer 74

Rate Limiting Traffic to the Affected Port Rate limiting traffic to the affected port is the most effective mitigation technique in this scenario. It can help to reduce the impact of the attack by limiting the amount of traffic that can reach the server, allowing it to remain responsive to legitimate requests.

Answer 75

RTO (Recovery Time Objective) RTO is the maximum acceptable time a system can be down after a disruption before causing a significant business impact. In this scenario, the 4-hour maximum tolerable downtime directly corresponds to the RTRO

Answer 76

Anonymization Anonymization is the most challenging technique for removing PII from data because it requires the complete removal of all identifying information. While other techniques can also protect privacy, anonymization offers the highest level of protection.

Answer 77

Risk Appetite Risk Appetite refers to the level of risk an organization is willing to accept in pursuit of its objectives. When an organization decides to accept risk and not take further action, it aligns with its predetermined risk appetite.

Answer 78

Time-of-Use The term "Time-of-Use" refers to the specific moment when a system or process accesses a resource it has been authorized to use.

Answer 79

Key Escrow Key escrow in cybersecurity is a system where cryptographic keys, used for encrypting and decrypting data, are securely stored with a trusted third party (escrow agent). This allows authorized parties access to the keys under specific circumstances, like lost or forgotten keys, or in cases where government agencies need to access encrypted communications.