Sec + Flashcards
1
Q
Which term describes when data is in some sort of persistent storage media?
A
Data at rest
2
Q
Describe Data in transit.
A
Same as data in motion, It is when data is transmitted over a network. Examples include website traffic and remote access traffic, and data being synchronized between cloud repositories.
3
Q
Describe Data in use
A
When data is present in volatile memory sources. Examples include documents open in a word processing application, database data that is currently being modified, and event logs being generated while an operating system is running.
4
Q
What is Data Sovereignty?
A
Refers to legal implications of data stores in other countries.
5
Q
What is a cold site?
A
A cold site is an alternate location where a network can be rebuilt after a disaster has occurred. A cold site can take some time to implement, as systems and assets (including data) are not readily configured and available for full use.
6
Q
What is a warm site?
A
A warm site is a dormant alternate location, or a location that performs noncritical functions under normal conditions, but can be rapidly converted to a main operations site with minimal effort.
7
Q
What is a hot site?
A
A hot site is a fully configured alternate network that can be quickly brought online after a disaster. With a hot site, systems and data are usually up-to-date.
8
Q
What is a failover?
A
Refers to system redundancy. With a failover configuration, an additional device is configured to function when the primary configuration fails.
9
Q
What is Standard Naming Convention?
A
A standard naming convention is a defined set of rules for choosing the character sequence to be used for identification in coding. A standard naming convention reduces the effort in code reviews and programming error.
10
Q
What is code of obfuscation?
A
Code obfuscation is the practice of camouflaging code by replacing numbers with expressions and renaming variables to make the code unreadable
11
Q
What is Baselining?
A
Baselining is a method for analyzing computer network performance. The method is marked by comparing current performance to a historical metric, or “baseline”.
Baselining is the practice of applying changes to the master baseline of code in a continuous pattern. Developers apply the changes regularly to build the application.
12
Q
Define Code Reuse?
A
Code reuse is the practice of reusing tested and approved code for development to save time and prevent the introduction of errors in new coding efforts.
13
Q
What is a logic bomb?
A
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files, should they ever be terminated from the company.
A logic bomb is a malicious program or script set to run under particular circumstances or in response to a defined event, such as the admin’s account becoming disabled.
14
Q
What is a RAT? (Remote Access Trojan)
A
A Remote Access Trojan functions as a backdoor and allows the attacker to access the PC, upload files, and install software on it.
15
Q
What is a rootkit?
A
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of “root” and the word “kit”.
A rootkit is a backdoor malware that changes core system files and programming interfaces so that local shell processes no longer reveal their presence.
16
Q
What is spyware?
A
Spyware is a program that monitors user activity and sends the information to someone else, with or without the user’s knowledge. One spyware technique is to spawn browser pop-up windows, as well as modify DNS queries attempting to direct the user to other websites, often of dubious provenance.
17
Q
What is crypto-malware?
A
Crypto-malware is a class of ransomware that attempts to encrypt data files. The user will be unable to access the files without obtaining the private encryption key, held by the attacker.
While ransomware primarily demand ransom in the form of Bitcoin, the first cryptocurrency— to ‘unblock’ access to system/files— a crypto malware is designed to mine cryptocurrencies from systems without the users’ knowledge
18
Q
Which of the following attacks do security professionals expose themselves to, if they do not salt passwords with a random value?
A
A rainbow table attack -Passwords not “salted” with a random value make the ciphertext vulnerable to rainbow table attacks. A rainbow table attack is a password attack that allows an attacker to use a set of plaintext passwords and their hashes to crack passwords.
19
Q
What is a dictionary attack?
A
In a dictionary attack, software enumerates values in a dictionary wordlist. Enforcing password complexity makes passwords difficult to guess and compromise. Varying the characters in the password makes it more resistant to these attacks
20
Q
What can an attacker do to acquire a duplicate of another user’s smart card?
A
Clone it - Card cloning refers to making one or more copies of an existing card. An attacker can physically duplicate a lost or stolen card with no cryptographic protections.
21
Q
What is a Potentially unwanted program (PUP)?
A
Potentially unwanted programs (PUP) or potentially unwanted applications (PUA) is software installed alongside a package or from a computer store that the user did not request.
22
Q
What is a downgrade attack?
A
A downgrade attack is a form of cyber attack in which an attacker forces a network channel to switch to an unprotected or less secure data transmission.
A downgrade attack can facilitate an On-path attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.
23
Q
What is a Lightweight Directory Access Protocol (LDAP)?
A
A lightweight directory access protocol (LDAP) injection occurs when an attacker exploits a client’s unauthenticated access to submit LDAP queries that could create or delete accounts, even change authorizations and privileges. LDAP uses port 389.
24
Q
What is XML injection?
A
An extensible markup language (XML) injection attack occurs when submitted XML data takes advantage of spoofing, request forgery, and injection of arbitrary code. The XML had no encryption or input validation checks.
25
What is a SQL injection?
A structured query language (SQL) attack embeds or inserts SQL code to a website to query and output information from a database such as password hashes, for example.
26
What is DLL?
DLL injection is a software vulnerability that can occur when a Windows-based application attempts to force another running application to load a dynamic-link library (DLL) in memory, that could cause the victim application to experience instability or leak sensitive information.
27
What is a replay attack?
In a replay attack, the attacker captures some data, like a cookie file, used to log on or start a session legitimately. The attacker resends the data to re-enable the connection.
28
What is Directory Traversal?
Directory traversal is an injection attack that submits a request for a file outside the web server's root directory by submitting a path to navigate to the parent directory (../). Access permissions on the file are the same as on the web server directory.
29
What is command injection?
A command injection attack runs OS shell commands from the browser and allows commands to operate outside of the server's directory root, forcing commands to run as the web "guest" user.
30
What is a server-side request forgery?
A server-side request forgery abuses the functionality and services of backend servers to read and update internal resources. This can expose, for example, database information, even without an authenticated session.
31
What is client-side request forgery?
A client-side (or cross-site) request forgery is an attack that forces a user to execute unwanted actions to a web server that the user is currently authenticated to
32
What is resource exhaustion?
A resource exhaustion attack overloads resources like CPU time, memory, or disk capacity using distributed denial of service (DDoS) requests.
33
What is race condition?
A race condition occurs when the outcome from an execution process is directly dependent on the order and timing of certain events. A TOCTTOU vulnerability will take advantage of this timing to modify data before finally using it
34
What is refactoring?
Refactoring is the process of altering an application's source code without changing its external behavior. The purpose of code refactoring is to improve some of the nonfunctional properties of the code, such as readability, complexity, maintainability and extensibility.
Refactoring means the code performs the same function by using different methods. Refactoring means that the antivirus software may no longer identify the malware by its signature.
35
What’s the difference between Cross Site-Scripting and SQL injection?
XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application's database.
36
What is a Man-in-the-Browser (MitB) attack?
An attack where the perpetrator installs a Trojan horse on the victim's computer that is capable of modifying that user's web transactions. The purpose of a man-in-the-browser attack includes eavesdropping, data theft or session tampering.
37
What is Cross-Site Request Forgery? (XSRF)
XSRF is a malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser
38
What is a VBA code?
Visual Basic for Applications (VBA) is a scripting language for Microsoft Office that uses macros to perform a sequence of actions in the context of a word processor, spreadsheet, or presentation file.
39
What is Bluesnarfing?
Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.
40
What is a rogue access point?
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.
A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.
41
What is a spectrum analyzer?
A spectrum analyzer is a device that can detect the source of jamming (interference) on a wireless network. It usually has a directional antenna, so that the security analyst can pinpoint the exact location of the interference.
42
Which attacks can perform a Denial of Service (DoS) attack against a wireless network?
Disassociation attack and deauthentication attack
43
A security engineer examined some suspicious error logs on a Windows server that showed attempts to run shellcode to a web application. The shellcode showed multiple lines beginning with Invoke-Command. What type of script is the suspicious code trying to run?
A Powershell Script - common scripts: Invoke-Expression, Invoke-Command, Invoke-WMIMethod, New-Service, etc
44
A low level distributed denial of service (DDoS) attack that involves SYN or SYN/ACK flooding describes what type of attack?
Network
45
Explain Application attacks
An application attack targets vulnerabilities in the headers and payloads of specific application protocols. For example, one type of amplification attack targets DNS services with bogus queries.
46
A malicious user sniffed credentials exchanged between two computers by intercepting communications between them. What type of attack did the attacker execute?
An on-path attack
On-path attackers place themselves between two devices (often a web browser and a web server) and intercept or modify communications between the two. The attackers can then collect information as well as impersonate either of the two agents.
47
Which attack does NOT provide encryption and is, therefore, vulnerable to eavesdropping and Man-in-the-Middle attacks?
NFC (Near Field Communications) does not provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and other software services are not encrypting the data.
48
What is an Initialization Vector (IV) attack?
An Initialization Vector attack modifies the IV of an encrypted wireless packet during transmission to compute the RC4 keystream to decrypt all other wireless traffic. This attack becomes useless when WPA or WPA2 wireless protection is enabled.
49
Which actor seeks authorization before performing a penetration attack?
A white hat hacker always seeks authorization to perform penetration testing of private and proprietary systems. Companies usually contract these hackers to test their security systems.
50
What are Advanced Persistent Threats?
Advanced Persistent Threats (APTs) are cyber nation state adversaries that have developed cybersecurity expertise and use cyber weapons to compromise network security and achieve military and commercial goals.
51
What are state actors?
State actors' goals are primarily espionage and strategic advantage. These actors are backed by governments with virtually unlimited resources and are known to be particular about another country's energy and health network systems.
52
The Auto-ISAC is what type of threat intelligence source?
Information Sharing and Analysis Centers (ISACs) share threat intelligence and promote best practice in many critical industries, such as the auto industry. Auto-ISAC operates as a private organization made of a board of directors.
53
A vulnerability related to the system kernel affects which of the following?
Operating system
54
What is data exfiltration?
An attack that takes content from a local system, encrypts it, and sends it to the attacker's server via HTTP over the port 80
55
What is an SDN? (Software Defined Network)
A Software Defined Network (SDN) separates data and control planes in a network. It uses virtualization to route traffic to its intended destination, instead of using proprietary hardware.
56
What is a VM Sprawl?
Virtualization sprawl is a phenomenon that occurs when the number of virtual machines (VMs) on a network reaches a point where the administrator can no longer manage them effectively. This can happen by patch mismanagement or simply too many virtual machines.
57
What is a VM Escape?
Virtual machine escape is a vulnerability that enables a user to gain access to the primary hypervisor and associated virtual machines.
58
Define SaaS (Security as a Service)
Security as a Service is a part of the Software as a Service (SaaS) platform. Any security services provided in the cloud are a subset of SaaS cloud-based technologies.
59
Define PaaS (Platform as a Service)
Platform as a Service (PaaS) offers a company configurable operating systems and applications to use in a cloud environment. PaaS does not provide security services.
60
Define IaaS (Infrastructure as a Service)
Infrastructure as a Service (IaaS) provides companies the ability to "rent" hardware and services in a cloud environment. The company would do its own security patching and maintaining
61
What is the name of the infrastructure that uses a mix of public and private resources on a single platform?
Hybrid
62
A company has outsourced its equipment requirements and pays on a per use basis to save costs. Which cloud service is this?
IaaS
63
Which of the following secure coding techniques makes code more difficult to read for an attacker?
Obfuscation; Code obfuscation is the method of disguising coding methods by way of renaming variables, replacing strings, and hiding comments. This a secure coding practice.
64
What is code reuse?
Code reuse is the practice of using existing code (code previously developed) for a new function in a system. Because the code was previously built and published, it has also been tested for vulnerabilities and errors.
65
Describe Version Control
Version control tracks the versions of software in real time. It will record who has accessed the code, and what was changed. Version Control also allows for rollback if necessary.
66
A capability delivery team (CDT) reduces software development risk and cost while increasing the speed of delivery to the customer with updated software. What is the CDT providing the customer?
Continuous Deployment; The process of delivery of software to a production environment using automation, which reduces the software development lifecycle.
67
During testing, an application demonstrates poor performance in the amount of time a function to the database retrieves results. What should developers ensure in the database, to improve performance?
Normalization; Normalization is used to optimize database performance by removing duplicates, use of primary keys, and related data contained in separate tables.
68
Describe deprovisioning
Deprovisioning is the act of removing or disabling access to a resource. Since the application has been replaced, the application should be deprovisioned to preserve resources.
69
Describe provisioning
Provisioning is the process of procuring, configuring and making available an application or system. This process provides a resource to users.
70
What is Stored Procedures?
A stored procedure is a set of Structured Query Language (SQL) statements stored in a database as a group, so it can be reused and shared by multiple programs. Stored procedures can validate input.
71
A system administrator identified an issue in the cloud infrastructure where storage continues to fill, and system latency occurs. Which is the best solution to stop the drive space from reaching capacity and causing failure?
Automated scripting; An automated script can continuously check configurations of a system and react accordingly to keep systems secure and available.
72
Describe Scalability?
Scalability is the capacity to increase and decrease the workload on current resources by adding and removing necessary components without any interruption in business flow.
73
Which of the following describes the ability of a system to adapt to current demands by provisioning and deprovisioning resources as needed?
Elasticity; A user can increase or decrease resources as necessary. It is commonly used with cloud technologies.
74
Describe Version Control?
Version control tracks the versions of software in real time. It will record who has accessed the code, and what was changed. Version Control also allows for rollback if necessary.
75
Describe Integrity Measurements
Integrity measurements are done to identify baseline deviations. Automated tools continuously monitor the system for any baseline changes. If changes are found, Group Policy will force the system back to its original state.
76
An organization implements Directory Services as a management access control. Which of the following attributes will be used for authentication and role identification
Distinguished Name - Directory Services provide privilege management and authorization to a network by storing user information such as groups, roles, and services allowed into a Distinguished Name (DN). Directory services are used to structure user management and implement access security.
77
What is Gait Analysis?
Gait analysis is the study and recording of human behavior such as motion and action to authorize access. (An individual’s unique walking style)
78
What is Elliptic Curve Cryptography (ECC)?
Elliptic Curve Cryptography (ECC) is a trapdoor function used to generate public/private key pairs. Even at smaller key lengths, it is comparable to other asymmetric encryptions using larger key bits.
79
What is Key Stretching?
Key stretching is creating a key using thousands of rounds of hashing. Adding a salt in the hashing process makes the hash or key much stronger.
80
Describe United Communications
These solutions are messaging applications that combine multiple communications channels and technologies into a single platform. i.e. A phone call meeting can transition to a video call under same application.
81
What is a Secure Shell File Transfer Protocol (SFTP)?
Secure Shell File Transfer Protocol (SFTP) addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between a client and server. A secure link is created using Secure Shell over Transmission Control Protocol port 22.
82
What is Lightweight Directory Access Protocol Secure (LDAPS)?
Lightweight Directory Access Protocol Secure (LDAPS) uses port 636 to set up a secure channel to a directory service using a digital certificate. It secures queries to a directory service, while an unsecure version (LDAP) would utilize port 389.
83
What is DNS Security Extensions?
Domain Name System Security Extensions (DNSSEC) helps to mitigate against spoofing and poisoning attacks. The authoritative server for the zone creates a package of resource records, called an RRset, signed with a private key known as the zone signing key.
84
Which method is used for a Secure File Transfer within UNIX systems?
Secure Shell (SSH) is the principal means of obtaining secure remote access to a UNIX or Linux server. The main uses of SSH are for remote administration and Secure File Transfer (SFTP).
85
A server administrator should use which protocol to secure user communication with web services?
Hypertext transfer protocol secure (HTTPS) is the secure protocol that can encrypt communication between a user and web services. HTTPS operates over port 443 by default.
86
Which vulnerabilities can influence routing?
Fingerprinting, route injection, and ARP poisoning.
87
What is Lightweight Directory Access Protocol Secure (LDAPS)?
Lightweight Directory Access Protocol Secure (LDAPS) uses port 636 to set up a secure channel to a directory service using a digital certificate.
88
What is SNMPv3? (Simple Network Management Protocol) v3
Simple Network Management Protocol (SNMP) v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions.
89
What port does DNSSEC traffic use? (Domain Name Server Security Extensions)
DNS traffic uses port 53. However, given that most DNSSEC packets can be larger than 512 bytes, which is the limit for UDP packets, DNSSEC uses TCP port 53.
90
How does the default Windows protocol, Kerberos, benefit the overall security of the application?
Provides secure communication for directory services. It is a single sign-on service based on a time-sensitive ticket-granting system.
91
What is the main difference between Transport Layer Security 1.1 and 1.2?
Transport Layer Security (TLS) 1.2 added support for the strong Secure Hash Algorithm (SHA)-256 cipher. That is the primary difference between TLS 1.1 and TLS 1.2.
92
What is Dynamic Host Configuration Protocol (DHCP)?
DHCP provides an automatic method for network address allocation. As well, an IP address and subnet mask can include optional parameters.
93
What is Secure real-time transport protocol (SRTP)?
Secure real-time transport protocol (SRTP) encrypts actual real-time data, like voice and video. It provides confidentiality for the actual call data.
94
What is Secure/Multipurpose Internet Mail Extensions (S/MIME)?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a widely accepted method for sending digitally signed and encrypted messages. It allows the sender to encrypt the emails and digitally sign them.
95
What is Post Office Protocol v3 (POP3)?
The Post Office Protocol v3 (POP3) is a mailbox protocol designed to allow mail to be stored on a server and downloaded to the recipient's email client at his or her convenience.
96
What is tunnel mode?
The tunnel mode is used by IPsec to provide encrypted communication by encrypting the entire network packet. This method is used mostly in unsecured networks.
97
What is transport mode?
The transport mode is used by IPsec to provide encrypted communication by only encrypting the payload. This method is used mostly in private networks.
98
What is Dynamic analysis?
Dynamic analysis inspects code as it is running for code quality and vulnerabilities. Fuzzing is a common technique used. When using fuzzing, the system is attacked with random data to check for code vulnerabilities.
99
A tokenization process is a substitute for encryption when securing a database. What does tokenization do in this case?
Replace field data with random numbers
100
What are the benefits of installing a Host Intrusion Prevention System (HIPS) at the end points?
Prevents malicious traffic between virtual machines on a virtual stack when communicating to each other. And provides protection from zero day attacks.
101
What are the concepts in a Secure DevOps project?
Continuous Integration, Immutable Systems, and Security Automation
102
What type of method prevents installation of software that is not a part of a library?
Whitelisting, this control means that nothing can run if it is not on the approved whitelist.
103
A company implements an encryption key burned into the chip of the processor of employee laptops which provides a hardware root of trust. What did the company employ?
A trusted platform model (TPM)
104
What is blacklisting?
Blacklisting uses Group Policy to block certain applications from being installed on the system. If certain applications are known, they can be added to the "deny" Group Policy.
105
A security engineer sets up hardware that will automatically encrypt data on the drive. When the user enters credentials, the drive will decrypt with keys stored on the system. Which type of hardware security implementation is this?
A Self-encrypting drive (SED)
106
What is Full disk encryption? (FDE)
Full disk encryption (FDE) provides encryption for a whole disk and protects the confidentiality of the data.
107
What is a hardware root of trust?
A hardware root of trust is a known secure starting point by embedding a private key in the system. The key remains private until the public key is matched.
108
What is the Sandbox environment?
The sandbox is an isolated environment that is often used for testing. Security, patches, and critical updates can be tested in a sandbox, without touching the system before implementation.
109
What is the Staging Environment?
The staging environment mimics that of production and allows for an environment to practice deployment. In the event deployment fails in this environment, it can roll back to the test and development environments
110
What is the Production Environment?
The production environment is the final stage of the deployment effort. Testing in this environment would be too late, given it is the operational environment.
111
What is the Development Environment?
The development environment is a place for creation. Requirements are turned into reality in this environment. It is not a complete copy of production, but just the beginning of an application.
112
Which two best provides an active and passive protection at the server level?
HIPS and HIDS
Host Intrusion Prevention System (HIPS) is software located on the host system and has an active response to threats. In the example of an unknown IP range trying to gain access to a server, the HIPS at the server level will block the connection.
Host Intrusion Detection System (HIDS) is also software located on the host system. It can log and notify admins or users about intrusion attempts without an active response, like denying or blocking.
113
What is Input Validation?
Input validation verifies data is valid. Proper input validation uses a set of rules to validate entries in fields for proper use. In the event an entry is invalid, the application will reject the entry. It is a secure coding practice
114
What is Error Handling?
Error handling helps protect the integrity of a system by catching errors and providing user feedback.
115
What is Code Reuse?
Code reuse is the practice of using existing code (code previously developed), for a new function in a system. Since the code has been previously built and published, it has also been tested for vulnerabilities and errors.
116
What is Code Signing?
Code signing verifies application code has not been modified by the use of digital signatures. The certificate provided with the signature identifies the author of the application and the codes authenticity.
117
What is stress testing?
Stress testing is a software testing activity that determines the robustness of software by testing beyond the limits of normal operation. Stress testing is particularly important for "mission critical" software, but is used for all types of software.
118
What is Dynamic Link Library (DLL) injection?
A Dynamic Link Library (DLL) injection inserts malicious code by attacking memory in a system and making it run.
119
What is Code Obfuscation?
Code obfuscation is the method of disguising coding methods by way of renaming variables, replacing strings, and hiding comments.
120
What is Electromagnetic Interference (EMI)?
Electromagnetic interference (EMI) are radio frequencies emitted by external sources, such as power lines that disturb signals. EMI can be avoided by the use of shielding.
121
What is Basic Input/Output Systems (BIOS)?
Basic Input/Output System (BIOS) is a combination of hardware and software used to adjust settings in a computer.
122
What is a Virtual Local Area Network (VLAN)?
A Virtual Local Area Network (VLAN) is a logical group of network devices on the same LAN, despite their geographical distribution. It can divide the devices logically on the data link layer, and group users according to departments. A proxy is a device that acts on behalf of another service.
123
Describe an Intranet
An intranet is a private company zone established to allow employees the ability to share content and communicate more effectively.
124
Describe an Extranet
An extranet is a zone created to allow authorized users access to company assets, separate from the intranet.
125
What is a Demilitarized Zone (DMZ)?
Demilitarized zone is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks -- usually, the public internet. DMZs are also known as perimeter networks or screened subnetworks.
126
What is a Split Tunnel?
In a split tunnel VPN, administrators decide where traffic is routed. A split tunnel can decipher whether traffic goes to a private network or no
127
What is a Site-to-Site VPN?
A VPN that connects two local area networks (LANS) is called a site to site VPN. Access is transparent to the user.
128
What is a Host Based Firewall?
A host-based (or personal) firewall is a software application running on a single host designed to protect that host only. This firewall can run on a server or a client computer.
129
What is an Appliance Firewall?
An appliance firewall is a stand-alone hardware firewall deployed to monitor traffic passing into and out of a network zone. An application firewall analyzes packets at layer 7 or the application layer.
130
What is a Virtual Firewall?
A virtual firewall is a virtual server that runs a firewall application. This type of firewall can provide immediate network protection to other virtual servers in a cloud stack, for example.
131
What is a Hardware Firewall?
A hardware firewall (also known as an appliance firewall) provides immediate protection to the network. A hardware firewall can operate at layer 2 (bridged) or layer 3 (routed) of the Open Systems Interconnection (OSI) model.
132
What is a Reverse Proxy?
A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers.
133
What is Data Loss Prevention (DLP).
A data loss prevention system (DLP) uses algorithms to identify confidential information and prevent such information from leaving company systems.
134
What is a Load Balancer?
A load balancer will be able to balance the service requests among multiple servers that provide the same service. It does not determine an authorized connection like a proxy server.
135
What is a Network Addressing Protocol (NAT)?
Network Addressing Protocol (NAT) translates public IP addresses to private and vice versa. By using the NAT protocol on the firewall, a company can hide assets from the public internet. A proxy acts on behalf of another service.
136
What is URL filtering?
URL filtering allows someone to control access to websites by permitting or denying access to specific websites based on information contained in an URL list.
137
What is an Access Control List (ACL)?
An access control list (ACL) can be used to restrict communications between two network segments or two switches connected to a router. ACL is used by firewalls. The list of rules defines the type of data packet and the appropriate action to take when it exits or enters a network or system. The actions are to deny or accept.
138
What is HTML5?
Hypertext Markup Language 5 (HTML5) Virtual Private Network (VPN) uses modern web browsers to access and manage a desktop with relatively little lag. This is also known as a clientless remote desktop gateway
139
What is a Collector?
A collector combines multiple sensors to collect internet traffic for processing by an Intrusion Detection Systems (IDS) and other systems. Depending on where the collector is placed determines the type of traffic analyzed
140
What is an Aggregation Switch?
An aggregation switch can connect multiple subnets to reduce the number of active ports.
141
What is a Port Mirror?
A port mirror is used to monitor network traffic. It forwards a copy of each packet from one switch port to another.
142
What is Active/Passive Topology?
An active/passive topology will ensure a proper failure capability. Requests will continually flow through one load balancer and through the secondary if the primary fails.
143
What is File Integrity Monitoring?
File integrity monitoring is a feature available in most antivirus software or HIPS (Host-based Intrusion Prevention System). HIPS can capture a baseline of the image, any radical change (like an image) using hashing algorithms, will flag the incident, and quarantine the files.
144
Which network segmentation options provides the most security between services on the cloud platform?
Setting up efficient East-West traffic and setting up Zero Trust (Zero trust uses systems such as continuous authentication and conditional access to mitigate privilege escalation and account compromise.)
145
What is Secure Sockets Layer (SSL)?
Secure Sockets Layer (SSL) is a network protocol that establishes an encrypted link between a web server and a browser. Users interact with their bank's web portal using an SSL or TLS connection.
146
What is an active/active configuration?
An active/active cluster provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.
147
What is an active/passive configuration?
An active/passive cluster provides Enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.
148
What is a Signature-Based detection method?
An active/passive cluster provides Enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.
149
What is an Anomaly-Based Detection method?
Anomaly-based detection uses an engine that looks for irregularities in the use of protocols. For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert, if they deviate from strict RFC compliance.
150
What is a Behavioral-Based detection method?
Behavioral-based (statistical or profile-based) detection uses an engine to recognize baseline "normal" traffic or events. Any deviation from the baseline (outside a defined level of tolerance) generates an incident.
151
What are sensors?
Sensors gather information to determine if the data being passed is malicious or not. The Internet facing sensor will see all traffic and determine its Intent. The sensor behind the firewall will only see filtered traffic. The sensors send findings to the NIDS console.
152
What are Correlation Engines?
A correlation engine is part of a Security Information and Event Manager (SIEM). It captures and examines logged events to alert administrators of potential threats on a network.
153
What is a Status Code?
A static code analyzer examines code quality and effectiveness without executing the code. An analyzer can be used in conjunction with development, for continued code quality checks, or once the code is in its finalization stages.
154
What is MAC Filtering?
Media access control (MAC) filtering specifies a list of valid MAC addresses of devices that will be allowed to connect to the WAP (wireless access point).
155
What is a jump server commonly used for?
To provide secure access to DMZ servers. -- A jump server runs only necessary administrative applications to securely access a web server, for example, in the DMZ. This minimizes any inherit risks when connecting to the DMZ from a secure zone.
156
Which authentication protocol requires both a server and client-side public certificate?
Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) requires a server and client-side public key certificate. An encrypted TLS tunnel is established between the supplicant and authentication server using this method.
157
What is Protected Extensible Authentication Protocol (PEAP)?
Protected Extensible Authentication Protocol (PEAP) creates an encrypted tunnel but only requires a server-side certificate. In this case, the user authentication method must use Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2) or Generic Token Card (GTC).
158
What is EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)?
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) is similar to PEAP but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key.
159
Enterprise wireless solutions should use which of the following when configuring wireless access points?
Controllers and RADIUS
160
What is a Pre-Shared Key (PSK)?
Pre-shared Key (PSK) is the password needed to gain access to a WAP. An example is a WPA2 enabled PSK. Using a personal password will not work.
161
What is a WIFI Analyzer?
A Wi-Fi analyzer is a software tool that can scan for wireless signals in the area. With a wireless device, like a smartphone, the surveyor can move to catch rogue access point signals in range.
162
What is a Virtual Private Cloud (VPC) endpoint?
A virtual private cloud (VPC) endpoint is a means of publishing a service that is accessible by instances in other VPCs using the AWS internal network and private IP addresses. An interface endpoint makes use of AWS's PrivateLink feature to allow private access.
163
What is Dynamic Resource Allocation?
Dynamic resource allocation is the on-demand service capabilities that cloud service providers can provide. CSPs can create a virtual instance or container with X amount of resources any time.
164
What is a Cloud Access Security Broker? (CASB)
A Cloud Access Security Broker (CASB) is a part of security as a service that monitors network traffic between a company's network and cloud provider, enforcing security policies.
165
What is Infrastructure as a Service (IaaS)?
Infrastructure as a Service, (IaaS) allows for the outsourcing of equipment and support operations. The service provider owns, maintains, and manages the equipment.
166
What is Discretionary Access Control (DAC)?
Discretionary Access Control (DAC) is a type of control where the content owner/controller controls access and enforces rules, rather than the system.
167
What is Role-based Access Control (RBAC)?
Role-based Access Control (RBAC) is non-discretionary and assigns users permissions based on roles or groups to which they belong. The owner/creator does not allocate permissions.
168
What is Mandatory Access Control (MAC)?
Mandatory Access Control (MAC) is a non-discretionary access control measure based on security clearances. Each object has a security clearance level label, which a user must have a "need to know" in order to access.
169
What is Attribute-based Access Control (ABAC)?
Attribute-based access control (ABAC) is the most fine-grained, non-discretionary method of access control. The system allocates permission, rather than the content creator or owner.
170
What mode does the Sandbox Mode run on?
Rule-Based Access Control (RBAC). Sandbox mode is an example of a rule-based access control measure, designed to protect computer and network systems founded on discretionary access from misconfigurations that can result from DAC.
171
What is a Trusted Platform Module (TPM)?
A trusted platform module (TPM) is a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. It is commonly used to store the keys to unlock an encrypted hard drive or solid-state drive.
172
What type of attacks do Kerberos authentication protect against?
Replay Attacks and Man-in-the-Midddle attack
173
What is IEEE802.1x
Institute of Electrical and Electronics Engineers (IEEE) 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an Extensible Authentication Protocol (EAP) method when a device connects to an Ethernet switch port, wireless access point (WAP), or virtual private network (VPN) gateway.
174
What is Terminal Access Controller Access-Control System Plus (TACACS+)?
Terminal Access Controller Access-Control System Plus (TACACS+) is specifically designed for network administration of routers. TACACS+ data packets are encrypted and make it easier for network admins to work with multiple routers simultaneously.
175
How does Kerberos protect against a man-in-the-middle attack?
By performing mutual authentication. Mutual authentication assures that the client and the server are authenticated to one another, and an attacker cannot intercept the communications exchanged between the two.
176
Why is the Password Authentication Protocol (PAP) the weakest form of authentication?
It is designed for use with dial-up connections and transfers password information in cleartext rather than over a secure connection.
177
How are authorization tokens secured when a federated network employs Security Association Markup Language (SAML)?
SAML tokens are signed with an eXtensible Markup Language (XML) digital signature. Security Association Markup Language (SAML) authorizations or tokens are written and signed with the eXtensible Markup Language (XML) signature specification; this digital signature allows the service provider to trust the identity provider.
178
What's the difference between OAuth and OpenID Connect (OIDC)?
OAuth provides authorization services only, while OpenID Connect (OIDC) provides federated authentication.
179
Which type of certificate could be issued to network appliances?
Machine certificates may be issued to network appliances, such as routers, switches, and firewalls.
180
How does a wildcard certificate benefit an organization?
Reduces management overhead. A wildcard certificate is issued to the parent domain and will be accepted as valid for all subdomains because all are listed in one. These will reduce work to produce individual certificates for each.
181
Which certificate extensions can support the transfer of a private key?
A PFX, or .pfx, or .p12 extension is used to export a certificate along with its private key. The file is password protected and can archive or transport a private key.
182
What is the purpose of a Certificate Signing Request (CSR)?
To obtain a certificate. A subject must complete a Certificate Signing Request (CSR) and submit it to the Certificate Authority (CA) to obtain a certificate. It is a Base64 ASCII file containing information about the requester including its public key.
183
What is Key Escrow?
Key escrow refers to the archiving of a key (or keys) with a third party. This is a useful solution for organizations that do not have the capability to store keys securely but are able to fully trust the third party.
184
What are the components of a three-level Certificate Authority (CA) hierarchy?
Root server, Intermediate, and issuing server.
The three-level Certificate Authority (CA) hierarchy can be described with a root server at the top-level, an intermediate or subordinate CA in the middle, and issuing CAs at the bottom that issue certificates.
185
What is HTTP Public Key Pinning (HPKP)?
HTTP Public Key Pinning (HPKP) is a method of trusting digital certificates to bypass the CA hierarchy and chain of trust and minimize MitM attacks. The client stores a public key that belongs (or is pinned) to a web server. If visiting again and the key does not exist in the certificate chain, a warning is presented.
186
In a Public Key Infrastructure (PKI), which option best describes how users and multiple Certificate Authorities (CA) share information and exchange certificates?
Trust Model. The trust model is a concept of the Public Key Infrastructure (PKI) to show how users and different Certificate Authorities (CA) can trust one another. This is detailed in a certificate's certification path leading back to the root CA.
187
What is the Subject Alternative Name (SAN)?
Subject Alternative Name (SAN) is an extension field on a web server certificate using multiple subdomain labels to support the identification of the server.
188
What is a Certificate Revocation List (CRL)?
A Certificate Revocation List (CRL) is a list of certificates revoked by the CA and are no longer valid nor trusted.
189
What is Cuckoo?
Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment. It does not scan for vulnerabilities.
190
What is Autopsy?
Autopsy is a digital forensics platform with a graphical user interface (GUI). It investigates events on a device.
191
Identify the software classified as exploitation frameworks.
Metasploit, Sn1per, and fireELF
192
What does the "netstat" command perform?
The netstat command allows the admin to check the state of ports on the local machine (Windows or Linux). The admin may also be able to identify suspect remote connections to services on the local host or from the host to remote IP (Internet protocol) addresses.
193
What is Nessus?
Nessus is a commercial vulnerability scanner that scans a device and raises an alarm if it detects vulnerabilities on any device on the network that a malicious hacker could exploit.
194
What is theHarvester?
theHarvester is a tool for gathering open-source intelligence (OSINT) for a particular domain or company name. It works by scanning multiple public data sources and gathering emails, names, subdomains, IPs, URLs, and other relevant data.
195
What is dnsenum?
The dnsenum tool performs a number of tests in a single query and can retrieve hosting information, name records, and even work out IP address ranges currently in use.
196
What is the open-source tool, "hping"?
The open-source tool, known as hping, has packet sniffing and injection capabilities, as well as Denial of Service (DoS) testing features built right in.
197
Which software tools can perform both packet sniffing and a DoS attack?
Nmap and hping
198
What is a FTK Imager?
FTK Imager is a data imaging tool that quickly assesses electronic evidence to determine if it requires further analysis. The FTK Imager can save an image of a hard disk in one file or in segments to reconstruct later if needed.
199
What is a tcpreplay tool?
The tcpreplay tool can replay network traffic captured by another program, such as Wireshark, in the form of a .pcap file. This can be used to investigate suspicious traffic or test the effectiveness of intrusion detection rules.
200
What does the route command perform?
The route command views and configures the host's local routing table. Entries that are unfamiliar or that are not routers can be considered suspicious.
201
What is Sn1per?
Sn1per is a framework designed for penetration test reporting and evidence gathering and can integrate with other tools, such as Metasploit, to run automated tests.
202
What does the arp command perform?
The arp command is a TCP/IP command-line utility for viewing and modifying the local Address Resolution Protocol (ARP) cache, which contains recently resolved MAC addresses of Internet Protocol (IP) hosts on the network.
203
What will the command logger -f hostnames do?
Log the file 'hostnames' to syslog
204
What's the difference between the "grep" command and the "Select-String -Path" command?
They both define and call a function to search a keyword in a file, however, the grep tool is used in the Linux environment and Select-String -Path is used in a Powershell environment.
205
What is the Recovery stage in the incident response lifecycle?
Recovery is a stage in the incident response lifecycle. This stage ensures that the threat no longer exists, and all systems are brought back to a secure state. In this case, 10 days were required to eliminate the threat, bring systems online, and test.
206
What is the Identification stage in the incident response lifecycle?
Identification is a stage in the incident response lifecycle. In this stage, it is determined whether an incident has taken place. The assessment of how severe the incident might be is followed by notification of the incident to stakeholders.
207
What is the Containment stage in the incident response lifecycle?
Containment is a stage in the incident response lifecycle. In this stage, the goal is to limit the scope and reach of the event. One approach in containment is to isolate infected systems.
208
What is the Lessons Learned stage in the incident response lifecycle?
During this stage, the incident and related actions are reviewed for what went right and what went wrong data.
209
What is the Eradication stage in the incident response lifecycle?
In this stage, IT removes the threat to proceed to recovery.
210
What is a tabletop exercise?
With a tabletop exercise, staff will "ghost" the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything
211
What is a Test Access Point (TAP)?
A test access point (TAP) is a device that copies signals from the physical layer and the data link layer. Since no network or transport logic is used, every frame is received, allowing reliable packet monitoring.
212
What is a technical security control?
A technical security control includes hardware or software mechanisms used to protect assets. Antivirus software, firewalls, and intrusion detection systems are examples of a technical control.
213
What is a managerial security control?
A managerial security control provides the guidance, policies, and procedures for implementing a secure environment, such as an acceptable use policy.
214
What is a detective security control?
A detective control identifies when incidents or vulnerabilities have occurred. Auditing and monitoring are examples of detective controls.
215
What is a preventative security control?
A preventive control aims to prevent security incidents in a system. Security training and change management are examples of a preventive security control.
216
What is a deterrent security control?
A deterrent control may not physically or logically prevent access, but rather psychologically discourages an attacker from attempting an intrusion. A warning sign is an example of a deterrent control.
217
What is a compensating security control?
A compensating control does not prevent an attack, but it can restore functionality of systems through other means, such as a backup.
218
What is an administrative security control?
Administrative security controls determine behavior through policies, procedures, and guidance.
219
What is a corrective security control?
A corrective control responds to and fixes an incident. It may also prevent the reoccurrence of the incident. Antivirus software is an example of a corrective control.
