Review Topics Flashcards
Review topics that were missed on practice exams or topics that need more practice
a technique used to learn information about a computer system on a network and the services running on its open ports
Banner Grabbing
type of injection in which malicious scripts are injected into otherwise benign and trusted websites
Cross-Site Scripting (XSS)
occurs when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer
Race Condition
a symmetric block cipher with a fixed block size of 128 bits. It can utilize a 128-bit, 192-bit, or 256-bit symmetric key
Advanced Encryption Standard (AES)
provides security as a service (SECaaS)
managed security service provider (MSSP)
one of the first public-key cryptosystems and is widely used for secure data transmission. As a public-key cryptosystem, it relies on an asymmetric algorithm
RSA (Rivest–Shamir–Adleman)
an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program
Fuzzing or fuzz testing
modification of DAC that provides a set of organizational roles that users may be assigned to gain access rights
Role-based access control (RBAC)
provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes
Attribute-based access control (ABAC)
sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. It can also determine the versions of the applications being used on those ports and services
Nmap
a command-line utility that displays network connections for incoming and outgoing TCP packets, routing tables, and some network interface and network protocol statistics
Netstat
the process of extracting user names, machine names, network resources, shares, and services from a system
Enumeration
describes how much risk an organization is willing to accept
Risk appetite
a symmetric-key algorithm for encrypting digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it was the standard used from 1977 until the early 2000s
Data Encryption Standard (DES)
occurs when an attacker sends a ping to a subnet broadcast address and the devices reply to the spoofed source IP (the victim server), using up its bandwidth and processing power
Smurf attack
The access control policy is determined by the owner. Every object in a system must have an owner and each owner determines access rights and permissions for each object
Discretionary Access Control (DAC)
An access control policy where the computer system determines the access control for an object. To access something, you need to meet the minimum level and have a “need-to-know”
Mandatory Access Control (MAC)
Label-based access control that defines whether access should be granted or denied to objects by comparing the object label and the subject label
Rule-based Access Control
Utilizes complex mathematics to create sets of objects and subjects to define how they interact
Lattice-based Access Control
An access model that is dynamic and context-aware using IF-THEN statements
Attribute-Based Access Control (ABAC)
An access model that is controlled by the system but utilizes a set of permissions instead of a single data label to define the permission level
Role-Based Access Control (RBAC)
Encryption algorithm which uses three separate symmetric keys to encrypt, decrypt, then encrypt the plaintext into ciphertext in order to increase the strength of DES
Triple DES (3DES)
Symmetric block cipher which uses 64-bit blocks to encrypt plaintext into ciphertext
International Data Encryption Algorithm (IDEA)
Symmetric block cipher that uses 128-bit, 192-bit, or 256-bit blocks and a matching encryption key size to encrypt plaintext into ciphertext
Advanced Encryption Standard (AES)
Symmetric block cipher that uses 64-bit blocks and a variable length encryption key to encrypt plaintext into ciphertext
Blowfish
Symmetric block cipher that replaced Blowfish and uses 128-bit blocks and a 128-bit, 192-bit, or 256-bit encryption key to encrypt plaintext into ciphertext
Twofish
Symmetric stream cipher using a variable key size from 40-bits to 2048-bits that is used in SSL and WEP
Rivest Cipher (RC4)
Symmetric block cipher with a key size up to 2048-bits
Rivest Cipher (RC5)
Symmetric block cipher that was introduced as a replacement for DES, but AES was chosen instead
Rivest Cipher (RC6)
Asymmetric algorithm used to conduct key exchanges and secure key distribution over an unsecured network. Used for the establishment of a VPN tunnel using IPSec
Diffie-Hellman (DH)
Asymmetric algorithm that relies on the mathematical difficulty of factoring large prime numbers. It is widely used for key exchange, encryption, and digital signatures and can use key sizes of 1024-bits to 4096-bits
RSA (Rivest, Shamir, and Adleman)
Algorithm that is based upon the algebraic structure of elliptic curves over finite fields to define the keys. With a 256-bit key it is just as secure as RSA with a 2048-bit key. It is most commonly used for mobile devices and low-power computing devices
Elliptic Curve Cryptography (ECC)
An encryption program used for signing, encrypting, and decrypting emails. The IDEA algorithm is used by this encryption program.
Pretty Good Privacy (PGP)
A newer and updated version of the PGP encryption suite that uses AES for its symmetric encryption functions
GNU Privacy Guard (GPG)
A simulated random number stream generated by a computer that is used in cryptography, video games, and more
Pseudo-Random Number Generator (PRNG)
The science and art of hiding messages within other messages
Steganography
A standard designed to regulate the transfer of secure public information across networks and the Internet utilizing any security tools and services available
Open Vulnerability and Assessment Language (OVAL)
A function that converts an arbitrary length string input to a fixed length string output
Hash
A cryptographic hashing algorithm created to address possible weaknesses in the older MD5 hashing algorithm. Uses a 160-bit hash digest, but isn’t considered strong
Secure Hash Algorithm 1 (SHA-1)
A cryptographic hashing algorithm created to address possible weaknesses in the older MD5 hashing algorithm. Uses a 256-bit or 512-bit hash digest and is the version currently used in modern forensics
Secure Hash Algorithm 2 (SHA-2)
Uses a 128-bit hash digest, but is susceptible to collisions and should only be used as a second factor of integrity checking
Message Digest Algorithm (MD5)
Technique used by an attacker to find two different messages that have the same hash digest
Birthday Attack
An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption
Public Key Infrastructure (PKI)
Cost associated with the realization of each individualized threat that occurs
Single Loss Expectancy (SLE)
Single Loss Expectancy (SLE) Formula
Asset Value x Exposure Factor
Number of times per year that a threat is realized
Annualized Rate of Occurrence (ARO)
Expected cost of a realized threat over a given year
Annualized Loss Expectancy (ALE)
Annualized Loss Expectancy (ALE) Formula
SLE x ARO
Relies on the physical characteristics of a person to identify them
Biometrics
Rate that a system authenticates a user as authorized or valid when they should not have been granted access to the system
False Acceptance Rate (FAR)
Rate that a system denies a user as authorized or valid when they should have been granted access to the system
False Rejection Rate (FRR)
measures the effectiveness of a biometric system
Crossover Error Rate (CER)