Sec+601 Flashcards

1
Q

3 key objectives of cybersecurity programs

A

confidentiality, integrity, and availability

2
Q

Confidentiality

A

ensures that unauthorized individuals are not able to gain access to sensitive information. Cybersecurity professionals develop and implement security controls, including firewalls, access control lists, and encryption, to prevent unauthorized access to information.

3
Q

Integrity

A

ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Integrity controls, such as hashing and integrity monitoring solutions, seek to enforce this requirement. Integrity threats may come from attackers seeking the alteration of information without authorization or non-malicious sources, such as a power spike causing the corruption of information.

4
Q

Availability

A

ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them. Availability controls, such as fault tolerance, clustering, and backups, seek to ensure that legitimate users may gain access as needed. Similar to integrity threats, availability threats may come either from attackers seeking the disruption of access or non-malicious sources, such as a fire destroying a datacenter that contains valuable information or services.

5
Q

Security incidents

A

occur when an organization experiences a breach of the confidentiality, integrity, and/or availability of information or information systems.

6
Q

3 key threats to cybersecurity efforts:

A

DAD Triad - Disclosure, Alteration and Denial
Disclosure is the exposure of sensitive information to unauthorized individuals, otherwise known as data loss. Disclosure is a violation of the principle of confidentiality. Attackers who gain access to sensitive information and remove it from the organization are said to be performing data exfiltration. Disclosure may also occur accidentally, such as when an administrator misconfigures access controls or an employee loses a device.

Alteration is the unauthorized modification of information and is a violation of the principle of integrity. Attackers may seek to modify records contained in a system for financial gain, such as adding fraudulent transactions to a financial account. Alteration may occur as the result of natural activity, such as a power surge causing a “bit flip” that modifies stored data. Accidental alteration is also a possibility, if users unintentionally modify information stored in a critical system as the result of a typo or other unintended activity.
Denial is the unintended disruption of an authorized user’s legitimate access to information. Denial events violate the principle of availability. This availability loss may be intentional, such as when an attacker launches a distributed denial-of-service (DDoS) attack against a website. Denial may also occur as the result of accidental activity, such as the failure of a critical server, or as the result of natural activity, such as a natural disaster impacting a communications circuit.

7
Q

Attackers who gain access to sensitive information and remove it from the organization are said to be performing:

A

data exfiltration

8
Q

We can categorize the potential impact of a security incident using the same categories that businesses generally use to describe any type of risk:

A

financial, reputational, strategic, operational, and compliance.

9
Q

(Breach impact risk) is, as the name implies, the risk of monetary damage to the organization as the result of a data breach. This may be very direct financial damage, such as the costs of rebuilding a datacenter after it is physically destroyed or the costs of contracting experts for incident response and forensic analysis services.

A

Financial Risk

10
Q

(Breach impact risk) occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and other stakeholders. It is often difficult to quantify reputational damage, as these stakeholders may not come out and directly say that they will reduce or eliminate their volume of business with the organization as a result of the security breach. However, the breach may still have an impact on their future decisions about doing business with the organization.

A

Reputational risk

11
Q

(Breach impact risk) is the risk that an organization will become less effective in meeting its major goals and objectives as a result of the breach.

A

Strategic risk

12
Q

(Breach impact risk) occurs when a security breach causes an organization to run afoul of legal or regulatory requirements. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that health-care providers and other covered entities protect the confidentiality, integrity, and availability of protected health information (PHI). If an organization loses patient medical records, they violate HIPAA requirements and are subject to sanctions and fines from the U.S. Department of Health and Human Services. That’s an example of compliance risk.

A

Compliance risk

13
Q

As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems. They express these requirements by writing the () that the organization wishes to achieve. These () are statements of a desired security state, but they do not, by themselves, actually carry out security activities.

A

control objectives

14
Q

are specific measures that fulfill the security objectives of an organization.

A

Security controls

15
Q

Security Control Categories

A

Technical, Operational, and Managerial

16
Q

enforce confidentiality, integrity, and availability in the digital space. Examples of () security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

A

Technical controls

17
Q

include the processes that we put in place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management. (Under security controls)

A

Operational controls

18
Q

are procedural mechanisms that focus on the mechanics of the risk management process. Examples of administrative controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices. (Under security controls)

A

Managerial control

19
Q

intend to stop a security issue before it occurs. Firewalls and encryption are examples of () controls. (CompTIA version of security control types)

A

Preventive

20
Q

identify security events that have already occurred. Intrusion detection systems are () controls. (CompTIA version of security control types)

A

Detective

21
Q

remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a () control. (CompTIA version of security control types)

A

Corrective

22
Q

seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls. (CompTIA version of security control types)

A

Deterrent

23
Q

are security controls that impact the physical world. Examples of physical security controls include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms. (CompTIA version of security control types)

A

Physical

24
Q

are controls designed to mitigate the risk associated with exceptions made to a security policy. (CompTIA version of security control types)

A

Compensating

25
Q

three states where data might exist.

A

data at rest, data in motion and data in processing

26
Q

is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. This data is prone to pilfering by insiders or external attackers who gain access to systems and are able to browse through their contents.

A

data at rest

27
Q

is data that is in transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.

A

data in motion

28
Q

is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information.

A

Data in processing

29
Q

technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.

A

Encryption

30
Q

technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.

A

Data loss prevention (DLP)

31
Q

DLP systems work in two different environments:

A

Host-based DLP
Network DLP

32
Q

This DLP uses software agents installed on systems that search those systems for the presence of sensitive information. These searches often turn up Social Security numbers, credit card numbers, and other sensitive information in the most unlikely places!

A

Host-based

33
Q

These DLP systems are dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information. They can then block those transmissions, preventing the unsecured loss of sensitive information.

DLP systems may simply block traffic that violates the organization’s policy, or in some cases, they may automatically apply encryption to the content. This automatic encryption is commonly used with DLP systems that focus on email.

A

Network-based

34
Q

DLP systems also have two mechanisms of action:

A

Pattern matching, where they watch for the telltale signs of sensitive information. For example, if they see a number that is formatted like a credit card or Social Security number, they can automatically trigger on that. Similarly, they may contain a database of sensitive terms, such as “Top Secret” or “Business Confidential,” and trigger when they see those terms in a transmission.
Watermarking, where systems or administrators apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags. Watermarking technology is also commonly used in digital rights management (DRM) solutions that enforce copyright and data ownership restrictions.

35
Q

techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve () () is to simply destroy data when it is no longer necessary to meet our original business purpose.

A

minimization

36
Q

If we can’t completely remove data from a dataset, we can often transform it into a format where the original sensitive information is (). The () process removes the ability to link data back to an individual, reducing its sensitivity.

A

de-identified

37
Q

An alternative to de-identifying data is transforming it into a format where the original information can’t be retrieved.

A

data obfuscation

38
Q

replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We’d then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone’s identity. Of course, if you use this approach, you need to keep the lookup table secure!

A

tokenization

39
Q

uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value.

A

hashing

40
Q

partially redacts sensitive information by replacing some or all sensitive fields with blank characters. For example, we might replace all but the last four digits of a credit card number with X’s or *’s to render the card number unreadable.

A

Masking

41
Q

In this attack, the attacker computes the hashes of those candidate values and then checks to see if those hashes exist in our data file.

For example, imagine that we have a file listing all the students at our college who have failed courses but we hash their student IDs. If an attacker has a list of all students, they can compute the hash values of all student IDs and then check to see which hash values are on the list. For this reason, hashing should only be used with caution.

A

Rainbow Table attack

42
Q

Chris is responding to a security incident that compromised one of his organization’s web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate?
a- Confidentiality
b- Nonrepudiation
c- Integrity
d- Availability

A

c- integrity

43
Q

Tonya is concerned about the risk that an attacker will attempt to gain access to her organization’s database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement?
A-Preventive
B-Detective
C-Corrective
D-Deterrent

A

D-Deterrent

44
Q

Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?
A-Detective
B-Corrective
C-Deterrent
D-Preventive

A

D-Preventive

45
Q

Which one of the following data protection techniques is reversible when conducted properly?
A-Tokenization
B-Masking
C-Hashing
D-Shredding

A

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can’t be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

46
Q

also known as authorized attackers, are those who act with authorization and seek to discover security vulnerabilities with the intent of correcting them. White-hat attackers may either be employees of the organization or contractors hired to engage in penetration testing.

A

White-hat hackers

47
Q

also known as unauthorized attackers, are those with malicious intent. They seek to defeat security controls and compromise the confidentiality, integrity, or availability of information and systems for their own, unauthorized, purposes.

A

Black-hat hackers

48
Q

also known as semi-authorized attackers, are those who fall somewhere between white- and black-hat hackers. They act without proper authorization, but they do so with the intent of informing their targets of any security vulnerabilities.

A

Gray-hat hacker

49
Q

is a derogatory term for people who use hacking techniques but have limited skills. Often such attackers may rely almost entirely on automated tools they download from the Internet. These attackers often have little knowledge of how their attacks actually work, and they are simply seeking out convenient targets of opportunity.

A

Script Kiddies

50
Q

use hacking techniques to accomplish some activist goal. They might deface the website of a company whose policies they disagree with. Or a () might attack a network due to some political issue. The defining characteristic of () is that they believe they are motivated by the greater good, even if their activity violates the law.

A

Hacktivists

51
Q

do not normally embrace political issues or causes, and they are not trying to demonstrate their skills. In fact, they would often prefer to remain in the shadows, drawing as little attention to themselves as possible. They simply want to generate as much illegal profit as they possibly can.

A

Organized criminal syndicates

52
Q

attacks that Mandiant reported are emblematic of nation-state attacks. They tend to be characterized by highly skilled attackers with significant resources. A nation has the labor force, time, and money to finance ongoing, sophisticated attacks.

The motive can be political or economic. In some cases, the attack is done for traditional espionage goals: to gather information about the target’s defense capabilities. In other cases, the attack might be targeting intellectual property or other economic assets.

A

Advanced Persistent Threats (APTs)

53
Q

attacks occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization. These attacks are often aimed at disclosing confidential information, but insiders may also seek to alter information or disrupt business processes.

A

Insiders

53
Q

attacks are particularly dangerous because they are unknown to product vendors, and therefore, no patches are available to correct them. APT actors who exploit () vulnerabilities are often able to easily compromise their targets.

A

Zero-Day Attacks

53
Q

Behavioral assessments are a powerful tool in identifying insider attacks.

A

Remember

54
Q

Dedicated employees often seek to achieve their goals and objectives through whatever means allows them to do so. Sometimes, this involves purchasing technology services that aren’t approved by the organization. For example, when file sharing and synchronization services first came on the market, many employees turned to personal Dropbox accounts to sync work content between their business and personal devices. They did not do this with any malicious intent. On the contrary, they were trying to benefit the business by being more productive.

This situation, where individuals and groups seek out their own technology solutions, is a phenomenon known as

A

Shadow IT

55
Q

may engage in corporate espionage designed to steal sensitive information from your organization and use it to their own business advantage.

A

Competitors

56
Q

Threat actors targeting an organization need some means to gain access to that organization’s information or systems. _______________ are the means that threat actors use to obtain that access.

A

Threat vectors

57
Q

Bold attackers may seek to gain ______________ to an organization’s network by physically entering the organization’s facilities. One of the most common ways they do this is by entering public areas of a facility, such as a lobby, customer store, or other easily accessible location and sitting and working on their laptops, which are surreptitiously connected to unsecured network jacks on the wall.

A

Direct Access

58
Q

Besides wireless networks and removable media, cloud services can also be used as an attack vector. Attackers routinely scan popular cloud services for files with improper access controls, systems that have security flaws, or accidentally published API keys and passwords.

A

Remember this

59
Q

Sophisticated attackers may attempt to interfere with an organization’s IT supply chain, gaining access to devices at the manufacturer or while the devices are in transit from the manufacturer to the end user. Tampering with a device before the end user receives it allows attackers to insert backdoors that grant them control of the device once the customer installs it on their network. This type of third-party risk is difficult to anticipate and address.

A

Remember this

60
Q

Examples of Threat Vectors

A

Direct access
Wireless
Email
Supply chain
Social media
Removable media
Cloud

61
Q

is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment.

A

Threat intelligence

62
Q

Threat intelligence information can also be used for predictive analysis to identify likely risks to the organization.

A

Remember this

63
Q

There are many sources of threat intelligence, ranging from open source intelligence (OSINT) that you can gather from publicly available sources to commercial services that provide proprietary or closed-source intelligence information.

A

Remember this

64
Q

These are the telltale signs that an attack has taken place and may include file signatures, log patterns, and other evidence left behind by attackers. () may also be found in file and code repositories that offer threat intelligence information.

A

indicators of compromise (IoCs)

65
Q

A number of sites maintain extensive lists of open source threat information sources:

Senki.org provides a list: www.senki.org/operators-security-toolkit/open-source-threat-intelligence-feeds
The Open Threat Exchange operated by AT&T is part of a global community of security professionals and threat researchers: https://cybersecurity.att.com/open-threat-exchange
The MISP Threat Sharing project, www.misp-project.org/feeds, provides standardized threat feeds from many sources, with community-driven collections.
Threatfeeds.io hosts a list of open source threat intelligence feeds, with details of when they were added and modified, who maintains them, and other useful information: threatfeeds.io

A

Remember this

66
Q

is a network run over standard Internet connections but using multiple layers of encryption to provide anonymous communication.

A

dark web

67
Q

Threat maps provide a geographic view of threat intelligence. Many security vendors offer high-level maps that provide real-time insight into the cybersecurity threat landscape. For example, FireEye offers the public threat map shown in Figure 2.4 at www.fireeye.com/cyber-map/threat-map.html

Organizations may also use threat mapping information to gain insight into the sources of attacks aimed directly at their networks. However, threat map information should always be taken with a grain of salt because geographic attribution is notoriously unreliable. Attackers often relay their attacks through cloud services and other compromised networks, hiding their true geographic location from threat analysis tools.

A

Remember this

68
Q

allow organizations to filter and use threat intelligence based on how much trust they can give it. That doesn’t mean that lower confidence information isn’t useful; in fact, a lot of threat intelligence starts with a lower (), and that score increases as the information solidifies and as additional sources of information confirm it or are able to do a full analysis. Low confidence threat information shouldn’t be completely ignored, but it also shouldn’t be relied on to make important decisions without taking the low confidence score into account.

A

Confidence scores

69
Q

One way to summarize the threat intelligence assessment data is via a confidence score. Confidence scores allow organizations to filter and use threat intelligence based on how much trust they can give it. That doesn’t mean that lower confidence information isn’t useful; in fact, a lot of threat intelligence starts with a lower confidence score, and that score increases as the information solidifies and as additional sources of information confirm it or are able to do a full analysis. Low confidence threat information shouldn’t be completely ignored, but it also shouldn’t be relied on to make important decisions without taking the low confidence score into account.

A

Remember this

70
Q

Managing threat information at any scale requires standardization and tooling to allow the threat information to be processed and used in automated ways. Indicator management can be much easier with a defined set of terms. That’s where structured markup languages like STIX and OpenIOC come in.

Structured Threat Information eXpression (STIX) is an XML language originally sponsored by the U.S. Department of Homeland Security. In its current version, STIX 2.0 defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools.

A

Remember this

71
Q

Using a single threat feed can leave you in the dark! Many organizations leverage multiple threat feeds to get the most up-to-date information. Threat feed combination can also be challenging since they may not use the same format, classification model, or other elements. You can work around this by finding sources that already combine multiple feeds or by finding feeds that use the same description frameworks, like STIX.

A

Remember this

72
Q

In the United States, organizations known as Information Sharing and Analysis Centers (ISACs) help infrastructure owners and operators share threat information and provide tools and assistance to their members. The National Council of ISACs lists the sector-based ISACs at www.nationalisacs.org/member-isacs.

The ISAC concept was introduced in 1998, as part of Presidential Decision Directive-63 (PDD-63), which asked critical infrastructure sectors to establish organizations to share information about threats and vulnerabilities. ISACs operate on a trust model, allowing in-depth sharing of threat information for both physical and cyber threats. Most ISACs operate 24/7, providing ISAC members in their sector with incident response and threat analysis.

A

Remember this

73
Q

is specifically designed to communicate cyber threat information at the application layer.

A

TAXII, the Trusted Automated eXchange of Indicator Information protocol

74
Q

is a threat description language

A

STIX

75
Q

The term malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users. Malware can also gather information, provide illicit access, and take a broad range of actions that the legitimate owner of a system or network may not want to occur.

A

Remember this

77
Q

which encrypts files and then holds them hostage until a ransom is paid

A

crypto malware

78
Q

is malware that takes over a computer and then demands a ransom.

A

ransomware

79
Q

Some ransomware has been defeated, and defenders may be able to use a preexisting decryption tool to restore files. Antivirus and antimalware providers as well as others in the security community provide anti-ransomware tools.

A

Remember this

80
Q

The Security+ Exam Outline calls out remote access Trojans (RATs) and Trojans separately. RATs are a subset of Trojans, so not every Trojan is a RAT. Make sure you remember that RATs provide remote access and monitoring of a system for attackers.

A

Remember this

81
Q

Unlike Trojans that require user interaction, () spread themselves. Although () are often associated with spreading via attacks on vulnerable services, any type of spread through automated means is possible, meaning that () can spread via email attachments, network file shares, or other methods as well. () also self-install, rather than requiring users to click on them, making them quite dangerous.

A

Worms

82
Q

are malware that is specifically designed to allow attackers to access a system through a backdoor. Many modern () also include capabilities that work to conceal the () from detection through any of a variety of techniques, ranging from leveraging filesystem drivers to ensure that users cannot see the rootkit files, to infecting startup code in the master boot record (MBR) of a disk, thus allowing attacks against full-disk encryption systems.

A

rootkits

83
Q

Rootkit detection can be challenging, because a system infected with malware like this cannot be trusted. That means that the best way to detect a rootkit is to test the suspected system from a trusted system or device. In cases where that isn’t possible, rootkit detection tools look for behaviors and signatures that are typical of rootkits. Techniques like integrity checking and data validation against expected responses can also be useful for rootkit detection, and anti-rootkit tools often use a combination of these techniques to detect complex rootkits.

A

RT
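Added example for cards 83 and 84 (this is not part of the original deck or the Security+ text): integrity checking as a rootkit detection technique. A manifest of SHA-256 digests is recorded while the system is trusted; later the live tree is re-hashed and compared. Every path and file below is constructed inside a temporary directory, and the "system binaries" are stand-in shell scripts.

```python
"""Added example (not from the Security+ text) for the rootkit detection and
removal cards: integrity checking. A manifest of SHA-256 digests is recorded
while the system is trusted, then the live tree is re-hashed and compared. Every
path and file below is constructed inside a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Baseline a tiny 'bin' tree, then simulate a rootkit that trojans ls to
    hide its files and drops a hidden shared object. Returns the comparison."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        # Constructed stand-ins for system binaries.
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")
        baseline = build_manifest(root)  # store this off-host in real use

        # The 'infection': ls now filters its own name out of listings.
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\" | grep -v rootkit\n")
        with open(os.path.join(bindir, ".rootkit.so"), "wb") as f:
            f.write(b"\x7fELF")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

The caveat from card 83 applies directly: a kernel-mode rootkit can lie to the same open() and read() calls this script uses, so the manifest must be kept off the host and the comparison run from trusted boot media or another system. On a live, possibly infected host the check is only as trustworthy as the kernel answering it.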

84
Q

Once a rootkit is discovered, removal can be challenging. Although some antimalware and anti-rootkit tools are able to remove specific rootkits, the most common recommendation whenever possible is

A

to rebuild the system or to restore it from a known good backup.

85
Q

Some rootkits are intentionally installed, either as part of digital rights management (DRM) systems or as part of anti-cheating toolkits for games, or because they are part of a tool used to defeat copy protection mechanisms. Although these tools are technically rootkits, you will normally be focused on tools used by malicious actors instead of intentional installation for purposes like these.

A

RT

86
Q

Like many of the malware types you will read about here, the best ways to prevent rootkits are normal security practices, including patching, using secure configurations, and ensuring that privilege management is used. Tools like secure boot and techniques that can validate live systems and files can also be used to help prevent rootkits from being successfully installed or remaining resident.

A

rt

87
Q

are methods or tools that provide access that bypasses normal authentication and authorization procedures, allowing attackers access to systems, devices, or applications. () can be hardware or software based, but in most scenarios for the Security+ exam you will be concerned with software-based backdoors.

A

backdoors

88
Q

Detecting backdoors can sometimes be done by checking for unexpected open ports and services, but more complex backdoor tools may leverage existing services. Examples include web-based backdoors that require a different URL under the existing web service, and backdoors that conceal their traffic by tunneling out to a remote control host using encrypted or obfuscated channels.

A

rt
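Added example for card 88 (not part of the original deck or the Security+ text): two backdoor checks. First, listening sockets are compared against an approved baseline, which catches a bind shell on a new port or a rogue process squatting on a known port. Second, a web server access log is checked for successful requests to paths the application does not serve, which is how a web shell riding the existing web service shows up even though no new port is open. Every input below is constructed; the baseline, routes, process names and addresses are made up for the example.

```python
"""Added example (not from the Security+ text) for card 88: two backdoor checks.
1) Compare listening sockets to an approved baseline.
2) Look for successful requests to unknown paths in a web access log, which is
   how a web shell under an existing web service shows up without a new port.
All inputs are constructed for the example."""
import re

# Approved listeners on this host: port -> process name (constructed).
BASELINE = {22: "sshd", 80: "nginx", 443: "nginx"}

# Constructed lines in the shape of `ss -lntp` output on Linux.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=7))
LISTEN 0 5 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=9931,fd=3))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=9950,fd=4))
"""
SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def unexpected_listeners(ss_text, baseline=BASELINE):
    """Return [(port, process)] for listeners that are not in the baseline or
    are on a baseline port but owned by a different process."""
    findings = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        port, proc = int(m.group(1)), m.group(2)
        if baseline.get(port) != proc:
            findings.append((port, proc))
    return findings


# Paths the web application legitimately serves (constructed).
KNOWN_ROUTES = {"/", "/login", "/static/app.js", "/api/orders"}

# Constructed access log in combined-log shape; 198.51.100.9 is driving a
# PHP web shell dropped into an upload directory.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [10/Mar/2023:12:05:44 +0000] "POST /uploads/.cache.php?cmd=id HTTP/1.1" 200 77
198.51.100.9 - - [10/Mar/2023:12:05:51 +0000] "POST /uploads/.cache.php?cmd=whoami HTTP/1.1" 200 12
203.0.113.7 - - [10/Mar/2023:12:06:00 +0000] "GET /api/orders HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2023:12:06:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""
LOG_RE = re.compile(r'^(\S+) .*?"(GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+" (\d{3})')


def unknown_successful_paths(log_text, routes=KNOWN_ROUTES):
    """Return {path: [client IPs]} for 2xx responses on paths outside the known
    route set. The query string is dropped so ?cmd=id and ?cmd=whoami group.
    Non-2xx hits (scanner noise on paths that do not exist) are ignored."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client = m.group(1)
        path = m.group(3).split("?", 1)[0]
        status = int(m.group(4))
        if 200 <= status < 300 and path not in routes:
            hits.setdefault(path, []).append(client)
    return hits
```

The second check is the one that matters for the "more complex backdoor tools" in the card: a web shell never appears in the socket table, but it does answer 200 to a URL the application was never built to serve. Neither check sees a backdoor that tunnels out over an encrypted channel; that case needs egress monitoring rather than host-local inspection.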

89
Q

are used by attackers who control them to perform various actions, ranging from additional compromises and infection, to denial-of-service attacks or acting as spam relays. Large () may have hundreds of thousands of bots involved in them, and some have had millions of bots in total.

A

botnets

90
Q

Many botnet command and control (C&C) systems operate in a client-server mode, as shown in Figure 3.1. In this model, they will contact central control systems, which provide commands and updates, and track how many systems are in the botnet. Internet Relay Chat (IRC) was frequently used to manage client-server botnets in the past, but many modern botnets rely on secure HTTP (HTTPS) traffic to help hide C&C traffic and to prevent it from easily being monitored and analyzed by defenders.

A

rt

92
Q

uses a large and constantly changing pool of IP addresses to answer queries for one or more fully qualified domain names, so that the name never resolves to the same small set of hosts for long.

A

fast flux DNS,

93
Q

Fast flux DNS is a technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

A

Fast flux DNS
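Added example for cards 92 and 93 (not part of the original deck or the Security+ text): a heuristic that flags fast flux behaviour from a series of DNS answers for one name. A fast flux name returns many addresses that change on almost every query, with short TTLs, and the addresses sit in unrelated networks because they are compromised hosts. A CDN also uses short TTLs and several addresses, but they are stable and come from a few prefixes the CDN owns. The answers below are constructed from documentation and benchmark address ranges, not real lookups, and the thresholds are illustrative.

```python
"""Added example (not from the Security+ text) for cards 92 and 93: a fast flux
heuristic over successive DNS answers. Inputs are constructed; thresholds are
illustrative and should be tuned against real resolver data."""
import ipaddress

# Each entry: (seconds since first query, TTL in the answer, A records returned).
FLUX_ANSWERS = [
    (0, 300, ["203.0.113.45", "198.51.100.201", "192.0.2.77", "203.0.113.9"]),
    (300, 300, ["198.51.100.12", "192.0.2.130", "203.0.113.250", "198.51.100.7"]),
    (600, 300, ["192.0.2.33", "203.0.113.101", "198.51.100.88", "192.0.2.9"]),
]
# A CDN-like name: short TTL, but the same two addresses in one /16.
CDN_ANSWERS = [
    (0, 60, ["198.18.0.10", "198.18.1.10"]),
    (60, 60, ["198.18.1.10", "198.18.0.10"]),
    (120, 60, ["198.18.0.10", "198.18.1.10"]),
]


def flux_features(answers):
    """Summarise a series of answers: distinct IPs seen, how many /16 networks
    they span, the smallest TTL, and the churn (share of addresses in each
    answer never returned before, averaged over answers after the first)."""
    seen = set()
    new_fraction = []
    for _t, _ttl, ips in answers:
        new_fraction.append(sum(1 for ip in ips if ip not in seen) / len(ips))
        seen.update(ips)
    networks = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in seen}
    return {
        "distinct_ips": len(seen),
        "distinct_slash16": len(networks),
        "min_ttl": min(ttl for _t, ttl, _ips in answers),
        "churn": sum(new_fraction[1:]) / max(1, len(new_fraction) - 1),
    }


def looks_fast_flux(answers, min_ips=8, min_networks=3, max_ttl=600, min_churn=0.5):
    """All four conditions must hold; short TTL alone is normal for CDNs."""
    f = flux_features(answers)
    return (f["distinct_ips"] >= min_ips
            and f["distinct_slash16"] >= min_networks
            and f["min_ttl"] <= max_ttl
            and f["churn"] >= min_churn)


if __name__ == "__main__":
    print("flux:", flux_features(FLUX_ANSWERS), looks_fast_flux(FLUX_ANSWERS))
    print("cdn: ", flux_features(CDN_ANSWERS), looks_fast_flux(CDN_ANSWERS))
```

In practice these features are computed from passive DNS data rather than live queries, and network diversity is usually measured by autonomous system rather than the /16 approximation used here. The churn measure is what separates flux from a legitimate CDN: both have short TTLs, but the CDN keeps handing out the same addresses.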

94
Q

Taking down the domain name is the best way to defeat a fast flux DNS–based botnet or malware, but not every DNS registrar is helpful when a complaint is made.

A

rt

95
Q

Detecting botnets is often accomplished by analysis of bot traffic using network monitoring tools like IPSs and IDSs and other network traffic analysis systems. Additional data is gathered through reverse engineering and analysis of malware infections associated with the bot. The underlying malware can be detected using antivirus and antimalware tools, as well as tools like endpoint detection and response tools.

A

rt

96
Q

are programs that capture keystrokes from keyboards, although () applications may also capture other input like mouse movement, touchscreen inputs, or credit card swipes from attached devices.

A

keyloggers

97
Q

Computer viruses are malicious programs that self-copy and self-replicate. Viruses require one or more infection mechanisms that they use to spread themselves, typically paired with some form of search capability to find new places to spread to. Viruses also typically have both a trigger, which sets the conditions for when the virus will execute, and a payload, which is what the virus does, delivers, or the actions it performs. Viruses come in many varieties, including

Memory-resident viruses, which remain in memory while the system or device is running
Non-memory-resident viruses, which execute, spread, and then shut down
Boot sector viruses, which reside inside the boot sector of a drive or storage media
Macro viruses, which use macros or code inside word processing software or other tools to spread
Email viruses, which spread via email either as attachments or as part of the email itself using flaws within email clients

A

rt

98
Q

virus attacks are similar to traditional viruses in a number of critical ways. They spread via methods like spam email and malicious websites, and they exploit flaws in browser plug-ins and web browsers themselves. Once they successfully find a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system by the same process at reboot through a registry entry or other technique. At no point do they require local file storage, because they remain memory resident throughout their entire active life—in fact, the only stored artifact of many fileless attacks would be the artifacts of their persistence techniques.

A

Fileless

99
Q

is malware that is designed to obtain information about an individual, organization, or system.

A

Spyware

100
Q

type of spyware used to illicitly monitor partners in relationships.

A

stalkerware

101
Q

are programs that may not be wanted by the user but are not as dangerous as other types of malware. () are typically installed without the user’s awareness or as part of a software bundle or other installation. () include adware, browser toolbars, web browser–tracking programs, and others.

A

potentially unwanted programs (PUPs)

102
Q

The Security+ exam outline includes PUPs with malware, but many PUPs are not technically malicious—they’re annoying, they can be privacy risks, and they can slow a system down or otherwise cause problems—but they aren’t actually malware. That’s why they’re called potentially unwanted programs instead of malware—most people and most organizations still don’t want them installed!

A

rt

103
Q

Defenses against PowerShell attacks include using Constrained Language Mode, which limits sensitive commands in PowerShell, and using Windows Defender Application Control (WDAC) or AppLocker to validate scripts and to limit which modules and plug-ins can be run. It is also a good idea to turn on logging for PowerShell, including script block logging, as well as Windows command-line auditing.

A

rt

104
Q

The Bash shell has a built-in security mode called the restricted shell (rbash, or bash -r) that limits what users can do: they cannot change directories, set or unset PATH or SHELL, specify command names containing slashes, redirect output, or import function definitions from the shell environment, among other restrictions. These limits can reduce an attacker’s ability to leverage Bash as a tool for their attacks, but a restricted shell is only as strong as the commands it still permits; any allowed program that can spawn a subshell (an editor, for example) escapes it.

A

rt

105
Q

is the practice of manipulating people through a variety of strategies to accomplish desired actions.

A

Social engineering

106
Q

relies on scaring or bullying an individual into taking a desired action. The individual who is targeted will feel threatened and respond by doing what the social engineer wants them to do.

A

intimidation

106
Q

which relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, regardless of whether or not they actually are.

A

authority

107
Q

-based social engineering uses the fact that people tend to want to do what others are doing to persuade them to take an action. A () attack might point out that everyone else in a department had already clicked on a link, or might provide fake testimonials about a product making it look safe. Also referred to as “social proof” in some categorization schemes.

A

consensus

108
Q

is used for social engineering in scenarios that make something look more desirable because it may be the last one available.

A

scarcity

108
Q

-based attacks rely on you liking the individual or even the organization the individual is claiming to represent.

A

familiarity

109
Q

much like familiarity, relies on a connection with the individual they are targeting. Unlike with familiarity, which relies on targets thinking that something is normal and thus familiar, social engineers who use this technique work to build a connection with their targets so that they will take the actions that they want them to take.

A

trust

110
Q

relies on creating a feeling that the action must be taken quickly due to some reason or reasons.

A

urgency

111
Q

Phishing is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data. Phishing is most often done via email, but a wide range of phishing techniques exist, including things like smishing, which is phishing via SMS (text) messages, and vishing, or phishing via telephone.

A

rt

112
Q

targets specific individuals or groups in an organization in an attempt to gather desired information or access.

A

spear phishing

113
Q

much like spear phishing, targets specific people, but whaling is aimed at senior employees like CEOs and CFOs—“big fish” in the company, thus the term ().

A

whaling

114
Q

is the process of gathering credentials like usernames and passwords. () is often performed via phishing attacks but may also be accomplished through system compromise resulting in the acquisition of user databases and passwords, use of login or remote access tools that are set up to steal credentials, or any other technique that will gather credentials for attackers.

A

Credential harvesting

115
Q

attacks redirect traffic away from legitimate websites to malicious versions. () typically requires a successful technical attack that can change DNS entries on a local PC or on a trusted local DNS server, allowing the traffic to be redirected.

A

Pharming

116
Q

rely on the fact that people will mistype URLs and end up on their sites, thus driving ad traffic or even sometimes using the typo-based website to drive sales of similar but not legitimate products.

A

Typo squatters

117
Q

Spam over Instant Messaging

A

(SPIM)

118
Q

is the practice of retrieving potentially sensitive information from a dumpster; it can provide treasure troves of information about an organization, including documentation and notes.

A

dumpster diving

119
Q

is the process of looking over a person’s shoulder to capture information like passwords or other data.

A

Shoulder surfing

120
Q

is a physical entry attack that requires simply following someone who has authorized access to an area so that as they open secured doors you can pass through as well.

A

Tailgating

121
Q

Eliciting information, often called elicitation, is a technique used to gather information without targets realizing they are providing it. Techniques like flattery, false ignorance, or even acting as a counselor or sounding board are all common elements of an elicitation effort. Talking a target through things, making incorrect statements so that they correct the person eliciting details with the information they need, and other techniques are all part of the elicitation process. Ideally, a social engineering target who has experienced an elicitation attack will never realize they have provided more information than they intended to, or will only realize it well after the fact.

A

rt

122
Q

can mean one of three things:

  1. Adding an expression or phrase, such as adding “SAFE” to a set of email headers to attempt to fool a user into thinking it has passed an antispam tool
  2. Adding information as part of another attack to manipulate the outcome
  3. Suggesting topics via a social engineering conversation to lead a target toward related information the social engineer is looking for
A

Prepending

123
Q

is the process of using a made-up scenario to justify why you are approaching an individual. Pretexting is often used as part of impersonation efforts to make the impersonator more believable. An aware target can ask questions or require verification that can help defeat () and impersonation attacks. In many cases, simply making a verification call can defeat such attempts.

A

Pretexting

124
Q

Identity fraud, or identity theft, is the use of someone else’s identity. Although identity fraud is typically used for financial gain by malicious actors, identity fraud may be used as part of penetration tests or other security efforts as well. In fact, in some cases impersonation, where you act as if you are someone else, can be a limited form of identity fraud. In other cases, impersonation is less specific, and the social engineer or attacker who uses it may simply pretend to be a delivery driver or an employee of a service provider rather than claiming a specific identity.

A

rt

125
Q

In addition to these more direct individual interactions, hoaxes are a common occurrence. Hoaxes, which are intentional falsehoods, come in a variety of forms ranging from virus hoaxes to fake news. Social media plays a large role in many modern hoaxes, and attackers and social engineers may leverage current hoaxes to assist in their social engineering attempts.

A

rt

126
Q

A final type of fraud is the use of (), which involve sending fake invoices to organizations in the hopes of receiving payment. () can be either physical or electronic, and they rely on the recipient not checking to see if the invoice is legitimate.

A

invoice scams

127
Q

Influence campaigns themselves are not the exclusive domain of cyberwarfare, however. Individuals and organizations conduct influence campaigns to turn public opinion in directions of their choosing. Even advertising campaigns can be considered a form of influence campaign, but in general, most influence campaigns are associated with disinformation campaigns. For the Security+ exam, you should be aware of the tightly coupled roles of influence campaigns and social media as part of hybrid warfare efforts by nation-state actors of all types.

A

rt

128
Q

Brute-force attacks iterate through passwords until they find one that works. Actual brute-force methods can be more complex than just using a list of passwords and often involve word lists that use common passwords, words specifically picked as likely to be used by the target, and modification rules to help account for complexity rules. Regardless of how elegant or well thought out their input is, brute force in the end is simply a process that involves trying different variations until it succeeds.

A

rt

129
Q

attacks are a form of brute-force attack that attempts to use a single password or small set of passwords against many accounts. This approach can be particularly effective if you know that a target uses a specific default password or a set of passwords.

A

Password spraying

130
Q

Dictionary attacks are yet another form of brute-force attack that uses a list of words for their attempts. Commonly available brute-force dictionaries exist, and tools like John the Ripper, a popular open source password cracking tool, have word lists (dictionaries) built in. Many penetration testers build their own custom dictionaries as part of their intelligence gathering and reconnaissance processes.

A

rt
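Added example for cards 128 to 130 (not part of the original deck or the Security+ text): telling password spraying apart from single-account brute force in authentication logs. Both are brute force in the card’s sense, but they leave different shapes: brute force piles many failures on one account, while spraying touches many accounts with one or two attempts each, staying under per-account lockout thresholds. All log lines, usernames and addresses are constructed in the shape of sshd’s log messages.

```python
"""Added example (not from the Security+ text) for cards 128 to 130: classify
login sources in sshd logs as brute force, password spray, or benign. All log
lines, users and addresses are constructed."""
import re
from collections import defaultdict

USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
         "grace", "heidi", "ivan", "judy", "mallory", "oscar"]


def _line(pid, result, user, ip):
    """Build one constructed sshd log line (timestamps are not used below)."""
    return (f"Mar 10 12:{pid // 60 % 60:02d}:{pid % 60:02d} host sshd[{pid}]: "
            f"{result} password for {user} from {ip} port {40000 + pid} ssh2")


LINES = []
# Brute force: 15 failures against alice from one source.
LINES += [_line(1000 + i, "Failed", "alice", "203.0.113.5") for i in range(15)]
# Spray: one failure per user across 12 accounts from one source, then a hit.
LINES += [_line(2000 + i, "Failed", u, "198.51.100.9") for i, u in enumerate(USERS)]
LINES.append(_line(2099, "Accepted", "oscar", "198.51.100.9"))
# Benign: a user who mistyped once and then logged in.
LINES += [_line(3000, "Failed", "peggy", "192.0.2.8"),
          _line(3001, "Accepted", "peggy", "192.0.2.8")]
AUTH_LOG = "\n".join(LINES)

LOG_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")


def classify_sources(log_text, bf_threshold=10, spray_users=5, spray_per_user=2):
    """Per source IP, count failures and distinct targeted users and label the
    source 'brute-force', 'spray' or 'benign'. Accounts that accepted a login
    from a spraying source are the ones to reset first."""
    stats = defaultdict(lambda: {"per_user": defaultdict(int), "accepted": []})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        result, user, ip = m.groups()
        if result == "Failed":
            stats[ip]["per_user"][user] += 1
        else:
            stats[ip]["accepted"].append(user)
    report = {}
    for ip, s in stats.items():
        per_user = s["per_user"]
        worst = max(per_user.values(), default=0)
        if len(per_user) >= spray_users and worst <= spray_per_user:
            label = "spray"
        elif worst >= bf_threshold:
            label = "brute-force"
        else:
            label = "benign"
        report[ip] = {"label": label, "failures": sum(per_user.values()),
                      "distinct_users": len(per_user), "accepted": s["accepted"]}
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(AUTH_LOG).items():
        print(ip, info)
```

A per-account lockout policy stops the first source cold and never fires on the second, which is the whole point of spraying; catching it needs correlation across accounts by source, and a spray distributed across many source addresses needs correlation on timing or on the password being tried instead.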

131
Q

Regardless of the password attack mechanism, an important differentiator between attack methods is whether they occur online, and thus against a live system that may have defenses in place, or offline against a compromised or captured password store. If you can capture hashed passwords from a password store, tools like rainbow tables can be very useful. Rainbow tables are an easily searchable database of precomputed hashes using the same hashing methodology as the captured password file. Thus, if you captured a set of passwords that were hashed using MD5, you could compute or even purchase a full set of passwords for most reasonable password lengths, and then simply look up the hashes of those passwords in the table. Precomputation only works when the same password always produces the same hash; a password store that mixes a random per-user salt into each hash forces the attacker to start over for every account, which is why rainbow tables are mainly a threat to unsalted stores.

A

rt

132
Q

is a one-way cryptographic function that takes an input of any length and generates a fixed-length, repeatable output from it: the same input always yields the same value, and for a secure function it is infeasible to recover the input from the output or to find two inputs with the same output.

A

hash
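Added example for cards 131 and 132 (not part of the original deck or the Security+ text): why a precomputed hash table cracks unsalted MD5 instantly and why a per-user salt defeats it. A real rainbow table stores hash chains to trade space for lookup time; this toy uses a plain dictionary of hashes, which makes the same point for a small word list. The word list and the "captured" password stores are constructed.

```python
"""Added example (not from the Security+ text) for cards 131 and 132: precomputed
hash lookup against an unsalted MD5 store versus a salted one. MD5 is used only
because the card does; word list and stores are constructed."""
import hashlib
import os

WORDLIST = ["password", "123456", "qwerty", "letmein", "Winter2023!", "dragon"]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_table(words):
    """Precompute hash -> plaintext once; reusable against any unsalted MD5 dump."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(store, table):
    """store: {user: md5hex}. One dictionary lookup per hash, no hashing work."""
    return {user: table.get(h) for user, h in store.items()}


def salted_hash(password, salt):
    """Salt is mixed into the input, so the digest differs per user."""
    return md5_hex(salt + password.encode())


def make_salted_store(creds):
    """Build {user: (salt, hash)} with a fresh random 16-byte salt per user."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def table_hits_on_salted(store, table):
    """How many salted hashes a precomputed unsalted table recognises."""
    return sum(1 for _salt, h in store.values() if h in table)


def crack_salted(store, words):
    """Each user needs its own pass over the word list because the salt changes
    every digest; nothing computed for one user helps with the next."""
    found = {}
    for user, (salt, h) in store.items():
        found[user] = next((w for w in words if salted_hash(w, salt) == h), None)
    return found


# Constructed dumps. Bob's passphrase is not in the word list in either case.
UNSALTED_STORE = {"alice": md5_hex(b"letmein"),
                  "bob": md5_hex(b"correct horse battery staple")}
SALTED_STORE = make_salted_store({"alice": "letmein",
                                  "bob": "correct horse battery staple"})

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted:", crack_unsalted(UNSALTED_STORE, table))
    print("table hits on salted store:", table_hits_on_salted(SALTED_STORE, table))
    print("salted, per-user dictionary pass:", crack_salted(SALTED_STORE, WORDLIST))
```

Salting does not make a weak password strong: alice still falls to a per-user dictionary pass. What it removes is the shared precomputation, so the attacker pays the full hashing cost for every account. Modern stores add a deliberately slow, salted function (bcrypt, scrypt, Argon2, PBKDF2) so that even that per-user pass is expensive.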

133
Q

attacks largely fall into two categories. Penetration testers (and potentially attackers) may drop drives in locations where they are likely to be picked up and plugged in by unwitting victims at their target organization. An additional layer of social engineering is sometimes accomplished by labeling the drives with compelling text that will make them more likely to be plugged in: performance reviews, financial planning, or other key words that will tempt victims.

A

Malicious flash drive

134
Q

Forensic tools like ()() (4discovery.com/our-tools/usb-historian) can help identify devices that were plugged into Windows systems, allowing incident responders to learn more about what devices might have been malicious and to look for other systems they may have been connected to.

A

USB Historian

135
Q

attacks focus on capturing information from cards like RFID and magnetic stripe cards often used for entry access.

A

Card cloning

136
Q

attacks use hidden or fake readers, or social engineering paired with a hand-held reader, to capture card data, and then employ cloning tools to use credit cards and entry access cards for their own purposes.

A

skimming

137
Q

Card cloning can be difficult to detect if the cards do not have additional built-in protection such as cryptographic certificates and smart chips that make them hard to clone. Magnetic stripe and RFID-based cards that can be easily cloned can often be detected only by visual inspection to verify that they are not the original card.

A

rt

138
Q

ensures that the supply chain for classified and unclassified integrated circuits, devices, and other critical elements is secure, and that manufacturers stay in business and are protected appropriately so that trusted devices remain trusted.

A

The Trusted Foundry program

139
Q

The Security+ exam outline focuses on seven key social engineering principles. Authority relies on the victim believing that the person has a reason to be in charge or in a position of power. Intimidation relies on bullying or scaring the target into doing what is desired. Consensus builds on the trust that individuals have in others and what they think others are doing or believe. Scarcity leverages human reactions to limited supply. Familiarity uses what you expect and what you are used to against you. Trust is built and then used against the target. Urgency, the final item, makes what the social engineer expresses seem as if it is needed immediately.

A

rt

140
Q

programs play a crucial role in identifying, prioritizing, and remediating vulnerabilities in our environments

A

Vulnerability management

141
Q

Cybersecurity professionals depend on automation to help them perform their duties in an efficient, effective manner. Vulnerability scanning tools allow the automated scheduling of scans to take the burden off administrators. Figure 5.2 shows an example of how these scans might be configured in Tenable’s Nessus product. Nessus was one of the first vulnerability scanners on the market and remains widely used today. Administrators may designate a schedule that meets their security, compliance, and business requirements.

A

rt

142
Q

The organization’s ______ _____________ is its willingness to tolerate risk within the environment. If an organization is extremely risk averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.

A

Risk appetite

142
Q

Many different factors influence how often an organization decides to conduct vulnerability scans against its systems:

The organization’s risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.
Regulatory requirements, such as those imposed by the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA), may dictate a minimum frequency for vulnerability scans. These requirements may also come from corporate policies.

A

rt

143
Q

Comprehensive vulnerability management programs provide the ability to conduct scans from a variety of scan perspectives. Each scan perspective conducts the scan from a different location on the network, providing a different view into vulnerabilities. For example, an external scan is run from the Internet, giving administrators a view of what an attacker located outside the organization would see as potential vulnerabilities. Internal scans might run from a scanner on the general corporate network, providing the view that a malicious insider might encounter. Finally, scanners located inside the datacenter and agents located on the servers offer the most accurate view of the real state of the server by showing vulnerabilities that might be blocked by other security controls on the network. Controls that might affect scan results include the following:

Firewall settings
Network segmentation
Intrusion detection systems (IDSs)
Intrusion prevention systems (IPSs)

A

rt

144
Q

The internal and external scans required by PCI DSS are a good example of scans performed from different perspectives. The organization may conduct its own internal scans but must supplement them with external scans conducted by an approved scanning vendor.

A

rt

145
Q

The Security Content Automation Protocol (SCAP) is an effort by the security community, led by the National Institute of Standards and Technology (NIST), to create a standardized approach for communicating security-related information. This standardization is important to the automation of interactions between security components. The SCAP standards include the following:

Common Configuration Enumeration (CCE): a standard nomenclature for discussing system configuration issues
Common Platform Enumeration (CPE): a standard nomenclature for describing product names and versions
Common Vulnerabilities and Exposures (CVE): a standard nomenclature for describing security-related software flaws
Common Vulnerability Scoring System (CVSS): a standardized approach for measuring and describing the severity of security-related software flaws
Extensible Configuration Checklist Description Format (XCCDF): a language for specifying checklists and reporting checklist results
Open Vulnerability and Assessment Language (OVAL): a language for specifying low-level testing procedures used by checklists

A

rt

146
Q

are often leveraged for preventive scanning and testing and are also found in penetration testers’ toolkits, where they help identify systems that testers can exploit. This fact also means they’re a favorite tool of attackers!

A

vulnerability scanners

147
Q

Network vulnerability scanners are capable of probing a wide range of network-connected devices for known vulnerabilities. They reach out to any systems connected to the network, attempt to determine the type of device and its configuration, and then launch targeted tests designed to detect the presence of any known vulnerabilities on those devices.

A

rt

148
Q

The following tools are examples of network vulnerability scanners:

Tenable’s Nessus is a well-known and widely respected network vulnerability scanning product that was one of the earliest products in this field.
Qualys’s vulnerability scanner is a more recently developed commercial network vulnerability scanner that offers a unique deployment model using a software-as-a-service (SaaS) management console to run scans using appliances located both in on-premises datacenters and in the cloud.
Rapid7’s Nexpose is another commercial vulnerability management system that offers capabilities similar to those of Nessus and Qualys.
The open source OpenVAS offers a free alternative to commercial vulnerability scanners.
These are four of the most commonly used network vulnerability scanners. Many other products are on the market today, and every mature organization should have at least one scanner in their toolkit. Many organizations choose to deploy two different vulnerability scanning products in the same environment as a defense-in-depth control.

A

rt

149
Q

Application scanning tools are commonly used as part of the software development process. These tools analyze custom-developed software to identify common security vulnerabilities. Application testing occurs using three techniques:

Static testing analyzes code without executing it. This approach points developers directly at vulnerabilities and often provides specific remediation suggestions.
Dynamic testing executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities.
Interactive testing combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces.
Application testing should be an integral part of the software development process. Many organizations introduce testing requirements into the software release process, requiring clean tests before releasing code into production.

A

rt

150
Q

Web application scanners are specialized tools used to examine the security of web applications. These tools test for web-specific vulnerabilities, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) vulnerabilities. They work by combining traditional network scans of web servers with detailed probing of web applications using such techniques as sending known malicious input sequences and fuzzing in attempts to break the application. Nikto is a popular web application scanning tool. It is an open source tool that is freely available for anyone to use. As shown in Figure 5.10, it uses a command-line interface and is somewhat difficult to use.
Another open source tool available for web application scanning is Arachni. This tool, shown in Figure 5.11, is a packaged scanner available for Windows, macOS, and Linux operating systems.

Most organizations do use web application scanners, but they choose to use commercial products that offer advanced capabilities and user-friendly interfaces. Although there are dedicated web application scanners, such as Acunetix, on the market, many firms use the web application scanning capabilities of traditional network vulnerability scanners, such as Nessus, Qualys, and Nexpose.

A

rt

151
Q
A