Practice Test 1 Flashcards
Packets with internal source addresses entering the network
Packets with internal source addresses should never originate from outside the network; block them
Packets with external source addresses leaving the network
Packets with external source addresses should never be found on the internal network; block from leaving the network
Packets with private IP addresses exiting the network
Private IP addresses should never be used on the internet; block from leaving the network
Packets with public IP addresses entering the network
Packets with public IP addresses will routinely be allowed to enter the network
CDN
content distribution network: provides reliable, low-latency, geographically distributed content distribution
Four functions of a forensic disk controller
Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device; returning data requested by a read operation; returning access-significant information from the device; reporting errors from the device back to the forensic host
RAID 1
Disk mirroring; requires two physical disks that will contain copies of the same data
TGS
ticket-granting service; receives and validates a TGT from the client, then issues a ticket and session keys to the client
KDC
Key distribution center; does not communicate directly with the client as part of Kerberos
AS
Authentication server forwards the username to the KDC
TGT
ticket-granting ticket; provided by the client to the TGS for validation and in return, receives user’s rights to access the service requested
breach of contract by a vendor to protect sensitive data
civil investigation; contract dispute.
Administrative investigation
for internal purposes and not applicable when a third party is being investigated
Criminal and regulatory investigation
initiated by those with regulatory authority, typically government agencies
Wave pattern motion detectors
Transmit ultrasonic or microwave signals into the monitored area, watching for changes in the returned signals bouncing off objects
Infrared heat-based detectors
Watch for unusual heat patterns
Capacitance detectors
Work based upon electromagnetic fields
Stateful packet inspection firewall
Dynamic packet filtering firewalls; track the state of a conversation and allow a response from a remote system based on an internal system being allowed to start the communication
Static packet filtering and circuit-level gateways
Only filter based on source, destination, and ports
Application-level gateway firewalls
Proxy traffic for specific applications
captive portal
provides access control for customers using Wi-Fi without provisioning user IDs while also gathering useful contact info
Business devices on open (unencrypted) wireless network
Wireless routers can provide multiple SSIDs. Separate SSID using WPA3 to create a private, secure network that is firewalled or logically separated
Hijacking customer web traffic including usernames and passwords
Open networks are unencrypted; traffic easily sniffable
Guideline
best practices, not mandatory; general, not specific
Clipping
analysis technique that only reports alerts after they exceed a set threshold
RADIUS
common AAA tech used to provide services for dial-up, wireless networks
OAuth
authentication protocol used to allow applications to act on a user’s behalf without sharing the password and is used for web applications
XTACACS; TACACS+
AAA technology; authentication, authorization, and accounting server for wireless network services using Cisco proprietary protocols
Inference
attacker uses several pieces of generic nonsensitive information to determine a specific sensitive value
Salami slicing attack
attacker siphons off minute quantities of money many times to accumulate a large amount of funds
Data diddling attack
attacker alters the contents of a database
Take-Grant protection model
Take rule allows a subject to take the rights belonging to another object
Brute-force attack
attack tries every possible password; password attempts change by one letter at each attempt
Dictionary attack
Uses dictionary words for the attack
Man-in-the-middle or pass-the-hash
attacks would not be visible in an authentication log except as a successful login
Isolation
database transactions operate separately from each other
Atomicity
ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred
Consistency
ensures all transactions are consistent with the logical rules of the database, such as having a primary key
Durability
requires that once a transaction is committed to the database it must be preserved
ACID model
database properties; Atomicity, Consistency, Isolation, Durability
Worm
built-in propagation mechanisms that do not require user interaction, scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access
Viruses and Trojan horses
Require user interaction to spread
Logic bomb
Lie in wait until certain conditions are met, triggering the delivery of their payload
HIPAA
Health Insurance Portability and Accountability Act; US law governing the healthcare sector that does provide for criminal penalties
FERPA
Family Educational Rights and Privacy Act; US law governing educational records that does not provide for criminal penalties
PCI DSS
Payment Card Industry Data Security Standard; industry standard for credit card operations and handling; it is not a law, so violations cannot incur criminal sanctions
SOX
Sarbanes-Oxley Act; governs publicly traded corporations and also provides for criminal penalties
TCP three-way handshake
1. SYN (synchronize-flagged packet) receives a response with 2. SYN/ACK (synchronize and acknowledge flagged packet), which is acknowledged by the original sender with 3. ACK (acknowledge packet)
RST
Used in TCP to reset a connection
PSH
Used to send data immediately
FIN
Used to end a connection
MDM capabilities
Mobile device management: manage device backups, enforce the use of encryption, and remotely wipe the contents of mobile devices
IDaaS
Identity as a service; provides an identity platform as a third party service. Provides integration with cloud services and removes overhead of traditional on-premises identity systems, but creates risk due to third-party control of identity services and reliance on off-site identity infrastructure
ISC2 Code of Ethics
Advance and protect the profession (do not publicly share the exam questions); Act honorably, honestly, justly, responsibly, and legally; Protect society; Provide diligent service to principals
ALE
annualized loss expectancy; the amount of damage the org expects to occur each year as the result of a given risk
Whitelisting
approach to application control; allows users to install only those software packages specifically approved by administrators (tightly controlled)
Denial of service
attack that denies legitimate users authorized access to the system through the use of overwhelming traffic
Compromise
attack where the attacker attempts to gain access to the system
Primary key
unique identifier in a database
PII
personally identifiable information; data that can be used to distinguish or trace that person’s identity and also includes information like their medical, education, financial, and employment information
PHI
personal health information
EDI
electronic data interchange
Proprietary
data used to maintain an organization’s competitive advantage
Public IP address
129.53.44.124; valid public IP address and legitimate destination for traffic leaving a network; 10.8.15.9 and 192.168.109.55 are both private IP addresses that should not be routed to the internet
Result of increasing length of cryptographic key by 8 bits
Increase size of the keyspace; binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. 2 to the eighth power is 256, so the keyspace will increase by a factor of 256
Types of data assets disposed by shredding
Traditional office shredding for paper records and credit cards; Industrial shredders for equipment including removable media and hard drives
Risk Mitigation Strategy
Reduces the probability of the risk (encryption reduces probability the data will be successfully stolen)
Risk avoidance
Avoid the risk (delete sensitive files and do not store them)
Risk transference
Purchase cyber-liability insurance
Risk Acceptance
Taking no action on a risk
Sampling
Should be done truly randomly to avoid human bias and on a sample of sufficient size to provide effective coverage of the user base
Involuntary termination under adverse circumstances
User is being fired and may have a negative and potentially hostile reaction. Important to terminate access immediately upon the user being informed of the termination. Terminating access prior to notification may tip the user off to the termination in advance. Leaving access privileges available after termination poses a risk of malicious insider activity
Application log from an HTTP server
Log file with HTTP requests, evidenced by GET commands
CVSS
Common Vulnerability Scoring System; standardized approach to rating the severity of vulnerabilities
STRIDE and ATT&CK
models used to classify the nature, not the severity, of threats
PASTA
model designed to help with countermeasure selection
Social engineering
Exploits humans to allow attacks to succeed; typically target help-desk employees posing as legitimate employees
Trojans
type of malware
Phishing
targeted attack via electronic communication methods intended to capture passwords or other sensitive data
Whaling
type of phishing aimed at high-profile or important targets
Supply Chain Risk to equipment
Interception and tampering of devices in transit from vendor to organization
Single-level security environment
Classify information systems with the highest classification of information they are ever expected to process
Availability of authentication services is the priority
Identity platform should be hybrid to provide services both in the cloud and on-premises, ensuring service outages due to interrupted links are minimized
On-site authentication service
Would continue to work during an internet outage but would not allow the e-commerce website to authenticate
Cloud authentication service
Would leave the corporate location offline during an outage
Federation
Links identity information between organizations. Federating with a business partner allows identification and authorization to occur between them
Single sign-on
Reduces the number of times a user has to log in but does not facilitate the sharing of identity information
MFA
Multifactor authentication secures authentication but does not help integrate with a third party
SAML
Security Assertion Markup Language (SAML) used to integrate cloud services and provides ability to make authentication and authorization assertions
SPML
Service Provisioning Markup Language (SPML) used to provision users, resources, and services
Rainbow tables
precomputed password hashes used to conduct cracking attacks against password files; frustrated by the use of salting
Salting
Adds a specified value to the password prior to hashing, making it much more difficult to perform precomputation
Honeypot
decoy computer system used to bait intruders into attacking
Honeynet
a network of multiple honeypots that creates a more sophisticated environment for intruders to explore
Pseudoflaw
False vulnerability in a system that may attract an attacker
Darknet
segment of unused network address space that should have no network activity and may be easily used to monitor for illicit activity
FAR
false acceptance rate; rate at which the system inadvertently admits an unauthorized user
FRR
false rejection rate; rate at which the system inadvertently rejects an authorized user
CER
crossover error rate; point where both the false acceptance rate and the false rejection rate cross; less subject to manipulation and thus the best metric to use for evaluating systems
Steganography
the art of using cryptographic techniques to embed secret messages within other content; algorithms make invisible alterations to files by modifying the least significant bits of the many bits that make up image files
VPN
Virtual Private Network; provide protection in transit
Watermarking
embed information in an image with the intent of protecting intellectual property
JavaScript
interpreted language so the code is not compiled prior to execution; code is human-readable in its final form allowing for inspection of the content
C, C++, Java
compiled languages; compiler produces an executable file that is not human-readable
Shadow passwords in an /etc/passwd file
password field contains x; no password in plaintext, encrypted, or hashed form
EOL
end-of-life date for a product is normally the date the vendor will stop selling a product
EOS
end-of-support; date the vendor will stop supporting the product
Due Care
Principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person
Due Diligence
Principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner
Least Privilege
Principle states an individual should have the minimum set of permissions necessary to carry out their work
Separation of duties
Principle states that no single person should have the right to perform two distinct tasks which when combined constitute a highly privileged action
Primary Driver for data classification
Sensitivity; the value of the information to the org and the damage caused if it is lost or compromised
Risk of interception
Require the use of transport encryption; anyone intercepting the information would be unable to read its contents
Tangible asset inventories
Physical items owned by the organization; server hardware, mobile devices
Intangible asset inventory
non-physical items owned by the organization; intellectual property and files stored on a server
Physical Layer; Fiber-Optic Cable
Layer of the OSI Model that deals with the electrical impulses or optical pulses sent as bits to convey data; cable tapping: attacker installs a tap on a cable
Data Link, Network, or Transport layer attack
Higher levels of activity in the OSI model, compromising a device and using a protocol analyzer to sniff network traffic
Vendor responsibility in IaaS
Responsible for all security mechanisms at the hypervisor layer and below; maintaining the hypervisor
Customer Responsibility for IaaS
Responsible for server security operations; managing OS security settings, maintaining host firewalls, and configuring server access control
Type I Hypervisor
Bare metal; acts like a lightweight operating system and runs directly on the host’s hardware; cloud service providers use Type I hypervisors, Hyper-V
Type II Hypervisor
Hosted; runs as a software layer on an operating system like other computer programs; VirtualBox on my laptop
Proactive monitoring
synthetic monitoring; uses recorded or generated traffic to test systems and software
Passive monitoring
Uses a network span, tap, or other device to capture traffic to be analyzed
Proximity Card
Uses an electromagnetic coil inside the card
Parallel test
team activates the disaster recovery site for testing, but the primary site remains operational
Full interruption test
team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations; most thorough but also most disruptive
Checklist review
least disruptive disaster recovery test; team reviews the contents of their disaster recovery checklists on their own and suggest any necessary changes
Tabletop exercise
team comes together and walks through a scenario without making any changes to information systems
Agile approach to software development
12 principles; best architecture, requirements, and designs emerge from self-organizing teams; teams should welcome changing requirements at any step in the process; simplicity is essential; emphasis on delivering software frequently
Hand geometry scanners
Assess the physical dimensions of an individual’s hand but do not verify other unique factors about the individual or even verify if they are alive; should not be implemented as the sole authentication factor for secure environments
MTD
maximum tolerable downtime; the amount of time that a business may be without a service before irreparable harm occurs; MTO maximum tolerable outage; MAD maximum allowable downtime
CASB
Cloud access security brokers; designed to enforce security policies consistently across cloud services
DLP
Data loss prevention; detects, blocks, and controls use of information in the cloud
DRM
digital rights management; detects, blocks, and controls use of information in the cloud
IPS
Intrusion prevention systems; designed to detect and block malicious activity
Replay attack
Specific type of masquerading attack that relies on captured authentication tokens, such as from a user’s web session to impersonate the user on the site
Masquerading (or impersonation) attacks
Use stolen or falsified credentials to bypass authentication mechanisms
Spoofing attack
Relies on falsifying an identity like an IP address or hostname without credentials
Modification attacks
Occur when captured packets are modified and replayed to a system to attempt to perform an action
OpenID Connect
An authentication layer that works with OAuth 2.0 as its underlying authorization framework; widely adopted by cloud service providers and widely supported; seamless integration with OAuth
Kerberos
authentication technology
Two-person control
Action requires the concurrence of two users
Job rotation
Move people through jobs on a periodic basis to deter fraud
Parol evidence rule
States that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing
Best evidence rule
States that a copy of a document is not admissible if the original document is available
Real evidence and testimonial evidence
types of evidence
NAT
Network Address Translation; translates an internal address to an external address
VLANs
virtual local area networks; used to logically divide networks
BGP
routing protocol
SSAE-18
Reviews the use and application of controls in an audited organization; An attestation standard used for external audits, forms part of the underlying framework for SOC 1, 2, and 3 reports; DOES NOT ASSERT SPECIFIC CONTROLS
Creating a digital signature
Sender of a message always encrypts the message with their own private key. Recipient verifies the digital signature by decrypting it with the sender’s public key and comparing that decrypted signature with a message digest that the recipient computes themselves
RTO
Recovery time objective; amount of time expected to return an IT service or component to operation after a failure; amount of time it should take to restore an IT service after an outage
RPO
Recovery Point Objective; maximum amount of data, measured in time that may be lost during a recovery effort
SLA
service-level agreement; written contracts that document service expectations
Change management
Business process that requires sign-off from a manager or supervisor before changes are made to ensure proper awareness and communication
SDN
software-defined networking
Release Management
the process that new software releases go through to be accepted
Versioning
Used to differentiate versions of software, code, or other objects
Wet pipe
Wet pipe suppression systems have water present in the pipes at all times, posing an unacceptable level of risk for a data center containing electronics that might be damaged if a pipe leaks
Dry pipe and pre-action
Suppression systems only contain water when triggered in the event of a possible fire
FM-200
a chemical suppressant commonly used in place of water in data centers
Directive control
Notifications and procedures, like the signs posted on the company doors reminding employees not to let others in behind them when they enter
Detective control
Designed to operate after the fact; Motion detectors
Physical control
the doors and the locks on the doors of the company
Preventive control
Designed to stop an event and could also include the locks on the doors; Mantraps intended to deny intruders access
Deterrent control
Prevent an intruder from attempting an attack in the first place; Guard dogs, Lighting
PaaS
Platform as a service; an example of function as a service (FaaS) computing; cloud provider is managing the infrastructure and only making the platform available to customers
IaaS
Infrastructure as a service; cloud provider provides the infrastructure but the customer manages the infrastructure
Frequency analysis
cryptanalytic attack against a large volume of encrypted ciphertext
Brute-force attack
Cryptanalytic attack against a large volume of encrypted ciphertext
Known plaintext attack
access to plaintext information
Chosen ciphertext attack
attacker has the ability to encrypt information
Workflow-based account provisioning
provisioning that occurs through an established workflow, such as through an HR process
Discretionary account provisioning
Individual (owner) sets up accounts for a new hire on systems they manage
Self-service account provisioning
the provisioning system allows the new hire to sign up for an account on their own
Automated account provisioning
a central, software-driven process to provision an account, rather than HR forms
Privilege creep
as individuals change roles, they may retain access to systems that they no longer administer.
User changes roles
Provisioned based on the role and other access entitlements; de-provisioning and re-provisioning are time-consuming and lead to problems with changed IDs and how existing credentials work
EAL2 evaluation assurance level
EAL2 assurance applies when the system has been structurally tested. It is the second-to-lowest level of assurance under the Common Criteria
Prior to granting any user access to information
Verify appropriate security clearance and need to know
Preservation phase of the e-discovery reference model
Ensures information related to the matter at hand is protected against unintentional alteration or deletion
Identification phase
Locates relevant information but does not preserve it
Collection phase
Occurs after preservation and gathers responsive information
Processing phase
Performs a rough cut of the collected information for relevance
Hash algorithms with known vulnerabilities
RIPEMD and MD5
SHA-2
cryptographically strong hash that is fast and efficient; SHA-3 is also secure but less efficient
subject/object model
object of the resource request is the resource being requested by a subject. Requesting access to a document would make the document the object of the request
De-encapsulation
the process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model
Encapsulation
process when the header and/or footer are added
Payload
part of a virus or malware package delivered to a target
CPTED framework
Crime Prevention Through Environmental Design; implements three strategies: natural access control, natural surveillance, and natural territorial reinforcement
Natural access control
uses barricades and other physical elements to create a separation between secure and insecure spaces
Natural surveillance
designs the environment to expose potential intruders to natural scrutiny by legitimate occupants
Natural territorial reinforcement
Uses fences, signs, and other elements to clearly define secure spaces
SPML
Service Provisioning Markup Language; uses requesting authorities to issue SPML requests to a provisioning service point
Provisioning service targets
Often user accounts; must allow unique identification of the data in their implementation
SAML
used for security assertions
SAMPL
an algebraic modeling language
XACML
an access control markup language used to describe and process access control policies in an XML format
Qualitative risk assessment
uses probability/impact matrix and subjective measures of probability and impact, such as “high” and “low” in place of quantitative measures
MAC
mandatory access control systems are hierarchical, compartmentalized, or hybrid.
Hierarchical
each domain is ordered and related to other domains above and below it
Compartmentalized
where there is no relationship between each domain
Asymmetric encryption algorithm application
Require two keys per user, regardless of the number of participants. (6-member team would require 12 keys)
Symmetric cryptography
require n(n-1)/2 keys
Cat 5e
Category 5e; cable rated to 1000 Mbps
Cat 6
Category 6; UTP cable rated to 1000 Mbps
Cat 5
Category 5; rated to 100 Mbps
Cat 7
Category 7; rated to 10 Gbps
CDN
content delivery network; distribute content to many remote endpoints where it may be quickly loaded by local users
Smurf attack
a distributed attack approach to send ICMP echo replies at a targeted system from many different source addresses.
Most effective way to block smurf attacks
block inbound ICMP traffic
Static packet filtering firewalls
first-generation firewalls that do not track connection state; do not have the ability to track connection status between different packets
Firewalls with connection state tracking capability
Stateful inspection, application proxying, and next-generation firewalls
Dual power supplies
Address hardware issues (equipment failures) within a server, allowing it to continue to operate if one of the power supplies fails
Increase the reliability of power flowing to a server
redundant power sources, backup generators, and uninterruptible power supplies (UPS)
Remote access technologies with built-in encryption
RDP (Remote Desktop Protocol); SSH (Secure Shell)
Telnet and Dial-up
Outdated remote access tech that does not provide encryption for secure access
Latency
a delay in the delivery of packets from their source to their destination
Jitter
a variation in the latency for different packets
Packet loss
disappearance of packets in transit that requires retransmission
Interference
electrical noise or other disruptions that corrupt the contents of packets
Internal auditor report recipients
Internal reports for remediating issues: managers, individual contributors, and board members for oversight
Interface testing
web applications communicate with web browsers via an interface; ensure it is accessible from all commonly used web browsers
Regression testing
re-runs functional and non-functional tests to ensure that a software application works as intended after any code changes, updates, revisions, improvements, or optimizations
White-box testing
full knowledge test
Fuzzing
tests unexpected inputs, rather than functionality
Role-based access control
Gives users an array of permissions based on their position in the organization; reviewer, editor, submitter
Rule-based access control
Use rules that apply to all subjects; firewalls and routers
Discretionary access controls
Gives object owners the right to choose how the objects they own are accessed
Impact
Fire suppression system does not stop a fire but reduces the damage that fires cause (reduce risk by lowering the impact of an event)
Patent
intellectual property in the form of a process; Require public disclosure and have expiration dates
Trade Secret
intellectual property in the form of a process; remain in force for as long as they remain secret
SCAP
Security Content Automation Protocol; a suite of specifications used to handle vulnerability and security configuration information; The National Vulnerability Database provided by NIST uses SCAP
XACML
eXtensible Access Control Markup Language; an OASIS standard used for access control decisions
BAS
Breach and attack simulation platforms automate aspects of penetration testing; these systems are designed to inject threat indicators onto systems and networks in an effort to trigger other security controls; white-box, gray-box, and black-box testing involve more manual effort
Simple Security Property
prevents an individual from reading information at a higher security level than their clearance allows; “no read up” rule
Simple Integrity Property
a user can’t write data to a higher integrity level than their own
*-Security Property
Users can’t write data to a lower security level than their own
Discretionary Security Property
allows the use of a matrix to determine access permissions
WBS
work breakdown structure; project management tool that divides the work done for a large project into smaller components.
Project plan
describes timing and resources
Test analysis reports
used during later phases of the development effort to report test results
Functional requirements
May be included in a work breakdown structure
NAC
Network Access Control system; used to authenticate users (using identities) and validate their system’s compliance with a security standard before they are allowed to connect to the network; enforcing security policies can help reduce zero-day attacks
Firewall vs NAC
firewall can’t enforce system security policies
IDS vs NAC
intrusion detection system; only monitor for attacks and alarm when they happen; IDS can’t enforce system security policies
Port security
MAC address-based security feature that can only restrict which systems or devices can connect to a given port
Application running under a service account with full admin rights to the web server
Violation of least privilege principle; an application should never require full admin rights to run; service account should only have the privileges necessary to support the application
Key performance and risk indicators of security program
Time to resolve vulnerabilities, number of account compromises, number of attempts by users to visit malicious sites, number of repeat audit findings
True positive
Scan detected the vulnerability and the vulnerability actually existed
True negative
Scan correctly notes the absence of a vulnerability
False positive
Scan reports the presence of a vulnerability that does not actually exist
False negative
Scan reports that no vulnerability exists when one does, in fact, exist
/test directory
Test directories often include scripts that can be misused and have poor protections, or may hold other data that can be misused
Issue of directory indexing
Knowing the name and location of files can provide an attacker with quite a bit of information about an org and a list of potentially accessible files; it is not a clear sign of attack
XST
Cross-site tracing; leverages the HTTP TRACE or TRACK methods and could be used to steal a user’s cookies via cross-site scripting (XSS)
Supervisor of an org’s chief audit executive (CAE)
Should report to the most senior possible leader to avoid conflicts of interest; CEO or board of directors to provide a degree of independence
DLP
Data loss prevention systems; identify sensitive information
Network-based DLP
detects sensitive information if the user transmits it over the network; not stored on an endpoint
IPS
Intrusion prevention systems; designed to detect and block attacks in progress
Private cloud
cloud computing model where the customer builds a cloud environment in their own data center or builds an environment in another data center that is for the customer’s exclusive use (by a vendor at a co-location site); dedicated to a single organization and does not follow the shared tenancy model
Load balancing
designed to prevent a web server going offline from becoming a single point of failure; helps to ensure a failed server will not take a website or service offline
Dual power supplies
prevent failure of a power supply or power source
RAID
prevent a disk failure from taking a system offline
Star topology
uses a central connection device
Ethernet networks
may look like a star; actually a logical bus topology that is sometimes deployed in a physical star
Input validation
ensures that the data provided to a program as input matches the expected parameters
Limit check
a special form of input validation; ensures that the value remains within an expected range
Options when planning for possible system failures
fail open; fail secure
Black box
No prior knowledge of the system
White box
full knowledge of the system
Gray box
Partial or incomplete knowledge
Something you know
PIN, password, security question/answer
Something you have
token, smartcard
Something you are
fingerprint, retinal scan